Firewalla Purple VLANS Setup
I am currently using a Firewalla Purple and mainly my concern is segmenting my network. Currently I have a new Orbi 6E which supposedly supports VLANs. Orbi has wired backhaul to its satellites via an unmanaged switch. I have tried to approach this setup multiple ways.
1. Put Orbi into router mode (this is the only mode that allows VLAN configuration), activated its IoT Wi-Fi network, and created a VLAN on Orbi's port 4 (a few IoT devices are connected via Ethernet). I do not think that worked.
2. Then I decided to activate Firewalla Purple Wi-Fi for IoT devices and created a VLAN that included both Wi-Fi and LAN1. Only three of my 20+ IoT devices would connect to it. I changed IPv6 to IPv4 to see if that made a difference, but it did not work. I was hoping this method would work so I could just change the Firewalla Purple for a Firewalla Gold to plug in Ethernet IoT devices later.
~ Upon purchasing Firewalla, I was thinking it would be easy to assign devices on an individual basis to a segmented network, but I understand that is not the case.
-
So I’m not clear on how you configured purple and how orbi set up. Is purple in router mode? If orbi is in router mode and providing Wi-Fi then it can’t be in front of Firewalla in router mode.
If orbi can support WVLANs in bridge mode, then it goes after Firewalla in router mode. If not, you can’t have purple in router mode. You could try putting Purple in bridge mode https://help.firewalla.com/hc/en-us/articles/4411167832851-Firewalla-Router-Mode-Configuration-Guide-#h_01FN8AB4RNRTPTRCDEQV31Q7JR
But that comes with some limitations so see if there are any show stoppers for you.
Another option is to find APs that support WVLANs and use FW in router mode, which is the recommended configuration.
Note from Orbi:
Your Orbi Pro WiFi 6 offers four pre-defined VLANs; Default (VLAN 1), Employee (VLAN 20), Guest (VLAN 30), and IoT (VLAN 40). The Default VLAN is the only VLAN that can be edited or deleted.
~ Upon purchasing Firewalla, I was thinking it would be easy to assign devices on an individual basis to a segmented network, but I understand that is not the case.
Devices belong to the segment you connect them to. If you use Wi-Fi then the SSID will be dedicated to a VLAN. There will be a different SSID for IoT than for the trusted LAN. If you use Ethernet, the managed switch will usually dictate which VLAN (though some devices can do that through their own configuration).
I think the issue you have is how you have configured the network, not a Firewalla limitation.
-
I understand that it is not a Firewalla limitation. I have figured that I will need more LAN ports and therefore should have purchased the Firewalla Gold. I have my Orbi router in AP mode and Firewalla is operating as the router. However, I am trying to understand why none of the devices connected to the Wi-Fi that is coming from the Firewalla. It only connected to 4 devices in about thirty minutes. If I can get IoT devices to connect directly to the Firewalla Wi-Fi then I could go ahead and upgrade to Firewalla Gold to place Ethernet IoT devices on their own port and my Orbi mesh on its own port, thereby segmenting the network.
In the meantime I have done the following to the Firewalla Purple and am wondering if it is actually possible. I created two device groups, IoT and traditional. Then I created two VLAN networks on the Firewalla, one for IoT and one for traditional devices. I then applied rules to these two groups saying that IoT group devices are blocked from accessing the traditional VLAN network and vice versa for the traditional devices. The Firewalla allowed it, so technically the two groups should not be communicating with each other. I think this may be a workaround.
-
You don't necessarily need more LAN ports on Firewalla if you use VLANs. You can use a managed switch to solve that and the only limitation is the number of ports in your switch.
However, I am trying to understand why none of the devices connected to the Wi-Fi that is coming from the Firewalla. It only connected to 4 devices in about thirty minutes. I
Is the SSID for FWP Wi-Fi different than Orbi? Keep in mind that FWP Wi-Fi is meant to be somewhat short range. It can't compete with Orbi on distance. The Firewalla and Orbi should not share SSID names.
Also, keep in mind there are different ways to segment a network: port-based networks (each port is a separate network) and VLANs, which don't have that limitation. Again, not sure what approach you are going for.
I created two device groups, IoT and traditional. Then I created two VLAN networks on the Firewalla, one for IoT and one for traditional devices. I then applied rules to these two groups saying that IoT group devices are blocked from accessing the traditional VLAN network and vice versa for the traditional devices. The Firewalla allowed it, so technically the two groups should not be communicating with each other.
If I follow what you are saying, the groups are irrelevant. Once you have VLANs you can decide access. For example you could configure:
VLAN A > VLAN B (A can see B but B cannot see A)
VLAN A <-> VLAN B (A and B can see each other; this is almost like not having separate VLANs.)
VLAN A < VLAN B (B can see A but A cannot see B)
-
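The directional access options in the reply above ("VLAN A > VLAN B" and so on), modelled as a small stateful policy checker. This is an added example, not Firewalla's own code; it assumes the usual stateful-firewall reading that "A can see B" means A may open connections to B and B's replies flow back, and the VLAN names and endpoint addresses are constructed.

```python
"""Model of directional inter-VLAN access such as "VLAN LAN > VLAN IoT".
Added example, not Firewalla code. Assumes stateful semantics: the VLAN that is
allowed to "see" another may open connections to it, and replies are let back."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src_vlan: str
    dst_vlan: str
    src: str  # constructed "ip:port" endpoint
    dst: str


@dataclass
class InterVlanPolicy:
    allowed: set = field(default_factory=set)    # (initiator_vlan, target_vlan) pairs
    conntrack: set = field(default_factory=set)  # connections already accepted

    def allow(self, initiator: str, target: str) -> None:
        """initiator > target: initiator may open connections to target."""
        self.allowed.add((initiator, target))

    def evaluate(self, flow: Flow) -> str:
        # Reply packets belonging to an accepted connection are always let back through.
        if (flow.dst_vlan, flow.src_vlan, flow.dst, flow.src) in self.conntrack:
            return "ALLOW-ESTABLISHED"
        # Same VLAN, or an explicitly permitted direction, may open a new connection.
        if flow.src_vlan == flow.dst_vlan or (flow.src_vlan, flow.dst_vlan) in self.allowed:
            self.conntrack.add((flow.src_vlan, flow.dst_vlan, flow.src, flow.dst))
            return "ALLOW-NEW"
        return "DROP"


def demo() -> list:
    """VLAN LAN > VLAN IoT: LAN reaches IoT devices, IoT cannot reach the LAN."""
    policy = InterVlanPolicy()
    policy.allow("LAN", "IoT")
    laptop, camera = "192.168.1.10:51000", "192.168.40.20:554"  # constructed endpoints
    return [
        policy.evaluate(Flow("LAN", "IoT", laptop, camera)),  # new LAN->IoT connection
        policy.evaluate(Flow("IoT", "LAN", camera, laptop)),  # reply on that connection
        policy.evaluate(Flow("IoT", "LAN", "192.168.40.21:4000", "192.168.1.10:22")),  # IoT-initiated
    ]


if __name__ == "__main__":
    print(demo())
```

With "VLAN A <-> VLAN B" both directions are added with `allow`, and with "VLAN A < VLAN B" only `allow("B", "A")` is.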
I think what you want to do:
- Ignore the Purple WiFi, it's really for management or travel (hotel room).
- Set the Purple as your Router
- Set Orbi (with IOT VLAN / WiFi on)
- Unplug the other Orbis (for now)
So now you have internet in (Ethernet) plugged into the Purple WAN, and Ethernet out of the Purple into the Orbi. As Michael points out, the predefined IOT VLAN on the Orbi is VLAN ID 40, so on the purple, create a VLAN with an ID of 40.
See if, with this setup, your IoT and default VLANs get their correct IPs as defined by the Purple. Unless you need to hardwire devices to a particular VLAN you shouldn't need the Gold. Even then, you can pick up a managed switch for $30-$40 to do that.
-
You should be able to make it work without a managed switch, but it will depend on whether you can configure the switch ports on the Orbi router to support tagged vlans.
ISP --> Purple in router mode --> Orbi router --> Orbi APs
Create separate SSIDs on the Orbi for each network (LAN, Guest, IoT, etc.; keep it to <=4), and assign them to separate VLANs.
Configure one port on the Orbi router with all VLANs. It may want to keep VLAN 1 as untagged, and the rest as tagged. Or it might allow you to configure it as a true VLAN trunk with just tagged VLANs.
Configure the LAN port on the Purple with all the VLANs. Make sure to match the configuration on the Orbi (meaning, if the Orbi requires VLAN 1 untagged, then set up the Purple with VLAN 1 untagged). You'll need to configure DHCP separately on each network, using separate IP subnets.
That way, when a device connects to the IoT SSID the packets get tagged as VLAN X and the Purple will hand out IPs via DHCP using subnet Y. When a device connects to the LAN SSID the packets get tagged as VLAN A and the Purple will hand out IPs via DHCP using subnet B. And so on.
This is similar to how I have our home network set up, although I'm using a managed switch and the APs are wired into the switch, but a wireless mesh setup is conceptually the same. I have 4 networks (LAN, Guests, Kids, IoT) on 4 separate VLANs using 4 separate subnets, with different rules for each network.
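A small checker for the two things the post above says must line up on the Purple-to-Orbi link: the tagged/untagged VLAN set on both ends of the trunk, and one non-overlapping DHCP subnet per VLAN. This is an added example, not Firewalla or Netgear code; the port-config dictionaries are an assumed shape, and the VLAN IDs 1/20/30/40 and subnets are taken from the thread's Orbi defaults and constructed addresses.

```python
"""Validate a VLAN trunk between two devices and the per-VLAN DHCP subnets.
Added example, not vendor code. Port configs are assumed to look like
{"untagged": <vlan id or None>, "tagged": {<vlan ids>}}."""
import ipaddress


def check_trunk(orbi_port: dict, purple_port: dict, networks: dict) -> list:
    """Return a list of problems; empty means the two ends agree.
    networks maps VLAN id -> "subnet/prefix" as configured on the Purple."""
    problems = []
    # 1. The untagged (native) VLAN must be the same on both ends, or frames
    #    for that VLAN are interpreted as belonging to different networks.
    if orbi_port["untagged"] != purple_port["untagged"]:
        problems.append(f"untagged VLAN mismatch: Orbi={orbi_port['untagged']} "
                        f"Purple={purple_port['untagged']}")
    # 2. The tagged VLAN sets must match, otherwise some SSIDs have no path.
    orbi_tagged, purple_tagged = set(orbi_port["tagged"]), set(purple_port["tagged"])
    if orbi_tagged != purple_tagged:
        problems.append(f"tagged VLAN mismatch: only on Orbi={sorted(orbi_tagged - purple_tagged)} "
                        f"only on Purple={sorted(purple_tagged - orbi_tagged)}")
    # 3. Every VLAN carried on the trunk needs its own network with DHCP.
    carried = purple_tagged | ({purple_port["untagged"]} - {None})
    for vid in sorted(carried):
        if vid not in networks:
            problems.append(f"VLAN {vid} is on the trunk but has no network/DHCP subnet")
    # 4. Subnets must not overlap, or routing between VLANs becomes ambiguous.
    nets = sorted((vid, ipaddress.ip_network(cidr, strict=True)) for vid, cidr in networks.items())
    for i, (va, na) in enumerate(nets):
        for vb, nb in nets[i + 1:]:
            if na.overlaps(nb):
                problems.append(f"subnets overlap: VLAN {va} {na} and VLAN {vb} {nb}")
    return problems


# Constructed sample configs using the Orbi default VLAN ids from the thread.
ORBI_PORT = {"untagged": 1, "tagged": {20, 30, 40}}
GOOD_PURPLE = {"untagged": 1, "tagged": {20, 30, 40}}
BAD_PURPLE = {"untagged": None, "tagged": {1, 20, 30, 40}}  # VLAN 1 tagged, not untagged
NETWORKS = {1: "192.168.1.0/24", 20: "192.168.20.0/24",
            30: "192.168.30.0/24", 40: "192.168.40.0/24"}
NETWORKS_OVERLAP = {**NETWORKS, 40: "192.168.1.128/25"}  # IoT subnet inside the LAN subnet

if __name__ == "__main__":
    print(check_trunk(ORBI_PORT, GOOD_PURPLE, NETWORKS))
    print(check_trunk(ORBI_PORT, BAD_PURPLE, NETWORKS))
    print(check_trunk(ORBI_PORT, GOOD_PURPLE, NETWORKS_OVERLAP))
```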