Creating a secure home network shouldn’t be and doesn’t have to be difficult. As someone who works with firewalls professionally at the office, I wanted something for home that was reasonably priced, without costly annual subscriptions, and simple to configure, but that still allowed me to maintain a secure home network. It had to protect my work laptop, my personal desktop, my home NAS, my security cameras and other IoT devices, and my family’s and kids’ devices from Internet threats. Over the years I tried a lot of different home and SMB class firewalls with Parental Controls, but it wasn’t until I came across Firewalla and their Firewalla Gold that I stopped looking for something else. This firewall was just what I had been looking for and it checked all the boxes.

The Firewalla Gold is a Home and SMB Firewall & Router with Multi-Gigabit capability at a great price. It packs features such as: Firewall, Intrusion Prevention, VPN Server and VPN Client, Network Segmentation, Access Control Rules and Routes, Multi-WAN, Link Aggregation, Smart Queue, DNS over HTTPS, AdBlock, Parental Control, Family Protect, and more. And best of all, it is all easily configured through an app on my smartphone.

How to use the Firewalla Gold
One of the cool features of the Firewalla Gold is that it is a fully featured in-line firewall that has built-in router capabilities. For my setup this was exactly what I wanted, as it allowed me to replace my Frontier FIOS ISP-provided router in its entirety. I simply plugged the Ethernet handoff directly into the Firewalla WAN interface, which I configured for DHCP.

Configuring the Network on Firewalla
One of the first steps I took in configuring the new firewall was to configure the network and subnets using the Network Manager. I set up a HOME network to be used by my personal laptop and other family computers, including our shared NAS. I also created a HOME-WIFI subnet to be used as a wireless extension to the HOME network, but opted to configure that as a separate VLAN for better control and segmentation and for reasons that may become more clear later. I knew I also wanted to segregate IoT devices into a separate subnet so that if any IoT devices were hacked, the attackers would not be able to access our HOME or HOME-WIFI network, including any devices and storage resources. The same goes for guest Internet access: I had no reason to allow guest devices access to anything besides straight Internet access. Using the Network Manager I configured a separate guest network called HOME-GUEST and an IoT network called HOME-DEVICES, both as VLANs as well.

Configuring the Switches and Access Points
The next step was to configure my other network equipment like the switch and the wireless access points. I wanted these on the HOME network and configured my Aruba Instant On 8-port 1930 switch to IP 192.168.100.2. I configured my two Aruba Instant On AP11D Access Points to IP 192.168.100.11 and 192.168.100.12 respectively. I configured the wireless access points to operate in Bridge mode. This is key, as that puts the Firewalla in charge of issuing dynamic IP addresses through its built-in DHCP server and it provides the Firewalla with full visibility into any devices and network traffic originating from or serviced by the access points. I also configured the various wireless networks and SSIDs using HOME-WIFI (VLAN 101), HOME-GUEST (VLAN 102), and HOME-DEVICES (VLAN 103).

Configuring Access Control Rules
The next step was to configure the access control rules. This is the functionality that polices the network and controls which subnets can access the Internet and which subnets can or can’t talk to one another.

HOME
By default I configure this to block Traffic from Internet and to block Traffic from & to All Local Networks. I then specifically allow Traffic to Internet. I also allow Traffic from & to HOME-WIFI.

HOME-WIFI
By default I configure this to block Traffic from Internet and to block Traffic from & to All Local Networks. I then specifically allow Traffic to Internet. I also allow Traffic from & to HOME.

HOME-DEVICES
By default I configure this to block Traffic from Internet and to block Traffic from & to All Local Networks. I then specifically allow Traffic to Internet.

HOME-GUEST
By default I configure this to block Traffic from Internet and to block Traffic from & to All Local Networks. I then specifically allow Traffic to Internet. Since this is a guest network I felt that I should control the traffic a bit more and opted to also block All VPN Sites, block All P2P Sites, and block All Porn Sites.
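The four rule sets above, written out as an expected-reachability model that connection test results can be compared against. This is an added example, not part of the original setup or Firewalla's software: only HOME's 192.168.100.x range comes from the post, while the other three subnets, all host addresses, and the evaluation order (a specific allow overrides the default block) are assumptions that model the intent described.

```python
import ipaddress

# Only HOME's 192.168.100.x addressing appears in the post; the other three
# prefixes are assumed here and numbered after their VLAN IDs.
NETWORKS = {
    "HOME":         ipaddress.ip_network("192.168.100.0/24"),
    "HOME-WIFI":    ipaddress.ip_network("192.168.101.0/24"),  # assumed
    "HOME-GUEST":   ipaddress.ip_network("192.168.102.0/24"),  # assumed
    "HOME-DEVICES": ipaddress.ip_network("192.168.103.0/24"),  # assumed
}
# Explicit local allows from the post; every other local pair stays blocked.
LOCAL_ALLOW = {frozenset({"HOME", "HOME-WIFI"})}

def zone_of(addr):
    """Map an IP address to one of the four networks, else INTERNET."""
    ip = ipaddress.ip_address(addr)
    for name, net in NETWORKS.items():
        if ip in net:
            return name
    return "INTERNET"

def expected_verdict(src, dst):
    """Intended verdict for a NEW connection from src to dst."""
    s, d = zone_of(src), zone_of(dst)
    if s == "INTERNET":
        return "block"   # unsolicited inbound traffic from the Internet
    if d == "INTERNET":
        return "allow"   # every network is allowed out to the Internet
    if s == d:
        return "allow"   # assumed: same-subnet traffic never crosses the router
    return "allow" if frozenset({s, d}) in LOCAL_ALLOW else "block"

def audit(observations):
    """Return the observations that contradict the intended policy."""
    findings = []
    for src, dst, reachable in observations:
        want = expected_verdict(src, dst)
        got = "allow" if reachable else "block"
        if want != got:
            findings.append((zone_of(src), zone_of(dst), src, dst, want, got))
    return findings

# Constructed sample results, as if noted from manual tests on each VLAN.
SAMPLE = [
    ("192.168.100.20", "192.168.101.30", True),   # HOME -> HOME-WIFI
    ("192.168.103.40", "192.168.100.5",  True),   # IoT -> HOME: should fail
    ("192.168.102.50", "9.9.9.9",        True),   # guest -> Internet
    ("192.168.102.50", "192.168.103.40", False),  # guest -> IoT
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("violation: %s -> %s (%s -> %s), expected %s, observed %s" % f)
```

Any line printed by the audit means a rule is missing or has been overridden on the network named first.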

Blocking ICMP (Ping)
Under the Box Settings, I went to Advanced, then Configurations, then Block ICMP (Ping), where I turned on blocking of pings to all networks, except for my HOME and HOME-WIFI where I left the blocking disabled. The result of this is that when I am connected to those two networks I can ping devices on any network to check their online status, but if I am connected to any of my other configured networks I can only ping devices on those specific subnets.

Configuring DNS over HTTPS
To protect the privacy of my DNS requests I configured DNS over HTTPS. I opted for using Quad9 since they are headquartered in Switzerland, which has some of the strictest privacy regulations in the world, and it seemed they were the only public resolver that didn’t appear to have a conflict of interest, so I felt my DNS data is in the best hands with them compared to any others. I use the 9.9.9.9 address, which also provides Malware blocking and DNSSEC validation. This no-cost and easy-to-implement first layer of defense translates to increased privacy and increased security.

The Firewalla Gold has a lot more to offer, but at least now I had my basic secure home network in place with network segmentation using VLANs and Access Control Rules, and I had an additional layer of privacy and security through the use of a DNS over HTTPS recursive resolver that includes both malware threat blocking and DNSSEC services.