This mode applies to Gold and Purple series boxes. It does NOT work on Firewalla Red, Blue, or Blue Plus.
Firewalla Transparent Bridge Mode places a Firewalla device physically in the middle of an existing network without modifying the IP address of the network. A transparent Bridge Firewall is also called a layer 2 firewall, which can transparently filter traffic without detection.
- Before getting into this mode, you should always look at Router mode (Firewalla Router mode configuration guide). Check this: How does Firewalla intercept traffic?
- In bridge mode, blocking features, protection features, and the ad blocked will work the same way as in router mode.
Use Bridge Mode If:
- You want to preserve existing router functions due to the compliance or complexity of replacing the router.
- You want to filter traffic without creating additional networks.
- Your network is not compatible with the Firewalla Simple Mode and you don't want to use the DHCP mode.
- See below for equipment and configuration requirements.
How is the transparent bridge deployed?
When the Firewalla is bridged, one of the interfaces must be connected to a router. Firewalla itself will need to acquire an IP address from that router.
In Bridge mode Firewalla must be placed between a router and a switch, or a router and access points. All network flows passing through Firewalla will be monitored and controlled.
Please do NOT connect Firewalla's WAN to your ISP modem as the ISP modem is only capable of issuing one IP address.
Note: In bridge mode, the Firewalla ports are all equal so you can use any ports you like.
If you have VLANs configured on your router, Firewalla will also help you monitor VLAN networks in bridge mode. To monitor different VLANs on the network, you will need to use the network manager to add a new bridge interface with the VLAN ID you want to monitor.
Rules for blocking VLANs
If you like to block vlan1 to access vlan2, a blocking rule that matches the local network - VLAN 1, apply to VLAN 2, will not work. instead, you can create a rule to block the IP range - (the subnet of VLAN 1), then apply it to VLAN 2. If you have several VLANs, Target List will make this easier.
Enable Wi-Fi Access Point on Purple
You can also enable the Wi-Fi Interface on Purple to share a single range of IPs as other devices.
Please note, WAN connection via Wi-Fi is not available on Firewalla Purple in bridge mode. WANs should be connected through your router.
- On the Network Manager page, tap Edit → LAN Network,
- Select Wi-Fi Interface, it will bring up the Wi-Fi settings. You'll need to assign for the Wi-Fi network:
- Wi-Fi Name(SSID)
- Tap Done -> Save to save the network configuration.
Limitations in Bridge Mode
Firewalla Transparent Bridge Mode is a layer 2 service, when the bridge mode is active, all the layer 3 (IP layer) services will be disabled, this includes, but is not limited to:
- VPN Client (all features under the VPN Client button)
- Policy-Based Routing (all features under the route button)
- Smart Queue (all features under the Smart Queue button)
- Site to Site VPN (If another Firewalla box established a site to site VPN connection to the Box (as server site) in bridge mode, need to add a static route on the server-side gateway, which routes the client networks via Firewalla's IP)
Reminder 1: If you have devices connected to the router (instead of behind the Firewalla box), Firewalla will still be able to discover those devices, but it can NOT monitor them.
Reminder 2: If you are having issues with incoming port forwarding from your main router, please double-check your rules. If you have a blocking rule with the target "Traffic from Internet", please remove it.
Switching to Bridge mode
If you'd like to switch your Firewalla box to bridge mode, just go to your box's main screen, scroll down to find the Monitoring button → Mode, tap Bridge Mode and follow the guide to switch.
Switching Out of Bridge Mode
If you would like to switch from Bridge mode to other modes, you will need to specify the uplink port as a WAN port before switching.
So, I have been thinking about how to make this mode useful to the (sad) users of systems like google mesh , google WiFi etc.
For it to work you’d have to place the Gold between the main google WiFi router and the internet provider modem. However, you also need Gold to get an IP from the WiFi router.
So, could you maybe enable gold to fetch an IP from a eth port other than the wan , so that :
Google WiFi -> Gold in bridge mode -> Wan
Gold other ETH -> get dhcp IP from Google WiFi
To clarify, for this to work you need to physically connect Gold in a similar way to the one shown in your google WiFi tutorial:
Gold wan to modem
Gold eth0 in bridge mode to google WiFi wan
Gold eth1 to switch where google WiFi LAN is also connected.
Gold gets DHCP IP from ETH1
Thanks again for the effort to make this real Firewalla team … so far most is working as expected; however, I am struggling to get my pi-hole to work correctly (and I am not sure if this is a bridge issue or just a user issue). I have created bridges for each of my VLANs (for the sake of this discussion suppose I have a user vlan (2) and a services vlan (3)). My pi-hole in the services vlan is not working correctly for hosts in the user vlan (my router sets it as the primary DNS server for clients in the user vlan). I can get to the pi-hole dashboard fine via browser, but the DNS components aren’t working. When I turn on Emergency Access, pi-hole works as expected. I have tried adding incremental rules for the following (Allow pi-hole (x.x.3.118) on bridge 2, Allow x.x.2.0/24 on Pi-hole (x.x.3.118), Allow x.x.0.0/16 on pi-hole (x.x.3.118), Allow pi-hole (x.x.3.118) on All Devices) but I still can’t get the pi-hole to do it’s thing. I have no block entries created at this point besides Active Protect Rules and the default Block from Internet. I’m not sure if it’s related but I see a bunch of blocked flows showing up from the gateway IP (x.x.2.1) to the device (x.x.2.229). Is there something that Firewalla is doing that is either catching DNS traffic inline (I have tried with ad-block both on and off) or otherwise causing the device to fall back on the secondary entry? Did I just miss something in my rules? Thanks so much in advance!
@Tom Please check if "Family Protect" or "DNS over HTTPS" is enabled on the user vlan. Firewalla will still intercept and redirect DNS traffic to the local DNS server on the box in bridge mode. If "Family Protect" or "DNS over HTTPS" is enabled on the user vlan, DNS queries will send to a different upstream DNS other than the pi-hole in the service vlan.
Thanks for you response. While I had DNS over HTTPS on at one point, I turned it off early in my troubleshooting. Family Protect has never been enabled. Ad-block is also turned off at this time.
I don’t know if this is related, but I have a large amount of blocked flows showing up, the vast majority of them seem to be the vlan virtual gateway being blocked from a host (blocked device Uknown (192.168.2.1) from accessing 192.168.2.49). Not sure if there is some issue with traffic coming back to the host which is causing a secondary lookup?
Additionally, I see some cross vlan traffic being blocked, but I don’t see a rule in the app showing a cross vlan block rule as the default. Is there some rule behind the scenes that’s doing that? Also, can you share how rule priority is implemented? I don’t see rule IDs, and the block rules are listed at the top of the page, so I’m assuming it’s not in that order, is it as simple as all allows and then all blocks or something else?
Hi @Support … any update on this one? Thanks!
@Tom. I think it's better to send an email to firstname.lastname@example.org to open a support ticket so that we can do further troubleshooting.
Hi ... my current setup is
Fibre Internet (Bell Canada) -> TP Link MC220L Media Convertor -> ASUS Zen Wifi Mesh Router(s) .
I have to tag VLAN 35 for wifi and 36 for the TV service. Question: will I be able to put the Firewalla Gold in bridge mode between the Media Converter and the Router?
The best place for the gold to be in bridge mode is place it right after the router and before the switch (or wifi) all of your devices are connected to. If your Fiber internet is a router or the media converter is a router, can you can place it behind
So I have been testing the FWG Bridge mode on and off for a few days. I've been cautious in getting it up and running, since my wife/kids need internet and I dont want to hear whining :)
But after some testing, everything seems to be more or less working. My setup is:
ISP Modem <--> USG-4 Router <--> Firewalla Gold <--> 48port switch <--> everything else (More switches, AP's, client devices, etc).
My network is all Unifi devices (USG, about 8 switches, numerous AP's, CloudKeyG2, etc etc).
I have multiple VLAN's on my network, and I've added each one into Firewalla, all are being monitored correctly. From within the Firewalla app, all seems good!
The issue I am having, as a result of the FWG being insisted between my USG-4 and my 48-Port Switch is that within the UI controller, now it seems like my UI cannot properly detect network topology, and figure out what devices are plugged into what switch / port. I have numerous repeats (the controller thinks a bunch of devices are physically plugged into a single port which is not possible, etc).
Also, it shows my Firewalla Gold Twice? Once into the USG, which is correct, but then also into another switch on my network (not the correct one!).
Here's a screenshot of what I am talking about:
If I unplug the FWG and go back to my prior setup where the USG goes to my 48port switch, then all the network topology corrects itself and devices show where are plugged into correctly.
In case this helps anyone set up a Firewalla Gold in Transparent/Bridge Mode, remember/know to wire your existing router and Firewalla Gold the same way the diagrams show for setting up Router Mode and DHCP/overlay Mode (with the FW Gold’s WAN port 4 connected to a LAN port on your router).
Then switch to Transparent/Bridge Mode by tapping Monitoring in the app and select Transparent/Bridge Mode.
Once this is enabled, it doesn’t matter what port on the FW Gold is connected to the LAN port on your router.
Just remember when setting up Transparent/Bridge Mode to switch to this mode first BEFORE wiring it any differently.
Make sure to NOT first start by wiring the FW Gold like the above current illustration for Transparent/Bridge Mode shows here before first switching to Transparent Mode (because by default ports 1-3 are LAN ports and so your FW Gold won’t be able to reach the Internet and the app won’t be able to connect to it.)
You can optionally rewire FW Gold using any port on it after switching to Transparent/Bridge Mode as the diagram I believe intends to convey.
Just as an update from my post a few months ago, the issues I was having were related to crappy firmware from UI (5.60.x and 5.70.x branches), and NOT from the bridge mode of my Firewalla Gold. Going back to 5.43.x branch of firmware from Ubiquiti solved my above issues.
Transparent mode is working excellently!!!
I have an Ethernet cable from my provider to my home network. As I understand it, I can put the Firewalla in bridge mode even before my router and get even the router protected from attacks. Maybe I will have to invent a method to get connected to the Firewalla for setup - via USB?
Is this idea correct?
@Petr, the best way is just to use purple/gold as your main router. If not, if you place it before your main router, you will need to make the purple can get an IP address from the ISP, and also the router behind it can also get its own IP address.
@rajuabju I have the same setup but after I connect my purple in this was I have network issues (instability & slow).
Within bridge mode you have an option to have it in DHCP or in static-ip. What mode are you using? Did you change anything else in either Firewalla or Unifiy setup?
@gthijssen - I set it up with Static IP. Also, I cant figure out why, but, ONLY 5.43x branch is ok for me. Anything newer, and it gets weird with Unifi topology.
Hello, I'm getting Gold for my company add protection on Botnet but like to know if this possible to place in between Cisco router and ISP as Cisco router is routing traffic to Cisco ASA to establish IPsec to other branch office
Branch Off ----IPsec ----- ISP---- Cisco Router --- Cisco ASA --- (Multi VLAN)
Please sign in to leave a comment.