Firewalla: Transparent Bridge Mode


18 comments

  • sk0rp10

    So, I have been thinking about how to make this mode useful to the (sad) users of systems like Google Mesh, Google WiFi, etc.
    For it to work you’d have to place the Gold between the main Google WiFi router and the internet provider modem. However, you also need Gold to get an IP from the WiFi router.
    So, could you maybe enable Gold to fetch an IP from an eth port other than the WAN, so that:

    Google WiFi -> Gold in bridge mode -> WAN

    And

    Gold other ETH -> gets DHCP IP from Google WiFi

    0
  • sk0rp10

    To clarify, for this to work you need to physically connect Gold in a similar way to the one shown in your Google WiFi tutorial:

    Gold WAN to modem
    Gold eth0 in bridge mode to Google WiFi WAN
    Gold eth1 to switch where Google WiFi LAN is also connected.

    Gold gets DHCP IP from ETH1

    0
  • Tom Holland

    Thanks again for the effort to make this real, Firewalla team … so far most is working as expected; however, I am struggling to get my pi-hole to work correctly (and I am not sure if this is a bridge issue or just a user issue). I have created bridges for each of my VLANs (for the sake of this discussion suppose I have a user vlan (2) and a services vlan (3)). My pi-hole in the services vlan is not working correctly for hosts in the user vlan (my router sets it as the primary DNS server for clients in the user vlan). I can get to the pi-hole dashboard fine via browser, but the DNS components aren’t working. When I turn on Emergency Access, pi-hole works as expected. I have tried adding incremental rules for the following (Allow pi-hole (x.x.3.118) on bridge 2, Allow x.x.2.0/24 on Pi-hole (x.x.3.118), Allow x.x.0.0/16 on pi-hole (x.x.3.118), Allow pi-hole (x.x.3.118) on All Devices) but I still can’t get the pi-hole to do its thing. I have no block entries created at this point besides Active Protect Rules and the default Block from Internet. I’m not sure if it’s related, but I see a bunch of blocked flows showing up from the gateway IP (x.x.2.1) to the device (x.x.2.229). Is there something that Firewalla is doing that is either catching DNS traffic inline (I have tried with ad-block both on and off) or otherwise causing the device to fall back on the secondary entry? Did I just miss something in my rules? Thanks so much in advance!

    1
  • Support

    @Tom Please check if "Family Protect" or "DNS over HTTPS" is enabled on the user vlan. Firewalla will still intercept and redirect DNS traffic to the local DNS server on the box in bridge mode. If "Family Protect" or "DNS over HTTPS" is enabled on the user vlan, DNS queries will be sent to a different upstream DNS other than the pi-hole in the service vlan.

    0
  • Tom Holland
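A way to check from a client in the user vlan whether DNS is really reaching the Pi-hole or is being answered by another resolver inline, as described in the Support reply above. This is an added example, not Firewalla's or Pi-hole's own code; it assumes Pi-hole answers its own hostname `pi.hole` with its own address, and the Pi-hole address 192.168.3.118 is a constructed placeholder.

```python
import random
import socket
import struct

def build_query(name, qid=None):
    """Build a minimal DNS A query (recursion desired) and return (bytes, id)."""
    qid = random.randrange(65536) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1), qid

def _skip_name(buf, pos):
    """Advance past a (possibly compressed) name in a DNS message."""
    while True:
        length = buf[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # compression pointer, two bytes total
            return pos + 2
        pos += length + 1

def parse_a_records(resp, expected_id):
    """Return the A-record addresses in a DNS response; reject a mismatched id."""
    qid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if qid != expected_id:
        raise ValueError("response id does not match query")
    pos = 12
    for _ in range(qd):
        pos = _skip_name(resp, pos) + 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        pos = _skip_name(resp, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in resp[pos:pos + 4]))
        pos += rdlen
    return answers

def query(server, name, timeout=2.0):
    """Send the query over UDP/53 and return (responding address, A records)."""
    pkt, qid = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        data, (src, _port) = s.recvfrom(4096)
    return src, parse_a_records(data, qid)

def diagnose(intended, responder, answers):
    """Classify a pi.hole lookup: a real Pi-hole answers with its own address."""
    if responder != intended:
        return "redirected"    # reply came from a different host
    if intended in answers:
        return "pi-hole"       # the intended Pi-hole answered
    return "intercepted"       # something inline forwarded to another upstream

if __name__ == "__main__":
    PIHOLE = "192.168.3.118"   # constructed placeholder for the Pi-hole address
    src, recs = query(PIHOLE, "pi.hole")
    print(src, recs, diagnose(PIHOLE, src, recs))
```

If the verdict is "intercepted" while the Pi-hole dashboard is reachable, the query is being answered by a resolver other than the Pi-hole, which matches the DoH/Family Protect behaviour described above.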

    Thanks for your response. While I had DNS over HTTPS on at one point, I turned it off early in my troubleshooting. Family Protect has never been enabled. Ad-block is also turned off at this time.

    0
  • Tom Holland

    I don’t know if this is related, but I have a large amount of blocked flows showing up; the vast majority of them seem to be the vlan virtual gateway being blocked from a host (blocked device Unknown (192.168.2.1) from accessing 192.168.2.49). Not sure if there is some issue with traffic coming back to the host which is causing a secondary lookup?

    Additionally, I see some cross-vlan traffic being blocked, but I don’t see a rule in the app showing a cross-vlan block rule as the default. Is there some rule behind the scenes that’s doing that? Also, can you share how rule priority is implemented? I don’t see rule IDs, and the block rules are listed at the top of the page, so I’m assuming it’s not in that order; is it as simple as all allows and then all blocks, or something else?

    0
  • Tom Holland

    Hi @Support … any update on this one? Thanks!

    0
  • Support

    @Tom, I think it's better to send an email to help@firewalla.com to open a support ticket so that we can do further troubleshooting.

    0
  • John Morton

    Hi ... my current setup is

    Fibre Internet (Bell Canada) -> TP-Link MC220L Media Converter -> ASUS ZenWiFi Mesh Router(s).

    I have to tag VLAN 35 for wifi and 36 for the TV service. Question: will I be able to put the Firewalla Gold in bridge mode between the Media Converter and the Router?

    0
  • Firewalla

    The best place for the Gold to be in bridge mode is to place it right after the router and before the switch (or wifi) all of your devices are connected to. If your fiber internet is a router, or the media converter is a router, you can place it behind

    0
  • rajuabju

    So I have been testing the FWG bridge mode on and off for a few days. I've been cautious in getting it up and running, since my wife/kids need internet and I don't want to hear whining :)

    But after some testing, everything seems to be more or less working. My setup is:

    ISP Modem <--> USG-4 Router <--> Firewalla Gold <--> 48-port switch <--> everything else (more switches, APs, client devices, etc.).

    My network is all Unifi devices (USG, about 8 switches, numerous APs, CloudKey G2, etc.).

    I have multiple VLANs on my network, and I've added each one into Firewalla; all are being monitored correctly. From within the Firewalla app, all seems good!

    The issue I am having, as a result of the FWG being inserted between my USG-4 and my 48-port switch, is that within the UI controller it now seems like my UI cannot properly detect network topology and figure out what devices are plugged into what switch / port. I have numerous repeats (the controller thinks a bunch of devices are physically plugged into a single port, which is not possible, etc.).

    Also, it shows my Firewalla Gold twice? Once into the USG, which is correct, but then also into another switch on my network (not the correct one!).

    Here's a screenshot of what I am talking about:

    If I unplug the FWG and go back to my prior setup where the USG goes to my 48-port switch, then all the network topology corrects itself and devices show where they are plugged into correctly.

    0
  • mobius strip

    In case this helps anyone set up a Firewalla Gold in Transparent/Bridge Mode, remember to wire your existing router and Firewalla Gold the same way the diagrams show for setting up Router Mode and DHCP/overlay Mode (with the FW Gold’s WAN port 4 connected to a LAN port on your router).

    Then switch to Transparent/Bridge Mode by tapping Monitoring in the app and select Transparent/Bridge Mode.

    Once this is enabled, it doesn’t matter what port on the FW Gold is connected to the LAN port on your router.

    Just remember when setting up Transparent/Bridge Mode to switch to this mode first, BEFORE wiring it any differently.

    Make sure to NOT start by wiring the FW Gold like the current illustration for Transparent/Bridge Mode shows before first switching to Transparent Mode (because by default ports 1-3 are LAN ports, so your FW Gold won’t be able to reach the Internet and the app won’t be able to connect to it).

    You can optionally rewire the FW Gold using any port on it after switching to Transparent/Bridge Mode, as I believe the diagram intends to convey.

    0
  • rajuabju

    Just as an update from my post a few months ago: the issues I was having were related to crappy firmware from UI (5.60.x and 5.70.x branches), and NOT from the bridge mode of my Firewalla Gold. Going back to the 5.43.x branch of firmware from Ubiquiti solved my above issues.

    Transparent mode is working excellently!!!

    0
  • Petr dusek

    I have an Ethernet cable from my provider to my home network. As I understand it, I can put the Firewalla in bridge mode even before my router and get even the router protected from attacks. Maybe I will have to invent a method to get connected to the Firewalla for setup: via USB?

    Is this idea correct?

    0
  • Firewalla

    @Petr, the best way is just to use the Purple/Gold as your main router. If not, if you place it before your main router, you will need to make sure the Purple can get an IP address from the ISP, and also that the router behind it can get its own IP address.

    0
  • GThijssen

    @rajuabju I have the same setup, but after I connect my Purple in this way I have network issues (instability & slow).

    Within bridge mode you have an option to have it in DHCP or in static IP. What mode are you using? Did you change anything else in either the Firewalla or Unifi setup?

    0
  • rajuabju

    @gthijssen - I set it up with Static IP. Also, I can't figure out why, but ONLY the 5.43x branch is ok for me. Anything newer, and it gets weird with Unifi topology.

    0
  • Ron Tan

    Hello, I'm getting a Gold for my company to add protection against botnets, but I'd like to know if it is possible to place it in between the Cisco router and the ISP, as the Cisco router is routing traffic to a Cisco ASA to establish IPsec to the other branch office.

    Branch Office ---- IPsec ---- ISP ---- Cisco Router --- Cisco ASA --- (Multi VLAN)

    0