Firewalla: Transparent Bridge Mode (Beta)

8 comments

  • sk0rp10

    So, I have been thinking about how to make this mode useful to the (sad) users of systems like Google Mesh, Google WiFi, etc.
    For it to work you’d have to place the Gold between the main Google WiFi router and the internet provider modem. However, you also need Gold to get an IP from the WiFi router.
    So, could you maybe enable Gold to fetch an IP from an eth port other than the WAN, so that:

    Google WiFi -> Gold in bridge mode -> WAN

    And

    Gold other ETH -> get dhcp IP from Google WiFi

  • sk0rp10

    To clarify, for this to work you need to physically connect Gold in a similar way to the one shown in your Google WiFi tutorial:

    Gold wan to modem
    Gold eth0 in bridge mode to google WiFi wan
    Gold eth1 to switch where google WiFi LAN is also connected.

    Gold gets a DHCP IP from ETH1

  • Tom Holland

    Thanks again for the effort to make this real, Firewalla team … so far most is working as expected; however, I am struggling to get my pi-hole to work correctly (and I am not sure if this is a bridge issue or just a user issue). I have created bridges for each of my VLANs (for the sake of this discussion suppose I have a user vlan (2) and a services vlan (3)). My pi-hole in the services vlan is not working correctly for hosts in the user vlan (my router sets it as the primary DNS server for clients in the user vlan). I can get to the pi-hole dashboard fine via browser, but the DNS components aren’t working. When I turn on Emergency Access, pi-hole works as expected. I have tried adding incremental rules for the following (Allow pi-hole (x.x.3.118) on bridge 2, Allow x.x.2.0/24 on pi-hole (x.x.3.118), Allow x.x.0.0/16 on pi-hole (x.x.3.118), Allow pi-hole (x.x.3.118) on All Devices) but I still can’t get the pi-hole to do its thing. I have no block entries created at this point besides Active Protect Rules and the default Block from Internet. I’m not sure if it’s related, but I see a bunch of blocked flows showing up from the gateway IP (x.x.2.1) to the device (x.x.2.229). Is there something that Firewalla is doing that is either catching DNS traffic inline (I have tried with ad-block both on and off) or otherwise causing the device to fall back on the secondary entry? Did I just miss something in my rules? Thanks so much in advance!

  • Support

    @Tom Please check if "Family Protect" or "DNS over HTTPS" is enabled on the user vlan. Firewalla will still intercept and redirect DNS traffic to the local DNS server on the box in bridge mode. If "Family Protect" or "DNS over HTTPS" is enabled on the user vlan, DNS queries will be sent to an upstream DNS other than the pi-hole in the services vlan.

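A quick way to verify the behaviour Support describes, as an added example that is not Firewalla's or Pi-hole's own code: from a host on the user VLAN, send a query for a name that is on the Pi-hole's blocklist straight to the Pi-hole's address. Pi-hole's default blocking answer is 0.0.0.0, so a real address in the reply means something in the path (the box's local resolver, or a different upstream) answered instead of the Pi-hole. The Pi-hole address 192.168.3.118 and the probe name are assumptions standing in for the poster's x.x.3.118; `make_response` only builds a constructed reply so the parser can be exercised offline.

```python
"""Probe whether a DNS query actually reaches the Pi-hole or is answered in the path."""
import socket
import struct

PIHOLE_IP = "192.168.3.118"     # assumption: stands in for the poster's x.x.3.118 Pi-hole
PROBE_NAME = "doubleclick.net"  # assumption: a name the Pi-hole's blocklist covers
BLOCKED_ANSWER = "0.0.0.0"      # Pi-hole's default (NULL) blocking answer


def build_query(name, txid=0x1234):
    """Minimal A-record query: header, QNAME labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def skip_name(data, pos):
    """Advance past a (possibly compressed) name and return the next offset."""
    while True:
        n = data[pos]
        if n == 0:
            return pos + 1
        if n & 0xC0 == 0xC0:          # compression pointer: two bytes, then done
            return pos + 2
        pos += n + 1


def parse_a_records(data):
    """Return the IPv4 addresses carried in the answer section."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(data, pos) + 4  # skip QTYPE/QCLASS
    answers = []
    for _ in range(an):
        pos = skip_name(data, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return answers


def classify(answers):
    """0.0.0.0 means the Pi-hole answered; a real address means something else did."""
    if not answers:
        return "no-answer"
    return "pihole-answered" if all(a == BLOCKED_ANSWER for a in answers) else "intercepted-or-bypassed"


def make_response(query, ips):
    """Constructed reply to `query` with the given A records (offline fixture, not a real server)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    rr = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip) for ip in ips)
    return header + query[12:] + rr


def probe(server=PIHOLE_IP, name=PROBE_NAME, timeout=2.0):
    """Send the probe over UDP/53 and classify the reply (runs only when invoked)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(512)
    return classify(parse_a_records(data))


if __name__ == "__main__":
    print(probe())
```

Run it once from the user VLAN with Emergency Access off and once with it on; if only the second run reports "pihole-answered", the box is answering the query itself.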
  • Tom Holland

    Thanks for your response. While I had DNS over HTTPS on at one point, I turned it off early in my troubleshooting. Family Protect has never been enabled. Ad-block is also turned off at this time.

  • Tom Holland

    I don’t know if this is related, but I have a large amount of blocked flows showing up; the vast majority of them seem to be the vlan virtual gateway being blocked from a host (blocked device Unknown (192.168.2.1) from accessing 192.168.2.49). Not sure if there is some issue with traffic coming back to the host which is causing a secondary lookup?

    Additionally, I see some cross vlan traffic being blocked, but I don’t see a rule in the app showing a cross vlan block rule as the default.  Is there some rule behind the scenes that’s doing that? Also, can you share how rule priority is implemented?  I don’t see rule IDs, and the block rules are listed at the top of the page, so I’m assuming it’s not in that order, is it as simple as all allows and then all blocks or something else?

  • Tom Holland

    Hi @Support … any update on this one?  Thanks!

  • Support

    @Tom. I think it's better to send an email to help@firewalla.com to open a support ticket so that we can do further troubleshooting.
