This mode does NOT work on Firewalla Red, Blue, or Blue Plus.
Firewalla Transparent Bridge Mode places a Firewalla device physically in the middle of an existing network without modifying the IP address of the network. A transparent Bridge Firewall is also called a layer 2 firewall, which can transparently filter traffic without detection.
- Before getting into this mode, you should always look at Router mode (Firewalla Router mode configuration guide). Check this: How does Firewalla intercept traffic?
- In bridge mode, blocking features, protection features, and the ad blocker will work the same way as in router mode.
Use Bridge Mode If:
- You'd like to preserve existing router functions because of compliance requirements or the complexity of replacing the router.
- You want to filter traffic without creating additional networks.
- Your network is not compatible with the Firewalla Simple Mode and you don't want to use the DHCP mode.
How is the transparent bridge deployed?
When the Firewalla is bridged, one of the interfaces must be connected to a router. Firewalla itself will need to acquire an IP address from that router.
When bridged, Firewalla needs to be placed between a router and a switch, or between a router and access points. All network flows passing through Firewalla will be monitored and controlled.
Please do NOT connect Firewalla's WAN to your ISP modem as the ISP modem is only capable of issuing one IP address.
Note that in bridge mode all ports are equal, so you can use any port you like.
If you have VLANs configured on your router, Firewalla will also help you monitor VLAN networks in bridge mode. To monitor different VLANs on the network, you will need to use the network manager to add a new bridge interface with the VLAN ID you want to monitor.
Because Firewalla acts as a layer 2 firewall in this mode, it treats VLANs as independent networks. When you want to block traffic between VLANs, you need to note down the IP range of the VLAN and block the IP range. If you have several VLANs, Target List will make life easier.
Enable WiFi Access Point on Purple
You can also enable the Wi-Fi Interface on Purple so that Wi-Fi clients share the same single range of IPs as other devices.
Please note, WAN connection via Wi-Fi is not available on Firewalla Purple in bridge mode.
- On the Network Manager page, tap Edit → LAN Network.
- Select Wi-Fi Interface to bring up the Wi-Fi settings. You'll need to assign for the Wi-Fi network:
  - Wi-Fi Name (SSID)
- Tap Done → Save to save the network configuration.
Limitations in Bridge Mode
Firewalla Transparent Bridge Mode is a layer 2 service. When bridge mode is active, all layer 3 (IP layer) services are disabled. This includes, but is not limited to:
- VPN Client (all features under the VPN Client button)
- Policy-Based Routing (all features under the route button)
- Smart Queue (all features under the Smart Queue button)
- Site to Site VPN (if another Firewalla box establishes a site-to-site VPN connection to the box in bridge mode, which acts as the server site, you need to add a static route on the server-side gateway that routes the client networks via Firewalla's IP)
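To check the static route that the Site to Site VPN item calls for, the following added example (not Firewalla's code) parses `ip route show` output from the server-side gateway and lists the client networks that are not routed via Firewalla's IP. It assumes a Linux gateway and IPv4 routes; all addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ip route show` output from a Linux server-side gateway.
# In this sample Firewalla's IP is assumed to be 192.168.1.2.
SAMPLE_ROUTES = """\
default via 203.0.113.1 dev eth0
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
10.10.0.0/16 via 192.168.1.2 dev eth1
10.10.30.0/24 via 192.168.1.9 dev eth1
"""

def parse_routes(text):
    """Return [(network, next_hop or None)] from `ip route show` text."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # skip route types such as "blackhole ..." or "unreachable ..."
        hop = fields[fields.index("via") + 1] if "via" in fields else None
        routes.append((net, ipaddress.ip_address(hop) if hop else None))
    return routes

def next_hop_for(client_net, routes):
    """Next hop of the longest-prefix route that covers all of client_net."""
    covering = [(n, h) for n, h in routes
                if n.version == client_net.version and client_net.subnet_of(n)]
    if not covering:
        return None
    return max(covering, key=lambda r: r[0].prefixlen)[1]

def missing_routes(client_nets, firewalla_ip, route_text):
    """Client networks whose return traffic would not be sent via Firewalla's IP."""
    routes = parse_routes(route_text)
    fw = ipaddress.ip_address(firewalla_ip)
    return [c for c in client_nets
            if next_hop_for(ipaddress.ip_network(c), routes) != fw]
```

A client network that falls through to the default route, or that is caught by a more specific route pointing at another next hop, is reported as missing.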
Reminder 1: If you have devices connected to the router (instead of the Firewalla box), Firewalla will still be able to discover those devices, but it can NOT monitor them.
Reminder 2: If you are having issues with incoming port forwarding from your main router, please double-check your rules. If you have a blocking rule with the target "Traffic from Internet", please remove it.
How to switch to bridge mode?
If you'd like to switch your Firewalla box to Bridge mode, just go to your box's main screen, scroll down to find the Monitoring button → Mode, tap Bridge Mode and follow the guide to switch.
If you'd like to switch from Bridge mode to other modes, you will need to specify the uplink port as a WAN port before switching.