How to: Beginner's guide for setting up Firewalla with LAN and multiple VLANs via a managed switch
Hello everyone (and all the others, too)!
I had some issues setting up my VLAN network and needed some help. I read a lot of guides, but some are definitely wrong (for example the description of tagged and untagged, which was the opposite of how it's actually done). So I needed Firewalla Support. Finally I got it working with their help. Perhaps this guide helps some newbies like me to get their VLANs running.
Initial State
Well, I had set up the base network (and while you are reading this I assume you did, too). I have a Fritz!Box 6590 cable router as a modem. It's in bridge mode and Firewalla is connected to it (Firewalla is in router mode). A second Fritz!Box 4060 provides WLAN and is connected to Firewalla Port 2, while my unmanaged main network switch is connected to Firewalla Port 1. How I did that is described in this guide:
How to: Using Firewalla in router mode between two Fritz!Boxes
There is a managed switch (it's a TP-Link TL-SG108E, but I think it will be the same with other brands, too).
The objective
I want to have multiple VLANs connected to port 3 of Firewalla:
- Guest network (VLAN 110, IP 192.168.110.1)
- Server network, reachable from internet and local network (VLAN 120, IP 192.168.120.1)
- Garden network with only some basic services (VLAN 130, IP 192.168.130.1)
- IoT network with tighter security (VLAN 140, IP 192.168.140.1)
As you can see, I reuse the VLAN id in the IP address, which makes networks and IPs easier to remember.
This is my network setup: I connect the managed switch to the unmanaged one, too (Port 2), and to Firewalla (Port 1). This is because I want Port 1 to be responsible only for VLANs, while the switch itself shall be part of the base network. I want to configure it from the normal home network, and the other VLANs should not be able to reach its configuration. (You can restrict the network traffic between networks on Firewalla for this, or set up rules for single devices.)
1 Starting with the switch
I started by setting up my switch because it's easier to test with (you could also provide the normal LAN from Firewalla and set the right tags so there would be one VLAN on that port, but then you need one Firewalla port per VLAN, and I only have one port for all of them).
- Open the switch's web UI and log in
- You need to open the VLAN settings. For TP-Link it's 802.1Q VLAN in the menu
- You will see a management form then, but first we need to enable VLAN configuration. Click on Enable first, then press Apply:
- After that you can setup your first VLAN.
- Enter the VLAN ID first and give it a Name. In my case: 110 and Guest
- Select Port 1 to be tagged, Port 3 to be untagged; all other ports are not members of this VLAN.
- Finally hit Add/Modify
- We need to remove Ports 1 and 3 from the default VLAN (1), which is the normal network:
- Enter VLAN ID: 1; if you wish you can change the network's name, too, or keep the default: Default. Cool ;)
- Mark Ports 1 and 3 as not being members.
- Finally click Add/Modify
Later I will remove all ports except Port 2 from VLAN 1. But you must set up all other ports before you do this.
There is still something to do! We need to set up the PVID. Go to PVID settings in the side menu for this.
- Enter PVID 110, check Port 3 and click Apply
With this setting, the switch tags all packets coming in on Port 3 with VLAN id 110. Otherwise they could end up on any device, and you don't want that.
2 Setting up Firewalla
I assume your normal network is already running. In my case I restricted it to Ports 1 and 2, because Port 3 is reserved for VLANs.
- Add a network
- Set it to VLAN
- Set the VLAN id (110)
- Set the network's address (192.168.110.1).
You will have a network setup like this after that:
Your VLAN setup should look like this:
3 Testing
For testing I prepared a Windows testing laptop. I installed NetSetMan. It's freeware and can swap between multiple configurations for a single Ethernet adapter. Normally you would just set the device to obtain an address via DHCP automatically, but if you need to test a port with more than one VLAN id, you should force the laptop to use a specific DHCP server (the one of the VLAN you want to connect to).
I connected the laptop to Port 3 of the managed switch so I could test whether I get an internet connection.
I did this and was able to connect. After seeing that the connection is fine (and you have internet), there are some more steps:
- Open the command line by typing cmd into the Windows search bar and hitting Enter
- Type the following command:
C:> ipconfig /all
- Scroll up to the adapter you use. Check that the VLAN's IP range is used. In my case the DHCP and DNS server is 192.168.110.1 and the IP address should be 192.168.110.x
If you get an error, please make sure you did everything step by step.
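To make the check from the last step repeatable, here is an added example (my own Python, not code from the guide, from Firewalla or from NetSetMan). It parses the text that ipconfig /all prints and verifies that the adapter's lease belongs to the expected VLAN, using the guide's convention that 192.168.<VLAN id>.1 is gateway, DHCP server and DNS server at once. The ipconfig output below is a constructed sample; the adapter name "Ethernet adapter Ethernet" and all function names are my assumptions. The second sample shows what the check reports when the laptop got its lease from a different VLAN's DHCP server, which is what happens when the PVID of the port is missing or wrong.

```python
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed sample shaped like `ipconfig /all` on Windows: a laptop that
# received its lease from the Guest VLAN gateway described in the guide.
SAMPLE_OK = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : VLANTEST
   Primary Dns Suffix  . . . . . . . :

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Example GbE Controller
   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.110.23(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.110.1
   DHCP Server . . . . . . . . . . . : 192.168.110.1
   DNS Servers . . . . . . . . . . . : 192.168.110.1
                                       192.168.110.2
"""

# Same laptop, but the lease came from another VLAN's DHCP server (constructed).
SAMPLE_WRONG = SAMPLE_OK.replace("192.168.110.", "192.168.120.")

# ipconfig indents keys by exactly three spaces and pads them with " . ";
# continuation values (e.g. a second DNS server) are indented much further.
KEY_LINE = re.compile(r"^ {3}(\S.*?)[ .]*:\s?(.*)$")
CONT_LINE = re.compile(r"^ {5,}(\S.*)$")


def parse_ipconfig(text):
    """Return {section: {key: [values]}}; each adapter is one section."""
    sections, current, last_key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # section header, e.g. "Ethernet adapter Ethernet:"
            current = sections.setdefault(line.rstrip(":").strip(), {})
            last_key = None
            continue
        m = KEY_LINE.match(line)
        if m and current is not None:
            last_key = m.group(1).strip()
            current.setdefault(last_key, [])
            if m.group(2).strip():
                current[last_key].append(m.group(2).strip())
            continue
        m = CONT_LINE.match(line)
        if m and last_key and current is not None:
            current[last_key].append(m.group(1).strip())
    return sections


def expected_gateway(vid):
    """The guide's scheme: 192.168.<vid>.1 serves as gateway, DHCP and DNS."""
    return IPv4Network(f"192.168.{vid}.0/24"), IPv4Address(f"192.168.{vid}.1")


def check_lease(adapter, vid):
    """Compare one adapter's lease with the VLAN it should be on; [] means fine."""
    net, gw = expected_gateway(vid)
    findings = []
    if adapter.get("DHCP Enabled") != ["Yes"]:
        findings.append("DHCP is not enabled on the adapter")
    raw = adapter.get("IPv4 Address", [""])[0].split("(")[0]   # drop "(Preferred)"
    try:
        ip = IPv4Address(raw)
    except ValueError:
        return findings + ["no IPv4 address assigned"]
    if ip not in net:
        findings.append(f"address {ip} is outside VLAN {vid} range {net}")
    for key in ("Default Gateway", "DHCP Server", "DNS Servers"):
        if str(gw) not in adapter.get(key, []):
            findings.append(f"{key} is {adapter.get(key)} instead of {gw}")
    return findings


def check_ipconfig(text, adapter_name, vid):
    """Parse ipconfig output and check the named adapter against VLAN vid."""
    sections = parse_ipconfig(text)
    if adapter_name not in sections:
        return [f"adapter '{adapter_name}' not found"]
    return check_lease(sections[adapter_name], vid)


if __name__ == "__main__":
    for label, sample in (("good lease", SAMPLE_OK), ("wrong VLAN", SAMPLE_WRONG)):
        print(label, "->", check_ipconfig(sample, "Ethernet adapter Ethernet", 110) or "OK")
```

On the real laptop you would pipe the output of ipconfig /all into a file and pass its contents to check_ipconfig with the adapter name shown in that output. An empty result means address, gateway, DHCP server and DNS server all belong to the VLAN you expected; any finding points at the step (switch membership, PVID, or the Firewalla network) to re-check.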
4 Adding multiple VLANs
Having one VLAN is great, but there is still more to be done. Dozens of other VLANs are waiting. Go back to points 1 and 2 and repeat them for the other VLAN ids.
For me, this table shows how the switch is set up:
I added the PVID settings, too. Every port except 1 and 2 is given a PVID because I always use only one VLAN per port. If you use multiple VLANs on one port you might need a more complex setup, or force the device to use a VLAN tag (some network adapters can do this, too).
Thanks to Firewalla support, who helped me to manage my network.
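The switch setup described in sections 1, 2 and 4, written out as an added example (my own Python, not the switch's or Firewalla's tooling): it builds the tagged/untagged membership table and the PVID map for all four VLANs, derives the Firewalla gateway address from the VLAN id the way the guide does, and checks the plan for the mistakes the guide warns about (tagged and untagged reversed, an access port whose PVID does not match its untagged VLAN, a port that is still a member of VLAN 1). The guide only fixes Port 1 as the Firewalla uplink, Port 2 as the link to the unmanaged switch and Port 3 for VLAN 110; assigning VLANs 120, 130 and 140 to Ports 4, 5 and 6, the eight-port count, and all function names are my assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Interface

# Port roles from the guide (assumed: an 8-port switch like the TL-SG108E)
TRUNK_PORT = 1   # to Firewalla Port 3: tagged member of every VLAN except 1
MGMT_PORT = 2    # to the unmanaged switch: untagged member of VLAN 1 only
ALL_PORTS = range(1, 9)


@dataclass
class Vlan:
    vid: int
    name: str
    tagged: set = field(default_factory=set)
    untagged: set = field(default_factory=set)

    @property
    def members(self):
        return self.tagged | self.untagged


def make_plan(access):
    """Build the 802.1Q table and PVID map from {access_port: (vid, name)}.

    VLAN 1 keeps only the management uplink, as the guide does once all other
    ports are configured. Every access port is untagged in exactly one VLAN
    and gets that VLAN as its PVID; the trunk is tagged in every VLAN but 1.
    """
    vlans = {1: Vlan(1, "Default", untagged={MGMT_PORT})}
    pvid = {MGMT_PORT: 1}
    for port, (vid, name) in access.items():
        v = vlans.setdefault(vid, Vlan(vid, name, tagged={TRUNK_PORT}))
        v.untagged.add(port)
        pvid[port] = vid
    return list(vlans.values()), pvid


def firewalla_gateway(vid):
    """The guide's convention: reuse the VLAN id as the third octet."""
    return IPv4Interface(f"192.168.{vid}.1/24")


def check_plan(vlans, pvid):
    """Return human-readable problems; an empty list means the plan is sound."""
    problems = []
    default = next(v for v in vlans if v.vid == 1)
    for v in vlans:
        for p in v.tagged & v.untagged:
            problems.append(f"VLAN {v.vid}: port {p} cannot be both tagged and untagged")
        if v.vid != 1 and TRUNK_PORT not in v.tagged:
            problems.append(f"VLAN {v.vid}: trunk port {TRUNK_PORT} must be a tagged member")
        if v.vid != 1 and MGMT_PORT in v.members:
            problems.append(f"VLAN {v.vid}: management port {MGMT_PORT} must stay in VLAN 1 only")
        for p in v.untagged:
            if pvid.get(p) != v.vid:
                problems.append(f"port {p}: untagged in VLAN {v.vid} but PVID is {pvid.get(p)}")
    for p in ALL_PORTS:
        untagged_in = [v.vid for v in vlans if p in v.untagged]
        if len(untagged_in) > 1:
            problems.append(f"port {p}: untagged in more than one VLAN {untagged_in}")
        if p != MGMT_PORT and p in default.members:
            problems.append(f"port {p}: still a member of VLAN 1, reaches the home network")
    return problems


def guide_plan():
    """The four VLANs from the guide, one access port each (ports 4-6 are my choice)."""
    return make_plan({3: (110, "Guest"), 4: (120, "Server"),
                      5: (130, "Garden"), 6: (140, "IoT")})


def swapped_plan():
    """The mistake the guide mentions: tagged and untagged reversed on VLAN 110."""
    vlans, pvid = guide_plan()
    guest = next(v for v in vlans if v.vid == 110)
    guest.tagged, guest.untagged = guest.untagged, guest.tagged
    return vlans, pvid


if __name__ == "__main__":
    vlans, pvid = guide_plan()
    for v in vlans:
        gw = firewalla_gateway(v.vid) if v.vid != 1 else "(base network)"
        print(f"VLAN {v.vid:>3} {v.name:<8} tagged={sorted(v.tagged)} "
              f"untagged={sorted(v.untagged)} firewalla={gw}")
    print("PVID:", dict(sorted(pvid.items())))
    print("problems in guide plan:", check_plan(vlans, pvid))
    print("problems in swapped plan:", check_plan(*swapped_plan()))
```

Running it prints one row per VLAN in the shape of the switch's 802.1Q table plus the PVID line, so you can compare it against the web UI before plugging anything in. The swapped plan shows why the wrong guides the author mentions fail: with Port 1 untagged, Firewalla never sees a tag, and the PVID of Port 3 no longer matches the VLAN it is untagged in.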