[Fixed] Connect FWP to switch, set up VLANs
I have a pretty simple setup - modem -> FWP -> netgear managed switch -> (work computer, wifi router)
I wanted to set up a VLAN on the switch so that a media server could be isolated. I should note that I’m totally not a network guy.
The first time I tried, I set the VLANs in the switch admin, and everything blew up. My FW freaked out and would usually lose its internet connection when I connected the switch. Even when sometimes (after a frantic reboot-the-world sequence, sometimes with a switch reset) everything would be connected, I still wasn’t able to load the switch admin from my PC.
Finally, I noted the IP on the switch, and checked if it was outside the range of my FW LAN. It was! That’s probably what made FW freak out. So, I updated the LAN ip range, and was able to connect to the switch, and load the admin.
I had previously reset the switch, so I set up the VLANs again. All ports had to be in a VLAN, so I set up:
- port 1 as a trunk port on VLANs 1 and 2
- ports 2 & 3 as trunk ports only on VLAN 2, with a default to VLAN 1 (which is probably functionally, in my use case, the same as leaving them untagged. IDK)
- port 4 as untagged on VLAN 1
- port 5 on VLAN 2
I set up VLANs on the firewalla to match (VLAN IDs 1 and 2).
And it worked!
But now my PC was on a vlan whose IP range didn’t include the switch IP, and I couldn’t load the switch admin anymore. And I couldn’t change the vlan IP range, because it would then interfere with the LAN range (which I had previously changed to include the switch)
I checked the LAN in the FW, and noted that no devices were connected to it. I took a chance and deleted it, and moved the primary vlan (ID 1) into its IP range (which included the switch IP).
And it worked! I had to unplug and replug the wifi routers (as the FW app advised), and now everyone is happily moved over to VLAN 1, except for that one port on vlan 2.
The switch shows up in the firewalla app (because the IP is in the range of one of its networks, in particular VLAN 1), and the admin is accessible from my PC on VLAN 1.
Cheers!
One question for firewalla support (if you made it this far in this post) - as far as I can tell, if you’re using VLANs with a purple, all connections must be on a VLAN, and you’ll probably want to (or at least, might as well) delete your LAN. (I’d imagine on the gold, you could keep the LAN connection for some ports.)
Is that correct, and is that documented prominently in the network segmentation docs?
Also, maybe the docs should note that you should make sure that the switch IP is in the same range as your primary vlan (on purple - maybe lan is enough on gold, IDK).
(A “problem” that firewalla has is it makes so much cool networking stuff accessible to amateurs, who inevitably shoot themselves in the foot. Please continue doing so.)
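The two things that bit the poster above were a switch management IP outside the admin PC's VLAN subnet and a VLAN range that would have overlapped the LAN range. This added example (not from the post or from Firewalla) is a small plan checker that flags both conditions before anything is plugged in; the VLAN IDs, port layout and all addresses in it are constructed sample values.

```python
import ipaddress

# Subnet per network, keyed by VLAN ID. Constructed sample values, not the poster's.
NETWORKS = {
    1: "192.168.10.0/24",   # primary VLAN: admin PC, wifi router
    2: "192.168.20.0/24",   # isolated VLAN: media server
}

# Switch port plan mirroring the post: port 1 trunks VLAN 1+2 to the router,
# ports 2-3 tag VLAN 2 with VLAN 1 as PVID, port 4 untagged on 1, port 5 on 2.
PORTS = {
    1: {"tagged": {1, 2}, "untagged": None},
    2: {"tagged": {2}, "untagged": 1},
    3: {"tagged": {2}, "untagged": 1},
    4: {"tagged": set(), "untagged": 1},   # admin PC
    5: {"tagged": set(), "untagged": 2},   # media server
}

def overlapping_subnets(networks):
    """Pairs of VLAN IDs whose subnets overlap; the router rejects such a plan."""
    nets = {vid: ipaddress.ip_network(cidr) for vid, cidr in networks.items()}
    ids = sorted(nets)
    return [(a, b) for i, a in enumerate(ids) for b in ids[i + 1:] if nets[a].overlaps(nets[b])]

def unassigned_ports(ports):
    """Ports that belong to no VLAN; a managed switch needs every port in one."""
    return [p for p, cfg in ports.items() if not cfg["tagged"] and cfg["untagged"] is None]

def mgmt_reachable(networks, ports, switch_ip, admin_port):
    """True when the switch management IP is inside the admin PC's untagged VLAN subnet."""
    vid = ports[admin_port]["untagged"]
    return vid in networks and ipaddress.ip_address(switch_ip) in ipaddress.ip_network(networks[vid])

def check_plan(networks, ports, switch_ip, admin_port):
    """Return findings as strings; an empty list means the plan is consistent."""
    findings = [f"VLAN {a} and VLAN {b} subnets overlap" for a, b in overlapping_subnets(networks)]
    findings += [f"port {p} is in no VLAN" for p in unassigned_ports(ports)]
    if not mgmt_reachable(networks, ports, switch_ip, admin_port):
        findings.append(f"switch IP {switch_ip} is outside the admin PC's VLAN subnet")
    return findings

if __name__ == "__main__":
    # The poster's situation: switch default IP left outside the primary VLAN's range.
    for line in check_plan(NETWORKS, PORTS, "192.168.0.239", admin_port=4) or ["plan OK"]:
        print(line)
```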
-
"as far as I can tell, if you’re using VLANs with a purple, all connections must be on a VLAN, and you’ll probably want to (or at least, might as well) delete your LAN. (I’d imagine on the gold, you could keep the LAN connection for some ports.)"
The main network need not have a VLAN ID, is this what you are asking?
-
What configuration? I don't see a way in firewalla to export configs. I looked here
-
@Yehuda
- You may have all VLANs on a port (with no LAN).
- You can have a LAN and a VLAN on the same port.
- You cannot have two LANs on the same port (you have to make the second a VLAN)
If you have trouble downstream with these configurations it could be the switch was not configured correctly.