Help us make the Firewalla Switch
We are getting closer to building our first Firewalla Switch! To get us moving faster, please fill out this survey: https://forms.gle/iuCZGmchSshjsTkb7
(By answering this survey, you will be automatically subscribed to Firewalla Newsletters)
---
The Spec is pending and needs your requirements
-
I'm not a sophisticated network configurator. I've been watching the New Firewalla Switch dialog and it appears there are a ton of opinions and as many directions.
I have been using different Firewalla units for a few years now as I developed my network. Currently a Firewalla Gold Pro with TP-Link Omada Controller, Omada managed switches and APs. My ISP can only provide financially practical 1650 Mbps download service. During my journey, I went from a few smaller port-count switches to one Core 2.5G 24 RJ45 + 4 SFP+ switch (SG3428XPP-M2). My thoughts were 100% PoE; I didn't expect to use that capability across all ports, but would have that opportunity. I didn't want to use a bunch of power bricks or USB C/A power supplies. I transitioned all practical power sources to my switch, which cleaned up my network area. I don't like using RJ45 SFP+ adapters due to heat generation, and found out too late that there is really a practical limit on how many should be used next to each other. My best Omada AP had erratic performance on the SFP+ port using an RJ45 adapter (the intent was best Wi-Fi and backhaul performance), even with an SFP++ power supply. My 1000 Mb/s capable devices were directionally faster when I increased the modem and switch capability and before increasing ISP capability beyond 1GB. But practically, I really want fast Wi-Fi speed (400 to 700+ Mbps) with tethered devices except APs at 1000 Mbps.
I would like to see the best wired backhaul performance for APs to my core network. What does that mean with FW AP7s? Probably greater than 2.5G and really a few 10G RJ45 switch ports based on FW's final direction. Maybe a 10G smaller port-count switch for APs (min 4 RJ45 ports) with SFP+ (min 2) capability to connect to a core 2.5G switch. A core switch 2.5G with at least 12 ports. I am using 11 now with a connection to a 1G PoE NVR camera switch.
Sounds like a managed switch may not be required in the FW Zero Trust network based on L2 AP and L3 FW Router/Firewall software enhancement. Would like to know if this is a correct interpretation. Sort of swims upstream against my knowledge of network segmentation security.
Probably rambled a bit, but hopefully my journey and minimum desires are clear. Either way, I can't wait for the FW AP7s and enhanced network capability.
-
My least favorite part about discussing wishlist items with enthusiasts and aspiring enthusiasts is that it always devolves into a "religious" debate. Everyone has their own opinions and requirements; that's what Firewalla asked for with this post: "what are your requirements?". How you feel about someone's wishlist is immaterial, as I'm sure many of these people would scoff at yours as well. A lot of it is personal preference.
The reality here is the team responsible for new product development is almost their own worst enemy. They chose (granted with a lot of excitement from their fan base, myself included) to enter a crowded market in Wi-Fi and now are exploring the same for the switch space. I don't see any way that Firewalla can't make multiple products that pair with the various Firewalla firewalls and be taken seriously, especially when the first AP they introduce has both 2.5G and 10G networking. If I have a Gold Pro, I would want something that offers at minimum 2.5G with multiple 10G ports.
Regarding PoE - I think it's a necessity for those of us that put a lot of time into aesthetics and don't have the "luxury" of hiding our network stack in a closet somewhere. My expectation would be that the PoE standard would be whatever Firewalla could/would potentially use for future APs; maybe it's not PoE++ but I can live with that if it's designed to work within their ecosystem.
That all being said, I hope Firewalla is able to bring something to market, even if it doesn't satisfy my wishlist.
-
@DanM
"Sounds like a managed switch may not be required in the FW Zero Trust network based on L2 AP and L3 FW Router/Firewall software enhancement. Would like to know if this is a correct interpretation."
A managed switch is normally required. Unmanaged ones just pass traffic without touching it (hopefully, as some strip VLAN tags off). So while the firewall and AP can tag things, and technically it isn't truly required as long as tags are maintained, you normally use managed switches so VLAN config can be passed to the switch and to tag specific ports for default VLANs.
-
@Rory M
"especially when the first AP they introduce has both 2.5G and 10G networking. If I have a Gold Pro, I would want something that offers at minimum 2.5G with multiple 10G ports."
That's what I was saying too: the switch should support the products Firewalla actually has. If customers are getting just AP7s and Gold SE type stuff and they want their whole network to be Wi-Fi then that's fine; those people won't be buying a switch anyway because they won't want/care about wired devices. Their customer base for the network switch is the people who have the Gold SE, Gold Plus, and Gold Pro and want their APs and devices hard wired in. To that end, since the Gold Plus and Gold SE have 2.5gb ports, the switch definitely needs 2.5gb ports on it to support those devices. The AP7 (and the next ceiling mount AP) have both 10gb and 2.5gb ports, and the Gold Pro has 10gb and 2.5gb ports, so the switch should probably have 10gb and 2.5gb ports as well. I think the Gold Pro customers are probably also going to be the biggest customers of the switch, which is why I think the switch should probably have four 10gb ports on it.
Whether the network switch should have PoE as well is debatable. I would personally like it to power the next AP coming out, but I can see for a first product just having something like four 10gb and four 2.5gb and no PoE, then have a recommended injector to use for people who want/need PoE+(+).
-
Interpretation: If your environment is small, mostly wireless, and your L3 firewall/router plus L2 AP can handle all VLAN segments (i.e., zero trust policies, advanced routing, and SSID-based segmentation), then a full managed L2 switch may not be mandatory.
Caveat: As soon as you add more wired devices, different VLANs on the wired side, or advanced PoE/QoS/monitoring needs, a managed switch becomes advantageous (and, in many medium-to-large networks, essential).
Thus, it is partly correct to say you can omit a managed L2 switch if everything is handled at L3 on the firewall and you have minimal wired demands. But in any environment with wired VLAN segmentation, substantial PoE requirements, or detailed port-level security, a managed switch is recommended—even in a zero-trust architecture.
We are talking about a switch architecture that will be made commercial. So, least common denominator is very important. That would be a managed switch.
The whole point is to let Firewalla handle every device with its capabilities.
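The two replies above (managed vs. unmanaged switches, and when a managed switch can be omitted) both turn on one mechanism: what happens to the 802.1Q tag on each port. The following is an added example, not code from the thread or from Firewalla. It models a small VLAN-aware switch with a constructed port map (two trunks, two access ports) next to an unmanaged switch that either passes tags through or strips them, so you can see exactly where segmentation survives and where it is silently lost.

```python
"""Model of how a managed and an unmanaged switch handle 802.1Q VLAN tags.

Added example for this thread; it is not Firewalla code. The port map,
MAC addresses and frames below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800  # payload EtherType used for every frame here


@dataclass
class Frame:
    dst: str
    src: str
    vlan: Optional[int]   # None means the frame carries no 802.1Q tag
    payload: bytes = b""


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def encode(f: Frame) -> bytes:
    """Serialise to wire format: dst, src, optional tag, EtherType, payload."""
    raw = _mac(f.dst) + _mac(f.src)
    if f.vlan is not None:
        tci = f.vlan & 0x0FFF  # VLAN ID only; PCP/DEI bits left at zero
        raw += TPID_8021Q.to_bytes(2, "big") + tci.to_bytes(2, "big")
    return raw + ETHERTYPE_IPV4.to_bytes(2, "big") + f.payload


def decode(raw: bytes) -> Frame:
    """Parse wire format back into a Frame, detecting an 802.1Q tag if present."""
    vlan, offset = None, 12
    if int.from_bytes(raw[12:14], "big") == TPID_8021Q:
        vlan = int.from_bytes(raw[14:16], "big") & 0x0FFF
        offset = 16
    return Frame(raw[0:6].hex(":"), raw[6:12].hex(":"), vlan, raw[offset + 2:])


@dataclass(frozen=True)
class PortConfig:
    pvid: int                        # VLAN for untagged ingress; egress in it is untagged
    tagged: frozenset = frozenset()  # VLANs this port carries with tags (trunk)


# Constructed managed-switch port map: two trunks and two access ports.
MANAGED_PORTS: Dict[int, PortConfig] = {
    1: PortConfig(pvid=1, tagged=frozenset({10, 20})),   # uplink to the firewall
    2: PortConfig(pvid=10),                               # access port in VLAN 10
    3: PortConfig(pvid=20),                               # access port in VLAN 20
    4: PortConfig(pvid=1, tagged=frozenset({10, 20})),   # trunk to an AP
}


def forward_managed(raw: bytes, ingress: int, ports=MANAGED_PORTS) -> Dict[int, bytes]:
    """Flood a frame the way a VLAN-aware switch does; returns {egress_port: wire bytes}."""
    f = decode(raw)
    cfg = ports[ingress]
    if f.vlan is None:
        vlan = cfg.pvid          # untagged ingress is classified into the port's PVID
    elif f.vlan in cfg.tagged:
        vlan = f.vlan            # tagged ingress is accepted only on a trunk carrying it
    else:
        return {}                # tag for a VLAN this port does not carry: dropped
    out: Dict[int, bytes] = {}
    for port, pc in ports.items():
        if port == ingress:
            continue
        if vlan == pc.pvid:
            out[port] = encode(Frame(f.dst, f.src, None, f.payload))   # egress untagged
        elif vlan in pc.tagged:
            out[port] = encode(Frame(f.dst, f.src, vlan, f.payload))   # egress tagged
        # a port in neither set never sees this VLAN's traffic
    return out


def forward_unmanaged(raw: bytes, ingress: int, n_ports: int = 4,
                      strips_tags: bool = False) -> Dict[int, bytes]:
    """Flood to every other port. A tag-transparent unmanaged switch keeps the tag;
    one that strips tags hands every port an untagged frame, so whatever receives it
    classifies the frame into that port's native VLAN and the segmentation is gone."""
    f = decode(raw)
    if strips_tags:
        f = Frame(f.dst, f.src, None, f.payload)
    return {p: encode(f) for p in range(1, n_ports + 1) if p != ingress}
```

A broadcast tagged VLAN 20 arriving on the AP trunk (port 4) leaves the managed switch tagged on the firewall uplink and untagged on the VLAN 20 access port only; the VLAN 10 port never sees it. Through a tag-transparent unmanaged switch it reaches every port still tagged, which is the "as long as tags are maintained" case; through one that strips tags it reaches every port untagged, which is the case the first reply warns about.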
-
I had an issue over Christmas where a loop was introduced to the network, which took a while to diagnose. I think having the switch communicate to Firewalla and then the Firewalla send a push notification would be a game changer. When a loop is introduced it's not immediately obvious to everyone that you have a loop; you just get some strange behaviours.
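The post above asks for loop detection that the switch reports to the firewall. As an added example (not from the thread and not Firewalla code), here are two detection heuristics a switch could run over its own data, using a constructed MAC-learning event log and constructed probe records: a MAC that keeps flapping between the same ports, and a self-originated probe frame that comes back in on another port. The alert fields are the facts a push notification would need to carry so the looped ports can be found quickly.

```python
"""Two loop-detection heuristics a switch could run and report upstream.

Added example for this thread; not Firewalla code. The event log and probe
records are constructed for illustration.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Constructed MAC-learning events: (seconds, ingress_port, source_mac).
# 02:..:01 is a laptop that moves port once (legitimate); 02:..:bb is a host whose
# frames keep arriving on ports 3 and 5 because those ports are looped together.
SAMPLE_EVENTS: List[Tuple[float, int, str]] = [
    (0.0, 2, "02:00:00:00:00:01"),
    (0.5, 3, "02:00:00:00:00:bb"),
    (0.6, 5, "02:00:00:00:00:bb"),
    (0.7, 3, "02:00:00:00:00:bb"),
    (0.8, 5, "02:00:00:00:00:bb"),
    (1.0, 2, "02:00:00:00:00:01"),
    (9.0, 7, "02:00:00:00:00:01"),
]


def detect_mac_flaps(events, window_s: float = 5.0, threshold: int = 3) -> List[dict]:
    """Flag a MAC whose learned port changes at least `threshold` times within `window_s`.

    A single move is normal (someone re-plugged a cable); rapid flapping between the
    same ports is the signature of a loop or a mis-cabled second link."""
    last_port: Dict[str, int] = {}
    moves: Dict[str, Deque[Tuple[float, int, int]]] = defaultdict(deque)
    alerts: List[dict] = []
    already = set()
    for t, port, mac in events:
        prev = last_port.get(mac)
        last_port[mac] = port
        if prev is None or prev == port:
            continue
        q = moves[mac]
        q.append((t, prev, port))
        while q and t - q[0][0] > window_s:   # keep only moves inside the window
            q.popleft()
        if len(q) >= threshold and mac not in already:
            already.add(mac)
            ports = sorted({p for _, a, b in q for p in (a, b)})
            alerts.append({"mac": mac, "ports": ports, "moves": len(q), "at": t})
    return alerts


def detect_probe_loops(sent: Dict[str, int], received) -> List[Tuple[int, int]]:
    """Probe-frame check: the switch sends a uniquely identified frame out of each port;
    if one of its own probes comes back in, the egress and ingress ports are looped."""
    loops = set()
    for probe_id, ingress in received:
        if probe_id in sent:
            loops.add((sent[probe_id], ingress))
    return sorted(loops)


def notification_text(alert: dict) -> str:
    """What the firewall could push to the phone, built from the alert fields only."""
    ports = "/".join(str(p) for p in alert["ports"])
    return (f"Possible loop: {alert['mac']} flapped {alert['moves']} times "
            f"between ports {ports} (last move at t={alert['at']:.1f}s)")


if __name__ == "__main__":
    for a in detect_mac_flaps(SAMPLE_EVENTS):
        print(notification_text(a))
    print(detect_probe_loops({"p-1": 1, "p-3": 3, "p-5": 5},
                             [("p-3", 5), ("p-5", 3), ("p-x", 2)]))
```

The window and threshold are the knobs that separate a re-plugged laptop (one move) from a loop (continuous flapping); the probe check is the more decisive of the two because it names the exact port pair, which is what a notification should lead with.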
-
I'm a home user with a large house and an extensively wired configuration. I currently have 1GBE fiber -> Gold Plus -> Eero Pro 6E (Primary AP double NAT'ed) -> Cisco Catalyst 3750G-48PS-48. I've got 3 additional Eero Pro 6E in a mesh using wired backhaul, *multiple* cameras, solar power monitoring, several AppleTVs, PS4/5, a Mac Studio w/ attached RAID, printer, a number of IoT devices, and several hardwired docks for laptops. Given that Firewalla Gold(+) targets both the high end home user and the small office markets, I think you would need several different L2 models (L3 handled at the router level works well enough in these use cases IMO).
1) 4 port wall mountable / rack mountable 10GBE->100MBE auto-sensing w/ 3 POE+ with the same form factor as the Gold Pro
2) 8 port wall mountable / rack mountable 10GBE->100MBE auto-sensing w/ 6 supporting POE+
3) Rack mountable 16 port 10GBE->100MBE auto-sensing w/ 8 POE++ and 2x SFP28
4) Rack mountable and stackable 24 port 10GBE->100MBE auto-sensing w/ 16 POE++ and 4x SFP28.
5) Rack mountable and stackable 48 port 10GBE->100MBE auto-sensing w/ 24 POE++ and 4x SFP28.
The 24 and 48 port models should support LAG. Also love the comment about investigating the Zyxel XMG1915 chipset in order to reduce power utilization where feasible. Fanless preferred (one less thing to worry about), but may not be feasible on larger switch models (which should have dual fans to support this if fans are needed). POE+ vs POE++ on the smaller switches doesn't make a difference to me, but could to others. Small office users may want dual power supply capabilities for redundancy.
QoS for all ports on all switches should be manageable via the firewall to support traffic management (i.e. firewall policy propagating to switch port based on device in a similar manner as micro-segmentation supports by-device VLAN). I'd also like to see ports assignable at the "group" level to ensure that the network ports available to my children can only access allowed content/sites/apps should they find a way to sneak a device onto the network (yes, I know, zero-trust, but I'd rather have the extra capability and not need it than need it and not have it - defense in depth and all that).
All this would suggest there needs to be another Firewalla router above the Gold Pro w/ additional 10GBE ports and an SFP28 port (shipped with a 10GBE RJ45 module by default) for future 25GB upstream bandwidth (Gold Pro Plus / Titanium?). I'd prefer all my Wifi APs to run directly from the Firewalla via 10GBE wired backhaul. I'd also like my switch(es) to have 10GBE connectivity w/ LAG capabilities. A 10GBE for DMZ traffic doesn't hurt either :-). LAG support would be great for those who want failover / higher bandwidth connection to a switch (can be limited to specific ports if needs be).
A "higher" level of web based remote management as a service would be great for IT subcontracting organizations to support different small office customers (i.e. management capability of multiple tenants with the ability to propagate down policies).
Related: I'd love to see the AP7 have a 10GBE downstream port rather than a 2.5GBE. If I need to daisy chain from the AP, I'd love to be able to support full wired speed. A ceiling mounted AP7 would be awesome as well for the small office customer and IT subcontractors.
-
Firewalla
Then make it 12 port all PoE to be half the price; I meant the switch should be 1U but half the size, to make it possible to mount two of them side by side in 1U. And I guess if you don’t have SFP in other products then at least two (2) RJ45 10G copper ports in each switch, and the rest of the ports 2.5G.
If not then tell us what you have in mind?
-
In my opinion, keep it fairly simple. 2.5GB as the mainline, 1 or 2 10GB ports. POE is ok, but I think definitely make that the 2nd choice. Or, if you can have 2 or 3 POE ports mixed in?
I am really not sure what you'd be able to offer to compel me off of a basic $100-$200 switch, but if it wasn't too much more money and offered tighter software integration, that would convince me to switch my switch.
-
Firewalla, please take a look at HPE Aruba Instant On. I think their product offerings are similar to what you are trying to target. Sadly, I don't think you will be able to compete with them on specifications and prices due to their scale and sharing some tech from their enterprise offerings.
-
I may be the odd one here, but I'd rather have multiple smaller switches: one managed 8 port switch, and then a few 4-8 port unmanaged, and then handle VLAN tagging on the managed switch or AP7 port for VLANs to the unmanaged switch.
There are no good affordable US company trusted 2.5gb switches in my opinion. And 10G is overkill for what i need out of the unmanaged switches. But 2.5 from the unmanaged to managed, and then 10g uplink from managed to firewalla would be ideal.
I would run my APs off the managed switch directly, tagging all vlans, and then the all additional iot devices and such off the unmanaged switch.
POE is a must on all ports.
The price should be competitive with Aruba Instant On switches.
And size wise should fit in a structured media cabinet like leviton that is being installed on new builds across the US. With ears to rack mount for those who have racks.
This will cover more of the non full networking stack users doing it this way as well.
If someone NEEDS a 10g 48 port switch, they are going to be willing to pay a lot more for it. This is not the average consumer.
-
For me, an 8 port and a 16 port 2.5 gbps switch with POE+ on half the ports. I really don’t need over 2.5 gbps; I’m running gigabit switches today (Aruba on Demand) and they work great. However, 2.5 gb would give me an incentive to upgrade. 10 gbps is going to drive the price up too much and I also worry about the power consumption of 10 gbps copper. If I need a 10 gbps link I’ll use an SFP and fiber, in part to keep power consumption down. I’d be very excited to see a Firewalla switch; it would really round out the ecosystem.
-
The fact is, to be taken seriously, you'll need to develop an entire lineup of switches.
If it were me, I would look at the Ubiquiti "Pro Max" lineup and build comparable units (similar hardware, and close-ish on price, depending on value add of additional features)... The 16, 24, and 48 port units. And probably an 8 port unit and something like their "flex" lineup eventually. (While Ubiquiti has plenty of cheaper options, I don't think you need to / should compete with those).
(You can ignore Ubiquiti's silly "ether-lighting"; it makes for a cool demo, but pretty limited utility. It's not worth more than a few dollars per switch to me).
If you're going to do it, I think you'll find it a hard market unless you develop some truly innovative features on top of it. If it's a white label of existing switch technology with a nice app overlay, that's great, but it won't demand any premium. Ubiquiti's already a super nice UI. If you've got plans for truly unique stuff, that's great.
-
It is for sure not possible to build a lineup of switches together. We are looking to start something simple (a popular model) and then move up or down the ladder.
At the moment, it is really hard to zero in on the spec, and that problem is mainly due to pricing expectations from some and also capability concerns from others. Some want the switch to have enterprise features at TPLink price. Others want the best and at any cost ...
Anyway, we started another quick survey together with the AP7 already; hopefully that will give us more direction.
-
For sure you've got to start somewhere. I meant to say "16, 24, 48... *In that order*"
What's your typical demographic? If it's home users, maybe smaller still
Cheap options abound. No point in wasting Firewalla development talent on that. Build something special and charge appropriately, or just skip it.
-
"At the moment, it is really hard to zero in on the spec, and that problem is mainly due to pricing expectations from some and also capability concerns from others. Some want the switch to have enterprise features at TPLink price. Others want the best and at any cost ..."
@Firewalla I think that would be the case regardless of the product or the vendor. Your thought process is correct: try and hit the middle of the bell curve. Enough ports to cover most use-cases.
Personal opinion: I almost would rather see you all have an 8 port 2.5G + 2 port 10G and deploy two of them together for additional density using the 2x10G ports (SFP or Copper). Bonus points if it's 10G across the board (but that's a lot of heat).
I do agree, once you start layering in a POE feature, your permutations get a little bit crazy. Which flavor? How many ports? etc. Maybe merit in having a POE version and a non-POE version? But now you're talking so many SKUs, prob. not what you all are looking to do.
As far as the comment about UniFi, I humbly disagree, I would use their model as an anti-pattern. They have so many models, so many flavors, and so much churn, it's just exhausting.
Having a smaller 8/10 port switch would allow me to setup a homelab in one of these too https://deskpi.com/products/deskpi-rackmate-t1-rackmount-10-inch-4u-server-cabinet-for-network-servers-audio-and-video-equipment
Having Firewalla software/integration on top of a layout/port config similar to CRS310-8G+2S+IN or CSS610-8P-2S+IN (if you wanted POE) would be a solid offering. Esp. as a starting point.
-
I’d love to have an end to end Firewalla system, router, switches, and AP’s. Got two of the three so far.
On switching, I run a 48 port POE, a 24 Port POE, and a 16 port 10G aggregation switch.
Would love to see models that align to that. Or possibly even create a bigger rack mounted router with 8 ports of PoE++ and multiple 10Gb uplinks. Wouldn’t really want anything less than 2.5Gb ports for Ethernet as it seems like the cost should be coming down enough to make those ubiquitous.
Unless you’re just trying to sell a lab product, I don’t know why you’d consider anything less than 16 ports. And I’m not looking for the cheapest thing out there, I’m looking for a fully integrated stack with unified management. That’s the value to me. I’m guessing you’re approaching this market not to try and take on the Ubiquiti’s of the world, but rather to develop an end to end awesome experience for Firewalla folks. Of course, I’m also often wrong. Just ask my wife. 😉