Bridge Mode, separate plural VPN bridges on Firewalla Gold Pro

Comments

9 comments

  • Michael Bierman

    If you want to block access for all devices on VLAN1 > VLAN2, go to VLAN2 and create a block for traffic matching "from" (or "from and to", as appropriate) VLAN1 (or all local networks, if you prefer) on VLAN2.
  • Volker Jordan

    Thank you, Michael. However, it appears that in bridge mode I can specify blocking rules only with respect to "ON" or "TARGET", but not with respect to "SOURCE". The latter would be needed to follow your advice, according to my understanding. Or did I overlook or misunderstand something?
  • Volker Jordan

    Hi Firewalla team: Do you have any advice? If there is no solution, then please consider the above as a feature request. I
  • Michael Bierman

    Hi Volker,

    Sorry, I see your point. Mostly I run in router mode, so I forgot the options are different in bridge mode. I think the earlier suggestion of using an IP range should work. Did you try that?
  • Volker Jordan

    Hi Michael, yes, this should work, but the respective IP range would be blocked completely, according to my understanding, so that the corresponding IP traffic would not reach the router (in my case the UDM SE). I would like to define the transmission and blocking rules for IP traffic between the LAN and the VLANs in the UDM SE, not in the Firewalla device.
  • Michael Bierman

    So you have UDM SE {router mode} > Gold Pro {bridge mode}. That's fine, as long as all devices connect downstream of the Gold.

    > I would like to define the blocking and pass rules between the untagged LAN and the VLANs in the UDM SE. This means the individual bridges should let all traffic pass to the UDM SE,

    That is what will happen.

    > also if an IP address of another VLAN is the target, but that there shouldn't be a passing of such traffic between the VLANs within the Gold Pro.

    Not sure I follow you here. Each VLAN in the Gold Pro will send traffic to the UDM SE, and it will decide what to do. The traffic on each VLAN is separate from all the other VLANs in bridge mode.
  • Volker Jordan

    Hi Michael, I think that your assumption at the end of your post is not correct. My understanding is that the IP traffic passes between the bridges of the Gold Pro in bridge mode. Otherwise the advice

    > Rules for blocking VLANs
    >
    > If you like to block VLAN 1 from accessing VLAN 2, a blocking rule that matches the local network VLAN 1, applied to VLAN 2, will not work. Instead, you can create a rule to block the IP range (the subnet of VLAN 1), then apply it to VLAN 2. If you have several VLANs, a Target List will make this easier.

    at https://help.firewalla.com/hc/en-us/articles/1500012304202-Firewalla-Transparent-Bridge-Mode

    makes no sense according to my understanding.
  • Firewalla Team

    In router mode, all networks are managed by Firewalla. You can create a rule to block all local traffic from/to a specific network.

    But in bridge mode, each bridge network is independent and it cannot control local traffic. If you want to block traffic from VLAN 1 to VLAN 2, you will need to set 'MATCHING' to IP range and manually enter the VLAN 1 IP range. If you need to block several VLAN networks from accessing VLAN 2, you can set rules for those VLAN networks separately or create a target list with those VLANs included. That could be easier. So far there is no better choice for your case.
  • Volker Jordan

    Hi Firewalla Team, thank you for your response, but I do not completely understand it. You write that in bridge mode each bridge network is independent. But what does "independent" mean in this context? If you have to set these blocking rules to prevent traffic from passing from VLAN 1 to VLAN 2 (within the Firewalla device, I assume), I would say that the bridge for VLAN 1 and the bridge for VLAN 2 are not independent.

    Or do I understand your advice wrongly?