Unifi USG / Firewalla configuration

Comments

52 comments

  • Avatar
    Firewalla

    The transparency may require a physical bridge connection between your routers.   Example

    USG <----> WiFi

    to

    USG <----> Firewalla <--- Wifi 

    In the second case, firewalla will need to be Gold, since it has three more ports.   Can the gold do this type of bridging, I think one of our engineers is looking at now.  

    2
    Comment actions Permalink
  • Avatar
    James

    I have the same question. How can configure firewalla with my usg ubiquiti router?

    2
    Comment actions Permalink
  • Avatar
    xOperator

    Any update of your engineers worked on transparent bridging?

    For the price of the gold, I seem like not having this feature is a big miss, especially if you are looking to have "advanced" users attracted to the gold.

     

    I've been on the fence on getting the Gold or just getting a Protectli box and putting something on there for transparent bridging with a Uibiquiti products (USG/UDM)

    2
    Comment actions Permalink
  • Avatar
    Firewalla

    The transparent bridging feature hasn't started yet, we have no idea the cost to build that system.   Everyone is pretty much focusing to get the release 1.0 out of the Gold, will likely to look at this after we deliver Dual WAN and QoS features. 

    3
    Comment actions Permalink
  • Avatar
    xOperator

    thanks for an update

    1
    Comment actions Permalink
  • Avatar
    Guy Stewart

    Just a reminder to the team that this feature is still in demand. 

    Firewalla Gold is currently causing sporadic connectivity issues with my Unifi network. 

    5
    Comment actions Permalink
  • Avatar
    Panos Ips

    i’m facing the same issue:

    However, as expected, all traffic stats from the Unifi Controller shows that everything is going through Firewalla rather than each individual device. Is there a way to configure the Firewall network (I'm not great with network settings) to have this transparency

    Is there a way to achieve transparency on USG? I own a firewalla blue

    3
    Comment actions Permalink
  • Avatar
    rajuabju

    Another vote for Bridge mode! Definitely would love this feature on my Firewalla Gold

    5
    Comment actions Permalink
  • Avatar
    Firewalla

    Got it... this is a significantly bigger feature request, need more up votes.  

    10
    Comment actions Permalink
  • Avatar
    sk0rp10

    Up - totally agree on getting the layer 2 mode. it would sort out for once the Google Wifi problem (https://help.firewalla.com/hc/en-us/articles/360048869274?page=1#comment_360006838153) , make it compatible with other systems like UniFi, and also get you a Gold Box offer which covers a lot more use cases. Layer 2 firewalls are pretty common (and appreciated!) in complex network setup. 

     

    You have my double-upvote (I have a blue and a gold, and I paid import tax in the UK , can I get two upvotes? :D ) 

    3
    Comment actions Permalink
  • Avatar
    Richard Riffel

    I also agree.  I have settled with the USG->FGold->Rest of Uni AP's and Switches.    I was finally able to get a single Uni controller to drive it all despite FGold in Router mode.  However the stats do need to be piecemeal connected although I can see the aggregate traffic totals.    I also use Pi-Hole as a DNS server in there so I can see who is driving alot of DNS querys as a starting point when I see unexpectedly high traffic.  But Transparent Bridging would definitely be a plus and add alot of value.  Already voted up 2x (I also have a blue).

    4
    Comment actions Permalink
  • Avatar
    rajuabju

    Yup, I've been holding out hope for this to happen for months now. I get its a big ask, but I hope the Firewalla team listens to the requests.

    For me, at home I have one FW Gold running in Simple mode just fine for my home / homelab UNiFI network, where I have a USG-Pro4, and a bunch of UI switches and AP's, although if it would be in Bridge / Transparent mode, so my network doesn't have all the ARP requests back and forth, it would be a huge plus.

    But I wont deploy the FWG for all the dozen or so rental properties I oversee. Simple mode doesnt "do enough", and I dont want to remove all the USG-Pro4's because they are perfect in every way except IDS/IPS! I'd quickly deploy FWG's across all the rental properties I manage, all of which have smallish networks running USG-Pro4's + each with a 1-2 UI switches & between 4-5 AP's.

    I hope this gets added to the roadmap at some point in the not too distant future.

    1
    Comment actions Permalink
  • Avatar
    Firewalla

    Now we have the Gold out :) we are open to looking at the bridging mode.  So, if you are interested in this mode, please post it here. 

    Here is what we are thinking.  

    1. We can not do a totally transparent bridge mode.  That's is not possible for us.

    2. We likely can do a transparent mode, but the Gold will still need to get an IP address from your main router.

    3. There are certain features that may not work due to bridging,  will list them once we hear more interest on this mode.

    4. This mode will only be available to the Gold (it needs two or more real ethernet ports)

    5. We hope the performance is the same router mode ... we have not tested anything yet.

     

     

    3
    Comment actions Permalink
  • Avatar
    sk0rp10

    let me just say: Folks - you - at Firewalla are just AMAZING :) A few hours since we're asking for a massive feature and you just laid down what looks like a great plan. 

    Needing Firewalla to get an IP? Not a big deal in my own view . Haven't tested the performances yet? Same. 

    You know why? Cause of course we'll support you and test the hell out of the feature once you get it out on beta :) - first in line here I am. 

    Seriously, thanks guys. Never been so happy of having purchased a product and joined this amazing community. 

     

    2
    Comment actions Permalink
  • Avatar
    Richard Riffel

    I completely agree with sk0rp10 - this is service and customer engagement that is very rare today.  I develop hardware based communication products and know how hard it is to balance these kinds of things so even coming up with a rough proposal is great.

    I'm on board with this, even with limitations.  There would be enough value in the transparency that trading off some features is something i'd expect and certainly be able to manage.

    I'm also ready to get in line - 2nd - for testing etc.

    Thanks for getting back to us quickly regardless of where this ends up.  Great work.

    2
    Comment actions Permalink
  • Avatar
    rajuabju

    Yup, I'd be happy to beta test transparent mode with limitations in my homelab before buying/deploying to production sites I oversee.

    Getting its IP from main router isnt an issue/concern at all (unless that somehow will interfere with the "single pane of glass" stats/info that all my UNiFI devices feed into the controller but I dont think that should be the case). What I'd like (ideally) to see is my modem <---> router (USG and others of course) <---> FWG <----> switches <----> everything else. No need for firewalla to do DHCP, DNS, or any other routing functions. Just pure firewally (firewalla) features --- blocking bad stuff, and IDS/IPS.

    2
    Comment actions Permalink
  • Avatar
    Firewalla

    @rajuabju, yes understand, this is the "bridging function".   If you do not need firewalla do DNS, then you will lose all the DNS blocks ... 

    Everyone else, please post here if you need the feature.  This is a very large feature, so we want to make sure there is enough support for it before we start designing this.   Also, this feature can't happen over night, it is a bigger change.  

    At least, it is on the discussion list for 1.973 or 1.974.

    3
    Comment actions Permalink
  • Avatar
    David Beaumier

    I'm very interested by this feature.

    I think it also has the potential to allow for a graduall transition from a full Unifi stack to using the FWG as the main router, but in smaller steps.

    2
    Comment actions Permalink
  • Avatar
    hody

    I am definitely interested in the feature. Being able to set up firewalla gold and unifi together would be amazing.

    I have the UDM-PRO. And running tons here. Would love to use both.

    3
    Comment actions Permalink
  • Avatar
    Alex

    Just one question: Why you are using FWG and USG? Why you are not replacing the USG and do all the router stuff with firewalla?

    I own several unifi switches and aps and a FWG, but no USG. I see no reason why I should mix it with a USG? (And why not using just one of both).

    Maybe someone can explain it to me :-)

    0
    Comment actions Permalink
  • Avatar
    xOperator

    I'm still up for it.

     

    For the poster above,  I dont use USG, I use the UDM Pro, (2) 16 XG switches, (2) POE 48 Pros, and some unmanaged POE and Ethernet Netrgear switches.

    I have lots of cameras (25+), 4 esxi hosts, lots of VMs. I have some spare Cisco routers and switches, used to use a Cisco ASA, then moved to a PFsense, now im just lazy and like simple/easy things to manage for my home network

     

    2
    Comment actions Permalink
  • Avatar
    AR_Unseasoned

    I really need this also.

    I have a UDM Pro, 3x UAP AC Pro (currently hooked to the UDM Pro).

    Firewalla GOLD, I purchased to have Parental Controls the UDM Pro does not offer.

    I'm no network expert, and everything I tried to set up the GOLD has NOT worked with the UDM Pro to have all Parental Controls work.

    So I don't know if the solution you're all referring to will permit the full Parental Controls the GOLD offers with the UDM Pro, but if yes I'm all for it.

    I can do the setup like this:

    ISP Modem -> GOLD -> UDM Pro -> UAP AC Pro

    OR

    ISP Modem -> UDM Pro -> UAP AC Pro

                                            -> GOLD

    Thank you.

     

     

    1
    Comment actions Permalink
  • Avatar
    xOperator

    My dream setup would be Fiber ONT -> Firewalla Gold -> UDM Pro

    2
    Comment actions Permalink
  • Avatar
    David Beaumier

    To answer @Alex question, my main motivation to add the FWG in addition to a USG (or a UDM - same router role) is to get maximum network performances (2 ethernet ports vs 1 on other devices).

    IMHO the FWG should go in between the USG/UDM and the switch/AP. In that scenario the unifi router would still act as the outside network boundary.

    2
    Comment actions Permalink
  • Avatar
    Richard Riffel

    @David, this is the same setup I am looking for.  I run this configuration now but lose the visibility after FWG, so am looking in multiple places.   The USG on the outside is a main boundary for me, but it's nowhere close to as flexible or feature-rich as FWG.   But having a single control plane over both Uni and FWG is attractive and I get super features with FWG without compromising on either side of this.

    2
    Comment actions Permalink
  • Avatar
    Hoby Brenner

    Another vote for Bridge mode here as well.  I could unbox my Gold again and make use of it in my Unifi setup!

    4
    Comment actions Permalink
  • Avatar
    Thomas Nagels

    +1 There are hardly any solutions available which will "play nice" with the UNIFI setup.

    Ideally I would put this between the USG and the rest of the network, so that it basically sees all that goes from clients to UST and the internet. I prefer it inside (LAN° the network, rather than outside (WAN) because the USG will obscure any strange things going on internally.

    So, in an ideal scenario: transparent mode on multiple VLAN's at the same time, please!

    3
    Comment actions Permalink
  • Avatar
    Dean Holland

    Another +1 for bridge mode.

    I'm currently using a Sophos XG VM in bridge mode between a USG Pro and USW. I'm using it for web filtering but I believe most access control is from the two piholes on my network.

    Being able to manage firewall, port-forwards, VLANs etc. through the existing Unifi controller is desirable. Understandable the Firewalla needs an IP for pihole etc. but the target users for bridge mode probably understand this and the changes made to their DHCP servers to accommodate it.

    As with the previous poster, I also use multiple VLANs so a VLAN-capable bridge mode would be ideal!

    2
    Comment actions Permalink
  • Avatar
    Firewalla

    Please upvote this thread if you really want to use the feature. 

    3
    Comment actions Permalink
  • Avatar
    sk0rp10

    There’s seems to be quite a lot of us already to at least give it a try in a Beta ;)

    1
    Comment actions Permalink

Please sign in to leave a comment.