Unifi USG / Firewalla configuration
Hi,
I'm enjoying the Firewalla Blue on my basic home network - it was very effective. I've now upgraded my network to a Ubiquiti Unifi system which is fantastic and has transformed the network experience. I have added the Firewalla Blue onto this, and generally it all seems fine.
However, as expected, all traffic stats from the Unifi Controller show that everything is going through Firewalla rather than each individual device. Is there a way to configure the Firewalla network (I'm not great with network settings) to have this transparency?
Thanks!
-
The transparency may require a physical bridge connection between your routers. Example:
USG <----> WiFi
to
USG <----> Firewalla <----> WiFi
In the second case, Firewalla will need to be Gold, since it has three more ports. Can the Gold do this type of bridging? I think one of our engineers is looking at that now.
-
Any update on whether your engineers worked on transparent bridging?
For the price of the Gold, it seems like not having this feature is a big miss, especially if you are looking to have "advanced" users attracted to the Gold.
I've been on the fence on getting the Gold or just getting a Protectli box and putting something on there for transparent bridging with Ubiquiti products (USG/UDM).
-
I'm facing the same issue:
However, as expected, all traffic stats from the Unifi Controller show that everything is going through Firewalla rather than each individual device. Is there a way to configure the Firewalla network (I'm not great with network settings) to have this transparency?
Is there a way to achieve transparency on USG? I own a Firewalla Blue.
-
Up - totally agree on getting the layer 2 mode. It would sort out for once the Google Wifi problem (https://help.firewalla.com/hc/en-us/articles/360048869274?page=1#comment_360006838153), make it compatible with other systems like UniFi, and also get you a Gold Box offer which covers a lot more use cases. Layer 2 firewalls are pretty common (and appreciated!) in complex network setups.
You have my double-upvote (I have a Blue and a Gold, and I paid import tax in the UK, can I get two upvotes? :D )
-
I also agree. I have settled with the USG->FGold->Rest of UniFi APs and Switches. I was finally able to get a single UniFi controller to drive it all despite FGold in Router mode. However the stats do need to be piecemeal connected although I can see the aggregate traffic totals. I also use Pi-Hole as a DNS server in there so I can see who is driving a lot of DNS queries as a starting point when I see unexpectedly high traffic. But Transparent Bridging would definitely be a plus and add a lot of value. Already voted up 2x (I also have a Blue).
-
Yup, I've been holding out hope for this to happen for months now. I get it's a big ask, but I hope the Firewalla team listens to the requests.
For me, at home I have one FW Gold running in Simple mode just fine for my home / homelab UniFi network, where I have a USG-Pro4, and a bunch of UI switches and APs, although if it would be in Bridge / Transparent mode, so my network doesn't have all the ARP requests back and forth, it would be a huge plus.
But I won't deploy the FWG for all the dozen or so rental properties I oversee. Simple mode doesn't "do enough", and I don't want to remove all the USG-Pro4's because they are perfect in every way except IDS/IPS! I'd quickly deploy FWGs across all the rental properties I manage, all of which have smallish networks running USG-Pro4's + each with 1-2 UI switches & between 4-5 APs.
I hope this gets added to the roadmap at some point in the not too distant future.
-
Now we have the Gold out :) we are open to looking at the bridging mode. So, if you are interested in this mode, please post it here.
Here is what we are thinking.
1. We can not do a totally transparent bridge mode. That is not possible for us.
2. We likely can do a transparent mode, but the Gold will still need to get an IP address from your main router.
3. There are certain features that may not work due to bridging; we will list them once we hear more interest in this mode.
4. This mode will only be available to the Gold (it needs two or more real ethernet ports).
5. We hope the performance is the same as router mode ... we have not tested anything yet.
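The following is an added illustration (not Firewalla code, and not a description of how the Gold would implement the plan above) of why the stats problem raised at the top of the thread happens, and why a bridge that still holds its own IP address (item 2) would fix it. It simulates constructed sample traffic from three clients passing through either a NAT router or a layer 2 bridge, then tallies what a controller upstream of the device could attribute per source MAC/IP. All addresses are hypothetical.

```python
"""Added illustration: why an upstream router's per-device statistics collapse
behind a NAT router but survive behind a transparent (layer 2) bridge.
Simulation with constructed sample traffic; not Firewalla code."""
from collections import Counter
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Frame:
    """One Ethernet frame carrying a simplified IPv4 packet."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    length: int


class NatRouter:
    """Router mode: every outbound flow is rewritten so the upstream device
    only ever sees the router's own WAN MAC and IP as the source."""

    def __init__(self, wan_mac, wan_ip, gateway_mac, first_port=40000):
        self.wan_mac = wan_mac
        self.wan_ip = wan_ip
        self.gateway_mac = gateway_mac
        self.next_port = first_port
        self.nat_table = {}  # (lan_ip, lan_port) -> translated WAN source port

    def forward(self, frame):
        key = (frame.src_ip, frame.src_port)
        if key not in self.nat_table:
            self.nat_table[key] = self.next_port
            self.next_port += 1
        return replace(frame, src_mac=self.wan_mac, dst_mac=self.gateway_mac,
                       src_ip=self.wan_ip, src_port=self.nat_table[key])


class TransparentBridge:
    """Bridge mode: frames are learned and switched at layer 2 but leave
    unchanged. The bridge may still own a management IP of its own, which
    has no effect on the client frames passing through it."""

    def __init__(self, mgmt_ip=None):
        self.mgmt_ip = mgmt_ip  # address the bridge itself obtains (e.g. via DHCP)
        self.fdb = {}           # forwarding database: MAC -> port it was learned on

    def forward(self, frame, in_port="lan"):
        self.fdb[frame.src_mac] = in_port
        return frame


# Constructed sample clients: (MAC, IP, bytes per frame). Hypothetical values.
CLIENTS = [
    ("aa:bb:cc:00:00:01", "192.168.10.11", 1500),
    ("aa:bb:cc:00:00:02", "192.168.10.12", 900),
    ("aa:bb:cc:00:00:03", "192.168.10.13", 300),
]
GATEWAY_MAC = "de:ad:be:ef:00:01"  # constructed: the client's next hop
WEB_SERVER = "203.0.113.10"        # documentation (TEST-NET-3) address


def sample_frames():
    """Each client sends two frames to the same external web server."""
    frames = []
    for i, (mac, ip, size) in enumerate(CLIENTS):
        for n in range(2):
            frames.append(Frame(mac, GATEWAY_MAC, ip, WEB_SERVER,
                                50000 + 10 * i + n, 443, size))
    return frames


def upstream_stats(frames):
    """What a controller upstream of the device can attribute:
    bytes per (source MAC, source IP) it actually observes."""
    counts = Counter()
    for f in frames:
        counts[(f.src_mac, f.src_ip)] += f.length
    return counts


def stats_behind(device):
    """Run the constructed traffic through a device and tally what the
    upstream router would see."""
    return upstream_stats(device.forward(f) for f in sample_frames())


if __name__ == "__main__":
    router = NatRouter("aa:bb:cc:ff:ff:ff", "192.168.1.2", GATEWAY_MAC)
    bridge = TransparentBridge(mgmt_ip="192.168.1.2")
    print("router mode:", dict(stats_behind(router)))  # a single entry
    print("bridge mode:", dict(stats_behind(bridge)))  # one entry per client
```

Running it shows the router case collapsing to one (MAC, IP) entry carrying the whole byte total, while the bridge case keeps one entry per client with the same overall total; the bridge's management IP exists only for the device itself and never appears in forwarded client traffic.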
-
Let me just say: Folks - you - at Firewalla are just AMAZING :) A few hours since we asked for a massive feature and you just laid down what looks like a great plan.
Needing Firewalla to get an IP? Not a big deal in my own view. Haven't tested the performance yet? Same.
You know why? Because of course we'll support you and test the hell out of the feature once you get it out on beta :) - first in line here I am.
Seriously, thanks guys. Never been so happy of having purchased a product and joined this amazing community.
-
I completely agree with sk0rp10 - this is service and customer engagement that is very rare today. I develop hardware based communication products and know how hard it is to balance these kinds of things so even coming up with a rough proposal is great.
I'm on board with this, even with limitations. There would be enough value in the transparency that trading off some features is something I'd expect and certainly be able to manage.
I'm also ready to get in line - 2nd - for testing etc.
Thanks for getting back to us quickly regardless of where this ends up. Great work.
-
Yup, I'd be happy to beta test transparent mode with limitations in my homelab before buying/deploying to production sites I oversee.
Getting its IP from the main router isn't an issue/concern at all (unless that somehow will interfere with the "single pane of glass" stats/info that all my UniFi devices feed into the controller, but I don't think that should be the case). What I'd like (ideally) to see is my modem <---> router (USG and others of course) <---> FWG <----> switches <----> everything else. No need for Firewalla to do DHCP, DNS, or any other routing functions. Just pure firewally (Firewalla) features --- blocking bad stuff, and IDS/IPS.
-
@rajuabju, yes understand, this is the "bridging function". If you do not need Firewalla to do DNS, then you will lose all the DNS blocks ...
Everyone else, please post here if you need the feature. This is a very large feature, so we want to make sure there is enough support for it before we start designing this. Also, this feature can't happen overnight, it is a bigger change.
At least, it is on the discussion list for 1.973 or 1.974.
-
Just one question: Why are you using FWG and USG? Why aren't you replacing the USG and doing all the router stuff with Firewalla?
I own several Unifi switches and APs and a FWG, but no USG. I see no reason why I should mix it with a USG? (And why not use just one of the two.)
Maybe someone can explain it to me :-)
-
I'm still up for it.
For the poster above, I don't use USG, I use the UDM Pro, (2) 16 XG switches, (2) POE 48 Pros, and some unmanaged POE and Ethernet Netgear switches.
I have lots of cameras (25+), 4 ESXi hosts, lots of VMs. I have some spare Cisco routers and switches, used to use a Cisco ASA, then moved to a pfSense, now I'm just lazy and like simple/easy things to manage for my home network.
-
I really need this also.
I have a UDM Pro, 3x UAP AC Pro (currently hooked to the UDM Pro).
Firewalla GOLD, I purchased to have Parental Controls the UDM Pro does not offer.
I'm no network expert, and everything I tried to set up the GOLD has NOT worked with the UDM Pro to have all Parental Controls work.
So I don't know if the solution you're all referring to will permit the full Parental Controls the GOLD offers with the UDM Pro, but if yes I'm all for it.
I can do the setup like this:
ISP Modem -> GOLD -> UDM Pro -> UAP AC Pro
OR
ISP Modem -> UDM Pro -> UAP AC Pro
-> GOLD
Thank you.
-
To answer @Alex's question, my main motivation to add the FWG in addition to a USG (or a UDM - same router role) is to get maximum network performance (2 ethernet ports vs 1 on other devices).
IMHO the FWG should go in between the USG/UDM and the switch/AP. In that scenario the unifi router would still act as the outside network boundary.
-
@David, this is the same setup I am looking for. I run this configuration now but lose the visibility after FWG, so am looking in multiple places. The USG on the outside is a main boundary for me, but it's nowhere close to as flexible or feature-rich as FWG. But having a single control plane over both Uni and FWG is attractive and I get super features with FWG without compromising on either side of this.
-
+1 There are hardly any solutions available which will "play nice" with the UNIFI setup.
Ideally I would put this between the USG and the rest of the network, so that it basically sees all that goes from clients to USG and the internet. I prefer it inside (LAN) the network, rather than outside (WAN), because the USG will obscure any strange things going on internally.
So, in an ideal scenario: transparent mode on multiple VLAN's at the same time, please!
-
Another +1 for bridge mode.
I'm currently using a Sophos XG VM in bridge mode between a USG Pro and USW. I'm using it for web filtering but I believe most access control is from the two piholes on my network.
Being able to manage firewall, port-forwards, VLANs etc. through the existing Unifi controller is desirable. Understandably the Firewalla needs an IP for pihole etc., but the target users for bridge mode probably understand this and the changes made to their DHCP servers to accommodate it.
As with the previous poster, I also use multiple VLANs so a VLAN-capable bridge mode would be ideal!
53 comments