Unifi USG / Firewalla configuration

Comments

52 comments

  • Firewalla

    Got it... this is a significantly bigger feature request, need more up votes.  

    10
  • Firewalla

    There is a possibility that this feature may be coming in 1.973.  The code is done, just need to polish it a bit.

    8
  • Guy Stewart

    Just a reminder to the team that this feature is still in demand. 

    Firewalla Gold is currently causing sporadic connectivity issues with my Unifi network. 

    5
  • rajuabju

    Another vote for Bridge mode! Definitely would love this feature on my Firewalla Gold

    5
  • Richard Riffel

    I also agree. I have settled with the USG->FGold->Rest of Uni AP's and Switches. I was finally able to get a single Uni controller to drive it all despite FGold in Router mode. However the stats do need to be piecemeal connected although I can see the aggregate traffic totals. I also use Pi-Hole as a DNS server in there so I can see who is driving a lot of DNS queries as a starting point when I see unexpectedly high traffic. But Transparent Bridging would definitely be a plus and add a lot of value. Already voted up 2x (I also have a blue).

    4
  • Hoby Brenner

    Another vote for Bridge mode here as well.  I could unbox my Gold again and make use of it in my Unifi setup!

    4
  • Firewalla

    A bit more information for all of you interested. And likely after we push 1.972 to beta, we should be able to start a preview on this bridge mode.

    The transparent bridge mode will be a layer 2 bridge.   When the bridge mode is on, there will be no concept of WAN (it is a bridge), and features that involve complex routing will be disabled (primarily Policy Based Routing)

    4
  • Firewalla

    The transparent bridging feature hasn't started yet, we have no idea the cost to build that system. Everyone is pretty much focusing on getting the release 1.0 out of the Gold, will likely look at this after we deliver Dual WAN and QoS features.

    3
  • Panos Ips

    I’m facing the same issue:

    However, as expected, all traffic stats from the Unifi Controller shows that everything is going through Firewalla rather than each individual device. Is there a way to configure the Firewall network (I'm not great with network settings) to have this transparency?

    Is there a way to achieve transparency on USG? I own a firewalla blue.

    3
  • sk0rp10

    Up - totally agree on getting the layer 2 mode. It would sort out for once the Google Wifi problem (https://help.firewalla.com/hc/en-us/articles/360048869274?page=1#comment_360006838153), make it compatible with other systems like UniFi, and also get you a Gold Box offer which covers a lot more use cases. Layer 2 firewalls are pretty common (and appreciated!) in complex network setup.

     

    You have my double-upvote (I have a blue and a gold, and I paid import tax in the UK, can I get two upvotes? :D)

    3
  • Firewalla

    Now we have the Gold out :) we are open to looking at the bridging mode.  So, if you are interested in this mode, please post it here. 

    Here is what we are thinking.  

    1. We cannot do a totally transparent bridge mode.  That is not possible for us.

    2. We likely can do a transparent mode, but the Gold will still need to get an IP address from your main router.

    3. There are certain features that may not work due to bridging,  will list them once we hear more interest on this mode.

    4. This mode will only be available to the Gold (it needs two or more real ethernet ports)

    5. We hope the performance is the same as router mode ... we have not tested anything yet.

     

     

    3
  • Firewalla

    @rajuabju, yes understand, this is the "bridging function". If you do not need firewalla to do DNS, then you will lose all the DNS blocks ...

    Everyone else, please post here if you need the feature. This is a very large feature, so we want to make sure there is enough support for it before we start designing this. Also, this feature can't happen overnight, it is a bigger change.

    At least, it is on the discussion list for 1.973 or 1.974.

    3
  • hody

    I am definitely interested in the feature. Being able to set up firewalla gold and unifi together would be amazing.

    I have the UDM-PRO. And running tons here. Would love to use both.

    3
  • Thomas Nagels

    +1 There are hardly any solutions available which will "play nice" with the UNIFI setup.

    Ideally I would put this between the USG and the rest of the network, so that it basically sees all that goes from clients to UST and the internet. I prefer it inside (LAN) the network, rather than outside (WAN) because the USG will obscure any strange things going on internally.

    So, in an ideal scenario: transparent mode on multiple VLAN's at the same time, please!

    3
  • Firewalla

    Please upvote this thread if you really want to use the feature. 

    3
  • Firewalla

    Bridge mode will be there for sure;  Hopefully right after 1.972 is out.  

    The bridge mode we are talking about is an "L2" bridge.  Meaning, some of the complex routing functions will NOT work when in bridge mode. (example, PBR, and VPN Client).   Besides this, it should be pretty transparent to be placed between your existing router and AP. 

    3
  • Firewalla

    The transparency may require a physical bridge connection between your routers.   Example

    USG <----> WiFi

    to

    USG <----> Firewalla <--- Wifi 

    In the second case, firewalla will need to be Gold, since it has three more ports. Can the gold do this type of bridging? I think one of our engineers is looking at it now.

    2
  • James

    I have the same question. How can I configure firewalla with my usg ubiquiti router?

    2
  • xOperator

    Any update of your engineers worked on transparent bridging?

    For the price of the gold, it seems like not having this feature is a big miss, especially if you are looking to have "advanced" users attracted to the gold.

     

    I've been on the fence on getting the Gold or just getting a Protectli box and putting something on there for transparent bridging with Ubiquiti products (USG/UDM)

    2
  • sk0rp10

    let me just say: Folks - you - at Firewalla are just AMAZING :) A few hours since we're asking for a massive feature and you just laid down what looks like a great plan. 

    Needing Firewalla to get an IP? Not a big deal in my own view. Haven't tested the performances yet? Same.

    You know why? Cause of course we'll support you and test the hell out of the feature once you get it out on beta :) - first in line here I am. 

    Seriously, thanks guys. Never been so happy of having purchased a product and joined this amazing community. 

     

    2
  • Richard Riffel

    I completely agree with sk0rp10 - this is service and customer engagement that is very rare today.  I develop hardware based communication products and know how hard it is to balance these kinds of things so even coming up with a rough proposal is great.

    I'm on board with this, even with limitations.  There would be enough value in the transparency that trading off some features is something I'd expect and certainly be able to manage.

    I'm also ready to get in line - 2nd - for testing etc.

    Thanks for getting back to us quickly regardless of where this ends up.  Great work.

    2
  • rajuabju

    Yup, I'd be happy to beta test transparent mode with limitations in my homelab before buying/deploying to production sites I oversee.

    Getting its IP from main router isn't an issue/concern at all (unless that somehow will interfere with the "single pane of glass" stats/info that all my UniFi devices feed into the controller but I don't think that should be the case). What I'd like (ideally) to see is my modem <---> router (USG and others of course) <---> FWG <----> switches <----> everything else. No need for firewalla to do DHCP, DNS, or any other routing functions. Just pure firewally (firewalla) features --- blocking bad stuff, and IDS/IPS.

    2
  • David Beaumier

    I'm very interested by this feature.

    I think it also has the potential to allow for a gradual transition from a full Unifi stack to using the FWG as the main router, but in smaller steps.

    2
  • xOperator

    I'm still up for it.

     

    For the poster above, I don't use USG, I use the UDM Pro, (2) 16 XG switches, (2) POE 48 Pros, and some unmanaged POE and Ethernet Netgear switches.

    I have lots of cameras (25+), 4 ESXi hosts, lots of VMs. I have some spare Cisco routers and switches, used to use a Cisco ASA, then moved to a pfSense, now I'm just lazy and like simple/easy things to manage for my home network.

     

    2
  • xOperator

    My dream setup would be Fiber ONT -> Firewalla Gold -> UDM Pro

    2
  • David Beaumier

    To answer @Alex's question, my main motivation to add the FWG in addition to a USG (or a UDM - same router role) is to get maximum network performances (2 ethernet ports vs 1 on other devices).

    IMHO the FWG should go in between the USG/UDM and the switch/AP. In that scenario the unifi router would still act as the outside network boundary.

    2
  • Richard Riffel

    @David, this is the same setup I am looking for.  I run this configuration now but lose the visibility after FWG, so am looking in multiple places.   The USG on the outside is a main boundary for me, but it's nowhere close to as flexible or feature-rich as FWG.   But having a single control plane over both Uni and FWG is attractive and I get super features with FWG without compromising on either side of this.

    2
  • Dean Holland

    Another +1 for bridge mode.

    I'm currently using a Sophos XG VM in bridge mode between a USG Pro and USW. I'm using it for web filtering but I believe most access control is from the two piholes on my network.

    Being able to manage firewall, port-forwards, VLANs etc. through the existing Unifi controller is desirable. Understandably, the Firewalla needs an IP for pihole etc. but the target users for bridge mode probably understand this and the changes made to their DHCP servers to accommodate it.

    As with the previous poster, I also use multiple VLANs so a VLAN-capable bridge mode would be ideal!

    2
  • Tom Holland

    Agree with other posters, would like to be able to use FWG in transparent bridge mode between UDM-Base (border router + unifi controller) and Unifi Switches/APs.  Also, like some of the other posters, I utilize multiple VLANs so having VLAN awareness would be necessary.

    2
  • Firewalla

    If you are interested in the transparent bridge feature, please vote or comment here.  We are serious about making it happen in 1.973 https://help.firewalla.com/hc/en-us/community/posts/1500000822462-Firewalla-Transparent-Bridge-Mode-1-973-candidate-

     

    2