How to configure Firewalla Gold in Router mode with switch and VLANs

Follow

Herman

• February 19, 2021 21:56
• Edited

Is there an existing guide on how this can be done or can someone provide some "hand holding" on how to configure Firewalla Gold (FG) with a switch an 4 VLANs?

My current configuration is using a Netgear Modem (CM1150v - no built-in router) with Google Wifi and MoCA to provide connectivity to another switch elsewhere with in the house and ethernet backhaul for Google Wifi.  While this configuration has been very stable and easy to manage, it doesn't really allow for any traffic and content control.  

Currently, FG is connected to a switch behind the Google Wifi to get me basic internet connectivity while I try to configure the switch and VLANs before cutting over, but so far I've only accomplished to break connectivity on the switch connected to the Gold.

Below is a map of what I think the network would look like if configured properly.  Can anyone please provide some advice or help?

 

0

• 

  James Willhoite

  • February 20, 2021 21:32

  You have the basic, you need to creat the VLAN on the gold, then make sure you tag the switches with the VLAN also

  0

  Comment actions Permalink
• 

  Herman

  • February 22, 2021 23:26

  Thanks, James for replying.  

  I have made some progress, I tagged the port that the FG is connected to on the Office switch as a Trunk port and now devices on the office switch are getting IPs.  The Unifi AP on this switch is also working as are the VLANs and IPs being handed out to the connected wifi devices.   

  I also Trunked the port on the office switch where ethernet to the MoCA adapter is connected to the Garage switch and confirmed that the Garage switch is getting an IP from FG, but the IP is from the LAN, not a VLAN. 

  What I haven't figured out is:

  1. What's the purpose of the Default LAN, should devices be connected to this LAN or some other VLAN?  
  2. Do I Tag or Untag the ports on the switch where I'll be connecting a computer, such as my NVR?  As far as best practice, should the NVR be on the same VLAN as the cameras or can it reside on a different VLAN and have an allow rule so the NVR can access the internet?
  3. Should the Unifi Cloud-Key be on the same VLAN as the APs?
  4. Do I need to change the PVID of Tagged or Untagged ports?

   

   

  0

  Comment actions Permalink
• 

  James Willhoite

  • February 23, 2021 02:15
  • Edited

  The default LAN is just that, default. I use that for all my computers/switches/AP.

  As far as the computers, if you want that computer to be on a certain VLAN then you would changed that PVID to the VLAN and mark it as “untagged”. It will get the IP address from the FWG for that VLAN.

  If you want a switch to get the IP address from a specific VLAN then you would have to do the same.

  I would put your NVR on the same VLAN with the cameras, then put a allow rule for the NVR, otherwise you would have to put a allow rule for each camera.

  As for cameras (at our office), I have a separate physical LAN to keep all traffic from the cameras on it’s own network. Yes, the cameras will have to ping and arp to the FWG, but most of the traffic is contained in the managed switch. And the NVR can continue to record even if the Firewalla goes down.

  0

  Comment actions Permalink
• 

  Herman

  • March 11, 2021 03:09
  • Edited

  I've made some more progress despite having to replace both my office switch and my Comcast modem.

  Working:

  1. Connectivity from FW to Office switch and traffic Tagged over MoCA to Garage Switch
  2. Untagged ports on Garage switch so NVR and security cameras are on correct VLAN, blocked all internet access on this VLAN, set rule to allow NVR to have internet access
  3. Office computer picking up IP address from correct VLAN as defined by Untagged port on switch and corresponding PVID

  What isn't working or not working great:

  1. Both switches are being assigned IP addresses from the wrong VLAN, should be getting IPs from VLAN1 (default VLAN) but instead getting IPs from VLAN10 despite port between FW and Switch being Tagged/Trunked.  Maybe I just need to manually enter static IPs on each so if DHCP is down I can still manage them
  2. Polycom VoIP phone can't get an IP address on the VLAN that is assigned to the port
  3. None of the Unifi stuff are getting IPs, I have cloud key connected on an untagged port in VLAN1, it can't get an IP, Ubiquit APs on Tagged ports aren't getting IPs either.  
  4. When connected to the FW, I can access the internet to browse sites, but can't resolve some google sites such as messages.google.com

  Any help or guidance would be appreciated, Thanks.

  0

  Comment actions Permalink
• 

  James Willhoite

  • March 11, 2021 01:22

  1) I typically don't DHCP my switches. I always have static IPs for those normally. Normally I set aside about 50 IPs in any subset I create (just to have room, even though I typically only use 1/2 that).

  2) Do you have any rules that were set up in the Smart Queue?

  3) You shouldn't have to do anything if you are wanting to use the "Default" VLAN. Only time you adjust anything is if you need it to be a different VLAN.

  Here are some screen shots of my setup on FWG

  

  I have my ISP (XFinity) in on the WAN port

  - my normal LAN network (VLAN 1) out on port 3

  - I have a Guest VLAN 300 and a IoT VLAN 900 out on port 3

  I did this so I only needed to have one cable going to my switch.

   

  Here is the Setup of the "Guest" VLAN 300

  

   

  Here is the IoT VLAN 900

  

  And my Default (VLAN 1) network that I have a AD server running that takes care of DNS for me.

  

   

  Here are the VLANs I entered in my switch (It's old and has to use FireFox 3.6 ! ). The VLAN 1 is by default already in the list.

  

   

  Now I have not "UnTagged" any ports in the other VLANs so that is why all of my VLAN 1s are marked as "Untagged". This is a default setup and no modification on my side

  

   

  Here is the VLAN 300 (Guest network). I tagged port 23 & 24 as I use those ports as IN and OUT ports. My Firewalla is going from port 3 on the FWG to my switch on Port 24. That is why it is "Tagged" so it will pass "Tagged" VLAN traffic through that port. My AP is connected to port 23 which is VLAN aware and needs to have the "Tagged" port. Port 20 is my AD server, doesn't really need to be tagged, but I did it just in case, and for future use.

  

   

  My VLAN 900 (IoT) is set up the same as VLAN 300

  

  My PVID Configuration has not been touched, but here is the screen anyway. Typically, if I mark one of my ports as "Untagged" and it should only talk on that "Untagged" Network then I change the PVID for that port to be that VLAN (I did that at work, this is my home switch).

  

   

  Don't forget to tag your profiles on your AP so the devices that need to be on that network will pass through.

  

   

  Hope this all helps.

  1

  Comment actions Permalink
• 

  Herman

  • March 25, 2021 15:38
  • Edited

  James,

  Thanks for your assistance in helping me to understand and get it all setup.  I've followed your guidance and it's all working.  I'm just tweaking things to get them working better.  

  0

  Comment actions Permalink
• 

  James Willhoite

  • March 25, 2021 15:46

  Glad it is working for you.

  0

  Comment actions Permalink
• 

  Casper

  • November 04, 2021 06:02

  Hi James, I'm trying to setup something similar with simpler TP-Link switch and AP. With this setup, which network your AP and switch belong to? On mine they're showing up on different VLAN after I reboot them.

  0

  Comment actions Permalink
• 

  James Willhoite

  • November 04, 2021 09:36
  • Edited

  The APs and switch have IP addresses on my main LAN. When you set up your switch, make sure the port is Tagged and not access. If they are getting a IP address from one of your VLANs then the port is set as "access" and not Tagged/Trunked.

  0

  Comment actions Permalink

Please sign in to leave a comment.