New device setup Question for GOLD.

Comments

11 comments

  • FF

    Unfortunately there is no easy way to achieve what you want...

    To ensure that 2 out of 3 devices remain connected if any one dies, you need to connect all 3 together, which requires all 3 devices (including Firewalla) to support compatible spanning tree protocols... For reference you can see a decent doc for TP-Link here: configuring_spanning_tree (tp-link.com). You will have to start with the Netgear documentation specific to your switches, then set up a compatible STP on the Firewalla itself.

    In addition, keep in mind that the Firewalla's 4 ports are not a hardware switch like on common routers (like Asus ones); practically all the traffic from one port to the other has to transit through the Linux network drivers, adding load on your device, so when you configure your link priority you might want to keep the Firewalla->switch2 link at the lowest priority.

    Finally, network switch failures are so uncommon that you might want to reconsider and use a much simpler design where 1 switch is your "core": your Firewalla, your other switches, access points etc. all get connected to this core switch. Off the bat it will ensure that only internet traffic goes through the Firewalla; you can use the interconnect ports to connect the switches together, which optimizes workload and should simplify administration.

    In this case the core switch is a SPOF, but if that's really a concern, then buy 2 of them and configure them as backups using STP as above (it will be easier since they are from the same manufacturer); you will also need extra cables for redundant links.


    my 2 cents


    1
  • Chris Thomas

    Derek,

    No good solution at the moment; just build a multi-port LACP LAG between the switches and connect the firewall to the root switch (as determined by RSTP, or the root as manually defined).

    The Firewalla is a Layer 3 device (router). I do not believe there is any risk of creating a loop 'through' the Firewalla appliance. For instance, I have all three of the 'lan' ports on my Firewalla Gold connected to the same physical switch. Each port carries one or more 'networks' using VLAN tags. But the only reason I'm doing this is because I cannot build an LACP port channel from the Firewalla to the switch. Otherwise I'd simply have a 3 Gb LACP LAG that carried all of my VLANs between the FWG and the switch.


    @Firewalla --- We want LACP.

    1
  • Chris Thomas

    *If the FWG supported LACP, and you had multiple switches that could be 'stacked' or supported 'MLAG', you could pull 2 cables from the FWG to the primary switch and 1 cable to the secondary switch. Then, if the primary switch failed, everything on Switch 2 would still have a path to the FWG on all VLANs.

    1
  • Derek Breydin

    Thanks for the reply. I have STP enabled on both network switches currently, and they are connected together.

    The question was more around the Firewalla; I wasn't sure whether something was possible with the box itself. It sounds like it is probably best to leave the switches connected together rather than have both connected to the Firewalla.

    Thanks for answering the question anyway; I will rethink my setup as you say, with the core switch.

    0
  • FF

    Actually no... you don't want to cause a loop.

    If both switches are connected together and both are connected to the Firewalla, this is a physical loop. Then most likely you need to set up STP on the Firewalla as well and/or make sure that the link between the 2 switches is marked as a backup link to avoid a loop, but that will force all the traffic between the 2 switches to hit the Firewalla, which adds LAN traffic load to the appliance.

    The simplest option is just to connect only switch_1 to the Firewalla and connect switch_2 to switch_1 only.

    0
  • Derek Breydin

    Now you have my attention. I asked a question like this the other day; someone else responded, and it gave me the impression that connecting 2 switches to the FWG would potentially cause a loop.

    Only one of my switches supports being stacked, but it is certainly worth the upgrade to a second stacked switch so there is some redundancy in the event of a failure.

    0
  • Chris Thomas

    The FWG is operating as an L3 device; it would not cause issues to have multiple ports from the Firewalla connected to one or more switches.

    HOWEVER... you can only have one network assigned to a port natively, unless you use VLAN tags. But a network or VLAN can only be associated with a single physical port.

    The FWG does not support LACP, or any type of interface configuration that would allow you to fail over between switches.

    A lot of people keep asking for link aggregation, but Firewalla keeps insisting that we only need link aggregation if we have more than a 1 Gb internet connection.

    0
  • Blake

    Wouldn't LACP come into play with inter-VLAN routing?

    0
  • Firewalla

    Standard LACP is to bundle multiple circuits into one logical one ... and both sides need to be on the same switch. Using multiple switches together with the same router will work, because STP will help you avoid the loops, but if you want both links from two switches of the same network to the router together, an additional protocol is needed (to replace the good old STP) ... this topology is usually a bit more difficult to manage.


    0
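To make the loop discussion concrete (FF's point that two router links plus a switch-to-switch link form a physical loop, and Firewalla's note that STP resolves it), here is a small spanning-tree model. It is an added example, not code from Firewalla or from anyone in this thread. The names fwg/sw1/sw2, the bridge priorities, MAC addresses and port path costs are constructed for illustration, and it computes only the static 802.1D outcome (root election, designated and root ports, blocked ports), without timers or BPDU exchange.

```python
"""Static 802.1D-style spanning-tree model of the topology discussed in the
thread: a router (fwg) with one port to each of two switches (sw1, sw2) and a
direct sw1<->sw2 link.  Added example; not Firewalla's or the posters' code.
Bridge priorities, MAC addresses and port path costs below are constructed."""

# Constructed topology: (end_a, end_b, port path cost).  802.1D-1998 assigns
# cost 4 to a 1 Gb/s link; only the relative values matter here.
LINKS = [("fwg", "sw1", 4), ("fwg", "sw2", 4), ("sw1", "sw2", 4)]

# Constructed bridge MACs; the tiebreaker when priorities are equal.
MACS = {"fwg": "00:00:00:00:00:03", "sw1": "00:00:00:00:00:01",
        "sw2": "00:00:00:00:00:02"}


def make_bridges(root_name, priority=4096):
    """Bridge ID table {name: (priority, mac)}; the chosen device gets a low
    priority so it wins the root election, everyone else keeps the default."""
    return {n: (priority if n == root_name else 32768, m) for n, m in MACS.items()}


def has_l2_loop(links):
    """True if the undirected topology contains a cycle (union-find)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b, _cost in links:
        ra, rb = find(a), find(b)
        if ra == rb:          # both ends already connected: this edge closes a loop
            return True
        parent[ra] = rb
    return False


def root_path_costs(root, links):
    """Lowest additive path cost from every bridge to the root (Dijkstra)."""
    adj = {}
    for a, b, cost in links:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    dist, todo = {root: 0}, [root]
    while todo:
        u = min(todo, key=dist.get)   # O(n^2) is fine for a handful of bridges
        todo.remove(u)
        for v, c in adj[u]:
            if dist[u] + c < dist.get(v, float("inf")):
                dist[v] = dist[u] + c
                if v not in todo:
                    todo.append(v)
    return dist


def stp_port_roles(bridges, links):
    """Return {(bridge, neighbour): "root" | "designated" | "blocked"} for
    point-to-point links, using the 802.1D comparison order: lowest root
    path cost first, then lowest bridge ID (priority, MAC)."""
    root = min(bridges, key=bridges.get)
    cost = root_path_costs(root, links)
    # Designated bridge per segment: closest to the root, lowest ID on ties.
    designated = {(a, b): min((a, b), key=lambda x: (cost[x], bridges[x]))
                  for a, b, _ in links}
    roles = {}
    for name in bridges:
        best = None
        for a, b, c in links:
            if name not in (a, b):
                continue
            other = b if name == a else a
            if designated[(a, b)] == name:
                roles[(name, other)] = "designated"
                continue
            roles[(name, other)] = "blocked"   # provisional; may become the root port
            candidate = (cost[other] + c, bridges[other])
            if name != root and (best is None or candidate < best[0]):
                best = (candidate, other)
        if best is not None:
            roles[(name, best[1])] = "root"
    return roles


def forwarding_links(roles, links):
    """Links that actually carry frames: neither end is blocked."""
    return [(a, b) for a, b, _ in links
            if "blocked" not in (roles[(a, b)], roles[(b, a)])]


if __name__ == "__main__":
    print("loop present:", has_l2_loop(LINKS))
    for root in ("sw1", "fwg"):
        roles = stp_port_roles(make_bridges(root), LINKS)
        print(f"root={root}: forwarding {forwarding_links(roles, LINKS)}")
```

With sw1 as root, the Firewalla's port toward sw2 is the one that ends up blocked, so the switch-to-switch link forwards and only routed traffic touches the appliance. Make the Firewalla the root instead and the sw1-sw2 link is blocked, so every frame between the two switches transits the appliance's Linux network stack, which is exactly the load problem FF warns about. Since the thread reports no STP configuration on the Firewalla itself, which device wins the election is decided by the switches' priorities, not by anything you can set on the box.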
  • Blake

    I was thinking of just a single switch with 2 ports bonded together into 2 ports on the FWG that were bonded. That way, when routing between VLANs, you have that extra lane. So, say you had a NAS on one VLAN and wanted to move large files from another VLAN. Something along those lines.

    0
  • Firewalla

    From a network design perspective, you should co-locate the NAS on the same LAN as the heaviest bandwidth user. The problem you may encounter is likely [Some PC] -> bonded interface -> Firewalla layer 3 -> same bonded interface -> your switch -> [likely bond or 5G/10G switch to NAS]. This chain is likely to be difficult to optimize ...


    0