Switches and VLANs with AP7
-
There is no issue connecting the AP7 to switches.
Microsegmentation is within the AP7, as it is a L2 function that doesn't span beyond the WiFi network (mesh included). For example, if you have a device connecting to a switch, the isolation button or VqLAN button will not work with it. If that device is connected to the AP7, then yes, it will work.
If you are doing segmentation using VLANs, then you just need to create the VLANs on your managed switch before creating the VLAN via the Firewalla. It should all work after, including dynamic VLAN (SSID -> VLAN ID with personal key).
-
In the case of microsegmentation, I can see how it is a function of the AP, but what prevents the AP traffic from going out to the rest of the network and hitting non-WiFi devices if the AP is connected to a switch before the Firewalla? Or is that how the APs work in that they route all traffic to the Firewalla MAC address only, and the Firewalla routes packets outbound to the rest of the network after that?
My apologies for not fully understanding the way that segmentation works, I appreciate you helping me understand.
-
The VqLAN system may do multiple things to quarantine traffic; it can be based on either L2 access lists or routes. From a usage perspective, as long as the device is managed by the AP, the quarantine feature should work. We do not guarantee that a device connecting outside of the AP will have these features.
-
I'd like some further clarification on the VqLAN functionality.
I have several devices that connect via ethernet to my Firewalla Gold and will not be connecting first through the Firewalla AP7. If I create a VqLAN rule for a group on the AP7 that disallows traffic to another group and this 2nd group is solely ethernet connected directly to the Firewalla Gold, will this traffic be successfully quarantined from the first group?
-
I have been trying to get answers to open Tickets for the AP7 for several weeks now. The product setup requires LAN only and will only connect via VLAN after initial setup on a LAN. I have been unable to get any definitive answers on why this is necessary and why VLAN1 is required to pass traffic.
It seems like my use case is not architected in the product as I won't be using Mesh and there simply are not enough ports on the FWG Pro to plug each AP into it directly. I have got it working now only by installing a non-managed switch but can't get answers on ARP spoofing and/or ARP broadcasts.
I was waiting until I got an official answer to move this to a dedicated managed switch which is configured for VLAN1 by default and hanging all my APs off that via one port on the Firewalla using a separate LAN and VLANs for the SSIDs. I simply do not use VLAN1 on any of my other switches as it is a security hole and it is generally not recommended you use VLAN1 for either MGMT or route traffic, so I do not have this on my other managed switches at all. Nothing is on VLAN1.
I asked for escalation of the ticket and then I lost fiber connectivity due to an ISP software upgrade and am still not fully back on bandwidth :(
Does anyone have a similar configuration or any suggestions to try, as I am not getting anywhere with direct tickets opened at Firewalla?
-
@Troy, check out this convo. It doesn't necessarily have to be VLAN1; the AP7 should be in the same VLAN as the wireless controller management VLAN.
https://help.firewalla.com/hc/en-us/community/posts/38512557018003-AP7-connected-to-managed-switches-two-layers-down-Is-it-possible
-
I was, and still am, sort of running an Omada system behind a managed switch. FWGP > Omada Core Switch > using separate ports home run to each AP7. I set up my first AP7 connected directly to the FWGP, then reconnected it to a port off my core switch. I then set up the second AP7 the same way and connected it to the same switch, different port. Did initial setups in the area of my switch and router. Then moved my primary to a field location and used a home run to the same switch port. The second AP7 was located on my second floor and initially the topology indicated it was connected to the first AP7. I then rebooted everything and now they appear as two separate entities. I kept the setup simple and just completed cleaning up all devices from the Omada environment to the FW environment. My switch is still being controlled by the OC200 but only using one wired LAN. No issues, but guessing you may have a more sophisticated LAN/VLAN setup than I did at transition.
-
@Troy, please allow me to clarify: Firewalla doesn't care about VLAN1. Same as our doc states, for AP pairing, you must have a LAN network configured on Firewalla, and one AP must be wired to one port of this LAN (via a switch also works). It's required for the box to manage the AP, especially during initial pairing. It ensures the AP can still be managed if a VLAN is messed up by accident.
For the VLAN 1 query, per my experience, VLAN 1 is the default VLAN on most managed switches for self-management purposes and is used by managed switches for any untagged traffic. I went through your case but couldn't find your switch configuration detail. One idea is to leave VLAN 1 configured on your switch but you don't have to create VLAN 1 network on Firewalla.
If it doesn't work, please share a full topology and configuration on your switch and Firewalla in your case. Our engineer can better help. Also, I suggest discussing one issue in one case.
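As an added example (not from this thread or from Firewalla's documentation), here is what the switch side of that arrangement looks like in IOS-style syntax: the Firewalla-facing and AP7-facing ports are trunks whose untagged (native) VLAN carries the Firewalla LAN used for AP pairing and management, while the SSID VLANs created on the switch first are tagged. VLAN numbers, VLAN names and interface identifiers are assumed; the native VLAN does not have to be 1, only the VLAN on which the Firewalla LAN network sits untagged.

```cisco
! Constructed example, not from the thread: VLAN 1 is the switch's untagged
! default; VLANs 10 and 20 are the SSID VLANs (numbers and names assumed),
! created on the switch before the matching VLAN networks on Firewalla.
vlan 10
 name WIFI-IOT
vlan 20
 name WIFI-GUEST
!
! Uplink to the Firewalla port that has a LAN network defined on it.
! Untagged (native) VLAN 1 carries the Firewalla LAN used to pair and
! manage the AP7; VLANs 10 and 20 arrive tagged and map to the VLAN
! networks created on Firewalla (interface name assumed).
interface GigabitEthernet1/0/1
 description Uplink to Firewalla
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10,20
!
! One port per AP7, home-run cabling (no mesh, no daisy chain), same trunk
! shape: the AP7 itself sits untagged on VLAN 1 and tags client traffic
! per SSID (interface name assumed).
interface GigabitEthernet1/0/2
 description AP7 upstairs
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10,20
```

If a dedicated management VLAN is used instead of VLAN 1, set that VLAN as the native VLAN on both trunks and make it the untagged LAN network on the Firewalla port; the tagged SSID VLANs do not change.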
-
@Firewalla:
You say you don't need VLAN1, but that was not what I was told by Firewalla tech support, as they told me it was absolutely required both for initial setup as well as management of the device. They also told me that VLAN1 was required to put the AP7 on a switch cascaded off the Firewalla as well. If this is not accurate then great, I will do some further testing. However, I could not get it working by moving the AP7 to a VLAN only; even directly connected to the Firewalla, it would only connect when an actual LAN was also defined on the port that the AP7 connects to.
I can provide you my questions/responses to my tickets and I was very clear asking about VLAN1 requirements.
I don't use VLAN1 on any of my switches; it is not required by most decent switch manufacturers, and they state you should not use it, especially for switch management traffic, and always suggest a dedicated management VLAN be created which is not VLAN1 :)
In fact, prior to putting the AP7 on my network I had no physical LANs defined anywhere and VLAN1 was not being used at all on any of my switches. I never had a problem with any other vendor's APs placed on either a cascaded switch or directly connected to the Firewalla on a port.
The problems only started when I stuck the first AP7 on the network.
I think Firewalla might be assuming that all people will use one AP7 directly connected to the Firewalla and then use Mesh to connect all the other AP7s, or use an ethernet port daisy chained from another AP7. I do not use either configuration. My previous APs were all hardwired and only one was plugged directly into the Firewalla on a VLAN; the others were cascaded off my switches.
I am looking for this same configuration with no LANs, only VLANs.
FYI - my details on my configuration were put in the ticket, including open items I had questions on. This got no response, so I created separate tickets. If you are requiring people to use a LAN extended to a cascaded switch off the Firewalla for either Mgmt or for the AP7 to connect and work, then my statements are correct. If not, then please tell me how to properly configure the Firewalla AP7 and put it on a VLAN-only switch cascaded off the FWGPro that I have, as I have been unable to get this to work as of yet :)