Bridge Mode with multiple LANs
I have a Gold Plus with four ports. I was hoping to connect two ports to my pfSense firewall as WAN ports, and then two ports to my UniFi switch for the access points. The current setup is I have a VLAN on port 3 of pfSense plugged into port 3 of my switch, and another VLAN on port 4 of the pfSense plugged into port 4 of the switch. I want to place the Gold in the middle so it is like this:
pfsense port 3 VLAN 3 >> Gold Port 3 >> Gold Port 1 >> switch port 3
pfsense port 4 VLAN 4 >> Gold Port 4 >> Gold port 2 >> switch port 4
My reasoning here was not to run my entire network through a single 1G port (not the Gold; my pfSense only has 1G ports).
Other than the Gold in the middle, this currently works. On the bridge page it states that all four ports are equal and can be used, but in the setup it seems to imply that port 4 is the only uplink port. Is what I am trying to do even possible? Am I going to have to reconfigure the pfSense to send all VLANs through one port into the Gold and have two ports coming out into my switch?
-
Hi Orcrist,
You can put Gold in bridge mode between a router and a switch (or access point).
In Bridge mode, it doesn't matter which port goes to your router and which port is your switch's uplink. The connections would look like this:
pfsense port 1 <trunk 1> Gold Port 1 <trunk 2> switch port 1
A trunk means it carries multiple subnets. So in this case, each trunk would have:
- LAN (for connecting the router, Firewalla and switch)
- VLAN 3
- VLAN 4
Now the switch ports can be configured as access ports for VLAN 3 or VLAN 4. Any device you connect to an access port joins that VLAN.
Not sure if you were thinking about LAG, but it isn't supported in Bridge mode.
-
I think the easiest way to set this up is to only use VLANs in the Firewalla. Each pfSense port has native and VLAN networks, but in the Firewalla I can only create one network that isn't a VLAN, and when I plugged the second cable from the Firewalla into the switch (not the router) it freaked out and killed the network.
So, to simplify I am just going to use VLANs exclusively in the Firewalla. I don't use the native networks downstream anyway.
-
What I really need is to be able to set the PVID for the Firewalla ports. Right now I have:
pfsense trunk (172.16.46.0/24 + 3 vlans) >> firewalla trunk (192.168.20.0/24 + 3 vlans) >> switch trunk (192.168.20.0/24 and 3 vlans)
I didn't define that network for the Firewalla; it grabbed it from the downstream switch.
Any other configuration either causes looping or doesn't work for other reasons. Even now the Firewalla is getting an IP address from the downstream switch on the native network rather than the pfSense uplink. I would like to set the PVID on the switch and Firewalla ports so I am not trunking at all to the switch, but when I tried that (on the switch; I can't on the Firewalla) the pfSense subnet was the only network that made it downstream (everything was 172.16.46.0/24).
-
I finally got this working. I am not 100% sure why it was failing, but it is working solidly now. This is my configuration:
pfSense Port 4: 172.16.0.0/16 LAN with VLANS 20, 30 and 40.
Firewalla Port 4 trunk plugged into pfSense Port 4 and VLANS 20, 30 and 40 defined.
Firewalla Ports 1, 2 and 3: Plugged into switch ports 3, 4 and 5. These are all three trunked with pfSense port 4 since there is no configuration of the Firewalla ports possible. (I would have liked to set those ports to a PVID or use a VLAN as the native network, but that is not possible as far as I can tell.)
Switch Port 3: trunk set to native VLAN 33 and allows VLAN 20
Switch Port 4: trunk set to native VLAN 44 and allows VLAN 30
Switch Port 5: trunk set to native VLAN 55 and allows VLAN 40
This arrangement works well and allows me to run all traffic through a 2.5G connection between the Firewalla and the pfSense, and gives each VLAN its own 1G connection to the switch.
The VLANs 33, 44 and 55 are defined as unmanaged networks in the switch and were needed to close a loop on the 172.16 subnet. If I set the switch ports to use the VLANs natively, I got the DHCP server for 172.16 managing all the VLANs, effectively merging them. If I set the three switches to use the same native network, no matter what it was, the system looped as far as I could tell. All traffic stopped routing and the Firewalla would restart after a minute or so.
Maybe I am not 100% on what bridging is, but this would be much easier to manage if I could configure the Firewalla ports directly.
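As an added illustration (not part of the thread or any Firewalla tooling), the following model reproduces why the final configuration above works while the two failed attempts loop or merge. It treats the Firewalla as a single bridge whose ports 1-3 each carry the same trunk into one switch port, and checks, per VLAN, how many paths exist between the two bridges. The switch port settings and VLAN ids are those from the final post; the loop/merge analysis itself is an assumption about standard 802.1Q native-VLAN handling.

```python
# Constructed model of the thread's bridged topology: Firewalla ports 1-3 are one
# bridge, each plugged into one switch port. A switch port turns untagged frames
# into its native VID and accepts tagged frames only for the VIDs it allows.

# Final working config from the post: switch port -> (native VID, allowed tagged VIDs)
SWITCH_PORTS_FINAL = {
    3: (33, {20}),
    4: (44, {30}),
    5: (55, {40}),
}


def broadcast_domains(switch_ports, fw_vlans=(20, 30, 40)):
    """Return (loop_found, components).

    Nodes are broadcast domains: "fw:untagged" (the 172.16 network) plus one
    "fw:<vid>" per Firewalla VLAN, and one "sw:<vid>" per switch VID. Every link
    contributes one edge per frame type it carries. Union-find: an edge joining two
    nodes already in one component closes a cycle, i.e. an L2 loop. Distinct
    VLANs ending up in one component means they have been merged.
    """
    parent = {}

    def find(n):
        parent.setdefault(n, n)
        while parent[n] != n:
            parent[n] = parent[parent[n]]  # path halving
            n = parent[n]
        return n

    loop = False
    for port, (native, allowed) in switch_ports.items():
        # untagged frames from the Firewalla bridge land in the switch's native VID
        edges = [("fw:untagged", f"sw:{native}")]
        # tagged frames pass only when the switch port allows that VID
        edges += [(f"fw:{v}", f"sw:{v}") for v in fw_vlans if v in allowed]
        for a, b in edges:
            ra, rb = find(a), find(b)
            if ra == rb:
                loop = True  # second path between the same two domains
            else:
                parent[ra] = rb
    comps = {}
    for n in list(parent):
        comps.setdefault(find(n), set()).add(n)
    return loop, sorted(sorted(c) for c in comps.values())


if __name__ == "__main__":
    print("final:", broadcast_domains(SWITCH_PORTS_FINAL))
    print("same native on all three:", broadcast_domains({3: (33, {20}), 4: (33, {30}), 5: (33, {40})}))
    print("VLANs as native:", broadcast_domains({3: (20, set()), 4: (30, set()), 5: (40, set())}))
```

In the final config the placeholder VIDs 33/44/55 share one component with the untagged 172.16 network, which is harmless because nothing lives in them; VLANs 20, 30 and 40 each get exactly one path.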