Need some help to understand setup with FWG, Vlan and Unifi Switch + AP
I am waiting for my FWG to arrive. While I wait I want to figure out what is the best setup and how to accomplish it.
I have no experience with Unifi or FWG, so keep that in mind when posting answers :)
I want to keep stuff separated, and from what I understand this is where Vlan is useful.
My plan is to run 3 different ssid. Private, Guest and IOT. Will this be enough, or should kids devices be on its own ssid?
I also want to have all admin interfaces separated so no other than my self can access them.
Then I want everyone at home to be able to use casting devices, plex on my server, Sonos etc, but I dont want them to have access to my Server`s admin page, HomeAssistant.
I also want to have access to all my stuff from my laptop, computer and phone, but I dont want stuff like Xiaomi roborock, washing machine etc to have access to my personal devices.
So I am trying to understand how to approach this issue.
- What should be isolated on different vlans, and why?
- Are each port on switch/fwg working as a vlan, or can I set what device or ssid to be on each vlan?
- How can admin interfaces be separated from the rest, but still let me have access regardles of how I connect?
Starting to think that this might be a bit to complicated to configure properly
-
Let me try to rephrase my question
1) If I create a vlan in firewalla gold, will this vlan be mapped to a port so all traffic on this port is on the same vlan?
2) Can I create a vlan in firewalla, then use the same vlan-id to create the same vlan in unifi controller?
If I can use option 2, is there any downside to adding devices to different vlans in the unifi controller this way?
-
"What should be isolated on different vlans, and why?"
This questions needs to be answered by you. You can put every device in every VLAN, like you want to. Best example is guest network. Or you can have a own management network, where you could put all your management-devices into. For example configuration ports of switches, accesspoints, firewall, NAS and so on.
you additional questions:
1. i don't know how firewalla gold is handling VLAN. But actually VLAN could be tagged and untagged. To enter a tagged VLAN, you need to apply the VLAN-Tag-ID to the device which wants to connect to a tagged VLAN.
Actually in routing devices or in firewall devices it's interesting to have a "trunk-port" wich is "stacking" all VLAN-IDs. Do the same on a switch port and you can define native ports for each VLAN, which is possible to attach devices just with untagged port.
For example. You have firewall, define VLAN ID 1, 2, 3, 4. You need to set up a trunk-port for all this VLAN-IDs. The same at the switch, for example Port 1. If you want to connect a wired client to VLAN-ID 1, you can set VLAN-ID 1 untagged to a switch-port (for example Port 2). If you want to connect a wired client to VLAN ID 2, you can define VLAN-ID 2 untagged to a switchport (for example Port 3).
One wired connection between firewall and switch over trunk-port with all VLAN you need. And the switch is splitting port based VLAN.
Thats are the basics with VLAN, i think.
In Unifi-controller you can use profiles for ports. So there's a trunk-profil already, which will "stack" all VLAN-IDs together. This profil is called "All". This profil will have one native network (untagged).
For each network in Unifi-Controller (doesn't matter if it's VLAN only or Port based), there'll be a profile. So you can easily set, which port should be which profile.
Switch to Switch or Switch to Accespoint should be profile "All" to make it possible that each VLAN will be reachable.
-
I oddly enough just went through this myself except with a Purple, Netgear POE Layer 2 switch, and a Netgear WiFi6 AP.
Setting up the VLANs on the Firewalla was pretty straightforward. There are a few guides on the website about how to do it. I created 4 networks myself, Private, IoT, Guest, and Work. I wanted to use some VLANs to segment off my IoT devices and keep my work stuff separated from my private stuff. The one big lesson I learned is that make sure the port going from the Firewalla to the switch is in Trunk mode, and the port going from the switch to your AP is also in Trunk mode. You'll need to add the VLAN and PVID's to the switch and then add the VLAN IDs to the corresponding SSID and like magic, all your stuff will segment off depending on the SSID you're attached to. In programming the Netgear switch I have, I discovered I had to use an 802.1Q Advanced setup so I could enter the PVIDs. I haven't used the Unifi but I'd recommend downloading the manual and reading over the section on creating VLANs. Once you have that though it's pretty slick. The Purple has been an amazing investment for my network security.
-
It was all surprisingly easy to accomplish. The Firewalla is really easy to use and still get all kinds of rules etc in place.
Just two issues left to sort out and it will be the perfect setup :)
1) Firewalla Gold dont like vpn wireguard traffic from my devices and slows down my connection to 1/3 of full speed. Same setup with different router I get 1000 Mbit/s
2) Use Sonos + Sonos App across vlans.
I know Firewalla Team is looking into my first issue, so hopefully they have a solution in place for me soon.
Please sign in to leave a comment.
Comments
4 comments