Troubleshooting - Firewalla Gold added to Unifi network
I am a new Firewalla user and I am looking for some advice about my approach to setting up a firewalla gold with an existing unifi network including a USG.
My current network is:
ISP Modem/Router in Bridge Mode -> USG -> Unifi Network (4 switches, 2 APs, 3 networks)
My goal is to place the FWG in front of the USG, so that I can: (A) maintain my current network settings (~50 clients including virtual machines, with assignments across 4 VLans); and, (B) continue to use the Unifi guest portal and guest management features for the main network (VLan 1). After implementing changes to the unifi network and setting up my FWG I imagine that my network will be:
ISP Modem (bridge mode) --> FWG --> USG --> Networks
In the Firewalla app I created 3 networks, and assigned to each a range based on the current network settings in Unifi:
- Main network (1), 192.168.1.1/24, range: 192.168.1.2 to 192.168.1.255
- IoT network (20), 192.168.20.1/24, range: 192.168.20.2 to 192.168.20.255
- LabNetwork (60), 192.168.60.1/24, range: 192.168.60.2 to 192.168.60.255
My original strategy was to change the Unifi network settings from "DHCP server mode" to "DHCP relay mode" for each network. In the Unifi DHCP relay settings, I set the DHCP server to 192.168.1.1; 192.168.1.20.1; and, 192.168.60.1. These are the current gateway addresses for each network.
I saved all of the changes in the Unifi console and returned to the dashboard. Nothing seemed to happen (devices stayed online, internet connection did not change), so I proceeded to the next steps.
I disconnected the USG from the ISP modem and powered down the USG. I connected the FWG to the ISP modem. I powered off the ISP modem and waited for it to restart.
The Firewalla app confirmed that the FWG was online and connected to the internet. Sweet.
I then connected the FWG to the USG (WAN port) and then powered on the USG. The Firewalla app said that it detected a new device, and it is a ubnt device. Seemed okay... so I kept waiting.
After about 5 minutes... it's all gone pete tong. The client devices on my network would not connect to the internet on any network, and scanning the network from within caused erratic results (same test would find different devices in subsequent network scans). And, the unifi controller showed "adoption failed" on most of the unifi devices...
I waited another 5 minutes, and when it seemed that this problem would not resolve by waiting I decided to reset my network to its starting state. Using the unifi controller I reset the DHCP server settings for each network, and then disconnected the FWG from the modem and USG, and connected the USG to the modem. I powered on the USG, and the networks all seemed to return to their normal operating state. Safe.
So I am pretty sure that I have created this issue, but I am not really sure how to troubleshoot. I have tried reading some of the articles about using the DHCP relay feature in unifi... and most of the articles talk about setting it to point to a windows DHCP server, and I can't find any mention of the dhcp relay settings in these forums.
I am very interested in implementing the FWG in my network, so please don't take this post as an indictment of the FWG. However, I am hoping that I can get set up. I am open to any suggestions about how to proceed.
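As an added illustration (not code from the original thread), the following Python check walks the network plan described above, using the gateway, pool and relay values exactly as listed in the post, and reports pools that include the network or broadcast address or the gateway, relay targets that do not parse as addresses or differ from the gateway, and subnets that overlap across VLANs.

```python
import ipaddress

# Constructed from the plan in the post above:
# (VLAN id, gateway address with prefix, DHCP pool start, DHCP pool end, Unifi DHCP relay target)
PLANNED_NETWORKS = [
    (1, "192.168.1.1/24", "192.168.1.2", "192.168.1.255", "192.168.1.1"),
    (20, "192.168.20.1/24", "192.168.20.2", "192.168.20.255", "192.168.1.20.1"),
    (60, "192.168.60.1/24", "192.168.60.2", "192.168.60.255", "192.168.60.1"),
]

def check_network(vlan, gateway_cidr, pool_start, pool_end, relay_target):
    """Return the problems found in one planned network; an empty list means it is consistent."""
    problems = []
    iface = ipaddress.ip_interface(gateway_cidr)
    net, gateway = iface.network, iface.ip
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    if start not in net or end not in net:
        problems.append(f"VLAN {vlan}: pool {start}-{end} is not inside {net}")
    elif start > end:
        problems.append(f"VLAN {vlan}: pool start {start} is after pool end {end}")
    else:
        # Network and broadcast addresses must never be leased; the gateway must be excluded too.
        if start == net.network_address:
            problems.append(f"VLAN {vlan}: pool starts at the network address {start}")
        if end == net.broadcast_address:
            problems.append(f"VLAN {vlan}: pool ends at the broadcast address {end}")
        if start <= gateway <= end:
            problems.append(f"VLAN {vlan}: gateway {gateway} lies inside the pool")
    # The relay target must parse as an address; in this plan it is meant to be the FWG gateway.
    try:
        relay = ipaddress.ip_address(relay_target)
    except ValueError:
        problems.append(f"VLAN {vlan}: relay target {relay_target!r} is not a valid IP address")
    else:
        if relay != gateway:
            problems.append(f"VLAN {vlan}: relay target {relay} is not the gateway {gateway}")
    return problems

def check_plan(networks):
    """Check every network in the plan and flag any subnets that overlap across VLANs."""
    problems = [p for entry in networks for p in check_network(*entry)]
    subnets = [(vlan, ipaddress.ip_interface(cidr).network) for vlan, cidr, *_ in networks]
    for i, (vlan_a, net_a) in enumerate(subnets):
        for vlan_b, net_b in subnets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"VLAN {vlan_a} ({net_a}) overlaps VLAN {vlan_b} ({net_b})")
    return problems
if __name__ == "__main__":
    print("\n".join(check_plan(PLANNED_NETWORKS)) or "plan looks consistent")
```

Run against the values from the post it reports four findings: each pool ends at its subnet's broadcast address, and the VLAN 20 relay target does not parse as an IPv4 address.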
-
I have considered replacing it entirely, but I had hoped to continue using it and phase it out in another step. Also, my understanding is that the guest portal and guest isolation policies require the usg... do you use guest network and portal? If so, do they still work as expected?
And, as far as using the unifi devices goes, how did you set up your cut-over to the FWG? Were you able to get all of your current client devices to transition to their expected networks? Or did you have to set them all up?
-
I literally did this a few days ago when I received my FWG.
I previously used a USG-3 in my network along with Unifi Switches and APs. I had configured 3 networks (2 of which were VLANS) and 3 SSID (one of which was Guest and used the built-in Hotspot Manager).
Prior to decommissioning the USG, I made sure that the cloud-key, all switches and APs were set to DHCP so that they would receive a new IP address from the FWG.
Then in the FWG, I replicated the same three networks on the ethernet port to which my Unifi switch would connect, with the same IP ranges and VLAN ids. Once this was done, I did have to go and find the IP of my Cloud Key and go in there to reconfigure the networks that were previously configured to be VLAN only networks. This way, the FWG would be responsible for assigning IP addresses to devices connecting to those VLANS. To my surprise, the Hotspot Manager was still an active option on my Cloud Key and I could continue to use the Portal Landing page and generate vouchers for people to access the guest network.
I'm not familiar with the Unifi Controller app outside of the Cloud Key so can't say for sure if this is hardware related but, I know at the moment, my network looks and operates the same as before when the USG was present.
My only gripe at the moment is that the FWG does not connect to my ISP via PPPoE which I'm trying to figure out.
-
@Donald Chan, @Michael Bierman
Thank you both for the responses and advice. I decided to remove the USG entirely from the network and connected the FWG to the main Unifi switch. The implementation went very smoothly: since I had already configured the matching network ranges in the FWG, most of the devices seamlessly transferred over.
There were a few devices where I had some issues: for most part, it seems that any devices that were in a sleep/hibernate state when the FWG took over the network came back online with some connection issues. I did have to identify each of these devices, and then use the device console to go through a reboot cycle. This was pretty awkward for a couple of computers that were set up as headless servers. Otherwise, anything that was offline during the cut over and came back online afterwards connected to the network seamlessly.
I am having an issue with the Unifi guest portal... the portal page seems to get blocked on android devices, but not in browsers (windows/linux) so I am looking into device settings.
On the whole, the cut over from the USG to the FWG has gone very well so far. I think that configuring the networks in the FWG ahead of time worked really well (and I think it was mentioned in another discussion thread... I'll update with a link later).
edit: spelling
-
@Michael Bierman, not sure at the moment. Unable to log in with my PPPoE credentials so will investigate further. Currently have another router in front of the FWG but that does not have passthru or bridge mode so having to deal with double nat-ing until I work out what it is. Might just be powering down the NTD and restarting it.