Google doesn’t allow you to bridge their network box so you would have to double NAT and double port forward. Maybe some people are fine with that, but I hate it. Luckily, it’s really easy to bypass.


fiber_line --> fiber_to_ethernet_jack --> Google_Network_Box

The Google Fiber network box powers the fiber to Ethernet jack via Power over Ethernet. You need a PoE injector unless you have a PoE switch. I just have a regular old Cisco 3750G.

Injectors are anywhere from 5 to 30 bucks on Amazon for a single line. Traffic from the fiber jack is tagged as VLAN 2 with a 802.1p bit of 3. IGMP has 802.1p of 6 and DHCP traffic has IP 802.1p of 2. I also had to block IPv6 to the network box so it would pass to pfSense.


fiber_line --> fiber_to_ethernet_jack <--> PoE_Injector --> Cisco_3750G 
                                                               |  | |__> Google_Network_Box
                                                               |  |____> pfSense
                                                               |_______> Cisco_ASA

Create VLAN 2 if you don’t have it already, and name it.

vlan 2

Create a few ACLs. One to block IPv6 to the Google Network box.

ipv6 access-list DENY_IPV6
  deny ipv6 any any

And two to match DHCP and IGMP traffic.

access-list 100 permit igmp any any
access-list 101 permit udp any eq bootpc any eq bootps

Now we get into some good old fashioned QoS. The order is “Class Map”, “Policy Map”, “Service Policy”.

Create a class map for DHCP and IGMP.

class-map match-all IGMP
  match access-group 100
class-map match-all DHCP
  match access-group 101

Create a policy map for QoS.

policy-map GOOGLE_FIBER
  class DHCP
    set precedence 2
  class IGMP
    set precedence 6
  class class-default
    set precedence 3

Configure the port for the Fiber Jack to be a trunk on VLAN 2 with a CoS of 3.

interface GigabitEthernet1/0/1
  description GOOGLE_FIBER_JACK
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 2
  switchport mode trunk 
  mls qos cos 3

Configure the port for the network box on VLAN 2, deny IPv6, and add the QoS Service Policy.

interface GigabitEthernet1/0/2
  switchport access vlan 2
  ipv6 traffic-filter DENY_IPV6 in
  mls qos cos 2
  mls qos cos override
  service-policy input GOOGLE_FIBER

Configure the pfSense or any additional device’s WAN port on the switch.

interface GigabitEthernet1/0/3
  description PFSENSE_WAN_PORT
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 2
  switchport mode trunk
  mls qos cos 3

Set the pfSense WAN port to be on VLAN 2.

Go to Interfaces / Assignments / VLANs and create VLAN 2 with CoS of 3.

Next go to Interfaces / Assignments and assign VLAN 2 to the WAN.

May need to reboot the Google box and play with DHCP renewals on pf or another firewall/router. And if you don’t have google TV, you don’t even need the network box now.

This config has been working great for me.


Categories: Networking


Leave a Reply

Your email address will not be published. Required fields are marked *