Firewalla is a networking device that sits in between your connected devices and the main router. By sitting in between, Firewalla is able to see and block all traffic going through your network. Firewalla does not monitor your local traffic; only traffic that goes to the internet.
Traditional Method (Complex)
Traditionally to make such a thing happen, you'd need to add an in-between device and another router.
Here the device M is inserted into the network after your main router. Since more devices need to be connected, you will need to either add another router2 or M has to have a built-in router. It means that M is likely to be pretty expensive.
The Firewalla Approach: Use Hacker Tools Against Hackers!
The traditional way of intercepting traffic is obviously an overkill for consumers. It is also unlikely that consumers will buy an extra router just for security...
Hence, we start to explore other ways to monitor and block traffic. We want things to be simple, and also want to keep the cost down.
We were inspired by existing companies using the "hacker's" method to make security better. Isn't that amazing? Using "their" tools against them! (We are not the first one doing this, and will not take credit for this idea.)
So we started to innovate and turn some of the well-known hacker's tools into "good use".
Firewalla Simple Mode
To make life easier for consumers and at the same time make our solution affordable, we use the behavior of ARP protocol to route traffic virtually from connected devices to the Firewalla box.
Once started, Firewalla will tell each of the connected devices that it is the router and tell everyone "please send all network traffic to me". This will virtually divert all live traffic to Firewalla to be monitored and managed.
Technically, this method is called ARP spoofing, a creative way to do man-in-the-middle. In our case, the "good" man is Firewalla, and we have modified a few things to make this work better at home. (This method was inspired by another product on the market, and we take no credit for inventing this.)
Since the ARP protocol is supported differently on different routers, this mode may not be compatible with all routers. Please take a look at our compatibility guide. If your router is not on the list, no worries, we have you covered with other models.
- Simple to install, simple to use (that's why we call it simple mode).
- If anything goes wrong with Firewalla, your network will still be there.
- May not be compatible with all routers.
- In certain situations, packets may "leak" outside of Firewalla.
Firewalla DHCP Mode
The second model we support is the DHCP mode.
In this method, Firewalla creates another network over the existing network. So if you have 10.0.0.x network on your main router, you will also see 192.168.218.x network from Firewalla.
The new 192.168.218.x network is statically overlayed on top of your home network's physical layer. You can statically point your devices to this overlay network, or disable/modify the existing DHCP service on your main router and have the Firewalla serve DHCP requests.
To enable this mode, please read "How to set up with DHCP mode".
- All traffic will go through Firewalla.
- Double NAT
- Need to login to the router and disable the DHCP server.
- Double NAT
Firewalla Router Mode
This mode is unique to Firewalla Gold. Here, Firewalla Gold can act as your router/firewall/IPS/IDS inline to your network traffic. There are no compatibility issues in this mode.
When in router mode, Firewalla Gold will also be able to segment network traffic using the extra ports.
- Physically inline between LAN and WAN networks; High performance reaching gigabit rates.
- Routing and security functions are handled by Firewalla, leaving wifi routers only focus on wifi.
- Single modem+router will not work. This mode requires firewalla to be in between two network elements.
- Gold is more expensive than red and blue.
Firewalla Experimental Simple Mode (beta)
DO NOT USE THIS:
- If your router is compatible with Simple Mode.
- If you are good with DHCP mode.
Experimental Simple Mode will enable more routers that weren't compatible with Simple mode. These tricks may or may not work, hence the "experimental simple mode". DHCP mode is still preferred.
Firewalla Limited Mode
In this mode, Firewalla simply turns off monitoring and becomes a small network server.
Remember we talked about 192.168.218.x network? It is still there! What you can do is to assign static IP addresses like 192.168.218.20 to your device (such as iPhone), and make DNS point to 192.168.218.1. Now you have just secured one device.
We often use this mode to "check out" a particular device. Pretty good learning too.