Firewalla is a networking device that sits in between your connected devices and the main router. By sitting in between, Firewalla is able to see and block all traffic going through your network. Firewalla does not monitor your local traffic; only traffic that goes to the internet. 

• If you are using network segmentation, Firewalla will be able to filter traffic between your LAN networks.

There are four different modes that Firewalla supports to intercept network traffic. 

• Simple Mode: plug and play mode, no need to change the wiring
• DHCP Mode: plug and play mode, only need to disable the router DHCP server
• Router Mode: using Firewalla as your main router. (Gold only)
• Transparent Bridge Mode (beta): using Firewalla to bridge two networks transparently. (Gold only)

There are advantages and disadvantages to each mode, please see the chart at the end. 

Firewalla Simple Mode

To make life easier for consumers and at the same time make our solution affordable, we use the behavior of ARP protocol to route traffic virtually from connected devices to the Firewalla box.

Once started, Firewalla will tell each of the connected devices that it is the router and tell everyone, "please send all network traffic to me". This will virtually divert all live traffic to Firewalla to be monitored and managed.

Technically, this method is called ARP spoofing, a creative way to do man-in-the-middle. In our case, the "good" man is Firewalla, and we have modified a few things to make this work better at home. (This method was inspired by another product on the market, and we take no credit for inventing this.)

Since the ARP protocol is supported differently on different routers, this mode may not be compatible with all routers. Please take a look at our compatibility guide. If your router is not compatible, no worries, we have you covered with other modes. 

Pros:

• Simple to install, simple to use (that's why we call it simple mode).
• If anything goes wrong with Firewalla, your network will still be there.
• No need to rewire or configure anything, true plug and play

Cons:

• Not compatible with all routers.
• In certain situations, packets may "leak" outside of Firewalla.

Firewalla DHCP Mode

In this method, Firewalla creates another network over the existing network. So if you have a network on your main router, you will also see an overlay network from Firewalla.

This overlay network is created by Firewalla, and it is statically overlayed on top of your home network's physical layer. You can statically point your devices to this overlay network, or disable/modify the existing DHCP service on your main router and have the Firewalla serve DHCP requests.

To find out about your Firewalla's overlay network on the Firewalla app, tap Box Settings -> Advanced -> Network Settings -> Overlay Network. 

To enable this mode, please read "How to set up with DHCP mode". 

Pros:

• All traffic will go through Firewalla.  
• Double NAT

Cons:

• Need to login to the router and disable the DHCP server
• Double NAT

Firewalla Router Mode

This mode is unique to Firewalla Gold. Here, Firewalla Gold can act as your router/firewall/IPS/IDS inline to your network traffic. There are no compatibility issues in this mode.

When in router mode, Firewalla Gold will also be able to segment network traffic using the extra ports.

Pros:

• Physically inline between LAN and WAN networks; High performance, reaching gigabit rates.
• Routing and security functions are handled by Firewalla, leaving wifi routers only focus on wifi.
• The Gold operates the best in this mode.

Cons:

• If you only have one single device as your modem + router + access point, it will not work for you. This mode requires Firewalla to be in between two network elements.
• Gold is more expensive than red and blue. 

Firewalla Transparent Bridge Mode (beta)

This mode is unique to Firewalla Gold. Here, Firewalla can be placed in between your router and access points/switch and act as your firewall/IPS/IDS inline to your network traffic. There are no compatibility issues in this mode.

Pros:

• Physically inline between your existing router and switch (or access point)
• Preserve existing network assignment from your router
• LAN devices are not aware of the bridge
• A good transition mode without removing the existing router

Cons:

• Features include "Route", "Smart Queue", "VPN Client" will not work.
• This mode is very specific to certain network topologies.  

Learn more on the transparent bridge mode here.

Other Modes

Firewalla Experimental Simple Mode (beta) 

DO NOT USE THIS IF:

• Your router is compatible with Simple Mode.
• You are good with DHCP mode.

Experimental Simple Mode will enable more routers that weren't compatible with Simple mode. These tricks may or may not work, hence the "experimental simple mode".  DHCP mode is still preferred. 

Firewalla Limited Mode

In this mode, Firewalla simply turns off monitoring and becomes a small network server.

Remember we talked about the overlay network? It is still there! What you can do is, to assign static IP addresses like in the overlay network to your device (such as iPhone), and make DNS point to Firewalla's Gateway. Now you have just secured one device.   

We often use this mode to "check out" a particular device. Pretty good learning too. 

Which Mode To Use 

We made this chart which ranks the different modes in terms of installation, compatibility, and performance.  

Why supporting different modes?

• Not all networks are the same
• Not everyone has the same requirements
• For example, the simple mode is the most simple way to install, but its performance is ranked the least of the 3 modes.   This mode is not compatible with all routers. (https://firewalla.com/compatibility)
• Router mode is compatible with pretty much anything, but it will require you to physically replace your existing router.   And it is the best performing model.  This mode is recommended for the Gold.

Note: the performance difference usually is not detectable during bandwidth tests.

If you want to see the difference between the different products, please see this.