Firewalla is a networking device that sits in between your connected devices and the main router. By sitting in between, Firewalla is able to see and control all traffic going through your network.
- Firewalla does not monitor your local traffic (LAN to LAN); If you are using network segmentation, Firewalla will be able to filter traffic between your LAN networks.
There are four different modes that Firewalla supports to intercept network traffic.
- Simple Mode: plug and play mode, no need to change the wiring.
- DHCP Mode: plug and play mode, only need to disable the router DHCP server
- Router Mode: using Firewalla as your main router. (recommended for mode Firewalla Gold and Firewalla Purple)
- Transparent Bridge Mode (beta): using Firewalla to bridge two networks transparently. (Gold and Purple)
There are advantages and disadvantages to each mode, please see the chart at the end.
Firewalla Simple Mode
To make life easier for consumers and at the same time make our solution affordable, we use the behavior of ARP protocol (arp spoofing) to route traffic virtually from connected devices to the Firewalla box.
Once started, Firewalla will tell each of the connected devices that it is the router and tell everyone, "please send all network traffic to me". This will virtually divert all live traffic to Firewalla to be monitored and managed.
Technically, this method is called ARP spoofing, a creative way to do man-in-the-middle. In our case, the "good" man is Firewalla, and we have modified a few things to make this work better at home. (This method was inspired by another product on the market, and we take no credit for inventing this.)
Since the ARP protocol is supported differently on different routers, this mode may not be compatible with all routers. Please take a look at our compatibility guide. If your router is not compatible, no worries, we have you covered with other modes.
- Simple to install, simple to use (that's why we call it simple mode).
- If anything goes wrong with Firewalla, your network will still be there.
- No need to rewire or configure anything, true plug and play
- Not compatible with all routers.
- In certain situations, packets may "leak" outside of Firewalla.
Firewalla DHCP Mode
For Firewalla Red, Blue, Blue Plus, in the DHCP Mode, Firewalla creates another network over the existing network. So if you have a network on your main router, you will also see an overlay network from Firewalla.
This overlay network is created by Firewalla, and it is statically overlayed on top of your home network's physical layer. You can statically point your devices to this overlay network, or disable/modify the existing DHCP service on your main router and have the Firewalla serve DHCP requests.
To find out about your Firewalla's overlay network on the Firewalla app, tap Box Settings -> Advanced -> Network Settings -> Overlay Network.
Note: Firewalla Gold and Firewalla Purple don't create another overlay network. It will use the same subnet as your original network so that you don't have to configure the IP range used for DHCP on Gold in order to keep your network unchanged. Learn more about Gold in DHCP Mode.
- All traffic will go through Firewalla.
- Double NAT
- Need to login to the router and disable the DHCP server
- Double NAT
To enable this mode, please read "How to set up with DHCP mode".
Firewalla Router Mode
- When in router mode, Firewalla will also be able to segment network traffic using the extra ports and/or VLAN.
- Router mode requires Firewalla to be in between two network elements, such as a modem and a wifi access point.
- This is the best mode to use for the Firewalla Gold and Firewalla Purple.
- Physically inline between LAN and WAN networks; High performance, gigabit rates.
- Routing and security functions are handled by Firewalla, leaving Wi-Fi routers only focus on wifi.
- The Gold operates the best in this mode.
- If you only have one single device as your modem + router + access point, it will not work for you. This mode requires Firewalla to be in between two network elements, such as a modem and a Wi-Fi access point.
Firewalla Transparent Bridge Mode
This mode is unique to Firewalla Gold and Firewalla Purple. Here, Firewalla can be placed in between your router and access points/switch and act as your firewall/IPS/IDS inline to your network traffic. There are no compatibility issues in this mode.
- Physically inline between your existing router and switch (or access point)
- Preserve existing network assignments from your router
- LAN devices are not aware of the bridge
- A good transition mode without removing the existing router
- Features include "Route", "Smart Queue", "VPN Client" will not work.
- This mode is very specific to certain network topologies.
Which Mode To Use
We made this chart which ranks the different modes in terms of installation, compatibility, and performance.
Why supporting different modes?
- Not all networks are the same
- Not everyone has the same requirements
- For example, the simple mode is the most simple way to install, but its performance is ranked the least of the 3 modes. This mode is not compatible with all routers. (https://firewalla.com/compatibility)
- Router mode is compatible with pretty much anything, but it will require you to physically replace your existing router. And it is the best performing model. This mode is recommended for the Gold and Purple.
Note: the performance difference usually is not detectable during bandwidth tests.
|Simple Mode||DHCP Mode||Router Mode||Bridge Mode|
|Requires wiring change||No||No||Yes (replace your router)||Yes (place it between two networks)|
|Simple Install (ranking)||#1||#2||#4||#3|
|VPN Client||Overlay Only||Yes||Yes||No|
If you want to see the difference between the different products, please see this.
Firewalla Experimental Simple Mode (beta)
DO NOT USE THIS IF:
- Your router is compatible with Simple Mode.
- You are good with DHCP mode.
Experimental Simple Mode will enable more routers that weren't compatible with Simple mode. These tricks may or may not work, hence the "experimental simple mode". DHCP mode is still preferred.
Firewalla Limited Mode
In this mode, Firewalla simply turns off monitoring and becomes a small network server.
Remember we talked about the overlay network? It is still there! What you can do is, to assign static IP addresses like in the overlay network to your device (such as iPhone), and make DNS point to Firewalla's Gateway. Now you have just secured one device.
We often use this mode to "check out" a particular device. Pretty good learning too.