- What is Firewalla DHCP Mode?
- How to setup with DHCP Mode?
- How to setup IP Range for DHCP?
- How to setup port forwarding for devices in DHCP Mode?
- How to reserve IP address for device in DHCP Mode?
- How to keep your network unchanged in DHCP Mode?
What is Firewalla DHCP Mode?
There are 4 monitoring modes in Firewalla: Simple Mode, DHCP Mode, Limited Mode and Experimental Simple Mode. This article explains how each of them works:
"How does Firewalla Intercept Traffic?"
In DHCP Mode, Firewalla creates a 192.168.218.x network over the existing network. So if you have a 10.0.0.x network on your main router, you will also see a 192.168.218.x network from Firewalla.
The new 192.168.218.x network is statically overlaid on top of your home network's physical layer. You can statically point your devices to this overlay network, or disable/modify the existing DHCP service on your main router and have Firewalla serve DHCP requests.
The 192.168.218.x network is there by default. You may use it by either using a DHCP server or manually configuring devices’ static IP address in that block.
- All traffic will go through Firewalla.
- Double NAT
- Hard to set up, need to log in to the router
- May need to reset a bunch of devices.
Note: Currently, Firewalla DHCP Mode only monitors IPv4 traffic. When turning off your router's DHCP server, if your router has a separate button to turn off IPv6 support, please turn that off as well. Otherwise, devices that are assigned an IPv6 address may bypass Firewalla monitoring.
How to setup with DHCP Mode?
When you first bring up Firewalla, it runs in Simple Mode by default. This mode works with most popular routers on the market. However, a small percentage of users' home routers may not be compatible with Firewalla's Simple Mode.
Step 0: Check out the compatibility list.
See if your router is compatible with Firewalla Simple Mode / DHCP Mode: https://firewalla.com/compatibility
Quick Tip: If your DNS server is the router itself, you may want to change that DNS server to a public one such as 22.214.171.124 or 126.96.36.199. There are a few routers that will turn off the DNS server on the router when DHCP is off (in step 2).
Step 1: Setup Firewalla with DHCP Mode.
During Installation: If Firewalla finds that your main router is not compatible with Simple Mode, it will advise you to use DHCP Mode instead. Tap "setup with DHCP Mode" to continue.
After Installation: To manually switch to DHCP Mode, tap the “Monitoring” button, select "Mode", then select "DHCP Mode". The Firewalla box will assign a new IP address to all your devices.
Step 2: Turn off DHCP Server on your router.
Important: Note your router's IP address (usually 192.168.x.1 or 10.x.x.1) before turning off the DHCP server. If anything goes wrong, you will need to manually configure a static IP on your phone/PC/Mac and set the router's IP as the network gateway to regain access to your router.
Here are some how-to examples for popular routers. If your router is not on this list, please consult your router's user manual or search for it on the internet.
- Netgear Routers
1) Log in to your Netgear router. 2) Navigate to "Advanced" tab -> "Setup" -> "LAN Setup". 3) Uncheck "Use Router as DHCP Server". 4) Click the "Apply" button.
- Linksys Routers
1) Under Router Settings, select Connectivity. 2) Select Local Network. 3) Uncheck the DHCP Server box. 4) Click OK to save changes.
- Fritz!Box 7490
1) Click "Home Network" in the FRITZ!Box user interface. 2) Click "Home Network Overview" in the "Home Network" menu. 3) Click on the "Network Settings" tab. 4) Click the "IPv4 Addresses" button. (If the button is not displayed, enable the Advanced View first.) 5) Turn Off DHCP.
- Google Wifi
- Synology 1900AC
- Xfinity Routers
- For routers that don't provide an option to turn off the built-in DHCP service, here is a simple workaround.
Step 3. Rejoin Network.
Have all the devices connected to your home router rejoin the network so that they get a new IP address from the Firewalla DHCP service (you can either toggle airplane mode off and on for mobile devices or simply reboot your devices).
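To confirm that the rejoin worked and that no device is affected by the IPv6 caveat noted earlier, the following added example (not Firewalla code) classifies devices by the addresses they hold. The subnets are the defaults and the example from this article, and the device inventory is constructed sample data.

```python
import ipaddress

OVERLAY = ipaddress.ip_network("192.168.218.0/24")  # Firewalla default overlay
PRIMARY = ipaddress.ip_network("10.0.0.0/24")       # router LAN from the article's example

# Constructed inventory: device name -> addresses seen on that device.
# 2001:db8::/32 is the documentation prefix, standing in for an ISP prefix.
DEVICES = {
    "laptop":  ["192.168.218.23", "fe80::1c2d:3eff:fe4f:5a6b"],
    "camera":  ["10.0.0.42"],
    "phone":   ["192.168.218.31", "2001:db8:1:2::31"],
    "printer": ["172.16.5.9"],
}

def classify(addresses, overlay=OVERLAY, primary=PRIMARY):
    """Return sorted findings for one device's list of address strings."""
    findings = set()
    parsed = [ipaddress.ip_address(a) for a in addresses]
    v4 = [a for a in parsed if a.version == 4]
    if not v4:
        findings.add("no-ipv4-lease")
    for a in v4:
        if a in overlay:
            findings.add("monitored")
        elif a in primary:
            findings.add("primary-network")  # unmonitored by choice, or stale router lease
        else:
            findings.add("unknown-subnet")   # static config or another DHCP server
    for a in parsed:
        # Link-local addresses stay on the LAN; any other IPv6 address may
        # carry traffic that DHCP Mode (IPv4 only) does not monitor.
        if a.version == 6 and not (a.is_link_local or a.is_loopback):
            findings.add("ipv6-bypass")
    return sorted(findings)

def audit(devices):
    """Return only the devices that need attention, with their findings."""
    report = {}
    for name, addresses in devices.items():
        findings = classify(addresses)
        if findings != ["monitored"]:
            report[name] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(DEVICES).items():
        print(f"{name}: {', '.join(findings)}")
```

The subnet test only distinguishes monitored devices while the overlay network uses a different subnet from the primary network.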
How to setup IP Range for DHCP?
In DHCP Mode, the overlay network is the network that all monitored devices connect to, and the primary network is the network that all unmonitored devices connect to. The Firewalla DHCP service automatically allocates devices to these two networks based on the monitoring configuration.
*Note: Firewalla Gold in DHCP Mode does not offer these options; it always configures the overlay network as the same network as the primary one. The resulting configuration is the same as method 2 in this document: How to keep your network unchanged in DHCP Mode?
Tap on Settings -> Advanced -> Network settings to configure the network.
Primary Network configures the network setup for all unmonitored devices. When the Firewalla DHCP service replies to a device's DHCP request, it passes this network setup to the device. By default, it inherits the settings from your router.
Overlay Network configures the network setup for all monitored devices. When the Firewalla DHCP service replies to a device's DHCP request, it passes this network setup to the device.
By default, the overlay network uses 192.168.218.0/24; you may change it to another subnet. If you want to keep device IP addresses unchanged in the overlay network for monitoring, you can make the overlay network use the SAME subnet as the primary network.
Be aware that for devices to pick up the new DHCP settings from Firewalla, you must either wait for the old settings to expire (it usually takes less than 24 hours) or rejoin the device to the network (for IoT devices, a reboot will do the job).
VPN Server Network:
VPN Server Network is the subnet for any VPN client that connects to a Firewalla VPN server. Each client gets an IP address allocated in this subnet. The subnet is randomly generated by Firewalla and is not configurable.
How to setup port forwarding for devices in DHCP Mode?
Firewalla DHCP Mode creates an overlay network above your main network, so if you want to create a port forwarding for your devices, such as accessing your NAS or cameras from outside your home, you must take an extra step: create a port mapping on Firewalla in addition to creating the port forwarding on your router.
Note: Although this setup allows you to access a NAS device or camera remotely while you are outside of your home, this is not the most secure way of doing it. In this article, we suggest that users use the Firewalla VPN service instead to achieve the same capability with security protection.
For example: If you want to access your home camera's website (http, TCP port 80) remotely, you need to set up port forwarding not only on your router (e.g. TCP 8080 -> 8081) but on Firewalla as well (e.g. TCP 8081 -> 80). Then you will be able to access the camera website at http://<Firewalla_DDNS>:8080
*Note: Ports 8080 and 8081 are examples; you can choose your own ports, as long as they are consistent between the router and Firewalla. It is not recommended to open any well-known ports on your router (e.g. 22, 80, 443, etc.), because they are much more likely to be attacked.
Step 1: On your router, create a port forwarding to forward TCP port 8080 to a port on Firewalla, say port 8081. The detailed steps depend on each router's interface.
Here is a general guide: http://www.noip.com/support/knowledgebase/general-port-forwarding-guide/
*Note: If you have multiple layers of routers at your home, you need to setup port forwarding on both routers.
Step 2: On Firewalla, find the Camera you want to access in "Devices", tap "Port Mappings" -> "+" to create a new port mapping. Set the External Port to 8081, as the port on Firewalla; Internal Port to 80, as the port on your Camera. Tap "Save" to save your setting.
To access the port: For example, use a browser to open http://<Firewalla_DDNS>:8080. You can find the DDNS info in the "DDNS" feature; your Firewalla DDNS will automatically point to your public IP.
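The two hops described above only work when the router's target port matches a Firewalla External Port. The following added example (not Firewalla code) joins both rule sets and reports broken chains and well-known ports opened on the router. The rule lists are constructed sample data, and their field names are hypothetical rather than an export format of any router or of Firewalla.

```python
WELL_KNOWN_MAX = 1023  # IANA well-known range; the article advises not opening these

# Constructed sample data. The field names are hypothetical, not an export format.
ROUTER_FORWARDS = [     # router: public port -> port on Firewalla
    {"proto": "tcp", "public": 8080, "to_port": 8081},
    {"proto": "tcp", "public": 443, "to_port": 8443},
    {"proto": "tcp", "public": 9000, "to_port": 9001},
]
FIREWALLA_MAPPINGS = [  # Firewalla: External Port -> device Internal Port
    {"proto": "tcp", "external": 8081, "device": "camera", "internal": 80},
    {"proto": "tcp", "external": 8443, "device": "nas", "internal": 443},
    {"proto": "tcp", "external": 7000, "device": "dvr", "internal": 554},
]

def resolve_chains(router_forwards, firewalla_mappings):
    """Join the two hops. Returns (chains, problems)."""
    by_external = {(m["proto"], m["external"]): m for m in firewalla_mappings}
    chains, problems, used = [], [], set()
    for fwd in router_forwards:
        label = f"router {fwd['proto']}/{fwd['public']}"
        if fwd["public"] <= WELL_KNOWN_MAX:
            problems.append(f"{label}: well-known port exposed to the internet")
        key = (fwd["proto"], fwd["to_port"])
        mapping = by_external.get(key)
        if mapping is None:
            problems.append(f"{label}: no Firewalla mapping on port {fwd['to_port']}")
            continue
        used.add(key)
        chains.append((fwd["public"], mapping["device"], mapping["internal"]))
    # Firewalla mappings that no router rule feeds are unreachable from outside.
    for key, mapping in by_external.items():
        if key not in used:
            problems.append(f"firewalla {key[0]}/{key[1]} ({mapping['device']}): "
                            "no router forward targets it")
    return chains, problems

if __name__ == "__main__":
    chains, problems = resolve_chains(ROUTER_FORWARDS, FIREWALLA_MAPPINGS)
    for public, device, internal in chains:
        print(f"<Firewalla_DDNS>:{public} -> {device}:{internal}")
    for p in problems:
        print("CHECK:", p)
```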
How to reserve an IP address for device in DHCP Mode?
Firewalla DHCP Mode allows you to switch the IP allocation method between Dynamic and Reserved. Open the device in the device list, scroll down to the Information section, tap the device's IP Address, and tap “Reserved”. You can then edit the IP address field and reserve it for the device.