- What is Firewalla DHCP Mode?
- How to set up with DHCP Mode?
- How to set up an IP Range for DHCP?
- How to setup port forwarding for devices in DHCP Mode?
- How to reserve an IP address for devices in DHCP Mode?
- How to keep your network unchanged in DHCP Mode?
What is Firewalla DHCP Mode?
For Firewalla Red and Blue, there are 4 monitoring modes, Simple Mode, DHCP Mode, Limited Mode, and Experimental Simple Mode. This article explains how each of them works: "How does Firewalla Intercept Traffic?"
Since the DHCP mode does not reply on arp spoofing to grab packets from the router, it is going to be more stable and slightly faster than the simple mode. And likely to be compatible with most of the routers out there.
Why DHCP Mode?
- All traffic will go through Firewalla.
- Seemless integrates with VPN Client Feature
- Faster performance than Simple Mode
- Double NAT
- Need to login to the router and disable DHCP or limit DHCP scope
- Double NAT
How does DHCP Mode work?
In the DHCP method, Firewalla creates a network over the existing network. If you have a network on your main router, you will also see another overlay network from Firewalla.
The new network is statically overlayed on top of your home network's physical layer. You can statically point your devices to this Overlay network, or disable/modify the existing DHCP service on your main router and have the Firewalla serve DHCP request.
Firewalla will respond DHCP requests from all devices in the same network and assign IP from the overlay network.
Where to find out your Firewalla's overlay network?
The overlay network is randomly created by Firewalla. To find out your overlay network on Firewalla App, tap Box Settings -> Advanced -> Network Settings -> Overlay Network.
You can change the network into other subnets, and you may use it by either using a DHCP server or manually configuring the device’ static IP address in that block.
Note: Currently, the Firewalla DHCP mode only monitors IPv4 traffic. When turning off the router's DHCP server, if your router has a separate button to turn off IPv6 support, please do so. Otherwise, devices assigned with IPv6 addresses may bypass Firewalla monitoring.
How to setup with DHCP Mode?
When you first bring up Firewalla, it is running in simple mode by default. This mode works with the most popular routers out there on the market. However, a small percentage of user's home router may not be compatible with Firewalla's simple mode.
Step 0: Check out the compatibility list.
See if your router is compatible with Firewalla Simple Mode / DHCP Mode: https://firewalla.com/compatibility
Step 1: Setup Firewalla with DHCP Mode.
During Installation: If Firewalla finds your main router is not compatible with Simple Mode, it will advise you to use DHCP Mode instead, tap on "setup with DHCP Mode" to continue.
After Installation: To manually switch to DHCP Mode, you can tap the “Monitoring” button, select "Mode", select "DHCP Mode". Firewalla box will assign a new IP address to all your devices.
Step 2: Turn off DHCP Server on your router.
- Please note your router's IP address (usually it's 192.168.x.1 or 10.x.x.1) before turning off DHCP server. In case anything goes wrong, you will need to manually configure a static IP on your phone/PC/Mac, set the router's IP as the network gateway, to get back the access to your router.
- If your DNS server is the router itself, you may want to change that DNS server to a public one such as 220.127.116.11 or 18.104.22.168. There are a few routers that will turn off the DNS server on the router when DHCP is off. Here is an example with Synology Router.
Here are some examples of "how-to" on popular routers. If your router is not on this list, please consult the user manual of your router, or search it on the internet.
- Netgear Routers
1) Login to your Netgear router. 2) Navigate to "Advanced" tab -> "Setup" -> "LAN Setup". 3) Uncheck "Use Router as DHCP Server". 4) click "Apply" button.
- Linksys Routers
1) Under Router Settings, select Connectivity. 2) Select Local Network. 3) Uncheck the DHCP Server box. 4) Click OK to save changes.
- Fritz!Box 7490
1) Click "Home Network" in the FRITZ!Box user interface. 2) Click "Home Network Overview" in the "Home Network" menu. 3) Click on the "Network Settings" tab. 4) Click the "IPv4 Addresses" button. (If the button is not displayed, enable the Advanced View first.) 5) Turn Off DHCP.
- Google Wifi
- Synology 1900AC
- Xfinity Routers
- For routers that don't provide an option to turn off the built-in DHCP service, here is a simple workaround.
Step 3. Rejoin Network.
Have all the devices connected to your home router to rejoin network in order to get the new IP address from Firewalla DHCP service (you can either turn off/on the Airplane Mode on your mobile devices or simply reboot your devices).
How to set up an IP Range for DHCP?
In DHCP Mode, the Overlay network is the network that all monitored devices connect to, and the primary network is the network that all unmonitored devices connect to. Firewalla DHCP service will automatically allocate devices to these two networks based on monitoring configuration.
*Note: Firewalla Gold in DHCP mode does not offer these options, it will always config overlay network as the same network as the primary one. The resulting configuration is the same as method 2 in this document: How to keep your network unchanged in DHCP Mode?
Tap on Settings -> Advanced -> Network settings to configure the network.
Primary Network configures the network setup for all unmonitored devices. When Firewalla DHCP service replies device's DHCP request, it will pass the network setup to the device. By default, it inherits the settings from your router.
Overlay Network configures the network setup for all monitored devices. When Firewalla DHCP service replies device's DHCP request, it will pass the network setup to the device.
By default, the overlay network is randomly created by Firewalla, you may change it to other network subnets. If you want to keep the device IP address unchanged in an overlay network for monitoring, you can make the overlay network use the SAME subnet as the primary network.
Be aware that for devices to pick up the new DHCP settings from Firewalla, either wait for the old settings to expire (it usually takes less than 24 hours), or re-join the device to the network (for IoT devices, a reboot will do the job).
VPN Server Network:
VPN Server Network is the subnet for any VPN client when connecting to a Firewalla VPN server. Each client will get an IP address allocated in this subnet. The subnet is randomly generated by Firewalla and it's not configurable.
How to set up port forwarding for devices in DHCP Mode?
Firewalla DHCP mode creates an overlay network above your main network, so if you want to create a port forwarding for your devices, such as accessing your NAS or cameras outside your home, you are required to take an extra step to create port mapping on Firewalla in additional to create port forwarding on your router.
Note: Although this setup allows you to access the NAS device or camera remotely while you are outside of your home, this is not the most secure way of doing it. In this article, we suggest our users to use Firewalla VPN service instead, to achieve the same capability with security protection.
For example: If you want to access your home camera's website (HTTP, TCP port 80) remotely, you need to setup port forwarding (e.g. TCP 8080 -> 8081) not only on your router but port forwarding (e.g. TCP 8081 -> 80) on Firewalla as well. Then, you will be able to access the camera website from http://<Firewalla_DDNS>:8080
*Note: For port 8080 and 8081, you can choose your own port, as long as they are consistent between router and Firewalla. It is not recommended to open any well-known ports on your router (e.g. 22, 80, 443 and etc), because it will much more likely be attacked.
Step 1: On your router, create a port forwarding to forward TCP port 8080 to a Firewalla's Port, say Port 8081. The detailed step depends on each router's interface.
Here is a general guide: http://www.noip.com/support/knowledgebase/general-port-forwarding-guide/
*Note: If you have multiple layers of routers at your home, you need to setup port forwarding on both routers.
Step 2: On Firewalla, find the Camera you want to access in Devices, tap Port -> Add Port Forwarding to create a new port forwarding. Set the External Port to 8081, as the port on Firewalla; Internal Port to 80, as the Port on your Camera. Tap "Save" to save your setting.
To Access the port: For example, use a browser to access http://<Firewalla_DDNS>:8080. You can find the DDNS info in "DDNS" feature, and Your Firewalla DDNS will automatically point to your public IP.
How to reserve an IP address for the device in DHCP Mode?
Firewalla DHCP Mode allows you to switch the IP allocation method between Dynamic and Reserved. Open the device in the device list, scroll down to the section ->Information, tap IP Address of the device, tap “Reserved”, you can edit the IP address field and reserve it for the device.
Nice article, I'm a fan of fritzbox-7590. They have a pretty good solution to the problem -- revocation to an IP address. A simple hash to get one IP is the most trivial of the solutions I could think of. If the router is compromising your laptop's IP, it is unlikely your router has compromised your router's network. And if you think that the router is compromised, it isn't at all likely that it is compromised.
"*Note: Firewalla Gold in DHCP mode does not offer these options, it will always config overlay network as the same network as the primary one. The resulting configuration is the same as method 2 in this document: How to keep your network unchanged in DHCP Mode?"
It looks like method 2 is swapping the 2 subnets, while method 1 is having both networks the same. Is method 1 equivalent to what Gold uses?
Please sign in to leave a comment.