- Default Networks
- Network Manager
- Example: Segment Guest Network via VLAN
Network Manager is a Firewalla Gold and Purple-only feature. It is used to configure WAN in Router Mode and also create network segments in both Router and Simple/DHCP Modes. If you are in bridge mode, it can help you manage your network bridges.
- Network Manager is accessible even if your network is down; You just need to stand closer to the physical unit.
- Firewalla supports multiple WANs, this is configured via the network manager.
- Network Manager is also used to provision VLAN's or port-level network segmentation.
To configure any network functions, you will need to press the Edit button
By default, there are two networks on Firewalla Gold/Purple:
- A WAN connection you configured during the initial setup, if Firewalla is in Router Mode.
- A default Local Network (LAN) that bridges the rest of the Ethernet Ports. Devices can join Firewalla's default Local network by connecting directly to one of these ports using an ethernet cable, or to a wireless access point or wired switch that connects to these ports.
Firewalla Gold has 4 Ethernet ports. Port 4 is the default WAN port in Router Mode, and the default port connects to the router in Simple/DHCP Mode. Ports 1, 2, 3, 4 can be configured to have their own network space. They can also be configured as VLAN trunking ports.
Here is a guide on how to change the default port 4 used for the WAN connection into another port.
Firewalla Purple has 2 Ethernet ports, the WAN port is the default WAN port in router mode, and the LAN port is the default port that connects to the router in Simple/DHCP mode.
The Network Manager screen (Home -> Network) shows all the existing networks with their IP range, VLAN ID, and the ethernet ports they are using.
If you want to create your own network, tap Create Network, then choose the network type.
- If you are using Firewalla Purple, you'll find more options about Wi-Fi networks. To learn more about how to manage wifi networks on purple, see this tutorial: Firewalla Purple Short Distance Wi-Fi.
- If you are using Firewalla Gold, and you've bought the Wi-Fi SD to extend the Gold for Wi-Fi use, see this tutorial: Wi-Fi SD for Firewalla Gold.
During the initial setup, Firewalla will auto-detect the connection type of your network.
If you wish to have more than one WAN connection, you can create a new connection in Network Manager after the initial setup. Please find more details here: Firewalla feature guide: Multi-WAN.
To create a WAN connection, you'd need to assign an ethernet port which connects to your ISP Device (a modem or router), a VLAN ID (if any), and a connection type.
A WAN connection can be one of 4 types:
- DHCP: Get the IP Address assigned by the modem/router automatically.
- Static IP: Manually assign an IP Address, Subnet Mask, Gateway, and DNS server for your connection. The static IP should be provided by your ISP. Otherwise, please make sure the IP Address is in the subnet of the router you are connected to.
For those of you who are given multiple static IP addresses by your ISP, Firewalla supports configuring additional IP addresses on your WAN connection. By assigning multiple IPs on a single WAN, you can forward different ports to different IP addresses, and set the DMZ host on any specific IP address. Find more details here.
- PPPoE: This requires an ISP-provided user name and password to connect to the Internet.
- Triple Play: Choose this type only if it is required by your ISP.
In addition to the basic settings, there are a few options that may be required by your ISP in order to get internet access. We've added these advanced options so you can configure them accordingly when creating a WAN connection:
- Change / Clone MAC Address of Ethernet Ports
- DHCP Option 60 - Vendor class identifier
- DHCP Option 61 - Client Identifier
- IGMP Proxy
- MTU/MRU for PPPoE
- WAN DNS Servers
For each WAN connection, you can configure the test targets for its connectivity test. The tests will be used to monitor the Internet connectivity of the wan connections, send you network events when your network goes down, and failover to the standby WAN if you are in multi-wan mode. Learn more about network events.
Additionally, as part of the 1.53 app release, we've provided a flexible way of configuring DHCP Options on both WAN (client options) and LAN (server options) networks. You can see a video tutorial or read more about this feature in our Firewalla App Release 1.53 notes.
To create a local network, you'll need to enter:
- A VLAN ID. Only if you are creating a virtual network.
- Ethernet port(s). If you select more than one port, they will be bridged automatically.
- Network settings. Firewalla fills the network settings for you. You can tap the blue "Suprise Me" button to generate a new one, or manually edit them as per your preference.
After the network is created, you can connect your devices to the ports with ethernet cables, or through a wireless access point or a router that has been set to Bridge Mode/ AP Mode.
Learn more on How to connect your devices
DNS Servers: Firewalla will automatically become the default upstream DNS for the entire LAN. So in this case, only Firewalla itself will use WAN configured DNS.
Search Domain: By default, Firewalla uses .lan for all local networks by default, you can set different search domains for different local networks as needed.
DHCP Options : Some devices may need special DHCP options. As part of the 1.53 app release (currently in Beta), we've provided a flexible way of configuring DHCP options on both WAN (client options) and LAN (server options) networks. You can read more about this feature and how to test it out in our Firewalla App Release 1.53 notes.
In order to provide better control of the NAT functionality in Firewalla. We have consolidated all NAT functions under Network -> NAT Settings. If you do not have advanced networks, there is no need to modify this.
Source NAT (default on):
If Source NAT is turned on, it means the local networks can access the Internet through the SNAT gateway. If you have multiple WANs, Source NAT can be turned on/off on each WAN connection separately, but all WANs will be sharing the same list of source networks. [There is no need to configure this in most networks.]
Source NAT is turned on for all local networks by default, in addition, you can manually add source networks.
NAT Passthrough helps connections of different protocols including PPTP, L2TP, IPSEC, H323 (for video call), SIP (for VoIP) to pass through the router.
UPnP per networks
For users who only want to enable UPnP for specific networks, say a gaming VLAN, we are now providing the ability to configure it on your local networks separately.
In Network Manager, go to NAT Settings -> Port Forwardings, tap Apply To->Specific Networks, and you can check/uncheck your networks.
For each port forwarding, you can:
- Choose whether to create an allow rule for open ports. The allow rule will be applied to the corresponding device.
- Block a port created by UPnP, or delete a manually created port forwarding.
Here is a tutorial on How to create port forwarding and limit access on ports.
Select one device as a DMZ Host so that it can be accessed directly from the outside of your network. If Allow on Firewall is turned on, an allow rule will be created on the device to allow all traffic from the internet as well.
Multiple IP Addresses on WAN:
For those of you who are given multiple static IP addresses by your ISP, Firewalla supports configuring additional IP addresses on your WAN connection. By assigning multiple IPs on a single WAN, you can forward different ports to different IP addresses, and set the DMZ host on any specific IP address.
Up to 5 additional IPs are supported on one WAN interface.
With IPv6 enabled, is it possible to override the ISP-assigned IPv6 DNS servers and use your own preferred ones, such as Cloudflare (2606:4700:4700::1111 and 2606:4700:4700::1001)?
Basically I would prefer to have the router push these out via DHCP rather than have to manually configure them on each device.
Also, does the DNS over HTTPS work with IPv6 DNS AAAA records?
+1 for this as well. Also, how can a custom Prefix Delegation be set?
I just ran into the same issue.
To fix this for android, windows 10, etc here is what I did.
You ssh into the firewalla gold and make a new file in /home/pi/.router/config/dhcp/conf/
In the file you put
but replace the ip with your own ipv6 dns server and br0 with what you use (run "ip add" to check).
Then reboot the firewalla
Then disabled/enabled network on windows 10 and it populated the ipv6 dns
You can now see the dhcpv6 responses with the dns server by running
sudo tcpdump -i br0 -n -vv '(udp port 546 or 547) or icmp6'
I had a problem with SIP calls and enabling SIP under the NAT Passthrough option solved it. Can you please explain what exactly does this option do in a technical sense? Thanks.
This article should explain the ALG part https://en.wikipedia.org/wiki/Application-level_gateway
Ok, so enabling NAT Passthrough activates ALG for those services.... why isn't it on by default? Does it consume resources when turned on? Or is there a security aspect to it?
What format is the MAC address supposed to be in? No matter what I try, xx-xx-xx-xx-xx-xx, xxxxxxxxxxxx, it says "invalid MAC address" even though it's the one copied from the router.
@Dave try xx:xx:xx:xxmxx:xx
Ah, thanks. And a request for the Firewalla folks, could fields for entering MAC addresses be made a bit more flexible? The xx-xx form is standard for MAC addresses with the hex-digits-one probably being the next most common, without @Michael's hint I'd never have guessed that colons are required. So for validation, take the input, remove any punctuation, and then check that it's 12 hex digits, that allows xx-xx, xx:xx, and xxxx forms.
Please sign in to leave a comment.