Network Manager is a Firewalla Gold and Purple-only feature. It is used to configure WAN in Router Mode and also create network segments in both Router and Simple/DHCP Modes. If you are in bridge mode, it can help you manage your network bridges.
- Network Manager is accessible even if your network is down; you just need to stand closer to the physical unit.
- Firewalla supports multiple WANs, which are configured via Network Manager.
- Network Manager is also used to provision VLANs or port-level network segmentation.
To configure any network functions, you will need to press the Edit button.
By default, there are two networks on Firewalla Gold/Purple:
- A WAN connection you configured during the initial setup, if Firewalla is in Router Mode.
- A default Local Network (LAN) that bridges the rest of the Ethernet Ports. Devices can join Firewalla's default Local network by connecting directly to one of these ports using an ethernet cable, or to a wireless access point or wired switch that connects to these ports.
Firewalla Gold has 4 Ethernet ports. Port 4 is the default WAN port in Router Mode, and the default port that connects to the router in Simple/DHCP Mode. Ports 1, 2, 3, and 4 can each be configured to have their own network space. They can also be configured as VLAN trunking ports.
Here is a guide on how to change the default port 4 used for the WAN connection into another port.
Firewalla Purple has 2 Ethernet ports. The WAN port is the default WAN port in Router Mode, and the LAN port is the default port that connects to the router in Simple/DHCP Mode.
The Network Manager screen (Home -> Network) shows all the existing networks with their IP range, VLAN ID, and the ethernet ports they are using.
If you want to create your own network, tap Create Network, then choose the network type.
- If you are using Firewalla Purple, you'll find more options for Wi-Fi networks. To learn more about how to manage Wi-Fi networks on Purple, see this tutorial: Firewalla Purple Short Distance Wi-Fi.
- If you are using Firewalla Gold, and you've bought the Wi-Fi SD to extend the Gold for Wi-Fi use, see this tutorial: Wi-Fi SD for Firewalla Gold.
During the initial setup, Firewalla will auto-detect the connection type of your network.
If you wish to have more than one WAN connection, you can create a new connection in Network Manager after the initial setup. Please find more details here: Firewalla feature guide: Multi-WAN.
To create a WAN connection, you need to assign an Ethernet port that connects to your ISP device (a modem or router), a VLAN ID (if any), and a connection type.
A WAN connection can be one of 4 types:
- DHCP: Get the IP Address assigned by the modem/router automatically.
- Static IP: Manually assign an IP Address, Subnet Mask, Gateway, and DNS server for your connection. The static IP should be provided by your ISP. Otherwise, please make sure the IP Address is in the subnet of the router you are connected to.
For those of you who are given multiple static IP addresses by your ISP, Firewalla supports configuring additional IP addresses on your WAN connection. By assigning multiple IPs on a single WAN, you can forward different ports to different IP addresses and set the DMZ host on any specific IP address. Find more details here.
- PPPoE: This requires an ISP-provided username and password to connect to the Internet.
- Triple Play: Choose this type only if it is required by your ISP.
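A pre-flight check for the Static IP type described above, as an added example (not Firewalla code). It verifies that the gateway sits in the subnet implied by the IP address and mask, applies the limit of 5 additional IPs stated later on this page, and also flags a local network that overlaps the WAN subnet. The function name, parameters and sample addresses are assumptions made for illustration.

```python
import ipaddress

MAX_ADDITIONAL_IPS = 5  # per-WAN limit stated on this page


def check_static_wan(ip, netmask, gateway, additional_ips=(), lan_networks=()):
    """Return a list of problems found in a static WAN plan (empty list = OK)."""
    problems = []
    iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
    wan_net = iface.network
    gw = ipaddress.IPv4Address(gateway)

    # /31 and /32 networks have no separate network or broadcast address.
    if wan_net.prefixlen < 31 and iface.ip in (wan_net.network_address,
                                               wan_net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {wan_net}")

    # The gateway must be reachable on-link, i.e. inside the WAN subnet.
    if gw not in wan_net:
        problems.append(f"gateway {gw} is not in {wan_net}")
    elif gw == iface.ip:
        problems.append("WAN IP and gateway are the same address")

    # Additional IPs may come from a separately routed block, so only the
    # count and uniqueness are checked, not subnet membership.
    extras = [ipaddress.IPv4Address(a) for a in additional_ips]
    if len(extras) > MAX_ADDITIONAL_IPS:
        problems.append(f"{len(extras)} additional IPs exceeds the limit of "
                        f"{MAX_ADDITIONAL_IPS}")
    if len(set(extras + [iface.ip])) != len(extras) + 1:
        problems.append("duplicate address among the WAN IPs")

    # A local network that overlaps the WAN subnet cannot be routed reliably.
    for lan in lan_networks:
        lan_net = ipaddress.IPv4Network(lan, strict=False)
        if lan_net.overlaps(wan_net):
            problems.append(f"local network {lan_net} overlaps WAN subnet {wan_net}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the mask is too narrow for the chosen gateway.
    for line in check_static_wan("203.0.113.10", "255.255.255.248", "203.0.113.1"):
        print(line)
```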
In addition to the basic settings, there are a few options that may be required by your ISP in order to get internet access. We've added these advanced options so you can configure them accordingly when creating a WAN connection:
- Change / Clone MAC Address of Ethernet Ports
- DHCP Options
- IGMP Proxy - Often used with IPTV that uses multicast traffic
- MTU/MRU for PPPoE
- WAN DNS Servers
For each WAN connection, you can configure the test targets for its connectivity test. The tests are used to monitor the Internet connectivity of the WAN connections, send you network events when your network goes down, and fail over to the standby WAN if you are in multi-WAN mode. Learn more about network events.
Additionally, as part of the 1.53 app release, we've provided a flexible way of configuring DHCP Options on both WAN (client options) and LAN (server options) networks. You can see a video tutorial or read more about this feature in our Firewalla App Release 1.53 notes.
To create a local network, you'll need to enter:
- A VLAN ID. Only if you are creating a virtual network.
- Ethernet port(s). If you select more than one port, they will be bridged automatically.
- Network settings. Firewalla fills in the network settings for you. You can tap the blue "Surprise Me" button to generate a new one, or manually edit them as per your preference.
After the network is created, you can connect your devices to the ports with Ethernet cables, or through a wireless access point or a router that has been set to Bridge Mode/AP Mode. Learn more about how to connect your devices.
Firewalla will automatically become the default upstream DNS for the entire LAN. So in this case, only Firewalla itself will use WAN-configured DNS.
By default, Firewalla uses .lan for all local networks. You can set different search domains for different local networks as needed.
Some devices may need special DHCP options. We've provided a flexible way of configuring DHCP options on both WAN (client options) and LAN (server options) networks. The DHCP options below are currently supported.
For example, if you want to set up DHCP option 41 on Firewalla for your AP devices, you can tap a LAN network on the Network Manager page, scroll down to find the DHCP Options, tap add DHCP option, and configure the option code and value accordingly.
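To confirm that a configured option code and value are actually handed out to clients, you can decode the options field of a captured DHCP reply. The parser below is an added example (not Firewalla code) that follows the RFC 2132 code/length/value layout. The sample bytes, including the option 41 value, are constructed for illustration.

```python
import ipaddress

MAGIC_COOKIE = bytes.fromhex("63825363")  # RFC 2131: marks the start of the options field
PAD, END = 0, 255                         # single-byte options with no length or value


def encode_option(code: int, value: bytes) -> bytes:
    """Encode one option as code (1 byte), length (1 byte), value."""
    if not 1 <= code <= 254:
        raise ValueError("option code must be 1-254")
    if len(value) > 255:
        raise ValueError("value longer than 255 bytes needs RFC 3396 splitting")
    return bytes([code, len(value)]) + value


def parse_options(field: bytes) -> dict:
    """Parse an options field (starting at the magic cookie) into {code: value}."""
    if field[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 4
    while i < len(field):
        code = field[i]
        if code == END:
            return options
        if code == PAD:
            i += 1
            continue
        if i + 1 >= len(field):
            raise ValueError(f"option {code} has no length byte")
        length = field[i + 1]
        value = field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        options[code] = options.get(code, b"") + value  # RFC 3396: join repeated codes
        i += 2 + length
    raise ValueError("no END (255) option found")


def as_ipv4_list(value: bytes) -> list:
    """Decode a value made of 4-byte IPv4 addresses."""
    if not value or len(value) % 4:
        raise ValueError("not a list of IPv4 addresses")
    return [str(ipaddress.IPv4Address(value[n:n + 4])) for n in range(0, len(value), 4)]


# Constructed sample: message type OFFER (53=2), one pad byte, DNS (6), option 41.
SAMPLE = (MAGIC_COOKIE + encode_option(53, b"\x02") + bytes([PAD])
          + encode_option(6, ipaddress.IPv4Address("192.168.10.1").packed)
          + encode_option(41, ipaddress.IPv4Address("192.168.10.5").packed)
          + bytes([END]))
```

A parse error on a real capture usually means the value was entered with the wrong length or encoding for that option code.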
If you have multiple IPv6 WANs and want a certain LAN's IPv6 address to be delegated by a specific WAN, scroll down in your LAN's network settings to locate IPv6 Delegation, switch to Manual, and select a WAN with DHCPv6 enabled. Check out our video tutorial for detailed instructions.
To provide better control of NAT functionality in Firewalla, we have consolidated all NAT functions under Network -> NAT Settings. If you do not have advanced networks, there is no need to modify this.
Source NAT (default on):
If Source NAT is turned on, it means the local networks can access the Internet through the SNAT gateway. If you have multiple WANs, Source NAT can be turned on/off on each WAN connection separately, but all WANs will share the same list of source networks. Note that there is no need to configure this in most networks.
Source NAT is turned on for all local networks by default. In addition, you can manually add source networks.
NAT Passthrough helps connections of different protocols including PPTP, L2TP, IPSEC, H323 (for video call), SIP (for VoIP) to pass through the router.
UPnP per network:
For users who only want to enable UPnP for specific networks, say a gaming VLAN, we are now providing the ability to configure it on your local networks separately.
In Network Manager, go to NAT Settings > Port Forwardings, tap Apply To > Specific Networks, and you can check/uncheck your networks.
For each port forwarding, you can:
- Choose whether to create an allow rule for open ports. The allow rule will be applied to the corresponding device.
- Block a port created by UPnP, or delete a manually created port forwarding.
Here is a tutorial on How to create port forwarding and limit access on ports.
Select one device as a DMZ Host so that it can be accessed directly from the outside of your network. If Allow on Firewall is turned on, an allow rule will be created on the device to allow all traffic from the internet as well.
Multiple IP Addresses on WAN:
For those of you who are given multiple static IP addresses by your ISP, Firewalla supports configuring additional IP addresses on your WAN connection. By assigning multiple IPs on a single WAN, you can forward different ports to different IP addresses, and set the DMZ host on any specific IP address.
Up to 5 additional IPs are supported on one WAN interface.
Source NAT Rules/1:1 NAT:
If your Internet Service Provider has given you several IP addresses, you might want to assign a particular outgoing WAN IP address for specific devices. To do this, simply add a 1:1 NAT rule by selecting a device and a WAN IP address, then save to apply the changes. Check out our video tutorial for step-by-step instructions on how to use this feature.
Note that this type of rule is only available for WAN connections with Static IP addresses.