Network Manager is a Firewalla Gold / Purple only feature. It is used to configure WAN in Router Mode and also create network segments in both Router and Simple/DHCP Modes.
To configure any network functions, you will need to press the Edit button.
Default Networks
By default, there are two networks on Firewalla Gold/Purple:
- A WAN connection you configured during the initial setup, if Firewalla is in Router Mode.
- A default Local Network (LAN) that bridges the rest of the Ethernet Ports. Devices can join Firewalla's default Local network by connecting directly to one of these ports using an ethernet cable, or to a wireless access point or wired switch that connects to these ports.
Firewalla Gold has 4 Ethernet ports. Port 4 is the default WAN port in Router Mode, and the default port that connects to the router in Simple/DHCP Mode. Ports 1, 2, 3, and 4 can each be configured with their own network space. They can also be configured as VLAN trunk ports.
Here is a guide on how to change the default WAN port (port 4) to another port.
Configure Networks - Network Manager
The Network Manager screen (Home -> Network) shows all the existing networks with their IP range, VLAN ID, and the ethernet ports they are using.
If you want to create your own network, tap Edit -> Create Network, then choose the network type.
WAN Configuration
During the initial setup, Firewalla will auto-detect the connection type of your network. You can either change it or create a new connection in Network Manager.
In Simple/DHCP Mode, Firewalla monitors the devices connected to the router through the WAN port.
Multi-WAN Connection: If you have more than one WAN connection, please find more details here: Firewalla feature guide: Multi-WAN.
Basic Settings
To create a WAN connection, you'll need to assign an ethernet port that connects to your ISP device (a modem or router), a VLAN ID (if any), and a connection type.
A WAN connection can be one of 4 types:
- DHCP: Get the IP Address assigned by the modem/router automatically.
- Static IP: Manually assign an IP Address, Subnet Mask, Gateway, and DNS server for your connection. The static IP should be provided by your ISP. Otherwise, please make sure the IP Address is in the subnet of the router you are connected to.
  If your ISP has provided you with multiple IP Addresses, find more details here.
- PPPoE: This requires an ISP-provided user name and password to connect to the Internet.
- Triple Play: Choose this type only if it is required by your ISP.
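The Static IP type is the only one where a typo can silently leave the WAN unreachable: the article says the address should come from your ISP or otherwise lie in the subnet of the router you connect to. The following checks are an added example (not Firewalla code; the field names are assumptions) that encode that advice with the standard library before you commit the settings.

```python
"""Sanity checks for a Static IP WAN configuration.

Added example, not Firewalla's code. The parameters mirror the four fields
the article lists for a Static IP WAN (IP Address, Subnet Mask, Gateway,
DNS server); their names here are assumptions for illustration.
"""
import ipaddress


def check_static_wan(ip, subnet_mask, gateway, dns_servers):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    try:
        addr = ipaddress.IPv4Address(ip)
        gw = ipaddress.IPv4Address(gateway)
        # strict=False lets us pass a host address with its mask to derive the subnet.
        network = ipaddress.IPv4Network(f"{ip}/{subnet_mask}", strict=False)
    except ValueError as exc:
        return [f"malformed address or mask: {exc}"]

    # In a /30 or larger subnet, the network and broadcast addresses are not usable hosts.
    reserved = (network.network_address, network.broadcast_address) if network.prefixlen < 31 else ()

    if addr in reserved:
        problems.append(f"{addr} is the network or broadcast address of {network}")
    # The article's rule: the WAN address must be in the upstream router's subnet,
    # which is the same as saying the gateway must be inside the subnet we derived.
    if gw not in network:
        problems.append(f"gateway {gw} is outside {network}; the upstream router is unreachable")
    elif gw in reserved:
        problems.append(f"gateway {gw} is not a usable host address in {network}")
    if gw == addr:
        problems.append("gateway must not equal the WAN address")
    if not dns_servers:
        problems.append("at least one DNS server is required for a Static IP WAN")
    for server in dns_servers:
        try:
            ipaddress.ip_address(server)
        except ValueError:
            problems.append(f"DNS server {server!r} is not an IP address")
    return problems


if __name__ == "__main__":
    # Constructed sample: a WAN in the router's 192.168.1.0/24 with the router as gateway.
    print(check_static_wan("192.168.1.50", "255.255.255.0", "192.168.1.1", ["1.1.1.1"]))
    # Constructed mistake: gateway in a different subnet than the WAN address.
    print(check_static_wan("192.168.1.50", "255.255.255.0", "10.0.0.1", ["1.1.1.1"]))
```

A good configuration returns an empty list; each entry otherwise names the field to fix, which is more useful than the generic "no Internet" symptom you get after saving a bad static WAN.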
Advanced Settings
In addition to the basic settings, there are a few options that may be required by your ISP in order to get internet access. We've added these advanced options so you can configure them accordingly when creating a WAN connection:
- Change / Clone MAC Address of Ethernet Ports
- DHCP Option 60 - Vendor class identifier
- IGMP Proxy
- MTU/MRU for PPPoE
- WAN DNS Servers
Note: Changing the MAC address of Ethernet Ports is only supported on Firewalla Gold.
Local Network Configuration
Basic Settings
To create a local network, you'll need to enter:
- A VLAN ID (If you are creating a virtual network)
- Ethernet port(s). If you select more than one port, they will be bridged automatically.
- Network settings. Firewalla fills the network settings for you. You can tap the blue "Smart Fill" button to generate a new one, or manually edit them as per your preference.
After the network is created, you can connect your devices to the ports with ethernet cables, or through a wireless access point or a router that has been set to Bridge Mode/ AP Mode.
Learn more on How to connect your devices
Advanced Settings
DNS Servers: Firewalla automatically becomes the default upstream DNS for the entire LAN. In that case, only Firewalla itself uses the DNS servers configured on the WAN.
Search Domain: By default, Firewalla uses .lan for all local networks. You can set a different search domain for each local network as needed.
NAT Settings
In order to provide better control of the NAT functionality in Firewalla, we have consolidated all NAT functions under Network -> NAT Settings. If you do not have advanced networks, there is no need to modify this.
Source NAT (default on):
If Source NAT is turned on, it means the local networks can access the Internet through the SNAT gateway. If you have multiple WANs, Source NAT now can be turned on/off on each WAN connection separately, but all WANs will be sharing the same list of source networks. [There is no need to configure this in most networks.]
Source Networks:
Source NAT is turned on for all local networks by default. In addition, you can manually add source networks.
NAT Passthrough:
NAT Passthrough helps connections using protocols such as PPTP, L2TP, IPsec, H.323 (for video calls), and SIP (for VoIP) pass through the router.
Port forwarding:
You can configure port forwarding on the WAN connection either manually or by UPnP. You can:
- Enable/Disable UPnP Globally
- Choose whether to automatically create an allow rule for open ports. The allow rule will be applied to the corresponding device.
- Block a port created by UPnP.
- Delete a manually created port forwarding.
Here is a tutorial on How to limit access on ports.
DMZ:
Select one device as a DMZ Host so that it can be accessed directly from the outside of your network. If Allow on Firewall is turned on, an allow rule will be created on the device to allow all traffic from the internet as well.
Multiple IP Addresses on WAN:
For those of you who are given multiple static IP addresses by your ISP, Firewalla supports configuring additional IP addresses on your WAN connection. By assigning multiple IPs on a single WAN, you can forward different ports to different IP addresses, and set DMZ host on any specific IP addresses.
Up to 5 additional IPs are supported on one WAN interface.
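Port forwarding, UPnP, a DMZ host and additional WAN IPs all widen what is reachable from the Internet, and with several WAN addresses it is easy to forward the same external port twice or to an address the WAN does not own. The audit below is an added example (not Firewalla code; the rule fields and the sample rules are constructed) that checks those mistakes and lists the resulting exposure so it can be compared against what was intended.

```python
"""Consistency and exposure audit for WAN port forwarding, DMZ and additional WAN IPs.

Added example, not Firewalla's code. Rule dictionaries use assumed field
names; the limit of 5 additional IPs per WAN is the one stated in the article.
"""
import ipaddress

MAX_ADDITIONAL_WAN_IPS = 5


def audit_wan_exposure(primary_ip, additional_ips, forwards, dmz=None):
    """Audit a WAN's inbound configuration.

    forwards: list of dicts with ext_ip, proto, ext_port, int_ip, int_port and
              source ('manual' or 'upnp').
    dmz:      None or a dict with ext_ip and host.
    Returns {'errors': [...], 'warnings': [...], 'exposure': {...}} where exposure
    maps an external (ip, proto, port) to the internal target; a DMZ host appears
    as (ip, '*', '*') because it receives every port not otherwise forwarded.
    """
    errors, warnings, exposure = [], [], {}

    if len(additional_ips) > MAX_ADDITIONAL_WAN_IPS:
        errors.append(f"{len(additional_ips)} additional IPs exceeds the limit of {MAX_ADDITIONAL_WAN_IPS}")
    wan_ips = {ipaddress.ip_address(primary_ip)} | {ipaddress.ip_address(a) for a in additional_ips}

    for rule in forwards:
        ext = ipaddress.ip_address(rule["ext_ip"])
        key = (str(ext), rule["proto"], rule["ext_port"])
        target = f"{rule['int_ip']}:{rule['int_port']}"
        if ext not in wan_ips:
            errors.append(f"forward {key} uses {ext}, which is not configured on this WAN")
            continue
        if key in exposure:
            # Two rules for the same external tuple: only one can win, so flag it.
            errors.append(f"duplicate forward for {key}: {exposure[key]} and {target}")
            continue
        exposure[key] = target
        if rule.get("source") == "upnp":
            # UPnP forwards are requested by the device itself and may have had an
            # allow rule created automatically, so they deserve a human look.
            warnings.append(f"UPnP-created forward {key} -> {target}: confirm this device should be reachable")

    if dmz:
        dmz_ip = ipaddress.ip_address(dmz["ext_ip"])
        if dmz_ip not in wan_ips:
            errors.append(f"DMZ uses {dmz_ip}, which is not configured on this WAN")
        else:
            exposure[(str(dmz_ip), "*", "*")] = dmz["host"]
            warnings.append(f"DMZ host {dmz['host']} receives all unforwarded inbound traffic on {dmz_ip}")

    return {"errors": errors, "warnings": warnings, "exposure": exposure}


# Constructed sample configuration (documentation range 203.0.113.0/24, not a real WAN).
SAMPLE_FORWARDS = [
    {"ext_ip": "203.0.113.10", "proto": "tcp", "ext_port": 443, "int_ip": "192.168.1.20", "int_port": 443, "source": "manual"},
    {"ext_ip": "203.0.113.11", "proto": "tcp", "ext_port": 443, "int_ip": "192.168.1.21", "int_port": 8443, "source": "manual"},
    {"ext_ip": "203.0.113.11", "proto": "tcp", "ext_port": 443, "int_ip": "192.168.1.22", "int_port": 443, "source": "manual"},
    {"ext_ip": "203.0.113.99", "proto": "udp", "ext_port": 5000, "int_ip": "192.168.1.23", "int_port": 5000, "source": "manual"},
    {"ext_ip": "203.0.113.10", "proto": "udp", "ext_port": 3478, "int_ip": "192.168.1.30", "int_port": 3478, "source": "upnp"},
]
SAMPLE_DMZ = {"ext_ip": "203.0.113.12", "host": "192.168.1.40"}


def sample_report():
    return audit_wan_exposure("203.0.113.10", ["203.0.113.11", "203.0.113.12"], SAMPLE_FORWARDS, SAMPLE_DMZ)


if __name__ == "__main__":
    report = sample_report()
    for level in ("errors", "warnings"):
        for line in report[level]:
            print(f"{level[:-1]}: {line}")
    for key, target in sorted(report["exposure"]):
        print(f"exposed {key} -> {report['exposure'][key]}")
```

Run it against your own rule export and treat every entry in `exposure` as a service you are deliberately publishing; anything you cannot name belongs in the warnings list until it is removed.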
Example
Comments
With IPv6 enabled, is it possible to override the ISP-assigned IPv6 DNS servers and use your own preferred ones, such as Cloudflare (2606:4700:4700::1111 and 2606:4700:4700::1001)?
Basically I would prefer to have the router push these out via DHCP rather than have to manually configure them on each device.
Also, does the DNS over HTTPS work with IPv6 DNS AAAA records?
+1 for this as well. Also, how can a custom Prefix Delegation be set?
I just ran into the same issue.
To fix this for Android, Windows 10, etc., here is what I did.
You SSH into the Firewalla Gold and make a new file in /home/pi/.router/config/dhcp/conf/
For example:
nano /home/pi/.router/config/dhcp/conf/gero.conf/custom_v6_dns.conf
In the file you put
dhcp-range=tag:br0,::,constructor:br0,slaac,ra-stateless,86400
dhcp-option=tag:br0,option6:dns-server,[fd68:a4d3:aaf6:20::53]
but replace the IP with your own IPv6 DNS server and br0 with what you use (run "ip add" to check).
Then reboot the Firewalla:
sudo reboot
Then I disabled/enabled the network on Windows 10 and it populated the IPv6 DNS.
You can now see the DHCPv6 responses with the DNS server by running
sudo tcpdump -i br0 -n -vv '(udp port 546 or 547) or icmp6'
for example
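The comment above hand-writes two dnsmasq-style lines, which is easy to get wrong (an unbracketed address, an IPv4 resolver in an option6 field, a mistyped bridge name). The following is an added example, not the commenter's script and not Firewalla code: it generates those lines from a validated interface name and resolver list, and parses an existing dhcp-option line back so a file can be checked before a reboot.

```python
"""Generate and verify dnsmasq DHCPv6 dns-server option lines.

Added example. The line formats are the dhcp-range / dhcp-option forms shown in
the comment above; interface name, resolver list and file path are inputs you
supply. Nothing here touches the system: it only builds and parses strings.
"""
import ipaddress
import re

# Linux interface names are at most 15 characters; reject anything that could
# break the comma-separated dnsmasq syntax.
IFACE_RE = re.compile(r"^[A-Za-z0-9._-]{1,15}$")
OPTION6_RE = re.compile(r"^dhcp-option=(?:tag:([^,]+),)?option6:dns-server,(.+)$")


def dnsmasq_v6_dns_lines(iface, dns_servers, lease_seconds=86400):
    """Return [dhcp-range line, dhcp-option line] advertising the given IPv6 resolvers."""
    if not IFACE_RE.match(iface):
        raise ValueError(f"unsafe interface name: {iface!r}")
    if not dns_servers:
        raise ValueError("at least one DNS server is required")
    bracketed = []
    for server in dns_servers:
        addr = ipaddress.ip_address(server)
        if addr.version != 6:
            raise ValueError(f"{server} is not an IPv6 address; option6:dns-server needs IPv6")
        bracketed.append(f"[{addr.compressed}]")  # dnsmasq wants IPv6 option values in brackets
    return [
        f"dhcp-range=tag:{iface},::,constructor:{iface},slaac,ra-stateless,{int(lease_seconds)}",
        f"dhcp-option=tag:{iface},option6:dns-server,{','.join(bracketed)}",
    ]


def parse_option6_dns(line):
    """Return (tag, [resolvers]) for a dhcp-option option6:dns-server line, else None."""
    match = OPTION6_RE.match(line.strip())
    if not match:
        return None
    servers = []
    for item in match.group(2).split(","):
        item = item.strip()
        if not (item.startswith("[") and item.endswith("]")):
            raise ValueError(f"IPv6 option value must be bracketed: {item!r}")
        servers.append(ipaddress.IPv6Address(item[1:-1]).compressed)
    return match.group(1), servers


def check_config_text(text, expected_servers):
    """True if the config text advertises exactly the expected resolvers (order-insensitive)."""
    for line in text.splitlines():
        parsed = parse_option6_dns(line)
        if parsed and set(parsed[1]) == {ipaddress.IPv6Address(s).compressed for s in expected_servers}:
            return True
    return False


if __name__ == "__main__":
    # Constructed input: the Cloudflare resolvers asked about in the first comment.
    for out in dnsmasq_v6_dns_lines("br0", ["2606:4700:4700::1111", "2606:4700:4700::1001"]):
        print(out)
```

To check a file you already wrote, read it and pass its contents to `check_config_text` with the resolvers you meant to advertise; a `False` result or a ValueError points at the line to fix.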
I had a problem with SIP calls and enabling SIP under the NAT Passthrough option solved it. Can you please explain what exactly does this option do in a technical sense? Thanks.
This article should explain the ALG part https://en.wikipedia.org/wiki/Application-level_gateway
Ok, so enabling NAT Passthrough activates ALG for those services... why isn't it on by default? Does it consume resources when turned on? Or is there a security aspect to it?