Firewalla Gold is optimized for use in Router Mode.
If you already have a router or multiple routers, we highly recommend that you turn off the routing function on your Wi-Fi router. Most routers call this Bridge or AP mode. When you turn this on, your router can be used as an additional Wi-Fi access point connected to Firewalla Gold's LAN port. This will also avoid double NAT in your network.
This can significantly increase your existing router's Wi-Fi performance because your router can spend all its resources on Wi-Fi, and Firewalla will do all the routing and filtering.
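One way to confirm that the old router has stopped doing NAT after the switch to AP/bridge mode is to count the private hops at the start of a traceroute from a Wi-Fi client. This is an added example, not Firewalla's code; the `traceroute -n` output and every address in it are constructed.

```python
import ipaddress
import re

# RFC 1918 ranges: a hop in one of these is a NAT router on the home side.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6598 shared space: carrier-grade NAT, which AP/bridge mode cannot remove.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# Hop number, then the first IPv4 address on the line ("* * *" lines are skipped).
HOP_RE = re.compile(r"^\s*\d+\s+.*?(\d{1,3}(?:\.\d{1,3}){3})")

# Constructed `traceroute -n` output; all addresses are made up for the example.
ROUTER_BEHIND_ROUTER = """\
traceroute to 198.51.100.7 (198.51.100.7), 30 hops max, 60 byte packets
 1  192.168.1.1  0.41 ms  0.38 ms  0.35 ms
 2  10.0.0.1  1.12 ms  1.00 ms  0.98 ms
 3  203.0.113.1  8.73 ms  8.65 ms  8.54 ms
 4  198.51.100.7  9.10 ms  9.04 ms  8.99 ms
"""
AP_MODE_BEHIND_CGNAT = """\
traceroute to 198.51.100.7 (198.51.100.7), 30 hops max, 60 byte packets
 1  10.0.0.1  0.40 ms  0.37 ms  0.36 ms
 2  100.64.12.1  6.20 ms  6.11 ms  6.02 ms
 3  * * *
 4  198.51.100.7  9.10 ms  9.04 ms  8.99 ms
"""


def parse_hops(text):
    """Return the first IPv4 address of every answered hop, in path order."""
    found = (HOP_RE.match(line) for line in text.splitlines())
    return [ipaddress.ip_address(m.group(1)) for m in found if m]


def classify(text):
    """Count leading RFC 1918 hops; two or more means NAT is stacked locally."""
    hops = parse_hops(text)
    private = 0
    for hop in hops:
        if not any(hop in net for net in RFC1918):
            break
        private += 1
    cgnat = private < len(hops) and hops[private] in CGNAT
    return {"private_hops": private, "double_nat": private >= 2, "cgnat": cgnat}


if __name__ == "__main__":
    for name in ("ROUTER_BEHIND_ROUTER", "AP_MODE_BEHIND_CGNAT"):
        print(name, classify(globals()[name]))
```

Two leading private hops can also come from an ISP that numbers its own gateway from RFC 1918 space, so confirm the result against the WAN address shown on the upstream device.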
Here are some examples of how this is configured on popular routers. If your router is not on this list, please refer to your router's manual.
Netgear
Official Guide: https://kb.netgear.com/31218/How-do-I-configure-my-Orbi-router-to-act-as-an-access-point
1) Login to your Netgear router. 2) Navigate to "Advanced" -> "Advanced Setup" -> "Router/AP/Bridge Mode". 3) Choose "AP Mode". 4) Apply.
Ubiquiti
Official Guide: https://help.amplifi.com/hc/en-us/articles/220979347-Enabling-Bridge-Mode
1) Login to your Ubiquiti router. 2) Navigate to "Internet" -> "Router Mode" sub-header. 3) Toggle on "Bridge Mode". 4) Save and confirm.
Asus
Official Guide: https://www.asus.com/us/support/FAQ/1015009/
1) Login to your Asus router. 2) Navigate to "Administration" -> "Operation Mode". 3) Select "Access Point(AP) Mode". 4) Save.
Linksys
Official Guide: https://www.linksys.com/us/support-article?articleNum=243548
1) Login to your Linksys router. 2) Navigate to "Advanced Settings" -> "Internet Settings" -> "Connection Type". 3) Change to "Bridge Mode". 4) Save.
eero
Official Guide: https://support.eero.com/hc/en-us/articles/208276903-How-do-I-bridge-my-eeros-
NOTE: If you are wiring your eero units, there might be unpredictable results for eero mesh in bridge mode. There's a good technical explanation on Reddit by eero devs. But if you still want to try, some of our customers found that changing the topology might help.
The first eero (gateway eero) must be directly after Firewalla if eero is not used as a router. All other units that are part of the same mesh need to come off one switch connected to the second Ethernet port of the gateway eero. So it has to be Firewalla -> gateway eero -> switch -> other eero units.
Otherwise, it'll cause a network loop and bring down the performance dramatically.
dd-wrt
Official Guide: https://wiki.dd-wrt.com/wiki/index.php/Wireless_access_point
OpenWrt
Official Guide: https://openwrt.org/docs/guide-user/network/wifi/dumbap
D-Link
Official Guide: http://forums.dlink.com/index.php?topic=65327.0
Tips for Pros
@Spblhedeam sent us this link. It seems that on some routers, using the LAN port (instead of the WAN port) may increase performance. https://community.netgear.com/t5/Nighthawk-WiFi-Routers/WAN-OR-LAN-Port-for-Access-Point/m-p/1066752#M29745
Currently (August 2020) the Ubiquiti USG 3P has no 'bridge mode' functionality exposed through the Unifi UI (I own one and could not find any such UI element). The Amplifi Alien does support this (based on link in the article) but the Dream Machine & Dream Machine Pro seem not to support this mode from the UI either. I do not own the Alien, DM, or DM Pro.
In addition, these are the steps that worked for me from Firewalla Support.
Here is the recommended sequence:
At first I could not get an internet connection. After trial and error I went to the Network setting in the Firewalla app, clicked on Edit, chose the WAN configuration, and changed the Connection Type from Static to DHCP. As soon as I did this, devices in my network started to pick up new IP addresses that are preconfigured in the LAN network configuration.
If anyone's interested in the long explanation for why eeros need to be configured as indicated above, here it is, from the horse's mouth:
I designed it. It's not supposed to be used that way, and the results will be unpredictable.
eero is a software-defined network based on a heterogeneous backplane constructed from 802.11 and 802.3 links. Given this, we are trying to build a switch with every ethernet port and every wireless access point vdev as member ports.
The problem with this is that in any given network where two eeros are connected by a piece of ethernet cable, they're also connected by the mesh. As I say, each radio on each eero has a virtual device which we call an AP- it's the thing a wireless client connects to. We call those "ports", just like the ethernet ports on an eero.
The problem is that frames coming into those ports have to be delivered to their destinations in a locally consistent way, or non-mesh devices will become very confused.
Frames have to arrive in the same order they were sent, they all have to transit any piece of ethernet in the topology in the same direction every time, and if there is an ethernet path, even if for only part of the topology, we want to use it, because ethernet doesn't consume airtime. The mesh does not guarantee deterministic delivery of frames, but ethernet absolutely requires it.
This is extra specially complicated because while our mesh frames have six addresses and a time-to-live counter and can be trusted not to go in circles, ethernet frames only have two addresses- a source and a destination. Wireless AP frames from non-mesh clients only have three, one of which is just the network address and isn't useful.
So if an eero sees an ethernet frame, it needs to know whether it should inject it into the mesh or not, but the information it needs isn't present in the frame. Each ethernet segment needs to see each frame once and only once, and it needs to approach that segment from the same port onto that segment, or switches will mislearn the location of those clients.
We have an algorithm we invented called STAMP which solves this problem by building a table of segments and their intersections, and modifying the forwarding rules at each intersection to give every client a locally consistent view of the network that looks just like ethernet.
Unfortunately, if two eeros are both connected to an upstream router of some kind... STAMP can't work properly. The two eeros might both be responsible for injecting frames into their segments, or neither of them might be. The upstream device might choose to deliver the frame on one port, or neither. It doesn't support STAMP, so it can't participate in the STAMP algorithm, and delivery vectors will be formally unpredictable.
They have no way to figure this out unless there's an eero at the root of the topology.
So yes, you shouldn't do this. It might work, it might stop working. It'll be random and flakey. When you reboot some part of your network, it may stop working, or some clients may randomly stop being able to see other clients. It'll depend entirely on the arrival order of frames when the switch inside your router learns things. Oh, and if your router supports STP, it'll probably eventually disable one of the ports.
@hans thanks. Mostly rhetorical questions...
Why do eeros have to be connected via mesh if they are already connected via Ethernet? Seems like that is unnecessary.
Why didn’t eero make this clear for many years? Even their support folks didn’t know it. That made me give up on eero for good.
Just curious if a network switch is necessary for running the FWP with my eero pro 6 mesh system
Just to be 100% clear, the following diagram is correct for EERO, isn't it?