Firewalla Gold is optimized for use in Router Mode.
If you already have a router or multiple routers, we highly recommend that you turn off the routing function on your Wi-Fi router. Most routers call this Bridge or AP mode. When you turn this on, your router can be used as an additional Wi-Fi access point connected to Firewalla Gold's LAN port. This also avoids double NAT in your network.
This can significantly increase your existing router's Wi-Fi performance because your router can spend all its resources on Wi-Fi, and Firewalla will do all the routing and filtering.
Here are some examples of how this is configured on popular routers. If your router is not on this list, please refer to your router's manual.
-
Netgear
Official Guide: https://kb.netgear.com/31218/How-do-I-configure-my-Orbi-router-to-act-as-an-access-point
1) Login to your Netgear router. 2) Navigate to "Advanced" > "Advanced Setup" > "Router/AP/Bridge Mode". 3) Choose "AP Mode". 4) Apply.
-
Ubiquiti
Official Guide: https://help.amplifi.com/hc/en-us/articles/220979347-Enabling-Bridge-Mode
1) Login to your Ubiquiti router. 2) Navigate to "Internet" > "Router Mode" sub-header. 3) Toggle on "Bridge Mode". 4) Save and confirm.
-
Asus
Official Guide: https://www.asus.com/us/support/FAQ/1015009/
1) Login to your Asus router. 2) Navigate to "Administration" > "Operation Mode". 3) Select "Access Point(AP) Mode". 4) Save.
-
Linksys
Official Guide: https://www.linksys.com/support-article?articleNum=49453
1) Login to your Linksys router. 2) Navigate to "Advanced Settings" > "Internet Settings" > "Connection Type". 3) Change to "Bridge Mode". 4) Save.
-
eero
Official Guide: https://support.eero.com/hc/en-us/articles/208276903-How-do-I-bridge-my-eeros-
In this configuration, your eeros will be placed in bridge mode behind your Firewalla. The first eero must be directly after Firewalla and is known as the gateway eero, even though it is not a router in this scenario. All other eero units that are part of the same mesh need to be behind the gateway eero. So the topology has to be:
Firewalla -> gateway eero -> switch => other eero units
Otherwise, it will cause a network loop and degrade performance dramatically. Here are diagrams to help visualize common configurations. There's a good technical explanation on Reddit by eero devs about why this is.
If you had eero set up in router mode with Eero profiles configured, some users reported better results if they deleted all Groups on eero before moving to Bridge mode.
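The eero cabling rule above can be checked mechanically before you plug anything in. This is an added example, not Firewalla or eero code; the device names and link lists are constructed, and it models wired links only (wireless-only eeros have no links and always pass).

```python
from collections import deque

def check_eero_topology(links, firewalla, gateway, eeros):
    """Return a list of wiring problems; an empty list means the layout follows
    Firewalla -> gateway eero -> switch => other eero units."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    problems = []
    # Rule 1: the gateway eero sits directly after Firewalla.
    if gateway not in adj.get(firewalla, set()):
        problems.append(f"{gateway} is not cabled directly to {firewalla}")
    # Rule 2: walk the wired graph from Firewalla with the gateway eero removed.
    # Any eero still reachable has a wired path that bypasses the gateway.
    seen, queue = {firewalla}, deque([firewalla])
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt != gateway and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    for eero in sorted(eeros):
        if eero != gateway and eero in seen:
            problems.append(
                f"{eero} has a wired path to {firewalla} that bypasses {gateway}")
    return problems

EEROS = {"eero-gw", "eero-2", "eero-3"}  # constructed device names

# Constructed layouts: the recommended one, and two that break the rule.
GOOD = [("firewalla", "eero-gw"), ("eero-gw", "switch"),
        ("switch", "eero-2"), ("switch", "eero-3"), ("switch", "tv")]
SWITCH_FIRST = [("firewalla", "switch"), ("switch", "eero-gw"),
                ("switch", "eero-2")]
TWO_LAN_PORTS = [("firewalla", "eero-gw"), ("firewalla", "eero-2")]

if __name__ == "__main__":
    for name, links in [("GOOD", GOOD), ("SWITCH_FIRST", SWITCH_FIRST),
                        ("TWO_LAN_PORTS", TWO_LAN_PORTS)]:
        issues = check_eero_topology(links, "firewalla", "eero-gw", EEROS)
        print(name, "->", issues or "ok")
```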
-
DD-WRT
Official DD-WRT Guide: https://wiki.dd-wrt.com/wiki/index.php/Wireless_access_point
-
OpenWrt
Official OpenWrt Guide: https://openwrt.org/docs/guide-user/network/wifi/dumbap
-
DLink
Official Dlink Guide: http://forums.dlink.com/index.php?topic=65327.0
-
Google
Our Detailed Guide: https://help.firewalla.com/hc/en-us/articles/360048869274-Firewalla-Gold-Tutorial-Google-Wifi-Mesh-network-with-Gold-Beta-
Tips for Pros
@Spblhedeam sent us this link. It seems that on some routers, using the LAN port (instead of the WAN port) may increase performance. https://community.netgear.com/t5/Nighthawk-WiFi-Routers/WAN-OR-LAN-Port-for-Access-Point/m-p/1066752#M29745
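To confirm that switching the old router to Bridge/AP mode removed the double NAT mentioned at the top of this article, you can look at the first hops of a `traceroute -n` run from a client. This is an added example, not Firewalla code; the two traces are constructed, and the check is a heuristic (an ISP or a layer-3 switch that uses RFC 1918 addresses can also produce two private hops).

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Matches "<hop number> <IPv4>" at the start of a `traceroute -n` output line.
HOP_RE = re.compile(r"^\s*\d+\s+(\d{1,3}(?:\.\d{1,3}){3})\b")

def leading_private_hops(traceroute_text):
    """Return the RFC 1918 hop addresses seen before the first other hop."""
    hops = []
    for line in traceroute_text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header line or a "* * *" timeout
        addr = ipaddress.ip_address(m.group(1))
        if not any(addr in net for net in RFC1918):
            break  # left the home network
        hops.append(str(addr))
    return hops

def assess(traceroute_text):
    """Two or more private routers in a row suggests a second NAT layer."""
    hops = leading_private_hops(traceroute_text)
    if len(hops) >= 2:
        return "double NAT likely: " + " -> ".join(hops)
    return "no double NAT seen"

# Constructed output: old Wi-Fi router still routing behind another router.
DOUBLE_NAT_TRACE = """traceroute to 198.51.100.7 (198.51.100.7), 30 hops max
 1  192.168.10.1  0.412 ms  0.380 ms  0.351 ms
 2  192.168.1.1  1.102 ms  1.050 ms  1.021 ms
 3  203.0.113.1  8.310 ms  8.287 ms  8.244 ms
 4  198.51.100.7  9.870 ms  9.851 ms  9.822 ms
"""

# Constructed output: Wi-Fi router in AP mode, a single router on the path.
BRIDGED_TRACE = """traceroute to 198.51.100.7 (198.51.100.7), 30 hops max
 1  192.168.10.1  0.398 ms  0.371 ms  0.344 ms
 2  203.0.113.1  8.120 ms  8.101 ms  8.066 ms
 3  198.51.100.7  9.640 ms  9.612 ms  9.590 ms
"""

if __name__ == "__main__":
    print(assess(DOUBLE_NAT_TRACE))
    print(assess(BRIDGED_TRACE))
```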
Comments
Currently (August 2020) the Ubiquiti USG 3P has no 'bridge mode' functionality exposed through the Unifi UI (I own one and could not find any such UI element). The Amplifi Alien does support this (based on link in the article) but the Dream Machine & Dream Machine Pro seem not to support this mode from the UI either. I do not own the Alien, DM, or DM Pro.
https://community.ui.com/questions/Ubiquiti-Dream-Machine-Pro-bridge-mode/5dc395d5-6d61-463c-9591-42242ef3dbef
In addition, these are the steps that worked for me from Firewalla Support.
Here is the recommended sequence:
At first I could not get an internet connection. After trial and error I went to the Network setting in the Firewalla app, clicked on Edit, chose the WAN configuration, and changed the Connection Type from Static to DHCP. As soon as I did this, then devices in my network started to pick up new IP addresses that are preconfigured in the LAN network configuration.
If anyone's interested in the long explanation for why eeros need to be configured as indicated above, here it is, from the horse's mouth:
I designed it. It's not supposed to be used that way, and the results will be unpredictable.
eero is a software-defined network based on a heterogeneous backplane constructed from 802.11 and 802.3 links. Given this, we are trying to build a switch with every ethernet port and every wireless access point vdev as member ports.
The problem with this is that in any given network where two eeros are connected by a piece of ethernet cable, they're also connected by the mesh. As I say, each radio on each eero has a virtual device which we call an AP- it's the thing a wireless client connects to. We call those "ports", just like the ethernet ports on an eero.
The problem is that frames coming into those ports have to be delivered to their destinations in a locally consistent way, or non-mesh devices will become very confused.
Frames have to arrive in the same order they were sent, they all have to transit any piece of ethernet in the topology in the same direction every time, and if there is an ethernet path, even if for only part of the topology, we want to use it, because ethernet doesn't consume airtime. The mesh does not guarantee deterministic delivery of frames, but ethernet absolutely requires it.
This is extra specially complicated because while our mesh frames have six addresses and a time-to-live counter and can be trusted not to go in circles, ethernet frames only have two addresses- a source and a destination. Wireless AP frames from non-mesh clients only have three, one of which is just the network address and isn't useful.
So if an eero sees an ethernet frame, it needs to know whether it should inject it into the mesh or not, but the information it needs isn't present in the frame. Each ethernet segment needs to see each frame once and only once, and it needs to approach that segment from the same port onto that segment, or switches will mislearn the location of those clients.
We have an algorithm we invented called STAMP which solves this problem by building a table of segments and their intersections, and modifying the forwarding rules at each intersection to give every client a locally consistent view of the network that looks just like ethernet.
Unfortunately, if two eeros are both connected to an upstream router of some kind... STAMP can't work properly. The two eeros might both be responsible for injecting frames into their segments, or neither of them might be. The upstream device might choose to deliver the frame on one port, or neither. It doesn't support STAMP, so it can't participate in the STAMP algorithm, and delivery vectors will be formally unpredictable.
They have no way to figure this out unless there's an eero at the root of the topology.
So yes, you shouldn't do this. It might work, it might stop working. It'll be random and flakey. When you reboot some part of your network, it may stop working, or some clients may randomly stop being able to see other clients. It'll depend entirely on the arrival order of frames when the switch inside your router learns things. Oh, and if your router supports STP, it'll probably eventually disable one of the ports.
@hans thanks. Mostly rhetorical questions...
Why do eeros have to be connected via mesh if they are already connected via Ethernet? Seems like that is unnecessary.
Why didn’t eero make this clear for many years? Even their support folks didn’t know it. That made me give up on eero for good.
Just curious if a network switch is necessary for running the FWP with my eero pro 6 mesh system
Just to be 100% clear, the following diagram is correct for EERO, isn't it?
This article uses the term "router" in the less technical sense to mean a device that is a true router, plus a switch, plus an AP (wifi access point). Putting the "router" in AP/Bridge mode essentially bypasses the router (of the "router") leaving the switch and AP intact. My current configuration has my firewire in router mode connected to a switch and then connected to APs, wired devices and another switch .... This is a standard hub and spoke topology. I don't need to put anything in Bridge/AP mode because the firewalla is the only router in my system and the only DHCP server.
I have Rogers Ignite Cable internet currently in bridge mode, connected to the WAN port on eeros main device providing DHCP at the moment. Then from the 2nd port on the main eeros, its connected to my unmanaged 4 port switch, which has my smart tv, PS5, and cable IPTV services. I have 2 other eeros on the mesh on the same floor in 2 other rooms.
This article mentions to have the main eeros right after the firewalla device. Can I then connect the switch to the other available port on eeros for my other devices and will they be behind the firewalla?
Something like this:
@Ray
Yes, you can put a switch on the second port on Eero. That's fine.