- This article also applies to the Nest Wifi.
- To configure Google or Nest Wifi with Blue series boxes, see Setup Guide: Mesh Routers Simple and DHCP modes.
- To configure Google or Nest Wifi with Purple series boxes, see Google Wifi or Nest Wifi Mesh network with Purple (Beta).
The best way to set up a mesh network with Firewalla Gold series boxes in router mode is to configure the mesh network in AP Mode/Bridge Mode.
If you just have one Google Wifi unit, you can turn on bridging mode and attach it to the Firewalla Gold LAN port.
However, the Google Wifi mesh network doesn't support AP Mode or Bridge Mode when the mesh is enabled. This tutorial provides a workaround. The workaround is NOT perfect; if you have any issues, please let us know. You can also help convince Google/Nest to support "AP mode", which is the best solution.
If you don't want to use up all your ports on Firewalla Gold, you can also set up the Google Wifi mesh network with VLANs as shown here for Firewalla Purple. Note that this requires a managed switch.
There are two recommended solutions for using Google Wifi with Firewalla.
Solution 1: Wireless Backhaul
Use this configuration when you cannot connect the Points to the Google Wifi Router with Ethernet. Solution 2 is preferable when you have a choice.
There will be three network subnets created:
- Google Wifi LAN, managed by Google Wifi. This subnet is only used for Google points (satellites) (e.g. 192.168.86.0/24).
- Gold - Port 3, managed by Gold. This subnet is only used for Google Wifi's WAN IP (e.g. 192.168.200.0/30).
- Gold - Port 2, managed by Gold. This subnet is used for the remaining Wifi devices (e.g. 192.168.210.0/24).
Solution 2: Wired Backhaul
Use this configuration when you can connect the Points to the Google Wifi Router with Ethernet. This is the preferred option.
Network configuration steps remain the same.
ISP -> Gold Port 4
Gold Port 3 -> WAN port of the Primary Unit
Gold Port 2 -> Your Switch -> LAN port of the Primary Unit
                           -> WAN port of the Point (satellite)
                           -> Other devices
The idea is that the LAN port of the Primary Unit and the WAN port of the Point (satellite) are in one Ethernet network (for subnet 192.168.86.1/24), while the other devices and Gold Port 2 are in another Ethernet network (for subnet 192.168.210.1/24). Both subnets share the same physical Ethernet network. Wi-Fi clients that need an IP will ask Google Wifi for one, but there will be none for it to give, so the request will go upstream to the Firewalla DHCP server.
Configuration:
Step 1: Set up Local Networks in Gold
- Make sure Firewalla Gold is running in Router Mode. (See Mode in the Firewalla app.)
- Create a dedicated local network on Port 3. (e.g. start IP 192.168.200.0 end IP 192.168.200.3)
- Create another local network on Port 2. This network can include Port 1 if you like or be separate. (e.g. 192.168.210.1/24). However, Port 2 and Port 3 must be configured for different local networks.
Note:
1. Here is the tutorial on how to manage networks on Gold.
2. We'll use the subnets above as an example in this guide.
Do not connect Firewalla port 2 to the switch at this time.
Step 2: Set up a Google Wifi Mesh network with a limited DHCP address range
- Connect the WAN port of the Google Wifi primary unit to FWG's Port 3, then follow the official guide to set up the Google Wifi primary device. Double-check that the WAN IP of Google Wifi is under 192.168.200.1/30 (between 192.168.200.0-192.168.200.3). Once the Google primary unit is running, you should see the Google router appear as a device in Gold. If you are using New Device Quarantine, make sure the Google Wifi isn't quarantined.
- In the Google app, configure the DHCP address range in the Google Wifi primary unit so that the number of available IP addresses is N (N = number of additional Wifi points).
For example, to allow two Wifi Points in the Google Wifi mesh network, you can set the DHCP address range as 192.168.86.2-192.168.86.3; for three Wifi Points use 192.168.86.2-192.168.86.4.
- Set up Google Wifi Mesh network by adding additional Google Wifi points one by one, and verify that they get IP addresses within the range of what's reserved in step 2.
If you are setting up with Solution 2, connect the LAN port of the Google Wifi primary unit (Router) and the WAN port of additional Google Wifi Points to the switch. As you connect them, you should see the Google Wifi satellites appear in the Google router.
Note: We recommend not connecting any other devices to the Google Wifi network while setting up the limited DHCP address range. Otherwise, IP addresses in the pool that are meant for the Google Wifi Points may be assigned to those other devices.
Unfortunately, Google Wifi and Nest Wifi do not allow IP reservations for the Points, which would ensure that they don't create conflicts or get IPs from Firewalla. However, users of these APs report that usually once the router gives them an IP they tend to be "sticky" for a long time. A power cycle shouldn't cause a Point to get a new IP, but a factory reset (and subsequent setup) quite likely will. So in most cases, it shouldn't be a problem if you add one Point/Puck at a time and limit the IP range to be just big enough. Once you know whether the units you have require one or two IPs and allow for that, this workaround should not allow other devices to get IPs from the Google/Nest router.
- Sometimes one Google Wifi Point may have two MAC addresses, so you may need to reserve more IP addresses as needed. Just be sure the number of addresses you allow doesn't exceed what is needed for the Google or Nest Wifi.
Step 3: Use DHCP from Gold for devices in the wireless mesh network
- For solution 1: Connect the LAN port on the Google Wifi primary unit to Port 2 on Firewalla Gold.
- For solution 2: Connect the switch to Port 2 on Firewalla Gold.
Now, any device connecting to the Google Wifi network should be able to get an IP address from Gold. In this example, they should get IP addresses under 192.168.210.0/24.
Step 4: Configure Gold to not allocate IP for Google Wifi Points (satellites)
Google Wifi points may accidentally get IP addresses from Gold if the DHCP allocation from Google Wifi expires. This may break the mesh setup. When this happens:
- The Firewalla app will get a New Device Alarm on Google Wifi points.
- Find the Wifi point devices in the Firewalla app (usually, the name is Google, Inc. and the IP address is under 192.168.210.0/24)
- For each Wifi point device, tap on "IP Address", and select "Do not allocate". This only needs to be done once.
- Reboot Wifi point to get an IP from the Google Wifi primary unit.
Important: Never set "Do not allocate" for the Google Wifi primary unit, otherwise the whole Google Wifi mesh will lose the internet.
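The checks in Steps 1, 2 and 4 can be run against a device list. The following Python sketch is an added example, not part of the Firewalla guide or app: it audits an inventory against this guide's example addressing plan and flags Points that took a lease from Gold and clients that took a lease from the Google Wifi pool. The dictionary layout, role labels and device entries are constructed for illustration.

```python
import ipaddress

# Addressing plan from this guide's example. The dict layout is an assumption.
PLAN = {
    "port3_net": "192.168.200.0/30",   # Gold Port 3 <-> Google Wifi WAN
    "port2_net": "192.168.210.0/24",   # Gold Port 2: every other device
    "google_lan": "192.168.86.0/24",   # Google Wifi LAN: Points only
    "pool": ("192.168.86.2", "192.168.86.3"),  # restricted Google DHCP range
    "points": 2,
    "ips_per_point": 1,                # some Points need 2 (two MAC addresses)
}

# Constructed inventory (names and addresses are made up for the example).
DEVICES = [
    {"name": "primary-wan", "role": "primary", "ip": "192.168.200.2"},
    {"name": "point-1", "role": "point", "ip": "192.168.86.2"},
    {"name": "point-2", "role": "point", "ip": "192.168.210.57"},
    {"name": "phone", "role": "client", "ip": "192.168.86.3"},
    {"name": "laptop", "role": "client", "ip": "192.168.210.20"},
]


def pool_size(pool):
    """Number of addresses in an inclusive (start, end) DHCP range."""
    start, end = (int(ipaddress.ip_address(a)) for a in pool)
    if end < start:
        raise ValueError("pool end is below pool start")
    return end - start + 1


def audit(plan, devices):
    """Return (subject, message) findings for the plan and each device."""
    findings = []
    keys = ("port3_net", "port2_net", "google_lan")
    nets = {k: ipaddress.ip_network(plan[k]) for k in keys}
    lo, hi = (ipaddress.ip_address(a) for a in plan["pool"])

    # Step 1: the three subnets must be distinct.
    for i, a in enumerate(keys):
        for b in keys[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(("plan", f"{a} overlaps {b}"))
    # Step 2: the pool sits in the Google LAN and holds only the leases needed.
    if lo not in nets["google_lan"] or hi not in nets["google_lan"]:
        findings.append(("plan", "pool is outside google_lan"))
    spare = pool_size(plan["pool"]) - plan["points"] * plan["ips_per_point"]
    if spare > 0:
        findings.append(("plan", f"{spare} spare lease(s) a client could take"))
    elif spare < 0:
        findings.append(("plan", f"pool is {-spare} lease(s) short for the Points"))

    for d in devices:
        ip = ipaddress.ip_address(d["ip"])
        if d["role"] == "primary":
            if ip not in nets["port3_net"]:
                findings.append((d["name"], "primary WAN IP is not on Port 3"))
        elif d["role"] == "point":
            if ip in nets["port2_net"]:
                # Step 4: the Point took a lease from Gold instead of Google Wifi.
                findings.append((d["name"],
                                 "leased by Gold: set 'Do not allocate', reboot the Point"))
            elif not lo <= ip <= hi:
                findings.append((d["name"], "Point is outside the restricted pool"))
        elif ip in nets["google_lan"]:
            findings.append((d["name"],
                             "client holds a Google Wifi lease meant for a Point"))
        elif ip not in nets["port2_net"]:
            findings.append((d["name"], "client is not on the Port 2 network"))
    return findings


if __name__ == "__main__":
    for subject, message in audit(PLAN, DEVICES):
        print(f"{subject}: {message}")
```
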
Comments
49 comments
This guide worked well for me, but one thing to note:
Using the Google Home App to add the router and points requires the mobile device to ALSO connect to the same WiFi network; I had to set aside some additional IP's to get the access points added to the mesh.
A separate question I have: where can I add a switch in this setup for my other devices that also need to be on the same network?
How stable is this setup? I'm considering the Gold and currently running Google WiFi. I may end up going with different access points in the future but was hoping to run the Gold along with Google WiFi for a period.
There are a few people using it, should be usable. If you are going to a new mesh, avoid google/nest wifi, it is probably the only mesh out there that refuses to support AP or bridge mode.
I must have done something wrong ... My entire wifi went down .... Tutorials like this ... If they are done using video ... That would be much easier...
We could probably debate that for weeks. :) I can tell you what I went with and why.
I went with the TP-Link Deco X60 (Three pack.)
They are super easy to configure, support WiFi-6, support ethernet backhaul, and were relatively inexpensive.
I directly wired each one to a port on the Firewalla and then created a single network for all of them.
My Nest WiFi Pros (3) reset this evening (for whatever reason, an update maybe?) and to my dismay one of the mesh pucks wouldn't connect.
After some troubleshooting it looks like some speakers are now Thread border routers and they're trying to take up the DHCP spots normally used by my mesh pucks.
Some background: I have all my devices (80+) using FW static IPs (except the WiFi half of the mesh pucks, those are getting 192.168.86.x DHCP addresses from the primary Nest WiFi) which has proven rock solid with performance and no loss of functionality (VPN, DNS, Family Protect, the various blocks, etc.). I even went so far as to manually rename all the devices in Google Home WiFi so I could set up groups and rules there as well (e.g. timers for kids' devices) since they were all generic names which makes configuring groups in the WiFi Pro config impossible. When I got my FW I struggled with the instructions in OP but after sleeping on it I came up with an idea similar to some of the above posts - using temp password to isolate just the Nest WiFis to isolate and name appropriately to easily find them on a temp IP block, return the WiFi password to what all my devices are expecting then renaming and assigning static IPs to everything. Once every device has its static IP, change IP block in Nest WiFi Pro back to 192.168.210.1 (this forces all those DHCP addresses to reset - no need to wait for them to time out) then wrap up the instructions from the OP. After I put in the sweat to rename and assign static IPs (I already had a spreadsheet which I used prior to the FW which included MACs and desired last octets, so this helped immensely), I haven't had to touch a thing.
OK, I thought, no problem - I'll just assign a static IP and add it to my spreadsheet. Only problem is, for the first border router, that MAC address is already assigned (and weirdly, is actually using) a static IP in FW. BUT, in the Nest WiFi devices list, I uncovered 2 devices with the same MAC address -- the first was "--" (this is the FW static IP which doesn't show up in the WiFi Pro device list), but the 2nd was taking up a 192.168.86.x IP address assigned by the WiFi Pro DHCP. I couldn't for the life of me figure out if it was even possible to force a 2nd IP to that MAC address (I know next to nothing about Thread), so I gave up and opened up a few more DHCP addresses in the Nest WiFi Pro config and immediately my pucks came online.
The end result is: my pucks are back on the WiFi DHCP along with the Thread border routers. The remainder of my FW and Nest Wifi config remain the same and after a few hours of testing, all appears to be back to how it was prior to the issue happening this evening. Solid speed, functionality appears to be untouched, etc.
I figured I'd drop this here in case someone else is in the same boat and misses any border routers taking up their restricted/limited WiFi DHCP addresses. Honestly, I'm not even sure how I caught it in the first place but that was the turning point for me to track down what was going on.
You're welcome. Guess I'm a glutton for yelling by my family. The many different possibilities I had dancing in my head, but still was thinking logically through the original setup on the article. Just to test the original write up again, I changed the network settings on the Firewalla Gold to the tee of the original article, it worked, but not stable. After doing some packet capture and looking through the captures, it appears that there seems to be some network flapping on the GW. It was getting confused once you set Do Not Assign. With the actual IP being assigned by the wireless LAN which we forced to Firewalla DHCP, Firewalla was not assigning the IP. The LAN of the Points, two of the Points were getting the x.x.86.x IP. One was still tied to a x.x.210.x IP. And kept dropping. So here is what worked, set up everything like the original article. Only caveat is that when the Points pick up a x.x.210.x don't select "Do Not Assign". Instead choose Reserve the IPs. This will be the LAN side. Restart the main GW router. Wait until it comes up. Test the connection. You should still have access via the Google WiFi app to the other Points. Go to each one, and make sure their LAN IPs are set to the one you want, in the original article, it's x.x.86.x. For the Points that are not, restart them. Once they come up, it should pull the right LAN IP. If not it should still communicate. Go to the GW app and go to the AP that you are working on, do a Move Point and go through the motions. It should pick up an IP from the right scope. Repeat for the other ones. Now that you have all of the GW mesh up, go back to the GW app and do a reboot on all Points including the router. Wait until they come up, and if all the stars align, everything should work. The only caveat to this is, if you have a Guest wifi turned on, GW will automatically assign a separate VLAN which you can't control or change.
Which stinks meaning you have to put all your stuff that you want to monitor in the LAN of GW. Those that you don't want to monitor and separate from internal LAN, you throw them onto the Guest, but makes me a bit nervous because still traverse on the same connection. Probably more secure if I disable the Guest network and set up a cheap wireless WiFi 6 Router and use the other port on Firewalla to separate the connection for Guest.
Hopefully this helps so that you guys don't have to waste your GW or Nest investment. It's a pain, but would be cool if one day, Firewalla can make a combination box that is also a TAP/packet broker with enhance capabilities. If not, there is always the RPI route. Cheers everyone.
Hopefully this will help. Here is my setup and it works flawlessly. I followed the instructions above and the physical connection are exact.
So before you do the physical connection, on the Google WiFi go into the LAN settings, make sure it's on a different IP schema, e.g. 172.x.x.x or 10.x.x.x. Now restart all your Google WiFi mesh, e.g. router and points. Once they come up, make sure all of them are pulling the new IP schema. Now configure your Firewalla exact to the instructions in the article, but skip the step of configuring your Google WiFi to 192.168.86.x. Now power down all your Google WiFis so that nothing is connecting to any of them. Now do the physical connection like the diagram. In your Firewalla, delete any devices that it discovered, except for the Firewalla. Now power up the Google WiFi. You should start seeing devices connecting to it, but instead of pulling the IP from Google WiFi it will pull an IP from Firewalla. You should now see devices populate into Firewalla. Some devices won't show up for a couple of minutes or an hour. You will see Google WiFi point pull from 192.168.200.x which is fine, but all your other devices non-Google WiFi will pull from the 192.168.210.x IP scope.
Hope that helps you guys and the network setup is very stable. I rebooted everything several times and everything connected back up with no issues. I tested the blocks using the Firewalla policies, and it worked with no issues. Only thing that this setup will not work with is the VPN, but may have an idea of how to fix that (will update once I get that working).
Hope this helps.
Unfortunately during my set up I had to allow a wider range of ip addresses for my Google wifi pucks than there were pucks (absolutely could not get it running otherwise). Now my android phones seem to get assigned ip addresses within the 192.168.86.x range and while they show up on firewalla app, all of the monitoring and blocking features fail to work properly. Any suggestions?
I have TP-Link Omada and purchased the Firewalla Gold. My problem is that the Omada router doesn't have any bridge mode so I can't put the Firewalla between my ISP and Omada router.
I tried to set up the Firewalla using the other option available to put the Firewalla between my main switch and the Omada Router (Firewalla in bridge mode). Now the issue is I can't do any port forwarding because when I open it on my router, the Firewalla blocks it and doesn't support port forwarding in bridge mode.
Has anyone managed to set up Firewalla and an Omada router and use the full capability of Firewalla?
As I got this working I thought I’d share some tips (still please give us layer 2 🔥!)
-> you don’t need to factory reset your google WiFi <-
- make sure you have cellular data signal on your phone
- use google home app
1) prepare your firewalla gold by configuring the subnets as per tutorial. Do it with all its lan ports disconnected via Bluetooth . Prepare enough Ethernet patch cables for the firewalla connections. Do not connect them now
2) disconnect all your Ethernet connected devices BUT leave any secondary google WiFi router you may have connected
3) change the WiFi password to something else temporary - make sure you have cellular signal on your phone
4) you should now be connected via cellular to your home network and see no other device connected. All your WiFi points and routers should be connected. If yes to both continue to 5) else troubleshoot
5) change your google WiFi dhcp subnet and pool. I used 10.0.0.x . Allow space in the pool for 1 IP address for the main router (10.0.0.1), one IP per each Wi-Fi point and for any secondary router
6) verify all your mesh nodes are back online
7) time to connect your firewalla - plug all its eth ports as per tutorial
8) restore your WiFi password to what it was originally
No, it has bridge mode for a single point but no AP mode or bridged mode for mesh.
The guide does work for the new Nest Wifi Pro however as another user mentioned I had to add an extra few addresses in the google wan dhcp scope to get all 3 points meshed together. After that it worked fine after the last 2 steps were completed
Hi, any word if the new Nest Wifi Pro will allow it to be set up in AP mode?
@ Michael Marrah... in my setup I do not use DHCP on the switch as firewalla has to serve as the DHCP server for all devices to track them. Hopefully you figured this out in the last four months:-) (noting for future readers).
Should DHCP service on the switch be enabled?
@Michael, the problem with Google / Nest Wifi is, it does NOT do access point or bridge mode when in mesh, this is a limitation on the google side. It has nothing to do with Firewalla. All the major mesh (orbi, eero, velop ... ) have true bridge/AP mode when in a mesh. Google is the only one that supports bridge only on one unit, not a mesh.
What you see here is just a way for us to get around that problem, until Google starts to support bridge mode in mesh. Feel free to post to their forums and maybe they will listen to customers like we do :)
Now that bridge mode is available (in beta) would it work If we setup the network as in Solution 2 , and we set the Gold in bridge mode?
the idea is :
- Google main AP gets WAN IP from ISP modem
- Firewalla Gold gets IP from Google main AP
- all devices get IPs from Google main AP
- all traffic is still routed through Gold as Google main AP WAN is connected to Gold as per Solution 2 diagram.
And if I wanted to have 2 ISPs used (e.g., xfinity and ATT fiber), the ISP can be connected to Port 1?
@Pejman
Can you double check with TP-Link again? They are pretty good with AP/Bridge mode support. I have not heard of any router of theirs not supporting it (AP mode or bridge mode).
Hi,
Thanks for your prompt reply. TP-Link supports all that when it is not being managed via Omada SDN. Once you use an Omada controller to control all the TP-Link devices in the network, then I don't see any functionality for putting the TP-Link gateway into bridge mode.
Thanks for this guide. I followed this setup at home and it worked OK.
Update: Since installing I still was finding some inconsistencies in the network performance. I decided to change to Eero and placed in Bridge mode. This has been flawless and solved any issue I had on the network previously.
@Ncdoty, did you get this resolved?
I have Google Wifi, which is more temperamental than the kids at home.
I am thinking of replacing ISP Router (Eero) with a Firewalla.
Thanks
I followed this tutorial, starting with just accounting for 1 IP address per point (not including the "router"/Google base station plugged into the Firewalla Gold). This was enough for 2 of the 3 points I tried to add but the third one would not connect. I looked at the IP assigned to each one and realized they were off by 2 from each other, and then remembered the comment in the article about allowing multiple IPs per device. So I went to 2 per point and everything went smoothly from there. Now everything is working well. Keep in mind I had to reset the entire Google network to factory settings because they are apparently terrible at forgetting IP addresses.
So long story short, I followed this article using Solution 1 (wireless backhaul) and allowing 2 IPs per point. I bought a 4-pack of Google G6ZUC and so I gave it a range of X.X.86.20 to X.X.86.25 for 6 total IP addresses. Then I connected the LAN port on the Google "router"/base station to the LAN port on the Firewalla Gold.
After that, the first device I connected to the new wifi was assigned an IP from the Firewalla LAN network and I have since reconnected all my devices to the new network and they have all gotten IP addresses from Firewalla. I can monitor traffic from each and block/unblock as normal.
Thank you for the excellent article. I can confirm that G6ZUC needs 2 IP addresses per point (not including "router").
I'm trying to set up my Firewalla gold with Google Wifi. When I try to add the first google wifi router, and try to set it up in Google Home app, it tells me the device has no internet connection. Is Firewalla blocking it? I tried to hook something up to lan port 3 just to see if it got connection, and it did not. When i did a speed test with Firewalla, it was clearly getting a connection. I don't understand why there doesn't seem to be connectivity to Port 3 to set up the google wifi. Is the unit faulty?
Did you configure LAN Port 3 as part of your LAN? Tap on the network manager and make sure it can DHCP
Initially could not get it to work. Taking each step in sequence and restarting the wifi network at each step was the key to success.
Steps.
Router LAN IP to 10.0.0.1 Subnet Mask 255.255.255.0 DHCP Pool Start 10.0.0.2 End 10.0.0.5
(Tried to have the Pool End being 10.0.0.3 but my 3rd Google Puck could not obtain an IP and therefore connect to mesh)
5. Restarted Mesh network and confirmed that each Google device had an IP of 10.x…
6. Followed the diagram for Port 3 only to make sure the Firewalla was part of the network and Mesh network integrated.
7. Followed with Port 2 integration.
Note: Firewalla will discover the Mesh Network LAN connection but will not assign an IP to them. In my case it discovered it for Port 2 connection and later for NAS. (Ignore them)
8. Finally once the network is stable change the SSID and Password back to original
Works great.
Firewalla handles all of the DHCP workload.
Did anyone have issues with not being able to run a speed test with the gfilber app? Also I have seen the extender and main coming up from the other port that google fiber I set up for no IP but not clear why it would show up.
Guide: Assigning Consecutive IP Addresses to Google/Nest Wifi APs with Firewalla Gold
This guide is for anyone trying to get their Google or Nest Wifi mesh access points (APs) to receive consecutive IP addresses when using Firewalla Gold in Router Mode. After many failed attempts, this method worked for me using a 6-puck setup.
Problem
The APs often receive non-consecutive IP addresses.
Setting a restricted DHCP range too early can cause setup failures in the Google Home app.
This guide addresses these issues, especially during Step 2 of the Firewalla + Google Wifi integration tutorial.
Step-by-Step Instructions
1. Set up a temporary Google Wifi network
Use the Google Home app to set up your primary Google Wifi router.
Choose a temporary SSID and password (you can switch back to your original network settings later).
Don’t restrict the DHCP range or worry about IP assignments at this stage.
2. Add all mesh points (APs)
Add each additional Google/Nest Wifi puck through the Google Home app.
Do not restrict the DHCP range yet — setup needs extra IPs for temporary connections, including your phone.
Example: For 6 APs, I used a DHCP range 192.168.86.20 – 192.168.86.40.
3. Identify the assigned IPs
After all mesh points are installed, open the Google Home app and record the IP address of each AP.
You’ll likely find that the IPs are not consecutive, with some numbers skipped.
4. Adjust the DHCP range
Once setup is complete and all APs are online, go to your Google Wifi DHCP settings and narrow the range.
The new range should:
Be just large enough to include all APs + one extra IP (usually for your phone).
Be in a different part of the subnet, not overlapping with previously assigned IPs.
Example: For 6 APs, I used 192.168.86.201 – 192.168.86.206.
The primary puck will remain at 192.168.86.1, while the other 5 should shift into the new range.
5. Reboot the mesh network
Restart the primary Google/Nest Wifi router and all connected mesh points.
After rebooting, the APs should request new IP addresses from the restricted range and receive consecutive assignments.
6. Remove the unused IP
One IP in the restricted range may not be used (Hopefully the first or last).
Remove this IP from the DHCP range.
Tips
Don’t restrict the DHCP range during setup—this can cause the Google Home app to fail when adding devices.
Only apply the DHCP restriction after all APs are installed and stable.
Be patient—this process will take time. Have a good book and plenty of coffee ready!
Great. Thanks for the info. Does it have a way to limit time of clients? For example, set a usage limit of 1 hour per day for a particular client device?
No, there is no double NAT ... This special trick turns the Google wifi (which doesn't want to be an AP) into an AP