The best way to set up a mesh network with Firewalla Gold in router mode is to configure the mesh network in AP Mode/Bridge Mode.
However, the Google Wifi mesh network doesn't support AP Mode or Bridge Mode when the mesh is enabled. This tutorial introduces a workaround. The workaround is NOT perfect; if you have any issues, please let us know. If you can, convincing Google/Nest to support AP mode is the best solution.
If you have just one Google Wifi unit, you can turn on bridging mode and attach it to the Firewalla Gold LAN port; there is no need to go through this guide.
Here is the proposed network connection:
There will be three network subnets created:
- Google Wifi LAN, managed by Google Wifi. This subnet is only used for Google satellites (e.g. 192.168.86.0/24).
- Gold - Port 3, managed by Gold. This subnet is only used for Google Wifi's WAN IP (e.g. 192.168.200.0/24).
- Gold - Port 2, managed by Gold. This subnet is used for the remaining Wifi devices (e.g. 192.168.210.0/24).
Note: If you are using Ethernet backhaul, please refer to the other connection diagram. The network configuration steps remain the same.
Step 1: Set up Local Networks in Gold
- Make sure Firewalla Gold is running in Router Mode
- Create a dedicated local network on Port 3. (e.g. 192.168.200.1/24)
- Create another local network on Port 2. It can either be shared with Port 1 or dedicated. (e.g. 192.168.210.1/24). The basic requirement is Port 2 and Port 3 must be used for different local networks.
1. Here is the tutorial on how to manage networks on Gold
2. We'll use the subnets above as an example in the rest of this guide.
Step 2: Set up Google Wifi Mesh network with a limited DHCP address range
- Connect the WAN port of the Google Wifi primary unit to Port 3, then follow the official guide to set up the Google Wifi primary device. Double-check that the WAN IP of Google Wifi is under 192.168.200.1/24.
- Configure DHCP address range in Google Wifi primary unit so that the number of available IP addresses is N (N=number of additional Wifi points)
For example, to allow 2 more Wifi points in the Google Wifi mesh network, you can set the DHCP address range as 192.168.86.2~192.168.86.3.
- Set up Google Wifi Mesh network by adding additional Google Wifi points one by one, and verify that they get IP addresses in the given DHCP address range.
- Sometimes one Google Wifi point may have two MAC addresses, so you may need to reserve more IP addresses.
Note: It is highly recommended not to connect any other devices to the Google Wifi network while setting up the limited DHCP address range. An IP address in the pool that is meant for a Google Wifi point (satellite) may accidentally be assigned to another device, which eventually messes up the pool range.
Step 3: Use DHCP from Gold for devices in the wireless mesh network
- Connect the LAN port on Google Wifi primary unit to Port 2 on Firewalla Gold.
- Now any device connecting to the Google Wifi network should get an IP address allocated by Gold, under 192.168.210.0/24.
Step 4: Configure Gold to not allocate IP for Google Wifi points (satellites)
Google Wifi points may accidentally get IP addresses allocated by Gold if the DHCP allocation from Google Wifi expires. This may break the mesh setup. When this happens:
1. The Firewalla app will raise a New Device Alarm for the Google Wifi points.
2. Find the Wifi point devices in the Firewalla app (usually, the name is Google, Inc. and the IP address is under 192.168.210.0/24).
3. For each Wifi point device, tap on "IP Address" and select "Do not allocate". This only needs to be done once.
4. Reboot the Wifi point so that it gets an IP from the Google Wifi primary unit.
Important: Never set "Do not allocate" for the Google Wifi primary unit, otherwise the whole Google Wifi mesh will lose internet access.
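A sanity check for the address plan in Steps 1 to 4, added here as an example (it is not part of Firewalla's or Google's tooling). The function names, MAC addresses and lease table are made up for illustration; the lease table is assumed to be typed in by hand from the device list in the Firewalla app.

```python
import ipaddress

# Example subnets from this guide.
GOOGLE_LAN = ipaddress.ip_network("192.168.86.0/24")   # satellites only
PORT3_NET = ipaddress.ip_network("192.168.200.0/24")   # Google Wifi WAN IP
PORT2_NET = ipaddress.ip_network("192.168.210.0/24")   # all other Wifi devices

def check_plan(pool_start, pool_end, reserved, primary_wan_ip):
    """Return a list of problems with the address plan (empty list = OK).
    reserved = N satellites, plus extras for points showing two MAC addresses."""
    problems = []
    nets = [("Google Wifi LAN", GOOGLE_LAN), ("Port 3", PORT3_NET), ("Port 2", PORT2_NET)]
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} overlaps {name_b}")
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    if start not in GOOGLE_LAN or end not in GOOGLE_LAN or end < start:
        problems.append("DHCP pool is not a valid range inside the Google Wifi LAN")
    elif int(end) - int(start) + 1 != reserved:
        problems.append(f"DHCP pool holds {int(end) - int(start) + 1} addresses, need {reserved}")
    if ipaddress.ip_address(primary_wan_ip) not in PORT3_NET:
        problems.append("primary unit WAN IP is outside the Port 3 network")
    return problems

def satellites_on_gold(leases, satellite_macs, primary_mac):
    """MACs of satellites holding a Port 2 lease (the Step 4 failure case).
    The primary unit is always excluded: it must never be set to "Do not allocate"."""
    return sorted(
        mac for mac, ip in leases.items()
        if mac in satellite_macs and mac != primary_mac
        and ipaddress.ip_address(ip) in PORT2_NET
    )

if __name__ == "__main__":
    # Constructed sample data: MACs and leases are made up for illustration.
    leases = {"02:00:00:00:00:01": "192.168.210.23",   # satellite, wrong subnet
              "02:00:00:00:00:02": "192.168.86.3",     # satellite, correct
              "02:00:00:00:00:0a": "192.168.210.40"}   # ordinary client
    sats = {"02:00:00:00:00:01", "02:00:00:00:00:02"}
    print(check_plan("192.168.86.2", "192.168.86.3", 2, "192.168.200.15"))
    print(satellites_on_gold(leases, sats, primary_mac="02:00:00:00:00:ff"))
```

Any MAC returned by `satellites_on_gold` is a candidate for "Do not allocate" followed by a reboot of that Wifi point.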
Extras: If you are using Ethernet backhaul
Here is the proposed connection:
ISP -> Gold Port 4
Gold Port 3 -> WAN port of the Primary Unit
Gold Port 2 -> Your Switch -> LAN port of the Primary Unit
                           -> WAN port of the Satellites
                           -> Other devices
The main idea is that the LAN port of the Primary Unit and the WAN ports of the satellites are in the same Ethernet network (for subnet 192.168.86.1/24), and the other devices and Gold Port 2 are also in the same Ethernet network (for subnet 192.168.210.1/24). Both subnets use the same physical Ethernet network.