(This also applies to the Nest Wifi)
The best way to set up a mesh network with Firewalla Gold in router mode is to configure the mesh network in AP Mode/Bridge Mode.
If you just have one Google Wifi unit, you can turn on bridging mode and attach it to the Firewalla Gold LAN port. (no need to go through this)
However, the Google Wifi mesh network doesn't support AP Mode or Bridge mode (when the mesh is enabled). This tutorial introduces a workaround. This workaround is NOT perfect, if you have any issue, please do let us know. And if you can, convincing Google/Nest to support AP mode is the best solution.
If you don't want to use up all your ports on Firewalla Gold you can also set up the google wifi mesh network with VLANs as shown here for Firewalla Purple. This requires a managed switch.
There are two proposed network solutions:
There will be three network subnets created:
- Google Wifi LAN, managed by Google Wifi. This subnet is only used for Google satellites (e.g. 192.168.86.0/24).
- Gold - Port 3, managed by Gold. This subnet is only used for Google Wifi's WAN IP (e.g. 192.168.200.0/24).
- Gold - Port 2, managed by Gold. This subnet is used for the remaining Wifi devices (e.g. 192.168.210.0/24).
If you are doing ethernet backhaul, please refer to this connection. Network configuration steps remain the same.
ISP -> Gold Port 4
Gold Port 3 -> WAN port of the Primary Unit
Gold Port 2 -> Your Switch -> LAN port of the Primary Unit
-> WAN port of the Satellites
-> Other devices
The main idea is the LAN port of the Primary Unit and WAN port of the satellites are in the same ethernet network (for subnet 192.168.86.1/24), and other devices and Gold port 2 are also in the same ethernet network (for subnet 192.168.210.1/24). Both subnets are using the same physical ethernet network.
Step 1: Set up Local Networks in Gold
- Make sure Firewalla Gold is running in Router Mode
- Create a dedicated local network on Port 3. (e.g. 192.168.200.1/24)
- Create another local network on Port 2. It can either be shared with Port 1 or dedicated. (e.g. 192.168.210.1/24). The basic requirement is Port 2 and Port 3 must be used for different local networks.
1. Here is the tutorial on how to manage networks on Gold
2. We'll use the subnets above as an example in the rest of this guide.
Step 2: Set up Google Wifi Mesh network with a limited DHCP address range
- Connect the WAN port of the Google Wifi primary unit to Port 3, then follow the official guide to set up the Google Wifi primary device. Double check that the WAN IP of Google Wifi should be under 192.168.200.1/24
- Configure DHCP address range in Google Wifi primary unit so that the number of available IP addresses is N (N=number of additional Wifi points)
For example, to allow 2 more Wifi points in the Google Wifi mesh network, you can set the DHCP address range as 192.168.86.2~192.168.86.3
- Set up Google Wifi Mesh network by adding additional Google Wifi points one by one, and verify that they get IP addresses with in the range of what's reserved in step 2
If you are setting up with solution 2, connect the LAN port of Google Wifi primary unit and the WAN port of additional Google Wifi points to the switch.
- Sometimes one Google Wifi point may have two mac addresses, so you may need to reserve more IP addresses.
Note: It is highly recommended not to connect any other devices to the Google Wifi network when setting up the limited DHCP address range. Because the IP address in the pool may accidentally be assigned to other devices that are supposed to be assigned to Google Wifi points (satellites), eventually mess up the pool range.
Step 3: Use DHCP from Gold for devices in the wireless mesh network
- For solution 1: Connect the LAN port on Google Wifi primary unit to Port 2 on Firewalla Gold.
- For solution 2: Connect the switch to Port 2 on Firewalla Gold.
Now, any device connecting to the Google Wifi network should be able to get an IP address from Gold. (They should get IP addresses under 192.168.210.0/24.)
Step 4: Configure Gold to not allocate IP for Google Wifi points (satellites)
Google Wifi points may accidentally get IP addresses from Gold If the DHCP allocation from Google Wifi expires. This may break mesh setup. When this happens:
1. Firewall App will get a New Device Alarm on google wifi points.
2. Find the Wifi points devices in the Firewalla app (usually, the name is Google, Inc. and the IP address is under 192.168.210.0/24)
2. For each Wifi point device, tap on "IP Address", select "Do not allocate". This only needs to be done once.
3. Reboot Wifi point to get an IP from the Google Wifi primary unit.
Important: Never set "Do not allocate" for the Google Wifi primary unit, otherwise the whole Google Wifi mesh will lose the internet.
Thank you for this document, but does this scenario create a "double NAT" for the devices on the Mesh?
No, there is no double NAT ... This special trick turns the Google wifi (which doesn't want to be an AP) into an AP
How stable is this setup? I'm considering the Gold and currently running Google WiFi. I may end up going with different access points in the future but was hoping to run the Gold along with Google WiFi for a period.
There are a few people using it, should be usable. If you are going to a new mesh, avoid google/nest wifi, it is probably the only mesh out there refuse to support AP or bridge mode.
I must have done something wrong ... My entire wifi went down .... Tutorials like this ... If they are done using video ... That would be much easier...
This guide worked well for me, but one thing to note:
Using the Google Home App to add the router and points requires the mobile device to ALSO connect to the same WiFi network; I had to set aside some additional IP's to get the access points added to the mesh.
A separate question I have: where can I add a switch in this setup for my other devices that also need to be on the same network?
Ah, I think I see. So, the idea is that 210 and Google WiFi router's .86 are going to broadcast in the same VLAN but since you're limited the DHCP range on the Nest WiFi, it's not to push address and default gateway to devices?
I haven't gotten my gold yet, but here's my thoughts.
@Tyler Jones - I'm going to need to add a switch as well. Hoping I can use the 4th port on the firewalla and share that interface with the .210 network in the above example to add additional switch ports to the setup.
@John Lin - Seems that way to me and the idea of 2 DHCP servers broadcasting on the same Vlan seems less than ideal. Hoping it's stable though. Seems blocking the access points ability to pull IPs from the .210 segment after it happens the first time will keep it to a minimum though and you may just have to keep an eye out for any devices that inadvertently pull a .86 the first time they join the network, assuming there's an IP or 2 left open in the DHCP scope for device mgmt/additional Mac addresses on the access point network.
FYI for anyone that’s interested I got this working although getting the mesh network stable proved tricky. All of the steps mentioned are relevant including the fix when the mesh network eventually moves over to the wrong subnet.
One thing I’ve noticed is that google nest hub devices [just seems to be the display] does not seem to accept the DHCP relay request from Firewalla, it only likes the mesh subnet which is rather annoying...
Any questions hit me up, I’m a Cisco engineer.
Was unable to setup my Google Wifi using this tutorial. I have 80+ devices and although I followed step by step I always have 1 or more AP going down. I'm so sad because right now my gold is sitting on my desk...
I'm having an odd issue where one device is trying to pull an IP from the mesh network and failing. Sometimes a reboot will work, but after a while it goes back to the mesh DHCP server. Using a static IP works fine, but is annoying to manage.
OK just got my Firewalla Gold. Question. Do I have to reset all of my Google WIFI pucks and rebuild from scratch? Or can I just make these adjustments within the app, w/o having to reset and rebuilding everything?
You can save yourself a lot of trouble by getting different wifi pucks that support AP mode. But answer your question, yes, it's easier to factory reset them and start from scratch. And make sure to name your SSID something temporary or your wifi devices will jump in and take the puck IPs.
@Jason what would you suggest? I also have Google Wifi (1st gen) and it's a nightmare to configure properly and very unstable...
Thanks for your help.
What is suggested for best wifi AP?
We could probably debate that for weeks. :) I can tell you what I went with and why.
I went with the TP-Link Deco X60 (Three pack.)
They are super easy to configure, support WiFi-6, support ethernet backhaul, and were relatively inexpensive.
I directly wired each one to a port on the Firewalla and then created a single network for all of them.
Great. Thanks for the info. Does it have a way to limit time of clients? For example, set a usage limit of 1 hour per day for a particular client device?
Yes and No. Unfortunately when you put most of these devices in AP mode they loose all of their intelligence. In router mode these have a ton of advanced functionality as do most of the others. I don't have a good answer for you off the top of my head.
Gotcha. I'm hoping to see that feature supported by firewalla gold :)
But I just re-read you previous response about wiring each AP to a port- what is the advantage of that? I thought these operate as a mesh network already so aren't you wasting ports which could be used for something else?
My house is three floors (basement, main, and 2nd). While the mesh does work, signals from the 2nd floor get relayed through main floor and down to the basement where the router is. Since my house was pre-wired for ethernet I "backhauled" the traffic so that each AP gets a full gig to itself. Devices latch on to whichever AP has the best performance based on the location. The main reason that I got rid of the google nest mesh is because it didn't support this and internet speeds upstairs were not great.
Each AP also has a port coming out of it that you can connect to other devices or a switch. I could have also connected a switch to the firewalla and then the APs to the switch, but again I wanted maximum throughput on the WiFi.
@Jason, these Deco X60's. I have been reading up some reviews on em. How do you like it around the house? And how well do they go beyond your home? My current home is built like a faraday cage. I get great signal inside, but outside not so much...I haven't upgraded to WIFI 6 yet, but with all the trouble it takes to get Firewalla gold to work with it, i might just move on to a different setup.
Hopefully this will help. Here is my setup and it works flawlessly. I followed the instructions above and the physical connection are exact.
So before you do the physical connection, on the Google WiFi go into the LAN settings, make sure its on a different IP schema, e.g. 172.x.x.x or 10.x.x.x. Now restart all your Google WiFi mesh, e.g. router and points. Once they come up, make sure all of them are pulling the new IP schema. Now configure your Firewalla exact to the instructions in the article, but skip the step of configuring your Google WiFi to 192.168.86.x. Now power down all your Google WiFi's so that nothing is connectioning to any of them. Now do the physical connection like the diagram. In your Firewalla, delete any devices that it discovered, except for the Firewalla. Now power up the Google WiFi. You should start seeing devices connecting to it, but instead of pulling the IP from Google WiFi it will pull an IP from Firewalla. You should now see devices populate into Firewalla. Some devices won't show up for a couple of minutes or an hour. You will see Google WiFi point pull from 192.168.200.x which is fine, but all your other devices non-Google WiFi will pull from the 192.168.210.x IP scope.
Hope that helps you guys and the network setup is very stable. I rebooted everything several times and everything connected backup with no issues. I tested the blocks using the Firewalla policies, and it worked with no issues. Only thing that this setup will not work with is the VPN, but may have an idea of how to fix that (will update once I get that working)
Hope this helps.
@CYSecHD, thank you, will get someone in our team to verify your steps and enhance our directions.
You're welcome. Guess I'm gluten for yelling by my family. The many different possiblities I had dancing in my head, but still was thinking logically through the original setup on the article. Just to test the original write up again, I changed the network settings on the Firewalla Gold to the tee of the original article, it worked, but not stable. After doing some packet capture and looking through the captures, it appears that there seems to be some network flapping on the GW. It was getting confused once you set Do Not Assign. With the actual IP being assigned by the wireless LAN which we forced to Firewalla DHCP, Firewalla was not assigning the IP. The LAN of the Points, two of the Points were getting the x.x.86.x IP. One was still tie to a x.x.210.x IP. And kept dropping. So here is what worked, setup everything like the original article. Only caveat is that when the Points pick up a x.x.210.x don't select "Do Not Assign". Instead choose Reserve the IP's. This will be the LAN side. Restart the main GW router. Wait until it comes up. Test the connection. You should still have access via the Google WiFi app to the other Points. Go to each one, and make sure their LAN IP's are set to the one you want, in the original article, it's x.x.86.x. For the Pints that are not, restart them. Once they come up, it should pull the right LAN IP. If not it should still communicate. Go to the the GW app and go to the AP that you are working on, do a Move Point and go through the motions. It should pick up tan IP from the right scope. Repeat for the other ones. Now that you have all of the GW mesh up, go back to the GW app and do a reboot on all Points including the router. Wait until they come up, and if all the stars align, everything should work. The only caveat to this is, if you have a Guest wifi turned on, GW will automatically assign a separate VLAN which you can't control or change. Which stinks meaning you have to put all your stuff that you want to monitor in the LAN of GW. Those that you don't want to monitor and separate from internal LAN, you through them onto the Guest, but makes me a bit nervous because still transverse on the same connection. Probably more secure if I disable the Guest network and setup a cheap wireless WiFI 6 Router and use the other port on Firewalla to separate the connection for Guest.
Hopefully this helps so that you guys don't have to waste your GW or Nest investment. It's a pain, but would be cool if one day, Firewalla can make a combination box that is also a TAP/packet broker with enhance capabilities. If not, there is always the RPI route. Cheers everyone.
And if I wanted to have 2 ISPs used (e.g., xfinity and ATT fiber), the ISP can be connected to Port 1?
@vibhu, yes you can use port 1 + port 4. Or you can rearrange the example
Hi folks I really appreciate your efforts but with my network setup this isn't quite working: I have got three nest wifi routers and three nest wifi points. The three routers connected to the house lan cabling via switches and of course the points in mesh. (Google home app shows 6 points participating to the mesh). I am not sure what I did wrong but the setup at the top was very unstable for me. it seems like @CYSecHD has got a slightly different approach, and from what I understand it doesn't involve re-setting up the wifi mesh as "fresh" but rather just involves changing its IP subnet (and limiting the DHCP range as in the tutorial?) .
It would be good if you could clarify a bit more this tutorial with how to approach this with a deployed mesh without having to factory reset it. In general - as it seems like Google won't listen to our request of supporting bridge mode when the mesh is on, it would really be appreciated if you awesome guys at Firewalla implemented a Layer 2 mode. It won't just be helpful in this case but it would also expand the usefulness of your Gold box to other scenario, e.g. it's rather common to deploy layer 2 firewalls in complex network setups.
Layer 2 mode thread to upvote HERE: https://help.firewalla.com/hc/en-us/community/posts/360043319834-Unifi-USG-Firewalla-configuration?page=1#community_comment_1500000248742
So when I first set mine up I only had one router and one wifi point, I have since added two more for wifi stability around the house.
I had issues with the DHCP reservation on the first wifi point but subsequent nodes seem to have picked the addresses up fine.
My DCHP address pool only has space for 2 IP's, with the default gateway being on the node that's connected to Firewalla. Haven't needed to reboot. I also stuck to the original article and didn't try to reserve the IP's, your mileage may vary here judging by the articles above.
It should be as simple as extending the range of addresses (changing the last octect). Just make sure that the address isn't being used anywhere and that nothing is likely to refresh or try to call on DCHP in that time.
As I got this working I thought I’d share some tips (still please give us layer 2 🔥!)
-> you don’t need to factory reset your google WiFi <-
- make sure you have cellular data signal on your phone
- use google home app
1) prepare your firewalla gold by configuring the subnets as per tutorial. Do it with all its lan ports disconnected via Bluetooth . Prepare enough Ethernet patch cables for the firewalla connections. Do not connect them now
2) disconnect all your Ethernet connected devices BUT leave any secondary google WiFi router you may have connected
3) change the WiFi password to something else temporary - make sure you have cellular signal on your phone
4) you should now be connected via cellular to your home network and see no other device connected. All your WiFi points and routers should be connected. If yes to both continue to 5) else troubleshoot
5) change your google WiFi dhcp subnet and pool. I used 10.0.0.x . Allow space in the pool for 1 IP address for the main router (10.0.0.1), one IP per each Wi-Fi point and for any secondary router
6) verify all your mesh nodes are back online
7) time to connect your firewalla - plug all its eth ports as per tutorial
8) restore your WiFi password to what it was originally
Now that bridge mode is available (in beta) would it work If we setup the network as in Solution 2 , and we set the Gold in bridge mode?
the idea is :
- Google main AP gets WAN IP from ISP modem
- Firewalla Gold gets IP from Google main AP
- all devices get IPs from Google main AP
- all traffic is still routed through Gold as Google main AP WAN is connected to Gold as per Solution 2 diagram.
Please sign in to leave a comment.