Google Wifi or Nest Wifi Mesh network with Gold Series (Beta) – Firewalla

43 comments

  • Tyler Jones

    This guide worked well for me, but one thing to note:

    Using the Google Home App to add the router and points requires the mobile device to ALSO connect to the same WiFi network; I had to set aside some additional IPs to get the access points added to the mesh.

    A separate question I have: where can I add a switch in this setup for my other devices that also need to be on the same network?

    3
  • Chris Dillard

    How stable is this setup? I'm considering the Gold and currently running Google WiFi. I may end up going with different access points in the future but was hoping to run the Gold along with Google WiFi for a period.

    2
  • CYSecHD

    You're welcome. Guess I'm a glutton for yelling by my family. The many different possibilities I had dancing in my head, but still was thinking logically through the original setup on the article. Just to test the original write-up again, I changed the network settings on the Firewalla Gold to the tee of the original article, it worked, but not stable. After doing some packet capture and looking through the captures, it appears that there seems to be some network flapping on the GW. It was getting confused once you set Do Not Assign. With the actual IP being assigned by the wireless LAN which we forced to Firewalla DHCP, Firewalla was not assigning the IP. The LAN of the Points, two of the Points were getting the x.x.86.x IP. One was still tied to a x.x.210.x IP. And kept dropping.

    So here is what worked: set up everything like the original article. Only caveat is that when the Points pick up a x.x.210.x, don't select "Do Not Assign". Instead choose Reserve the IPs. This will be the LAN side. Restart the main GW router. Wait until it comes up. Test the connection. You should still have access via the Google WiFi app to the other Points. Go to each one, and make sure their LAN IPs are set to the one you want; in the original article, it's x.x.86.x. For the Points that are not, restart them. Once they come up, it should pull the right LAN IP. If not it should still communicate. Go to the GW app and go to the AP that you are working on, do a Move Point and go through the motions. It should pick up an IP from the right scope. Repeat for the other ones. Now that you have all of the GW mesh up, go back to the GW app and do a reboot on all Points including the router. Wait until they come up, and if all the stars align, everything should work.

    The only caveat to this is, if you have a Guest wifi turned on, GW will automatically assign a separate VLAN which you can't control or change. Which stinks, meaning you have to put all your stuff that you want to monitor in the LAN of GW. Those that you don't want to monitor and separate from internal LAN, you throw them onto the Guest, but makes me a bit nervous because it still traverses the same connection. Probably more secure if I disable the Guest network and set up a cheap wireless WiFi 6 Router and use the other port on Firewalla to separate the connection for Guest.

    Hopefully this helps so that you guys don't have to waste your GW or Nest investment. It's a pain, but would be cool if one day, Firewalla can make a combination box that is also a TAP/packet broker with enhanced capabilities. If not, there is always the RPI route. Cheers everyone.

    1
  • Phillip Marquez

    My Nest WiFi Pros (3) reset this evening (for whatever reason, an update maybe?) and to my dismay one of the mesh pucks wouldn't connect.

    After some troubleshooting it looks like some speakers are now Thread border routers and they're trying to take up the DHCP spots normally used by my mesh pucks. 

    Some background: I have all my devices (80+) using FW static IPs (except the WiFi half of the mesh pucks, those are getting 192.168.86.x DHCP addresses from the primary Nest WiFi) which has proven rock solid with performance and no loss of functionality (VPN, DNS, Family Protect, the various blocks, etc.). I even went so far as to manually rename all the devices in Google Home WiFi so I could set up groups and rules there as well (e.g. timers for kids' devices) since they were all generic names which makes configuring groups in the WiFi Pro config impossible. When I got my FW I struggled with the instructions in OP but after sleeping on it I came up with an idea similar to some of the above posts - using temp password to isolate just the Nest WiFis to isolate and name appropriately to easily find them on a temp IP block, return the WiFi password to what all my devices are expecting then renaming and assigning static IPs to everything. Once every device has its static IP, change IP block in Nest WiFi Pro back to 192.168.210.1 (this forces all those DHCP addresses to reset - no need to wait for them to time out) then wrap up the instructions from the OP. After I put in the sweat to rename and assign static IPs (I already had a spreadsheet which I used prior to the FW which included MACs and desired last octets, so this helped immensely), I haven't had to touch a thing.

    OK, I thought, no problem - I'll just assign a static IP and add it to my spreadsheet.  Only problem is, for the first border router, that MAC address is already assigned (and weirdly, is actually using) a static IP in FW.  BUT, in the Nest WiFi devices list, I uncovered 2 devices with the same MAC address -- the first was "--" (this is the FW static IP which doesn't show up in the WiFi Pro device list), but the 2nd was taking up a 192.168.86.x IP address assigned by the WiFi Pro DHCP.  I couldn't for the life of me figure out if it was even possible to force a 2nd IP to that MAC address (I know next to nothing about Thread), so I gave up and opened up a few more DHCP addresses in the Nest WiFi Pro config and immediately my pucks came online.

    The end result is: my pucks are back on the WiFi DHCP along with the Thread border routers.  The remainder of my FW and Nest Wifi config remain the same and after a few hours of testing, all appears to be back to how it was prior to the issue happening this evening.  Solid speed, functionality appears to be untouched, etc.

    I figured I'd drop this here in case someone else is in the same boat and misses any border routers taking up their restricted/limited WiFi DHCP addresses.  Honestly, I'm not even sure how I caught it in the first place but that was the turning point for me to track down what was going on.

    1
  • Ncdoty

    Unfortunately during my setup I had to allow a wider range of IP addresses for my Google Wifi pucks than there were pucks (absolutely could not get it running otherwise). Now my Android phones seem to get assigned IP addresses within the 192.168.86.x range and while they show up on the Firewalla app, all of the monitoring and blocking features fail to work properly. Any suggestions?

    1
  • Shawn Damon

    I must have done something wrong ... My entire wifi went down .... Tutorials like this ... If they are done using video ... That would be much easier...

    1
  • Firewalla

    There are a few people using it, should be usable. If you are going to a new mesh, avoid Google/Nest Wifi; it is probably the only mesh out there that refuses to support AP or bridge mode.

    1
  • Jason McKee

    We could probably debate that for weeks. :)  I can tell you what I went with and why. 

    I went with the TP-Link Deco X60 (Three pack.)

    They are super easy to configure, support WiFi-6, support ethernet backhaul, and were relatively inexpensive. 

    I directly wired each one to a port on the Firewalla and then created a single network for all of them.

    1
  • CYSecHD

    Hopefully this will help. Here is my setup and it works flawlessly. I followed the instructions above and the physical connections are exact.

    So before you do the physical connection, on the Google WiFi go into the LAN settings, make sure it's on a different IP schema, e.g. 172.x.x.x or 10.x.x.x. Now restart all your Google WiFi mesh, e.g. router and points. Once they come up, make sure all of them are pulling the new IP schema. Now configure your Firewalla exactly to the instructions in the article, but skip the step of configuring your Google WiFi to 192.168.86.x. Now power down all your Google WiFis so that nothing is connecting to any of them. Now do the physical connection like the diagram. In your Firewalla, delete any devices that it discovered, except for the Firewalla. Now power up the Google WiFi. You should start seeing devices connecting to it, but instead of pulling the IP from Google WiFi it will pull an IP from Firewalla. You should now see devices populate into Firewalla. Some devices won't show up for a couple of minutes or an hour. You will see Google WiFi point pull from 192.168.200.x which is fine, but all your other devices non-Google WiFi will pull from the 192.168.210.x IP scope.

    Hope that helps you guys and the network setup is very stable. I rebooted everything several times and everything connected back up with no issues. I tested the blocks using the Firewalla policies, and it worked with no issues. Only thing that this setup will not work with is the VPN, but may have an idea of how to fix that (will update once I get that working)

    Hope this helps.

    1
  • James Hector

    Thanks for this guide. I followed this setup at home and it has been flawless since installing my Gold SE. It's improved my network incredibly.

    0
  • sk0rp10

    Now that bridge mode is available (in beta), would it work if we set up the network as in Solution 2, and we set the Gold in bridge mode?

    The idea is:

    - Google main AP gets WAN IP from ISP modem
    - Firewalla Gold gets IP from Google main AP
    - all devices get IPs from Google main AP
    - all traffic is still routed through Gold as Google main AP WAN is connected to Gold as per Solution 2 diagram.

    0
  • jmraffin

    Hi, any word if the new Nest Wifi Pro will allow it to be set up in AP mode?

    0
  • Gabi

    @Ncdoty, did you get this resolved? 

    I have Google Wifi, which is more temperamental than the kids at home.

    I am thinking of replacing ISP Router (Eero) with a Firewalla.

    Thanks

    0
  • Firewalla

    @vibhu, yes you can use port 1 + port 4.  Or you can rearrange the example

    0
  • Firewalla

    @CYSecHD, thank you, will get someone in our team to verify your steps and enhance our directions.

    0
  • hoops

    Gotcha. I'm hoping to see that feature supported by Firewalla Gold :)

    But I just re-read your previous response about wiring each AP to a port - what is the advantage of that? I thought these operate as a mesh network already, so aren't you wasting ports which could be used for something else?

    0
  • Jason McKee

    I'm having an odd issue where one device is trying to pull an IP from the mesh network and failing. Sometimes a reboot will work, but after a while it goes back to the mesh DHCP server. Using a static IP works fine, but is annoying to manage.

    0
  • Chris Dillard

    I haven't gotten my Gold yet, but here are my thoughts.

    @Tyler Jones - I'm going to need to add a switch as well. Hoping I can use the 4th port on the Firewalla and share that interface with the .210 network in the above example to add additional switch ports to the setup.

    @John Lin - Seems that way to me and the idea of 2 DHCP servers broadcasting on the same VLAN seems less than ideal. Hoping it's stable though. Seems blocking the access points' ability to pull IPs from the .210 segment after it happens the first time will keep it to a minimum though and you may just have to keep an eye out for any devices that inadvertently pull a .86 the first time they join the network, assuming there's an IP or 2 left open in the DHCP scope for device mgmt/additional MAC addresses on the access point network.

    0
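
One way to keep an eye out for the cases raised in this thread (clients that land in the mesh's 192.168.86.x scope instead of the Firewalla's 192.168.210.x scope, and a single MAC holding two addresses), as an added example that is not from any poster or from Firewalla. The "MAC IP name" inventory format, the sample rows, the puck MACs and the /24 masks are assumptions.

```python
import ipaddress
from collections import defaultdict

# Scopes named in this thread; the /24 masks are an assumption.
MESH_SCOPE = ipaddress.ip_network("192.168.86.0/24")   # Google/Nest Wifi DHCP
FW_SCOPE = ipaddress.ip_network("192.168.210.0/24")    # Firewalla DHCP

# Constructed sample inventory, "MAC IP name" per line (not real devices).
SAMPLE = """\
AA-BB-CC-00-00-01   192.168.86.20   puck-office
aa:bb:cc:00:00:02   192.168.86.21   puck-hall
aa:bb:cc:00:00:10   192.168.210.50  laptop
aa:bb:cc:00:00:11   192.168.86.22   android-phone
aa:bb:cc:00:00:12   192.168.210.60  speaker
aa:bb:cc:00:00:12   192.168.86.23   speaker-thread
aa:bb:cc:00:00:13   10.0.0.5        stray
"""
KNOWN_PUCKS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}  # hypothetical MACs


def norm_mac(mac):
    """Lower-case a MAC and use ':' separators so duplicates compare equal."""
    digits = mac.lower().replace("-", "").replace(":", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_inventory(text):
    """Yield (mac, ip, name) tuples, skipping blanks and '#' comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mac, ip, name = line.split(None, 2)
        yield norm_mac(mac), ipaddress.ip_address(ip), name


def audit(text, pucks=KNOWN_PUCKS):
    """Flag leases that sit outside the Firewalla scope or share one MAC."""
    by_mac = defaultdict(list)
    report = {"mesh_scope_clients": [], "multi_ip_macs": {}, "outside_scopes": []}
    for mac, ip, name in parse_inventory(text):
        by_mac[mac].append(str(ip))
        if ip in MESH_SCOPE and mac not in pucks:
            # A non-puck client leased by the mesh instead of the Firewalla.
            report["mesh_scope_clients"].append((mac, str(ip), name))
        elif ip not in MESH_SCOPE and ip not in FW_SCOPE:
            report["outside_scopes"].append((mac, str(ip), name))
    report["multi_ip_macs"] = {m: ips for m, ips in by_mac.items() if len(ips) > 1}
    return report


if __name__ == "__main__":
    print(audit(SAMPLE))
```
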
  • hoops

    What is suggested for best wifi AP?

    0
  • Jeff Duvio

    OK, just got my Firewalla Gold. Question: do I have to reset all of my Google WIFI pucks and rebuild from scratch? Or can I just make these adjustments within the app, w/o having to reset and rebuild everything?

    0
  • Vibhu Mittal

    And if I wanted to have 2 ISPs used (e.g., xfinity and ATT fiber), the ISP can be connected to Port 1?

    0
  • Firewalla

    No, there is no double NAT ...   This special trick turns the Google wifi (which doesn't want to be an AP) into an AP

    0
  • Jeff Duvio

    @Jason, these Deco X60s. I have been reading up some reviews on 'em. How do you like it around the house? And how well do they go beyond your home? My current home is built like a Faraday cage. I get great signal inside, but outside not so much... I haven't upgraded to WIFI 6 yet, but with all the trouble it takes to get Firewalla Gold to work with it, I might just move on to a different setup.

    0
  • sk0rp10

    Hi folks, I really appreciate your efforts but with my network setup this isn't quite working: I have got three Nest Wifi routers and three Nest Wifi points. The three routers are connected to the house LAN cabling via switches and of course the points in mesh. (Google Home app shows 6 points participating in the mesh.) I am not sure what I did wrong but the setup at the top was very unstable for me. It seems like @CYSecHD has got a slightly different approach, and from what I understand it doesn't involve re-setting up the wifi mesh as "fresh" but rather just involves changing its IP subnet (and limiting the DHCP range as in the tutorial?).

    It would be good if you could clarify a bit more this tutorial with how to approach this with a deployed mesh without having to factory reset it. In general - as it seems like Google won't listen to our request of supporting bridge mode when the mesh is on, it would really be appreciated if you awesome guys at Firewalla implemented a Layer 2 mode. It won't just be helpful in this case but it would also expand the usefulness of your Gold box to other scenarios, e.g. it's rather common to deploy layer 2 firewalls in complex network setups.

    Layer 2 mode thread to upvote HERE: https://help.firewalla.com/hc/en-us/community/posts/360043319834-Unifi-USG-Firewalla-configuration?page=1#community_comment_1500000248742

    0
  • Matt Hudson

    No, it has bridge mode for a single point but no AP mode or bridged mode for mesh.

    The guide does work for the new Nest Wifi Pro; however, as another user mentioned, I had to add an extra few addresses in the Google WAN DHCP scope to get all 3 points meshed together. After that it worked fine after the last 2 steps were completed.

    0
  • Firewalla

    @Pejman

    Can you double check with TP-Link again? They are pretty good with AP/Bridge mode support. I have not heard of any router of theirs not supporting it (AP mode or bridge mode).

    0
  • Firewalla

    @Michael, the problem with Google / Nest Wifi is, it does NOT do access point or bridge mode when in mesh; this is a limitation on the Google side. It has nothing to do with Firewalla. All the major mesh systems (Orbi, Eero, Velop ...) have true bridge/AP mode when in a mesh. Google is the only one that supports bridge only on one unit, not a mesh.

    What you see here is just a way for us to get around that problem, until Google starts to support bridge mode in mesh. Feel free to post to their forums and maybe they will listen to customers like we do :)

    0
  • Pejman

    I have TP-Link Omada and purchased the Firewalla Gold. My problem is that the Omada router doesn't have any bridge mode so I can't put the Firewalla between my ISP and Omada router.

    I tried to set up the Firewalla using the other option available to put the Firewalla between my main switch and the Omada Router (Firewalla in bridge mode). Now the issue is I can't do any port forwarding because when I open it on my router, the Firewalla blocks it and doesn't support the port forwarding in the bridge mode.

    Anyone managed to set up Firewalla and Omada router and use the full capability of Firewalla?

    0
  • Michael Marrah

    Should DHCP service on the switch be enabled?

    0
  • Pejman

    Hi,

    Thanks for your prompt reply. TP-Link supports all that when it is not being managed via Omada SDN. Once you use an Omada controller to control all the TP-Link devices in the network, then I don't see any functionality of putting the TP-Link gateway into bridge mode.

    0