- This article also applies to the Nest Wifi.
- To configure Google or nest Wifi with Blue series boxes, see Setup Guide: Mesh Routers Simple and DHCP modes
- To configure Google or nest Wifi with Purple series boxes, see Google Wifi or Nest Wifi Mesh network with Purple (Beta).
The best way to set up a mesh network with Firewalla Gold series boxes in router mode is to configure the mesh network in AP Mode/Bridge Mode.
If you just have one Google Wifi unit, you can turn on bridging mode and attach it to the Firewalla Gold LAN port.
However, the Google Wifi mesh network doesn't support AP Mode or Bridge mode (when the mesh is enabled). This tutorial provides a workaround. This workaround is NOT perfect, if you have any issues, please let us know. You can also help convince Google/Nest to support "AP mode". This is the best solution.
If you don't want to use up all your ports on Firewalla Gold you can also set up the Google Wifi mesh network with VLANs as shown here for Firewalla Purple. Note this requires a managed switch.
There are two recommended solutions for using Google Wifi with Firewalla.
Solution 1: Wireless Backhaul
Use this configuration when you cannot connect the Points to the Google Wifi Router with Ethernet. Configuration 2 is preferable when you have a choice.
There will be three network subnets created:
- Google Wifi LAN, managed by Google Wifi. This subnet is only used for Google points (satellites) (e.g. 192.168.86.0/24).
- Gold - Port 3, managed by Gold. This subnet is only used for Google Wifi's WAN IP (e.g. 192.168.200.0/30).
- Gold - Port 2, managed by Gold. This subnet is used for the remaining Wifi devices (e.g. 192.168.210.0/24).
Solution 2: Wired Backhaul
Use this configuration when you can connect the Points to the Google Wifi Router with Ethernet. This is the preferred option.
Network configuration steps remain the same.
ISP -> Gold Port 4
Gold Port 3 -> WAN port of the Primary Unit
Gold Port 2 -> Your Switch -> LAN port of the Primary Unit
-> WAN port of the Point (satellite)
-> Other devices
The idea is the LAN port of the Primary Unit and WAN port of the Point satellite are in one ethernet network (for subnet 192.168.86.1/24), and other devices and Gold port 2 are also in another ethernet network (for subnet 192.168.210.1/24). Both subnets are using the same physical ethernet network. Wi-Fi Clients that need an IP will ask Google Wifi for one, but there will be none for it to give and the request will go upstream to Firewalla DHCP server.
Configuration:
Step 1: Set up Local Networks in Gold
- Make sure Firewalla Gold is running in Router Mode. (See Mode) in the Firewalla app).
- Create a dedicated local network on Port 3. (e.g. start IP 192.168.200.0 end IP 192.168.200.3)
- Create another local network on Port 2. This network can include Port 1 if you like or be separate. (e.g. 192.168.210.1/24). However, Port 2 and Port 3 must be configured for different local networks.
Note:
1. Here is the tutorial on how to manage networks on Gold.
2. We'll use the subnets above as an example in this guide.
Do not connect Firewalla port 2 to the switch at this time.
Step 2: Set up a Google Wifi Mesh network with a limited DHCP address range
- Connect the WAN port of the Google Wifi primary unit to FWG's Port 3, then follow the official guide to set up the Google Wifi primary device. Double check that the WAN IP of Google Wifi should be under 192.168.200.1/30 (between 192.168.200.0-192.168.200.3). Once the Google primary unit is running, you should see the Google router appear as a device in Gold. If you are using New Device Quarantine, make sure the Google Wi-Fi isn’t quarantined.
- In the Google app, configure DHCP address range in Google Wifi primary unit so that the number of available IP addresses is N (N=number of additional Wifi points)
For example, to allow two Wifi Points in the Google Wifi mesh network, you can set the DHCP address range as 192.168.86.2-192.168.86.3; for three Wifi Points use 192.168.86.2-192.168.86.4.
- Set up Google Wifi Mesh network by adding additional Google Wifi points one by one, and verify that they get IP addresses within the range of what's reserved in step 2.
If you are setting up with configuration 2, connect the LAN port of the Google Wifi primary unit (Router) and the WAN port of additional Google Wifi Points to the switch. As you connect them, you should see the Google wifi satellites appear in the Google router.
Note: We recommend not connecting any other devices to the Google Wifi network while setting up the limited DHCP address range. This is because the IP address in the pool may be assigned to other devices that are supposed to be assigned to the Google Wifi Points.
Unfortunately, Google Wifi and nest Wifi do not allow IP reservations for the Points which would ensure that they don't create conflicts or get IPs from Firewalla. However, users of these APs report that usually once the router gives them an IP they tend to be "sticky" for a long time. A power cycle shouldn't cause it to get a new IP, but a factory reset (and subsequent setup) quite likely will. So in most cases, it shouldn't be a problem if you add one Point/Puck at a time and limit the IP range to be just big enough. Once you know if the units you have require one or two IPs and allow for that this workaround should not allow other devices to get IPs from the Google/nest router.
- Sometimes one Google Wifi Point may have two mac addresses, so you may need to reserve more IP addresses as needed. Just be sure the number of addresses you allow doesn't exceed what is needed for the Google or nest Wifi.
Step 3: Use DHCP from Gold for devices in the wireless mesh network
- For solution 1: Connect the LAN port on the Google Wifi primary unit to Port 2 on Firewalla Gold.
- For solution 2: Connect the switch to Port 2 on Firewalla Gold.
Now, any device connecting to the Google Wifi network should be able to get an IP address from Gold. They should get IP addresses under 192.168.210.0/24. in this example.
Step 4: Configure Gold to not allocate IP for Google Wifi Points (satellites)
Google Wifi points may accidentally get IP addresses from Gold If the DHCP allocation from Google Wifi expires. This may break the mesh setup. When this happens:
- The Firewalla app will get a New Device Alarm on google wifi points.
- Find the Wifi point devices in the Firewalla app (usually, the name is Google, Inc. and the IP address is under 192.168.210.0/24)
- For each Wifi point device, tap on "IP Address", and select "Do not allocate". This only needs to be done once.
- Reboot Wifi point to get an IP from the Google Wifi primary unit.
Important: Never set "Do not allocate" for the Google Wifi primary unit, otherwise the whole Google Wifi mesh will lose the internet.
Comments
49 comments
Disappointing that some of the advice from firewalla is to not use Google Nest WiFi. My entire home network has been running on this solution for over a year without issue. Until there's a true solution for this problem, my firewalla gold is sitting on my desk collecting dust.
@Michael, the problem with Google / Nest Wifi is, it does NOT do access point or bridge mode when in mesh, this is a limitation on the google side. It has nothing to do with Firewalla. All the major mesh (orbi, eero, velop ... ) have true bridge/AP mode when in a mesh. Google is the only one that supports bridge only on one unit, not a mesh.
What you see here is just a way for us to get around that problem, until google starts to support bridge mode in mesh. Feel free to post to their forums and may be they listen to customers like we do :)
Should DHCP service on the switch be enabled?
@ Michael Marrah... in my setup I do not use DHCP on the switch as firewalla has to serve as the DHCP server for all devices to track them. Hopefully you figured this out in the last four months:-) (noting for future readers).
Hi, any word if the new Nest Wifi Pro will allow it to be set up in AP mode?
No it hasd bridge mode for a single point but no AP mode or bridged mode for mesh.
The guide does work for the new Nest Wifi Pro however as another user mentioned I had to add an extra few addresses in the google wan dhcp scope to get all 3 points meshed together. After that it worked fine after the last 2 steps were completed
I have TP-Link Omada and purchased the Firewalla gold. my problem is that the Omada router doesn't have any bridge mode so I can't put the Firewalla between my ISP and Omada router.
I tried to setup the Firewalla using other option available to put the Firewalla between my main switch and the Omada Router (Firewalla in bridge mode). now the issue is I can't do any port forwarding because when I open it on my router, the Firewalla blocks it and doesn't support the port forwarding in the bridge mode.
anyone managed to setup Firewalla and Omada router and use the full capability of Firewalla ?
@Pejman
Can you double check with TP-Link again? they are pretty good with AP/Bridge mode support. I have not heard any router they have not supporting. (AP mode or bridge mode)
Hi,
thanks for your prompt reply. TP-link supports all that when it is not being managed via Omada SDN. once you use a Omada controller to control all the TP-link devices in the network, then I don't see any functionality of putting the TP-link gateway in to bridge mode.
My Nest WiFi Pros (3) reset this evening (for whatever reason, an update maybe?) and to my dismay one of the mesh pucks wouldn't connect.
After some troubleshooting it looks like some speakers are now Thread border routers and they're trying to take up the DHCP spots normally used by my mesh pucks.
Some background: I have all my devices (80+) using FW static IPs (except the WiFi half of the mesh pucks, those are getting 192.168.86.x DHCP addresses from the primary Nest WiFi) which has proven rock solid with performance and no loss of functionality (VPN, DNS, Family Protect, the various blocks, etc. I even went so far as to manually rename all the devices in Google Home WiFi so I could setup groups and rules there as well (e.g. timers for kids' devices) since they were all generic names which makes configuring groups in the WiFi Pro config impossible. When I got my FW I struggled with the instructions in OP but after sleeping on it I came up with an idea similar to some of the above posts - using temp password to isolate just the Nest WiFis to isolate and name appropriately to easily find them on a temp IP block, return the WiFi password to what all my devices are expecting then renaming and assigning static IPs to everything. Once every device has its static IP, change IP block in Nest WiFi Pro back to 192.168.210.1 (this forces all those DHCP addresses to reset - no need to wait for them to time out) then wrap up the instructions from the OP. After I put in the sweat to rename and assign static IPs (I already had a spreadsheet which I used prior to the FW which included MACs and desired last octets, so this helped immensely), I haven't had to touch a thing.
OK, I thought, no problem - I'll just assign a static IP and add it to my spreadsheet. Only problem is, for the first border router, that MAC address is already assigned (and weirdly, is actually using) a static IP in FW. BUT, in the Nest WiFi devices list, I uncovered 2 devices with the same MAC address -- the first was "--" (this is the FW static IP which doesn't show up in the WiFi Pro device list), but the 2nd was taking up a 192.168.86.x IP address assigned by the WiFi Pro DHCP. I couldn't for the life of me figure out if it was even possible to force a 2nd IP to that MAC address (I know next to nothing about Thread), so I gave up and opened up a few more DHCP addresses in the Nest WiFi Pro config and immediately my pucks came online.
The end result is: my pucks are back on the WiFi DHCP along with the Thread border routers. The remainder of my FW and Nest Wifi config remain the same and after a few hours of testing, all appears to be back to how it was prior to the issue happening this evening. Solid speed, functionality appears to be untouched, etc.
I figured I'd drop this here in case someone else is in the same boat and misses any border routers taking up their restricted/limited WiFi DHCP addresses. Honestly, I'm not even sure how I caught it in the first place but that was the turning point for me to track down what was going on.
Thanks for this guide. I followed this setup at home and it worked OK.
Update: Since installing I still was finding some inconsistencies in the network performance. I decided to change to Eero and placed in Bridge mode. This has been flawless and solved any issue I had on the network previously.
Unfortunately during my set up I had to allow a wider range of ip addresses for my Google wifi pucks than there were pucks (absolutely could not get it running otherwise). Now my android phones seem to get assigned ip addresses within the 192.168.86.x range and while they show up on firewalla app, all of the monitoring and blocking features fail to work properly. Any suggestions?
@Ncdoty, did you get this resolved?
I have Google Wifi, which is more temperamental than the kids at home.
I am thinking of replacing ISP Router (Eero) with a Firewalla.
Thanks
I followed this tutorial, starting with just accounting for 1 IP address per point (not including the "router"/Google base station plugged into the Firewalla Gold). This was enough for 2 of the 3 points I tried to add but the third one would not connect. I looked at the IP assigned to each one and realized they were off by 2 from each other, and then remember the comment in the article about allowing multiple IPs per device. So I went to 2 per point and everything went smoothly from there. Now everything is working well. Keep in mind I had to reset the entire Google network to factory settings because they are apparently terrible at forgetting IP addresses.
So long story short, I followed this article using Solution 1 (wireless backhaul) and allowing 2 IPs per point. I bought a 4-pack of Google G6ZUC and so I gave it a range of X.X.86.20 to X.X.86.25 for 6 total IP addresses. Then I connected the LAN port on the Google "router"/base station to the LAN port on the Firewalla Gold.
After that, the first device I connected to the new wifi was assigned an IP from the Firewalla LAN network and I have since reconnected all my devices to the new network and they have all gotten IP addresses from Firewalla. I can monitor traffic from each and block/unblock as normal.
Thank you for the excellent article. I can confirm that G6ZUC needs 2 IP addresses per point (not including "router").
I'm trying to set up my Firewalla gold with Google Wifi. When I try to add the first google wifi router, and try to set it up in Google Home app, it tells me the device has no internet connection. Is Firewalla blocking it? I tried to hook something up to lan port 3 just to see if it got connection, and it did not. When i did a speed test with Firewalla, it was clearly getting a connection. I don't understand why there doesn't seem to be connectivity to Port 3 to set up the google wifi. Is the unit faulty?
Did you configure LAN Port 3 as part of your LAN? Tap on the network manager and make sure it can DHCP
Initially could not get it to work. Taking each step in sequence and restarting the wifi network at each step was the key to success.
Steps.
Router LAN IP to 10.0.0.1 Subnet Mask 255.255.255.0 DCHP Pool Start 10.0.0.2 End 10.0.0.5
(Tried to have the Pool End being 10.0.0.3 but my 3rd Google Puck could not obtain an IP and therefore connect to mesh)
5. Restarted Mesh network and confirmed that each Google device had an IP of 10.x…
6. Followed the digram for Port 3 only to make sure the Firewalla was part of the network and Mesh network integrated.
7. Followed with Port 2 integration.
Note: Firewalla will discover the Mesh Network LAN connection but will not assign an IP to them. In my case it discovered it for Port 2 connection and later for NAS. (Ignore them)
8. Finally once the network is stable change the SSID and Password back to original
Works great.
Firewalla handles all of the DCHP workload.
Did anyone have issues with not able to run speed test with gfilber app ? Also I have seen the extender and main coming up from the other port that google fiber i set up for no IP but not clear why it would show up.
Guide: Assigning Consecutive IP Addresses to Google/Nest Wifi APs with Firewalla Gold
This guide is for anyone trying to get their Google or Nest Wifi mesh access points (APs) to receive consecutive IP addresses when using Firewalla Gold in Router Mode. After many failed attempts, this method worked for me using a 6-puck setup.
Problem
The APs often receive non-consecutive IP addresses.
Setting a restricted DHCP range too early can cause setup failures in the Google Home app.
This guide addresses these issues, especially during Step 2 of the Firewalla + Google Wifi integration tutorial.
Step-by-Step Instructions
1. Set up a temporary Google Wifi network
Use the Google Home app to set up your primary Google Wifi router.
Choose a temporary SSID and password (you can switch back to your original network settings later).
Don’t restrict the DHCP range or worry about IP assignments at this stage.
2. Add all mesh points (APs)
Add each additional Google/Nest Wifi puck through the Google Home app.
Do not restrict the DHCP range yet — setup needs extra IPs for temporary connections, including your phone.
Example: For 6 APs, I used a DHCP range
192.168.86.20 – 192.168.86.40.3. Identify the assigned IPs
After all mesh points are installed, open the Google Home app and record the IP address of each AP.
You’ll likely find that the IPs are not consecutive, with some numbers skipped.
4. Adjust the DHCP range
Once setup is complete and all APs are online, go to your Google Wifi DHCP settings and narrow the range.
The new range should:
Be just large enough to include all APs + one extra IP (usually for your phone).
Be in a different part of the subnet, not overlapping with previously assigned IPs.
Example: For 6 APs, I used
192.168.86.201 – 192.168.86.206.The primary puck will remain at
192.168.86.1, while the other 5 should shift into the new range.5. Reboot the mesh network
Restart the primary Google/Nest Wifi router and all connected mesh points.
After rebooting, the APs should request new IP addresses from the restricted range and receive consecutive assignments.
6. Remove the unused IP
One IP in the restricted range may not be used (Hopefully the first or last).
Remove this IP from the DHCP range.
Tips
Don’t restrict the DHCP range during setup—this can cause the Google Home app to fail when adding devices.
Only apply the DHCP restriction after all APs are installed and stable.
Be patient—this process will take time. Have a good book and plenty of coffee ready!
Please sign in to leave a comment.