Will Firewalla work on any home network?
Firewalla is a very flexible device that can operate in many different ways to fully adapt to your network. If you already have some network equipment, you may want to find a network topology that lets you integrate Firewalla with it. In some cases, Firewalla may replace or obviate some of your equipment. In other cases, you may need something extra to complete your new network.
- Augment Mode. Firewalla can augment your existing network with a simple plug-and-play installation, with very little change to your existing network. These are our traditional "Simple" and "DHCP" modes.
- Router/Bridge Mode. These two modes are unique to the Firewalla Gold and Purple. Here you can make these units the main router.
To learn more about the different modes, see: How does Firewalla Intercept Traffic? Which Firewalla mode to use?
What is the best mode for the Gold and Purple?
"Router mode". When in router mode, the Firewalla Gold and Purple can run all the features, including Smart Queue and Policy-based Routing. Firewalla Gold and Purple are full routers with robust firewall and network performance reporting.
There are no compatibility issues when your Gold or Purple runs in router (or bridge) mode. What you need to watch out for is that your ISP device is a modem, or a router that can be put in bridge mode, and that your Wi-Fi/mesh can do AP/Bridge mode. (This guide will help you with this topic.)
For the most basic network, you need the following functional parts:
- One WAN connection converted to ethernet (e.g. DSL or Cable modem, Fiber ONT, etc.)
- One Router
- Wi-Fi or a Network switch
Recommended configurations
Router mode
WAN → Firewalla Gold/Purple (Router mode) → Switches/Wi-Fi APs (AP or Bridge mode)
Pros of running Firewalla Gold/Purple in Router mode
- Enables all Firewalla features.
- Since the Purple and the Gold have extremely powerful CPUs, by offloading routing and filtering to these devices, your WiFi and LAN will likely be a bit faster.
- Allows you to easily replace components with new and better technology such as Wi-Fi 6 (802.11ax) without tossing otherwise good equipment as you might in an integrated modem/router/wifi box.
- Using separate network "components" may get you advanced features like VLAN and WLAN network segments that are often not available in inexpensive combo units.
- Allows you to switch internet providers without redesigning your network. Moving from DSL to Fiber? Remove your modem and connect Firewalla to your Fiber ONT. Done in a flash.
If you have:
- A Modem...
  - Run Firewalla in router mode.
  - You may want to choose some Wi-Fi Access Points (see "Switches/Wi-Fi APs" above)
- A direct Ethernet feed such as out of a Fibre ONT...
  - Run Firewalla in router mode.
  - You may want to choose some Wi-Fi Access Points (see "Switches/Wi-Fi APs" above)
- A combined router with Wi-Fi...
  - You need a WAN connection (modem, Fibre connection, etc.)
  - Run Firewalla in router mode.
  - Put the router/Wi-Fi box into AP mode (some routers will call it bridge mode) and use the Wi-Fi (see "Switches/Wi-Fi APs" above)
- A combined Modem + Router + Wi-Fi...
  You can either:
  - Use your existing box as a modem (bridge mode), which disables the router and Wi-Fi.
    - In this configuration you will need separate Wi-Fi APs (see "Switches/Wi-Fi APs" above)
  - Or, get a simple modem and reuse the integrated box for Wi-Fi-only AP mode (sometimes called Bridge mode).
    - In this case, you would need separate Wi-Fi AP(s).
- A router that you cannot replace. This happens mainly in small businesses. Here you can add Firewalla Gold/Purple to the existing router in "Transparent Bridge Mode", and attach the switch / Wi-Fi behind the Gold / Purple.
Examples
Below are some of the most common examples taken right from customer postings and help tickets. This list will grow over time but for the most part, you should be able to identify scenarios that are pretty similar to yours and help you if you get stuck.
(If you have examples that are not mentioned here, please feel free to post them here: https://help.firewalla.com/hc/en-us/community/topics/115000362573-Installation-Configuration-and-Operation. We may add them to this guide in the future.)
1. XFINITY modem (not Gateway)
Examples: Motorola MB8611, NETGEAR Nighthawk Multi-Gig Cable Modem with Voice CM2050V, MOTOROLA MG7540
XFINITY Modem → Gold (port 4) (router mode, WAN Port)
→ Gold (port 1) → AP/Wifi/Mesh → wireless devices
→ Gold (port 2) → switch
→ desktop(s)
→ Security Alarm system
→ ...
→ Gold (port 3) →
OR
XFINITY Modem → Purple (router mode) → switch → AP/Wifi/Mesh → wireless devices → wired device(s)
When you have a modem, setup is usually extremely easy!
2. XFINITY Gateways
Examples: XB3/XB6/XB7/XB8
For an overview of XFINITY Gateways and user guides, see this article.
XFINITY Gateway (bridge mode) → Gold (router mode) → AP/Wifi/Mesh → wireless devices
→ wired devices
→ switch (optional) → wired devices
OR
Gateway (Bridge mode) → Purple (router mode) → switch → AP/Wifi/Mesh
→ wired devices
Unlike a single-purpose modem, "Xfinity Gateways and xFi Gateways are all-in-one devices that deliver Internet and Voice connectivity, whole-home WiFi coverage, network control and speed for the ultimate connected experience." Before anything else, find out what equipment you have.
See information about XFINITY bridge mode.
3. Verizon/Fios
Examples: Verizon G3100 and G1100
ONT → Firewalla Gold (router mode) (port 4)
→ Gold (port 1) → G3100 (from FWG LAN port). [Do NOT turn off DHCP]
→ MoCA → Verizon Set top boxes
→ Gold (port 2) → switch → devices
→ AP/Wifi/Mesh (bridge mode)
In this scenario, the install has a fiber connection and also set-top boxes. Some customers used MoCA connections and got rid of the G3100 completely.
More on: Working Verizon FIOS setup with G3100 and Firewalla Gold.
If you need more information about setting your current router to AP mode, see this article: Using your existing router in bridge/AP mode.
For Purple, see https://help.firewalla.com/hc/en-us/articles/4405807840275-Configuring-Triple-Play-on-Firewalla-Purple for how to accomplish this with a managed switch and VLANs.
4. Router Replacement: Eero
WAN → Gold (Router mode) (port 4)
→ Gold (port 1) → Eero Main Unit(bridge mode)
→ switch → Eero child units (ethernet backhaul)
→ Gold (port 2) → Ethernet switch → desktop
→ Sonos
→ IoT Bridge
→ NAS
→ ...
or
WAN → Purple (Router mode) [right side] (WAN port)
Purple (LAN port [left side]) → switch → Eero Main Unit (bridge mode) → Eero child units (ethernet backhaul)
→ desktop
→ NAS
→ ...
Eero is one of the most popular routers used by our customers. Deploying/installing Firewalla is really simple. All you need to do is connect the Eero to the Gold / Purple LAN port and then change it to bridge mode. If you are doing ethernet backhaul, make sure you connect the Eero child units to the Eero LAN, not the Firewalla LAN.
See this discussion for more info about eero setup.
5. Router Replacement: ASUS
Examples: ASUS RT-AX92U, NETGEAR Nighthawk AX8
WAN → Gold (Router mode) (port 4)
→ Gold (port 1) → ASUS RT-AX92U (bridge mode) (continues to serve guest Wi-Fi)
→ Gold (port 2) → Ethernet switch → desktop
→ Sonos
→ IoT Bridge
→ NAS
→ ...
If you don't need VLANs you can substitute an unmanaged switch for the managed switch. Port 3 in this example shows how you can have a different network segment coming right off Firewalla Gold. Since there are only 3 ports this approach has limitations and 802.1Q VLANs allow more flexibility. See Building network segments for more on network segmentation.
Reference:
AT&T / IP Pass-through mode
WAN → Router (pass-through mode, Wi-Fi disabled and Firewall Filters disabled) → Gold/Purple (router mode) → Devices
Description
A special use case for routers that are commonly used by AT&T U-verse where the router may provide the authentication for internet service or where there is a service like VOIP. If you want Wi-Fi devices protected by Firewalla, you need to add separate Wi-Fi APs in this case.
In this configuration, your router stays in place but forwards all traffic to Firewalla.
Pros
- Use a much better router than ISPs provide
- All Firewalla features are fully functional
- No need to replace the Gateway if you don't want to.
Cons
- Requires separate Wi-Fi APs
Examples
6. BGW210 or BGW320
BGW210 (passthrough mode) → Firewalla Gold (router mode) → switch → AP
→ Devices
If you have an ISP router like BGW210...
- Run BGW210 in passthrough mode.
- Run Firewalla in router mode.
- Add APs for Wi-Fi (see "Switches/Wi-Fi APs" above)
References
- Configuring IP Passthrough with an AT&T BGW210-700 and a UDM Pro
- Video: How to configure the AT&T BG210 to enable IP Passthrough features in 5 minutes!
- Video: AT&T Router Passthrough Mode Setup Guide
7. Virgin
Examples: Super Hub 1, 2 or 2ac, Hub 3, or Hub 4
Hub 3 (modem mode) → Gold (Router mode) (port 4)
→ Gold (port 1) → AP/Wifi/Mesh (bridge mode)
→ Gold (port 2) → switch → devices
→ ...
In this scenario, you will configure the Hub as a stand-alone DOCSIS3 cable modem and get separate APs so that all Wi-Fi devices are protected by Firewalla. This also allows you to place your APs where they give you the best signal.
You can find more information from Virgin directly at https://www.virginmedia.com/help/virgin-media-hub-modem-mode#hub3orhub4
8. Charter
Charter modem → Purple → Netgear GS105Ev2 (managed switch) → Netgear Orbi (AP mode)
→ Computers
→ ...
With Purple, it is especially likely you will want some kind of switch because there is only one LAN ethernet port.
9. CenturyLink
(fiber) → CenturyLink ONT → Gold/Purple (router mode) → Switch → Netgear Orbi (AP mode)
→ ...
CenturyLink requires a PPPoE connection, so have your credentials ready (usually your CenturyLink email and password) and configure the WAN with the appropriate VLAN tag (last we heard, they use 201). You will need an AP or a router in AP mode for your Wi-Fi.
10. Aruba WAPs
Examples: AP22
11. Access Point: TP-Link APs
WAN → Firewalla Gold (Router Mode) → Switch → TPLink Archer C6 (AP mode) → Computer(s)
→ TPLink EAP-245 (with optional VLANs)
→ TPLink EAP-245 (with optional VLANs)
→ XBOX
→ ...
12. Access Point: UniFi WAPs
WAN → Firewalla Gold (Router mode) → managed switch → Unifi AP(s)
→ Unifi Controller running in docker
→ ...
You can run the Unifi Controller in a docker container on Firewalla, a NAS, or a Raspberry Pi. No UDM, UDM Pro or CloudKey is required. A managed switch is recommended so you can use network segmentation.
Triple Play mode
WAN → Gold/Purple (router mode) → Switch/AP (optional) → Devices
You can set up VLANs on Gold and run IPTV and Phone through your switch if you need more ports.
Description
Used when there is double/triple-play service (Voice, Internet, TV). For FWG you can use port-based or VLANs for the triple play. FWP requires VLANs.
- If you have an ISP router...
  - Set your router aside. You don't need it. Better yet, return it and stop paying a rental fee.
  - You may want a managed switch if you are short of ports
Pros
- Use a much better router than ISPs provide
- Don't rent a router from ISP.
- Enables all Double/Triple play features
Cons
- May require buying or renting an inexpensive modem if the ISP modem doesn't allow disabling DHCP.
- Some additional effort is required for the initial setup. Don't worry, you got this!
Modem (ISP) → Gold (Router Mode) (port 4)
→ Gold (port 3/VLAN 61) → IP TV
→ Gold (port 2/VLAN 62) → IP Phone
→ Gold (port 1/VLAN 60) → switch → AP/Wifi/Mesh
→ computer
→ Devices
References
Typical Variations
Below are some setup variations that also work well with Firewalla, when to use them, and the pros/cons of each.
Bridge mode
Gold
WAN → Router (Router mode) → Gold/Purple (Bridge mode) → Switch/AP → Devices
Purple
Note: in this configuration of Purple, the router goes to the LAN port and the WAN port goes to the switch or AP.
Description
Bridge mode is typically used when you have an existing router that provides some essential features that you want to keep in place. For this configuration:
- Firewalla must be between your router and a switch or AP.
- APs must connect behind Firewalla. So a router with built-in Wi-Fi is not a great candidate. However, if you are able and willing to disable the Wi-Fi and add separate Wi-Fi behind Firewalla that is fine.
For techies, Firewalla's Bridge mode is a layer 2 firewall. Your existing router will remain your router. In bridge mode, blocking features, protection features, and the ad blocker will work the same way as in router mode. You can monitor all VLANs in this configuration as well.
If you have:
- A Router (such as UDM)
  - You will need a modem or WAN source
  - Use your original router, configured in router mode.
  - Firewalla Gold/Purple in Bridge mode
  - You could consider using a LAG connection to your switch for performance/redundancy
  - A switch or separate APs
Pros
- Maintains the features of your existing router
- Firewalla provides IDS/IPS
- Minimal network rewiring
Cons
- Doesn't allow the use of all Firewalla features because Firewalla is not your router
  - VPN Client (all features under the VPN Client button)
  - Policy-Based Routing (all features under the route button)
  - Smart Queue (all features under the Smart Queue button)
  - Site to Site VPN (if another Firewalla box establishes a site-to-site VPN connection to the box in bridge mode (as the server site), you need to add a static route on the server-side gateway that routes the client networks via Firewalla's IP)
- Can be somewhat more complicated. Some things are managed in Firewalla and some in the Router.
- This configuration doesn't support Routers with built-in Wi-Fi
Example
13. Unifi UDM Pro
Modem (ISP) → UDM Pro (Router) → Firewalla Gold/Purple (Bridge Mode) → USW (switch) → Unifi AP(s)
→ Devices
→ ...
Multi-WAN
WAN1, WAN2 → Gold (router mode) → Devices
Description
Unlike the rest of the examples, this example is about the WAN side of the network, not the LAN. Multi-WAN can be used with any of the other LAN configurations.
This is used when you want to use two different ISP connections for redundancy (failover mode) or increased bandwidth (load balancing). Firewalla Purple multi-WAN is limited to one ethernet and one Wi-Fi connection. It doesn't matter what the WAN connections are: Fiber, LTE, DSL, or Fixed wireless.
If you have two WAN sources...
- Run Firewalla Gold in Router mode and configure Multi-WAN.
- You may want to choose some Wi-Fi Access Points (see "Switches/Wi-Fi APs" above)
- Firewalla Feature Guide: Multi-WAN
What is the best mesh for router mode?
We recommend a mesh unit that can run in access point mode while the mesh is on. This way, the mesh is only responsible for making Wi-Fi connections and passes the routing on to the router (your Wi-Fi will likely be much more efficient). If you configure the mesh in router mode, it will still work with Firewalla, but Firewalla will not be able to see/control all the devices under the mesh.
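The placement rules in this guide (APs must connect behind Firewalla, and a mesh left in router mode hides its devices from Firewalla) can be checked by walking each device's path toward the WAN. This is an added example, not Firewalla code; the topology, device names and role labels are constructed assumptions.

```python
# Added example: constructed topology with hypothetical device names and role labels.
ROUTING_ROLES = {"router", "mesh_router"}  # devices that route/NAT for their own clients

TOPOLOGY = {  # each device names the device it plugs into on the WAN side ("uplink")
    "modem":      {"role": "modem",       "uplink": None},
    "isp_router": {"role": "router",      "uplink": "modem"},       # built-in Wi-Fi left on
    "firewalla":  {"role": "firewalla",   "uplink": "isp_router"},  # bridge mode
    "switch":     {"role": "switch",      "uplink": "firewalla"},
    "ap":         {"role": "ap",          "uplink": "switch"},      # AP/bridge mode
    "mesh":       {"role": "mesh_router", "uplink": "switch"},      # mesh left in router mode
    "laptop":     {"role": "client",      "uplink": "ap"},
    "camera":     {"role": "client",      "uplink": "mesh"},
    "phone":      {"role": "client",      "uplink": "isp_router"},  # on the router's own Wi-Fi
}

def classify_clients(topology, firewalla="firewalla"):
    """Walk each client's uplink chain toward the WAN and report how Firewalla sees it.

    protected            - path crosses Firewalla with no routing device in between
    hidden_behind_router - path crosses Firewalla, but a routing device sits in between,
                           so Firewalla cannot see/control the client individually
    not_behind_firewalla - path reaches the WAN without crossing Firewalla
    """
    result = {}
    for name, node in topology.items():
        if node["role"] != "client":
            continue
        status, behind_router, seen = "not_behind_firewalla", False, set()
        hop = node["uplink"]
        while hop is not None and hop not in seen:   # 'seen' guards against wiring loops
            seen.add(hop)
            if hop == firewalla:
                status = "hidden_behind_router" if behind_router else "protected"
                break
            upstream = topology.get(hop)
            if upstream is None:                      # dangling uplink: stop the walk
                break
            if upstream["role"] in ROUTING_ROLES:
                behind_router = True
            hop = upstream["uplink"]
        result[name] = status
    return result

if __name__ == "__main__":
    for client, status in sorted(classify_clients(TOPOLOGY).items()):
        print(f"{client:8} {status}")
```

Switching the mesh to AP mode and moving the phone onto an AP behind Firewalla makes every client report `protected`.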
What is the best Access Point for router mode?
Any access point should work nicely with Firewalla in router mode. Some access points may require controller software, and some of that software can be installed on the Gold/Purple; see https://help.firewalla.com/hc/en-us/articles/360053441074-Guide-How-to-run-UniFi-Controller-on-the-Firewalla-Gold-or-Purple-
Comments
1 comment
An example of a Starlink with failover to cellular modem would be great!