Will Firewalla work on any home network?
Firewalla is a very flexible device that can operate in many different ways to adapt to your network fully. If you already have some network equipment, you may want to find a network topology that helps you integrate Firewalla where you can. In some cases, Firewalla may replace or obviate some of your equipment. In other cases, you may need something extra to complete your new network.
- In Simple or DHCP Modes, Firewalla can augment your existing network with a simple plug-and-play installation that requires very little change to your existing network.
- In Router or Bridge Mode, Firewalla is your network's main router. These two modes are unique to the Gold and Purple.
To learn more about the different modes, see: How Does Firewalla Intercept Traffic? Which Firewalla Mode Should I Use?
What is the best mode for the Gold and Purple?
Router Mode. When in Router Mode, the Firewalla Gold and Purple will be able to run all features, including things like Smart Queue and Policy-Based Routing. Firewalla Gold and Purple are full routers with robust firewall and network performance reporting.
There are no compatibility issues when your Gold or Purple runs in either router or bridge mode. What you need to watch out for is whether you have an AP, wireless mesh, or non-ISP router that can run in AP/Bridge mode. Keep reading to learn more.
For the most basic network, you only need the following functional parts:
- One WAN connection converted to Ethernet (e.g., DSL or Cable modem, Fiber ONT, etc.)
- One Router
- A Wi-Fi access point or a network switch
Recommended configurations
Router Mode
|
WAN → |
Firewalla → (In Router Mode) |
Switches/Wi-Fi APs (In Access Point or Bridge Mode) |
|
Examples
|
Gold or Purple only |
Examples
|
Pros of running Firewalla Gold or Purple in Router Mode
- Enables all Firewalla features.
- Since the Purple and Gold have extremely powerful CPUs, your Wi-Fi and LAN will likely be a bit faster by offloading routing and filtering to these devices.
- Allows you to easily replace components with new and better technology such as Wi-Fi 6 (802.11ax) without tossing otherwise good equipment as you might in an integrated modem/router/Wi-Fi box.
- Using separate network "components" may get advanced features like VLAN and WLAN network segments often unavailable in inexpensive combo units.
- Allows you to switch internet providers without redesigning your network. Moving from DSL to Fiber? Remove your modem and connect Firewalla to your Fiber ONT. Done in a flash.
If you have:
- A Modem...
- Run Firewalla in Router Mode.
- You may want to choose some Wi-Fi Access Points (see "Switches/Wi-Fi APs" above)1
- A direct Ethernet feed such as out of a Fibre ONT...
- Run Firewalla in Router Mode.
- You may want to choose some Wi-Fi Access Points (see "Switches/Wi-Fi APs" above)1
- A combined router with Wi-Fi...
- You need a WAN connection (modem, Fibre connection, etc.)
- Run Firewalla in Router Mode.
- Put the router/Wi-Fi box into Access Point Mode (also known as Bridge Mode) and use the Wi-Fi (see "Switches/Wi-Fi APs" above)1
- A combined Modem + Router + Wi-Fi...
You can either:
- Use your existing box as a modem (Bridge Mode) which disables the router and Wi-Fi
- In this configuration you will need separate Wi-Fi APs (see "Switches/Wi-Fi APs" above)1
- Or, get a simple modem and reuse the integrated box for Wi-Fi-only Access Point Mode (also known as Bridge Mode).
- In this case, you would need separate Wi-Fi AP(s).
- Use your existing box as a modem (Bridge Mode) which disables the router and Wi-Fi
- A router that you can not replace. This happens mainly in small businesses. Here you can attach your Firewalla Gold or Purple to the existing router in Transparent Bridge Mode, then attach a switch or Wi-Fi access point behind your Firewalla.
Examples
Below are some of the most common examples of network setups from customer postings and help tickets. This list will grow over time, but for the most part, you should be able to identify scenarios that are similar to yours and help you if you get stuck.
If you have examples that are not mentioned here, please feel free to post them here: https://help.firewalla.com/hc/en-us/community/topics/115000362573-Installation-Configuration-and-Operation. We may add them to this guide in the future.
1. XFINITY modem (not Gateway)
Examples: Motorola MB8611, NETGEAR Nighthawk Multi-Gig Cable Modem with Voice CM2050V, MOTOROLA MG7540
XFINITY Modem → Gold (port 4) (Router Mode, WAN Port)
→ Gold (port 1) → AP/Wi-Fi/Mesh → wireless devices
→ Gold (port 2) → switch
→ desktop(s)
→ Security Alarm system
→ ...
→ Gold (port 3) →
OR
XFINITY Modem → Purple (Router Mode) → switch → AP/Wi-Fi/Mesh → wireless devices → wired device(s)
When you have a modem, setup is usually effortless!
2. XFINITY Gateways
Examples: XB3/XB6/XB7/XB8
For an overview of XFINITY Gateways and user guides, please take a look at this article.
XFINITY Gateway (bridge mode) → Gold (Router Mode) → AP/Wi-Fi/Mesh → wireless devices
→ wired devices
→ switch (optional) → wired devices
OR
Gateway (Bridge mode) → Purple (Router Mode) → switch → AP/Wi-Fi/Mesh
→ wired devices
Unlike a single-purpose modem, "Xfinity Gateways and xFi Gateways are all-in-one devices that deliver Internet and Voice connectivity, whole-home Wi-Fi coverage, network control, and speed for the ultimate connected experience." Before anything else, find out what equipment you have.
Please note that all ports are not equal on some XFINITY gateways. For example on the XB8, port 4 is a 2.5G port and ports 1-3 are 1G ports.
See information about XFINITY bridge mode.
3. Verizon/Fios
Examples: Verizon G3100 and G1100ONT → Firewalla Gold (Router Mode) (port 4)
→ Gold (port 1) → G3100 (from FWG LAN port). [Do NOT turn off DHCP]
→ MoCA → Verizon Set top boxes
→ Gold (port 2) → switch → devices
→ AP/Wi-Fi/Mesh (bridge mode)
In this scenario, the installation has a fiber connection and set-top boxes. Some customers used MoCa connections and got rid of the G3100 completely.
More on: Working Verizon FIOS setup with G3100 and Firewalla Gold.
If you need more information about setting your current router to AP mode, see this article: Using your existing router in bridge/AP mode.
For Purple, see https://help.firewalla.com/hc/en-us/articles/4405807840275-Configuring-Triple-Play-on-Firewalla-Purple for how to accomplish this with a managed switch and VLANs.
4. Router Replacement: eero
WAN → Gold (Router Mode) (port 4)
→ Gold (port 1) → eero Main Unit(bridge mode)
→ switch → eero child units (Ethernet backhaul)
→ Gold (port 2) → Ethernet switch → desktop
→ Sonos
→ IoT Bridge
→ NAS
→ ...
or
WAN → Purple (Router Mode [right side] (WAN port)
Purple (LAN port [left side]) → switch → eero Main Unit (bridge mode) → eero child units (Ethernet backhaul)
→ desktop
→ NAS
→ ...
Eero is one of the most popular routers used by our customers. Deploying/installing Firewalla is really simple. All you need to do is connect the eero to the Gold / Purple LAN port and then change it to bridge mode. If you are doing Ethernet backhaul, make sure you connect the eero children units to the eero LAN, not the Firewalla LAN.
See this discussion for more info about eero setup.
5. Router Replacement: ASUS
Examples: ASUS RT-AX92U, NETGEAR Nighthawk AX8WAN → Gold (Router Mode) (port 4)
→ Gold (port 1) → ASUS RT-AX92U (bridge mode) (continues to serve guest Wi-Fi)
→ Gold (port 2) → Ethernet switch → desktop
→ Sonos
→ IoT Bridge
→ NAS
→ ...
If you don't need VLANs you can substitute an unmanaged switch for a managed switch. Port 3 in this example shows how you can have a different network segment coming right off Firewalla Gold. Since there are only 3 ports this approach has limitations and 802.1Q VLANs allow more flexibility. See Building network segments for more on network segmentation.
Reference:
AT&T / IP Passthrough mode
| WAN → |
Router (passthrough mode, Wi-Fi disabled and Firewall Filters disabled) → |
Gold/Purple (Router Mode) → |
Devices |
|
Examples
|
Examples
|
Examples
|
Description
A special use case for routers that are commonly used by AT&T U-verse is where the router may provide the authentication for internet service or where there is a service like VOIP. If you want Wi-Fi devices protected by Firewalla, you need to add separate Wi-Fi APs in this case.
In this configuration, your router stays in place but forwards all traffic to Firewalla.
Pros
- Use a much better router than ISPs provide
- All Firewalla features are fully functional
- No need to replace the Gateway if you don't want to.
Cons
- Requires separate Wi-Fi APs
Examples
6. BGW210 or BGW320
BGW210 (passthrough mode) → Firewalla Gold (Router Mode) → switch → AP
→ Devices
If you have an ISP router such as the BGW210...
- Run BGW210 in Passthrough Mode.
- Run Firewalla in Router Mode.
- Add APs for Wi-Fi (see "Switches/Wi-Fi APs" above)1
At a high level, on the AT&T device:
- Disable all firewall and packet filters.
- Disable DHCP. Firewalla will be your DHCP server.
- Configure the mac address of the Firewalla with, "DHCP fixed" selected using your Firewalla WAN mac as shown below.
- Optionally, disable the Wi-Fi on the AT&T box. The only reason to leave it on is that is an easy way to login to the management console for the AT&T box. Devices connected to the AT&T Wi-Fi will not be protected by Firewalla.
Note that in this configuration Firewalla will get a private IP for itself from the AT&T box (e,g. 192.168.0.72) rather than the public IP. This is because this is "passthrough" not a bridge mode and is expected behavior.
References
- Configuring IP Passthrough with an AT&T BGW210-700 and a UDM Pro
- Video: How to configure the AT&T BG210 to enable IP Passthrough features in 5 minutues!
- Video: AT&T Router Passthrough Mode Setup Guide
7. Virgin
Examples: Super Hub 1, 2 or 2ac, Hub 3, or Hub 4Hub 3 (modem mode) → Gold/Purple series (Router Mode) (port 4)
→ Gold (port 1) → AP/Wi-Fi/Mesh (bridge mode)
→ Gold (port 2) → switch → devices
→ ...
In this scenario, you will configure the Hub as a stand-alone DOCSIS3 cable modem and get separate APs so that all Wi-Fi devices are protected by Firewalla. This also allows you to place your APs where they give you the best signal.
You can find more information from Virgin directly at https://www.virginmedia.com/help/virgin-media-hub-modem-mode#hub3orhub4
8. T-Mobile 5G Gateways
Examples: Nokia 5G21 / Arcadyan KVD21
Some 5G Gateways are very limited in how they can be configured. For example, there is no passthrough mode and DHCP can't be disabled. Therefore a double NAT configuration may be your best option.
5G Gateway (router mode with Wi-Fi disabled) → Gold/Purple series (router mode) → switch / Wi-Fi access points
→ Computers
→ ...
Notes:
- Disable all Wi-Fi on the Gateway. If you connect to the gateway you will bypass Firewalla and get unexpected and unintended results.
- Do not connect devices other than the Firewalla to the Gateway. If you connect to the gateway you will bypass Firewalla and get unexpected and unintended results.
- Make sure the IP range for the Gateway is different from your Firewalla.
- You will need Wi-Fi access points or a router in AP mode behind your Firewalla.
- Port Forwarding is challenging on this device because of CGNAT. See below.
References
If you can't figure out how to disable the Wi-Fi on your Gateway, check the manual or search Youtube for "Nater Tater" and the name of your gateway.
If you need help with setting up port forwarding, search for "nater tater 5G port forward".
Note, Firewalla can not provide support for modifying your Gateway. You can post to the youtube channel or to our community where other customers may be able to help you.
9. Charter
Charter modem → Purple → Netgear GS105Ev2 (managed switch) → Netgear Orbi (AP mode)
→ Computers
→ ...
With Purple, it is especially likely you will want some kind of switch because there is only one LAN Ethernet port.
10. CenturyLink
(fiber) → CenturyLink ONT → Gold/Purple (Router Mode) → Switch → Netgear Orbi (AP mode)
→ ...
CenturyLink requires a PPPoE connection, so have your credentials ready usually your century link email and password, and configure the WAN with the appropriate VLAN tag (Last we heard, they use 201). You will need an AP or a router in AP mode for your Wi-Fi.
11. Aruba WAPs
Examples: AP22
12. Access Point: TP-Link APs
WAN → Firewall Gold (Router Mode) → Switch → TPLink Archer C6 (AP mode) → Computer(s)
→ TPLink EAP-245 (with optional VLANs)
→ TPLink EAP-245 (with optional VLANs
→ XBOX
→ ...
13. Access Point: UniFi WAPs
WAN → Firewall Gold (Router Mode) → managed switch → Unifi AP(s)
→ Unifi Controller running in docker
→ ...
You can run the Unifi Controller in a docker container on Firewalla, a NAS, or a Raspberry Pi. No UDM, UDP Pro, or CloudKey is required. A managed switch is recommended so you can use network segmentation.
Triple Play mode
| WAN → |
Gold/Purple (Router Mode) → |
Switch/AP (optional) → | Devices |
|
Examples
|
You can set up VLANs on Gold and run IPTV and Phone through your switch if you need more ports. |
|
Description
Used when there is double/triple-play service (Voice, Internet, TV). For FWG you can use port-based or VLANs for the triple play. FWP requires VLANs.
- If you have an ISP router...
- Set your router aside. You don't need it. Better yet, return it and stop paying a rental fee.
- You may want a managed switch if you are short of ports
Pros
- Use a much better router than ISPs provide
- Don't rent a router from ISP.
- Enables all Double/Triple play features
Cons
- May require buying or renting an inexpensive modem if the ISP modem doesn't allow disabling DHCP.
- Some additional effort is required for the initial setup. Don't worry; you got this!
Modem (ISP) → Gold (Router Mode) (port 4)
→ Gold (port 3/VLAN 61) → IP TV
→ Gold (port 2/VLAN 62) → IP Phone
→ Gold (port 1/VLAN 60) → switch → AP/Wi-Fi/Mesh
→ computer
→ Devices
References
Typical Variations
Below are some setup variations that also work well with Firewalla, when to use them, and the pros/cons of each.
Bridge mode
Gold
| WAN → |
Router (Router Mode) → |
Gold/Purple (Bridge Mode) → |
Switch/AP → | Devices |
|
Examples
|
Examples
|
Examples
|
|
Purple
Note in this configuration of Purple the router goes to the LAN port and the WAN port goes to the switch or AP.
Description
Bridge Mode is typically used when you have an existing router that provides some essential features that you want to keep in place. For this configuration:
- Firewalla must be between your router and a switch or AP.
- APs must connect behind Firewalla. So a router with built-in Wi-Fi is not a great candidate. However, if you can and are willing to disable the Wi-Fi and add separate Wi-Fi behind Firewalla, that is fine.
For techies, Firewalla's Bridge Mode is a layer 2 firewall. Your existing router will remain your router. In Bridge Mode, blocking features, protection features, and Ad Block will work the same as in Router Mode. You can monitor all VLANs in this configuration as well.
If you have:
- A Router
- You will need a modem or WAN source
- Use your original router configure to router mode.
- Firewalla Gold/Purple in Bridge mode
- You could consider using a LAG connection to your switch for performance/redundancy
- A switch or separate APs
Pros
- Maintains the features of your existing router
- Firewalla provides IDS/IPS
- Minimal network rewiring
Cons
- Doesn't allow the use of all Firewalla features because Firewalla is not your router
- VPN Client (all features under the VPN Client button)
- Policy-Based Routing (all features under the route button)
- Smart Queue (all features under the Smart Queue button)
- Site-to-Site VPN (if another Firewalla box has established a site-to-site VPN connection to the Box (as server site) in Bridge Mode, you will need to add a static route on the server-side gateway, which routes the client networks via Firewalla's IP)
- Can be somewhat more complicated. Some things are managed in Firewalla, and some in the router.
- This configuration doesn't support Routers with built-in Wi-Fi
Example
14. Unifi UDM Pro
Modem (ISP) → UDM Pro (Router) → Firewalla Gold/Purple (Bridge Mode) → USW (switch) → Unifi AP(s)
→ Devices
→ ...
Multi-WAN
|
WAN1 → WAN2 → |
Gold (Router Mode) → | Devices |
|
Examples
|
Examples
|
Description
Unlike the rest of the examples, this example is about the WAN side of the network, not the LAN. Multi-WAN can be used with any of the other LAN configurations.
This is used when you want to use two different ISP connections for redundancy (failover mode) or increased bandwidth (load balancing). Firewalla Purple multi-WAN is limited to one Ethernet and one Wi-Fi connection. It doesn't matter what the WAN connections are: Fiber, LTE, DSL, or Fixed wireless.
If you have two WAN sources...
- Run Firewalla Gold in Router Mode and configure Multi-WAN.
- You may want to choose some Wi-Fi Access Points (see "Switches/Wi-Fi APs" above)1
- Firewalla Feature Guide: Multi-WAN
What is the best mesh for Router Mode?
We recommend Mesh units that can be in Access Point Mode. This way, the mesh will only be responsible for making Wi-Fi connections and passing on the routing part to the router (your Wi-Fi will likely be much more efficient). If you configure the mesh in Router Mode, it will still work with Firewalla; however, Firewalla will not be able to see or control all the devices under the mesh.
What is the best Access Point for Router Mode?
Any access point should work nicely with the Firewalla Router Mode. Some of the access points may require controller software, and some of them can be installed on the Gold/Purple see https://help.firewalla.com/hc/en-us/articles/360053441074-Guide-How-to-run-UniFi-Controller-on-the-Firewalla-Gold-or-Purple-
Comments
1 comment
An example of a Starlink with failover to cellular modem would be great!
Please sign in to leave a comment.