Firewalla Router Mode Configuration Guides




  • Avatar
    Stephanie Hudson

    An example of a Starlink with failover to cellular modem would be great!

    Comment actions Permalink
  • Avatar
    H F


    In this document,

    Firewalla Router Mode Configuration Guides

    under the heading: 

    What is the best Access Point for Router Mode?

    Any access point should work nicely with the Firewalla Router Mode. Some of the access points may require controller software, and some of them can be installed on the Gold/Purple see

    You say one can use the info linked to install "on the Gold/Purple"....

    But when one goes to that linked article, the article starts off with

    • This is for Firewalla Gold series boxes n Router Mode only.
    • Installing Unifi Controller on Firewalla Purple series boxes is not recommended due to memory restriction.

    SO the obvious question is:      Which is correct?

    Can the UniFi Controller be run on a Purple ?

    Can the UniFI Controller be run on a Purple SE ?

    Thank you for clarifying  the information and for correcting the 2 articles.


    Comment actions Permalink
  • Avatar
    Limbos Rebirth0c

    FYI - the last blurb about BGW320 passthrough mode is a bit misleading/incorrect.  

    In passthrough mode, the BGW320 will indeed assign (pass-through) the public ip address to Firewalla (and thus all the incoming traffic as well).  In fact, the BGW320 will retain it's own (separate) public IP address, in addition to the "primary" public IP assigned to Firewalla.

    However as the blurb correctly mentions, passthrough mode is definitely not a bidirectional bridge - more like a 1-way bridge.  Inbound traffic may hit (or be copied to) Firewalla directly, but Outbound traffic is still subject to a double-nat hop, through the BGW320's private IP address, and then out through the public IP.  

    This means it's really only necessary to configure BGW320 passthrough mode if direct inbound connectivity is desired to Firewalla (if you need to open/forward a port from the greater internet).  As a bonus, not configuring passthrough (and leaving the BGW320 settings at default) lets the BGW320 block all the unsolicited traffic, freeing up resources on Firewalla.  

    For my purposes (remote connectivity, not gaming) I use Tailscale (which does NAT Firewall hole punching) so Firewalla doesn't actually need to be reachable directly the public internet.  Further, since the outbound double-nat hop can't be avoided, there's really no benefit to be had (in my opinion - for better VPN performance) by enabling passthrough.  So I've just reset my BGW320 to default settings, kept Firewalla in router mode, and accepted the fact that my VPN performance might suffer (initial inbound connections will need to be coordinated by an external STUN/TURN server, and established connections may be "relayed" through that same server (as opposed to directly to my home network) if I'm connecting remotely from inside another NATted network).  Tailscale transparently handles all of this.  

    However, if I want to avoid the relay for established connections, I can just use my phone's hotspot.

    Perhaps Firewalla's VPN feature might benefit from passthrough - but I haven't tested it.  

    Comment actions Permalink

Please sign in to leave a comment.