Firewalla Router Mode Configuration Guides


Comments

5 comments

  • Stephanie Hudson

    An example of a Starlink with failover to cellular modem would be great!

    1
  • H F

    Hi,

    In this document,

    Firewalla Router Mode Configuration Guides

    under the heading: 

    What is the best Access Point for Router Mode?

    Any access point should work nicely with the Firewalla Router Mode. Some of the access points may require controller software, and some of them can be installed on the Gold/Purple see https://help.firewalla.com/hc/en-us/articles/360053441074-Guide-How-to-run-UniFi-Controller-on-the-Firewalla-Gold-or-Purple-

    You say one can use the info linked to install "on the Gold/Purple"....

    But when one goes to that linked article, the article starts off with

    • This is for Firewalla Gold series boxes in Router Mode only.
    • Installing UniFi Controller on Firewalla Purple series boxes is not recommended due to memory restriction.

    So the obvious question is: Which is correct?

    Can the UniFi Controller be run on a Purple ?

    Can the UniFi Controller be run on a Purple SE?

    Thank you for clarifying the information and for correcting the 2 articles.


    0
  • Limbos Rebirth0c

    FYI - the last blurb about BGW320 passthrough mode is a bit misleading/incorrect.

    In passthrough mode, the BGW320 will indeed assign (pass through) the public IP address to Firewalla (and thus all the incoming traffic as well). In fact, the BGW320 will retain its own (separate) public IP address, in addition to the "primary" public IP assigned to Firewalla.

    However, as the blurb correctly mentions, passthrough mode is definitely not a bidirectional bridge - more like a 1-way bridge. Inbound traffic may hit (or be copied to) Firewalla directly, but outbound traffic is still subject to a double-NAT hop, through the BGW320's private IP address, and then out through the public IP.

    This means it's really only necessary to configure BGW320 passthrough mode if direct inbound connectivity is desired to Firewalla (if you need to open/forward a port from the greater internet). As a bonus, not configuring passthrough (and leaving the BGW320 settings at default) lets the BGW320 block all the unsolicited traffic, freeing up resources on Firewalla.

    For my purposes (remote connectivity, not gaming) I use Tailscale (which does NAT firewall hole punching), so Firewalla doesn't actually need to be reachable directly from the public internet. Further, since the outbound double-NAT hop can't be avoided, there's really no benefit to be had (in my opinion - for better VPN performance) by enabling passthrough. So I've just reset my BGW320 to default settings, kept Firewalla in router mode, and accepted the fact that my VPN performance might suffer (initial inbound connections will need to be coordinated by an external STUN/TURN server, and established connections may be "relayed" through that same server (as opposed to directly to my home network) if I'm connecting remotely from inside another NATted network). Tailscale transparently handles all of this.

    However, if I want to avoid the relay for established connections, I can just use my phone's hotspot.

    Perhaps Firewalla's VPN feature might benefit from passthrough - but I haven't tested it.

    EDIT:
    I have been able to resolve the "double-NAT" (or double-outbound-hop) problem by setting FW to bridge mode, disabling BGW320 DHCP, and using a standalone DHCP server (Home Assistant add-on in my case) that hands out the BGW320's private IP address as the gateway.

    0
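The comment above distinguishes three WAN situations for a router sitting behind an ISP gateway: a truly public WAN address, a passthrough-style setup where the WAN address is public but outbound traffic still crosses the gateway's NAT, and plain double NAT where the WAN address is itself private. The following diagnostic is an added illustration, not code from Firewalla or from the commenter: it classifies a router's WAN address against the RFC 1918 and RFC 6598 (CGNAT) ranges, compares it with the address an outside observer sees, and counts the leading private hops of a traceroute-style path. All addresses are constructed samples from RFC 5737 documentation space; the label names ("direct", "asymmetric", "double_nat") are this example's own.

```python
import ipaddress

# Ranges that, when seen on a router's WAN interface, mean another NAT layer
# sits upstream: RFC 1918 private space plus RFC 6598 shared (CGNAT) space.
UPSTREAM_NAT_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),
]


def is_behind_upstream_nat(wan_ip: str) -> bool:
    """True if the WAN address is private or CGNAT, i.e. an upstream NAT exists."""
    addr = ipaddress.ip_address(wan_ip)
    return any(addr in net for net in UPSTREAM_NAT_RANGES)


def classify_wan(wan_ip: str, observed_public_ip: str) -> str:
    """Classify a router's WAN situation (labels are this example's own).

    wan_ip:             the address the router's WAN interface received.
    observed_public_ip: the source address an outside host reports for the
                        router's outbound traffic.

    "direct"     - WAN address is public and matches the outside view.
    "asymmetric" - WAN address is public but outbound traffic leaves from a
                   different public address: inbound can reach the router
                   directly, outbound still takes an extra upstream hop.
    "double_nat" - WAN address is private/CGNAT: both directions are
                   translated by the upstream gateway.
    """
    if is_behind_upstream_nat(wan_ip):
        return "double_nat"
    if ipaddress.ip_address(wan_ip) == ipaddress.ip_address(observed_public_ip):
        return "direct"
    return "asymmetric"


def count_private_hops(hops: list[str]) -> int:
    """Number of consecutive private/CGNAT hops at the start of a path.

    From a LAN client, hop 1 is normally the local router; every further
    private hop before the first public address is an additional NAT layer.
    Unanswered hops (None) end the count, since nothing can be inferred.
    """
    count = 0
    for hop in hops:
        if hop is None or not is_behind_upstream_nat(hop):
            break
        count += 1
    return count


if __name__ == "__main__":
    # Constructed sample: router WAN got a private lease, outside sees a public IP.
    print(classify_wan("192.168.1.64", "203.0.113.7"))   # double_nat
    # Constructed sample: public WAN address, but egress uses another public IP.
    print(classify_wan("203.0.113.7", "203.0.113.8"))    # asymmetric
    # Constructed traceroute: two private hops before the first public one.
    print(count_private_hops(["192.168.0.1", "192.168.1.254", "203.0.113.1"]))  # 2
```

To use this against a real setup, feed `classify_wan` the WAN address shown on the router and the address reported by any external "what is my IP" check; a `count_private_hops` result of 2 or more from a LAN client is the classic sign of the double-NAT hop the comment describes.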
  • MAJ. Jimmie Scott

    The breakdown and documentation is well done and thought out. Will help the average user plan out their system. User photos are good and interesting to view.


    I have a Gold in the home and office. Home has 61 devices attached, with no problems and good traffic flow. Office system has VOIP and CAD support environment. Both have handled overseas intrusions and IP attacks on each system. Blocking countries and selected IPs is a blessing. Tracking events is easy on the PDA and desktop. The addition of the mounting rack is a huge help with cable management and mounting.

    0
  • MAJ. Jimmie Scott

    ATT Fiber install BGW-320-500

    0
