Will Firewalla work on any home network?
Firewalla is a very flexible device that can operate in many different ways to adapt to your network fully. If you already have some network equipment, you may want to find a network topology that helps you integrate Firewalla where you can. In some cases, Firewalla may replace or obviate some of your equipment. In other cases, you may need something extra to complete your new network.
- In Simple Mode
or DHCP Mode
- In Router or Bridge Mode, Firewalla is your network's main router. These two modes are unique to the Gold and Purple.
To learn more about the different modes, see: How Does Firewalla Intercept Traffic? Which Firewalla Mode Should I Use?
What is the best mode for the Gold and Purple?
Router Mode. When in Router Mode, the Firewalla Gold and Purple will be able to run all features, including things like Smart Queue and Policy-Based Routing. Firewalla Gold and Purple are full routers with robust firewall and network performance reporting.
There are no compatibility issues when your Gold or Purple runs in either router or bridge mode. What you need to watch out for is whether you have an AP, wireless mesh, or non-ISP router that can run in AP/Bridge mode. Keep reading to learn more.
For the most basic network, you only need the following functional parts:
- One WAN connection converted to Ethernet (e.g., DSL or Cable modem, Fiber ONT, etc.)
- One Router
- A Wi-Fi access point or a network switch
Recommended configurations
Router Mode
|
WAN → |
Firewalla → (In Router Mode) |
Switches/Wi-Fi APs (In Access Point or Bridge Mode) |
|
Examples
|
Gold or Purple only |
Examples
|
Pros of running Firewalla Gold or Purple in Router Mode
- Enables all Firewalla features.
- Since the Purple and Gold have extremely powerful CPUs, your Wi-Fi and LAN will likely be a bit faster by offloading routing and filtering to these devices.
- Allows you to easily replace components with new and better technology such as Wi-Fi 6 (802.11ax) without tossing otherwise good equipment as you might in an integrated modem/router/Wi-Fi box.
- Using separate network "components" may get advanced features like VLAN and WLAN network segments often unavailable in inexpensive combo units.
- Allows you to switch internet providers without redesigning your network. Moving from DSL to Fiber? Remove your modem and connect Firewalla to your Fiber ONT. Done in a flash.
If you have:
- A Modem...
- Run Firewalla in Router Mode.
- You may want to choose some Wi-Fi Access Points (see "Switches/Wi-Fi APs" above)1
- A direct Ethernet feed such as out of a Fibre ONT...
- Run Firewalla in Router Mode.
- You may want to choose some Wi-Fi Access Points (see "Switches/Wi-Fi APs" above)1
- A combined router with Wi-Fi...
- You need a WAN connection (modem, Fibre connection, etc.)
- Run Firewalla in Router Mode.
- Put the router/Wi-Fi box into Access Point Mode (also known as Bridge Mode) and use the Wi-Fi (see "Switches/Wi-Fi APs" above)1
- A combined Modem + Router + Wi-Fi...
You can either:
- Use your existing box as a modem (Bridge Mode) which disables the router and Wi-Fi
- In this configuration you will need separate Wi-Fi APs (see "Switches/Wi-Fi APs" above)1
- Or, get a simple modem and reuse the integrated box for Wi-Fi-only Access Point Mode (also known as Bridge Mode).
- In this case, you would need separate Wi-Fi AP(s).
- Use your existing box as a modem (Bridge Mode) which disables the router and Wi-Fi
- A router that you can not replace. This happens mainly in small businesses. Here you can attach your Firewalla Gold or Purple to the existing router in Transparent Bridge Mode, then attach a switch or Wi-Fi access point behind your Firewalla.
Examples
Below are some of the most common examples of network setups from customer postings and help tickets. This list will grow over time, but for the most part, you should be able to identify scenarios that are similar to yours and help you if you get stuck.
-
Router Mode:
- XFINITY - not a Gateway
- XFINITY - Gateways
- Verizon/Fios - Gateway/Router that won't let you Bridge
- EERO
- Router Replacement: ASUS/Netgear
- AT&T / IP Passthrough mode
- BGW210/BGW320 - IP Passthrough
- Virgin Super Hub
- T-Mobile Gateways
- Charter
- CenturyLink
- Aruba WAPs
- TP-Link APs
- UniFi WAPs
- UniFi Routers with Integrated Wi-Fi
- Triple Play Mode
- Bridge Mode
- Multi-WAN
If you have examples that are not mentioned here, please feel free to post them here: https://help.firewalla.com/hc/en-us/community/topics/115000362573-Installation-Configuration-and-Operation. We may add them to this guide in the future.
1. XFINITY modem (not Gateway)
Examples: Motorola MB8611, NETGEAR Nighthawk Multi-Gig Cable Modem with Voice CM2050V, MOTOROLA MG7540
XFINITY Modem → Gold (port 4) (Router Mode, WAN Port)
→ Gold (port 1) → AP/Wi-Fi/Mesh → wireless devices
→ Gold (port 2) → switch
→ desktop(s)
→ Security Alarm system
→ ...
→ Gold (port 3) →
OR
XFINITY Modem → Purple (Router Mode) → switch → AP/Wi-Fi/Mesh → wireless devices → wired device(s)
When you have a modem, setup is usually effortless!
2. XFINITY Gateways
Examples: XB3/XB6/XB7/XB8
For an overview of XFINITY Gateways and user guides, please take a look at this article.
XFINITY Gateway (bridge mode) → Gold (Router Mode) → AP/Wi-Fi/Mesh → wireless devices
→ wired devices
→ switch (optional) → wired devices
OR
Gateway (Bridge mode) → Purple (Router Mode) → switch → AP/Wi-Fi/Mesh
→ wired devices
Unlike a single-purpose modem, "Xfinity Gateways and xFi Gateways are all-in-one devices that deliver Internet and Voice connectivity, whole-home Wi-Fi coverage, network control, and speed for the ultimate connected experience." Before anything else, find out what equipment you have.
Please note that all ports are not equal on some XFINITY gateways. For example on the XB8, port 4 is a 2.5G port and ports 1-3 are 1G ports.
See information about XFINITY bridge mode.
3. Verizon/Fios
Examples: Verizon G3100 and G1100ONT → Firewalla Gold (Router Mode) (port 4)
→ Gold (port 1) → G3100 (from FWG LAN port). [Do NOT turn off DHCP]
→ MoCA → Verizon Set top boxes
→ Gold (port 2) → switch → devices
→ AP/Wi-Fi/Mesh (bridge mode)
In this scenario, the installation has a fiber connection and set-top boxes. Some customers used MoCa connections and got rid of the G3100 completely.
More on: Working Verizon FIOS setup with G3100 and Firewalla Gold.
If you need more information about setting your current router to AP mode, see this article: Using your existing router in bridge/AP mode.
For Purple, see https://help.firewalla.com/hc/en-us/articles/4405807840275-Configuring-Triple-Play-on-Firewalla-Purple for how to accomplish this with a managed switch and VLANs.
Example: CR1000A as an Access point or AP
If you have a CR1000A and want to use it for Wi-Fi instead of as a router, use the following steps. We'll use FWG
ONT → Firewalla Gold(Router Mode) (port 4)
→ Firewalla Gold (LAN port) → CR1000A (LAN port) (se below)
Note your ONT may look something like this.
- Connect the Firewalla port 4 to the ISP Ethernet. If there is an ONT or modem, reboot them first and then enable Firewalla in Router mode. Don't connect anything else yet. Note the IP range of the LAN you create. You will need this in a few steps down.
- Once you have Firewalla paired to your app, connect a device over ethernet to Firewalla port 1, 2, or 3. Using this connection, test your internet.
- Next configure the CR1000A as an Access point. Connect a device over ethernet to a CR1000A LAN port and configure as follows to disable DHCP and NAT for the CR1000A making it a Wifi.
- Login to the default IP address of the CR1000A, http://192.168.1.1
- Go to Advanced > Network Settings > Network Connections > Network Home/office > Settings
- Temporarily put the CR1000A in the same IP range as the Firewalla LAN you created previously and apply changes.
- You may need to relogin to the CR1000A as the IP address has changed from the default you connected to. Change the address accordingly and log back in.
- Connect an open LAN port on the CR1000A to an open port on Firewalla and reboot the CR1000A.
- Login to the default IP address of your CR1000A using the IP you set previously.
-
Go to Advanced > Network Settings > Network Connections > Network Home/office > Settings
-
- Disable DHCP Server.
- Disable Broadband Ethernet Connection so that you can use that port as part of your LAN instead of as a WAN connection. Apply changes.
-
- Reboot the CR1000A again.
- When the CR1000A is ready, you should see it as a devic on Firewalla. You may want to do an IP reservation for the CR1000A on Firewalla at this point and reboot the CR1000A again.
- When the CR1000A is back up, you can test your wifi and the ethernet ports on the CR1000A.
- https://youtu.be/Vf1sTkxxjLs?si=L4kIEwEKc5QCI9sH
-
https://www.verizon.com/supportresources/content/dam/verizon/support/consumer/documents/internet/verizon-router-guide.pdf
4. Router Replacement: eero
WAN → Gold (Router Mode) (port 4)
→ Gold (port 1) → eero Main Unit(bridge mode)
→ switch → eero child units (Ethernet backhaul)
→ Gold (port 2) → Ethernet switch → desktop
→ Sonos
→ IoT Bridge
→ NAS
→ ...or
WAN → Purple (Router Mode [right side] (WAN port)
Purple (LAN port [left side]) → switch → eero Main Unit (bridge mode) → eero child units (Ethernet backhaul)
→ desktop
→ NAS
→ ...Eero is one of the most popular routers used by our customers. Deploying/installing Firewalla is really simple. All you need to do is connect the eero to the Gold / Purple LAN port and then change it to bridge mode. If you are doing Ethernet backhaul, make sure you connect the eero children units to the eero LAN, not the Firewalla LAN.
See Using your existing router in bridge/AP mode (Gold/Purple) for more info about eero setup.
5. Router Replacement: ASUS/Netgear
Examples: ASUS RT-AX92U, NETGEAR Nighthawk AX8 or any router that has an Access Point mode (sometimes called, "bridge mode")WAN → Gold (Router Mode) (port 4)
→ Gold (port 1) → ASUS RT-AX92U (bridge mode) (continues to serve guest Wi-Fi)
→ Gold (port 2) → Ethernet switch → desktop
→ Sonos
→ IoT Bridge
→ NAS
→ ...If you don't need VLANs you can substitute an unmanaged switch for a managed switch. Port 3 in this example shows how you can have a different network segment coming right off Firewalla Gold. Since there are only 3 ports this approach has limitations and 802.1Q VLANs allow more flexibility. See Building network segments for more on network segmentation.
Reference:
AT&T / IP Passthrough mode
| WAN → |
Router (passthrough mode, Wi-Fi disabled and Firewall Filters disabled) → |
Gold/Purple (Router Mode) → |
Devices |
|
Examples
|
Examples
|
Examples
|
Description
A special use case for routers that are commonly used by AT&T U-verse is where the router may provide the authentication for internet service or where there is a service like VOIP. If you want Wi-Fi devices protected by Firewalla, you need to add separate Wi-Fi APs in this case.
In this configuration, your router stays in place but forwards all traffic to Firewalla.
Pros
- Use a much better router than ISPs provide
- All Firewalla features are fully functional
- No need to replace the Gateway if you don't want to.
Cons
- Requires separate Wi-Fi APs
Examples
6. BGW210, BGW320
The same steps work for any of these devices. We will use BGW210 but the steps are more or less the same for these units.
BGW210 (passthrough mode) → Firewalla Gold (Router Mode) → switch → AP
→ Devices
If you have an ISP router such as the BGW210...
- Run BGW210 in Passthrough Mode.
- Run Firewalla in Router Mode.
- Add APs for Wi-Fi (see "Switches/Wi-Fi APs" above)1
On the AT&T device:
- Disable all the Advanced Firewall settings.
- Disable the packet filters.
- Enable IP passthrough.
- Cascaded Router: Off
- You can leave DHCP on for the LAN.
- Reboot everything.
- Optionally, disable the Wi-Fi on the AT&T box. The only reason to leave it on is that is an easy way to login to the management console for the AT&T box. Devices connected to the AT&T Wi-Fi will not be protected by Firewalla. If you leave the wifi on you may want to leave DHCP active as well but choose a non-conflicting IP range than you use on Firewalla networks. The only reason to leave Wi-Fi active is to make it easy to login to the BGW box if needed for administration.
Your configuration may look slightly different, but the passthrough fixed mac address must be the Firewalla WAN mac address.
Note that in this configuration Firewalla will get a private IP for itself from the AT&T box (e.g. 192.168.0.72) rather than the public IP. This is because this is "passthrough" not a bridge mode and is expected behavior.
References
- Configuring IP Passthrough with an AT&T BGW210-700 and a UDM Pro
- Video: How to configure the AT&T BG210 to enable IP Passthrough features in 5 minutues!
- Video: AT&T Router Passthrough Mode Setup Guide
7. Virgin
Examples: Super Hub 1, 2 or 2ac, Hub 3, or Hub 4Hub 3 (modem mode) → Gold/Purple series (Router Mode) (port 4)
→ Gold (port 1) → AP/Wi-Fi/Mesh (bridge mode)
→ Gold (port 2) → switch → devices
→ ...
In this scenario, you will configure the Hub as a stand-alone DOCSIS cable modem and get separate APs so that all Wi-Fi devices are protected by Firewalla. This also allows you to place your APs where they give you the best signal.
You can find more information from Virgin directly at https://www.virginmedia.com/help/virgin-media-hub-modem-mode#hub3orhub4
8. T-Mobile 5G Gateways
Examples: Nokia 5G21 / Arcadyan KVD21
Some 5G Gateways are very limited in how they can be configured. For example, there is no passthrough mode and DHCP can't be disabled. Therefore a double NAT configuration may be your best option.
5G Gateway (router mode with Wi-Fi disabled) → Gold/Purple series (router mode) → switch / Wi-Fi access points
→ Computers
→ ...
Notes:
- Disable all Wi-Fi on the Gateway. If you connect to the gateway you will bypass Firewalla and get unexpected and unintended results.
- Do not connect devices other than the Firewalla to the Gateway. If you connect to the gateway you will bypass Firewalla and get unexpected and unintended results.
- Make sure the IP range for the Gateway is different from your Firewalla.
- You will need Wi-Fi access points or a router in AP mode behind your Firewalla.
- Port Forwarding is challenging on this device because of CGNAT. See below.
References
If you can't figure out how to disable the Wi-Fi on your Gateway, check the manual or search Youtube for "Nater Tater" and the name of your gateway. e.g. "How To Add A Router To T-Mobile Home Internet 5G Gateways - Tips and Tricks"
If you need help with setting up port forwarding, search for "nater tater 5G port forward".
Note, Firewalla can not provide support for modifying your Gateway. You can post to the youtube channel or to our community where other customers may be able to help you.
9. Charter
Charter modem → Purple → Netgear GS105Ev2 (managed switch) → Netgear Orbi (AP mode)
→ Computers
→ ...
With Purple, it is especially likely you will want some kind of switch because there is only one LAN Ethernet port.
10. CenturyLink
(fiber) → CenturyLink ONT → Gold/Purple (Router Mode) → Switch → Netgear Orbi (AP mode)
→ ...
CenturyLink usually requires a PPPoE connection, so have your credentials ready usually your CenturyLink email and password, and configure the WAN with the appropriate VLAN tag (Last we heard, they use 201). You will need an AP or a router in AP mode for your Wi-Fi.
References
11. Aruba WAPs
Examples: AP22
12. Access Point: TP-Link APs
WAN → Firewall Gold (Router Mode) → Switch → TPLink Archer C6 (AP mode) → Computer(s)
→ TPLink EAP-245 (with optional VLANs)
→ TPLink EAP-245 (with optional VLANs
→ XBOX
→ ...
13. Access Point: UniFi WAPs
WAN → Firewall Gold (Router Mode) → managed switch → Unifi AP(s)
→ Unifi Controller running in docker
→ ...
You can run the Unifi Controller in a docker container on Firewalla, a NAS, or a Raspberry Pi. No UDM, UDP Pro, or CloudKey is required. A managed switch is recommended so you can use network segmentation.
Triple Play mode
| WAN → |
Gold/Purple (Router Mode) → |
Switch/AP (optional) → | Devices |
|
Examples
|
You can set up VLANs on Gold and run IPTV and Phone through your switch if you need more ports. |
|
Description
Used when there is double/triple-play service (Voice, Internet, TV). For FWG you can use port-based or VLANs for the triple play. FWP requires VLANs.
- If you have an ISP router...
- Set your router aside. You don't need it. Better yet, return it and stop paying a rental fee.
- You may want a managed switch if you are short of ports
Pros
- Use a much better router than ISPs provide
- Don't rent a router from ISP.
- Enables all Double/Triple play features
Cons
- May require buying or renting an inexpensive modem if the ISP modem doesn't allow disabling DHCP.
- Some additional effort is required for the initial setup. Don't worry; you got this!
Modem (ISP) → Gold (Router Mode) (port 4)
→ Gold (port 3/VLAN 61) → IP TV
→ Gold (port 2/VLAN 62) → IP Phone
→ Gold (port 1/VLAN 60) → switch → AP/Wi-Fi/Mesh
→ computer
→ Devices
References
14. UniFi integrated Routers
Some customers have a UniFi routers with integrated Wi-Fi that they want to use with Firewalla such as Dream Router or Dream Wall.
Note, unlike UDMP which allows Firewalla to be used in Bridge mode, Unifi routers with integrated Wi-Fi does not lend itself to using Firewalla in Bridge mode.
This is because is a router/wifi/controller, but lacks an AP or bridge mode, this solution is similar to the solutions described here:
The only difference is that UDM allows you to disable DHCP. So, rather than the steps required on Google Wifi to configure the Google router to give the Google sattelites IP addresses, just configure UDM using the steps described in the articles above and disable DHCP on the UDM. The UniFi APs will get IPs from Firewalla.
Typical Variations
Below are some setup variations that also work well with Firewalla, when to use them, and the pros/cons of each.
Bridge mode
Gold
| WAN → |
Router (Router Mode) → |
Gold/Purple (Bridge Mode) → |
Switch/AP → | Devices |
|
Examples
|
Examples
|
Examples
|
|
Purple
Note in this configuration of Purple the router goes to the LAN port and the WAN port goes to the switch or AP.
Description
Bridge Mode is typically used when you have an existing router that provides some essential features that you want to keep in place. For this configuration:
- Firewalla must be between your router and a switch or AP.
- APs must connect behind Firewalla. So a router with built-in Wi-Fi is not a great candidate. However, if you can and are willing to disable the Wi-Fi and add separate Wi-Fi behind Firewalla, that is fine.
For techies, Firewalla's Bridge Mode is a layer 2 firewall. Your existing router will remain your router. In Bridge Mode, blocking features, protection features, and Ad Block will work the same as in Router Mode. You can monitor all VLANs in this configuration as well.
If you have:
- A Router
- You will need a modem or WAN source
- Use your original router configure to router mode.
- Firewalla Gold/Purple in Bridge mode
- You could consider using a LAG connection to your switch for performance/redundancy
- A switch or separate APs
Pros
- Maintains the features of your existing router
- Firewalla provides IDS/IPS
- Minimal network rewiring
Cons
- Doesn't allow the use of all Firewalla features because Firewalla is not your router
- VPN Client (all features under the VPN Client button)
- Policy-Based Routing (all features under the route button)
- Smart Queue (all features under the Smart Queue button)
- Site-to-Site VPN (if another Firewalla box has established a site-to-site VPN connection to the Box (as server site) in Bridge Mode, you will need to add a static route on the server-side gateway, which routes the client networks via Firewalla's IP)
- Can be somewhat more complicated. Some things are managed in Firewalla, and some in the router.
- This configuration doesn't support Routers with built-in Wi-Fi
Example
14. Unifi UDM Pro models
If you have Dream Machine Pro Max, Dream Machine Pro, Dream Machine Special Edition, you can use it with Firewalla as follows:
Modem (ISP) → UDM (Router) → Firewalla Gold/Purple (Bridge Mode) → USW (switch) → Unifi AP(s)
→ Devices
→ ...
Multi-WAN
|
WAN1 → WAN2 → |
Gold (Router Mode) → | Devices |
|
Examples
|
Examples
|
Description
Unlike the rest of the examples, this example is about the WAN side of the network, not the LAN. Multi-WAN can be used with any of the other LAN configurations.
This is used when you want to use two different ISP connections for redundancy (failover mode) or increased bandwidth (load balancing). Firewalla Purple multi-WAN is limited to one Ethernet and one Wi-Fi connection. It doesn't matter what the WAN connections are: Fiber, LTE, DSL, or Fixed wireless.
If you have two WAN sources...
- Run Firewalla Gold in Router Mode and configure Multi-WAN.
- You may want to choose some Wi-Fi Access Points (see "Switches/Wi-Fi APs" above)1
- Firewalla Feature Guide: Multi-WAN
What is the best mesh for Router Mode?
We recommend Mesh units that can be in Access Point Mode. This way, the mesh will only be responsible for making Wi-Fi connections and passing on the routing part to the router (your Wi-Fi will likely be much more efficient). If you configure the mesh in Router Mode, it will still work with Firewalla; however, Firewalla will not be able to see or control all the devices under the mesh.
What is the best Access Point for Router Mode?
Any access point should work nicely with the Firewalla Router Mode. Some of the access points may require controller software and some of them can be installed on the Gold series see this article.
Note you can use Unifi switches and APs with Purple or Gold series boxes. If you have a Firewalla Purple box, just run the controller somewhere else. This can be a computer, Raspberry Pi, NAS, etc.
Comments
5 comments
An example of a Starlink with failover to cellular modem would be great!
Hi,
In this document,
Firewalla Router Mode Configuration Guides
under the heading:
What is the best Access Point for Router Mode?
Any access point should work nicely with the Firewalla Router Mode. Some of the access points may require controller software, and some of them can be installed on the Gold/Purple see https://help.firewalla.com/hc/en-us/articles/360053441074-Guide-How-to-run-UniFi-Controller-on-the-Firewalla-Gold-or-Purple-
You say one can use the info linked to install "on the Gold/Purple"....
But when one goes to that linked article, the article starts off with
SO the obvious question is: Which is correct?
Can the UniFi Controller be run on a Purple ?
Can the UniFI Controller be run on a Purple SE ?
Thank you for clarifying the information and for correcting the 2 articles.
FYI - the last blurb about BGW320 passthrough mode is a bit misleading/incorrect.
In passthrough mode, the BGW320 will indeed assign (pass-through) the public ip address to Firewalla (and thus all the incoming traffic as well). In fact, the BGW320 will retain it's own (separate) public IP address, in addition to the "primary" public IP assigned to Firewalla.
However as the blurb correctly mentions, passthrough mode is definitely not a bidirectional bridge - more like a 1-way bridge. Inbound traffic may hit (or be copied to) Firewalla directly, but Outbound traffic is still subject to a double-nat hop, through the BGW320's private IP address, and then out through the public IP.
This means it's really only necessary to configure BGW320 passthrough mode if direct inbound connectivity is desired to Firewalla (if you need to open/forward a port from the greater internet). As a bonus, not configuring passthrough (and leaving the BGW320 settings at default) lets the BGW320 block all the unsolicited traffic, freeing up resources on Firewalla.
For my purposes (remote connectivity, not gaming) I use Tailscale (which does NAT Firewall hole punching) so Firewalla doesn't actually need to be reachable directly the public internet. Further, since the outbound double-nat hop can't be avoided, there's really no benefit to be had (in my opinion - for better VPN performance) by enabling passthrough. So I've just reset my BGW320 to default settings, kept Firewalla in router mode, and accepted the fact that my VPN performance might suffer (initial inbound connections will need to be coordinated by an external STUN/TURN server, and established connections may be "relayed" through that same server (as opposed to directly to my home network) if I'm connecting remotely from inside another NATted network). Tailscale transparently handles all of this.
However, if I want to avoid the relay for established connections, I can just use my phone's hotspot.
Perhaps Firewalla's VPN feature might benefit from passthrough - but I haven't tested it.
EDIT:
I have been able to resolve the "double-nat" (or double-outbound-hop) problem by setting FW to bridge mode, disabling BGW320 DHCP, and using a standalone DHCP server (Home assistant add-on in my case) that hands out the BGW320's private IP address as the gateway.
The brake down and Documation is well done and thought out. Will help the average user plan out their system. User photos are good and interesting to view.
I have a Gold in the home and office. Home has 61 devices attached, with no problems and good traffic flow. Office system has VOIP and CAD support environment. Both have handled overseas intrusions and IP attacks on each system. Blocking countries and selected IP is a blessing. Tracking events is easy on the PDA and desktop. The addition of the mounting rack is a huge help with cable management and mounting.
ATT Fiber install BGW-320-500
Please sign in to leave a comment.