Products Firewalla Gold Firewalla Gold Plus Firewalla Purple Firewalla Purple SE Firewalla Blue Plus Firewalla Wi-Fi SD Product Comparison Product Reviews

Articles in this section

See more

Firewalla Router Mode Configuration Guides

Avatar
Client Support
  • Updated
Follow

Will Firewalla work on any home network?

Firewalla is a very flexible device that can operate in many different ways to adapt to your network fully. If you already have some network equipment, you may want to find a network topology that helps you integrate Firewalla where you can. In some cases, Firewalla may replace or obviate some of your equipment. In other cases, you may need something extra to complete your new network.

  • In Simple or DHCP Modes, Firewalla can augment your existing network with a simple plug-and-play installation that requires very little change to your existing network.
  • In Router or Bridge Mode, Firewalla is your network's main router. These two modes are unique to the Gold and Purple.

To learn more about the different modes, see: How Does Firewalla Intercept Traffic? Which Firewalla Mode Should I Use?

 

What is the best mode for the Gold and Purple?

Router Mode. When in Router Mode, the Firewalla Gold and Purple will be able to run all features, including things like Smart Queue and Policy-Based Routing. Firewalla Gold and Purple are full routers with robust firewall and network performance reporting.

 

There are no compatibility issues when your Gold or Purple runs in either router or bridge mode. What you need to watch out for is whether you have an AP, wireless mesh, or non-ISP router that can run in AP/Bridge mode. Keep reading to learn more.

 

For the most basic network, you only need the following functional parts:

Basic Network Diagram featuring Internet, Router, and WiFi APs

  1. One WAN connection converted to Ethernet (e.g., DSL or Cable modem, Fiber ONT, etc.)
  2. One Router 
  3. A Wi-Fi access point or a network switch 
    •  

Recommended configurations

Router Mode 

Firewalla Gold diagram featuring Internet, Gold/Purple in Router Mode, and Switch/WiFi Aps

WAN →
(In Bridge Mode, if an option)

 Firewalla →
(In Router Mode) 		 Switches/Wi-Fi APs
(In Access Point or Bridge Mode)

Examples

  • Cable Modem
  • DSL Modem
  • Fiber cable ONT/Fiber
  • Direct Ethernet
Gold or Purple only

Examples

  • Access Points
    • Mesh (Amplifi Alien, eero, Google Wi-Fi, Orbi, TP-Link, etc.)
    • Unifi
    • Aruba
  • Managed or Unmanaged Switches

 

Pros of running Firewalla Gold or Purple in Router Mode

  • Enables all Firewalla features.
  • Since the Purple and Gold have extremely powerful CPUs, your Wi-Fi and LAN will likely be a bit faster by offloading routing and filtering to these devices.
  • Allows you to easily replace components with new and better technology such as Wi-Fi 6 (802.11ax) without tossing otherwise good equipment as you might in an integrated modem/router/Wi-Fi box.
  • Using separate network "components" may get advanced features like VLAN and WLAN network segments often unavailable in inexpensive combo units.
  • Allows you to switch internet providers without redesigning your network. Moving from DSL to Fiber? Remove your modem and connect Firewalla to your Fiber ONT. Done in a flash.

 

If you have:

  • A Modem...
    1. Run Firewalla in Router Mode.
    2. You may want to choose some Wi-Fi Access Points (see "Switches/Wi-Fi APs" above)1
  • A direct Ethernet feed such as out of a Fibre ONT...
    1. Run Firewalla in Router Mode.
    2. You may want to choose some Wi-Fi Access Points (see "Switches/Wi-Fi APs" above)1
  • A combined router with Wi-Fi...
    1. You need a WAN connection (modem, Fibre connection, etc.)
    2. Run Firewalla in Router Mode.
    3. Put the router/Wi-Fi box into Access Point Mode (also known as Bridge Mode) and use the Wi-Fi (see "Switches/Wi-Fi APs" above)1
  • A combined Modem + Router + Wi-Fi...
    You can either:
    • Use your existing box as a modem (Bridge Mode) which disables the router and Wi-Fi 
      • In this configuration you will need separate Wi-Fi APs (see "Switches/Wi-Fi APs" above)1
    • Or, get a simple modem and reuse the integrated box for Wi-Fi-only Access Point Mode (also known as Bridge Mode).
      • In this case, you would need separate Wi-Fi AP(s).
  • A router that you can not replace. This happens mainly in small businesses. Here you can attach your Firewalla Gold or Purple to the existing router in Transparent Bridge Mode, then attach a switch or Wi-Fi access point behind your Firewalla.

 

Examples

Below are some of the most common examples of network setups from customer postings and help tickets. This list will grow over time, but for the most part, you should be able to identify scenarios that are similar to yours and help you if you get stuck.

If you have examples that are not mentioned here, please feel free to post them here: https://help.firewalla.com/hc/en-us/community/topics/115000362573-Installation-Configuration-and-Operation. We may add them to this guide in the future.

 

1. XFINITY modem (not Gateway)

Examples: Motorola MB8611, NETGEAR Nighthawk Multi-Gig Cable Modem with Voice CM2050V, MOTOROLA MG7540

XFINITY Modem → Gold (port 4) (Router Mode, WAN Port)
                         → Gold (port 1) → AP/Wi-Fi/Mesh → wireless devices
                         → Gold (port 2) → switch 
                              → desktop(s) 
                              → Security Alarm system
                              → ...
                         → Gold (port 3) →

       OR

XFINITY Modem → Purple (Router Mode) →  switch  → AP/Wi-Fi/Mesh → wireless devices
                                                → wired device(s)

When you have a modem, setup is usually effortless!

 

2. XFINITY Gateways 

Examples: XB3/XB6/XB7/XB8

 

For an overview of XFINITY Gateways and user guides, please take a look at this article.

 

XFINITY Gateway (bridge mode) → Gold (Router Mode) → AP/Wi-Fi/Mesh → wireless devices 
                                                   → wired devices  
                                                   → switch (optional) → wired devices

          OR

Gateway (Bridge mode) → Purple (Router Mode) → switch → AP/Wi-Fi/Mesh 
                                             → wired devices

Firewalla Purple alongside Xfinity Gateway and Orbi Router

 

Unlike a single-purpose modem, "Xfinity Gateways and xFi Gateways are all-in-one devices that deliver Internet and Voice connectivity, whole-home Wi-Fi coverage, network control, and speed for the ultimate connected experience." Before anything else, find out what equipment you have.

 

Please note that all ports are not equal on some XFINITY gateways. For example on the XB8, port 4 is a 2.5G port and ports 1-3 are 1G ports. 

 

See information about XFINITY bridge mode.

 

3. Verizon/Fios

Examples: Verizon G3100 and G1100
ONT → Firewalla Gold (Router Mode) (port 4)
                  → Gold (port 1) → G3100 (from FWG LAN port). [Do NOT turn off DHCP]
                                  → MoCA → Verizon Set top boxes
                  → Gold (port 2) → switch → devices
                                           → AP/Wi-Fi/Mesh (bridge mode)

In this scenario, the installation has a fiber connection and set-top boxes. Some customers used MoCa connections and got rid of the G3100 completely.

More on: Working Verizon FIOS setup with G3100 and Firewalla Gold.

If you need more information about setting your current router to AP mode, see this article: Using your existing router in bridge/AP mode. 

 

For Purple, see https://help.firewalla.com/hc/en-us/articles/4405807840275-Configuring-Triple-Play-on-Firewalla-Purple for how to accomplish this with a managed switch and VLANs. 

 

4. Router Replacement: eero

WAN → Gold (Router Mode) (port 4)
      → Gold (port 1) → eero Main Unit(bridge mode)  
                                 → switch → eero child units (Ethernet backhaul)          
      → Gold (port 2) → Ethernet switch → desktop  
                                        → Sonos  
                                        → IoT Bridge  
                                        → NAS 
                                        → ...

or 

WAN → Purple (Router Mode [right side] (WAN port)
Purple (LAN port [left side]) → switch → eero Main Unit (bridge mode) → eero child units (Ethernet backhaul)   
                                       → desktop  
                                       → NAS 
                                       → ...

Eero is one of the most popular routers used by our customers. Deploying/installing Firewalla is really simple. All you need to do is connect the eero to the Gold / Purple LAN port and then change it to bridge mode. If you are doing Ethernet backhaul, make sure you connect the eero children units to the eero LAN, not the Firewalla LAN.

See Using your existing router in bridge/AP mode (Gold/Purple) for more info about eero setup.

 

5. Router Replacement: ASUS

Examples:  ASUS RT-AX92U, NETGEAR Nighthawk AX8
WAN → Gold (Router Mode) (port 4)
      → Gold (port 1) → ASUS RT-AX92U (bridge mode) (continues to serve guest Wi-Fi)
      → Gold (port 2) → Ethernet switch → desktop  
                                        → Sonos  
                                        → IoT Bridge  
                                        → NAS 
                                        → ...

If you don't need VLANs you can substitute an unmanaged switch for a managed switch. Port 3 in this example shows how you can have a different network segment coming right off Firewalla Gold. Since there are only 3 ports this approach has limitations and 802.1Q VLANs allow more flexibility. See Building network segments for more on network segmentation.

Reference:

 

 

AT&T / IP Passthrough mode 

Firewalla Gold diagram featuring Internet, AT&T Router in passthrough mode, Gold/Purple in router mode, and Switch/WiFi APs

WAN →  Router
(passthrough mode,
Wi-Fi disabled and Firewall Filters disabled) 		Gold/Purple
(Router Mode)		 Devices 

Examples

  • DSL 
  • ONT/Fiber

Examples

  • AT&T BGW210 in passthrough mode
  

Examples

  • APs
  • Switches

 

Description

A special use case for routers that are commonly used by AT&T U-verse is where the router may provide the authentication for internet service or where there is a service like VOIP. If you want Wi-Fi devices protected by Firewalla, you need to add separate Wi-Fi APs in this case.

In this configuration, your router stays in place but forwards all traffic to Firewalla.

 

Pros

  • Use a much better router than ISPs provide
  • All Firewalla features are fully functional 
  • No need to replace the Gateway if you don't want to. 

Cons

  • Requires separate Wi-Fi APs

Examples

6. BGW210 or BGW320 

BGW210 (passthrough mode) → Firewalla Gold (Router Mode) → switch → AP
                                                                  → Devices

If you have an ISP router such as the BGW210...

  • Run BGW210 in Passthrough Mode.
  • Run Firewalla in Router Mode.
  • Add APs for Wi-Fi (see "Switches/Wi-Fi APs" above)1

At a high level, on the AT&T device:

  1. Disable all firewall and packet filters. 
  2. Disable DHCP. Firewalla will be your DHCP server. 
  3. Configure the mac address of the Firewalla with, "DHCP fixed" selected using your Firewalla WAN mac as shown below. 
  4. Optionally, disable the Wi-Fi on the AT&T box. The only reason to leave it on is that is an easy way to login to the management console for the AT&T box. Devices connected to the AT&T Wi-Fi will not be protected by Firewalla. 

AT&T Router settings displaying IP Passthrough settings and recommended configurations

 

Note that in this configuration Firewalla will get a private IP for itself from the AT&T box (e,g. 192.168.0.72) rather than the public IP. This is because this is "passthrough" not a bridge mode and is expected behavior. 

 

References

 

7. Virgin

Examples: Super Hub 1, 2 or 2ac, Hub 3, or Hub 4
 
Hub 3 (modem mode) → Gold/Purple series (Router Mode) (port 4)
                         → Gold (port 1) → AP/Wi-Fi/Mesh (bridge mode) 
                         → Gold (port 2) → switch → devices
                                   → ...

In this scenario, you will configure the Hub as a stand-alone DOCSIS3 cable modem and get separate APs so that all Wi-Fi devices are protected by Firewalla. This also allows you to place your APs where they give you the best signal.

You can find more information from Virgin directly at https://www.virginmedia.com/help/virgin-media-hub-modem-mode#hub3orhub4

 

8. T-Mobile 5G Gateways

Examples: Nokia 5G21 / Arcadyan KVD21

Some 5G Gateways are very limited in how they can be configured. For example, there is no passthrough mode and DHCP can't be disabled. Therefore a double NAT configuration may be your best option.

5G Gateway (router mode with Wi-Fi disabled) → Gold/Purple series (router mode) → switch / Wi-Fi access points
                                                           → Computers
                                                           → ...

Notes: 

  • Disable all Wi-Fi on the Gateway. If you connect to the gateway you will bypass Firewalla and get unexpected and unintended results.
  • Do not connect devices other than the Firewalla to the Gateway. If you connect to the gateway you will bypass Firewalla and get unexpected and unintended results.
  • Make sure the IP range for the Gateway is different from your Firewalla. 
  • You will need Wi-Fi access points or a router in AP mode behind your Firewalla. 
  • Port Forwarding is challenging on this device because of CGNAT. See below.

References

Community Post

If you can't figure out how to disable the Wi-Fi on your Gateway, check the manual or search Youtube for "Nater Tater" and the  name of your gateway. 

If you need help with setting up port forwarding, search for "nater tater 5G port forward".

Note, Firewalla can not provide support for modifying your Gateway. You can post to the youtube channel or to our community where other customers may be able to help you.

 

9. Charter

Charter modem → Purple → Netgear GS105Ev2 (managed switch) → Netgear Orbi (AP mode)
                                                           → Computers
                                                           → ...

With Purple, it is especially likely you will want some kind of switch because there is only one LAN Ethernet port.

Network configuration with Firewalla Purple

 

10. CenturyLink 

(fiber) → CenturyLink ONT → Gold/Purple (Router Mode) → Switch → Netgear Orbi (AP mode)
→ ...

CenturyLink requires a  PPPoE connection, so have your credentials ready usually your century link email and password, and configure the WAN with the appropriate VLAN tag (Last we heard, they use 201). You will need an AP or a router in AP mode for your Wi-Fi. 

 

Network configuration with Firewalla Gold

 

11. Aruba WAPs

Examples: AP22

Recommended example home network configuration for Aruba Access Points

12. Access Point: TP-Link APs

WAN → Firewall Gold (Router Mode) → Switch → TPLink Archer C6 (AP mode) → Computer(s)
                                           → TPLink EAP-245 (with optional VLANs)
                                           → TPLink EAP-245 (with optional VLANs
                                           → XBOX
                                           → ...

 

 

13. Access Point: UniFi WAPs 

WAN → Firewall Gold (Router Mode) → managed switch → Unifi AP(s)
                                                   → Unifi Controller running in docker
                                                   → ...

You can run the Unifi Controller in a docker container on Firewalla, a NAS, or a Raspberry Pi. No UDM, UDP Pro, or CloudKey is required. A managed switch is recommended so you can use network segmentation.

 

 

Triple Play mode 

Firewalla Gold with set up VLANs for IPTV, Phone, and Access Points

WAN → 

Gold/Purple (Router Mode)

 Switch/AP (optional) Devices

Examples

  • Modem
   You can set up VLANs on Gold and run IPTV and Phone through your switch if you need more ports.
  • IPTV
  • IP Phone
  • Switches
  • switch/APs

 

Description

Used when there is double/triple-play service (Voice, Internet, TV). For FWG you can use port-based or VLANs for the triple play. FWP requires VLANs.

  • If you have an ISP router...
    • Set your router aside. You don't need it. Better yet, return it and stop paying a rental fee.
    • You may want a managed switch if you are short of ports

Pros

  • Use a much better router than ISPs provide
  • Don't rent a router from ISP.
  • Enables all Double/Triple play features

Cons

  • May require buying or renting an inexpensive modem if the ISP modem doesn't allow disabling DHCP.
  • Some additional effort is required for the initial setup. Don't worry; you got this!

 

Modem (ISP) → Gold (Router Mode) (port 4) 
               → Gold (port 3/VLAN 61) → IP TV
               → Gold (port 2/VLAN 62) → IP Phone
               → Gold (port 1/VLAN 60) → switch → AP/Wi-Fi/Mesh
                                      → computer
                                      → Devices

 

References

 

 

Typical Variations

Below are some setup variations that also work well with Firewalla, when to use them, and the pros/cons of each.

Bridge mode 

Gold

Firewalla Gold recommended variation that works, pros/cons, and when to use them

 

WAN → Router
(Router Mode) 		Gold/Purple
(Bridge Mode) 		Switch/AP → Devices

Examples

  • Modem 
  • ONT/Fiber

Examples

  • UDM SE
  • UDM Pro
  • USG
  

Examples

  • APs
  • Switches
  • Desktop/Laptop
  • Tablet
  • Phone
  • Printer

 

Purple

Note in this configuration of Purple the router goes to the LAN port and the WAN port goes to the switch or AP. 

 

Firewalla Purple recommended configuration, router connected to the LAN port and WAN port goes to the switch or access point

 

Description

Bridge Mode is typically used when you have an existing router that provides some essential features that you want to keep in place. For this configuration:

  1. Firewalla must be between your router and a switch or AP.
  2. APs must connect behind Firewalla. So a router with built-in Wi-Fi is not a great candidate. However, if you can and are willing to disable the Wi-Fi and add separate Wi-Fi behind Firewalla, that is fine.

For techies, Firewalla's Bridge Mode is a layer 2 firewall. Your existing router will remain your router. In Bridge Mode, blocking features, protection features, and Ad Block will work the same as in Router Mode. You can monitor all VLANs in this configuration as well.

If you have:

  • A Router
    • You will need a modem or WAN source
    • Use your original router configure to router mode.
    • Firewalla Gold/Purple in Bridge mode
      • You could consider using a LAG connection to your switch for performance/redundancy
    • A switch or separate APs

Pros

  • Maintains the features of your existing router
  • Firewalla provides IDS/IPS
  • Minimal network rewiring 

Cons

  • Doesn't allow the use of all Firewalla features because Firewalla is not your router
    • VPN Client (all features under the VPN Client button)
    • Policy-Based Routing (all features under the route button)
    • Smart Queue (all features under the Smart Queue button)
    • Site-to-Site VPN (if another Firewalla box has established a site-to-site VPN connection to the Box (as server site) in Bridge Mode, you will need to add a static route on the server-side gateway, which routes the client networks via Firewalla's IP)
  • Can be somewhat more complicated. Some things are managed in Firewalla, and some in the router.
  • This configuration doesn't support Routers with built-in Wi-Fi 

Example

14. Unifi UDM Pro

Modem (ISP) → UDM Pro (Router) → Firewalla Gold/Purple (Bridge Mode) → USW (switch) → Unifi AP(s)
                                                                                    → Devices
                                                                                    → ...

Network configuration using Unifi UDM Pro and Firewalla Purple

 

 

Multi-WAN 

Multiple WAN configuration with Firewalla Gold in Router Mode connected to switch or WiFi access points

WAN1 → 

WAN2 → 

 Gold (Router Mode) Devices 

Examples

  • DSL 
  • ONT/Fiber
  

Examples

  • APs
  • Switches

 

Description

Unlike the rest of the examples, this example is about the WAN side of the network, not the LAN. Multi-WAN can be used with any of the other LAN configurations.

This is used when you want to use two different ISP connections for redundancy (failover mode) or increased bandwidth (load balancing). Firewalla Purple multi-WAN is limited to one Ethernet and one Wi-Fi connection. It doesn't matter what the WAN connections are: Fiber, LTE, DSL, or Fixed wireless. 

If you have two WAN sources... 

  • Run Firewalla Gold in Router Mode and configure Multi-WAN.
  • You may want to choose some Wi-Fi Access Points (see "Switches/Wi-Fi APs" above)1
  • Firewalla Feature Guide: Multi-WAN

What is the best mesh for Router Mode?

We recommend Mesh units that can be in Access Point Mode. This way, the mesh will only be responsible for making Wi-Fi connections and passing on the routing part to the router (your Wi-Fi will likely be much more efficient). If you configure the mesh in Router Mode, it will still work with Firewalla; however, Firewalla will not be able to see or control all the devices under the mesh. 

 

What is the best Access Point for Router Mode?

Any access point should work nicely with the Firewalla Router Mode. Some of the access points may require controller software and some of them can be installed on the Gold series see this article.

Note you can use Unifi switches and APs with Purple or Gold series boxes. If you have a Firewalla Purple box, just run the controller somewhere else. This can be a computer, Raspberry Pi, NAS, etc. 

 

Relevant Links

Related articles

Comments

3 comments

Sort by Date Votes
  • Avatar
    Stephanie Hudson

    An example of a Starlink with failover to cellular modem would be great!

    1
    Comment actions Permalink
  • Avatar
    H F

    Hi,

    In this document,

    Firewalla Router Mode Configuration Guides

    under the heading: 

    What is the best Access Point for Router Mode?

    Any access point should work nicely with the Firewalla Router Mode. Some of the access points may require controller software, and some of them can be installed on the Gold/Purple see https://help.firewalla.com/hc/en-us/articles/360053441074-Guide-How-to-run-UniFi-Controller-on-the-Firewalla-Gold-or-Purple-

    You say one can use the info linked to install "on the Gold/Purple"....

    But when one goes to that linked article, the article starts off with

    • This is for Firewalla Gold series boxes n Router Mode only.
    • Installing Unifi Controller on Firewalla Purple series boxes is not recommended due to memory restriction.

    SO the obvious question is:      Which is correct?

    Can the UniFi Controller be run on a Purple ?

    Can the UniFI Controller be run on a Purple SE ?

    Thank you for clarifying  the information and for correcting the 2 articles.

     

    0
    Comment actions Permalink
  • Avatar
    Limbos Rebirth0c
    • Edited

    FYI - the last blurb about BGW320 passthrough mode is a bit misleading/incorrect.  

    In passthrough mode, the BGW320 will indeed assign (pass-through) the public ip address to Firewalla (and thus all the incoming traffic as well).  In fact, the BGW320 will retain it's own (separate) public IP address, in addition to the "primary" public IP assigned to Firewalla.

    However as the blurb correctly mentions, passthrough mode is definitely not a bidirectional bridge - more like a 1-way bridge.  Inbound traffic may hit (or be copied to) Firewalla directly, but Outbound traffic is still subject to a double-nat hop, through the BGW320's private IP address, and then out through the public IP.  

    This means it's really only necessary to configure BGW320 passthrough mode if direct inbound connectivity is desired to Firewalla (if you need to open/forward a port from the greater internet).  As a bonus, not configuring passthrough (and leaving the BGW320 settings at default) lets the BGW320 block all the unsolicited traffic, freeing up resources on Firewalla.  

    For my purposes (remote connectivity, not gaming) I use Tailscale (which does NAT Firewall hole punching) so Firewalla doesn't actually need to be reachable directly the public internet.  Further, since the outbound double-nat hop can't be avoided, there's really no benefit to be had (in my opinion - for better VPN performance) by enabling passthrough.  So I've just reset my BGW320 to default settings, kept Firewalla in router mode, and accepted the fact that my VPN performance might suffer (initial inbound connections will need to be coordinated by an external STUN/TURN server, and established connections may be "relayed" through that same server (as opposed to directly to my home network) if I'm connecting remotely from inside another NATted network).  Tailscale transparently handles all of this.  

    However, if I want to avoid the relay for established connections, I can just use my phone's hotspot.

    Perhaps Firewalla's VPN feature might benefit from passthrough - but I haven't tested it.  

    0
    Comment actions Permalink

Please sign in to leave a comment.