- A managed switch is required to set up Google Wi-Fi/Nest Mesh network with Firewalla Purple in router mode.
- The instructions below are another way to set it up on Firewalla Gold. See Google Wifi or Nest Wifi Mesh network with Gold (Beta) for a port-based approach.
The best way to set up a mesh network with Firewalla in router mode is to configure the mesh network in AP Mode/Bridge Mode.
If you just have one Google Wifi unit, you can turn on bridging mode and attach it to the Firewalla's LAN port. However, the Google Wifi mesh network doesn't support AP Mode or Bridge mode (when the mesh is enabled). This tutorial introduces a workaround.
This workaround is NOT perfect, if you have any issues, please do let us know via firstname.lastname@example.org. And if you can, convincing Google/Nest to support AP mode is the best solution.
There are two proposed solutions:
For a standard mesh setup, refer to this solution.
If you are doing ethernet backhaul, refer to this solution.
We'll use the subnets below as example in the rest of this guide.
There will be three networks created:
- The main network, managed by Firewalla, connected to Purple's LAN Port. (e.g. 192.168.210.0/24).
- VLAN for Google wifi's Primary Unit, managed by Firewalla, connected to Purple's LAN Port. (e.g. 192.168.200.0/24, VLAN 88).
- Google Wifi LAN, managed by Google Wifi. This subnet is only used for Google satellites (e.g. 192.168.86.0/24).
Note: Your Google Wifi/ Nest Wifi Mesh network should already be setup before adding Firewalla Purple to the network.
Step 1: Set up Local Networks in the Firewalla app
- Make sure Firewalla Purple is running in Router Mode.
- Create a local network on LAN Port as the main network, 192.168.210.1/24.
- Create a VLAN on LAN Port for google Wi-Fi primary unit, 192.168.200.1/24, VLAN 88.
Here is the tutorial on how to manage networks on Firewalla boxes.
Step 2: Set up a Managed Switch
When you are using Firewalla Purple in this setup, a managed switch is required to handle the VLANs. We will show two examples, a Netgear switch and a UniFi switch. The same setup would work with Firewalla Gold as well.
a. Netgear switch
In this example, we use a Netgear 8-Port managed switch.
- Login to the Switch's Admin page, go to Switching → VLAN → VLAN Configuration.
- Add a VLAN: VLAN ID: 88, Name: Google Wi-Fi, Member Ports: g4 (tagged), g5 (untagged)
(VLAN 1, 22, 4080 are the default VLANs on Netgear switch, you can leave them there.)
- Save the configuration.
1. Go to VLAN → Port PVID Configuration.
2. Apply PVID configuration: Port g5, PVID 88, VLAN Member: 1, 88
3. Save the configuration.
b. UniFi switch
In this example, we use a UniFi USW-Lite-16-PoE managed switch running Network 6.5.55 with the new user interface. All of these features are also found in other versions of the controller but might be named slightly differently.
For this example, we assume you have already set up your main network.
Add the VLAN Network:
- Login to the UniFi controller, go to Settings → Networks → Add New Network
- Add a VLAN: Name: Google Wifi and open Advanced to set the VLAN ID to 88. Set DHCP Mode to None and turn off DHCP Guarding.
- Choose Add Network.
Configure the ports:
In this example, we will use port 15 to connect the switch to the mesh WAN port as a trunk port and port 16 will connect the switch to the mesh's LAN port.
- Go to UniFi Devices and select the switch you are connecting the nest/google Wifi to and Settings.
- Select port 15 and note the current Port Profile.
- Select Manage port Profiles and edit the profile you had assigned to that port.
- Set the main network as your native network (a) if it isn't already, and add the new VLAN network (Google Wi-Fi) to the Tagged Networks (b) to make a "trunk" that has allows both the main network and the VLAN traffic allowed to flow through this port. If you have other VLANs they can be included in the Tagged Networks as well. No problem.
- Apply changes.
- Go back to UniFi Devices and select the switch again and go to Settings.
- Select port 16.
- Give the Port a Name. This is just to help you remember how your switch is configured so call it what you like.
- Under Port Profile choose the VLAN you created previously.
- Apply changes.
- Go back to UniFi Devices and select the switch again → Settings and port 16 and choose the Port Profile you just created with VLAN 88.
- Apply Changes to save the configuration.
Step 3: Set up Google Wifi Mesh network with a limited DHCP address range
- Connect the LAN Port of Firewalla purple to Port 4 (with VLAN 88, tagged) on the managed switch.
- Connect the WAN Port of the Google Wifi primary unit to Port 5 (with VLAN 88, untagged) on the managed switch.
Double-check that the WAN IP of Google Wifi should be under 192.168.200.1/24
- Configure DHCP address range in Google Wifi primary unit so that the number of available IP addresses is N (N=number of additional Wifi points)
For example, to allow 2 more Wifi points in the Google Wifi mesh network, you can set the DHCP address range as 192.168.86.5~192.168.86.6
- Reboot all Wi-Fi satellites, wait for the mesh network to fully boot up, and make sure the satellites getting IP addresses within the dhcp range 192.168.86.5~192.168.86.6
- For solution 1, connect the LAN Port on Google Wifi primary unit to the other Ports(with no VLAN) on the managed switch.
For solution 2, connect the LAN Port of Google Wifi primary unit and the WAN Port of additional Google Wifi points(satellites) to the other Ports(with no VLAN) on the managed switch.
- Sometimes one Google Wifi point may have two mac addresses, so you may need to reserve more IP addresses.
- It is highly recommended not to connect any other devices to the Google Wifi network when setting up the limited DHCP address range. Because the IP address in the pool may accidentally be assigned to other devices that are supposed to be assigned to Google Wifi points (satellites), eventually mess up the pool range.
Now, any device connecting to the Google Wi-Fi network should be able to get an IP address from Firewalla. (They should get IP addresses under 192.168.210.0/24.)
Step 4: Configure Firewalla to NOT allocate IP addresses for Google Wi-Fi points (satellites)
Google Wifi points may accidentally get IP addresses from Firewalla if the DHCP allocation from Google Wifi expires. This may break the mesh setup.
When this happens:
- Firewalla App will get a New Device Alarm on google wifi points.
- Find the Wifi points devices in the Firewalla app (usually, the name is Google, Inc. and the IP address is under 192.168.210.0/24)
- For each Wifi point device, tap on "IP Address", select "Do not allocate". This only needs to be done once.
- Reboot Wi-Fi satellites to get an IP from the Google Wifi primary unit.
Important: Never set "Do not allocate" for the Google Wifi primary unit, otherwise the whole Google Wifi mesh will lose the internet.
Is it possible to do this with an unmanaged switch (with 2 uplink ports?). Otherwise, are there instructions for the Ubiquiti-way of setting up VLANs. I can't seem to get it functioning just yet and not sure about their tagging / untagged equivalent.
Also, I have found that it's best to temporary change your wifi password for Nest Wifi to ensure only the Mesh Network selects their IPs.
@Robert, Sorry for the inconvenience, a VLAN-supported switch is required for this setup.
We'll be working on the example using the Ubiquiti switch, which will be updated in this doc once ready. Thanks for asking.
Did anyone get casting to their Google Speaker (inside the second Google Nest Wifi puck) working? I followed the solution 1 setup here exactly and these instructions (https://help.firewalla.com/hc/en-us/articles/360049613014-Firewalla-Gold-when-network-is-segmented-will-I-be-able-to-use-AirPlay-and-Chromcast-cross-networks) for my switch, but I still cannot see or cast to the google nest wifi puck speaker. A couple of details:
- Used the netgear GS305E to setup a VLAN for Google Wifi Primary Unit and a VLAN for Main Network (connected ethernet port on Google Wifi Puck back to Switch VLAN for Main Network)
- Enabled mDNS on my Google Wifi Primary Unit Network and my Main Network
- If I start playing music via voice on the speaker, I can see it and control it via spotify/google home app. Neither app can start music from the speaker. Google Home doesn't let me add the speaker to a speaker group or connect to it to cast my audio.
- My Wifi Puck (and the google speaker) has an IP of 192.168.86.5... Firewalla is not aware of this IP/Network as it is managed by Google, so it may be a non-starter...
UPDATE: Just to see if I could get broadcast messages to Firewalla, I added a ISP connection via the purple's wifi adapter to the Google Nest Wifi network and assigned the purple an IP of 192.168.86.6 statically. I could start songs on the Nest Wifi puck speaker in both spotify and google home, but I could not make speaker groups work as Firewalla was blocking the traffic from the device I was starting the music on to the 192.168.210.255 broadcast address (even when I paused the Traffic inbound from the internet rule that kept firing). I think there is something to this. I am curious as to why the Google Wifi Primary Unit and Secondary Puck cannot (or at least according to solution 1) be on the same user VLAN for the main network (by statically assigning them IPs outside of the DHCP pool). Does anyone know the reason these two devices have to be on their own network?
UPDATE 2: So I decided to go for it and put the Nest Wifi Primary as 192.168.210.2 and the Secondary Puck (Speaker) as 192.168.210.3 on the Main Network. I made the Nest Wifi Primary DHCP pool only one address (192.168.210.3). So far everything appears to be working. The Secondary Puck works in speaker groups now too. The only possible downside I see is that technically devices that get their IP reservations from the Nest Wifi Primary (which should only ever serve the Secondary Puck an IP) have a default gateway of 192.168.210.2 and traffic routes over the Google Primary WAN port to Firewalla. All other devices connected to the Main LAN via Google Nest Wifi get an IP from Firewalla and a default gateway of 192.168.210.1, routing internet traffic through the Google Primary LAN port to the switch to Firewalla (which was happening before anyways). Posting this here in case someone has any concerns/recommendations for this work around.
UPDATE 3: Using IP addresses in the Main Network (192.168.210.0/24) for the Google Nest WiFi Router and WiFi point caused significant performance issues on my Google TV connected to the point. I didn't see any issues from other devices but reverted these settings back to the recommended 192.168.86.0/24 IPs in the diagram here.
If anyone finds a good solution for getting the speaker to work for casting I'd love to hear about it!
I have the TP Link TL-SSG116E switch. It shows VLAN in the admin settings. Will this work?
For Solution 1 (only) and with only WiFi devices in the network, can I connect the purple LAN port to the Google WiFi WAN port and then follow the instructions?
@Kevin, you need to create VLAN's to have Nest work with the purple. See the red and yellow, they are different networks.
I am trying to setup Solution 1 using a Netgear GS108Ev3 managed switch. The interface differs from the one above but the big issues is the switch is only giving me option for VLAN ID 1 though 8. Any suggestions?
@kevin I'm using a Netgear GS308E and my interface isn't the same as the instruction either. Although I haven't tried it yet (waiting for a time that I can take down the entire network) I was able to set it up by going to VLAN > 802.1Q > Advanced. There I was able to setup a VLAN ID 88 as shown in the instructions.
The PVID stuff was harder to figure out, but I set mine as follows.
The Netgear UI is really bad! Best of luck!
Has anyone got the Solution 1 to work with a Firewalla Gold, a Netgear managed Switch and Google Nest Wifi router with 2 access points? I am not able to get this to work.
I set up solution 2 as described with Purple SE & Netgear managed switch & everything is working but a few things and the search hasn't turned anything up.
- Under devices, it doesn't show live throughput
- When I try Wi-Fi Speed Test I get a message stating "Before continuing, please enable WLAN/Wi-Fi on your phone and connect it to the local network of this Firewalla box.
- It seems random which network (Google Wi-Fi or Main Network) devices have connected to.
Please sign in to leave a comment.