- A managed switch is required to set up Google Wi-Fi/Nest Mesh network with Firewalla Purple in router mode.
- The instructions below are another way to set it up on Firewalla Gold. See Google Wifi or Nest Wifi Mesh network with Gold (Beta) for a port-based approach.
The best way to set up a mesh network with Firewalla in router mode is to configure the mesh network in AP Mode/Bridge Mode.
If you just have one Google Wifi unit, you can turn on bridging mode and attach it to the Firewalla's LAN port. However, the Google Wifi mesh network doesn't support AP Mode or Bridge mode (when the mesh is enabled). This tutorial introduces a workaround.
This workaround is NOT perfect. If you have any issues, please let us know via firstname.lastname@example.org. If you can, convincing Google/Nest to support AP mode is the best solution.
There are two proposed solutions:
For a standard mesh setup, refer to this solution.
If you are doing ethernet backhaul, refer to this solution.
We'll use the subnets below as an example in the rest of this guide.
There will be three networks created:
- The main network, managed by Firewalla, connected to Purple's LAN Port. (e.g. 192.168.210.0/24).
- VLAN for Google Wifi's Primary Unit, managed by Firewalla, connected to Purple's LAN Port. (e.g. 192.168.200.0/24, VLAN 88).
- Google Wifi LAN, managed by Google Wifi. This subnet is only used for Google satellites (e.g. 192.168.86.0/24).
Note: Your Google Wifi/Nest Wifi Mesh network should already be set up before adding Firewalla Purple to the network.
Step 1: Set up Local Networks in the Firewalla app
- Make sure Firewalla Purple is running in Router Mode.
- Create a local network on LAN Port as the main network, 192.168.210.1/24.
- Create a VLAN on LAN Port for the Google Wi-Fi primary unit, 192.168.200.1/24, VLAN 88.
Step 2: Set up a Managed Switch
When you are using Firewalla Purple in this setup, a managed switch is required to handle the VLANs. We will show two examples, a Netgear switch and a UniFi switch. The same setup would work with Firewalla Gold as well.
a. Netgear switch
In this example, we use a Netgear 8-Port managed switch.
- Log in to the Switch's Admin page, go to Switching → VLAN → VLAN Configuration.
- Add a VLAN: VLAN ID: 88, Name: Google Wi-Fi, Member Ports: g4 (tagged), g5 (untagged)
(VLANs 1, 22 and 4080 are the default VLANs on the Netgear switch; you can leave them there.)
- Save the configuration.
1. Go to VLAN → Port PVID Configuration.
2. Apply PVID configuration: Port g5, PVID 88, VLAN Member: 1, 88
3. Save the configuration.
b. UniFi switch
In this example, we use a UniFi USW-Lite-16-PoE managed switch running Network 6.5.55 with the new user interface. All of these features are also found in other versions of the controller but might be named slightly differently.
For this example, we assume you have already set up your main network.
Add the VLAN Network:
- Log in to the UniFi controller, go to Settings → Networks → Add New Network
- Add a VLAN: Name: Google Wifi and open Advanced to set the VLAN ID to 88. Set DHCP Mode to None and turn off DHCP Guarding.
- Choose Add Network.
Configure the ports:
In this example, we will use port 15 to connect the switch to the mesh WAN port as a trunk port and port 16 will connect the switch to the mesh's LAN port.
- Go to UniFi Devices, select the switch you are connecting the Nest/Google Wifi to, and open Settings.
- Select port 15 and note the current Port Profile.
- Select Manage port Profiles and edit the profile you had assigned to that port.
- Set the main network as your native network (a) if it isn't already, and add the new VLAN network (Google Wi-Fi) to the Tagged Networks (b) to make a "trunk" that allows both the main network and the VLAN traffic to flow through this port. If you have other VLANs they can be included in the Tagged Networks as well. No problem.
- Apply changes.
- Go back to UniFi Devices and select the switch again and go to Settings.
- Select port 16.
- Give the Port a Name. This is just to help you remember how your switch is configured so call it what you like.
- Under Port Profile choose the VLAN you created previously.
- Apply changes.
- Go back to UniFi Devices and select the switch again → Settings and port 16 and choose the Port Profile you just created with VLAN 88.
- Apply Changes to save the configuration.
Step 3: Set up Google Wifi Mesh network with a limited DHCP address range
- Connect the LAN Port of Firewalla Purple to Port 4 (with VLAN 88, tagged) on the managed switch.
- Connect the WAN Port of the Google Wifi primary unit to Port 5 (with VLAN 88, untagged) on the managed switch.
Double-check that the WAN IP of Google Wifi is under 192.168.200.1/24.
- Configure DHCP address range in Google Wifi primary unit so that the number of available IP addresses is N (N=number of additional Wifi points)
For example, to allow 2 more Wifi points in the Google Wifi mesh network, you can set the DHCP address range as 192.168.86.5~192.168.86.6
- Reboot all Wi-Fi satellites, wait for the mesh network to fully boot up, and make sure the satellites are getting IP addresses within the DHCP range 192.168.86.5~192.168.86.6
- For solution 1, connect the LAN Port on the Google Wifi primary unit to the other Ports (with no VLAN) on the managed switch.
For solution 2, connect the LAN Port of the Google Wifi primary unit and the WAN Port of additional Google Wifi points (satellites) to the other Ports (with no VLAN) on the managed switch.
- Sometimes one Google Wifi point may have two MAC addresses, so you may need to reserve more IP addresses.
- It is highly recommended not to connect any other devices to the Google Wifi network when setting up the limited DHCP address range, because an IP address in the pool that is supposed to go to a Google Wifi point (satellite) may accidentally be assigned to another device, which eventually messes up the pool range.
Now, any device connecting to the Google Wi-Fi network should be able to get an IP address from Firewalla. (They should get IP addresses under 192.168.210.0/24.)
Step 4: Configure Firewalla to NOT allocate IP addresses for Google Wi-Fi points (satellites)
Google Wifi points may accidentally get IP addresses from Firewalla if the DHCP allocation from Google Wifi expires. This may break the mesh setup.
When this happens:
- The Firewalla App will get a New Device Alarm on the Google Wifi points.
- Find the Wifi point devices in the Firewalla app (usually, the name is Google, Inc. and the IP address is under 192.168.210.0/24)
- For each Wifi point device, tap on "IP Address", select "Do not allocate". This only needs to be done once.
- Reboot Wi-Fi satellites to get an IP from the Google Wifi primary unit.
Important: Never set "Do not allocate" for the Google Wifi primary unit, otherwise the whole Google Wifi mesh will lose the internet.
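To check the result of Steps 3 and 4, the following added example (not Firewalla's own tooling) audits a device list against the example subnets and DHCP range used in this guide. The device list, names, MAC addresses and role labels are constructed for illustration; in practice you would copy them by hand from the Firewalla and Google apps.

```python
import ipaddress

# Example subnets and limited DHCP range from this guide.
MAIN_NET = ipaddress.ip_network("192.168.210.0/24")      # main network (Firewalla)
PRIMARY_VLAN = ipaddress.ip_network("192.168.200.0/24")  # VLAN 88, primary unit WAN
POOL_START = ipaddress.ip_address("192.168.86.5")        # Google Wifi pool, Step 3
POOL_END = ipaddress.ip_address("192.168.86.6")


def pool_size():
    """Number of addresses in the limited Google Wifi DHCP range."""
    return int(POOL_END) - int(POOL_START) + 1


def audit(devices):
    """devices: (name, role, mac, ip); role is primary-wan, satellite or client."""
    findings = []
    # A Wifi point can show two MACs, so count MACs rather than units.
    sat_macs = {mac for _, role, mac, _ in devices if role == "satellite"}
    if len(sat_macs) > pool_size():
        findings.append(f"pool holds {pool_size()} addresses but "
                        f"{len(sat_macs)} satellite MACs exist: widen the range")
    for name, role, mac, ip in devices:
        addr = ipaddress.ip_address(ip)
        in_pool = POOL_START <= addr <= POOL_END
        if role == "primary-wan" and addr not in PRIMARY_VLAN:
            findings.append(f"{name}: WAN IP {ip} is outside {PRIMARY_VLAN}, "
                            "check the VLAN 88 ports")
        elif role == "satellite" and addr in MAIN_NET:
            findings.append(f"{name}: satellite leased {ip} from Firewalla, "
                            "set 'Do not allocate' and reboot it")
        elif role == "satellite" and not in_pool:
            findings.append(f"{name}: satellite IP {ip} is outside the pool")
        elif role == "client" and in_pool:
            findings.append(f"{name}: client holds {ip}, "
                            "an address reserved for a satellite")
    return findings


# Constructed sample: one satellite fell back to Firewalla DHCP (Step 4),
# and one client took a pool address meant for a satellite (Step 3 note).
SAMPLE = [
    ("primary", "primary-wan", "02:00:00:00:00:01", "192.168.200.23"),
    ("sat-hall", "satellite", "02:00:00:00:00:02", "192.168.86.5"),
    ("sat-attic", "satellite", "02:00:00:00:00:03", "192.168.210.57"),
    ("laptop", "client", "02:00:00:00:00:10", "192.168.86.6"),
    ("phone", "client", "02:00:00:00:00:11", "192.168.210.101"),
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "address plan looks consistent")
```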