Initial Setup - First LAN IP/Netmask
I bought a Firewalla Gold Plus over the holidays. Now I'm finally getting around to setting it up. This is my first Firewalla config, so please be gentle, because I can almost guarantee that I (a non-networking guy) will type out things that you networking guys will be like, "oh sweet baby jeebus..." All apologies up front, and please feel free to correct me because the goal here is to learn. Also up front, the TLDR.
TLDR: In Router mode, when creating my first LAN segment, the Firewalla app forces me to use a '255.255.192.0' (or '/18') netmask. Is there a way to bypass this and use a '255.255.0.0' ('/16') netmask?
The non-TLDR is I've got a home network that has a mesh router for the home and a layer 3 managed switch for a home lab. The network is completely flat (I think that's the right term), using '10.10.0.0/16'. The router is configured such that it's restricted to managing only a portion of the network IP space, and the managed switch is configured to manage a different portion, but points to the router's IP as the default gateway. This configuration, to me anyway, is a "it may not be right, but from what I understand about networking, it'll work" setup. And it does work.
The eventual goal is to wire the house for ethernet, set the mesh routers to run in access point mode and plug them into the new ethernet, use VLAN's to control the "poor man's segmentation" that I'm using for the router vs managed switch, and have the Firewalla Gold control everything.
The more immediate goal is to take a phased approach, and do what I can now with minimal disruption to the wife, who works from home.
So my thought in doing this was to integrate the Firewalla into this poor man's approach. In this, I was hoping to create the first LAN on the Firewalla as '10.10.0.0/16', give it a unique IP, and configure the mesh router and managed switch to use the Firewalla IP as the default gateway, then come up to speed with the Firewalla features while I wire the house for ethernet.
The problem is, no matter what private IP space I type into the Firewalla (10.x.x.x, 172.16.x.x, or 192.168.x.x) it requires a netmask of 255.255.192.0. So my primary question is, is there a way to forcibly set this, via command-line or something, to '10.10.0.0/16'? To me, this is a logical (and least disruptive) "next step" in my phased approach. My secondary question would be, is there a better, even more logical "next step?"
Thank you in advance,
"That guy"
-
Any reason you are picking a /16 mask? This means you are creating a network for 65,000 devices.
Large masks will cause issues with device discovery and also waste lots of memory maintaining stats on devices you will never have.
a /18 mask is 16000 devices, which is already far beyond what a typical home can handle.
-
The reason for that was not a technical one, but more a human one. I'm using the 3rd octet as a visual designation of the purpose of the devices (e.g. 10.10.250.x is IoT devices, 10.10.200.x is general WiFi, 10.10.150.x is home lab, etc.). These aren't exact examples, but it gives the idea.
I'd like to eventually get to a point where I have VLANs controlled by Firewalla that map to a similar construct, but using '/24' networks (e.g. VLAN 250 = 10.10.150.x/24 is IoT devices, VLAN 200 = 10.10.200.x/24 is general WiFi, etc.).
But I don't know how to configure that yet using the Firewalla as a primary gateway, without totally bringing down everything for (what is to me) a huge learning curve, which will impact the wife.
-
Thank you very much for your input, both of you. Also, my apologies for the delayed response. I had to travel for work.
Ah.
This is really simple. Create your VLANs. They won't impact devices until you move them over.
Migrate devices when it is convenient. Make sure to remove or adjust any IP reservations in the process.
As to the response, and please correct me if I am wrong, but isn't this a "phase 2" or 3 suggestion? To my limited understanding, this is very much advice that I'd like to take. Before I can though, wouldn't I need to first get the Firewalla IP'd on my existing network (10.10.0.0/16)?
So unless I'm completely misinterpreting what you wrote (which is quite possible), this leaves me with the original question: In Router mode, when creating my first LAN segment, the Firewalla app forces me to use a '255.255.192.0' (or '/18') netmask. Is there a way to bypass this and use a '255.255.0.0' ('/16') netmask?
Is there a way to do this via command-line? Can I use standard Debian/Raspbian command-line steps to forcibly set the 'br0' interface, which maps to 'LAN1', to an IP/netmask? Is it possible to bypass the restrictions of the Firewalla app in this way? Also, assuming this does work, will there be a process to get the Firewalla app to recognize the Firewalla firewall at the new IP? Remember, if this can be done, the intention is that this not be a permanent solution. It's to do this temporarily in order to implement the next phase, which is creating VLANs and migrating devices.
Or...
Is there some other, maybe even unintuitive, way of doing this that's unknown to a newbie like me? Spit-balling, but could I do something like:
- Assign 1 port to bridge mode.
- Plug my mesh router into this port.
- Assign the other ports to router mode.
- Configure the VLANs (VLAN 250 = 10.10.250.x/24 is IoT devices, VLAN 200 = 10.10.200.x/24 is general WiFi, etc.).
- Configure network routes in a way that I don't yet understand, such that everything on the new VLANs can still talk to everything on the bridge port?
Is this even a thing in the networking world, where 1 port is bridge, and other ports have VLANs, but network routes allow communication? Even spitballing, this sounds very complicated, and would be easier if I could just assign an IP/netmask to the Firewalla on a '10.10.0.0/16' subnet.
Thank you again.
-
The Firewalla cannot act in both bridge and router modes simultaneously.
If I understand correctly, you would like to connect the Firewalla to your existing network, move some devices behind the Firewalla, so they use the Firewalla as their router, and leave other devices in your regular network, and have everything work like that until you move everything behind the Firewalla. Is that correct?
If so, my advice is to forget the phased approach and just move to the Firewalla in one go. But, if you wanted to try a phased approach, I think you would need to follow these steps:
- Add the Firewalla as a client to your existing network by connecting the Firewalla WAN port to your network.
- Define your LANs on the Firewalla.
- Move devices into the Firewalla LANs incrementally.
This requires that the LANs you define on the Firewalla do not overlap with your existing LANs. So, you'll need to move to 10.11.0.0/16 or something for the Firewalla LANs.
You must also decide whether to turn on Source NAT on the Firewalla. If you leave it on for your WAN connection (connected to your existing network), all the clients connected to the Firewalla will appear as the Firewalla to the rest of the network. That's not great for visibility, but it means you don't need to mess with the routing for your existing network. If you leave Source NAT off on the Firewalla, you will need to add routes to your existing router and switch to route the Firewalla networks (e.g., 10.11.0.0/16) to your Firewalla.
As you can see, even the phased approach will require that you re-address all your devices. I don't know how difficult that will be for you.
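The two sizing and overlap points made in this thread (a /16 is ~65,000 hosts versus ~16,000 for the /18 the app enforces, and Firewalla LANs must not overlap the existing 10.10.0.0/16) can be checked before touching the hardware. The script below is an added example, not Firewalla's code or anything posted in the thread; it assumes the /18 limit as stated above and uses constructed sample plans.

```python
import ipaddress

# Narrowest netmask the Firewalla app accepts for a LAN, as reported in the thread (/18).
MIN_LAN_PREFIX = 18


def netmask_prefix(mask):
    """Convert a dotted netmask such as '255.255.192.0' to its prefix length (18)."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def usable_hosts(net):
    """Addresses a host can actually use (IPv4 network and broadcast excluded)."""
    return net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses


def check_plan(existing, proposed, min_prefix=MIN_LAN_PREFIX):
    """Report, per proposed Firewalla LAN, its host capacity and any design problems:
    a prefix wider than the app allows, overlap with the existing flat network
    (which makes routing ambiguous during a phased migration), or overlap between
    the proposed segments themselves."""
    existing = ipaddress.ip_network(existing)
    nets = [ipaddress.ip_network(p) for p in proposed]
    report = []
    for i, net in enumerate(nets):
        problems = []
        if net.prefixlen < min_prefix:
            problems.append(f"prefix /{net.prefixlen} wider than app limit /{min_prefix}")
        if net.overlaps(existing):
            problems.append(f"overlaps existing {existing}")
        for other in nets[:i] + nets[i + 1:]:
            if net.overlaps(other):
                problems.append(f"overlaps planned {other}")
        report.append({"network": str(net), "hosts": usable_hosts(net), "problems": problems})
    return report


if __name__ == "__main__":
    # Constructed sample: the original /16 wish, the commenter's 10.11.x suggestion,
    # and the per-purpose /24 VLANs carved out of the still-live 10.10.0.0/16.
    for plan in (["10.10.0.0/16"],
                 ["10.11.0.0/18", "10.11.64.0/18"],
                 ["10.10.250.0/24", "10.10.200.0/24"]):
        for row in check_plan("10.10.0.0/16", plan):
            print(row["network"], row["hosts"], "hosts", row["problems"] or "ok")
```

The third plan is the one to watch: the /24 VLANs are fine once the old flat network is gone, but while 10.10.0.0/16 still exists upstream every one of them overlaps it, which is why the reply above suggests a separate range for the transition.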