FWP SE with T-Mobile and eero
I have just purchased a Firewalla Purple SE, and I'm really excited to set it up.
My ISP is T-Mobile Home Internet, and I currently have an Arcadyan KVD21 5G gateway with three eero 6 Pros. The KVD21 currently handles DHCP, DNS, etc. The eero 6 Pros are in bridged mode and use wireless for the backhaul.
My goal is to attach the KVD21 to the WAN port on the FWP and attach the gateway eero to the LAN port:
KVD21 (router) <-WAN-> FWP <-LAN-> eero gateway (bridged) <-wireless-> eero satellites
My current challenges include bufferbloat, the inability to set any custom DNS, MTU, etc. network-wide, the inability to set local IP reservations, the lack of visibility into how much data my devices are using, and so on.
The gateway from T-Mobile offers very few options for anything. The eero features covered some of the aforementioned items, but that goes away once putting them into bridged mode. I did that because I lost IPv6 completely on the LAN otherwise.
What is the best way to approach setting up the FWP SE in this environment and with some of these goals in mind?
- Which Firewalla mode will allow me to get IPv6 addresses on my LAN devices connected to my eero mesh satellites?
- Will this mode allow me to use any kind of SQM or QoS to reduce bufferbloat (I recognize this is difficult with 5G)?
- I'm not worried about double-NAT at this point. T-Mobile's use of CGNAT, blocking inbound for IPv6, etc. makes it virtually impossible to open any inbound traffic anyways.
- I'm also wanting to set up a Docker container to replace my Raspberry Pi that currently runs Pi-hole for a few specific LAN clients.
- Any other configuration concerns that I should be worried about?
TL;DR - My ISP gateway won't let me disable router mode, but I want to have things like SQM and IPv6 through my new FWP SE. Is this possible?
-
Just in case of confusion, "Verizon FIOS" is not a cellular service and does respond to DHCPv6 requests, but I see threads talking about stability issues and turning off IA_NA. This thread and another, "Verizon 5G Home Internet setup tips", which I summarized a bunch of info on, are talking about 5G cellular-provided internet - the provider's modem/router only sends IPv6 RA and ignores DHCPv6, and only advertises a /64 via those RA packets.
I'd recommend FW get hold of one of these Verizon / T-mobile services and do some experimentation! Ping me directly if you want me to try some stuff, as I'd love to help you get this working in the product so I can use it.
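Added example, not part of the post above and not Firewalla code: a parser for the ICMPv6 Router Advertisement (RFC 4861) that reports the M/O flags and the advertised prefix, which is all a downstream router learns from an RA-only gateway. The sample RA is constructed with the documentation prefix 2001:db8::/32, and the function names are hypothetical.

```python
import ipaddress
import struct

def build_sample_ra() -> bytes:
    """Constructed RA: M=0, O=0, one /64 Prefix Information option (L=1, A=1)."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x00, 1800, 0, 0)  # checksum left 0
    prefix = ipaddress.IPv6Address("2001:db8:1234:5678::").packed
    pio = struct.pack("!BBBBII4x16s", 3, 4, 64, 0xC0, 86400, 14400, prefix)
    return hdr + pio

def parse_ra(icmp: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement body (type 134); checksum not verified."""
    if len(icmp) < 16 or icmp[0] != 134:
        raise ValueError("not a Router Advertisement")
    flags = icmp[5]
    ra = {"managed": bool(flags & 0x80),  # M: addresses offered via DHCPv6
          "other": bool(flags & 0x40),    # O: other config offered via DHCPv6
          "prefixes": []}
    pos = 16
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or pos + opt_len > len(icmp):
            raise ValueError("malformed option")
        if opt_type == 3 and opt_len == 32:  # Prefix Information option
            plen, pflags = icmp[pos + 2], icmp[pos + 3]
            net = ipaddress.IPv6Network((icmp[pos + 16:pos + 32], plen), strict=False)
            ra["prefixes"].append({"prefix": net,
                                   "on_link": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40)})
        pos += opt_len
    return ra

def summarize(ra: dict) -> dict:
    """What the RA offers a router that wants to number its own LAN."""
    slaac = [p["prefix"] for p in ra["prefixes"] if p["autonomous"]]
    return {
        "dhcpv6_hinted": ra["managed"] or ra["other"],
        "slaac_prefixes": [str(n) for n in slaac],
        # SLAAC uses a 64-bit interface ID, so one /64 cannot be split
        # into a second SLAAC-capable subnet for a routed LAN.
        "single_64_only": len(slaac) == 1 and slaac[0].prefixlen == 64,
    }

if __name__ == "__main__":
    print(summarize(parse_ra(build_sample_ra())))
```
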
-
My understanding, although I'm no IPv6 expert, is that FW needs to support RFC 7278. Google searches suggest this is what Android and iOS do so that, when acting as a hotspot, attached devices get IPv6 addresses. I don't know how other router providers have solved it, and I wondered if "passthrough" in some of the other products also bypassed other functionality such as firewall features!
-
What you need is router mode, which works best on SQM, and IPv6 support.
-
Thank you for the prompt reply and the guide link!
As I alluded to previously, the eeros could not hand out IPv6 addresses when in router mode.
I've read various things explaining the cause of this including the T-Mobile gateway not supporting prefix delegation, only offering a /64 prefix, etc. Solutions I've read include using a passthrough mode, using DHCPv6, etc. I may be mixing up some of the details though...
Will this be a problem with Firewalla's router mode?
-
I've heard of a few approaches so far for working IPv6 with T-Mobile Home Internet.
One is to use IPv6 NAT, using the one address given to the firewall and handing out internal addresses to the rest. Doesn't seem like something supported by the Firewalla UI, and I'm hesitant to mess with things directly (in case an update breaks it, etc.)
The other is some kind of IPv6 "passthrough" option that some devices support. I think some of the companies included Linksys or Netgear, pfSense, and Mikrotik.
IQrouter specifically provides instructions for setting up what they call IPv6 DHCP relay:
T-Mobile gateway - IPv6 DHCP Relay – IQrouter (zendesk.com)
Maybe that's just a fancy way of saying IPv6 NAT?
All I know is this is my biggest deal breaker so far with Firewalla. Anything to get it working (NAT, passthrough, relay, etc.) would be hugely appreciated. Having to move everything through T-Mobile's IPv4 CGNAT isn't ideal. When I have working IPv6 (using bridge mode), more than half of my network traffic utilizes it (based on Pi-hole requests), so it isn't like the old days where IPv6 isn't really used much yet.
I'm loving everything else about Firewalla otherwise.
- I get great visibility into what is going on in my network.
- SQM is helping upload bufferbloat wonderfully. Looking forward to adaptive mode to see if it can help downloads as well.
- The built-in ad and threat blocking is good enough to negate my need for Pi-hole currently.
- I ended up upgrading to a regular Purple. With 50-70 clients and the number of features I'm using, I wanted the extra processor cores.
Edit: Maybe scratch Mikrotik off the list. I've seen so many posts with so many vendor names that I'm mixing them up now.
-
Here's where a few people bring up the option for passthrough: