How to: Using Firewalla in router mode between two Fritz!Boxes

Well, I wanted to get the most secure network I can easily get and expanded my network to a more complex setup. But in Germany there is only a small amout of Cable-Routers allowed to connect and so the FRITZ!Box is the cable router to deal with. While they are easy to handle and really good in WLAN they don't got some features other routers got. Therefore I had to look how to setup my network that it works.

I tried it with the 6590 but it should be the same with most other Fritz!Boxes, too.

1. Preparing the Fritz Cable Router 6590

This was not as easy as it sounds, cause the bridge mode was removed in a previous Fritz!OS Version. But you can still enable it although it has been hidden from the UI. I show you how to enable it again:

• login to Fritz!Box
• Click on Setup in the side menu and then on "Sicherung" (Backup) in the same menu
• You need to create a backup-file. You may be ask to enter a code in a connected dect phone or press a button on the Fritz!Box
• Safe you backup and create a copy. If you are doing something wrong you can restore this copy.
• Next step is to change the backup-file with a text editor (I recommend Notepad++).
• Find in the group "webui" the line with "lanbridges_gui_hidden = yes;"

• change this value from "yes" to "no". Please be aware with this line ending with ;

• Fritz!Box is using a checksum so we need to change that too. Copy the whole text in the text editor and insert it on this site: https://www.mengelke.de/Projekte/FritzBox-JSTool, then click on "berechnen" ("calculate").
• Again mark and copy the whole text from the textfield of this website and replace the text in the text editor
• Safe the backup-file
• Go back to Fritz!Box UI -> System -> Sicherung ("Backup) and choose the tab "Wiederherstellen" ("Restore").
• Upload your file and restart the Fritz!Box

Now you should have a new function. Let us take a look on it.

2. Setting up the Fritz!Box 6590 cable router

• Login into your Fritz!Box.
• Choose in the side menu Internet -> Zugangsdaten ("Access data / details" / "login data).
• On the top menu you will find a new tab "Bridge-Anschlüsse" as third entry. Choose that.
• You can then choose the LAN-Ports you want to use in Bridge-Mode. For my Fritz!Box LAN-Port 1 wasn't available, only Ports 2 to 4. So I chose LAN 2.
• Disable the WLAN from your Router (or shall we say modem by now?). Because that WLAN would not be protected by Firewalla!
• If your router is no longer accessible, don't worry. Connect your computer directly to another port that is not in bridge-mode.

Please consider: This Lan-Port is now no longer managed by the Firewall. The integrated DHCP Server and the integrated Firewall are no longer available. Every packet is routed directly to the internet (and from the internet to the choosen port). But you got your Firewalla doing that job with more features!

While connected to the Bridge-Port (LAN 2 for me), the Fritz!Box Cable router isn't accessible by the way. You can solve this problem with attaching a device to one of the LAN-Ports not in Bridge-Mode.

3. Integrate your Firewalla

• Connect your Firewalla to the port from your Fritz!Box you set into Bridge-Mode
• Your Firewalla should be in Router-Mode.
• Connect it to the WAN-Port of your Firewalla.
• The Firewalla now should have full internet access.

I will not describe how to setup your Firewalla at all, cause there are some installation guides here available.

4. Adding another Fritz!Box as WLAN-Router

I bought a new Fritz!Box 4060 as WLAN-Router. Of cause it works with every other Fritz!Box, too, or with another brand. I tried Synology that got a lot of more features but wasn't able to provice WLAN for all of our house - even not with a second one as Access Point (AP).

Be aware: In the following description the Fritz!Box is no longer the one we setup previously, but the second one we use for secure WLAN-Networking.

• Attach your WLAN-Router to the Firewalla. I choose LAN-Port 2 from my Firewalla Gold, because LAN-Port 1 is for the ethernet-Mainnetwork and LAN-Port 3 is for the managed VLAN network.
• If your router isn't accessible don't worry. You can attach a computer to another LAN-Port from your Fritz!Box WLAN-Router.
• Login to your Fritz!Box.
• In the side menu choose Heimnetzwerk (Homenetwork) and then Netzwerk (Network). In the Top-Menu there should be a Tab "Netzwerkeinstellungen" ("Network configuration / options"). Click that!
• Now you can choose the operation mode. Set it to "IP Client". Then you choose via LAN.
• You had to setup a search domain for your Firewalla Network. This domain name is specified as "DCHP Domainname" directly following the operation mode.
• The WAN Port can be switch to LAN 4 (or howmany ports you got), so that it can be used as LAN-Port, too.
• Safe that configuration.

The Fritz!Box WLAN-Router shall now be available in your Firewalla as device. Free it from Quarantine.

5. Mesh Network

I added another access Point (I bought an Fritz!Repeater 1200 ax) so that the WLAN is better all over the house.

• It is found by the Fritz!Box WLAN-Router. You can configure that with clicking on Heimnetz ("Homenetwork)" -> Mesh
• Under "Mesh Einstellungen" (Mesh configuration) you need to setup your Fritz!Box WLAN-Router as "Mesh-Master".
• Set "Diese FRITZ!Box ist Netzwerkgerät (IP-Client) im Heimnetz eines anderen Routers." (This Fritz!Box is Network device (IP-Client) in Homenet of another Router).
• You should set the Heimnetz-Zugang ("Homenet Access") to LAN.

Finally you setup your Cable-Router, Firewall and WLAN-Router with additional Access Points.