Site to Site VPN
Is it possible to set up a site-to-site VPN between a firewalla and a non firewalla firewall?
-
I have to say, this is an unacceptable answer. I paid many hundreds of dollars for what I thought was the best solution on the market. Now I find out that the $25 Mango router I recently bought is more capable as a VPN device.
Everything is there on the firewalla, but because of the iptables abstraction, I can't figure out the last piece of the puzzle. I just need forwarding working over the wg0 interface. Why is this so difficult?
-
Here is the updated answer: as of 9/6/2025, we now support IPSEC VPN via https://help.firewalla.com/hc/en-us/articles/4409866753427-Firewalla-Managed-Security-Portal-Introduction#h_01JZJTWQGQHASDMHFS41VF4DSP
-
So, the answer to complexity is to charge for a service? All my research points to wireguard being the superior VPN technology. Just as secure as IPSEC and performs up to 20% faster.
The only piece of the puzzle I need answers for is how to configure iptables to forward packets through the wireguard interface. Is the cli documented for making those changes in a way that survives the router being rebooted?
-
The reason is, due to how IPSEC can be configured, a web interface is required. This is why the MSP is there.
If you are talking about WireGuard site to site, firewalla does support it already, see https://help.firewalla.com/hc/en-us/articles/5515850433683-Firewalla-Site-to-Site-VPN
If you want WireGuard site to site with another box (that's not firewalla) you will have to manually do the routes.
-
How did you set up routes on Firewalla? You can follow Firewalla Policy & Content Based Routing. If you still have issues, you can contact help@firewalla.com with more details so we can understand your setup better.
-
Just to help others: after a dozen exchanges with help@firewalla.com, nothing even resembling a solution to my problem was ever offered. I couldn't even get help setting up a static route to a dedicated wireguard VM that would work for devices in my network. Oddly, the firewalla itself could ping devices in the other site, but when presented with a packet destined for the remote network, I could not figure out what happened to the packet; it was never delivered to the locally connected wireguard VM for routing across to the other site.
I have given up on firewalla. I already had omada access points, so I capitulated and bought a VPN gateway for ~$100. Solved my issue, though not without some more trial and error (Omada controller doesn't support wireguard very well).
I really, really wanted to keep using my firewalla gold se, but in the end, I don't have time for the friction involved. I suspect eventually, Omada will leave me disappointed as well, but I am of an age where most things do.
-
My ticket was related to static routing (and as it turns out policy routing). It was an attempt to work around the inexplicable refusal to support wireguard Site to Site with anything other than another Firewalla device. It is relatively trivial to improve the wireguard support simply by allowing the user to specify the remote subnets for setting in the AllowedIPs field in the wireguard configuration file.
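As an added illustration of the two points raised above (a non-Firewalla WireGuard peer needs the routes done manually, and the remote subnets belong in the peer's AllowedIPs), here is a constructed wg-quick configuration for one side of such a tunnel; it is not Firewalla's code and not from any poster in this thread. The subnets, the LAN interface name (eth0), the endpoint hostname and the key placeholders are all assumptions.

```ini
# /etc/wireguard/wg0.conf for site A (constructed example, not from the thread)
# Assumed addressing (placeholders):
#   site A LAN 192.168.1.0/24, tunnel address 10.99.0.1/24, LAN interface eth0
#   site B LAN 192.168.2.0/24, tunnel address 10.99.0.2/24
#   site B reachable at remote.example.net:51820
[Interface]
Address = 10.99.0.1/24
ListenPort = 51820
PrivateKey = <SITE_A_PRIVATE_KEY>
# Routing between the two LANs needs IPv4 forwarding on the gateway.
PreUp = sysctl -w net.ipv4.ip_forward=1
# Permit forwarding only between the two LANs across the tunnel, nothing else.
# wg-quick installs a kernel route for every AllowedIPs prefix when wg0 comes up,
# so no separate static route is needed on a plain Linux host.
PostUp = iptables -A FORWARD -i eth0 -o wg0 -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
PostUp = iptables -A FORWARD -i wg0 -o eth0 -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT
PostDown = iptables -D FORWARD -i eth0 -o wg0 -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o eth0 -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT

[Peer]
PublicKey = <SITE_B_PUBLIC_KEY>
PresharedKey = <OPTIONAL_PRESHARED_KEY>
Endpoint = remote.example.net:51820
# The remote tunnel address plus the remote LAN: this is the "remote subnets"
# setting the last comment asks for. WireGuard also uses AllowedIPs as a source
# filter, so packets arriving from site B with any other source are dropped.
AllowedIPs = 10.99.0.2/32, 192.168.2.0/24
# Keeps the tunnel open through NAT so site B can initiate traffic as well.
PersistentKeepalive = 25
```

Site B mirrors this with the subnets swapped; after `wg-quick up wg0`, `ip route get 192.168.2.10` should show `dev wg0` and `wg show wg0 latest-handshakes` a recent timestamp. As the thread notes, Firewalla manages iptables itself, so rules added this way may be reordered or lost, and the open question of surviving a reboot is not answered by this example.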