Segmentation, Different Subnets, NO VLANs, Double Nat

Comments

5 comments

  • Firewalla

    The only way you can do it is via Firewalla's bridge mode, but that will require your WiFi to run behind the Firewalla (you can't have WiFi running via the XB8). Please see https://help.firewalla.com/hc/en-us/articles/1500012304202-Firewalla-Transparent-Bridge-Mode

  • Fitzgibbon, John

    Ok thank you for the response. I’m a bit confused.
    Are you saying that the fact that the WiFi cannot come from the XB8 before the Firewalla is unique to the FW unit? For example, I don’t need the FW to monitor the traffic going to and from the IOTs. I guess kind of like a DMZ. I find that no matter what I do (again, VLANs aside) the only way to successfully set up my IOT devices is by using the XB8’s WiFi.

    Is it because the FW will not connect to the internet with a Private IP?

    What about something like, let’s say, the new Arris DOCSIS 3.1 modem — then Firewalla — then an AP for IOT devices that sits in a DMZ, and then behind it another firewall or router that gets its internet from the DMZ? This way there’s a dual-firewall DMZ with the IOT devices allowed to do whatever they want. Restricting them only causes connection issues. Then you have another firewall, or OPNsense appliance, or idk, ASUS router, and then behind that is your real private network with a different subnet and obviously a different private IP. And then your own private AP or WiFi as well.

    Is a setup like this doable at all or possible with just the XB8 and FWG? I know the XB8 had a DMZ option.

  • Firewalla Team

    Xfinity ISP 2k Plan — XB8 in Router mode with WiFi enabled — Use only XB8’s WiFi for IOT devices

    Xfinity ISP 2k Plan — XB8 in Router mode - Firewalla Gold Plus in Router Mode — Possible Switch for additional Ethernet connections

    Your goal is:

    Use the XB8 and the Xfinity App to control and organize the IOT Devices

    Let Gold Plus manage those devices connecting behind the switch.

    Not allow IOT Devices to access other devices behind the switch.

    This plan is doable if you don't need Gold Plus to control IOT devices. Gold Plus will block inbound traffic by default, which means IOT devices can't access other devices behind Gold Plus.

    Please be aware that other devices connecting to the switch will be in double NAT. If you don't need to open a port, there is no need to set up a DMZ.

  • Fitzgibbon, John

    I do for the most part understand your point and recommended configuration. The biggest issue as I somewhat mentioned/hinted at previously is if you use anything other than the XB8’s WiFi for “WiFi”, the Xfinity app will not recognize these devices.

    Albeit, I have not tried FWG in Bridge/Transparent mode, so maybe that will make a difference, but correct me if I’m wrong, please:

    You are saying keep the XB8 in Router mode, but since you don’t want the XB8’s WiFi before the FW, disable all the WiFi on the XB8. Therefore, the XB8 is not in Bridge mode; however, it also will not broadcast WiFi.

    Then have the FWG connected in its Bridge mode with a switch behind it and AP behind that to allow only IOT connections on that AP.

    The problem is going to be when the XB8’s WiFi is turned off and kept in router mode, or the XB8 is changed to Bridge mode: Xfinity knows their device is not broadcasting any WiFi and will therefore not show anything connected to a separate AP set up way behind the XB8. At least that is my understanding.

  • Firewalla Team

    If you need the XB8’s WiFi, it must work as a router. If you want to control some local traffic, FWG needs to work in router mode and manage a separate local network (the one for devices connected to the switch). If you want both, your original post should work. The disadvantage is that your wired devices will be in double NAT. FWG can only see and control those devices connected to the switch; the XB can only see WiFi devices and the FWG.

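As an added illustration (not from the thread, and not Firewalla's own code), a small Python model of the layout the Firewalla Team describes: the Gold Plus acting as a stateful NAT router whose WAN side is just another client on the XB8's LAN, with its own separate subnet for the wired devices behind the switch. All addresses, ports and the "IoT device" are constructed for the example; the point it shows is why "blocks inbound by default" plus double NAT means wired devices can reach IoT devices but not the reverse.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

class NatRouter:
    """Stateful NAT router with a default policy of dropping unsolicited
    inbound traffic. Inside -> outside packets are masqueraded behind wan_ip
    and the flow is recorded; outside -> inside packets are accepted only
    when they match a recorded flow (the 'blocks inbound by default' rule)."""
    def __init__(self, lan, wan_ip):
        self.lan, self.wan_ip = ip_network(lan), wan_ip
        self.out_map = {}   # (src, sport, dst, dport) -> translated WAN port
        self.in_map = {}    # (WAN port, peer ip, peer port) -> (src, sport)
        self.next_port = 40000

    def forward(self, pkt):
        """Return the translated packet, or None if the router drops it."""
        if ip_address(pkt.src) in self.lan:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key not in self.out_map:          # new outbound flow: SNAT it
                self.out_map[key] = self.next_port
                self.in_map[(self.next_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
                self.next_port += 1
            return replace(pkt, src=self.wan_ip, sport=self.out_map[key])
        inner = self.in_map.get((pkt.dport, pkt.src, pkt.sport))
        if pkt.dst != self.wan_ip or inner is None:
            return None                          # unsolicited inbound: dropped
        return replace(pkt, dst=inner[0], dport=inner[1])

# Constructed topology: XB8 owns 192.168.1.0/24 (IoT on its WiFi); the Gold
# Plus is 192.168.1.2 on that LAN and routes 192.168.2.0/24 behind the switch.
FWG = NatRouter("192.168.2.0/24", "192.168.1.2")

def wired_to_iot():
    """A wired device behind the switch opens a connection to an IoT device;
    the reply is let back in because conntrack remembers the flow."""
    out = FWG.forward(Packet("192.168.2.10", "192.168.1.50", 51000, 443))
    back = FWG.forward(Packet("192.168.1.50", out.src, 443, out.sport))
    return out.src, back.dst

def iot_to_wired():
    """An IoT device on XB8 WiFi tries to reach the wired side. It can only
    address the FWG's WAN IP (the XB8 has no route to 192.168.2.0/24), and
    without a matching flow the FWG drops it."""
    return FWG.forward(Packet("192.168.1.50", "192.168.1.2", 5555, 22))
```

Port forwarding or a DMZ entry on the FWG would be exactly what punches a hole in this default, which is why the Team notes you only need it if you must open a port.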
