Firewalla Gold as a Router
Just upgraded from a Blue to Gold. While I'd intended to run the Gold in standalone router mode, I'm not yet sure it's ready for prime-time.
In particular, port-forwarding is constrained to the primary interface (WAN IP), and doesn't seem to account for multiple addresses -- irrespective of WAN netmask. E.g., I have a /24 IANA-assigned address space, static, coming into the router, and need to be able to specify the WAN IP/port as a source, along with an internal (LAN) IP/port in order to route traffic appropriately.
If I'm running 5 mail servers, each has a unique WAN IP (via external DNS), and each would -- as an example -- need a different IP/port binding for SMTP (TCP-25). No way to do that in the current app; at least not that I've discovered. I'm sure I could muck around with the Gold's route-rules and fake it, but that sort of defeats the multi-faceted purpose of the Gold; routing + protection.
So, the Blue-to-Gold replacement is limited to Simple-mode at the moment, until the capabilities are enhanced.
-
Yes. I have 254 static (IANA-assigned) addresses assigned by my service-provider on the WAN side. For each of those WAN addresses, I need to -- at a minimum -- be able to specify a WAN IP/port (unable to do so today) that maps to a LAN IP/port for port-forwarding. That will handle many of my pseudo-routing needs (as a poor-man's route-table) via port-forwarding.
I get that LAN IP/port assignment is available today, but with Gold not recognizing that I have 254 addresses on the WAN side, in the current app, I cannot specify the inbound IP in port-forwarding.
As an example, I have public DNS records that have an email server on a WAN address of XX.XX.XX.50, and another on XX.XX.XX.51 for 2 different domains. For obvious reasons of DNS records (DKIM, SPF records, ARP, separation, etc.) these have to be separated. So then, I have 2 mail servers that are handling each domain. On the internal LAN, they are 2 different physical machines; subsequently 2 different IP addresses. Unless I can specify a port-forward from WAN XX.XX.XX.50 port 25 to LAN XX.XX.XX.125 port 25 AND a WAN XX.XX.XX.51 port 25 to LAN XX.XX.XX.126, port-forwarding is not useful.
I get that these would be 2 distinct port-forward rules, but again, being unable to specify the WAN IP/port it's not possible.
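The two destination-specific forwards described above, as an added example that is not from this thread or from Firewalla's own code: it assumes a Linux iptables NAT in front of the mail hosts and uses constructed documentation addresses (203.0.113.0/24 standing in for the WAN block, 192.168.1.0/24 for the LAN), emitting the rules rather than applying them.

```python
import ipaddress

# Constructed sample: a /24 WAN block like the poster's and two mail hosts
# (documentation prefixes, not real addresses).
WAN_PREFIX = ipaddress.ip_network("203.0.113.0/24")
FORWARDS = [
    # (wan_ip, wan_port, lan_ip, lan_port, proto)
    ("203.0.113.50", 25, "192.168.1.125", 25, "tcp"),
    ("203.0.113.51", 25, "192.168.1.126", 25, "tcp"),
]


def build_forwards(forwards, wan_prefix=WAN_PREFIX, wan_if="eth0"):
    """Return iptables commands implementing per-WAN-IP port forwards.

    Each forward matches on the *destination* public address, so two rules
    for TCP/25 coexist as long as they target different WAN IPs. A WAN IP
    outside the assigned block or a duplicate (wan_ip, proto, wan_port) key
    is rejected, since the second such rule would silently shadow the first.
    """
    seen = set()
    cmds = []
    for wan_ip, wan_port, lan_ip, lan_port, proto in forwards:
        wan = ipaddress.ip_address(wan_ip)
        lan = ipaddress.ip_address(lan_ip)
        if wan not in wan_prefix:
            raise ValueError(f"{wan} is outside WAN block {wan_prefix}")
        if not (0 < wan_port < 65536 and 0 < lan_port < 65536):
            raise ValueError("port out of range")
        key = (wan, proto, wan_port)
        if key in seen:
            raise ValueError(f"duplicate forward for {wan}:{wan_port}/{proto}")
        seen.add(key)
        # DNAT: rewrite the destination only for packets addressed to this WAN IP.
        cmds.append(
            f"iptables -t nat -A PREROUTING -i {wan_if} -d {wan} -p {proto} "
            f"--dport {wan_port} -j DNAT --to-destination {lan}:{lan_port}"
        )
        # FORWARD: permit just the rewritten flow, nothing broader.
        cmds.append(
            f"iptables -A FORWARD -i {wan_if} -d {lan} -p {proto} "
            f"--dport {lan_port} -m conntrack --ctstate NEW -j ACCEPT"
        )
    return cmds


if __name__ == "__main__":
    for cmd in build_forwards(FORWARDS):
        print(cmd)
```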
-
No redundancy needed at the moment; e.g., delegating one of ports 1-3 as a WAN port. However, looking forward to that when it comes out.
Agreed that I’m atypical as a residential customer. I have a reasonably-sized data center in my house (independent power, cooling, etc.), and have always carried a /24 static address space since 1995.
That said, I have to believe that there are many more than one of ‘me’ that have more than a single static (IANA public) address. Moreover, many small businesses that I frequent have a similar setup (2+ IANA-assigned public IP addresses), which makes it difficult for me to be an all-in advocate for Firewalla Gold as a standalone router solution.
This configuration is probably much more prevalent than you think in the small/medium business (SMB) world. Further, many SMB owners that I’ve talked to have 1G reciprocal circuits — meaning that they probably have Ethernet encapsulation, rather than MOCA. So, Ethernet cable plugged directly into the Gold (BTW, that’s what I tried in my own home network, and it worked *great* until I ran into the limited routing / port-forwarding problem.)
Again, Gold works really well in Simple mode, and is a great — and highly responsive — substitute for the replaced ‘Blue’ model. There are simply some basic capabilities that are needed to sell to an SMB / Advanced-SOHO market; e.g., advanced routing and/or pinholes and multi-dimensioned port-forwarding.
Also, the inability to specify the local LAN DNS space as anything other than ‘.lan’ is a problem for many of these SMBs — which I’ve described in another thread.
So then, absent these capabilities, I cannot be an advocate for the Gold in ‘router’ mode. Great product — and I’ve been an early adopter — but in the current environment, it’s simply a faster “Blue”.