AT&T Fiber with Arris BGW210 to Firewalla
I am on the list for the next production round of Firewalla Gold devices. So I decided to reach out and see if anyone has already configured this to work with the AT&T Arris BGW210. With the Arris you cannot turn off the router functions, so I will either need to use IP Pass-through, Cascaded Router mode, or Public Subnet mode. However, I am not sure which to use. The key point to me is that I will need to be able to do port forwarding to one of my computers.
My guess is, once I get it and fiddle around with it, I will figure it out. I just wanted to check if someone already figured it out and I could just do what they did.
Ultimately, I will also want my Google Wifi on one of the segments, which also can't effectively turn off Router functions, but I will ask about that in another post (or read another post since it probably already exists). I will want the Port forwarding to work into the Google Wifi space as well.
Check out this tutorial for google wifi https://help.firewalla.com/hc/en-us/articles/360048869274-Firewalla-Gold-Tutorial-Google-Wifi-Mesh-network-with-Gold-Beta-
There is a little trick that will allow your google wifi to act like an access point or bridge... Google, as you said, doesn't ever want to run in bridge / AP mode ... (unlike other major router manufacturers)
I believe I have figured out a workable solution.
-On your AT&T Arris box make sure DHCP is still enabled (I had mine disabled and it was causing configuration options not to be available, causing more headaches)
-You will have to figure out a way to get the MAC address for the WAN port on the Firewalla. Unsure of a good way to do this, but the way I did this was to set up Firewalla as a regular network device instead of a router at first, then using ARP to grab the MAC address. You can also get it from the Firewalla mobile app once the Firewalla is connected to your phone under settings > about. Then after saving that off somewhere, I factory reset the Firewalla back.
-On your AT&T Arris box go to Firewall > IP Passthrough. Set the passthrough mode as DHCPS-fixed. Here you will input the Firewalla MAC address. Make sure to save the changes and possibly reboot if necessary.
-You can now set up the Firewalla from scratch again and use DHCP mode.
Here is basically the same procedure (uses a netgear device, but essentially the same process)
You actually don't even need to remember the MAC address with the BGW210. Under DHCPS-Fixed, the available clients will show up in a drop-down, one of which will be the Firewalla. Choose it and save, then reboot the Firewalla (or realistically just unplug/replug the cable) so it gets the new passthrough IP.
Some questions on AT&T BGW210:
1. I initially had it in Simple mode. The porn filter was not working. Is that standard with AT&T?
2. So I followed the above and set BGW210 to DHCP-Fixed and moved Firewalla to DHCP mode. Initially it failed but then it worked. But now I get "Invalid Local Subnet" warning. Porn filter still not working.
Well I fixed it. The difference was Apple's Private Internet Relay which I disabled. I rebooted all devices, now it all seems to be working.
I am having some issues getting the BGW210 and Firewalla Gold to work for port forwarding.
My FG is in router mode. I have turned on IP Passthrough with DHCPS-fixed set for my Firewalla MAC address. The internet and DHCP functions are working. However, port forwarding is not.
My external IP address (which has been essentially static for 4 years with my BGW210) is 1xx.2xx.2xx.4x. Previously when I performed a whatismyip check I would get this IP address. However, now that I am using Firewalla as my primary router, when I perform an IP check with whatismyip, it appears my "external IP" address is: 188.8.131.52 (this is different than my LAN IP which I have set to 192.168.0.x).
Any ideas on what I'm doing wrong and why I'm not able to successfully port forward, which I think is related to why my IP address is not accurately returned on the whatismyip site?
I can confirm that I did get port forwarding to work. Let's check some other settings besides IP Passthrough and see if something else is different.
Under Home Network - Status, I see that Cascaded Router Status is Disabled, IP Passthrough Status is On (Public IP address)
Under Home Network - Subnets & DHCP, I see that DHCP Server Enable is On, Public Subnet Mode is Off, Cascaded Router Enable is Off.
Under Firewall - IP Passthrough, I see Allocation Mode is Passthrough, Passthrough Mode is DHCPS-fixed, and the Passthrough Fixed MAC Address is my Firewalla Gold. The lease is still at 10min.
Under Firewall - Advanced, I see off, on, on, off, off, on, off, on
I don't think any of the other tabs are related to Port forwarding.
If you still can't get it to work, one time I was having trouble I hard reset the modem and then went in and just changed the IP Passthrough settings and then rebooted the modem and the firewalla gold and everything worked fine.
You know, one last thing before I go. In the actual Firewalla app, are you port forwarding using "Rules" or are you going down to "Ports"? Under Rules you will see things like "Traffic from Internet / [PC Name Here], Local Port UDP XXXX / Inbound only, Always". Under Ports you will see "Ports Forwarded / [Mapping Name] / UDP XXXX / Always, forwarded as XXXX". I think the one under "Ports" is the important one for external from the internet and the "Rules" one is good for when you are doing network segmentation and you want ports to cross your segments.
Okay, I think I said too much. Let me know if any of that helped or if you already figured it out. Don't be afraid to ask more questions if this didn't help.
So thanks for that detailed settings review.
I have all my settings the way you have. Unfortunately, I am only able to get things to work if I disable IP6. So currently I have IP6 disabled on the Arris and FWG and I am able to have everything work perfectly.
Any reason I need to have IP6 enabled?
I just double checked and I have IPv6 turned on on the Arris, but I also have it turned off on the FWG. I've been in this configuration for a year plus and I have noticed no negative impact of having IPv6 turned off on my FWG.
If you are hosting any actual servers with server OSes such as Windows Server 20XX, there may be some issues, but for the rest of us, there doesn't seem to be any issues.