Setting up multi-network (gold) with Mesh Router

Comments

16 comments

  • Scott Chapman

    OK, doing a little more reading on Eeros, it appears they have no VLAN support whatsoever; they actually do MAC address isolation to support their guest network.

    I presume I can actually do something similar with the Gold? That might at least be able to give me the moral equivalent of a separate IoT network (setting up device specific rules). 

    Is there any concept of device profiles that would help me here?

    0
  • Firewalla

    You can do it this way:

    Change Eero to bridge mode and create a guest network. All the guest network traffic will come from the eero nodes; based on this, you can apply policies (such as rate limit, no adult content ...).

    1
  • Scott Chapman

    Thanks for the quick response, I appreciate the help thinking through this...

    So, not sure how that would actually work. The eero would be using a single SSID and would be coming into the FWG on a single port. So everything will come in on the same network.

    0
  • Firewalla

    Here is my understanding.

    1. When the eero is in bridge mode, you can create a guest network that will have a new SSID, say "guest".

    2. All the "SSID guest" traffic will have the source IP as the eero unit.

    3. To apply policy to SSID guest, you just need to apply policy to the Eero IP (tap on Devices -> [find eero device] -> [turn on porn block, for example]); it will be applied to all guest traffic.

    0
  • Scott Chapman

    Hmmm... Interesting. I assume that would also work if I wanted to set up an isolated IoT network instead.

    I'm actually considering swapping my eero Pro 6 for a TP-Link Deco X60 mesh network (less than half the price) since I really only need an AP...

    Do you happen to know anything about how the TP-Link devices work in this scenario?

    0
  • Firewalla

    We did a posting on the X60 and eero Pro 6 before; we like both. The X60 (Costco version) is decent and the price point is perfect (around $200). And it works nicely with Firewalla Gold in AP mode. We did not test this unit's guest access in AP mode, so not sure if it will work the same way as the eero.

    The eero WiFi 6 is definitely faster, and in our unofficial test it is likely to have a better range. Plus we know the eero support is really good.

    If you need the best value for the $, TP-Link is good. But if you have a few extra $, eero is not bad either.

    0
  • Scott Chapman

    Ya! I actually saw your post on it!

    I've read that the X60 isn't great if you need to do WiFi mesh. Good news is that I am able to do wired backhaul.

    In your testing, were you wired or WiFi for backhaul?

    0
  • Scott Chapman

    Oh! In what you were saying above about how the Eero guest network works, it sounds like the eero is still doing DHCP for the guest network even though it is in bridge mode?

    0
  • Firewalla

    Yes, in bridge mode, the guest network is behind a NAT inside the eero. This is the reason you see guest traffic coming from the eero to Firewalla and ... Firewalla can control it just by keying on the eero node.

    0
  • Scott Chapman

    Gotcha, thanks!

    In your testing (where you ended up with eero being definitely faster than TP-Link), what kind of backhaul were you using? Wired or WiFi?

    0
  • Firewalla

    We did not use ethernet backhaul. (Without it, the performance is still very good.)

    Backhaul is a bit tough on wiring in bridge mode. With Eero, for example, all the satellites will need to be wired to the Eero main unit (or a switch connecting to it). I think TP-Link is the same.

    1
  • Scott Chapman

    Yea, I've read the TP-Link is pretty slow in WiFi backhaul.

    As far as wiring goes, I was planning on adopting the recommended wiring for Eero; essentially ONT -> FWG -> Eero (with everything downstream from that).

    Will the above suggestion on the guest network still work with that wiring? Seems like all devices will look like they are coming from the Eero?

    0
  • IHaveABigNetwork

    Yes it will. That's how I use them.

    1
  • Scott Chapman

    OK, cool. I'll give it a shot once mine arrives (hopefully it will ship soon! ;-) )

    0
  • Andrew Trieger

    Curious if this ended up working. My setup is Firewalla Purple as main router, wired to the main Eero. Then the "inside" of the network goes from the 2nd port of that main eero to a gigabit switch and the rest of the house, which has 3 more eeros (so backhaul is ethernet) and 2 wireless eeros, backhaul is WiFi. Eeros in bridge mode.

    Firewalla: quarantine is on; if someone joins the main network and happens to know my weak password, they're isolated.

    Turn on the guest network ON EERO; it makes MyNetGuest and does DHCP/NAT on the eero for me in the 192.168.11.x subnet, when my main network is 172.x.x.x. The eero, as I say, does the NAT and then puts the packet on the network with its own source IP, so to the Firewalla it looks like the eero is doing the traffic, which is then allowed by the quarantine.

    However, I only do this for large gatherings, temporarily, because it's definitely double NAT to the Net and I don't like the traffic having to be isolated by MAC address, which guests can and do change, and then it falls outside any groupings. So I just turn it on, don't care about that traffic for a few days when folks are around or visiting, and turn off the guest network. I also am concerned about doing any restrictions on the IPs of the eeros; that could screw up their inter-communication or their own needs to the Net... By MAC address wouldn't affect them, but then clients can easily fall out of that pool.

    For longer-running IoT subnets or anything else, I do it entirely with the Firewalla: create a new subnet in the app, have an IoT device join the main SSID and then place that MAC address into that subnet on Firewalla. (I don't know how to have TWO SSIDs broadcast from the same eeros, if that's even possible.) If the device ever changes its MAC address it will be quarantined, so it won't work, but at least I'll know. Mostly only phones automatically change virtual MAC addresses.

    The end result is:

    main network - you need to know the password, but many do. If they haven't been here in a while or I removed them from Firewalla and they join, they're quarantined, reliably.

    guest network - short-lived. Just turn on in the eero app, done. Phones/guests automatically join the password-less MainNetGuest network; traffic is allowed by Firewalla, but as the eeros are doing the NAT they don't allow anything destined for the local subnet (like file servers, TVs, audio players). After a gathering, I turn it off. You could leave it on, it's not insecure, I just don't like to.

    iot or other networks - long-lived. Create in Firewalla, device joins, Firewalla manually places it in the new network. Works forever; if the device changes MAC addr it gets quarantined. Friends whose devices I allow to the main network past quarantine still work, as the default is the Main network, so a friend who wants to stream to my Apple TV, say.

    0
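As an added example (not code from the thread, from Firewalla or from eero), here is a small Python model of the two mechanisms described in Firewalla's bridge-mode explanation and in Andrew's setup above: guest traffic NATed behind the eero's own IP, and IoT devices grouped by MAC with unknown MACs falling into quarantine. All IPs, MACs and policy names are constructed; the model also shows the caveat that a policy keyed on the eero's IP cannot tell guest traffic apart from the node's own traffic.

```python
# Added example: a model of what the router sees when (a) a bridge-mode mesh
# node NATs its guest SSID behind its own IP and (b) IoT devices are placed in
# a subnet by MAC. Constructed addresses mirror the thread (172.x main, 192.168.11.x guest).
from dataclasses import dataclass, field

EERO_IP, EERO_MAC = "172.16.0.2", "aa:bb:cc:00:00:01"   # constructed mesh node
GUEST_PREFIX = "192.168.11."


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str


def eero_guest_nat(pkt: Packet) -> Packet:
    """Bridge-mode guest SSID: clients get 192.168.11.x and are NATed, so the
    router only ever sees the eero's own IP and MAC as the source."""
    if pkt.src_ip.startswith(GUEST_PREFIX):
        return Packet(EERO_IP, EERO_MAC)
    return pkt  # main-SSID clients are bridged through unchanged


@dataclass
class Router:
    known_macs: set          # devices already admitted past quarantine
    iot_macs: set            # MACs manually placed into the IoT subnet
    ip_policies: dict = field(default_factory=dict)  # src IP -> policy name

    def classify(self, pkt: Packet) -> str:
        """Lookup order used in the thread: a policy keyed on the node's IP
        wins, then MAC-based group membership, otherwise quarantine."""
        if pkt.src_ip in self.ip_policies:
            return self.ip_policies[pkt.src_ip]
        if pkt.src_mac in self.iot_macs:
            return "iot-subnet"
        if pkt.src_mac in self.known_macs:
            return "main"
        return "quarantine"  # unknown MAC, e.g. a phone that randomized it


def demo() -> dict:
    router = Router(known_macs={"de:ad:be:ef:00:01"}, iot_macs={"10:20:30:40:50:60"},
                    ip_policies={EERO_IP: "guest-policy"})
    cases = {
        "guest client": Packet("192.168.11.7", "ca:fe:00:00:00:07"),
        "eero itself": Packet(EERO_IP, EERO_MAC),          # node's own traffic
        "iot device": Packet("172.16.0.40", "10:20:30:40:50:60"),
        "iot mac changed": Packet("172.16.0.40", "10:20:30:40:50:61"),
        "admitted laptop": Packet("172.16.0.50", "de:ad:be:ef:00:01"),
    }
    return {name: router.classify(eero_guest_nat(p)) for name, p in cases.items()}
```

Calling demo() shows the guest client and the eero's own traffic landing on the same policy, which is the concern raised about restricting the eero IPs.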
  • Scott Chapman

    I see, interesting. So basically everything in your house is connected directly (wifi or wired) to your Eero network, then Eero -> FWG -> WAN?

    I was kind of hoping I could do VLAN tagging or something similar with the WiFi so that the FWG could identify the traffic on the IoT SSID and quarantine it?

    0