Disable ARP Poisoning and DHCP Server

Follow

Ken Watson

• November 16, 2020 18:11

Overview

How to install my Firewalla Blue into my network without using either ARP poisoning or replacing my DHCP server with my Firewalla's DHCP server?

Details

Here are the 4 mode choices on my Firewalla Blue device:

(1) Simple Mode. For long-term, reliable use, the Simple Mode (arp poisoning) is not the best for me. It is an easy, brain-dead-simple method to install, but since the Firewalla and the real gateway are constantly fighting for the same IP address, by its very nature it doesn't catch all traffic. ARP poisoning is not consistent enough for my network's long-term use.

(2) DHCP Mode. A better mode for many, as it directs all traffic to the Firewalla box in an appropriate manner, but it forces you to use the DHCP server on the Firewalla box instead of the router's DHCP server. My network uses DHCP to push out custom configurations to specific devices, so needs to be a full-featured DHCP server. The Firewalla appears to only hand out IP addresses, and doesn't allow custom options, static leases, changeable lease expiration, multiple address pools, etc.

(3) Limited Mode. A "limited" functionality mode that turns off the Firewalla arp poisoning and DHCP server, but unfortunately disables filtering also. This is nearly exactly the mode I need, because it does not rely on ARP poisoning, and it disables the DHCP server. However, it appears to be intended for troubleshooting only, as it disables monitoring, one of the core reasons for using a Firewalla box.

(4) Experimental Simple Mode. A mode very similar to Simple Mode, but uses other methods to trick devices into sending packets to the Firewalla box. I have been unable to find details on these other methods.

Problem

What I need Firewalla to do is to monitor and filter all traffic that it receives, What I need Firewalla NOT to do is to attempt to configure my network to send those packets to the Firewalla device.

In other words, I would like the Firewalla to act as a 2nd gateway on my network. A host that is assigned my primary router as gateway will have a path to the Internet that is unfiltered and does not use Firewalla. Alternatively, a host that is assigned the Firewalla as gateway will send send packets to the Internet through the Firewalla and thus will be subject to all the filtering, logging, blocking that the Firewalla provides. My own DHCP server will take care of which host gets configured to which gateway.

Additionally, DNS would work the same way as just described. A host can utilize DNS from the router, or a host can use the filtered DNS provided by the Firewalla, depending solely on what DNS server that host has been assigned to the host.

Suggested New Mode?

(x) Gateway Mode. The Firewalla box acts simply as another gateway on the network, applying all its magic to packets that are sent to it en route to the Internet, but does not make any effort toward configuring hosts to send packets to the Firewalla. At first glance it would seem that this mode would work exactly the same as DHCP Mode with a disabled DHCP server and no private network.

Via SSH, I can disable DHCP via /home/pi/firewalla/extensions/dnsmasq.conf by commenting out each DHCP-related option. But, being outside of the application framework, this change does not survive a reboot.

Thanks for any suggestions.

K

0

• 

  Firewalla

  • November 16, 2020 21:58

  With limited mode, I think the rules still should work once you have packets going through the system.  Did you try it? 

  0

  Comment actions Permalink
• 

  Ken Watson

  • November 16, 2020 22:21

  I thought I did. The Monitoring icon turned red, and the Ad Block and Family icons turned orange, so I didn't put much effort into trying it out. Let me check again to make sure and will post back here with the results.

  K

  0

  Comment actions Permalink
• 

  Ken Watson

  • November 20, 2020 23:16
  • Edited

  After further digging, it does appear that the Firewall rules do indeed work in Limited Mode. Given that Limited Mode still monitors the same as DHCP Mode, it is curious that Firewalla indicates otherwise in so many places.

  From my phone app:

  • "Box monitoring is off" warning message on the main page
  • "Family" icon is orange, not blue
  • "Ad Block" icon is orange, not blue
  • "Monitoring" icon says "Off" and is red

  From "How does Firewalla Intercept Traffic?" https://help.firewalla.com/hc/en-us/articles/115004292514-How-does-Firewalla-Intercept-Traffic-

  • "In this mode, Firewalla simply turns off monitoring..."

  
  From "Monitoring Mode" https://help.firewalla.com/hc/en-us/articles/115004274593-Monitoring-Mode

  • In chart, Limited Mode shows monitoring feature as disabled

  If the Firewalla device has all the same features enabled in Limited Mode as in DHCP Mode (except for the DHCP server), then why does the app and web documentation seem to say the opposite? Could it be that some feature really is not working and it has escaped my notice?

  0

  Comment actions Permalink
• 

  Firewalla

  • November 21, 2020 00:11

  this is because in limited mode, there is no automatic way for users to divert traffic to firewalla.  Hence, it is disabled.  If you manually send stuff over ... then it will work.

  0

  Comment actions Permalink

Please sign in to leave a comment.