How to install my Firewalla Blue into my network without using either ARP poisoning or replacing my DHCP server with my Firewalla's DHCP server?
Here are the 4 mode choices on my Firewalla Blue device:
(1) Simple Mode. For long-term, reliable use, the Simple Mode (ARP poisoning) is not the best for me. It is an easy, brain-dead-simple method to install, but since the Firewalla and the real gateway are constantly fighting for the same IP address, by its very nature it doesn't catch all traffic. ARP poisoning is not consistent enough for my network's long-term use.
(2) DHCP Mode. A better mode for many, as it directs all traffic to the Firewalla box in an appropriate manner, but it forces you to use the DHCP server on the Firewalla box instead of the router's DHCP server. My network uses DHCP to push out custom configurations to specific devices, so it needs to be a full-featured DHCP server. The Firewalla appears to only hand out IP addresses, and doesn't allow custom options, static leases, changeable lease expiration, multiple address pools, etc.
(3) Limited Mode. A "limited" functionality mode that turns off the Firewalla ARP poisoning and DHCP server, but unfortunately disables filtering also. This is nearly exactly the mode I need, because it does not rely on ARP poisoning, and it disables the DHCP server. However, it appears to be intended for troubleshooting only, as it disables monitoring, one of the core reasons for using a Firewalla box.
(4) Experimental Simple Mode. A mode very similar to Simple Mode, but uses other methods to trick devices into sending packets to the Firewalla box. I have been unable to find details on these other methods.
What I need Firewalla to do is to monitor and filter all traffic that it receives. What I need Firewalla NOT to do is to attempt to configure my network to send those packets to the Firewalla device.
In other words, I would like the Firewalla to act as a 2nd gateway on my network. A host that is assigned my primary router as gateway will have a path to the Internet that is unfiltered and does not use Firewalla. Alternatively, a host that is assigned the Firewalla as gateway will send packets to the Internet through the Firewalla and thus will be subject to all the filtering, logging, and blocking that the Firewalla provides. My own DHCP server will take care of which host gets configured to which gateway.
Additionally, DNS would work the same way as just described. A host can utilize DNS from the router, or a host can use the filtered DNS provided by the Firewalla, depending solely on which DNS server has been assigned to that host.
Suggested New Mode?
(x) Gateway Mode. The Firewalla box acts simply as another gateway on the network, applying all its magic to packets that are sent to it en route to the Internet, but does not make any effort toward configuring hosts to send packets to the Firewalla. At first glance it would seem that this mode would work exactly the same as DHCP Mode with a disabled DHCP server and no private network.
Via SSH, I can disable DHCP via /home/pi/firewalla/extensions/dnsmasq.conf by commenting out each DHCP-related option. But, being outside of the application framework, this change does not survive a reboot.
Thanks for any suggestions.
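As an added example (not from the original post and not Firewalla's own code), here is how the "my own DHCP server decides which gateway and DNS each host gets" part of the proposal could be expressed if that server were dnsmasq. The interface, addresses and MAC addresses are constructed placeholders, and it assumes the Firewalla forwards traffic addressed to it (as it does in DHCP Mode) while its own DHCP server stays disabled.

```conf
# Constructed example dnsmasq DHCP configuration for the router-side DHCP
# server. Assumed LAN 192.168.1.0/24 with two gateways:
#   192.168.1.1  primary router   (unfiltered path to the Internet)
#   192.168.1.2  Firewalla        (filtered path; must have a fixed address)
interface=eth0
dhcp-range=192.168.1.100,192.168.1.199,255.255.255.0,12h

# Fixed lease for the Firewalla itself, so the filtered gateway address never
# changes. It stays untagged and therefore uses the primary router as its own
# upstream gateway (placeholder MAC).
dhcp-host=aa:bb:cc:00:00:02,192.168.1.2,firewalla

# Hosts that should be monitored and filtered: tag them "filtered" by MAC
# (placeholder MACs). Everything not listed here stays on the unfiltered path.
dhcp-host=aa:bb:cc:00:00:10,set:filtered,192.168.1.110,laptop
dhcp-host=aa:bb:cc:00:00:11,set:filtered,192.168.1.111,kids-tablet

# Defaults for untagged hosts: default gateway (option 3) and DNS (option 6)
# both point at the primary router.
dhcp-option=3,192.168.1.1
dhcp-option=6,192.168.1.1

# Overrides for tagged hosts: gateway and DNS point at the Firewalla, so only
# their traffic and name lookups pass through its filtering and logging.
# Tagged dhcp-option lines take precedence over the untagged defaults above.
dhcp-option=tag:filtered,3,192.168.1.2
dhcp-option=tag:filtered,6,192.168.1.2
```

Note that this only steers hosts that honour their DHCP lease: a device configured with a static gateway or DNS server, or one that changes its MAC, simply lands on whichever path it chooses, so this is a routing preference rather than an enforced boundary.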