Best way to set up my new network
First off, my ISP is Xfinity and I have the Gigabit service plan (1200 Mb/s+). I have the new NETGEAR Nighthawk AX6000 DOCSIS 3.1 WiFi 6 Cable Modem/Router combo (CAX80 model) with an added Antivirus Protection NETGEAR Armor subscription. I am going to have it on one end of the house and then run two 100' Cat 8 ethernet cables under the house connecting a secondary router together in their two respective Link Aggregation ports which is a feature on both units and will obviously be enabled on both units. The secondary router is the NETGEAR Nighthawk X10 AD7200 R9000 Smart WiFi Router flashed with DD-WRT firmware. This router will be set in AP Mode. Finally, I have the Firewalla Gold unit which I purchased for additional and maximum security. My question is which is the best way to go about successfully installing this setup with the Firewalla Gold unit? Please feel free to leave any advice, comments, questions or criticisms. Thank you for any help and your time in advance.
So you are only going to get a 1 Gb connection this way. If you can find a modem that supports LAG, it creates a single interface using one IP to FWG. https://forums.xfinity.com/conversations/your-home-network/wan-aggregation/602db156c5375f08cd4d3533
For example, SB8200 https://arris.secure.force.com/consumers/articles/General_FAQs/SB8200-Link-Aggregation-Setup
So SB8200 (two cables) > ports 3&4 Gold (router mode) WAN LAG
FW ports 1&2 LAN LAG > NETGEAR Nighthawk X10 AD7200 R9000 Smart WiFi Router. I will enable Link Aggregation mode on this router as well and switch this router to AP mode. Then connect the Firewalla Gold device to the NETGEAR router via their two Link Aggregation Ethernet ports using two Cat8 Ethernet cables.
Personally, I think putting everything through a VPN is unnecessary. There may be specific things you want through a VPN and you can use PBR for that. But to each their own.
I assume you want the Nighthawk AX6000 because of the additional connection speed?
- Given what you outlined, you could use Gold in DHCP mode. Also see DHCP Setup.
- You could also use the AX6000 in bridge mode and Firewalla in Router mode. The down side is then only the AD7200 would provide Wi-Fi.
Yes, so ideally I think I would like to use the Firewalla unit in Router mode as that would provide me the best security. However, even though the Firewalla unit supports quite fast speeds it still isn’t as fast as either of the other units I have. And yes I also don’t want to disable the wireless capabilities of the primary unit (NETGEAR Nighthawk AX6000 DOCSIS 3.1 WiFi 6 Cable Modem/Router combo (CAX80 model).
What I am trying to achieve is this:
Primary unit (AX6000 cable modem/ router combo) will go at one end of the house, closest to the incoming coaxial cable from outside. The secondary unit (AD7200 R9000, purely a router with wireless capabilities) will go at the other end of the house. Both support Link Aggregation (which increases overall speeds) by connecting two Ethernet cables to the two specifically labeled ports on the devices. So I have two 100’ Ethernet cables that I will run under the house to connect the two units together. The Link Aggregation feature uses two Ethernet ports on each device.
The secondary Router I flashed with DD-WRT firmware to make it faster and more powerful, especially with WiFi. And that’s the goal on both ends of the house with this setup. WiFi that is faster and covers more dead spots. In addition, I will run a VPN like ExpressVPN on the secondary router to encrypt the entire network. Finally, this secondary router will be set to AP Mode so the primary cable modem/router combo will handle all the routing.
I guess I’m thinking I should put the Firewalla Gold in DHCP or Simple mode and just plug it in to a regular Ethernet port. The question is, which device do I plug it into if I go that route? The primary cable modem/router device or the secondary device which is the router in AP mode?
So, if ideally you want it in Router mode, you could buy a modem (Nighthawk CM1100 ~$115), Then go Modem-> Firewalla-> AX6000->R9000, with both the AX6000 and R9000 in AP mode. The downside is I think in AP mode you'll lose the Netgear Armor use (at least I assume you would).
You could also do as Michael Bierman said above (2), and buy a cheap WiFi 6 AP, but again I think you'd lose the Netgear Armor.
So the DHCP or Simple mode may be what you want if you want to keep Netgear Armor and Firewalla. In that case, you'd plug it into the main router, and DHCP mode would probably be preferred.
Ok yes. Thank you both for the responses. They’re much appreciated. And so yes, I would like to have both the Netgear Armor protection as well as the Firewalla security. That being said, as much as I would like to use the Firewalla in Router Mode the hardware I have isn’t returnable and I’m not interested in buying any additional devices. So that means the primary device does have to be the Router while the Firewalla can’t. I do have a question about double NAT. If I hook the Firewalla device up to the primary router in DHCP mode, should I turn one of the NATs off in either device and if so, which one?
You'd turn off DHCP on the one acting as a router.
For NAT, your router would be doing network translation (as normal), so say you have an outside IP of 18.104.22.168. Internally the DHCP server "hands out" IP addresses of say 10.10.0.1-10.10.0.254. When device 10.10.0.X wants to go to google, the router keeps a table (NAT) that says "hey device 10.10.0.x just sent out a request to google, I told google to respond on port xxx, when I get a response from google on that port, I need to send it to 10.10.0.x."
With a double NAT your router sees Firewalla with an IP address (say 10.10.0.1), but then the Firewalla will hand out IP addresses to everything else, so instead of the device getting an IP of 10.10.0.x maybe you tell it to use 10.10.10.x.
So now device 10.10.10.x wants to go to google, it hits the Firewalla which stores the info in the NAT "when I hear back from Google on port xxx it goes to 10.10.10.x", then it goes to the Router, which also has to put the info in its table (NAT) but it sees it as "I got a request from 10.10.0.1 (firewalla) for Google, when i hear back I'll send it to Firewalla" (which then sends it back to the device).
Once the response is "internal" no other translation is needed, since the "other" router doesn't do any translations (but there's nothing to turn off as it's in AP mode).
I've heard from Network guys that double NAT is "bad" and maybe if it can be avoided it should be, but I've never gotten a good reason why it's bad. I know there are some routers that have "small" routing tables and maybe that's the reason, but I ran in a double NAT configuration for years and never had an issue, and noticed no speed or other improvement when I eventually switched to direct ethernet connection to the router, and your devices are all higher end so definitely won't have an issue.
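The double-NAT walk-through above, as an added illustration that is not part of the thread: a small simulation of two port-translating routers in series, using the thread's own example addresses (a device at 10.10.10.x behind the Firewalla, the Firewalla seen by the ISP router as 10.10.0.1). The public address 203.0.113.7, the outside host 198.51.100.10 and all port numbers are made up for the example (documentation ranges, not real hosts).

```python
"""Two NAT routers in series: outbound rewrites, reply lookups, and an
unsolicited inbound packet that matches no table entry and is dropped.
Addresses follow the forum thread's example; the public IP, the outside
host and the port numbers are constructed for this illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str


class NatRouter:
    """Port-translating NAT (NAPT) with one table for each direction."""

    def __init__(self, name, outside_ip, first_port=40000):
        self.name = name
        self.outside_ip = outside_ip
        self._next_port = first_port
        # (inside src ip, inside src port, dst ip, dst port) -> outside port
        self.outbound = {}
        # (outside port, remote ip, remote port) -> (inside src ip, inside src port)
        self.inbound = {}

    def translate_out(self, pkt):
        """Rewrite the source to this router's outside address, recording the mapping."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.outbound.get(key)
        if port is None:
            port = self._next_port
            self._next_port += 1
            self.outbound[key] = port
            self.inbound[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.outside_ip, port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def translate_in(self, pkt):
        """Reply arriving from outside: deliver to the recorded inside host, or drop."""
        entry = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None  # nothing asked for this: an unsolicited probe is dropped
        inside_ip, inside_port = entry
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.payload)


def round_trip(chain, request):
    """Push a request out through each NAT in order, then a reply back in reverse."""
    outbound = request
    for nat in chain:
        outbound = nat.translate_out(outbound)
    # The outside host answers whatever it saw on the wire (addresses swapped).
    reply = Packet(outbound.dst_ip, outbound.dst_port, outbound.src_ip, outbound.src_port, "reply")
    inbound = reply
    for nat in reversed(chain):
        inbound = nat.translate_in(inbound)
        if inbound is None:
            return outbound, None
    return outbound, inbound


def run_double_nat():
    """The thread's topology: device -> Firewalla (10.10.0.1) -> ISP router -> internet."""
    firewalla = NatRouter("Firewalla", outside_ip="10.10.0.1", first_port=40000)
    isp_router = NatRouter("ISP router", outside_ip="203.0.113.7", first_port=50000)
    request = Packet("10.10.10.25", 51000, "198.51.100.10", 443, "GET /")
    on_wire, delivered = round_trip([firewalla, isp_router], request)
    return {"firewalla": firewalla, "isp": isp_router,
            "on_wire": on_wire, "delivered": delivered}


if __name__ == "__main__":
    r = run_double_nat()
    print("seen by the outside host:", r["on_wire"])
    print("reply delivered to device:", r["delivered"])
    print("Firewalla table:", r["firewalla"].outbound)
    print("ISP router table:", r["isp"].outbound)
```

Running it prints the two tables: the Firewalla's entry is keyed on 10.10.10.25, the ISP router's entry is keyed on 10.10.0.1, which is exactly the "I got a request from 10.10.0.1 (firewalla)" view described above. Each router only translates its own hop, so neither table has to be switched off for the reply to find its way back.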
Thanks everyone for all your help and advice. After some back and forth the past couple of weeks I went ahead and was able to return the NETGEAR Nighthawk AX6000 DOCSIS 3.1 WiFi 6 Cable Modem/Router combo (CAX80 model) and the money I spent on the NETGEAR Armor subscription was refunded. So now this is what I would like to do.
The Arris S33 cable modem has two Ethernet ports, one for 2.5 Gb/s and one for 1 Gb/s. I will only be using the one 2.5 Gb/s port as I only have the one IP address from Xfinity which is their Gigabit speed.
From the Arris cable modem I will plug a single Cat8 Ethernet cable directly into the Firewalla Gold unit and put it into Router mode. It will be my only device in router mode. I also will enable Link Aggregation mode for the first two Ethernet ports.
The final device in line will be the NETGEAR Nighthawk X10 AD7200 R9000 Smart WiFi Router. I will enable Link Aggregation mode on this router as well and switch this router to AP mode. I will then connect the Firewalla Gold device to the NETGEAR router via their two Link Aggregation Ethernet ports using two Cat8 Ethernet cables.
Does this sound like a good/correct setup? Also, I want to install a VPN server connection in the Firewalla unit in order to encrypt my entire home’s network and any devices connected to it. So here is the issue I have. I own subscriptions to ExpressVPN, NordVPN and IP Vanish. Over the past few years I have wanted to try various popular ones to see the differences and which one I like best. For my purposes I believe ExpressVPN is best. They have great security, great speeds and use RAM servers so no information is stored on their servers. However, I have not setup ExpressVPN in the Firewalla Gold unit yet. Has anyone done this and/or have any advice about it? Also, if anyone wants to comment on my network build please feel free. Thank you all again.
@john re:VPN, express VPN only supports OpenVPN and their own flavor, so you can’t use WireGuard with firewalla and expressVPN.
I have used Firewalla’s VPN client with a couple of VPN providers and had no issues. Assuming that openVPN works for you, expressVPN should be just fine, but again, I would at least consider the need to send all traffic through a VPN. What is your goal? There may be better ways to accomplish it.
Thanks for your responses, especially the first one earlier today. I canceled my S33 order and ordered the SB8200. I also then made sure to do more research about Link Aggregation so I would understand why the S33, even with the faster single 2.5 Gbps port, would not get that fast of a connection through the Firewalla Gold router and then into the Netgear WiFi router in AP Mode.
So basically now, I will have the SB8200 cable modem first in line, then the Firewalla router in router mode second and last the Netgear AD7200 R9000 wireless router in AP mode. All devices will be connected to each other with two Cat8 Ethernet cables apiece to each device’s LAG ports. Link Aggregation will obviously be enabled on all 3 devices as well.
As for your question about using a VPN, my former home network was hacked into at the end of last year. I had what I thought was good security like Kaspersky Total Internet Security running on my desktop PC, a good cable modem and a top of the line ASUS router. I had always changed the admin/password on any modems and routers I’ve ever owned. Long story short, I eventually learned I actually was a clear and easy target as were many of my accounts. I won’t go into too many details but the point is that as I’m rebuilding my desktop PC with new hardware and my entire home network with new hardware, I’m trying to take advantage of every security feature available in today’s world. That’s actually how I came across the Firewalla Gold device to begin with (when researching additional security for my new home network). I guess I just feel like while a VPN server setup with my router will sacrifice some connection speed, it will give me an added layer of security on my entire home network and any device connected to it.
And also about the Policy Based vs Router Based VPN you mentioned. I’m not looking to tunnel into or access my home network when I’m away from my home. I have no need for that. I do however have a desire to have VPN servers run by companies like ExpressVPN encrypt my entire network and any device connected to it as well as protecting any internet browsing or personal/private information accessible in my network. That’s my idea regarding that type of VPN.
Good deal. I think you are still misunderstanding PBR though.
PBR is not for tunneling back to home at all. Let's say you have a WAN connection and a VPN client set up. You want to connect to work—but not over your WAN, only over your VPN. That is what PBR can do for you. Connect "this thing: (device, app, website, etc.) over this connection (VPN and not WAN) (or other way around). It is a policy about how to connect. You will need to use this even if you keep to your current plan.
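Policy-based routing as described above, as an added example that is not part of the thread or of Firewalla's software: an ordered rule table that decides, per flow, whether traffic leaves over the VPN client or over the plain WAN, keyed on the source device and on the destination (a network or a domain). The device addresses, the 198.51.100.0/24 "work" network and the intranet.example domain are made up for the illustration.

```python
"""Policy-based routing (PBR) decision table, constructed for this illustration.
Rules are evaluated in order; the first match wins; anything unmatched takes
the default egress. Addresses, networks and domains are hypothetical."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    egress: str                        # "vpn" or "wan"
    src: Optional[str] = None          # device IP or CIDR; None matches any device
    dst_net: Optional[str] = None      # destination CIDR; None matches any address
    dst_domain: Optional[str] = None   # destination name suffix; None matches any name

    def matches(self, src_ip, dst_ip, dst_name):
        if self.src and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst_net and ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst_net, strict=False):
            return False
        if self.dst_domain:
            suffix = self.dst_domain.strip(".").lower()
            name = (dst_name or "").strip(".").lower()
            if not (name == suffix or name.endswith("." + suffix)):
                return False
        return True


class PolicyRouter:
    def __init__(self, rules, default="wan"):
        self.rules = list(rules)
        self.default = default

    def egress_for(self, src_ip, dst_ip, dst_name=None):
        """Return the interface a flow should leave on, by first matching rule."""
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip, dst_name):
                return rule.egress
        return self.default


WORK_NET = "198.51.100.0/24"   # hypothetical address block of "work"


def selective_policy():
    """The case made above: only work traffic rides the VPN, everything else uses the WAN."""
    return PolicyRouter([
        Rule("vpn", src="10.10.10.50", dst_net=WORK_NET),   # the work laptop, to work servers
        Rule("vpn", src="10.10.10.51", dst_net=WORK_NET),   # a phone granted the same access
        Rule("vpn", dst_domain="intranet.example"),          # any device, matched by name
    ], default="wan")


def whole_network_policy():
    """The opposite plan: every device defaults to the VPN, with one carved-out exception.
    Order matters: the exception must come before the catch-all."""
    return PolicyRouter([
        Rule("wan", src="10.10.10.60"),                      # e.g. a device the VPN breaks
        Rule("vpn", src="10.10.10.0/24"),                    # everyone else on the LAN
    ], default="wan")


if __name__ == "__main__":
    p = selective_policy()
    print("laptop -> work server :", p.egress_for("10.10.10.50", "198.51.100.7"))
    print("laptop -> netflix     :", p.egress_for("10.10.10.50", "203.0.113.9", "netflix.com"))
    print("other pc -> work      :", p.egress_for("10.10.10.99", "198.51.100.7"))
    print("other pc -> intranet  :", p.egress_for("10.10.10.99", "203.0.113.20", "wiki.intranet.example"))
```

The second table shows why rule order is part of the policy: with the catch-all first, the exception would never be reached. A real implementation marks packets and consults per-mark routing tables rather than a Python list, but the decision being made is the same one.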
Well what you say is very true as actually “PBR” is something I had to Google when you first posted it because I wasn’t familiar with that acronym. I did read about the differences between Policy and Router Based but maybe I’m still fuzzy on exactly what details I need to know more about.
Regarding VPNs, I know you can usually have a couple of options within compatible routers that offer you to use 3rd party VPNs like ExpressVPN, Nord, etc. One option uses the VPN to allow you to remotely tunnel back to your home network securely. Another option allows you to run the VPN you’ve subscribed to so the router has to connect to their servers first before any internet activity is available for access on your home network. This is where the encryption of the total network and any devices connected to it comes in rather than just a single device running a VPN service. If I’m somewhat wrong here in my understanding please correct me.
Now, what you described and called “PBR” (Policy Based Routing) is essentially what I do have to do with my work laptop…at least I think this is what you’re talking about. I have a WiFi adapter on my company issued laptop. I can connect to a wireless network and get an internet connection however I can’t access my company’s intranet until I launch and connect through what VPN program they use (Pulse Secure). Once I do that my internet connection is protected by whatever polices/encryption my company has setup with Pulse.
Similarly, I can setup my home network with WiFi access and then any device with a wireless adapter and knowing the passcode to the WiFi connection can connect to it. Or like I do with my desktop computer (to have a faster connection), I can connect directly to the router through an Ethernet cable. Either way, I’m somewhat protected by my router’s firewall but not completely. In this instance, Xfinity openly shares my IP address as well as controlling the DNS servers my network devices are using to access the internet. If a method like DNS hijacking is used (something I believe was used on me amongst other methods), neither Xfinity nor my router nor my antivirus software would necessarily catch this. Actually Xfinity is notorious for seemingly not even caring if this is happening to their customers. I can try to combat this by manually changing what DNS servers my device’s Ethernet adapter uses through Windows software and change them to DNS server addresses like 9.9.9.9 or 149.112.112.112 to go through Quad9 for example, however Xfinity is also known for somehow overriding this particular method and still redirecting through to their DNS servers (most likely to continue to track and record customer activity). The final option is to install a VPN service and run it only from one device like say my desktop. Similarly to my work laptop scenario, once my desktop PC is connected to my home network I connect immediately to ExpressVPN and then my real IP address is hidden and all my internet activity is directed through ExpressVPN’s encrypted DNS servers. Believe it or not there are mentions of Xfinity even trying to block VPN connections but because their customers complained so much about this particular issue they seem to allow most all VPN services to be used on their internet service now.
So using a 3rd-party VPN like this will protect my desktop computer’s internet connection and activities (and prevent any DNS hijacking attempts directly against my desktop PC) but will not protect my entire network in the same manner. Perhaps though, this is where having the Firewalla device as my router adds the additional security and protection I need to as only having to use a VPN on specific devices rather than my entire network?
Sorry for the long winded posts. The past few months I have learned, and continue to learn about internet security and how often hacking and various other malicious activities occur right under our noses without most people knowing these attacks even exist and how easily even an amateur hacker can compromise most home networks. Your thoughts?
One option uses the VPN to allow you to remotely tunnel back to your home network securely.
In this case that is VPN Server. You don't need a VPN subscription for this. You connect with a device + VPN software + a Profile to your Firewalla.
Another option allows you to run the VPN you’ve subscribed to so the router has to connect to their servers first before any internet activity is available for access on your home network. This is where the encryption of the total network and any devices connected to it comes in rather than just a single device running a VPN service. If I’m somewhat wrong here in my understanding please correct me.
This is Firewalla's VPN Client. Your device will not be running any VPN. Firewalla will and you can instruct any or all traffic to use the VPN instead of your default ISP traffic.
Device > Firewalla (3rd party VPN) > Destination.
In both cases traffic is encrypted. But anytime you use https traffic is also encrypted. These are different kinds of encryption. With HTTPS, your ISP can only see the domains you visit. They can not see the contents of the traffic. That has nothing to do with network security—that is a privacy issue. If your concern is Privacy then yes, a VPN is an option or something like Apple Private Relay.
I can connect to a wireless network and get an internet connection however I can’t access my company’s intranet until I launch and connect through what VPN program they use (Pulse Secure). Once I do that my internet connection is protected by whatever polices/encryption my company has setup with Pulse.
That is not PBR. Let's say your work used an OpenVPN based VPN service. Without going through all of the trouble you just described you could say, "anytime I connect to my company servers use this VPN." With PBR you could set that for one device or for all devices. You would now automatically connect securely to your work. No one—even on your own network could see that traffic. Traffic to Netflix from the same device would not use the secure work connection so your workplace would not be able to track your personal activities. It would be like you were running VPN on the laptop without all the fuss. You could also broaden that to allow other devices (say a mobile device) the same access. This is extremely convenient. The caveat is Firewalla only supports OpenVPN and WireGuard at the moment so this may or may not be an option available to you.
...Either way, I’m somewhat protected by my router’s firewall but not completely. In this instance, Xfinity openly shares my IP address as well as controlling the DNS servers my network devices are using to access the internet.
You are confusing a lot of things here.
- XFINITY does not control your DNS. You can use any DNS provider you like. See more on this below.
- Every ISP controls your IP address. The IP CIDR range for every IP is public information. That is how networks work. Bad actors can (and do) scan IP addresses all day, every day, looking for open ports to attack. This is not unique to any ISP. This is automated and very quick and cheap. The fact that your IP address can be randomly tested is also part of how the internet works. That is why we should all have something like Firewalla to protect us and use sensible measures to protect our networks like not opening ports unless necessary and if we do need ports open for a legitimate need, wall these devices or apps off from the rest of network to protect everything else. By default, Firewalla allows zero inbound traffic so unless you mess with it, your network is secure from these probes.
- Not sure if you were referring to this, but XFINITY also uses every Wi-Fi AP they have to share Wi-Fi with their customers when they are away from home. However, those are on separate networks and unless they really screw things up should not be a concern for your home network. I know of no instance where that has been an issue. I know when I was an XFINITY customer I did not use their router (and AP) in part because I preferred not to host this.
I can try to combat this by manually changing what DNS servers my device’s Ethernet adapter uses through Windows software and change them to DNS server addresses like 9.9.9.9 or 149.112.112.112 to go through Quad9 for example, however Xfinity is also known for somehow overriding this particular method and still redirecting through to their DNS servers (most likely to continue to track and record customer activity).
If you use Firewalla's DNS you can choose your DNS provider without changing all your devices. You can also use DoH or Unbound on Firewalla which makes it impossible for an ISP to do anything at all. This has nothing to do with VPN. Both DoH and Unbound mean your ISP would have zero insight into your DNS traffic.
To an extent there is overlap between security and privacy but they are not the same thing.
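What DoH actually puts on the wire, as an added example that is not part of the thread or of Firewalla's implementation: the same DNS query that plain port-53 DNS sends in the clear is serialized in wire format, base64url-encoded and carried inside an HTTPS GET (RFC 8484), so an ISP on the path sees only a TLS connection to the resolver. The code builds that query, shows the resulting URL, and parses a constructed (not captured) answer; the resolver URL for Quad9 is the public one, the example.com answer 203.0.113.5 is made up, and no network request is made.

```python
"""DNS-over-HTTPS (RFC 8484) GET request construction and answer parsing,
standard library only, written for this illustration. The sample answer is
constructed, not captured, and nothing here touches the network."""
import base64
import struct

QUAD9_DOH = "https://dns.quad9.net/dns-query"


def build_query(name, qtype=1):
    """Wire-format DNS query: header (ID 0 as RFC 8484 suggests, RD set) + one question."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # qclass IN


def doh_get_url(name, resolver=QUAD9_DOH):
    """RFC 8484 GET form: ?dns=<base64url of the wire query, padding stripped>."""
    encoded = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={encoded}"


def decode_dns_param(url):
    """Inverse of doh_get_url: recover the wire query from the URL (re-adds padding)."""
    param = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def _read_name(msg, off):
    """Read a possibly compressed name; return (name, offset just past it in the stream)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                        # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_answers(msg):
    """Return [(name, type, ttl, rdata)] for the answer section of a wire-format reply."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):                              # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                     # A record
            answers.append((name, "A", ttl, ".".join(str(b) for b in rdata)))
        else:
            answers.append((name, rtype, ttl, rdata.hex()))
    return answers


def sample_response():
    """Constructed reply to the example.com query: flags 0x8180, one A record (203.0.113.5),
    with the owner name compressed as a pointer to the question at offset 12."""
    query = build_query("example.com")
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 5])
    return header + query[12:] + answer


if __name__ == "__main__":
    print(doh_get_url("example.com"))
    print(parse_answers(sample_response()))
```

The bytes returned by build_query are what a resolver on UDP/53 would receive unencrypted; in the DoH case they ride inside the TLS session to dns.quad9.net, which is the whole difference the post above is pointing at.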
Thank you Michael for such a thorough and detailed explanation. After sometime here is what I’m slowly going with:
My setup right now is Xfinity cable/modem (ISP - XB7) in Bridge Mode (WiFi is disabled) first in line from the ISP. Then I have that as my WAN plugged into WAN Ethernet port on FWG (router mode & DHCP) from the XB7 2.5 Gbps port.
One Ethernet port on my FWG is plugged into a MOCA adapter. This enables all my coaxial cable in my house to have MOCA 2.5 adapters that convert internet access from coaxial cable to Ethernet of which I have two more adapters connected. These are governed by the FWG as well.
This setup so far works great. The question I have is about adding WiFi. Xfinity’s XB7 modem/router does have the ability but I don’t want my WiFi from that device so it will stay in Bridge Mode. I have the Netgear X10 AD7200 R9000 wireless router that I am going to hook up to the FWG for WiFi. It will go in AP mode.
My question is, should the R9000 in AP mode be plugged into the FWG and a Second LAN created?
The R9000 has a 10G LAN SPF+ Ethernet port. Is there any benefit to using that port to an empty port on the FWG?
Finally, the R9000 does support Link aggregate mode. Is there any benefit in enabling two ports on the FWG as LAG ports and then enabling LAG mode on the R9000 (created as a LAN2 in this case) and then connect the LAG ports from FWG to appropriate LAG ports on the R9000?
Thanks in advance for the help!
Yes, this is great. You are describing basically this configuration.
Yes, you can use the R9000 in AP mode. Connect it to an open port on Gold. Unless you want the Wi-Fi on a different network, add the port you will use for it to the same network. Typically the only reason to move an AP to a separate network is if you are going to have a separate Wi-Fi for say, IoT devices.
I don't see any benefit to LAG to R9000 for Wi-Fi. But, if you plan to use the Ethernet off that for some important device, it might make sense.
Thank you again Michael for the fast response and good advice. I am also hoping this thread will help many others so I will also bring up a few more points we have discussed and a few additional questions I have for you or anyone else that would like to contribute.
First off, it took me a while to post back to you again because I decided to go back and do a lot more research. Your comments and explanations about the different VPN technology and the way they work had me realizing that before I set up this home network again, I want to be absolutely sure I know what I’ve set up and how to access it and control it but importantly, keep it secure. I believe I mentioned early on that my original home network was hacked into a handful of months ago (I won’t go into too many details on exactly what happened) and since then I’ve had to do a lot of research involving reading articles, forums, watching videos and listening to audio about IT and network security. Essentially I realized that if I truly wanted a secure network that I needed to know a lot more about IT (and even a basic understanding of hacking and the cheap available hacking software and tools that are unfortunately so easily available) than the rudimentary understanding I previously had.
A quick note regarding the VPN discussion. I ultimately did try to use various VPN client profiles (the most popular ones you can think of) in order for my entire FWG LAN network to use the associated VPN services. Without WiFi they all dropped my internet speeds quite a bit even though many claim to still be quite fast. Also, as you pointed out, I’m not so much concerned with privacy as I am security. Yes, privacy is a concern too of course but ultimately security is my goal and I was finally able to grasp the various differences in VPN use after your post. In fact, I believe the reason my internet speeds dropped so much was due to the limitation you pointed out about how the FWG currently only supports OpenVPN and WireGuard and not all 3rd-party VPNs necessarily go well with either of those or don’t support one or are moving away from the other, or whatever, so less overall options. Therefore, if and when I do use some of my 3rd-party VPN subscriptions, I will most likely keep them to a device by device basis but also keep the profiles setup in my FWG if needed for any reason.
Some of my research is what turned me onto MOCA technology and how useful it can be so that was a road I went pretty far down. I have Xfinity’s Gigabit service but even after a tech coming out and examining my connections, splitters, ground block, etc., I can say that coming straight from the one orange 2.5 Gbps Ethernet port on the XB7 connected to the initial incoming ISP coaxial cable (so before any splitters) using a Cat8 Ethernet cable, the best speeds I could obtain on my computer were right around 980 Mbps. Their claim is “up to 1200 Mbps” for the Gigabit plan so I did agree with the Xfinity tech that the speeds were within spec. The XB7 does have the ability to activate MOCA on the coaxial cables if you use it as a Router but in Bridge mode it does not which is why I have 3 MOCA 2.5 adapters (one connected to a coaxial cable coming off the same splitter as the XB7) and then plugged into the FWG via Ethernet. This then enables MOCA even with the XB7 in Bridge mode (or any router that doesn’t actively support MOCA for that matter). The other two adapters I have plug their Ethernet connections directly into computers and I easily get anywhere from 500 to 800 Mbps on those connections at any given time. Also, the MOCA 2.5 specification integrates additional security on their adapters now such as enhanced privacy, link security and additional abilities and control in regards to password protection than previous MOCA specs.
Then came the information and research of switches and VLANs. I did start to consider adding a minimalistic type layer 2 managed switch after the FWG in order to create multiple VLANs on both the wired side and WiFi side of my overall LAN for another layer of security. I looked into all kinds of companies’ switches like SonicWall, Netgear, and UniFi amongst others. Ultimately though, for my purposes, I’m not sure I need to go the route of a switch however VLANs I think are something that could be useful for me. The reason being, my original home wireless network had maybe two wired connected devices and about 15 other wireless connected devices (some of which do require ports to be opened and some of which were and are IoT devices). This was all set up with different hardware than I have now. For example, the Netgear R9000 is brand new as is the FWG and the XB7. I started to look into how to deal with VLANs using the FWG as there is documentation and tutorials on it on the website. I should also point out that the R9000 supports both a Bridge mode and an AP mode but I only plan on using it for WiFi. Anything that needs an Ethernet connection would most likely just use a MOCA adapter. Also, this should be mentioned as well. Netgear does not actually support VLANs in almost any of their routers however I got a very good deal on this R9000 and was able to flash it with DD-WRT firmware which does support VLANs. As far as WiFi goes I would actually like to have quite a few VLANs created for the various connected devices but I’ll admit that I’m on IT information overload. Switch tech and VLANs are something I am struggling a bit with but doing my best to wrap my head around it all. This is one reason I brought up putting the WiFi from the R9000 in AP mode on a second LAN. Then, possibly creating VLANs on various wirelessly connected devices on the second LAN. However, I’m not sure if this is all possible without a switch and just the FWG as far as VLANs go.
The Link Aggregation question was about seeing if that would help the bandwidth of the WiFi by driving the internet signal through two Ethernet cables instead of just one. The one negative of the FWG is the bottleneck of the 1Gbps max allowable speeds per Ethernet port of which there are only 4 which includes the WAN port. I know that previously the FWG did not support LAG for quite some time and then eventually the developers came out with an updated firmware which now supports LAG across 3 Ethernet ports. That’s great but I’m not sure a firmware update would start supporting faster individual speeds per port. Maybe but as for now if you have an ISP that truly does provide you with more than a 1Gbps internet speed you wouldn’t be able to get those speeds through the FWG unless you had a cable modem that also supported LAG. This however eventually will become an issue due to the available amount of total ports the FWG currently has. That’s actually why I think MOCA technology pairs very well with the FWG when it comes to wired connections. WiFi though and VLANs and whether a switch is needed or not is still something I am working on learning about and understanding properly before finally implementing my wireless devices into my home network.
As an additional note, given that the R9000 is an older router which I may still use to extend coverage, something like “NETGEAR Orbi Pro WiFi 6 Tri-Band Mesh Router (SXR80) for Business or Home | VLAN, QoS |Coverage up to 3,000 sq. ft, 100 Devices | AX6000 802.11 AX (up to 6Gbps)” may be more appropriate. Yes it’s a bit overkill for my situation but it does support LAN/WAN LAG and is tri-band and supports up to 4 separate SSID VLANs. The questions are will it work the same in AP mode while I let the FWG do all the routing and for the price is it worth degrading its capabilities by putting it into AP mode? Not sure. Just thinking out loud…