Firewalla Gold info

SRP (LA), Member, Posts: 113
edited March 14 in Devices & Security

@Dalek @Schorsch64 @seh2000 @OU812 @Bzglwrtz @Shooter

Hello All,

As promised in the outage thread I started to delve into the Firewalla Gold today. I'm creating a new topic here as suggested by @rooted@Marc.

TL;DR - the Firewalla Gold is pretty flexible; it's not very plug and play & to get it working well with Fingbox involves jumping through some hoops - although it seems that one can get it to mimic the unknown device join blocking functionality of FB on its own at least. However, it does appear to rely on a Firewalla backend service for security features to function. :/

It's probably worth stating that my ideal scenario when I purchased the FWG was if it played nicely with my Fingbox. It seems the two devices have some overlap in functionality yet each is designed to do things the other doesn't.

As those on the outage thread may recall I purchased the FWG in a rush of nerdish adrenaline when @Bzglwrtz forwarded a link to the device. I knew going in I'd probably need to run the FWG in router mode rather than their simple mode where it functions like a Firewalla Blue or Red and uses ARP spoofing similar to Fingbox. As outlined on this community here https://help.fing.com/knowledge-base/firewall-compatibility/ there is a way to get FWB/R and FB devices working together but it results in falling back to the FW intrusion detection behavior of notification of any new device joining your network rather than the blocking by default and asking for access permission that FB does. I much prefer the latter functionality.

The open questions then were as follows:

Could router mode allow me to have FB work as now, how much of a headache would it be integrating FWG into my network topology and, perhaps most importantly given uptime challenges we've all been facing recently, was the FWG reliant upon a front/backend connection to some Firewalla service that when down/unreachable/overloaded (as any distributed infrastructure experiences from time to time) would all the security features go kaput!

Before setting it up today I read a few reviews. This one https://dongknows.com/firewalla-gold-review/ was interesting for a couple of reasons. For the reviewer, the router setup was too complex and he fell back to simple mode - from my trawling of Firewalla's community site this doesn't match the generally held opinion which is that the router is great. Secondly, he does outline the need for a connection between the Firewalla device and a Firewalla backend. His observations are rooted in privacy concerns and he provides a link to Firewalla's comments on their policy and what is stored/communicated - I believe, however, this is a statement for FWB/R not FWG. More on this later.

I posted some questions to the Firewalla community and got some responses from a Firewalla representative.

Here's the thread you all may find interesting.

https://help.firewalla.com/hc/en-us/community/posts/1500000522462-Firewalla-Gold-pre-setup-advice

My main takeaways from this are:

I will need to use the FWG in full router or DHCP mapping mode - which is subtly different from that on FWB/R but still essentially sets the FWG up to serve DHCP addresses. See https://help.firewalla.com/hc/en-us/articles/115004304114-Everything-about-Firewalla-DHCP-Mode- and note the FWG, unlike B/R, puts the device on the same subnet as the network you're plugging into, rather than an overlaid subnet.

Regardless, if I get either mode above working I can still use Fingbox as is.

You can jump through some hoops and perhaps get default unknown device blocking functionality by quarantining some or all of your network. TBD how this works vs. Fingbox.

Lastly, although not 100% confirmed, my current takeaway from this thread, and some subsequent private back and forth with the FW help desk, is that there appears to be a theoretical single point of failure for at least some security functionality if the FW cloud infrastructure suffers downtime/issues. The 'don't worry about it - servers just always work nowadays' comment made me smile!

Apologies for the wall of text. I hope some of you find this helpful and I'll update this thread if people are still interested if I get more clarity on the FW backend connection and how it works in practice once I've figured out where in the network topology to insert the FWG - at the root, in front of everything else, seems most appropriate but for me this means fiddling about in an outside cupboard and reorganizing a whole bunch of PoE switches, routers and modems. <sigh>

Cheers,


Answers

  • Schorsch64, Member, Posts: 37
    Thanks a lot @SRP this is an interesting post! I’m also interested to use a Firewalla, either Blue Plus or Gold but cannot find a shop to purchase from in Europe, are you based in the US? I sent an email to the Firewalla support team a couple of days ago asking them where to buy in the European Union but did not get any response (yet).... let’s see..
  • SRP (LA), Member, Posts: 113
    No problem. Yes, I'm based in Los Angeles. Hopefully, they can just ship you one internationally.
  • Tony_G, Member, Posts: 7

    Hi all!

    I have the FWG and FBv1 and it works just fine. FWG in router mode hooked up to a Nighthawk R7000 (in AP mode as the FWG is the router) and FB in lan port 1 of the R7000. So far so good!

    Both FWG and FB have similar functions such as quarantine/blocking of new found devices connected to your network. It's just a matter of deciding which one you want to take care of that functionality. So, for every similar function you find just decide which box handles what.

  • SRP (LA), Member, Posts: 113
    edited March 16

    Hi @Tony_G - that's great to hear, particularly as your setup with an R7000 in AP mode mirrors part of my network exactly! :)

    How do you find the FWG as a router? Fast, reliable, easy to tinker with? I'd love to hear which features you stayed with on the Fingbox vs. which you use the FWG for if you don't mind sharing that information.

    One issue I'm noodling ATM is that my modem has a router built in and currently acts as the primary DHCP server for my network. I think I need to either stop this serving addresses (TBD if this is possible) or set it to a different subnet and insert the FWG on the 'old' subnet in order to not require resetting all of the static IP assignments I have for certain devices. The only problem with the latter approach is I'll need to replicate any port forwarding settings across both devices I think.

    Finally, is the FWG the only Firewall you run or do you have any others active - I'm wondering if I should additionally leave the firewall active in my ISP modem/router in front of the FWG.

    It's these challenges that have the FWG still sitting on my desk crying 'Set me up!!!' :)

    Cheers,

    S.

  • Tony_G, Member, Posts: 7
    Hi @SRP!
    First of all, sorry for the long read that follows.
    I own both FW Blue and Gold. When I moved from my last house I only had FB connected to my network and it worked like a charm. I backed it in Indiegogo and set it up as soon as I got it. My main concern back then was if any of my neighbors were trying to make an intrusion into my Wi-Fi network and for that purpose the FB was and still is my main solution for monitoring that type of problem. Let's remember FB is a solution for Wi-Fi connections (inside your network). I was also interested in FW Red at that moment because it offered another "layer" of protection (incoming and outgoing connections to the internet) to my network but since both units use the same kind of way of connecting to your router and re-routing traffic (ARP spoofing) I thought both units wouldn't play nice together. Both are basically telling your router "hey! I'm a router too. Please re-route all incoming/outgoing traffic thru me first before you do anything", for which I thought I would be creating a mess in network traffic so I ditched the idea at first. Anyhow, I ended up backing the FW Blue because I was itching to know how well the product works and to play with the different features of it. I have to say the Blue unit is excellent and gave me an insight of how much data was going in and out of my network and where from any of my devices. Still, I wasn't so sure on connecting the FB alongside it so I left it disconnected for a while. After that, they came out with the Gold unit and when I noticed they were advertising its routing capabilities and multi ports that's when I decided this was the perfect setup to have both systems together in my network. It wasn't until recently that I put them together and up to this day everything is just fine. However, like I said in my last post, you need to setup your Wi-Fi router as an AP so DHCP is disabled there and handled only by FWG.
    In case you have a modem/router combo unit you can only connect the FWG in simple mode which is the router within a router setup I mentioned above. In that case both FWG and FB would have to do ARP spoofing and potentially creating a traffic mess in your network (just my opinion as I haven't tested it myself but I thought it could create complications later on). My setup is as follows:
    1. Netgear CM500 as my modem w/ internet service from Comcast
    2. FWG WAN port connected to modem's WAN port and working in Router Mode
    3. Lan port 1 from FWG connected to WAN port of Nighthawk R7000 and working in AP mode (FWG handles DHCP and assigns all IP addresses of devices that connect to Nighthawk's Wi-Fi and the rest of Lan ports available)
    4. FB connected to Lan port 1 of Nighthawk
    With this setup FWG does its thing and doesn't interfere in any way with things that FB does because FB is re-routing the traffic at the AP level (Nighthawk) and serving the purpose of monitoring at that level (Wi-Fi intrusions and the function of blocking traffic for devices using Wi-Fi and Lan ports as well) while FWG is working on monitoring the whole traffic in and out to the internet. So, even if they have some similar features, both serve a different purpose.
    To answer your question:
    Connection is very stable and consistent almost all the time so I know the whole thing is working as it should. When there are drops in the connection in my case I know it's Comcast's doing but that rarely happens anyway. The FWG is rather easy to work with. However, be advised that since the Gold unit has more features than its other colored siblings it does need some knowledge from basic to intermediate networking (but probably you're more knowledgeable than myself). May I say you can do VLAN with this unit! You can isolate Lan connected devices in its own ports and to choose if you want devices connected in a specific port to see others in other ports or to have them completely out of the main network. Think about the possibilities here: servers, IoT devices, etc. Creating network segmentation is something I haven't played with yet, but soon I'll try it. I have an Odroid HC-1 and a HC-4 that I plan to use to create a web server (HC-1) and a NAS (HC-4). Neat stuff! FWG is packed with great features and it also handles IPv6. Anyway, FW website has all info you need to set it up correctly and to setup any extra features you want to test in your network.
    You said in your last post that you own a modem/router combo unit. In this case the only thing you can do as mentioned earlier is to connect it in simple mode (just as any of FW siblings by default). However, now that I remember it does have a DHCP Mode that creates an underlying network with DHCP control which means that you will need to disable DHCP in your router to let FWG handle it. I didn't think about it but you could still be able to use both FWG and FB that way. Hmmm... You need to check the explanation on the modes for FWG at their website. Since in DHCP mode you are creating an internal underlying network maybe the ARP spoofing used in simple mode works differently and lets you use both devices without problems. I'll check that too. I still prefer my method though.
    With the static IP's and port forwarding, if FWG is the router it will change everything and you will have to setup the device IP's and ports once again one by one. If you disable your router's DHCP probably the same will happen. How do you propose setting that subnet you're talking about?
    FWG is the only firewall I'm currently running in my network. I used to have a software based firewall that I don't even remember in one of my old computers that would basically run 24/7 but not anymore. Setting it up was time consuming and not too user friendly, plus the amount of electricity of that machine running all the time... Just imagine it. I've heard about other products but I haven't taken the time to sit down and read for a while. Work, work, work....  What other firewall do you use? Anyway, FWG could be able to handle your other firewall's rules and just run only one system. Probably multiple firewalls with customized rules made by the user can create complications at some point, especially when trying to detect which one is causing problems with certain connections. But I don't know about that.
    And finally, about the similar features they both share and where do I prefer to use them I could say the following:
    Even if I can block devices in FWG, I prefer FB to handle that task since it is already monitoring my network's Wi-Fi and Lan ports in Nighthawk. Basically, I'm letting FWG be just my firewall and FB do the rest it already knows how to do well.  Also, FB already gives me insights on what's going on in my connection when my family arrives or leaves the house. FWG can detect the presence of devices in the network as well by allowing it to advise when a device connects or leaves the network, but as mentioned above I prefer FWG to do what it is supposed to do best and the same w/ FB.
    Once again, sorry for the long read. For any other questions I'm here, even though I'm not a techie kind of guy but I can still try. We learn together!

  • SRP (LA), Member, Posts: 113
    edited March 21

    @Tony_G Please don't apologize for the long read. That was packed full of information that was incredibly useful to me & I'm sure others following this thread. Thanks for spending the time on your reply.

    I think my modem/router allows me to run it in bridge mode with no DHCP lease serving or routing with NAT occurring on the device so I'm hoping I can just plug the FWG next in line here and have it be my root node router in essence. If this plan encounters issues I'll either get a new DOCSIS3.1 modem and ditch the modem/router combo or fall back on the DHCP mode on the FWG as you suggest.

    Regarding extra firewalls I don't run any other than the one built into the ISP device since all my other routers run in AP mode. I had thought about separating one off for IoT devices in router mode with its own subnet and DHCP range then I'd be able to run the inbuilt firewall there additionally hence my question. Upon reading more about the FWG I'll probably just use quarantining instead.

    Many, many thanks again for the information. Like you I instinctively prefer the thought of the FB & FWG working in concert to handle the stuff they're good at so it's great to hear of a real world case where that's happening.

    Cheers,

    S.

  • seh2000 (Ireland), Member, Beta Tester, Posts: 110
    @Tony_G @SRP
    Thanks for the write-ups!!!!
    Quick question, perhaps more for Tony - have you used/looked at the buffer bloat settings? The guy that I know who also got the Gold mentioned it, but he has not played - yet - with that...
    I am thinking of replacing my Edgerouter ER4 with the FW Gold...
    Cheers Steen
  • Schorsch64, Member, Posts: 37
    Just received my Firewalla Blue Plus  :) will integrate it into my network over the weekend and see how it works, also in co-existence with my FingBox ....
  • Tony_G, Member, Posts: 7

    Hi guys!

    So sorry for the super late reply. I've been very busy these days.

    @SRP

    Have you connected that FWG yet? How did it go? If not, take a time to write down the current settings of your network with as much detail as you need and go into your router and download its configuration file so you don't have to start from 0 if you need to turn back to it in case something goes wrong. It's a kind of network mapping I do when implementing stuff and to keep tabs on what I add and settings to remind me later. I also found this info the other day and even though it says is for the Red, Blue and Blue Plus you should check it out. https://help.firewalla.com/hc/en-us/articles/360021737793-How-to-keep-your-network-unchanged-in-DHCP-mode?omnisendAttributionID=email_campaign_604ee3f0b1b5330bcc434c10&omnisendContactID=5d38d76acea1f36211e70c8c&utm_campaign=campaign%3A+Firewalla%3A+Paring+Multiple+Phones+and+DHCP+Mode+Trick

    @seh2000

    Regarding the buffer bloat settings, do you mean Smart Queue feature of FWG? That's the traffic prioritization feature of the unit with FQ-Codel settings (Fair queuing controlled delay) which balances your network's traffic load and optimizes bandwidth for devices with most traffic use. I still haven't tried that feature because I'm checking how my network behaves without it and to see if there's any bottlenecks with the current use me and my family give to the network with the amount of devices we currently use. I will give it a try later though. Also, that ER-4 you have is a great unit for what I've seen. It's basically a FWG but with an added SFP port. Ubiquiti is known for its great software and hardware solutions for networking. I personally haven't tried any of their products but I've heard great things from other people that have. By reading its datasheet I find it to be packed with features that go hand in hand with the FWG. And it also has QoS integrated if that is what you're looking for. However, even if they have similar features the ER-4 looks like is cheaper than FWG. In the end, I guess it depends on what your needs are. FWG is a great combination of hardware and software and if you add to it the functionality of FB you will be controlling and monitoring all aspects of your network (Internet, lan connections and Wi-Fi). Btw, I was just playing around with the live demo of the ER-4 dashboard they have in the following link (https://unms-demo.ui.com/dashboard) and it seemed daunting at first view but as I kept looking around is not bad to work with (at least for me). It looks like is more suitable for small enterprise network environments where you need to have a centralized management system to control other hardware and settings. But not bad at all for the $199 price tag. FWG is imo more user friendly and comparable to the ER-4 in terms of functionality. I love my FWG man! You'll probably love it too if you get one.

    @Schorsch64

    Man I'm glad you got it! I would like to know how you make it work in your network alongside FB when you get some time. The Blue Plus unit is great and has more features than the regular Blue. Take the time to play with it and let us know.

    One more thing before I go:

    I've been reading all about FB having certain problems since a month ago or so. I thought mine was out of trouble but in the last 2 days it shows as disconnected for a few mins and comes back. It does that twice at night or early morning. Is not too bad as many other people report here with constant disconnections but is still an annoyance. Has any of you experienced that?

  • seh2000 (Ireland), Member, Beta Tester, Posts: 110
    @Tony_G
    Thanks for the comprehensive update and yes the ER-4 is cheaper than the FWG, as you and the guy I know here (he got 2 by the way) both are super happy, I'll have to have a long chat with the wife :)
    You are right on Buffer Bloat = Smart Queue which works pretty fine on the ER4 so I am interested to find out how good/great it works on the FWG. I am only using on my upstream where I have reached A+ using the speed test from DSL Reports and same latency on DL/UL.
    What I lack on the ER-4 is the parental controls which I see FWG got, I been using FingBox to top internet for son, but with the instability FB shown the past time I am looking for other option, which perhaps FWG could offer.
    I am by the way using PiHole for adverts and as own DNS server.
    Keep us posted on future events :)
     Steen
  • Bzglwrtz, Member, Posts: 46
    Tony_G said:
    you need to setup your Wi-Fi router as an AP so DHCP is disabled there and handled only by FWG. In case you have a modem/router combo unit you can only connect the FWG in simple mode which is the router within a router setup I mentioned above.

    That's my concern with the FWG, I've got a router/AP as my WAN link, with the FWG I'd need to disable the AP in the router and add another AP downstream of the FWG so it can control WiFi traffic.  Unless the FWG can do ARP spoofing upstream to get the WiFi traffic alongside the existing control of through traffic that it does as a router.

    The FW guys are doing a lot of development work on this which is nice, see e.g. this recent announcement about WireGuard support among other things.  However it looks like the FWB+ can do this as well, so a pure ARP-spoofing-based solution which doesn't require a new AP would appear to be feasible.
  • SRP (LA), Member, Posts: 113
    edited April 16
    Hello All,

    I finally bit the bullet and reconfigured my system with the FWG amongst the cobwebs and cables yesterday. It probably took me about 3 hours to get things up and playing nicely again but TBH this had more to do with my laziness around not wanting to reset a number of static IP devices than anything else. The advice from @Tony_G to spend some time jotting down the state of your current setup beforehand was really useful. If I hadn’t done that in detail there were a number of occasions when I’d have run into trouble, one being caused by the WAN IP address allocated by my ISP flipping for the first time in 5 years. This meant a dynamic DNS mapping needed updating. If I hadn’t noted all that stuff down it would have stumped me for much longer. Another tip I’d add is to turn off all your MAC filtering rules and new device blocking before commencing. I’d erroneously missed switching this off on one of my routers which caused some issues for a while.

    Now I’m out the other side, so to speak, I have to say the FWG is pretty awesome. I started off hating the lack of a fully featured web interface and then ended up loving the Bluetooth and internet link from the mobile app. This was useful for those situations when you mess something up and need to connect a lone PC to the device in an attempt to find the IP address that your router has disappeared to or where I’ve needed to resort to a factory reset at times in the past. I can see the remote access being useful in the future for sure.

    I set the FWG up in router mode and put my Arris cable modem/router into bridge mode (although having played with it this isn’t strictly necessary and I could have had that still running its DHCP serving and wireless if I’d have decided to). The FWG is now essentially the root router in my network. I set up two logically and physically separate LAN networks on the FWG fairly easily, one for my IoT security system and another for the remainder of my network. The firewall rules are impressively flexible, blocking traffic to/from LANs/VLANs, devices, addresses independently along with a host of other conditions based on traffic source, destination, type, location etc.

    There are a couple of slightly annoying quality of life kinks that need to get ironed out like no ability to edit port forwarding rules without delete and reentry, plus a requirement to enter both TCP and UDP port forwards separately. By and large though everything was really solid from a configuration flow standpoint.

    The FWG is very ‘chatty’ when you first set it up. The amount of notifications you’ll receive about video watching, gaming, unusual uploads, port scanning etc. is a little overwhelming initially. I guess I’m conditioned to have the ‘fear’ when my network pings me repeatedly. :)

    The sheer amount of insight you can get into your traffic and connections is pretty wild though so I’ll take the initial noise for access to the depth any day. It’s just a case of managing all those alerts into some non metronomic scheme when you first start that takes some time.

    The FWG appears to play perfectly with the Fingbox, although now my FB only watches three quarters of my total devices due to the LAN split. My next step is to overlay a VLAN too so I’m thinking that would result in the need for additional FBs too potentially. This hasn’t been an issue so far though TBH. The quarantining of newly joined unknown devices is really good on the FWG. There’s no device identification per se but the FB was handy as a reference to transfer over info. I still like the fact that my FB is watching my Wi-Fi APs and all the other good stuff like geofencing, speed tests, named user tracking and presence etc. I’ll probably use the FWG moving forward for parental and access control though. Like a number of folks said they’re pretty complementary devices although the areas of overlap are a reassuring failover redundancy while the Fingbox service remains patchy and somewhat unstable.

    One thing that’s worth mentioning is the FWG totally relies on the Firewalla backend, much like Ubiquiti devices do, which is definitely something to be aware of given recent security breach developments at that company. I’m yet to fully grok what proportion of day to day function the backend contributes to. It’s certainly heavily involved in the setup and configuration though.

    The FWG really does an awful lot and I feel like I’ve only just begun to scratch the surface. It’s already made me wish I had multi SSID APs that I could bind to VLANs without connecting these to switch ports....oh and I’ve ended up ordering a raft of managed switches so I can play some more.

    Anyway, I’m off to the land of VLAN - I hope folks find this stream of consciousness useful. :)

    Cheers,

    S.
  • SRP (LA), Member, Posts: 113
    Hey @Tony_G, Have you managed to set up VLANs on your FWG?
  • Tony_G, Member, Posts: 7

    I haven't yet. I was waiting to finish a few things I have to do first at home and now I have to do a backup of my laptop and reinstall the system. It's taking me ages to organize everything with so many things I'm doing around the house and at work. After that, I will be working my Nas and I'll probably try to setup a VLAN.

    Btw, did I read somewhere you got yourself a Deeper Connect device? I also got it! Actually two of them: the mini and the nano they were giving to the backers that had to wait a long time for their shipment. Have you used it? If so, what do you think of it? I still haven't connected mine but it's something I want to check soon as well.

    Take care!

  • Gimparoo, Member, Beta Tester, Posts: 6
    I have used both the FW Blue and Gold.. the Gold is my router and the Blue is ready for a new user. My network is like this.. Google Fiber Gigabit to my FWG, I have a Netgear RAX200 setup in AP mode with my FingBox v2 connected to it to stop WiFi intrusion, my FWG quarantines new devices and I set rules for how they are handled. I have 85 devices on my network and everything runs perfectly. I too am a backer of the FWG and FWB through Indiegogo and have had this setup for 9 months now. Can't say enough about the FWG or my FingBox v2 devices!  

    Port 1 of my FWG is my incoming Google Fiber, Port 2 is my Netgear RAX200 in AP mode, Port 3 is a Netgear switch to handle my ethernet traffic devices, Port 4 goes to my office Netgear switch and rules set up for each port to handle the different traffic incoming/outgoing.
    I'm very impressed with how well and stable my network has been with this setup.

    if anyone is interested in a Firewalla Blue device, contact me and we can discuss further....  I'm in Austin, TX  :)
  • seh2000 (Ireland), Member, Beta Tester, Posts: 110
    Gimparoo said:
    I have used both the FW Blue and Gold.. the Gold is my router and the Blue is ready for a new user. My network is like this.. Google Fiber Gigabit to my FWG, I have a Netgear RAX200 setup in AP mode with my FingBox v2 connected to it to stop WiFi intrusion, my FWG quarantines new devices and I set rules for how they are handled. I have 85 devices on my network and everything runs perfectly. I too am a backer of the FWG and FWB through Indiegogo and have had this setup for 9 months now. Can't say enough about the FWG or my FingBox v2 devices!  

    Port 1 of my FWG is my incoming Google Fiber, Port 2 is my Netgear RAX200 in AP mode, Port 3 is a Netgear switch to handle my ethernet traffic devices, Port 4 goes to my office Netgear switch and rules set up for each port to handle the different traffic incoming/outgoing.
    I'm very impressed with how well and stable my network has been with this setup.

    if anyone is interested in a Firewalla Blue device, contact me and we can discuss further....  I'm in Austin, TX  :)
    Quick question - you had the FingBox V1? I ask as I am still on the V1 and as my wi-fi is on the 5GHz then the V1 don't do me any good on the wi-fi, but not sure if it is worth the cost for an upgrade. For going FWG the boss in the house has said no...Austin cool, have family in Plano...
  • Tony_G, Member, Posts: 7

    @Gimparoo

    Wow, that's awesome! 85 devices in your network? Have you had any bottlenecks so far with your setup? Any slowdowns? Or probably many of your devices are not used at the same time while connected? It's impressive what the FWG can do being a small device. I will consider changing my Nighthawk R7000 for a modern WiFi6 router as I'm having a few problems with it lately. It kinda gets stuck sometimes to the point of having to restart it to make my WiFi work again. It also changes sometimes the connection to FB from 1Gb to 100Mb and I have to unplug FB and plug it again so it can reconfigure it back to 1Gb.

    Great setup you have there!

  • Gimparoo, Member, Beta Tester, Posts: 6
    Thanks Tony….  and no bottlenecks or slowdowns, with FWG you can adjust routes and “Smart Queue” to accommodate extra use when called for like gaming or camera uploads to a cloud (which can get heavy sometimes, like Nest). With Google Fiber gigabit up/down bandwidth, it’s hard to cram too much data!  I average 2 TB of usage a month!  

    I had a similar problem with my R7900, that’s why I upgraded to the RAX200, big difference!
  • GimparooGimparoo Member, Beta Tester Posts: 6

    Quick question - you had the FingBox V1? I ask as I am still on the V1 and as my wi-fi is on the 5GHz then the V1 doesn't do me any good on the wi-fi, but not sure if it is worth the cost for an upgrade. For going FWG the boss in the house has said no...Austin cool, have family in Plano...
    It’s worth the upgrade to v2, I was having the same concerns and v2 took care of that a lot better!
  • SRPSRP LAMember Posts: 113
    edited May 4

    Hey @seh2000 I realise it's an outlay but the 5GHz & 2.4GHz functionality of the V2 is critical IMO if you run 5GHz SSIDs. You naturally want Wi-Fi AP monitoring at the very least on all your SSIDs and the 5GHz speed vs. 2.4GHz means in 90% of my use cases I'm using this frequency unless I'm really at a distance from an AP. The dual band fencing is nice too. However, if you only run 2.4GHz SSIDs there's no functional difference IMO. If you use both I think it's worth an upgrade.

    Regarding the FWG outlay, I, like others, can't say enough good things about it the more I use it, however, it's not cheap. It sounds like the Blue Plus gives you a lot of the core functionality if you run in DHCP mode albeit at a 500Mb/s throughput but I'll let others who have one chime in on the device. From a support standpoint it certainly appears that Firewalla is actively updating features and has a future roadmap across FWG and FWB+ with a slight trailing roll out to the blue.

    Finally, to answer @Tony_G I have ordered a Deeper Connect but I'm still in the queue for it to arrive sadly.

    On the VLAN front I've had to replace all my household unmanaged switches, many of which are buried in walls so this has taken some time and involved some Amazon order/return/reorder cycles. It sounds like we're similarly challenged when it comes to finding time to play with this stuff so I've gone in sprints followed by lulls.

    I ended up going with Netgear's GC108PP and GC110P switch models after a couple of missteps because they're a nice 'pro-sumer' device that's competitively priced with a lot of enterprise level features and crucially still have individual browser based web GUIs for full setup as an option. I've got the main trunking switch which connects all others left to replace then I'll be trying out VLANs.

    Another mental back and forth has been selecting MU-MIMO APs which automatically bind SSIDs to VLAN IDs. I've got some TP-Link EAP620s which I like because they have a web interface as well as the cloud option (as you can see I've developed a healthy anti cloud obsession post the Ubiquiti breach), however, these should really be mounted on the ceiling and I want them on the floor or shelves so it's yet TBD what performance I get in this configuration. The alternative path is to use a Ubiquiti Unifi FlexHD which whilst designed to sit on a desk doesn't have a web configuration GUI but requires controller software to be run from a PC ideally consistently. You can run it once to set up stuff and then I'm told things work rather well if left alone with no live monitoring, however, I do like my browser based straight to IP address GUIs. I guess I'm an old fashioned stick in the mud!!! :)

    I'll keep this group posted on the experience I have with things as I roll them out if folks are interested.

    Finally, I absolutely love the new Firewalla blocked flow feature which shows what the Firewalla has squashed by device or network in the past 24 hours plus I set up both client VPN and server VPNs (which allow you to effectively join your home network from afar and benefit from all Firewalla protections) and both work very well albeit at a slightly depressed connection speed.

    Cheers,

    Steve

  • GimparooGimparoo Member, Beta Tester Posts: 6
    SRP said:

    Finally, I absolutely love the new Firewalla blocked flow feature which shows what the Firewalla has squashed by device or network in the past 24 hours plus I set up both client VPN and server VPNs (which allow you to effectively join your home network from afar and benefit from all Firewalla protections) and both work very well albeit at a slightly depressed connection speed.

    Glad to see so many others using and enjoying the FWB/G, I’ve turned several friends and family members to the use of the FWG.
    I am using the beta firmware/app version and have never run across issues on my setup…. 85 devices, 60 rules.

    I too love the VPN Client/Server abilities of the FWG, this has been a game changer for me!
  • seh2000seh2000 IrelandMember, Beta Tester Posts: 110
    @SRP 85 devices :) I only got 40 or so :) , I am using Zyxel GS1900 switches and they have so far done good, plus I have a TP-Link SG-1005P to power Raspberry Pis that I use as DNS servers (Pi-hole) and for some other stuff, a Netgear EX8000 as AP.
    @Gimparoo I use mainly the 5GHz band so yea, I guess I'll do the upgrade. Just with the Fingbox issues we have seen lately I have held back on it.

    I have a customer who privately uses 2 FWG (at work he uses Cisco and FortiGates) and he says the same as you two, great product and is super happy, he also tries to get me to buy one :)
  • SRPSRP LAMember Posts: 113
    edited May 4

    You've got me beat on devices by 15 and rules by a lot.

    I'm particularly interested to see where they take target lists in the future and the potential for these to be dynamically updated from community sourced and maintained lists.
