Firewalla has shared numerous times that the IDS/IPS it is using is Zeek, formerly Bro, which is a well-respected open-source Network Security Monitoring platform that has been around for 20+ years. I get it, it is not Snort or Suricata, but dissing it shows a lack of understanding of what it is. Firewalla makes it easy to SSH into the box. Firewalla runs Debian Linux, it uses iptables, and it supports expansion using Docker. For example, there are plenty of folks who run Pi-Hole DNS sinkholes on the FWG. Policy-based routing is also supported. I run certain traffic destined for certain countries or IP subnets through an interface configured for always-on VyprVPN, and my remaining traffic through other interfaces depending on the tagged VLANs. I'm also using Multi-WAN. I fail to see how you can't manage this device locally if Firewalla ever went belly up given the SSH access and its use of open-source technologies. pfSense is a great firewall too. It should be, it's been in development for 17 years. Sounds like it was a good choice for you. Firewalla Gold was a good choice for me. I manage firewalls for a global company with 20+ offices on 3 continents, but when I am home I just want something that works, and Firewalla has done a great job re-inventing the firewall for the home, home-office, and SMB market, making it easy to achieve reliable and complex network configurations with just a few clicks.
I couldn’t find a reason to keep it. I cancelled. Maybe if you like the combo?
I LOVE that firewalla is not charging me a subscription.
If FW ever releases new hardware I will seriously consider it.
This might help as a workaround: LightDims Get all 6 Kinds. Every kind of Light Dimming sheet we make. Original Strength, Black Out Edition, Silver Edition, White, Customizable Original Strength, & Customizable Black Out Edition https://www.amazon.com/dp/B01DX1IW2U/ref=cm_sw_r_cp_api_glt_fabc_707EJA3S7V4WVXKCPG8T
I'd go to https://nordvpn.com/servers/tools/ and let their website tell you what your best vpn server is. Click show available protocols and then download the UDP configuration ( ovpn ). Once you have that config file use it to create a new VPN profile on your FWG using their app. You'll need your Nord username, password, and that file. Switch profiles and see if that helps. You can have multiple profiles but can only connect to one at a time.
Hopefully that helps you. I've had good success using this method.
WireGuard is a connectionless protocol, so there isn't a connection at the protocol level. So, even if you set it up with an invalid WireGuard server, it will appear to be connected, until your application data doesn't load ...
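Because of that connectionless behaviour, the useful health signal on the box itself is the age of the last handshake rather than any "connected" flag. The script below is an added example, not Firewalla's or WireGuard's own code: it parses the machine-readable output of `wg show <iface> dump` (one interface line, then one tab-separated line per peer whose fifth field is the latest handshake as a Unix timestamp, 0 if none ever completed) and classifies the peer as fresh, stale or never handshaked. The 180-second threshold and the sample dump lines are assumptions and constructed data.

```shell
#!/bin/sh
# Added example, not Firewalla's or WireGuard's own code. WireGuard keeps no
# connection state, so the only evidence that a tunnel is really working is a
# recent handshake. `wg show <iface> dump` prints one interface line (4 fields)
# followed by one tab-separated line per peer; the 5th peer field is the latest
# handshake as a Unix timestamp (0 = never). Threshold and samples are assumptions.

STALE_AFTER=180  # seconds; assumption: a busy peer re-handshakes roughly every 2 minutes

# wg_peer_state DUMP_TEXT NOW_EPOCH -> prints fresh | stale | never for the first peer
wg_peer_state() {
  hs=$(printf '%s\n' "$1" | awk 'NF == 8 { print $5; exit }')
  if [ -z "$hs" ] || [ "$hs" -eq 0 ]; then
    echo never   # key exchange never completed: wrong key, wrong endpoint or UDP blocked
  elif [ $(($2 - hs)) -le "$STALE_AFTER" ]; then
    echo fresh
  else
    echo stale   # was up once, but nothing has been exchanged recently
  fi
}

# wg_iface_state IFACE -> same verdict for a live interface (needs root; not called here)
wg_iface_state() {
  wg_peer_state "$(wg show "$1" dump)" "$(date +%s)"
}

# Constructed dump output (real output is tab-separated; keys replaced by placeholders)
SAMPLE_UP='IFACE_PRIVKEY IFACE_PUBKEY 51820 off
PEER_PUBKEY (none) 203.0.113.10:51820 0.0.0.0/0 1700000000 123456 654321 25'
SAMPLE_NEVER='IFACE_PRIVKEY IFACE_PUBKEY 51820 off
PEER_PUBKEY (none) 203.0.113.10:51820 0.0.0.0/0 0 0 0 25'

echo "60 s after handshake:   $(wg_peer_state "$SAMPLE_UP" 1700000060)"
echo "10 min after handshake: $(wg_peer_state "$SAMPLE_UP" 1700000600)"
echo "no handshake ever:      $(wg_peer_state "$SAMPLE_NEVER" 1700000600)"
```

On a Firewalla box reached over SSH, `wg_iface_state <interface>` runs the same check against the live tunnel; a "never" verdict with an app that still reports the profile as connected is exactly the situation the comment above describes.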
I run ExpressVPN on at least 3 devices at a given time via the VPN client . It has been working flawlessly.
I wish I could swap different profiles per device, instead of one profile for all devices.
Future request ?
And the VPN will hide your public IP. DoH only hides your DNS queries. VPN providers route DNS thru their servers anyway to prevent DNS leaks.
I didn't like toxic kids running LANC and trying to troll my son with IP Stressors. FWG will pull 3074 /3544 player public IPs when grouped in Xbox parties as well.
Hello u/Expensive-Fox-8586
While I really appreciate you shedding some light on the concerns you uncovered, presenting them in a more digestible form would be really appreciated. I think a big selling point for Firewalla is its usability and reduced hassle to set up in comparison to a DIY solution. Therefore, I'd really like to know where its shortcomings are.
From digging through the first couple of paragraphs, it seems your main concern is regarding kill-switch functionality - Could you try to summarize this concern in one paragraph?
You also mention, when you reboot Firewalla all rules are bypassed? Can someone confirm this? I would also prefer if Firewalla as a GW is offline, I lose WAN connectivity temporarily.
Regarding DNS leak protection: Did you set up NordVPN in Firewalla or separately on your clients?
Thanks for your efforts and I hope you can come back to this thread after a good night's sleep and with a fresh mind :) Cheers!
I ran Kaspersky several years ago and also had similar problems with it. Ultimately, after much research, I just went with windows defender. No fuss no muss.
check out this site: https://www.av-comparatives.org/comparison/ I found it very helpful
/u/Magnous You might want to try using a service like OpenDNS if you want something like this. It will note all requests that come from your IP and give you nice charts. You will have to install an IP updater (There is probably a way to get that to run from your firewalla itself if you are clever.) or you can run it from a Mac or Windows device.
Thanks for the reply.
3 items on this list are particularly interesting to me:
The ability to create VLAN's is a biggie too.
Cheers
It looks like one of the port options for NordVPN is 443 TCP... so I think port blocking will not work for this application as that is going to block most websites these days... Maybe you could identify the traffic and block the destination ip(s) instead? Not a great answer but it might help you make some progress.
I have the 1.2Gb/40Mb plan and I get as high as 1.4 on a good day. I haven't seen a 2GB plan yet. You'll never see above 1Gb on cable unless you get a modem with a 2.5Gb port. I went with this one:
Get the FWP, put it in this pouch, and carry it around in your bag or briefcase.
Of course, you have to be a multi-millionaire to afford the FWP, but if you are, this is the way to go.
I have a FWG at home and my FWP with me everywhere I go. They were designed to work together, and do. Don't mess with what works. Let Firewalla, Inc. solve your networking problems, and focus your life on the things that actually matter.
Thanks for reminding me. You can use just one single type of cable for everything, namely this. By standardizing on the charger and these cables, you can bring the total cost of ownership way down, for all of your devices.
Needless to say, I am on a relentless war against USB-A. :)
Here come my downvotes! :D (for not endorsing the FWP)
I don't see the FWP as a great choice in a home setting, yes it's capable of doing the job, but over time, as you've noted, it seems to be facing issues which FW has stated is a manufacturing issue; while I believe the design's compact size and lack of heat sinking/dissipation for air circulation is the underlying cause or adds to this also.
I had the FWG prior to FWG+. As a home solution it's great other than not having a full fledged functioning locally web hosted admin functionality. It does all I want in terms of a "home" router with some prosumer-ish features. And for the FWG+ it's hard to find as many 2.5gbe ports at a same price that combines a good ui/ux, and feature set.
Where do I wish the FWG/FWG+ was better? In areas that are more high-end prosumer/pro level... I wish there were more ports, it was fully 10GbE for RJ45, and had SFP+, along with PoE++ support... And if those are things you're looking for, potentially consider this MikroTik L3 switch, boot it in router mode, instead of as a switch... And you probably have a single device that eliminates a few devices for most people. Why did I not buy that instead? It doesn't have PoE++ as the switch I bought does, and its UI/UX, while capable, seems to have its quirks and a learning curve that's not as friendly as the FW.
Since you also mentioned being on an Eero, you may also want to look into what your additional network needs are. Like if you want/need vlans to do network segmentation in the future. It's my understanding that the Eero's aside from their quirks don't support some of these functions.
Based on your description, the problem is, most likely, with the coaxial connection to the modem and, possibly, even outside your house. I don't see how any "smart" device can help - considering that "smart", in most cases, requires an internet connection and you would not have one exactly at the time you needed it most. Have you tried to troubleshoot what may be the cause of coax signal loss by the modem? Have you tried to install a coaxial cable booster (in case your cable signal is just at a low level, on the "border")? Something like this - https://www.amazon.com/Cable-Internet-Amplifier-Splitter-Terminators/dp/B07Y5PVDF7/ref=mp_s_a_1_3?keywords=coaxial+amplifier&qid=1669725142&sr=8-3 Any chance that the modem itself is failing? I am sorry, I am not offering a solution, but it feels like you are looking for a workaround while the cause will stay there.
Almost any smart plug will fit the bill. One such example, which I have used for years:
You can set up a schedule in the Kasa app and it will get it done even with no internet connectivity at the time of power cycling. Set it, forget it and Bob's your uncle.
P.S. I have posted a link for the US market.
That’s a meh piece of hardware. It only has SFP+ for 10GbE. The RJ45 ports are 1GbE…
Now something like this MikroTik L3 switch would be an ideal starting point in terms of hardware. However the app/software, and a full self/device-hosted web portal would be a must in order for it to be a true option.
You just simply can't do what you have in mind, the app will not allow you to:
LAG 4 ports. 3 max
All ports must be on same subnet - no vlan, which is why it must be segregated for LAN/WAN traffic.
Just because a port is full duplex doesn't mean it's only used for one thing. When you're streaming/downloading there is still an uplink connection being made to say "hey I got the data I asked for, send the next piece". And you can't dual-purpose a port on the FW for LAN and WAN traffic, the app won't let you. As I mentioned earlier, the best you could hope for is 5 Gbps through a FWG+ and that's only possible with LAGing 2 ports for WAN, and the other 2 for LAN.
You would need at minimum an 8-port 2.5GbE FW option to exist for what you want. And it would price itself out of competition, because there are better options for an 8-port 10GbE w/ SFP+ that have router capabilities (L3 switch basically).
When I was in your position and shopping to upgrade my internet, one of the pieces I considered (instead of a FWG+) were Layer 3 switches. I considered buying this MikroTik-12-Port-Switch-CRS312-4C-8XG-RM
Is there possibly an update towards the stance? According to their GitHub they're on V1.8.2.
While it may not be as widely adopted yet, and is primarily in use by ExpressVPN, supporting faster and more lightweight VPN protocols is a benefit to end users. Especially as FWG+ start making their way out into the wild. As my challenge now seems to be finding a VPN provider and WG server providing gig+ speeds.
Yeah, I mean at worst, one of these and you're gonna be gtg.
Would suck cuz you're not using all those FWG ports.
yeah Firewalla definitely will be good for him and you can remotely manage it too.
On top of firewalla, you can also consider in https://pi-hole.net/ running on a raspberry pi.
Have fun exploring :)
I bit the bullet and went with the Gold. I figure I'm more future-proofed that way, but really - I can't see myself using VLANs anytime soon. I helped to justify my decision because I'll be able to repurpose my RPi 3B+ running pi-hole for something else and run a pi-hole container on the Gold.
I agree with you though... a Blue++ version that is just a much faster Blue+ would have been an easy decision for me.
I'm not using the Mail app but I'm sure there are other apps and services Apple uses the private relay feature with that are running on my system even though PR is switched off.
Since I'm using ProtonVPN with their DNS Servers I really would like to have that as the only privacy provider and being able to switch PR off entirely.
I understand that this service is useful for people who don't deep dive into their systems but Firewalla users are a different breed :D
I thought about deactivating PR via a mobileconfig profile but honestly it's not such a big deal to open that can of worms. I'll just accept that this is the way it currently is.
Thank you for your insights!
I have seen some odd behavior with NordVPN WireGuard. I am in South America and using NordVPN WireGuard to connect to the US. When I go to , I show as US as expected. But if you do the leak test, it shows Brazil or some other country. This affects many websites I go to like YouTube or Netflix. They can snoop out that I am not coming from the US and will block or show me the leaked DNS country portal. Has anyone else seen this behavior from NordVPN?
I think the WireGuard functionality is fantastic from my limited understanding - very high speeds and efficiency (500mbps for Firewalla), and you can't hide all of your IP information that shouldn't matter for 99.9 percent of cases unless you're trying to hack into the fed or something.
Am I correct that WireGuard was pioneered by NordVPN, or did they just champion it more than other VPN companies?
It would be more clear if you just called your provider to avoid confusion. That’s the type of confusion companies who name themselves after existing technologies, and Tor Guard, are aiming for. I didn’t say is a bad provider. I just said they name their services after established technologies to confuse people into purchasing subscriptions. I don’t know much about OVPN.
I will say that Proton VPN is routinely considered the most secure VPN. They also have around 59 servers in the USA. Accounts come with highly secure email services and encrypted cloud storage. See .
That said, all OVPN providers work the same and all WG providers work the same. So the process of connecting an instance of the client to your VPN provider should be exactly as stated above.
With OVPN, yes. You upload the profile (.ovpn) file. You must also fetch your VPN login information from the provider’s website. This is different from an app or website login and should be two strings of random characters.
With WireGuard, you just import the profile (.config) file. It will automatically add the login information.
On Pandaeye0’s comment, I’ve never seen any profile file not able to be imported into Firewalla. But I’ve only used SurfShark, Nord, and Proton.
I had issues with our apple devices when I had them set to go out to Mullvad vpn. Once I took them off VPN, they worked with no issues. I haven't been able to find any flow that indicates they've been blocked. The only thing I can think of is that Apple sees the traffic coming from a VPN and disallows it.
Now, I just turn off VPN, update the device, turn on VPN. Not a big deal, but it would be nice to figure it out. I did try to route Apple update-specific traffic without the VPN but never found the actual solution. I saw a shiny object and moved on to something else :-)
Yes, I use StrongVPN to do this.
I route pervasive advertisers through a VPN that way it obfuscates any IP based targeting due to the shared IP address.
I then route selective domains & ports -- e.g. p2p, iptv -- through a VPN as well for privacy.
I use ExpressVPN via Firewalla so I can watch in-market baseball games on . Generally works great as I can easily toggle it on and off only when I am watching baseball. One drawback is that MLB occasionally gets wise and blocks an ExpressVPN IP address, so I have to move to a new city. With Firewalla, I have to delete the entire profile and manually install one for another city. Now that I know how to do so, it's straightforward, but learning how to do so the first time was tricky.
In terms of a Firewalla VPN, I would be interested, if the price was right and if it worked. The trick with VPNs for my, and many other people's, use case is that the VPN provider needs multiple servers globally and needs to stay up to date with the cat-and-mouse game with providers like MLB and Netflix. Maybe Firewalla could white-label someone else's, but I am not sure you want to take that on.
I find this interesting as a service -- primarily because I believe firewalla's good intentions. Choosing the right VPN service has a lot to do with trust.
Some VPNs convince because they're cheap and have tons of servers (NordVPN, ExpressVPN). Others are popular because they are more transparent and "indie" than others (Mullvad, IVPN). Would be interesting to hear what your focus would be.
> Would it work to create a route for one computer only that sends Zoom traffic directly to the WAN, or would it still go through the VPN?
I believe that is what you are looking to do: split tunnel. You can setup the route not just for one computer but also for a group or a network, so that Zoom traffic goes outside of your WireGuard tunnel to Mullvad.
See here:
Chiming in to say that I disabled IPv6 because I’d been trialing ProtonVPN, which doesn’t yet support IPv6 addresses.
I have Fios in NYC, and FWP in router mode directly connected to my ONT and on Thursday night I decided to try enabling IPv6 again because I’ve not really been using VPN.
The next day I’d forgotten that I’d enabled IPv6 again and noticed that my speed had dropped from ~900 Mbps to ~300 :(
I just stumbled on this post and disabled IPv6 and ran a speed test and I’m back to 900 Mbps again. Thank you so much for sharing - you probably saved me days of frustration!
After the comment about the logs, I decided to open a ticket with Firewalla. They looked at the box, and I assume the log, and told me it was my login credentials. And pointed me to the PureVPN help regarding login credentials. Using that I found I had an error in what I thought the credentials were and I am now connected. I appreciate all the comments and help.
It occurred to me that I should state what I did try. I downloaded the OpenVPN profiles from PureVPN. This is a zip file containing what appears to be a profile for each of their servers. They have both UDP and TCP profiles. I picked the one for the local node I have used from my computer for a long time. I then went into the Firewalla app and opened the VPN client. Then I created a new VPN Connection. I selected 3rd party VPN. Next I selected OpenVPN. I gave the profile a name, and put in my username and password. I then imported the profile I selected from the downloaded zip file. I don't know whether it matters whether I use UDP or TCP, but I actually created one VPN connection for each. Note that the PureVPN account userid/password and PureVPN app userid/password are different. I have tried using both userids just to be sure that wasn't a problem. I have logged into my PureVPN account and the PureVPN app again to be sure I am using the correct userid/password in the appropriate place.
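Before importing a downloaded profile it helps to see exactly what it asks the client to do, since the two profile formats discussed in this thread carry the relevant facts in plain text: an .ovpn states the transport, the server and whether a separate VPN username/password is still required, and a WireGuard .conf states the tunnel address, the resolver it pushes and the endpoint. The script below is an added example, not Firewalla's, OpenVPN's or WireGuard's own code; the two sample profiles are constructed and the hostnames are placeholders.

```shell
#!/bin/sh
# Added example, not Firewalla's, OpenVPN's or WireGuard's own code. Summarises
# the two profile formats a VPN client imports so the essentials can be checked
# before the import: transport, endpoint, whether credentials are still needed,
# and (for WireGuard) whether the profile sets its own DNS at all.

# ovpn_summary FILE -> "proto=<udp|tcp> remote=<host>:<port> creds=<required|file:<path>|none>"
ovpn_summary() {
  f="$1"
  # Transport: explicit "proto" directive, else the optional 4th field of "remote",
  # else OpenVPN's default of udp. udp4/tcp6/tcp-client are folded to udp/tcp.
  proto=$(awk '$1 == "proto" { print $2; exit }' "$f")
  if [ -z "$proto" ]; then proto=$(awk '$1 == "remote" && NF >= 4 { print $4; exit }' "$f"); fi
  if [ -z "$proto" ]; then proto=udp; fi
  case "$proto" in tcp*) proto=tcp ;; udp*) proto=udp ;; esac
  remote=$(awk '$1 == "remote" { print $2 ":" $3; exit }' "$f")
  # "auth-user-pass" alone means the client must supply the provider's VPN service
  # credentials (not the website login); with a path, they are read from that file.
  creds=$(awk '$1 == "auth-user-pass" { v = (NF >= 2) ? "file:" $2 : "required"; print v; exit }' "$f")
  if [ -z "$creds" ]; then creds=none; fi   # certificate-only profile
  echo "proto=$proto remote=$remote creds=$creds"
}

# wg_val KEY FILE -> value of a "KEY = value" line with all whitespace stripped
wg_val() {
  awk -v k="$1" 'index($0, k " ") == 1 || index($0, k "=") == 1 {
    sub(/^[^=]*=[ \t]*/, ""); gsub(/[ \t]/, ""); print; exit }' "$2"
}

# wg_conf_summary FILE -> "address=<cidr> dns=<servers|none> endpoint=<host:port> allowed=<cidrs>"
wg_conf_summary() {
  f="$1"
  dns=$(wg_val DNS "$f")
  # No DNS line: the tunnel does not set a resolver, so queries keep following the
  # client's or gateway's existing DNS setting, which is how a "leaked" country shows up.
  if [ -z "$dns" ]; then dns=none; fi
  echo "address=$(wg_val Address "$f") dns=$dns endpoint=$(wg_val Endpoint "$f") allowed=$(wg_val AllowedIPs "$f")"
}

# Constructed sample profiles (placeholder hosts and keys), written to temp files
SAMPLE_OVPN_UDP=$(mktemp); cat > "$SAMPLE_OVPN_UDP" <<'EOF'
client
dev tun
proto udp
remote us-node.example.invalid 1194
resolv-retry infinite
auth-user-pass
EOF
SAMPLE_OVPN_TCP=$(mktemp); cat > "$SAMPLE_OVPN_TCP" <<'EOF'
client
dev tun
remote vpn-tcp.example.invalid 443 tcp
auth-user-pass /etc/openvpn/creds.txt
EOF
SAMPLE_WG=$(mktemp); cat > "$SAMPLE_WG" <<'EOF'
[Interface]
PrivateKey = PRIVATE_KEY_PLACEHOLDER
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
PublicKey = PEER_PUBKEY_PLACEHOLDER
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = node.example.invalid:51820
EOF

ovpn_summary "$SAMPLE_OVPN_UDP"
ovpn_summary "$SAMPLE_OVPN_TCP"
wg_conf_summary "$SAMPLE_WG"
```

Running it on a real download (`ovpn_summary path/to/server.ovpn`) makes the UDP-versus-TCP question and the "which password does this want" question answerable from the file itself: `creds=required` means the provider's separate VPN service credentials have to be entered in the app, and a `proto=tcp` profile on port 443 is the one that blends in with ordinary HTTPS.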
This might? work:
but I suspect the effort and outcome would likely not be as good as just using a free VPN. I used the free ProtonVPN for a few months before buying it, and it was really solid and only occasionally seemed slow.
Also, there's a cost to PoE+
The Firewalla Gold Plus is already on the upper price side of a prosumer firewall.
Netgear 8 port unmanaged switch without PoE
https://www.amazon.com/NETGEAR-Ethernet-Unmanaged-Protection-GS116NA/dp/B00MPVR50A
Netgear 8 port unmanaged PoE+ switch
https://www.amazon.com/NETGEAR-16-Port-Gigabit-Ethernet-Unmanaged/dp/B08MBFLMDC
Not likely Firewalla is going to be able to get the price of PoE+ down as much, compared to the likes of a huge manufacturer such as Netgear either.
you want:
modem --> firewalla --> access point
right now you have two modems. basically, modem converts your telephone line into a digital format (modulator-demodulator) and vice versa. you generally need this to connect to your ISP's line.
firewalla is a router/firewall. think of it as the "brain" of your network. you generally want all your network traffic passing through the firewalla first (inbound and outbound). so, you want your firewalla connected to your modem and any other devices connected to your firewalla -- either directly or through an intermediary (network switch).
the last piece is the access point. this is what is broadcasting a WiFi signal. you want this if you are connecting devices to your network wirelessly. right now you have a modem instead of an access point, so you'd want to return one of the modems and buy an AP.
there are tons of good APs, but the "latest and greatest" use WiFi 6. I personally use TP-link/Omada since they have good hardware at a decent pricepoint.
I use DoH for everything on my FWG, I also route all my IoT devices out a WireGuard VPN (VyprVPN) with NAT enabled in the VPN. I also have a few more rules like no Tor, TikTok, YouTube and the list goes on. I am hoping for a more granular option per interface in the future for DNS unless I am missing something now.
I ran into the same problem with Mullvad. I switched to having NextDNS act as my DNS filter and now Amazon plays fine. If I tunnel DNS through Mullvad exactly what you are describing takes place. I’ve decided to run DNS through NextDNS and all other traffic goes through Mullvad.
Oh, that’s interesting.
Just Mullvad - Amazon Prime doesn’t work
Just Surfshark - Amazon Prime doesn’t work
Both Mullvad and Surfshark - Amazon Prime plays fine
The only thing that I can think of there is that maybe Surfshark routes your traffic to a different datacenter when you are connected through the Mullvad VPN, and that other datacenter just happens to not be detected/blocked by Amazon. But, your normal Mullvad and Surfshark datacenters are detected as VPN providers and are blocked. I’ve never used Surfshark myself, but is it set to connect to the “closest” or “fastest” server maybe? The result of “closest” could be different when you are connected straight through your ISP versus connected through Mullvad. If so, you could potentially play around with different server locations to find which server currently works with Amazon Prime, but know that it’s ultimately a game of cat and mouse. Amazon is always looking to detect the VPN providers because they can be used for “region shifting” (which can be against their licensing terms with content owners) and VPN providers are usually looking to avoid that detection because their users obviously want to stream.
Yes, Amazon Prime didn't like it before I put the VPN on the router, and just used that on a client; now, with Mullvad VPN on the router, it won't play videos with just that on, but when I use Surfshark AND leave the router VPN on, it works fine..
Of course, when it's just the router VPN on, I have a different IP address than I do when I turn on Surfshark AND the router VPN as well..
IoT only needs a few meg of traffic, which at best I get about 100 mb… I route my IoT thru a VyprVPN VPN with NAT also. I am fine with this for IoT; on Wi-Fi I am getting 700-750 mb. I have everything wired in Cat 6 with a gigabit switch. I have a Comcast 900 mb internet connection and the Xfinity gateway is in bridge mode.
Streaming 2 4K Apple TVs, 1 PS4, 1 Xbox Series X and usually 2 iPads and 2 Google Minis and 1 Hub Max. Other than the Mini/Hub Max, everything is wired for streaming devices.
I use DoH with Next DNS and have a number of blocking policies and native tracking blocks setup…
I have recently looked into this, and there is a backward way to get NordVPN working with WireGuard on firewalla. It involves installing Linux and sacrificing your firstborn, or something like that. I didn’t read it all. Here are a couple of links
Oh, I didn't know that you changed that. What PureVPN does is separate your account from the credentials for the VPN connection. It's a good security approach. Connection credentials can be found on the billing tab as you mentioned. I keep them different..
Good that it works for you.
Saw this too. What it ended up being is that when you change your password on PureVPN, the login password can be different than the VPN username password.
I changed my password and then assumed it had changed for the VPN username password too. But it had not.
Make sure your VPN password is the same in the account and billing section!
Sorry for the delay, I had to confirm.
Yes, with the 7-day $0.99 deal you can select the Dedicated IP and Port Forwarding.
You will be charged for addons after 7 days if you decide to take a regular plan.
You can use a coupon for users of my website, I updated the article - the code is there and will give you an additional 10%.
I checked and with the coupon code, the 2-year plan, and the addons Dedicated IP with Port Forwarding it's about $86.
The PureVPN chat is operated by real humans so you can get in touch with them anytime, in case you would like to use the money-back guarantee.
So, you can test it for 7 days and confirm that it will work for you.
If you would need some support, just let me know. I will do my best to help you.
Assuming you are running Firewalla as your router, and you have selected all devices in the Firewalla Wireguard VPN client settings, then they'll all be using Mullvad while connected to the LAN. You don't need any apps installed on your devices.
Away from home you would normally need the Mullvad app to be running, however, if you have Wireguard VPN server set up in Firewalla, you should also be able to see those VPN devices listed separately in the device list of the Firewalla VPN client. They will have a VPN badge.
The upshot is that if they are also selected along with the other devices, you don't need to use the Mullvad app away from home.
Away from home you connect back to your Firewalla LAN using the Wireguard app, which then connects you through to Mullvad.
Hope that makes sense.
You need to remember that your device connected through WireGuard rather than the LAN has a different IP address than when you're at home, so you just need to include it in the Firewalla Mullvad settings.
Quick VPN/sort of n00b question; I am trying Mullvad, and generated a WireGuard config file and imported it into Firewalla. I assume it is working, since all my local devices' IP range has changed from 192.168.49..... to 198.54.144......
Do I need to install the app on my local devices as well, to get VPN protection when I am on my home network, or, only need to use the app when leaving my home network?
Also, it's a WireGuard config file; if and when I need to have VPN away from home, do I use the WireGuard app or the Mullvad app?
Thanks for helping, I am kinda embarrassed that I am not sure about this!
Hi,
Try PureVPN - you can read the review on my website - PureVPN review.
I used dedicated IP and port forwarding for crypto mining and it works without problems.
You can test it for one week - read about it on my blog - PureVPN $0.99 deal
This won’t work as the VPN provider is now your firewall for traffic going over the VPN.
Your VPN provider will need to specifically provide support to work around CGNAT - PureVPN and some others do this with dedicated IP and a member dashboard that allows you to open ports.
I’m not recommending one VPN provider vs another but whoever you choose you’ll need to confirm they can do this.
GSkill 8GB DDR3 (REV A) (May come in one pack, I needed a spare.)
Search previous posts on this page for "ram", I put up several photos and notes I think.
It should come with one, but it would be better if it was one of those semi firm EVA cases like this one (but in the right size of course).
In my experience with all my current Linux systems and the FWG, OpenVPN UDP is quite stable to work with NordVPN; I don’t usually use WireGuard unless it is a mobile device or I'm working in an internet-censored country.
Once it is done, you can check it by going to NordVPN’s website directly, and its banner will tell you the status (for an iOS device you need to disable the Apple Private Relay service first or NordVPN will show an incorrect status, though you are actually connected with both of them).
Right, so before I got the Firewalla, my family and I’ve been using the NordVPN app on our individual devices - all iOS - as a matter of security. Right now, I’m basically looking to geo filter and disable certain apps from use on specific devices, right now, specifically Skype. I thought I could do this with Firewalla but did not account for NordVPN. I had it in my head that Firewalla would work behind any device’s request for a NordVPN proxy… not sure I’m explaining this right…
Thanks. So yeah, that’s the first option for the config file so I chose that. I couldn’t figure out how to download it or find where it went on iOS so I used my Mac, copy/pasted in a text file and emailed it to myself, then copy/pasted it in the app setting. No idea if I messed things up but the app said I was successful.
However, I’m still unable to monitor devices that I know use the local NordVPN app to open a proxy server. So… what else do I need to do?
Hey, that’s exactly what I’ve done - still doesn’t tell me which to pick, OpenVPN or Wireguard or whatever. Also, I still can’t see specific activity of the device currently using NordVPN. What do I need to do after doing what that link tells me to do. 🤷🏽♀️
I put these under my Firewalla and it seemed to help with the temperature
Conical Rubber Bumpers Black - 16 PC Combo - Tall Rubber Feet Spacers for Electronics, Computer Equipment, Speakers, Car Truck Bug Deflector, Cheese Boards, Furniture, Cabinet Door https://www.amazon.com/dp/B075KZBR2Y/ref=cm_sw_r_cp_api_i_NA5X47NW7QVN206CPP81?_encoding=UTF8&psc=1
A big plus not mentioned so far, if you have a laptop and get out of the house, a VPN client will offer you some privacy "on the road" . Most good VPN clients work on smartphones and PC/Macs.
I look at Firewalla and VPNs as different, though overlapping, tools in the toolbox.
The problem with client VPNs is that you are trusting that company not to log your activity and such. Some have limited free offerings (like ProtonVPN) which may be a decent option if you don't travel a lot.
Also from ProtonVPN Support:
Kindly note that we have forwarded this information to our development team for future improvements. Hopefully, the scenario you are requesting might become available in the upcoming future, but at this point, we will be unable to provide any specific time frame for that to happen.
So maybe sometime in the future it may be possible to set up two separate ProtonVPN WireGuard tunnels/profiles using different IP addresses, but for now it is not possible.
You are right! I just tried it. I have the second profile in firewalla and it can establish a connection but I can’t load anything. So yes it doesn’t work and we are unable to add multiple profiles because it has to have the same IP with ProtonVPN u/firewalla
Thanks yet again for your response u/brightstarlight84.
I was still having issue creating the second profile using IP 10.2.0.3/32 so I raised a ticket with ProtonVPN Support.
Here is part of their response saying that IP 10.2.0.3/32 cannot be used...
Moreover, regarding the situation with the WireGuard connection, please note that we are not using the IP address 10.2.0.3 when establishing a connection with our VPN servers through the WireGuard protocol, and therefore, please note that currently, it is not possible to configure a connection with our ProtonVPN servers using the 10.2.0.3 IP address.
I use NordVPN at the moment. As soon as I use it with NextDNS I see the content filtering gets bypassed. Also, I am not able to connect to my Ring Cameras so that's another issue with the VPN I need to address. And I want all my devices going through the VPN.
Can I ask how are you directing traffic through the VPN? Do you have a VLAN where you send everything to the tunnel? Do you have it always on? Policy based routing?
I’ve tried to see what is my best case to do this and can’t figure it out. I used to have a separate SSID on my wireless setup, mapped to a separate VLAN, and that would go through Mullvad. I then would jump between SSIDs if I wanted to jump in or off the tunnel. However, I quickly realized it is easier to just install the WireGuard client on the device to turn a VPN on and off.
Just looking for ideas.
Thanks for the tip. I was very close to pulling the trigger with Mullvad but already have an active subscription with another service that doesn’t have the config generator for WireGuard yet. That’s the only reason I held off but I think I will do it.
Yes on a Purple.
We have a pretty good connection into Nord Miami - I don't think I've measured anything less than 800mbps. The base medium latency is 6.4ms so that probably helps.
Getting NordVPN to work with Firewalla involves a little bit of poking around to configure. Here are some notes
That appears to be VPN server speed. I've honestly never used a VPN server but interested to try connecting to it remotely. I'm in hotels all the time. But I'm taking VPN server to mean that you're hosting your own VPN and not connecting to service provider; ie Surfshark, NordVPN, ExpressVPN.
Basically, if I'm going to install a VPN on my Purple to connect to a third party like NordVPN, I was wanting to know what speeds people have seen. Even though I've ordered the Purple, I'm curious if that's the route I should go or if I should go with something like pfSense.
Based on the other comments, I’m understanding the following: 1. I still need to keep my NordVPN for anonymous-ISH browsing but you can never trust them/other services at the end of the day. 2. Nobody is truly anonymous on the internet.
I'll look into algo more, thank you!
However, I do have a Linode server today and pay $5 a month for it. It seems like it might be better to just pay NordVPN since it's cheaper per month and cancel the Linode Server.
Ah. https://www.amazon.com/12-Port-Gigabit-Managed-Multi-Gig-XGS1210-12/dp/B084MH9P8Q/ 2x10gbps ports, you just need a couple of SFP+ adapters whenever you're ready to use those ports. 2x2.5gbps ports, if you went with LACP you could create a 5gbps backhaul to another switch or whatever. All for under $200.
A brand spankin' new $1500 Netgear Orbi WiFi 6-E Router and "Satellites" have 2.5gbps ethernet ports on them, so this switch would support them nicely, so yeah that's future proof.
Any luck with this?
I am experiencing same issue as commented here:
Adding two WireGuard peers to a router
Problem is, you can’t create two different networks locally with the same network address. ProtonVPN should, I think, be agnostic to what your local network is. You’ll have to give one of them a different local one.
Yes. I just installed ExpressVPN on Firewalla Gold to watch games in market. Works flawlessly with my Roku
Only, minor side effect is since I set the ExpressVPN location to Salt Lake City, I see ads for businesses in that city now.
Firewalla is just a client, I do not know if ExpressVPN provide wireguard config files, but I'm thinking at minimum you can download OpenVPN config to use.
ExpressVPN is just giving you the canned response.
Are you sure that Netflix on the FireTV is actually going through the VPN? PIA has some streaming optimized nodes, but they have never really claimed to be (or been good at being) the choice for content block bypassing. NordVPN supposedly does a good job of that.
I disagree with Nord being a 5 for ownership and logs. I was a Nord fan for many years and used them on everything and anything happily with virtually no issues, and found their interface easy and fast. Connections were fast and reliable; however, I have read extensive insight recently in back-end discussions about them becoming part of the big Chinese data vacuum cleaner and also about them not being transparent about their ownership ties to ad networks.
Going by what I'm reading these days, Mullvad seems to be the most popular for data security and privacy etc. at the moment; however, I will admit their connectivity is not as stable as Nord when used on Android.
An interesting piece of trivia in my case is that I've noticed, more often than not, whenever I first put a MSISDN onto a VPN there are connection issues and blocks constantly for the initial 3 weeks of usage.
I used to like ExpressVPN's speed and usability until I read a back-end discussion somewhere about their ties to the big Chinese data vacuum cleaner via holding companies etc.
For WireGuard specifically, I switched to Mullvad VPN in order to import the config with a QR code rather than messing with a command line tool to get it to work. I wanted to keep it as simple as possible. There are a few options out there for out-of-the-box WireGuard setup with QR codes to import the WireGuard config into FW. There are not a lot out there yet as WireGuard is still relatively new(ish).
Some things seem to have changed (as expected) when they got bought out by the larger company that owns several of the big VPN names now (the "parent" company now owns Private Internet Access, ExpressVPN, CyberGhost VPN, and a few others; not to mention known for that man-in-browser adware, monetization, and spying done by them that other spyware and malware companies used, to say the least). :-) Not to say they're bad, and they're some of the most known and rated services, with various good features that make them all stand out in their own right. You just have to realize that, accept that, and know/understand where they came from and their background (although they say they changed).
Yep! I got my Purple and have it plugged straight into the ONT line. I got rid of the G1100 and am only using the Purple for my router. I got a TP-Link Switch and TP-Link Access Point. Everything worked without a hitch.
If you still used the G1100, you'd probably disable everything but Wifi which would give you a switch and access point in one. I didn't like the idea of renting the G1100, so I just returned it and rolled my own. I also like that I have a lot more control over the wifi settings.
Hopefully, you already have an Ethernet line in from your ONT; otherwise, you should have Verizon come switch it from coax to Ethernet. Converters are expensive and you're going to limit yourself to 100Mbps (if that).
Been running with this in mine for over a year. Be advised, if you need to re-flash the image - you’ll need to get back to your original 4GB config.
TP-Link AC750 Wireless Portable Nano Travel Router(TL-WR902AC) - Support Multiple Modes, WiFi Router/Hotspot/Bridge/Range Extender/Access Point/Client Modes, Dual Band WiFi, 1 USB 2.0 Port https://www.amazon.com/dp/B01N5RCZQH/ref=cm_sw_r_cp_api_glt_i_7M4DZHS9VZE08Z43HE0T
This works well.
Used WSL on Windows with Ubuntu to run the script. Followed by sudo apt install qrencode && qrencode -t ansiutf8 < for easy config.
Great to see NordVPN / wireguard with a Firewalla Purple doing 806 Mbps down / 893 Mbps up with 10 ms latency on a 1G up/down connection.
Confirmed that and a Grandstream work as well.
My understanding is that Nord doesn’t provide config files for Wireguard/Nordlynx. Looks like there are ways to generate them yourself though through a user generated script. Haven’t tried this so not sure if it works.
USB to RJ45 console cable, this is what you need. I have one that looks like this, but not exact one, should work https://www.amazon.com/OIKWAN-Compatible-Opengear-Aruba,Juniper-Switches/dp/B075V1RGQK/
Thanks, Chris!
Are you a hardware or software designer, or both? Is Firewalla, Inc. your company?
Just ask, "Would Steve Jobs have liked this?" When the answer is finally yes, you'll know that you're on to something. :)
At some point in the future, when the supply chain problems abate, you may want to go after the high end of the portable firewall/router/VPN market by designing a Purple-like device that looks more industrial and sturdy, and has a display. Here's one visual example for inspiration: https://www.amazon.com/Netgear-Nighthawk-MR1100-GSM-Unlocked/dp/B07G5KWZ3H/.
I would actually segment the market exactly as Steve Jobs did with the MacBooks: ordinary ones, and MacBook Pros. In your case, it would be more ordinary (i.e. inexpensive) Firewallae, and then Firewalla Pros. You can (and should) make a lot of money by pursuing the high end of the market. Compete on solutions, not on prices.
One of the mistakes that Apple made was to have too many products. That caused market confusion and maintaining all of those product lines was very expensive.
I love what Firewalla has done. There's so much potential. I'm excited for your future.
Good Luck,
Artem
Thanks for the recommendation, I think I need just a little bit more space… found it at Amazon, if there is anyone interested, Bellroy Tech Kit
I don't think it's the fstab issue. I recreate the mount point, set up the group and user and permissions, and then do sudo mount -a and it mounts. I put a couple files there but on reboot it's all gone.
And the drive is this: Transcend 512GB SATA III 6GB/S MTS430S 42 mm M.2 SSD 430S Solid State Drive TS512GMTS430S https://www.amazon.com/dp/B07MSQMGLT/ref=cm_sw_r_apan_glt_i_109GW3V3M08WBMYNZDP0
I hope this helps a bit.
Artem
I too went for it. Configuration couldn’t be simpler through the Mullvad Configuration page. I simply scanned the QR code with FW to import the WireGuard config.
No VPN: 350Mbps DL / 25Mbps UL
Mullvad: 342Mbps DL / 23Mbps UL
NordVPN (OpenVPN): 150Mbps DL / 20Mbps UL
TBH I’m kind of blown away by the performance. :)
I'm looking at possibly replacing the Netgear equipment I have, which was my old network, with something newer and a little more enterprise level. I started looking at these TP-Links first as I have about 2.5 acres in the country, so I’d like to be able to have access on all of my property. I already have a 70-foot radio tower so that won’t be an issue. My question is what I should pick up. I was thinking of one of these for outside and a TP-Link EAP610 | Omada Business WiFi 6 AX1800 Wireless Gigabit Access Point | Support Mesh, OFDMA, Seamless Roaming & MU-MIMO | SDN Integrated with PoE. My home is a single story 3 bedroom 2 bath home, so nothing huge. I would like to have a central interface for creating and managing new SSIDs, and I would want coherence between channels so that they connect to a single SSID and it figures out if 5GHz or 2.4GHz is best. It also needs to be able to have a hidden SSID and VLAN tagging.
I have a satellite internet connection coming into a router I have set up in bridge mode. That goes into a FWG and that goes into a Cisco 3750 48 port PoE Layer 3 managed switch. The access points will hang off the Cisco and be powered by it. In all honesty, I would like to keep this as cheap as possible as I’ve already spent a good chunk on this network upgrade.
Do you think I could get away with 1 inside AP and 1 outside AP? Obviously I think this should do OK with the outside, but I’m not real familiar with TP-Link's wireless products, so any advice is helpful.
My way is:
1) on the Mullvad site, generate a config file on my Windows PC
2) place the file on my Google Drive
3) in the Firewalla, start the WireGuard config and import the Mullvad config from the Google Drive
4) enable it
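Before importing a second provider config (the two-peers problem raised earlier in the thread, and step 3 of the procedure above), it helps to check the files for the conflict described there. The following is an added example, not Firewalla's, Mullvad's or ProtonVPN's code; the two profiles it checks are constructed, with placeholder keys, endpoints and addresses.

```python
"""Check WireGuard profiles before importing them into a router. Added example, not
Firewalla's, Mullvad's or ProtonVPN's code; flags two profiles sharing one Address."""
import ipaddress

# Constructed sample profile; keys and endpoint are placeholders, not real values.
PROFILE_A = """\
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY_A=
Address = 10.2.0.2/32
[Peer]
PublicKey = PLACEHOLDER_SERVER_KEY_A=
AllowedIPs = 0.0.0.0/0
Endpoint = vpn-a.example.invalid:51820
"""
PROFILE_B = PROFILE_A.replace("_A=", "_B=").replace("vpn-a", "vpn-b")  # same Address

def parse_wg(text):
    """Return {'Interface': {...}, 'Peer': [{...}, ...]} for one .conf file."""
    iface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line == "[Interface]":
            current = iface
        elif line.startswith("[") and line.endswith("]"):  # [Peer]
            peers.append(current := {})
        elif current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        else:  # split on the first '=' only: base64 keys end with '='
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return {"Interface": iface, "Peer": peers}

def check_profiles(profiles):
    """profiles: {name: conf text}. Returns a list of findings (empty means OK)."""
    findings, owner = [], {}
    for name, text in profiles.items():
        conf = parse_wg(text)
        if {"PrivateKey", "Address"} - set(conf["Interface"]):
            findings.append(f"{name}: [Interface] lacks PrivateKey or Address")
        if not conf["Peer"] or not all({"PublicKey", "Endpoint", "AllowedIPs"} <= set(p) for p in conf["Peer"]):
            findings.append(f"{name}: a [Peer] is missing or lacks PublicKey, Endpoint or AllowedIPs")
        for addr in conf["Interface"].get("Address", "").split(","):
            if addr.strip():  # Address may list an IPv4 and an IPv6 entry
                ip = ipaddress.ip_interface(addr.strip()).ip
                if ip in owner:
                    findings.append(f"{name}: Address {ip} already used by {owner[ip]}")
                owner.setdefault(ip, name)
    return findings
```

Running check_profiles on PROFILE_A and PROFILE_B together reports that the second profile reuses 10.2.0.2, which is the situation the ProtonVPN posts describe; a single profile passes clean.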
It's certainly a longer discussion on why to use reverse proxies when publishing webapps.
I recommend starting with this article and doing a bit of research on the topic
https://www.cloudflare.com/en-au/learning/cdn/glossary/reverse-proxy/
Looks like you're correct:
NetRange: 108.162.192.0 - 108.162.255.255
CIDR: 108.162.192.0/18
NetName: CLOUDFLARENET
NetHandle: NET-108-162-192-0-1
Parent: NET108 (NET-108-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS13335
Organization: Cloudflare, Inc. (CLOUD14)
RegDate: 2011-10-28
Updated: 2021-05-26
Comment: All Cloudflare abuse reporting can be done via https://www.cloudflare.com/abuse
Ref: https://rdap.arin.net/r