Firewalla Arrived
It's always exciting to get new stuff, but I gotta admit that this new firewall has been a bit of a disappointment.
It's been about a week since I ordered it. As one does, I've spent that week looking through the installation and configuration documents, and even diving into the support and other topics from those pages. With that and 35 years of experience doing these things, I felt prepared.
I was especially excited when I found in one of the pages that the Firewalla runs Ubuntu! I had honestly vacillated between getting this box and just putting a little workstation, or maybe a Mini PC, with dual (or more) Ethernet adapters in this spot, and just running the things I need to run as I know I can run them. I liked the small size and low-power aspects of the packaged device, the 4x 2.5GbE ports (1 WAN, 3 LAN, or whatever), and their bundle of UI stuff to help configure it all without diving into trying to find or make something myself.
Unboxing the package was about what you'd expect. Inside the shipping box was another box that fit so tight it made me wonder why they put the one in the other. It seemed to offer just a cardboard layer of protection, and hide the couple of bits like labels that give a hint to what it contains. Inside the inner box was a business-card-sized piece of paper that directs one to the installation web page, with brand stickers on the back; no other documentation or details printed anywhere in the box. Beneath the stickers was the Styrofoam box that held the router. Beneath that was a cardboard box that held the power supply and its cable, and a mounting plate and a couple of bags with screws in them.
The unit itself is heavy. Not in an uncomfortable way, but like it's a solid device. I imagine it's all heat sink and metal casing, as the power supply is external. All of the ports on the device came with little blockers in them, which is counter to all the other devices I've had, as they either enjoy a little airflow through the ports, or it just doesn't matter.
The first thing the installation page does is direct you to download the installation app. That's the same installation page I started with before, so I was familiar. I waited and started.
I plugged the unit into power and tried to pair it with the app. The instructions say to connect it to the Internet (or network) first, but I hoped it would skip past that. I already had stuff running, and hoped to be able to configure the router before putting it into place. That didn't work, so I bundled everything up and headed to the data center.
No one else was home, so I figured now was as good a time as any to get it done. The video and straightforward directions made this seem like it might be an interruption that lasts a few minutes. I pulled the ISP-connected wire from my router and connected it to the Firewalla.
For better or worse the device requires a Bluetooth connection to start working on it, so I fired it up on my phone. After working with it for a while, I realized I dislike this convenience. The screen and keyboard on the phone are fine for many things, but the details one might have to enter, and the amount of stuff they try to fill on my 6-inch screen, left me wanting for at least my tablet, if not a desktop. I persisted.
After pairing, the device tries to connect to the Internet using DHCP out of the box. I have a static IP, so I needed to wait for that to fail to enter my details. New IP, subnet mask, gateway, and DNS were quick and easy. My ISP binds my connection to a MAC address, which the Firewalla supports, so I bonked into the advanced settings and disabled IPv6 and changed the MAC address. The app seemed to make the appropriate network changes, validated the network, and started checking for updates.
Usually, I'd expect the box to come with a good and working set of software. Whether it was put in the box with fresh software the day they sent it to me, or it used software from their last development and packaging cycle months ago, I would expect it to work. I would have liked it to boot, giving me the details and information it had, opting for me to start monitoring and configuring the device, and then offer me an update if necessary. But it chose to do it by itself at the very beginning of the process.
I waited as it searched. I waited as it installed. I waited as it started the services. And I waited as it copied encryption keys for app access. I waited over an hour for that last one. After the first bunch of minutes, I did a different task in the house, checking on the progress of each step as it happened to pass through. It took about 15 minutes or so to download and install the updates, but after an hour, I decided it was clearly stuck.
I checked the Internet, sharing my phone's cellular also with my iPad. I found I wasn't alone. Many people had hit this spot, and some had success just restarting, and others had to re-flash the device before starting again.
I just killed the app, and started over with the pairing. It went through the same process, including setting the configuration and downloading updates (so it didn't store them anywhere permanent?), and got stuck at the same spot. I did this three more times, hoping one of them would be successful. The variation I tried to throw in there (because doing the same thing exactly the same should get the same result), was making sure my phone was connected to a charger (it was starting to get low), making sure it was close to the Firewalla and didn't move after it paired, and tapping the screen occasionally so it wouldn't sleep.
I actually went through the start of the process more times, because it seems that the app will stop its pairing effort if the screen turns off, or you task switch away, as one might need to do when the phone is the only Internet capable device. This was also disappointing. I get that the device pairing wasn't complete, but did the Bluetooth fail? Is it dependent on getting to the Internet that much? It killed the app once when the screen darkened, which was disappointing, too.
It was about three hours of retrying and waiting by this time, people had started coming home, and I was hearing discontent because the Internet wasn't available in the house. So I did what another success story suggested, and I reconnected my old gear (as I'd just pulled the WAN cable to plug it into the Firewalla), and the Internet returned for the house and servers.
I connected the Firewalla WAN port to a LAN switch, and restarted the process. It got an IP from my LAN's DHCP server, and I was able to leverage the WiFi (through the same network) instead of cellular on my phone. The pairing went as fast, except it accepted the DHCP and didn't offer me a chance to make different network (or other) configuration choices. It stepped through the checks, downloads, and installations of updates, and ultimately gave me a success message! I was elated.
Except the router was configured wrong. It was plugged into the LAN behind the WiFi router it is meant to protect. It created its own DHCP network configuration, and was trying to NAT traffic to client devices (that weren't plugged in). Except for that, it worked.
I poked at the interface and changed its LAN DHCP network to match my edge router's static IP network. I made sure NAT was turned off (it was on by default, which made sense since it had created a 192.168 network). And then I changed its WAN network (labeled ISP 1, but whatever). It warned it would reboot, so while it did that, I pulled the cable from its WAN port that is plugged into my LAN switch, and moved the ISP cable from the old router to the Firewalla port. I also optimistically pulled the old router LAN (which is a public IP subnet) connections and plugged them into the Firewalla. If it was going to work, it was going to keep working.
Very quickly, I started getting "status OK" alerts from my network monitors, and alerts of new e-mail arriving through my server. I ran a ping from a hardwired server that isn't on the public network; it got through the switch and WiFi router to and through the Firewalla to the Internet. Clearly the Firewalla was working and my servers were able to connect and transact their software. I tilted my head a little, like a puppy dog, as I understood the Firewalla should be configured by default to stop all inbound traffic, which didn't seem to be the case since my mail server started receiving (and sending) mail. I figured maybe it was related to turning off the NAT, and resolved to diagnose that later, and in the meantime rely on the servers' and router's firewalls. I mean, it's acting like I want it to, routing traffic to the servers; I just expected to need to add route or firewall rules to let it happen.
Sadly, I couldn't see the router in the app any more. It was listed, but wouldn't connect. Peeking at some of the bits, I see that the configuration in the app had the IP address for the router as the one it received when it was connected to the LAN. I looked for a way to edit the IP address, but while I could change the name of the router in the configuration, I couldn't say "it's got this address now" in any way I could see.
So I thought "maybe I can pair with it again." I hit the pair button, which found the device, I scanned the barcode again, and it started the configuration all over! It failed with DHCP and forced me to enter the manual configuration again. Curiously, it remembered the network details, but seemed to have forgotten the MAC address. But it also wouldn't let me edit the MAC address! I don't know if something in an update changed that ability, or maybe it's in a weird place because it kind of worked before.
While this was happening, I started getting "things are offline" alerts from the network monitors, as it seems the pair-again attempt and lost MAC address made the Firewalla unable to connect to the ISP. Well, it connected, but wasn't allowed to transact traffic.
I put the old router back in place, and the network alerts turned around, and traffic started flowing again. I returned to my desk to peek at this stuff, and try to learn what I'm doing wrong. I found one article that seems to describe how to do what I'm doing. I've already changed the router's LAN to use the subnet it's supposed to deliver, and ensured that NAT is turned off. I'll poke at a few more settings and see what's up.
I also thought I'd get all this off my chest. Plus people are home and using the Internet, so I've got to wait a while (or make them unhappy) to try again.
I plan to reconfigure the Firewalla's WAN with the right settings, and while it's rebooting, remove it from the LAN. I'll wait a while with the app off, as the article suggests, before trying to connect it to the Internet. I'll wait a while more before trying the app. If the article is correct, it should connect again. If it does, I'll attach its LAN clients, and hopefully all will work again.
I gotta say, I'm a lot more disappointed in this device than I hoped I would be. I've done this with Bay Networks (which is no more), Cisco, Unifi, TP-Link, Netgear, ASUS, and DD-WRT on more than a few routers. Plus routing on Ubuntu servers and workstations, Windows servers, and between Ethernet and WiFi on a Raspberry Pi.
That I couldn't configure it first is really disappointing. This is the first piece of equipment that required the Internet to continue. All the others allow the device to boot and then usually establish an Ethernet connection to a web, console, or SSH session for the configuration. That this has Bluetooth (and maybe some others do, too) is kind of neat, and saves that step of connecting. It should really have allowed me to boot and configure it before connecting it, and even allow me to readdress it without failing to reconnect.
I might be missing something, but it's been about 5 hours of trying to get this to work, and I'll be really steamed if it won't work again because I can't edit the MAC address! I can get around that by coordinating a configuration change with my ISP using the MAC address of the Firewalla port, but that will enter its own time trouble.
I'll follow up after I give it a whirl later.