Firewalla Additional Effort
I got the Firewalla running, kind of, but had to revert because it still doesn't behave.
I'm trying again, but I still can't get the Firewalla to behave.
I spent a lot of time yesterday morning and afternoon trying to get the router to both route and continue to function with the app. According to the help article, after I got the router running by connecting it to the LAN, I changed its WAN IP and powered it off. I waited much more than 10 minutes before reconnecting it. I attached its WAN port and the WiFi router, but not the other servers. Shortly after, the things on the WiFi started behaving, so the router was "working." However, even after waiting many more than five minutes, I could get the app to connect, but I still wasn't able to get the app to behave. It was inconsistent. I could use the app to change some of the settings, but it wouldn't change others. I couldn't change the firewall rules to disable the inbound block, for example, but I could change the WAN address from static to DHCP. When I did this, and plugged it back into the LAN, the app would fill with all manner of details about what the router was doing.
I disconnected the Firewalla and returned my old router, again.
Pause for a second, and let's see if I can tap this out right. It might help visualize what I'm trying to do, if you get network line art. The whole thing I'm trying to do is replace the EDGE router.
{ Internet } -- [ ISP 10.0.0.133/30 ] - [ 10.0.0.134/30 EDGE 10.1.1.129/29 ] -+- [ 10.1.1.131/29 WiFi 192.168.1.1/24 ] - { LAN }
                                                                              +- [ 10.1.1.133/29 Server ]
That's representative, but obfuscated. In English, my ISP defined a small subnet for my edge router's static IP using a /30 network. Through this they route a small /29 subnet, giving me 5 usable addresses, from 129-134 on the subnet. There I attach my beefy WiFi router, which has wired and wireless connections on my LAN, providing Internet connections via NAT. Also attached to the edge router are a couple of servers, providing mail and web and such to the Internet. There are a couple of addresses available in my subnet for future use.
So, I've got this nailed down. It works with the repurposed WiFi router at the edge, which I've noted before sometimes seems overwhelmed, and doesn't seem to deliver the ISP's full potential bandwidth. Also noted before, I'd bought a different wired router for the purpose, but it only provides NAT, which is what brought me to the Firewalla.
In all my attempts yesterday, when I disrupt my network, and connect the Firewalla to the ISP connection, it fails to finish its installation. I can get it to install by attaching it to the LAN. I haven't tried to connect it to my current edge router, as I need to change its LAN side to the same address range, and that won't work for a number of reasons.
This morning I thought to start completely over. I used the app to tell my disconnected Firewalla to do a reset. I then also cleared the app cache and data. I decided to try again using my iPad, which is paired with a keyboard, to remove that one frustration. I connected my iPad to my phone's hotspot, and disconnected the phone from my WiFi. I ran through the Firewalla installation again.
This time, though, while connected to the ISP, it somehow got a DHCP address (which surprised me because there shouldn't be a DHCP server on my static IP subnet with the ISP, and the address it got wasn't on my subnet), and finished with the settings. I again readdressed the Firewalla's LAN and DHCP settings to be the subnet it's supposed to be. Everything seemed to be fine, except the app started to not do some of the things it should do. I connected my WiFi router to the Firewalla, and nearly instantly was able to ping through it to the Firewalla and beyond to Internet addresses. Alas, I didn't turn off NAT or the Inbound firewall before I readdressed the router, and one of the things the app wouldn't let me do is turn them off. I was able to use the app to get an SSH console password, and then a wired device on the LAN to SSH into the Firewalla. That all worked.
Some weird things didn't work on the LAN, either. I checked the WiFi router, and it was trying to use its upstream as the DNS server, so I changed its configuration to use Google's DNS, and things started working. I did a few other tests, and it seemed like the Firewalla was participating in the whole network correctly, except that I couldn't get to the things on my network side from the Internet side. The WiFi router should respond to Internet pings (required by tunnelbroker.net to allow me to use an IPv6 tunnel there), but it wouldn't respond.
I returned the connections to the waiting old edge router, and all the things returned to normal.
Since the Firewalla is configured correctly, I shut it down via the app, and will try again later. All the network play is frustrating the wife, who can't stream or work on her laptop without it, so I'll wait until tomorrow to try again, as she plans to be out most of the day. So I'm again at step 2 of scenario B on the help steps to change the router's IP address.