Firewalla Attempts Again
I'm going to give it one more morning of effort.
I can get the thing to connect, and even to route traffic to the WiFi and servers. But I can't do it in a way where I can get its management app to make configuration changes.
A quick reminder of what I'm trying to do:
{ Internet } == [ ISP 10.0.0.133/30 ]
  = [ 10.0.0.134/30 EDGE 10.1.1.129/29 ]
      -+- [ 10.1.1.134/29 Server ]
       +- [ 10.1.1.133/29 Server ]
       +- [ 10.1.1.130/29 WiFi 192.168.1.1/24 ] - { LAN }
In this case, I'm replacing the repurposed WiFi router with the Firewalla, labeled EDGE in the diagram. I spread it out a little from the previous, because I realized it's a bit wide for the article view. Remember, I'm using real static IPs, but these obfuscated addresses work just the same.
Last night I reset the Firewalla and shut it down using the app. I had already unplugged all of the network cables, restoring Internet using the old router I'm trying to replace.
This morning, I powered on the Firewalla and plugged in the ISP/WAN and WiFi(->LAN) cables, into ports 4 and 1 respectively. I disconnected my phone from the WiFi and fired up its hotspot. I connected my iPad to my phone's hotspot. I prepped the phone to display the Firewalla barcode (handy tip from the website, which should really either be a second sticker they provide, or a hint they give in the install docs...so inconvenient to have to flip the router over to view it). I fired up the Firewalla app on my iPad instead of the phone, so I could use the paired keyboard and leverage the larger screen.
The app greeted me with an empty display, as the reset removed the previously configured box. I bonked the [+] button (which should really be a real button), and started the installation (again).
It reminded me to plug in the Firewalla. Check. It thought for a few moments as it sought the Firewalla via Bluetooth. I knew it would find it, because the iPad already connected to it, as it's done it before. It prompted me to scan the barcode, so I waved the image on the phone in front of the camera, and it moved on.
Here's where the installer becomes inconsistent, and where I wish it had any kind of "let me provide information" before it starts. It sometimes pops up a "define your ISP connection" selection, including DHCP, Static IP, PPPoE, and a couple others. More often, it dives in and tries to get DHCP. Through this exercise, I've learned my ISP offers DHCP, as well as my static IP. I guess that's handy, but it's getting in my way. Today, it skipped the prompt and dove right in with a DHCP connection.
This usually completes without trouble, and it did again today. However, it's now using the wrong IP address, and it's also randomized a LAN subnet to use.
So I did what I've done a dozen times by now. On the Firewalla app on my iPad, I bonk the Network icon and see the two default networks. I pick the one labeled "ISP 1" and then select to edit it. I enter the correct IP details, turn off IPv6, add some DNS servers, and change the MAC address to the one my ISP expects. It balks (sometimes) at the disabling of IPv6, because it's also turned on for the LAN, so I edit that and turn it off also. I then save the configuration. It thinks a bit, seems happy, but says the Internet isn't there. I run the offered diagnostics, and everything passes. I wait a little while, and the Internet gets recognized, and the warning disappears.
I press on, and edit the LAN. Here I change its IP to the subnet I need, and (now) turn off DHCP. All of the things that plug into it will use static IPs anyway. I save the edits, and it thinks for a bit.
At the app's main screen, it spins a "refreshing" wheel at the top for a bit, but comes back with a "last updated" time a bunch of minutes in the past. This will again never change, and is the beginning of my thinking that all is not well. I also notice that if I go into the gear icon, it tells me the IP address is the one it received from the DHCP, and not the one I set it to in the edit.
This is a bit I get wrong sometimes. I know I need to turn off the inbound firewall for the servers to get their necessaries. At least until I figure out how to make proper inbound firewall rules. And I need to turn off NAT. What I need to do is do these things before I change the addressing. The most successful attempt I've had was when I did this first, then changed the addresses. Even in that event, once the WAN IP changed, the app became inconsistent.
So, those are the same steps, more or less, that I've been doing all of my attempts over the last few days. Now I'm going to reset the box and try something a little different.
This is getting long. I'm going to start another post to track my madness.