
Friday, September 15, 2017

Google Wifi Behind a Firewall


More specifically behind a FIOS firewall but really much of the information below applies to any firewall you might put Google Wifi behind. I’ll dig into what you need to know and how to make some key services work while buried in a double-NAT, double firewall deployment.
Google Wifi (gWifi) is a relatively new mesh networking solution from Google that has a simple goal: Provide stupid easy, crazy fast, blanketed wifi coverage for your entire house regardless of size. This is done via very small (4.17” diameter) but very aesthetically pleasing Wifi “Points”, as Google calls them, that you place in key areas of your home to provide coverage. One Wifi Point will act as primary and connect via a BaseT Ethernet cable to your existing modem or router. The other Points will connect to the primary wirelessly and expand the signal of a single Wireless LAN (WLAN). The gWifi solution operates on both the 2.4GHz and 5GHz bands but unlike most other wireless routers, gWifi enables seamless and automatic switching between the bands as required, using a single SSID. Every client available today is supported here: 802.11a/b/g/n/ac. No need to set up and manually switch between discrete SSIDs for each band. gWifi will place your device on the best possible band given its capabilities and proximity to the gWifi Points.
Easily one of the prettiest networking devices around
With the primary router cabled to the FIOS router, there is one additional switched Ethernet port available on that device and two ports available on each secondary mesh Point for wired Ethernet clients. Need more coverage? Add more gWifi Points. Unlike most routers there is no web interface to manage the system; you must use the gWifi app installed on your mobile device. The available features are intentionally limited to keep ease of use high, so those looking for advanced features like VPN may not find what they need here. Luckily, everything I need appears to be intact: custom DNS, DHCP reservations and port forwarding. Another important callout is that you cannot currently change the IP range that gWifi uses for DHCP assignment; it is and always will be 192.168.86.0/24. If this range is already in use on your network for some reason, gWifi will shift to 192.168.85.0/24. **Update - Google has now made it possible to change both the router LAN address and the DHCP pool range, so .86 is no longer required. If you don't care or don't have a good reason to change it, honestly, just leave the default.

General setup is fairly simple: Connect an Ethernet cable to the WAN port of your primary gWifi Point from the switch side of your modem or firewall and power on. Download the gWifi app to your phone or tablet, find the device and follow the prompts to configure. Additional Points are easily added through the setup process which will help to ensure ideal placement for maximum coverage. Connect your wireless clients to the new network like normal and you’re done. The rest of this post will dig into more advanced topics around presenting services connected to the gWifi network out to the internet, or to clients connected to the FIOS network.

View of my gWifi mesh network

Network Architecture

In Google’s Wifi documentation, the clearly preferred deployment model is the Google router connected directly to a broadband modem. This makes Google Wifi the primary router, AP and firewall of the house, brokering all connections to the internet. Well, what if you don’t have a cable modem because you have FIOS or a similar service? Or don’t really want gWifi as your barrier to the big bad web? In my particular case I use FIOS for internet access only; my TV service is provided via PlayStation Vue so I have no Set Top Boxes (STBs), and my phone service is provided by Ooma. For those of us with FIOS, the ONT box in the garage connects to a router inside the house; for speeds above 100 Mbps that connection is a Cat5e cable, for lower speeds it is coax. I’ve read that while it appears possible to replace the FIOS router with gWifi, results are mixed. In my view this should only be considered if you are an internet-only customer: if you have STBs it won’t work, as they need a coax connection to the router to complete the MoCA network. The easiest thing to do is simply leave the FIOS router in place as is and install the gWifi pieces behind it.
What this creates is two stateful firewalls, directly connected LAN to WAN, each with its own subnet, with the Google device having a leg in both networks. Leave DHCP enabled on the FIOS router to serve the clients directly connected via its Ethernet switch, including the WAN port of the Google router. There is no way currently to manually specify a static IP address for the gWifi router, so it must receive one via DHCP. **Update - you can now set a static IP for the WAN side of the primary gWifi router if you wish!
Important to note that the gWifi router can be put into bridge mode, thus making your FIOS router ‘primary’ but doing so will disable the mesh capabilities of the gWifi system. Only do this if you have a single gWifi router or knowingly want to disable mesh (why buy gWifi??).

The diagram below displays my home network and how I installed the gWifi system. The FIOS router is still my primary firewall and gateway to the internet, everything ultimately connects behind this device. I have a few devices that connect directly to the FIOS network and a 1Gb run that goes between floors that feeds the primary gWifi router from the FIOS router. The only device I have currently hard wired to the gWifi network is my media server (Plex/ NAS). This gives me 1Gb wired end to end from my PC to my NAS downstairs. All other devices like my PS4, Smart TVs, kid and Chromecast devices connect via wifi. The gWifi devices are depicted as G1, G2 and G3 below.


You’ll notice that the G1 router depicted above has two IP addresses: 192.168.1.22 on the WAN side and 192.168.86.1 on the LAN side. The .22 address was assigned via DHCP from the FIOS router, and I reserved it so the G1 device will always receive this IP. This matters because we will configure an upstream static route later that points at this address, so it must not change. The gWifi routers assign IPs to all clients they service directly, wired or wireless. The G2 and G3 routers simply serve as extensions of G1 and serve whichever clients connect to them by proximity. By default, any device attached to the FIOS network (192.168.1.0/24) has no knowledge of the .86 network, nor how to get to anything that lives there. So we have to tell the FIOS router how to find the .86 network if, for example, I ever want my PC to connect to file shares hosted by my NAS.

The main configuration activities I’ll cover here are:
  • Reserving IP addresses
  • Routing between networks
  • Port Forwarding key services
  • Configuring the Windows Firewall
  • Plex remote access

Reserving IP Addresses

In FIOS

First, find the IP assigned to the WAN side of the Google router via the gWifi app under Network Device Settings: Settings > Network & general > wifi points > [primary device]:

Login to the FIOS router and navigate to: Advanced > IP Address Distribution, then click the “Connection List” button. Find the gWifi WAN IP assignment in the connection list, click the pencil to edit and check the box to set the “Static Lease type”. This will ensure that the Google WAN port will always receive this IP.

In gWifi

Port forwarding rules can only be applied to reserved IP addresses, so reserve an address for any PC or server you intend to write rules for. To reserve the IP address assigned to a client on the gWifi network, open the app and navigate to: Network & general > Advanced networking > DHCP IP reservations and tap the green + button in the lower corner. Select the chosen device in the list and tap Next. The MAC address and type of device are displayed, along with the gWifi Point to which the device is attached. Accept the current IP assignment or change it to suit your needs and tap Next to save.

Routing

As the network exists right now, my PC can’t reach my media server on the .86 network because nothing on the .1 side knows how to get there. I could add a persistent route on my PC, which would solve the problem for that one machine, but the better option is a global routing rule on the FIOS router, which lets every client on the FIOS network reach hosts on the gWifi network. Let the router do its job: route traffic. The WAN port of the gWifi router is the gateway for any traffic destined to the .86 network; all traffic in or out of .86 passes through that port. So the routing rule needs to send all traffic from 192.168.1.0/24 destined for 192.168.86.0/24 to the next hop 192.168.1.22. The image below depicts the connection from my PC to the media server and the hops along the way:
On the FIOS router, navigate to Advanced > Routing and click the “New Route” link in red. Enter the pertinent details (destination 192.168.86.0, netmask 255.255.255.0, gateway 192.168.1.22) and click Apply. Traffic is now flowing in the right direction.
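As an added example (not from the original post), this is the per-PC alternative mentioned above, done from an elevated PowerShell on the Windows PC, followed by two checks that show which next hop Windows actually uses for the .86 network. The addresses for G1's WAN (192.168.1.22) and the gWifi LAN are the post's; the media server address 192.168.86.10 and the interface alias "Ethernet" are assumptions.

```powershell
# Added example, not part of the original post. Assumed values:
#   G1 WAN IP 192.168.1.22 (reserved on the FIOS router, as in the post)
#   media server 192.168.86.10 (assumed reserved address on the gWifi side)
#   PC interface alias "Ethernet" (assumed; check with Get-NetAdapter)
$GwifiWan    = '192.168.1.22'
$GwifiLan    = '192.168.86.0/24'
$MediaServer = '192.168.86.10'
$Iface       = 'Ethernet'

# Per-PC route: only needed if you did NOT add the global route on the FIOS
# router. New-NetRoute routes persist across reboots (like `route -p add`).
if (-not (Get-NetRoute -DestinationPrefix $GwifiLan -ErrorAction SilentlyContinue)) {
    New-NetRoute -DestinationPrefix $GwifiLan -NextHop $GwifiWan -InterfaceAlias $Iface | Out-Null
}

# Check 1: which route Windows selects for the media server. With the PC route
# above the next hop is 192.168.1.22; with only the FIOS router route it is the
# default gateway 192.168.1.1, which then relays to 192.168.1.22.
Find-NetRoute -RemoteIPAddress $MediaServer

# Check 2: the path hop by hop. Expect 192.168.1.1 (FIOS router) and then
# 192.168.1.22 (G1 WAN) before the server. Hops that do not answer ICMP show as
# 0.0.0.0; the comments on this post note that gWifi does not answer pings on
# its WAN port, so a blank hop there is not a routing problem by itself.
Test-NetConnection -ComputerName $MediaServer -TraceRoute |
    Select-Object -ExpandProperty TraceRoute
```

Remove the per-PC route again with Remove-NetRoute -DestinationPrefix 192.168.86.0/24 once the router-level route is in place, so there is only one place to maintain it.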


Port Forwarding

Every network-accessible service running on a PC or server listens for connections on a port that the application opens: a protocol (TCP or UDP) plus a port number, such as a web server listening on TCP 80. For my scenario there are three ports on the media server that I need to make reachable from my PC. Per the diagram below, TCP 445 = SMB (file services), TCP 3389 = RDP and TCP 32400 = Plex server. Anything on the gWifi network that you wish to expose to the internet must be port forwarded on both the gWifi and FIOS routers, unless it advertises itself as a UPnP (Universal Plug and Play) capable service that can open its own rule on the router, which gWifi allows. Plex is one of those services, so TCP 32400 is automatically opened through the gWifi router. Currently there is no way to view or control UPnP-configured rules in the gWifi app, so you could have a slew of ports opened and not even know it. The only option at the moment is to disable UPnP entirely in the gWifi app, and unless you have a device that genuinely needs it, that is the safer setting: create the few rules you need by hand instead, including a manual forward of TCP 32400 for Plex. Hopefully Google will fix this in the near future.

The other two ports are opened with manual port forwarding rules in the gWifi app. Navigate to: Network & general > Advanced networking > Port forwarding and tap the green + button. Choose the device to forward to; only devices with a reserved IP address are offered. Select TCP, UDP or both, and enter the internal and external ports; both are required. Tapping Done creates the rule and sets it active.
     

After this step all required rules are in place on both the FIOS and gWifi router and the media server is accessible from the FIOS network. The image below shows everything configured so far along with the traffic flow.
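Before trusting the diagram, verify it. The following added example (not from the original post) runs on a PC on the FIOS network and attempts a TCP handshake to each forwarded service, both at the media server's own address (reached via the static route) and at G1's WAN address (where the gWifi port forwards land). The media server address 192.168.86.10 is an assumption; the three ports are the ones the post forwards.

```powershell
# Added example, not part of the original post. Assumed: media server at
# 192.168.86.10 (reserved in gWifi); G1 WAN 192.168.1.22 is from the post.
$MediaServer = '192.168.86.10'
$GwifiWan    = '192.168.1.22'
$Services    = [ordered]@{ 445 = 'SMB'; 3389 = 'RDP'; 32400 = 'Plex' }

function Test-ForwardedPorts {
    param([string[]]$Targets, [System.Collections.IDictionary]$Ports)
    foreach ($target in $Targets) {
        foreach ($port in $Ports.Keys) {
            # -InformationLevel Quiet returns $true only if the TCP handshake completed.
            # A $false here means either no forward/route or a firewall on the server.
            $open = Test-NetConnection -ComputerName $target -Port $port `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{
                Target  = $target
                Port    = $port
                Service = $Ports[$port]
                State   = if ($open) { 'open' } else { 'closed/filtered' }
            }
        }
    }
}

Test-ForwardedPorts -Targets $MediaServer, $GwifiWan -Ports $Services | Format-Table -AutoSize
```

A port that shows open at 192.168.1.22 but closed at 192.168.86.10 (or the reverse) tells you which hop is doing the work: the gWifi port forward answers on G1's WAN address, while the direct address depends on the FIOS route plus gWifi letting the routed packet through. Anything closed at both is usually the Windows Firewall on the server, covered next.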


Windows Firewall

My media server is a Windows box, so any resource on it that you want reachable from the FIOS side (NAS shares, Plex) must also be allowed through the Windows Firewall. By default the Windows Firewall blocks all inbound connections unless a rule explicitly allows them. Create a new custom inbound rule on the PC or server allowing traffic whose remote address is the FIOS subnet, 192.168.1.0/24 (the subnet, not just the router’s own address 192.168.1.1). This treats all traffic sourced from the FIOS network as trusted, which is reasonable here because that whole segment already sits behind the FIOS router’s firewall to the internet, so you can safely forward hosts on the gWifi network to the inside of the FIOS network. The rule I describe allows all programs and all ports from that remote subnet; if you want to be more granular and only allow the specific ports you are exposing (TCP 445, 3389 and 32400), that is the better option. One caveat: a Plex remote-access connection forwarded in from the internet arrives with the remote client’s public source address, not a 192.168.1.x one, so this rule does not cover it. It relies instead on the rule the Plex installer normally registers for its own program, or on a rule you create for TCP 32400.
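The same rule, created with the built-in NetSecurity cmdlets from an elevated PowerShell on the media server. This is an added example, not from the original post; it shows the broad "everything from the FIOS subnet" rule the post describes next to the tighter port-scoped version, and then reads the rules back to confirm the remote-address scope actually applied. The rule display names are assumptions.

```powershell
# Added example, not part of the original post. Run elevated on the media server.
$FiosLan  = '192.168.1.0/24'            # remote-address scope from the post
$Ports    = 445, 3389, 32400            # SMB, RDP, Plex
$RulePrefix = 'FIOS LAN'                # assumed display-name prefix

# Broad rule as described in the post: any program, any port, but ONLY when the
# remote address is on the FIOS subnet. Inbound from anywhere else stays blocked.
New-NetFirewallRule -DisplayName "$RulePrefix - all ports" `
    -Direction Inbound -Action Allow -Profile Any `
    -RemoteAddress $FiosLan | Out-Null

# Tighter rule: only the three services actually forwarded from gWifi.
# Prefer this one; disable the broad rule once it is confirmed working.
New-NetFirewallRule -DisplayName "$RulePrefix - SMB RDP Plex" `
    -Direction Inbound -Action Allow -Profile Any `
    -Protocol TCP -LocalPort $Ports -RemoteAddress $FiosLan | Out-Null
Disable-NetFirewallRule -DisplayName "$RulePrefix - all ports"

# Read back: the address and port filters live in separate objects, so join
# them to see what the rule really matches. RemoteAddress must show the
# /24, not 'Any', or the rule is far wider than intended.
Get-NetFirewallRule -DisplayName "$RulePrefix*" | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        RemoteAddress = $addr.RemoteAddress
        Protocol      = $port.Protocol
        LocalPort     = ($port.LocalPort -join ',')
    }
} | Format-Table -AutoSize
```

Because DNAT at the FIOS and gWifi routers keeps the original source address, traffic from a PC on 192.168.1.0/24 matches these rules whether it arrives via the static route or via the port forward on 192.168.1.22; a Plex client on the internet does not, and needs Plex's own program rule.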



Plex Remote Access

One additional step is required if you want Plex remote access: a rule on the FIOS router that forwards a public port to TCP 32400 on the Plex server. Log into the FIOS router and navigate to Firewall Settings > Port Forwarding. Add a new rule and make sure to click the Advanced button. Enter the IP addresses, ports and dropdowns per the screenshot below: choose Specify IP, enter the IP address of the Plex server, and forward to port 32400. For the destination port, which is the one exposed to the internet, you can either pick your own number or match the random 5-digit port generated in the Plex settings. Either way, the public port must match between the Plex server’s remote access settings and the FIOS router rule. It’s probably best not to expose TCP 32400 itself to the internet: I don’t know of a Plex-specific exploit, but the service behind that port is well known, so best not to advertise what it is. Keep in mind that a non-standard port is only obscurity; a scanner that connects to it will still identify Plex from its response, so keep the server patched regardless.
 
Once the rule is in place and active, the Plex service should report as fully accessible. If the following dialog reports any issues, try specifying a manual public port and recreate the port forwarding rule on the FIOS router.

The diagram below depicts the remote access connection originating on the public internet, forwarding to the Plex service inside through both routers. Now your Plex server is accessible from anywhere on the internet. Remember that the public port can be any number you want.

Final Thoughts

Overall my experience with the gWifi system has been quite good. Elegant, unobtrusive, high performance and so simple. There’s a lot of high-end competition in the mesh wifi business right now and Google does a really good job, assuming you don’t require too many advanced features. Google also includes some decent performance testing tools in the gWifi app, so you can gauge the speed to the internet, the performance of individual wifi clients and the quality of the mesh links themselves, and figure out where any problems might lie.
   

You can view a device’s network consumption in real time and shut down any client you choose, or give that device network priority for up to 4 hours. Being able to group and schedule internet access for particular devices is especially useful as a parent. If you have Sonos in the house, make sure to set up all devices using Standard mode connected to the new gWifi network. Boost mode will still work if required, but keep all devices on the same network for ease of interoperability. It appears problematic to have a controller on the other side of a firewall from the Sonos devices, due to the number of ports and connections required.

15 comments:

  1. How does the PC access the sonos in this situation, is there also port forwards you set up for each sonos device? Additionally, how do clients connected to G1-G3 send traffic to the PC or some other device not on G1-G3. For instance, if your NAS device was connected directly to the FIOS device.

  2. Hi Anon, excellent questions! You highlight important scenarios here. In controlling Sonos from the PC example, that could work but you will need a ton of port forwarding rules to allow the various ports Sonos requires through the gWifi firewall, outlined here: https://sonos.custhelp.com/app/answers/detail/a_id/692/~/configuring-your-firewall-to-work-with-sonos
    After trying to get this to work for a bit, I just decided it wasn't worth the trouble and now control Sonos exclusively from mobile devices, which is fine honestly. If you decide to tackle this one, please come back here and let us know if you were successful.

    For the 2nd scenario you highlight, this works natively without any additional configuration. All traffic from .86 to .1 is outbound already, so any services listening on the .1 network, in this case RDP or SMB on PC or NAS, are readily available. The important point is that these connections have to be initiated from .86. There is currently no advanced filtering to allow active connections sourced in .1 to enter .86. But the gWifi router knows where to send connections to the .1 network so these requests will succeed.

    Thanks for stopping by!

    Peter

  3. Sounds good, thanks for the response! I have been debating between setting up Google Wifi in this manner or using it in bridged mode. I have read you lose certain features by implementing Google Wifi in bridge mode but I am not sure if that really matters.

    If I set it up in standard mode and end up passing through sonos related traffic, I will be sure to let you know.

    Replies
    1. Right, the biggest feature loss will be mesh mode since you have to put the primary router in bridge mode. I considered this too but now find the mesh capability far too valuable. Hard to believe now I was willing to accept poor coverage ANYWHERE with my previous single router setup... good luck!

  4. Fantastic description. I’m in the same exact scenario as you describe above. I just set my GWiFi up with Fios. Went Fios LAN to GW WAN, then set up the second mesh point. I then set a static IP for the Primary GW Mesh point. I then went into Advance Routing and set up the flow from Fios to the static IP of the GW. I do have one issue. I have MacBook Air on my GW network with a 192.168.86.x address. I can’t see an AirPrint printer on my Fios 192.168.1.x network. I thought after doing the steps in your write up devices would be able to see each other without issue. Also, my Google Home is on the Fios network and when firing up Google Home app on my iPhone attached to the GW network the Google Home app can’t find any devices I have set up with Google Home like my Sony receiver or TV. If I change the iPhone back to the Fios network WiFi, the Google Home app sees everything. I think I’m close, but might be missing something. Thanks.

    Patrick

  5. Can I connect a lan cable to one of the gwifi points and a gaming device so I can use wired internet on that gaming device?

    Replies
    1. Hi Larry (sorry for the delay), yes you can!

  6. wow! followed your directions and everything is working now! thanks!

  7. This is a really great article even in 2021, so thank you. Here's a question for you: I recently switched from FiOS Triple Play to Internet Only. I am about to upgrade my FiOS speed and want to avoid their new deluxe ($180/yr) super-router. My hope was to connect my first GW Puck (G1) in my basement directly to the ONT ethernet cable, then also connect a switch to the G1 that connects to a few hardwired PCs in the house that don't have WiFi. Then all other WiFi devices would connect to Pucks G2-G4. Can I do that and if so, will G1 be a sufficient firewall for all devices, not just WiFi based ones? Thanks! JB

    Replies
    1. Hi JB, sorry for the delayed response. I'm curious if you tried this and if it worked. Assuming there are no WAN protocol limitations or deficiencies on the gRouter, you would just need FIOS approval/ authorization to add it to their network. There are also new laws in place that prevent an ISP from charging forever for a router like this, you might just look into buying it outright if you can. To answer your question on the firewall, absolutely G1 could do that assuming the features provided are good enough for you. The only limitation there would be the number of switched ports coming out of G1 but that could be resolved by adding a small external switch, if required.

  8. I've been looking for a thorough guide like this for a while. Really appreciate the work. I just got a pfsense firewall and am facing the many reported challenges of the double NAT with gwifi. Your guide squashes all of the complaints I've read. Many thanks!

  9. Great article. I do have a question though. Could we not setup 192.168.1.22 as DMZ address in the FIOS router and then avoid having to configure all those port forwarding rules? Would that work or is there any other way to avoid having to deal with all the port forwarding? Since G1 sits on the internal home network I don't see the advantage of the second firewall.

    Replies
    1. Thanks and great question. To my knowledge, the only way to get around double NAT through 2 firewalls would be to make the gWifi router your primary device facing the internet, no ISP router/ firewall, assuming you have Ethernet egress and can do that with your service. Doing what you're suggesting here, putting gWifi in DMZ mode by the ISP router, would work, but gWifi is still a NATing firewall and anything you would want to publish publicly would still need to be forwarded out from the private google network. The 2 firewall situation isn't really an advantage per se, more of a situational solution, although my ISP router has far more advanced logging and configuration options vs the gWifi. It also provides me a way to direct connect devices to bypass the google mesh entirely which I like.

  10. I'd like to add another bit of information to this otherwise excellent article. Devices behind the gWifi are not pingable even after the static route is correctly set up. gWifi does not respond to ICMP pings on the WAN port and there is no option to enable it.
