Network Setup Guide · Firewalla + Google Wifi

Running Firewalla Gold SE behind a Google Wifi mesh

The complete, battle-tested guide to getting Firewalla's full protection over a Google Wifi or Nest Wifi mesh system — without a managed switch.

Written from a live installation · March 2026 · ~20 min read

Background · Why this is tricky

The ideal way to put a security firewall like Firewalla in front of a mesh WiFi system is to configure the mesh in Access Point (AP) or Bridge mode — let Firewalla handle all routing and DHCP, and demote the mesh to a dumb radio tower. This works perfectly with most mesh systems.

Google Wifi and Nest Wifi cannot do this. Google's mesh protocol requires the primary unit to act as a router. When you enable mesh mode, bridge/AP mode is disabled. There is no workaround for this at the Google level.

The solution is a multi-subnet architecture: Firewalla handles all client devices on one subnet, while Google Wifi's mesh protocol runs on a second, isolated subnet. The two networks are connected such that all internet traffic flows through Firewalla first, giving you full visibility and protection over every device.

Good news

You do not need a managed switch for this. The official Firewalla guide for Gold Series lists a managed switch as required only for the Purple. The Gold SE's multiple physical ports make it possible with a simple passive/unmanaged switch.

01 · Hardware & prerequisites

This guide is written for the following hardware. It applies to any combination of Google Wifi and Nest Wifi units.

| Device | Role | Notes |
|---|---|---|
| Firewalla Gold SE | Main router / firewall | 4 ports: 2× 2.5G, 2× 1G |
| Google Wifi primary unit (NLS-1304-25) | Mesh router / WiFi | 2 ports: WAN + LAN |
| Google Wifi Points (AC-1304 or NLS-1304-25) | Mesh access points | When used as Points, both ports act as LAN |
| Unmanaged switch | Connects wired devices | Any brand; TP-Link TL-SG1016D works well |
| Fiber/cable ONT | ISP connection | Ethernet hand-off |

Before starting, do a factory reset of your Google Wifi system and set it up fresh using the Google Home app. This avoids any legacy IP conflicts.

02 · Network architecture

The finished network uses three distinct IP ranges:

┌──────────────────────────────────────────────────────┐
│                       INTERNET                       │
└──────────────────────────┬───────────────────────────┘
                ┌──────────▼──────────┐
                │  Firewalla Gold SE  │
                │ Port 4 ← WAN (ONT)  │
                │ Port 1 ← LAN (main) │
                │ Port 3 ← Google WAN │
                └─────┬─────────┬─────┘
         ┌────────────┘         └────────────┐
┌────────▼────────┐               ┌──────────▼──────────┐
│ Passive Switch  │               │ Google Wifi Primary │
│ 192.168.151.x   │               │ WAN:  192.168.200.2 │
└────────┬────────┘               │ mesh: 192.168.86.x  │
   Wired devices                  └──────────┬──────────┘
  TVs, PCs, etc.                     Mesh Points (×4)
   192.168.151.x                      192.168.86.2–.5

(WiFi clients get 192.168.151.x from Firewalla via relay)

| Subnet | Range | Purpose | DHCP server |
|---|---|---|---|
| Main LAN | 192.168.151.0/24 | All client devices (wired + WiFi) | Firewalla Port 1 |
| Google WAN | 192.168.200.0/30 | Link between Firewalla and Google primary's WAN port only | Firewalla Port 3 |
| Google Mesh | 192.168.86.0/24 | Internal mesh Points only — no client devices | Google primary |

Why /30 for the Google WAN subnet?

A /30 subnet provides exactly 2 usable IP addresses — one for the Firewalla gateway (.1) and one for the Google router's WAN port (.2). This minimizes the chance of any other device accidentally getting an IP on this subnet. The DHCP pool is set to .2–.3 (2 addresses), but only the Google router will ever connect here.
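
An added example, not part of the original guide: a Python check of this addressing plan using the standard `ipaddress` module. It confirms the three subnets do not overlap and counts how many addresses in each DHCP pool a host can validly hold; on the /30, .3 is the broadcast address, so the .2–.3 pool yields a single lease (.2). The `PLAN` dictionary, function name and finding labels are constructed for this illustration.

```python
import ipaddress as ip
from itertools import combinations

# Addressing plan copied from this guide: gateway/prefix, DHCP pool start, end.
PLAN = {
    "Main LAN":    ("192.168.151.1/24", "192.168.151.2", "192.168.151.254"),
    "Google WAN":  ("192.168.200.1/30", "192.168.200.2", "192.168.200.3"),
    "Google Mesh": ("192.168.86.1/24",  "192.168.86.2",  "192.168.86.5"),
}

def audit_plan(plan):
    """Return (leasable, findings): usable pool size per subnet and a list of
    (subnet, issue) tuples describing anything that needs attention."""
    leasable, findings, nets = {}, [], {}
    for name, (gw_cidr, start, end) in plan.items():
        iface = ip.ip_interface(gw_cidr)
        net = nets[name] = iface.network
        lo, hi = ip.ip_address(start), ip.ip_address(end)
        pool = [ip.ip_address(i) for i in range(int(lo), int(hi) + 1)]
        if not pool:
            findings.append((name, "empty-pool"))
        if any(a not in net for a in pool):
            findings.append((name, "pool-outside-subnet"))
        if iface.ip in pool:
            findings.append((name, "gateway-inside-pool"))
        if net.broadcast_address in pool or net.network_address in pool:
            # Network and broadcast addresses are not assignable to hosts.
            findings.append((name, "pool-includes-reserved-address"))
        usable = set(net.hosts()) - {iface.ip}
        leasable[name] = len(usable.intersection(pool))
    # No two subnets may share address space, or routing becomes ambiguous.
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            findings.append((f"{a}/{b}", "subnets-overlap"))
    return leasable, findings

if __name__ == "__main__":
    leasable, findings = audit_plan(PLAN)
    for name, count in leasable.items():
        print(f"{name:12} {count:3} leasable address(es)")
    for where, issue in findings:
        print(f"NOTE {where}: {issue}")
```
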

03 · Step 1: Configure Firewalla ports

Open the Firewalla app. Go to Network Manager.

Port 4 — WAN

This should already be set as your WAN (internet) port from initial setup. Connect your ONT/modem here. No changes needed.

Port 3 — Google WAN subnet

  1. Tap Port 3 → Create new network
  2. Type: Local Network
  3. IP address: 192.168.200.1
  4. Subnet: /30 (or 255.255.255.252)
  5. Enable DHCP: Yes
  6. DHCP pool: Start 192.168.200.2, End 192.168.200.3

Important

Do not set the DHCP pool end to .2 only (a single address). Firewalla will reject this with a "DHCP invalid" error. Set it to .2–.3. Only the Google router's WAN port will ever connect to Port 3, so the extra address is harmless.

Port 1 — Main LAN

  1. Tap Port 1 → Create new network (or edit if it exists)
  2. Type: LAN
  3. IP address: 192.168.151.1
  4. Subnet: /24
  5. Enable DHCP: Yes
  6. DHCP pool: 192.168.151.2–192.168.151.254

Port 2 (optional)

Include Port 2 in LAN 1 if you want an extra ethernet port available on the Firewalla side. This is optional — you can leave it unassigned.

04 · Step 2: Limit Google Wifi's DHCP pool

This is the most important and least-obvious step. By default, Google Wifi assigns 192.168.86.x addresses to every device that connects — including your client devices (phones, laptops, TVs). You need to restrict this pool so it only has enough addresses for the mesh Points themselves, forcing all client devices to get IPs from Firewalla instead.

  1. Open the Google Home app
  2. Go to Wifi → Settings → Advanced networking → DHCP IP reservations (path varies slightly by app version — look for DHCP settings)
  3. Set the DHCP pool range to exactly cover your Points:
    Start: 192.168.86.2
    End: 192.168.86.5 (for 4 Points; use .6 for 5 Points, etc.)
  4. Save and allow the mesh to restart

Pro tip from the community

Temporarily change your WiFi password while doing this initial setup. This prevents phones and laptops from connecting to the mesh and grabbing one of the 4 reserved IPs before a Point can. Change it back once all Points show 192.168.86.2–.5 in the Google Home app.

05 · Step 3: Physical cabling

ONT/Modem        ──→ Firewalla Port 4 (WAN)
Firewalla Port 3 ──→ Google Wifi primary WAN port (the port marked with a globe icon)
Firewalla Port 1 ──→ Passive Switch (main LAN: all wired devices + wired Points)
Passive Switch   ──→ Wired Google Points (Living Room, Bedroom, etc.)
Passive Switch   ──→ Other wired devices (TVs, computers, etc.)
Remaining Points ──→ Wireless mesh backhaul (no cable needed)

Critical: Google primary's WAN port, not LAN

The Google Wifi primary unit has two ports. The WAN port (marked with a globe/circle icon on older units, or labeled WAN) must connect to Firewalla Port 3. If you plug into the wrong port, Google will try to act as an upstream router and nothing will work correctly.

Wired vs. wireless Points

Wired Points (connected via ethernet to the passive switch) get faster, more reliable backhaul. Wireless Points use the WiFi signal for backhaul. Both types work fine in this setup. For best performance, wire as many Points as practical.

Note on Google Point ports

When a Google Wifi unit is operating as a Point (not the primary), both ethernet ports act as LAN ports — there is no WAN port. Plug it into the passive switch using either port.

06 · Step 4: Fix mesh Points getting wrong IPs

After cabling up, power everything on. You'll likely find that some or all of your mesh Points have grabbed 192.168.151.x addresses from Firewalla, instead of 192.168.86.x from Google. This happens because the Points' ethernet ports are connected to Firewalla's switch and Firewalla answers their DHCP requests first.

Fix this for each affected Point:

  1. In the Firewalla app, go to Devices
  2. Find the Point (it may show as "Google Wifi" or by its MAC address)
  3. Tap the device → IP Address
  4. Select "Do not allocate" — this tells Firewalla to stop offering this device a DHCP lease
  5. Unplug the Point's ethernet cable, wait 10 seconds, plug back in (or reboot it from the Google Home app)
  6. The Point will now request an IP from Google's DHCP server and receive a 192.168.86.x address
  7. Repeat for each Point that had a wrong IP

How to identify which devices are Points

In the Firewalla app under Devices, look for devices with Google or AzureWave as the manufacturer (AzureWave makes the WiFi chips inside Google Wifi units). You can also cross-reference with MAC addresses shown in the Google Home app.

07 · Step 5: Verify the network

Once cabling and configuration are done, run through this checklist:

| Check | Expected result | How to verify |
|---|---|---|
| Your phone's IP address | 192.168.151.x | Phone WiFi settings or Firewalla Devices list |
| Google primary's WAN IP | 192.168.200.2 | Google Home app → Wifi → Settings |
| Each mesh Point's IP | 192.168.86.2–.5 | Google Home app → each Point's details |
| Internet on wired devices | Working | Browser test |
| Internet in all WiFi zones | Working | Walk the house and test |
| Firewalla Devices list | Shows all your devices with 151.x IPs | Firewalla app → Devices |
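
The address checks in this checklist can also be run over a device list copied from the two apps. This added example (not part of the original guide) flags any device whose address is on the wrong subnet for its role, which matters because a client that is not on 192.168.151.x is not getting its address from Firewalla. The role names, `SAMPLE` inventory and hint strings are constructed for illustration.

```python
import ipaddress as ip

# Subnets from this guide, and the subnet each device role is meant to sit on.
SUBNETS = {
    "main":       ip.ip_network("192.168.151.0/24"),
    "google_wan": ip.ip_network("192.168.200.0/30"),
    "mesh":       ip.ip_network("192.168.86.0/24"),
}
EXPECTED = {"client": "main", "point": "mesh", "primary_wan": "google_wan"}
MESH_POOL = (ip.ip_address("192.168.86.2"), ip.ip_address("192.168.86.5"))
# Remediation hints paraphrased from the guide, keyed by (role, subnet found).
HINTS = {
    ("point", "main"): "set 'Do not allocate' in Firewalla, then replug the Point",
    ("client", "mesh"): "check it is not wired to the Google primary's LAN port",
    ("client", "google_wan"): "set 'Do not allocate' on that network, then reboot",
}

def locate(addr):
    """Name of the guide subnet that contains addr, or 'unknown'."""
    return next((n for n, net in SUBNETS.items() if addr in net), "unknown")

def audit_devices(devices):
    """devices: iterable of (name, role, ip string). Returns misplaced devices
    as (name, subnet_found, hint) tuples, in input order."""
    problems = []
    for name, role, raw in devices:
        addr = ip.ip_address(raw)
        found, want = locate(addr), EXPECTED[role]
        if found != want:
            problems.append((name, found, HINTS.get((role, found), "investigate")))
        elif role == "point" and not MESH_POOL[0] <= addr <= MESH_POOL[1]:
            problems.append((name, found, "Point outside the restricted .2–.5 pool"))
    return problems

# Constructed inventory, as if copied from the Firewalla and Google Home apps.
SAMPLE = [
    ("phone",          "client",      "192.168.151.23"),
    ("living-room-tv", "client",      "192.168.86.4"),
    ("point-bedroom",  "point",       "192.168.151.40"),
    ("point-office",   "point",       "192.168.86.3"),
    ("google-primary", "primary_wan", "192.168.200.2"),
]

if __name__ == "__main__":
    for name, found, hint in audit_devices(SAMPLE):
        print(f"{name}: on {found} subnet -> {hint}")
```
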

The "Points offline" warning — ignore it

The Google Home app will likely show your mesh Points as offline, even though WiFi is working perfectly throughout the house. This is a known cosmetic side-effect of having Google Wifi behind another router. Google's cloud-based status check can't reach the Points directly in this configuration.

The network is fine. Verify by checking that devices connect and get internet in every room — that is the real test, not the Google Home app's status screen.

Red pulsing light on Google primary

If the Google Wifi primary unit shows a red pulsing light after you connect everything, it almost always means the WAN IP hasn't been assigned yet. Try rebooting only the Google Wifi primary (not Firewalla). Give it 2 minutes to request a new DHCP lease from Firewalla Port 3. It should turn solid white. If the light stays red but WiFi devices have internet, the network is working — the light is Google's way of saying it can't reach Google's own servers to verify connectivity, which can happen behind certain firewalls.

08 · Step 6: Parental controls

One of Firewalla's strongest features is per-device or per-profile parental controls. Because all client devices (including those on WiFi) get their IPs from Firewalla, every device is fully visible and manageable.

Create a family profile

  1. Firewalla app → Family → Add Member
  2. Name the profile (e.g. your child's name)
  3. Assign all of your child's devices to this profile (phone, tablet, laptop)

Recommended settings

| Feature | Setting | Effect |
|---|---|---|
| Safe Search | ON | Forces safe search on Google, Bing, YouTube |
| Family Protect | ON | Blocks adult content, malware, phishing |
| Apps & Services | Block: YouTube, TikTok, Instagram, Snapchat, Discord | Blocks at DNS level, affects all devices in profile |
| VPN apps | Block all VPN services | Prevents tunneling around filters |
| Schedule | Bedtime rules (e.g. block 10pm–7am weekdays) | Cuts internet on schedule |
| Pause | On-demand button | Instantly cuts internet for the profile |

Defeating MAC randomization

Modern iPhones and Android devices use MAC address randomization by default, which means a device can appear as "unknown" or "new" to Firewalla every time it connects, evading assigned controls. Disable this on your child's device:

09 · Step 7: New device quarantine

New device quarantine automatically blocks internet access for any unknown device that joins your network, and sends you a push notification. This catches unauthorized devices — a friend's phone, a game console your child sneaked in, or an unknown device.

  1. Firewalla app → main screen → tap "+"
  2. Find New Device Quarantine → toggle ON
  3. A "Quarantine Group" is created with pre-built internet-blocking rules

When a new device joins, you'll get a notification. To release it: open the notification → swipe left on the device → Leave Group. Then immediately assign it to the right group (Kids, IoT, Personal, etc.).

Strongest protection: change the WiFi password

The most effective way to prevent unauthorized devices from joining is to use a WiFi password that your child doesn't know. This combines well with quarantine — even if they somehow learn the password, the device is still blocked until you approve it.

10 · Common gotchas & pitfalls

⚠ Pitfall: Wired devices on the passive switch getting 86.x IPs

If you see a wired device (TV, computer) with a 192.168.86.x address, it's connected to something on Google's subnet — possibly wired directly to the Google primary's LAN port instead of the passive switch. Verify that the passive switch is connected only to Firewalla Port 1, not to the Google Wifi primary's LAN port.

⚠ Pitfall: Chromecast or AzureWave device on wrong subnet

Chromecasts use AzureWave WiFi chips, so they may appear in Firewalla with an unfamiliar manufacturer name. If a Chromecast ends up on 192.168.200.x (the Google WAN subnet), set it to "Do not allocate" in Firewalla for that network, then reboot it so it joins the main 192.168.151.x network.

⚠ Pitfall: Casting / AirPlay not working across subnets

If you have devices on different Firewalla networks (e.g. a guest network), casting protocols like Chromecast and AirPlay may not work because they use mDNS, which doesn't cross subnet boundaries. Enable mDNS bridging in Firewalla between the relevant networks, or keep all casting devices on the same subnet.

⚠ Pitfall: DHCP pool rejection error on Port 3

Firewalla will reject a DHCP pool where start and end are the same address. If you try to set the Port 3 DHCP pool to .2–.2 (single address), you'll get a validation error. Set it to .2–.3 instead — both are in the /30 subnet and the extra address causes no problems.

✓ Tip: Disable monitoring on mesh Point devices in Firewalla

If you experience slow connectivity or strange behaviour, try disabling "Monitoring" for the mesh Point devices in Firewalla (Devices → Point → toggle off monitoring). Firewalla monitoring of the Points themselves is redundant — what matters is monitoring the client devices that connect through them, which continues to work regardless.

✓ Tip: my.firewalla.com shows "box unreachable"

The Firewalla web interface at my.firewalla.com communicates via AWS cloud relay. It can intermittently show "unreachable" even when the mobile app works fine. Try a different browser (Safari has known compatibility issues; Chrome or Firefox work better) or wait a few minutes. For diagnostics, try diag.firewalla.com.

11 · Known limitations of this setup

This setup works well, but you give up some things compared to running a mesh system that supports true AP mode:

Looking ahead

If you eventually want to eliminate the Google Wifi entirely, Firewalla now makes their own WiFi access points (AP7) that integrate natively with the Gold SE. These support true AP mode with Firewalla managing all routing and DHCP, with none of the complications described in this guide.


Appendix · Reference: IP addressing summary

# Firewalla Gold SE port assignments
Port 4  WAN         ← Fiber ONT
Port 3  192.168.200.1/30  ← Google Wifi primary WAN port
          DHCP pool: .2–.3
Port 1  192.168.151.1/24  ← Passive switch → wired devices
          DHCP pool: .2–.254

# Google Wifi internal mesh
Primary WAN  192.168.200.2    (assigned by Firewalla)
Primary LAN  192.168.86.1     (Google's own gateway)
Points       192.168.86.2–.5  (4 Points; expand for more)
DHCP pool    192.168.86.2–.5  (restricted: Points only)

# All client devices (phones, laptops, TVs)
IP range     192.168.151.x    (from Firewalla)
Gateway      192.168.151.1    (Firewalla Port 1)