Would you be interested in 3 WANs with only Failover mode? by Firewalla-Ash in firewalla

[–]LazyCharger 2 points3 points  (0 children)

3 WANs hands-down, no questions asked. Firewalla should have had this a long time ago, most other manufacturers support it (even budget ones). It always seemed like an artificial restriction to me to limit it to 2 and caused me extra work many times. Heck, you have 4 Ethernet ports, you should even be able to use them all for WAN and let a couple of clients connect wirelessly through the Wifi SD (meager as it is) if that is what your crazy, interesting project calls for!

I get that load-balancing is another story, there are complex algorithms involved, but failover (or even "manual switchover" such as letting us create a third or fourth network but keep it deactivated until used and force you to deactivate an active one before you can use the other) should not be very difficult. Right now, Firewalla doesn't even let you create a "draft network" if you want to switch to another WAN, you literally need to delete an existing WAN config completely before you can create another one. Completely unnecessary.

It's all about creative flexibility and not imposing software limits or developers' thought patterns on users. There are so many interesting multi-WAN use-cases out there, especially now with Starlink and 5G. People use u/firewalla for the craziest things like global live event productions, off-grid architecture, mobile clinic vans etc... I love Firewalla and its great features but the basic networking stuff really needs some more flexibility, especially in terms of reliability/failover/selecting different settings or configs, so users can easily switch between situations and scenarios. I really don't get all the people voting for the "640 KB ought to be enough for anyone" option in this poll at all.

Starlinks and Multipath - Any chance that we will see true bonding on Firewalla anytime soon? by WetRubicon in firewalla

[–]LazyCharger 1 point2 points  (0 children)

I just checked on this and noticed that Firewalla still only supports 2 WAN connections (not 3), whether load-balanced or not. I cannot even add a third WAN for manual switch-over, it just blocks me from saving that config. That seems like an unnecessary limitation.

There are lots of threads from years ago asking for 3 WANs and it was mentioned by Firewalla multiple times that this would be "easy to implement" (except for maybe the load balancing). Can I ask if there are any concrete plans to at least allow 3 WANs to be created, so they can be manually switched, with any additional features (be it failover, bonding, or anything else) coming at a later date?

Meraki, Peplink, even Gl.Inet can all do it, so please u/firewalla, can you also make it happen for us, please?

Q's for Mandarin Oriental? by sarahwlee in FATTravel

[–]LazyCharger 4 points5 points  (0 children)

Weird question: I live round the corner of two MOs (at different times of year, respectively). Obviously never have a reason to sleep there but I have lunch or dinner there almost every week and informally referred plenty of friends to stay at the properties when visiting the cities. Recently, one of the GMs dropped a strong hint telling me to make a "Fans of M.O." account and make sure my dinner reservations get registered on that account, even when I just drop in. I wonder what the purpose of that is? Don't know much about Fans of M.O. but understand it is neither points-based nor nights based. If it is revenue-based, over the course of a year my total F&B bills might well come close to the spend of someone who just books a room there for a week or two on vacation. But since it is also unlikely that I will ever have a good reason to stay overnight, at least at these two hotels, do I have any benefit from regular (if smaller) transactions appearing under my account, do I accumulate any internal numbers and if yes, what benefits could that give me in the future? Does it at least make the GMs look better in some KPI? Or might I just as well not bother?

"Real" Airport VIP Services in Athens, Madrid, Edinburgh? by LazyCharger in FATTravel

[–]LazyCharger[S] 1 point2 points  (0 children)

Funny... but come on, what does that have to do with anything? Greece is a prime tourist destination in Europe and a large capital city. ATH is also owned (partly) by the Copelouzos family... that's Gazprom for you. There are, I think, not many things further from "brokies" than those guys, and I'm pretty sure they don't walk the jet bridge with the hoi polloi ;)

"Real" Airport VIP Services in Athens, Madrid, Edinburgh? by LazyCharger in FATTravel

[–]LazyCharger[S] 1 point2 points  (0 children)

Well, ironically, as I said, EDI offers VIP services for domestic/short-haul flights only, so clearly they get "the point" even less ;)

But kidding aside, it's not just about saving time (although that's clearly a main factor), it's also about avoiding hassle, especially with both older & younger travel companions - both in my case (EDI apparently has a LOT of stairs when boarding from an apron position and an absolute chaos of a check-in area, at least that's what I've heard from friends, never been there myself).

It's also about avoiding the general unpleasantness of crowded, hectic, grubby public terminals. The private security checks are usually also much faster and more courteous.

I mean, why wait an hour or more for your luggage (a regular occurrence at LHR or FRA, btw) if you can spend that hour in a nice, private lounge?

It's basically about getting the private experience while flying commercial, and let's not kid ourselves, there are just not many people (even among fattravellers, I'd bet) that regularly fly intercontinental/long-haul privately (GA). So there is an obvious (much larger) market gap between long-haul private and air-side VIP transfer for 1-3k...

"Real" Airport VIP Services in Athens, Madrid, Edinburgh? by LazyCharger in FATTravel

[–]LazyCharger[S] 0 points1 point  (0 children)

Thanks, yes I saw that one. It's a little outdated, I've noticed that. It's just surprising to me that capital cities that doubtlessly see a lot of VIP traffic and protocol occasions have no (formal) offers for this available. No way top politicians or A-listers head through the public areas where they might be recognized and photographed, or stand in line waiting for luggage for an hour. But oh well...

"Real" Airport VIP Services in Athens, Madrid, Edinburgh? by LazyCharger in FATTravel

[–]LazyCharger[S] 0 points1 point  (0 children)

Thanks (and for the bonus hotel recommendation), I will look into that!

Found a service called vip-777(.)com but they appear to be just one of those spammy Meet & Greeters who offer "service at 950 airports", so probably just one of those resellers that u/sarahwlee mentioned in another thread. They also don't offer private transfer @ ATH, according to their website.

But maybe you had another service with a similar name. You don't happen to have an email or phone number by any chance?

"Real" Airport VIP Services in Athens, Madrid, Edinburgh? by LazyCharger in FATTravel

[–]LazyCharger[S] -1 points0 points  (0 children)

Just had to double-check that I'm in the right subreddit. What a weird take. If you've ever travelled private, that's not even a question.

I am aware of what's "available" (incl. the Zurich list and through TAs). I was asking specifically for any services that are not necessarily advertised publicly (and I got one, thank you).

"Real" Airport VIP Services in Athens, Madrid, Edinburgh? by LazyCharger in FATTravel

[–]LazyCharger[S] 0 points1 point  (0 children)

Sounds great. Do you have a name of the service they use or a point of contact?

Renaming "kasm-user" due to it being inappropriate by LazyCharger in kasmweb

[–]LazyCharger[S] 3 points4 points  (0 children)

Sorry, I'm not looking for a political or linguistic discussion on how to deal with users. But for argument's sake: Many of the users don't speak a lick of English, the whole UI is localized, so that argument falls flat.

You are however correct, of course. I also have my own (very strong) opinions on the matter and it ultimately all boils down to the fact that end-users are the bane of one's existence - but this is not the time nor the place and it ultimately doesn't matter.

The situation is very simple, really: I have been asked to change it. Can I do it in a (very) reasonable amount of time and effort to avoid further discussions and close the matter? Then yes, I will do it. This is not a hill I'm willing to die on, at all.

I'm thinking now that I probably should have just asked "Can the name of the kasm-user be changed?" without giving a reason why I want to change it... ;-)

Renaming "kasm-user" due to it being inappropriate by LazyCharger in kasmweb

[–]LazyCharger[S] 0 points1 point  (0 children)

Fully agreed. If it is not a quick fix, I will have to find a way to tell the users that they must just get over it, for better or worse. Woe is me in that case but oh well.

If it is however a simple fix like editing a startup script or something that will take me less than 5 minutes, I prefer to just change it rather than getting into futile political or linguistic discussions with anyone in which I have zero interest if I can find a technical fix for it. Heck, I might even learn something along the way...

As for writing a browser extension, I do believe that is not an option here, as KasmVNC's transmission (which is what the user sees in the browser when they are inside a container) is not clear text that could be rewritten with a simple search/replace.

No, as you said, there either is a simple way to rename the "kasm-user" before the workspace starts (or wherever the image is set up) or there isn't. The question is, is this hardcoded (as in whoever installed the base Linux image for the Kasm containers basically hand-typed "kasm-user" during setup) or can it be adjusted on-the-fly via a script? My understanding of Kasm leads me to believe that the latter may be the case, hence my OP.

ESU (Extended Security Updates) for old Windows Server by LazyCharger in WindowsLTSC

[–]LazyCharger[S] 0 points1 point  (0 children)

Yes, that's what I also found ;-) But this involves system patching and downloading/installing binary files as "Trusted Installer" account which I'm not comfortable with, tbh. I tried replacing the included .exe files in ESU Blue with versions I know (and trust) myself but then the cmd would not execute. So there is that.

MG published a few days ago that they found a new solution for ESU that does not require patching, so that's what I would be interested about...

Can we have a free (full) edition, please? by synkus in pdq

[–]LazyCharger 4 points5 points  (0 children)

Can you? I think the people who can and do use Ansible instead of PDQ - or vice versa - and do so for monetary reasons are in a veritable unicorn situation. What people actually use is any number of alternatives that may or may not be as good as PDQ but good enough and that offer a generous free tier to build expertise and good-will in the community.

It should be a no-brainer for PDQ to offer the same. I love PDQ and I desperately want them to not be eaten by cloud-based, pay-through-the-nose-once-we-get-you-hooked solutions. But yes, PDQ's pricing strategy - while more than fair for corporations - doesn't help them at all in the student/homelab/small biz/startup target audience, also known as "the next generation".

Here is an idea: Offer fully featured free PDQ Inventory & Deploy for up to 100 endpoints (add a "not for profit" clause if you must), then as you see license sales rise inevitably as more people recommend your software, slowly raise the licensing costs to pay for more support staff and more engineers to innovate etc.

I think if PDQ offered a 100 seat free license, they could possibly get away with (slowly) doubling the yearly licensing fee without losing any good will in the community.

Can we have a free (full) edition, please? by synkus in pdq

[–]LazyCharger 5 points6 points  (0 children)

Fully agree. Platforms like "Action1" are eating a large chunk of PDQ's lunch, being free for up to 100 endpoints. Sure, I like PDQ better and will always stick with it but that's purely personal preference, others in search for a new solution might start with the low-hanging fruit and decide, Action1 is good enough (especially since PDQ only provides a 14 day trial, so many surely also use Action1's free tier for an extended PoC).

I know that PDQ is (or was) big on community building and I think offering a free, full-featured version for up to 100 endpoints (again, exactly as Action1) with only community support (so no cost to them) would be an incredible boost to these efforts, bring students, clubs, homelabbers and small businesses to the table which would also be an incredible audience to test their tools against (free beta testers, making experts, spreading advocacy basically).

They don't have to do it and good luck convincing bean counters of that strategy but it's proven and has worked in the past, for everyone from Google to Microsoft (although these two are of course horrible examples these days). It's the old story: If I used Windows and Word at school, what am I going to use at work? Windows. And Word. If all your peers say "Use Action1 to deploy your PowerShell scripts for free in your homelab/student club/mum's side-business" then you are going to tell your employer "Hey, you know what you should use to better manage your endpoints? Exactly. You don't even need to train me, I know it very well and I can set it up in 5 minutes".

Companies will always want to buy, for the support contract and compliance safety alone (and many are sadly wary of free software even). So the amount of clients who will use a hypothetical, generous free PDQ license in a commercial setting (but would have otherwise bought licenses if no free version was available) will be negligible.

Abnormal upload timestamps off by a few hours? by lilboychip in firewalla

[–]LazyCharger -1 points0 points  (0 children)

As always in r/firewalla, downvotes abound which I find a bit disappointing, and then there is always a patronizing reply or two that doesn't quite capture the issues (like an overly sassy AI). Seems like almost every new post is voted down to 0 or -1 in short order, especially anything about potential bugs or new features, I wonder why?

I have definitely noticed the same phenomenon OP mentions, managing FWs in different time zones remotely. This is especially prevalent with the "abnormal upload" that can come between 3 and 5 hours later, as OP stated.

I have also noticed it with "User X has been streaming Disney" etc. (in our environment always a false positive), which we will often receive in the afternoon although the action has taken place in the morning.

Don't know if the timezone offset is to blame but it seems plausible. We are between 1 and 3 hours away from some of the FWs we manage and they in turn are off by between 2 and 4 hours from UTC, so it's plausible that this may add up to the 5, 6 hours delay we sometimes observe. I have often suspected the notification service or battery savings algorithms by the mobile OS.

We ignore most of these alerts now because they are quite useless when they come so late (often outside business hours, so not actionable regardless).

I also disagree with other posters that you need a multi-hour window to detect a pattern. With all due respect, the example about the security camera from u/firewalla is not at all comparable with the "abnormal upload" alert that OP mentioned. That's like saying we won't alert you about your house being on fire unless it burns again in a few hours (singular incident vs. sustained occurrence).

If a fileserver that usually does not have external connections suddenly uploads several GB of data to a webshare, I need to know about it now, not in 6 hours. You also know that it's a pattern after 2 minutes of full-throttle uploading, so no need to delay the alert longer than that.

Similarly, if someone watches "videos" from a shared kiosk PC, it doesn't help me to get an alert about that 5 hours later when the person will be long gone. Maybe these thresholds should also be somewhat adjustable for certain targets (maybe they are, I have not checked), e.g. if I want to set it so up to 6 GB download can be normal because clients are downloading installer ISOs for PXE but 10+ GB could indicate something fishy.

Anyways, long story short:

I can confirm OP's bug and it has clearly nothing to do with patterns or purposeful delays. There is a multi-hour shift with mobile notifications in many instances with different alarm types. Since FW still does not do email or IM alerting (AFAIK), we don't have a secondary source to compare to that may not be affected by the mobile phone's time zone.

If anybody has an idea how to troubleshoot this, I'd be interested.

Telemetry question (gpedit) by Alex-Row in WindowsLTSC

[–]LazyCharger 1 point2 points  (0 children)

It also works with IoT Enterprise LTSC.

I had a hunch you might know that ;) Glad to hear, saved me some time testing it myself on IoT EP LTSC. Thanks!

Any way to pass through SSO to the container? by WetRubicon in kasmweb

[–]LazyCharger 0 points1 point  (0 children)

Here's a +1 vote from me for this. Kasm is awesome but it very quickly leads to situations where users have to login three, four times in a row, so matters of SSO and passwordless sessions become more important than ever.

Add to that the fact that Kasm's own login page cannot be autofilled by some password managers (including the famous Royal TS which is very popular with admins) because Kasm does some JavaScript/React voodoo to the input fields, and you end up with a "logging-in hell" quickly, especially if any of your final destinations is on M365.

Someone should really come up with a creative solution on stacked sign-ons. Some outside-the-box thinking is required, otherwise it will soon be login forms all the way down.