ISP Router Bridge Mode Guide | AIMF Security
📡 Reference Guide

ISP Router Bridge Mode

Step-by-step instructions for putting your ISP router into bridge or passthrough mode, so Firewalla becomes your primary router.

SOHO Network Hub → ISP Bridge Mode

What is Bridge Mode?

Bridge mode turns your ISP's router/modem combo into a simple modem. It stops doing routing, NAT, DHCP, and Wi-Fi - it just passes the internet connection through to your own router (Firewalla).

  BEFORE (Double NAT - Bad):
  Internet -> ISP Router (NAT #1) -> Firewalla (NAT #2) -> Devices
                                     ^ Double NAT causes VPN issues

  AFTER (Bridge Mode - Good):
  Internet -> ISP Modem (bridge) -> Firewalla (NAT #1) -> Devices
                                    ^ Single NAT, full control

💡 Why Bridge Mode Matters

  • Eliminates double NAT: VPN, gaming, and port forwarding work properly
  • Full Firewalla control: Firewalla manages all routing and firewall rules
  • Better performance: One less device doing NAT translation
  • Required for Advanced Mode: VLANs need Firewalla in Router Mode, which needs bridge mode

⚠️ Before You Start

  • Write down your ISP account credentials (you may need them)
  • Note your current ISP router's IP, Wi-Fi name, and password
  • Have a device connected via Ethernet to Firewalla (Wi-Fi will drop during the switch)
  • Do this during a time when internet downtime is acceptable (10-30 minutes)

Quick Reference

ISPCommon EquipmentBridge MethodDifficulty
AT&T FiberBGW320, BGW210IP PassthroughMedium
Verizon FiosG3100, G1100Bridge Mode or own ONTEasy
Xfinity (Comcast)xFi GatewayBridge Mode in adminEasy
CoxPanoramic WifiBridge Mode in adminEasy
SpectrumVarious modemsAlready bridged (modem only)None
Google FiberNetwork Box / JackDirect Ethernet from jackEasy

AT&T Fiber (BGW320 / BGW210)

AT&T IP Passthrough

AT&T gateways do not have true bridge mode. Instead, they use IP Passthrough, which forwards the public IP to your router while the gateway still handles authentication.

Steps:

  1. Connect Firewalla to the AT&T gateway via Ethernet
  2. Open a browser and go to 192.168.1.254
  3. Login with the credentials on the gateway sticker (or your AT&T account)
  4. Navigate to Firewall > IP Passthrough
  5. Set Allocation Mode to Passthrough
  6. Set Passthrough Mode to DHCPS-fixed
  7. Select your Firewalla from the device list (by MAC address)
  8. Click Save
  9. Restart the gateway

⚠️ AT&T Notes

  • AT&T gateways still do 802.1x authentication - you cannot fully bypass them
  • Disable the gateway's Wi-Fi radios to avoid interference (under Wi-Fi settings)
  • If you have AT&T TV, it may need the gateway's DHCP - test carefully

Verizon Fios (G3100 / G1100)

Verizon Bridge Mode

Verizon Fios is one of the easiest ISPs to bridge. If you have Ethernet from the ONT, you can bypass the Verizon router entirely.

Option A: True Bypass (Best)

  1. Check if your ONT (the box on the wall) has an Ethernet port
  2. If yes, connect Firewalla directly to the ONT Ethernet port
  3. Set Firewalla to Router Mode
  4. Firewalla will get a public IP via DHCP
  5. You can return the Verizon router to save the $15/month rental fee

Option B: Bridge Mode (if you need the Verizon router)

  1. Open a browser and go to 192.168.1.1
  2. Login with admin credentials (on the router sticker)
  3. Go to Advanced > Network Settings > Bridge Mode
  4. Enable Bridge Mode
  5. The router will reboot and stop doing NAT/DHCP
  6. Connect Firewalla to the router's LAN port

💡 Verizon Tip

If you have Fios TV, you may need to keep the Verizon router for the TV guide/DVR. In that case, use Option B (bridge mode) instead of full bypass.

Xfinity / Comcast

Xfinity Bridge Mode

Xfinity gateways support bridge mode through the admin interface or the Xfinity app.

Via Admin Interface:

  1. Open a browser and go to 10.0.0.1
  2. Login (default: admin / password)
  3. Navigate to Gateway > At a Glance
  4. Find Bridge Mode and set to Enable
  5. Confirm the change - the gateway will reboot
  6. Connect Firewalla to the gateway's Ethernet port

Via Xfinity App:

  1. Open the Xfinity app on your phone
  2. Go to Internet > Gateway
  3. Tap Advanced Settings
  4. Enable Bridge Mode

⚠️ Xfinity Notes

  • Bridge mode disables ALL Wi-Fi and routing on the gateway
  • Only ONE Ethernet port will work in bridge mode (usually port 1)
  • If you have Xfinity Voice, bridge mode may affect phone service
  • Consider buying your own modem to avoid the $14/month rental fee

Cox Communications

Cox Panoramic WiFi Bridge Mode

Steps:

  1. Open a browser and go to 192.168.0.1
  2. Login with admin credentials
  3. Navigate to Gateway > Connection > Local IP Configuration
  4. Set Gateway Mode to Bridge
  5. Save and reboot
  6. Connect Firewalla to the gateway

Alternatively, call Cox support and ask them to put your gateway in bridge mode remotely.

Spectrum (Charter)

Spectrum - Already Bridged

Good news: Spectrum typically provides a standalone modem (not a router/modem combo). This means it is already in bridge mode by default.

Setup:

  1. Connect Firewalla directly to the Spectrum modem via Ethernet
  2. Set Firewalla to Router Mode
  3. Firewalla will get a public IP automatically

💡 Spectrum Note

If Spectrum gave you a combo unit (modem + router), you can usually call them and request a modem-only swap, or buy your own DOCSIS 3.1 modem.

Google Fiber

Google Fiber Direct Connection

Google Fiber provides a fiber jack (wall unit) with an Ethernet port. You can connect directly to it.

Steps:

  1. If using the Google Network Box, disconnect it
  2. Connect Firewalla directly to the Google Fiber jack's Ethernet port
  3. Set Firewalla to Router Mode
  4. Firewalla will get a public IP via DHCP

If you have the newer Google Fiber setup with a built-in router, contact Google Fiber support to request bridge mode or a standalone fiber jack.

Other ISPs (Generic Framework)

General Bridge Mode Steps

If your ISP is not listed above, follow this general approach:

  1. Find your gateway IP: Usually 192.168.1.1 or 192.168.0.1. Check your device's network settings for "Default Gateway"
  2. Login to admin panel: Credentials are usually on a sticker on the device. Common defaults: admin/admin, admin/password, admin/1234
  3. Look for Bridge Mode: Check under Advanced, Gateway, WAN, or Internet settings. It may be called:
    • Bridge Mode
    • Passthrough Mode
    • IP Passthrough
    • Modem Mode
    • Transparent Bridge
  4. Enable it: Save and reboot the device
  5. Connect Firewalla: Plug into the gateway's Ethernet port
  6. Verify: Firewalla should get a public IP (not 192.168.x.x)

⚠️ If Bridge Mode is Not Available

Some ISPs lock their equipment. Options:

  • Call your ISP and ask them to enable it remotely
  • Ask if you can use your own modem instead
  • Use Firewalla in DHCP Mode behind the ISP router (Beginner Mode)
  • Some ISPs offer a "DMZ" mode that forwards all traffic to one device

After Bridge Mode

Verify Your Setup

  1. Open Firewalla app and check Network > WAN
  2. Your WAN IP should be a public IP (not 192.168.x.x or 10.x.x.x)
  3. Test internet connectivity on all devices
  4. Test VPN access from outside your network
  5. Disable the ISP router's Wi-Fi if it is still broadcasting

Common Issues After Bridging

  • No internet: Restart both the ISP device and Firewalla. Wait 2-3 minutes for the ISP modem to re-authenticate
  • Still getting private IP: The ISP device may not be fully bridged. Double-check settings or call ISP support
  • TV/Phone stopped working: Some ISP services require the router functions. You may need to keep the ISP router for those services and use IP Passthrough instead of full bridge
  • Slow speeds: Run a speed test. If speeds dropped, check that your Ethernet cables are Cat5e or better. Restart the ISP modem
← Back to Hub Advanced Guide →
AI Marketing Flow logo
Quick Links

Case Studies

Video Library

Defense Guides

About AIMF

About

Contact Us

Site Info

Privacy Policy

Terms of Use