Asus ZenWiFi XT8 with Firewalla Gold - Config advice?


I've been using 'mesh' Portal (two-node, off-brand, EOL) routers with a Firewalla Blue for several years. I decided it was time for an upgrade. I got a pair of XT8 routers and set them up in the default AiMesh wireless router mode using the 5GHz-2 band as backhaul, and without any firewall. I got a good pair, they work flawlessly and I love the UI options, especially the multiple SSID options per band, which I will use to segregate IoT devices and Guests from the main network.

But I've come to love my Firewalla. They are constantly adding features and it has just been getting better and better. The Asus controls are not granular enough to replace the firewall; I have kids and need to watch exactly what they are doing when, and be able to selectively block/whitelist domains. The Asus UI, as far as I can tell, only has very simplistic blocking, it doesn't seem to have the feature set I need.

The FW Blue uses ARP spoofing/poisoning, and I think that contributed to some of my previous network issues, so I grabbed a FW Gold and am going to put it between the dumb modem and the Asus XT8. It's a 'real' FW and does not use ARP spoofing.

However, to really use the FW for what I want, I have to use the integrated router, and I'd rather not double-NAT, so I can't use the XT8 in its default configuration.

I'd like my network to look like this: Modem---> FW Gold ---> Asus XT8 Node 1 ---(5GHz-2 backhaul)---> Asus XT8 Node 2

The problem is that not only are my wife and I working from home, the kids are schooling from home, and everyone's only connection to the outside world, including TV, is via the internet. So I don't have the luxury of trial-and-erroring my way through various setup options, and I'd like some input as to which of the configs I should use, and also whether there's anything else I might be overlooking. This is my first time using the Asus UI, and though I've read the manual carefully I don't know what I don't know...

The XT8 has 5 possible modes:

1) AiMesh Wireless Router mode (Default)
2) Access Point(AP) mode / AiMesh Router in AP mode (is this two different modes with the second option only visible after applying this?)
3) Repeater mode
4) Media Bridge
5) AiMesh Node
*There is also a Bridge or WDS (Wireless Distribution System) option. The way the manual describes it doesn't make sense to me, and I can't tell which of the 5 modes it applies to.

Can anyone give me advice on how to set the XT8 up to get it to work the way I'd like? Appreciate all input!
Hi there! Just wondering if you might have tested and figured this out as I'm thinking of doing the same as yourself!


I have my ZenWiFi AX set up this way, in AP mode, with an RT-AX86U instead of the Firewalla Gold facing the internet. The way that I set this up was to first get the RT-AX86U configured as my "wired/main" router. The 86U is connected to the fiber gateway, which I have to use in bridge mode (IP Passthrough mode). Then I connected my ZenWiFi, which was in router mode, to the 86U. I was able to use the Asus Router smartphone app to switch the ZenWiFi to AP mode, and now have a nice mesh AP via the ZenWiFi. It was pretty easy to do it that way. After that I could find the ZenWiFi IP address from the client list on the 86U web admin interface, and go directly to the ZenWiFi IP address to use the admin interface on it.

By the way, I'm also using wireless backhaul here, so the 5GHz-2 radio is the dedicated backhaul radio.

At one point, though, I did have a problem and had to reset the ZenWiFi to factory defaults. At that point, I just used the Asus Router smartphone app to get the ZenWiFi mesh set up and running again. And the last thing that I did with the smartphone app was to set the ZenWiFi to AP mode. After that I could go to the ZenWiFi admin interface directly to finish the configuration, as mentioned above.
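The point of the procedure above is to end up with exactly one NAT layer (the edge router) and the ZenWiFi/XT8 acting as a plain AP. A quick way to confirm that from any client on the LAN is to traceroute out and count the leading private-address hops. The script below is an added example written for this thread, not code from either poster or from Asus/Firewalla: it parses traceroute/tracert text and reports "single-nat" (what you want), "double-nat" (the XT8 is still routing, or some other second NAT is in the path), or "cgnat" (a hop in 100.64.0.0/10, meaning the ISP is doing carrier-grade NAT, which no local change fixes). The sample traceroute outputs embedded in it are constructed; the addresses (192.168.50.1, 192.168.1.1, 203.0.113.1, 100.64.0.1) are illustrative assumptions, not anyone's real network.

```python
"""Count NAT layers from traceroute output (added example, not from the thread).

With the intended layout (modem -> Firewalla Gold as the only router -> XT8 in
AP mode) exactly one RFC 1918 hop should appear before the first public hop.
"""
import ipaddress
import re
import subprocess
import sys

# RFC 1918 (private) and RFC 6598 (carrier-grade NAT) ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")

IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def hop_addresses(traceroute_text):
    """Return the first IPv4 address on each hop line; None for silent ('* * *') hops.

    Works on both Linux/macOS `traceroute` and Windows `tracert` output: hop lines
    start with the hop number, header lines do not and are skipped.
    """
    hops = []
    for line in traceroute_text.splitlines():
        line = line.strip()
        if not line or not line[0].isdigit():
            continue
        m = IP_RE.search(line)
        try:
            hops.append(ipaddress.ip_address(m.group(1)) if m else None)
        except ValueError:  # matched something that is not a valid address
            hops.append(None)
    return hops


def classify(hops):
    """Return (number of leading private hops, whether a CGNAT hop was seen).

    Walks hops in order and stops at the first public address; silent hops are
    skipped rather than treated as a NAT boundary.
    """
    private = 0
    cgnat = False
    for addr in hops:
        if addr is None:
            continue
        if addr in CGNAT:
            cgnat = True
            continue
        if any(addr in net for net in RFC1918):
            private += 1
            continue
        break
    return private, cgnat


def verdict(private, cgnat):
    """Map the hop counts to a short label."""
    if cgnat:
        return "cgnat"
    if private == 0:
        return "no-nat"
    if private == 1:
        return "single-nat"
    return "double-nat"


def analyze(traceroute_text):
    """Full pipeline: traceroute text -> label."""
    return verdict(*classify(hop_addresses(traceroute_text)))


# Constructed sample outputs (addresses are illustrative assumptions).
SAMPLE_SINGLE = """\
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.412 ms  0.381 ms  0.366 ms
 2  203.0.113.1 (203.0.113.1)  9.110 ms  9.012 ms  8.944 ms
 3  * * *
"""
SAMPLE_DOUBLE = """\
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.50.1 (192.168.50.1)  0.400 ms  0.380 ms  0.360 ms
 2  192.168.1.1 (192.168.1.1)  1.200 ms  1.100 ms  1.050 ms
 3  203.0.113.1 (203.0.113.1)  9.100 ms  9.000 ms  8.900 ms
"""
SAMPLE_CGNAT = """\
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.400 ms  0.380 ms  0.360 ms
 2  100.64.0.1 (100.64.0.1)  5.200 ms  5.100 ms  5.050 ms
 3  203.0.113.1 (203.0.113.1)  9.100 ms  9.000 ms  8.900 ms
"""

if __name__ == "__main__":
    # Live run: `python nat_check.py 8.8.8.8` (uses tracert on Windows, traceroute elsewhere).
    target = sys.argv[1] if len(sys.argv) > 1 else "8.8.8.8"
    cmd = ["tracert", "-d", target] if sys.platform.startswith("win") else ["traceroute", "-n", "-m", "8", target]
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    print(analyze(out))
```

Run it from a wired or wireless client behind the XT8: "single-nat" means the XT8 is bridging as intended and the Firewalla is the only router; "double-nat" means a second gateway is still answering on the path (check that the XT8 is actually in AP mode and that its DHCP server is off); "cgnat" is worth knowing before spending time on port forwarding or VPN server features on the Firewalla.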


Doing parental controls at the router level is a bad idea. I don't know how old your kids are, but it's just a matter of time until they figure out how to outsmart your firewall. It also doesn't work if they switch to mobile data - or just connect to your neighbors' network.
It is far better to use Google Family Link or Apple Screen Time on the end device. Both are deeply rooted in the OS, so circumventing them is unlikely. It's also more efficient, as browsing and streaming don't suffer from deep inspection and MITM.

