r/firewalla

New home screen layout coming soon, in App 1.69...

  • A new Rules card for more visibility
  • "Family" is now "Controls", with more quick control options for your network.

Question to you: Do you think "Ad Block" or other features should also belong in Controls?

u/Firewalla-Ash — 2 days ago

Wi-Fi went down this morning, looks like a memory problem on the box, has happened before (also: AP7C stuck "offline" in iOS app only) ticket -- #118271

Figured I would post here that I submitted a ticket this morning with a lot of detail and logs from the Firewalla as well as iOS screenshots. Seems like my tickets are just filtered out unless I post. I get an email from someone at Firewalla after I post on here saying my ticket has received no responses in like 6-8 days and someone finally looks at it. In the same response I get you should change your email address. I always say why and never really get a response :) So hopefully someone will actually look at my ticket before 6-8 days this time. The bottom line is that all the AP7's go offline and no WiFi works, and it seems to be memory issues on the Firewalla Gold Pro or some other type of bug. This has happened several times, but this time I actually logged into an SSH session and got all the logs before they disappeared and captured diagnostic output. Unfortunately, I know of no way to log in to the AP7's to capture their diagnostic logs like doing SSH to the Gold Pro. This seems to be a recurring problem and the ticket has the details. Thanks in Advance.

u/goodt2023 — 4 days ago

We're working on a new design in 1.69 to show more details on the last hit of a rule. Is the "last destination" clear enough?

u/Firewalla-Ash — 1 day ago

All in on Firewalla... except the switch! ugh!

Bought a Gold Plus back in 2023 to pair with Frontier fiber and it's been rock solid. Easily the best networking purchase I've made in years. The problem is everything sitting behind it.

As an IT executive it's hard to admit this, but here's what my home network actually looks like right now:

Gold Plus & Eero in the wiring closet... another Eero downstairs pretending to be mesh... a Ruckus wireless controller and 3 ceiling-mounted Ruckus PoE APs left behind when we bought the house... and a Raspberry Pi running Pi-hole as DNS for everything, because the Eero ad blocker and the Firewalla ad blocker kept butting heads and I needed a referee.

I'm done. I want a single ecosystem so when something breaks at 11pm my wife and kids don't scream at me while I dig through three different management UIs.

I just ordered 3x AP7's to retire the Ruckus gear and a Cisco WS-C3650CX-12 to wire in the APs and run ethernet to the smart home hubs (Hue, SmartThings, Lutron, the usual shit show) as well as wired to the bedrooms/loft/fam room just in case because I'm old school.

...then I saw the "Help us make the Firewalla Switch" thread.

Consider this my vote, loudly. You already own the gateway in my house. With the AP7's you now own the wireless layer. The only piece left is L2 and PoE distribution. I love Cisco professionally, but I genuinely do not want to live in IOS - I thought I'd graduated from that shit. If you ship a managed PoE switch that lives in the ecosystem alongside the Gold Plus and the AP7s, with VLANs that auto-sync to my firewall policies, I would preorder it the second it goes live.

My ask is simple: 8 or 12-port SKUs, multi-gig (a couple of 10G uplinks would be the cherry on top), healthy PoE+ budget, fanless or near-silent, and the same beautiful UX as the rest of the lineup. Same pricing philosophy too. You've nailed "prosumer with adult-level features" in every product so far, please don't drift upmarket on the switch.

Firewalla team, if there's any way to nudge this onto the 2026 roadmap, please do it. I'm hoping the AP's will ship next week and I will absolutely throw the Cisco in the heap for a Firewalla Switch the day it's announced. Heck, I'll beta test if you need it!

u/sharkylazers — 4 days ago

Disable 2.4Ghz radio in a multi-AP network

I have 3 AP7 units in my house. The goal is to have smooth 5Ghz coverage with a close AP at all locations. I need to disable 2.4Ghz on at least one radio due to cross channel interference from the neighborhood. I don't see the option to do that as I expect from having run other vendor Wifi systems in the past. I would disable 2.4Ghz completely but there are too many IOT devices requiring it still.

u/bmjunior74 — 1 day ago

In 1.69, we're adding a new feature to block domains using non-ASCII characters (which can sometimes impersonate sites). Which name fits best?

Context: Punycode is the system that lets browsers represent non-ASCII characters (like characters in other languages) in domain names.

For example, a domain like paypal.com using a Greek 'alpha' (α) will be encoded as xn--pypl-0ldc.com.

These can sometimes be used to impersonate legit sites, but blocking them may also block trusted websites in other languages.

u/Firewalla-Ash — 5 days ago
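
Added example, not part of the original post or Firewalla's code: a Python sketch of the trade-off described above, decoding `xn--` labels and separating single-script IDNs from mixed-script ones. The function names, verdict strings and sample domains are assumptions made for illustration.

```python
import unicodedata

ACE_PREFIX = "xn--"  # marks a Punycode-encoded (IDN) label on the wire

def to_ace(label):
    """Encode one Unicode label the way it appears in DNS queries."""
    return ACE_PREFIX + label.encode("punycode").decode("ascii")

def scripts_of(text):
    """Heuristic script detection: first word of each letter's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in text if ch.isalpha()}

def inspect_domain(domain):
    """Return (verdict, unicode_form) for one queried name."""
    verdict, shown = "ascii", []
    for label in domain.lower().rstrip(".").split("."):
        if not label.startswith(ACE_PREFIX):
            shown.append(label)
            continue
        try:
            decoded = label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
        except UnicodeError:
            return "undecodable", domain   # malformed xn-- label
        shown.append(decoded)
        if len(scripts_of(decoded)) > 1:
            verdict = "mixed-script"       # e.g. Latin letters plus a Greek alpha
        elif verdict == "ascii":
            verdict = "single-script-idn"  # e.g. an ordinary German name
    return verdict, ".".join(shown)

# Constructed sample queries (not taken from any real log).
SAMPLES = [
    "example.com",
    "xn--mnchen-3ya.de",                   # münchen.de
    to_ace("p\u03b1yp\u03b1l") + ".com",   # Latin "paypal" with Greek alphas
]

if __name__ == "__main__":
    for name in SAMPLES:
        verdict, shown = inspect_domain(name)
        blanket = any(l.startswith(ACE_PREFIX) for l in name.split("."))
        print(f"{name:24} {shown:16} blanket_block={blanket} verdict={verdict}")
```

A blanket `xn--` block catches both IDN samples, while the script check separates them. The script check is only a heuristic: an all-Cyrillic lookalike passes it, and languages that legitimately mix scripts (Japanese, for example) trip it.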

FCC reverses course, allows software updates for foreign-made drones and routers until 2029 — agency says blocking security patches could create cybersecurity risks

Don't worry. The FCC and DoW/DoD, like the rest of the Trump administration, totally knows what they are doing. /s

tomshardware.com
u/Great-Cow7256 — 4 days ago

Clarification on FW box pinging/checking blocked domains

Hey all,

Real quick question for the u/firewalla team: I have some target lists specifically blocking certain domains, like IP/Domains in the Silent/Black RAT malware or threat domains (like sfrclak[.]com or gmzdaily[.]com etc.). However, I've noticed in NextDNS (which logs all DNS traffic) that these domains are being called from my WAN IP (i.e. my FW box). If I check my FW Flow logs, there are NO devices calling these domains; nothing shows. Nothing else has access to my NextDNS, only traffic through the FW (NextDNS set up over DoH on the LAN side, not WAN DNS on FW).

So my question is: does FW ping these domains periodically to check for their IP (and/or other info), and if so, what security risks does this pose when it comes to exposing a user's WAN IP address to these endpoints (for example, a malicious RAT endpoint could gain users' IP addresses for targeting)?

Just need some clarification on if this is normal behaviour and any security concerns.

(attached images of FW target list, NextDNS Logs, FW Flows)

Does this make sense?

u/benjibarnicals — 4 days ago

I know our hardware is not made in the US and while it’s not a “router” the language in the FCC ban targets anything that forwards packets basically. I know we are good until May 2027 to be able to receive security updates on most consumer routers but I am curious what the plan is for our gear? If we lost updates in a year and your company is unable to manufacture in the US what next?

u/hawkeye000021 — 9 days ago

Feature Request: Setting VLAN ID on Ethernet Ports of AP7

I know there is a post here https://help.firewalla.com/hc/en-us/community/posts/36955917782675-Set-vlan-ID-on-ports that raised the issue, but since it is 1 year old, let me create a fresh request.

I have two AP7, one is connected to Gold Pro via an ethernet cable, and the other is a satellite node wirelessly connected to establish mesh network. I am trying to connect a device to the satellite AP7 via an ethernet cable.

The problem is I cannot find a way to set a VLAN ID on the ethernet ports of the satellite AP7. My device cannot be set up to use a VLAN ID, thus I need the VLAN ID to be set on the AP7's ethernet ports. Currently, I see my device is connected to the LAN network, which is unacceptable in my environment.

I know this issue can be resolved using a managed switch connected in-between AP7 and my device, but having an extra managed switch for every AP7 to use its ethernet ports with VLAN is very inconvenient (lots more hassle and money on installing AP7+managed switch vs. only AP7...).

If the feature is already there but I am just missing it, please let me know how to use it. Otherwise, could you please add this feature?

u/macep2 — 1 day ago

Background story: My house has Frontier Fiber internet. I use the Gold SE in Router mode. All the main Deco units and nodes are set to Access Point (AP) mode, and I’ve connected them via wired backhaul using Ethernet cables into the same unmanaged switch.

Previously, at least once a day, Firewalla would notify me that my WAN ISP was disconnected. When I checked the Events in Firewalla, it said the disconnection was caused by a Ping Test failure. This never used to happen when I was using the Purple.

Eventually, I figured out the cause of the issue. In the first few days after setting up the Gold SE, I changed the DNS settings for both the WAN ISP and the LAN, but I didn’t reboot Firewalla after applying those changes.

Yesterday, after reading a comment from Firewalla on Reddit recommending that the DNS field in the WAN ISP settings should be left blank, so that Firewalla can automatically use the ISP’s DNS, I followed that advice. After applying the change, I opened the Firewalla app, tapped the gear icon in the top-right corner of the home screen, then went to Advanced and selected “Reboot Firewalla.”

Since then, the Gold SE hasn’t experienced any WAN disconnections, and the Ping Test failures have also stopped occurring.

Also this is my DNS setup for LAN and WAN. And Ping test target.

For LAN DNS, I set the Primary DNS to 9.9.9.9 and the Secondary DNS to 149.112.112.112.

For WAN DNS, I left it blank so Firewalla can automatically pick up the DNS from the ISP.

In the Ping Test target section of the WAN settings, I entered three IP addresses in order:

  1. The Gateway number (This can be found under WAN settings)
  2. 9.9.9.9
  3. 149.112.112.112

The rest I keep as default.

I hope this post can help anyone who has the same issue as me.

Remember to use the Firewalla app to reboot your Firewalla after you change LAN and WAN settings.

u/Novel-Pumpkin7476 — 7 days ago

Slow ethernet speeds

Hello, I just set up my Firewalla and AP7 for the first time today. Everything seems to be working well, except that I have 1gig Xfinity internet and the speed test in the app is showing 252 mbps a second down for WiFi.

I tried the speed test app on my Windows PC and it is showing 256 mbps down for ethernet. I set my Firewalla speed to 1000 mbps down and 1000 mbps up. I am using a Ubiquiti Flex Mini 2.5G switch in this setup.

My computer is plugged into the switch, not directly into the Firewalla itself. Any ideas on what I am missing or did wrong are appreciated.

u/appleofmydroid — 4 days ago

Netgear Orbi dropping WiFi every few minutes after swap from FW Purple to Gold

Yesterday, I upgraded from my trusty FW Purple to a Gold I bought (2nd hand).
I dropped it in, migrated, adjusted WAN settings, put Pi-Hole docker back in place and connected everything.

Wired devices all get connected and have been working flawlessly ever since.

However, my WiFi access points have not been behaving well.

Hardware:
Provider modem/router in modem mode --> FW (Gold, was Purple) --> switch --> Netgear Orbi RBR740 (in Access Point mode) --> wireless backhaul --> Netgear Orbi RBS740 (access point, so always in AP mode)

Setup: FW in router mode, no DHCP on modem nor on any other device, Netgear items as mentioned above in AP mode, no fixed IP addresses (for now)

The above setup worked well when the Purple was in place and no settings have been changed.

Now, the RBR740 drops every few minutes. It then also drops connection to the 'satellite' of course.

(so, RBR740 is in AP mode, no NAT, no DHCP, ...)

I've scoured the internet and am yet to find a solution.

Things I've tried:

- disconnect and reboot each of the involved devices in multiple sequences
- change of switches
- turn off AX features
- give fixed IP addresses to Netgear devices
- upgraded to latest Orbi firmware
- upgraded Firewalla Gold to 22.04.4 based firmware
- disabled monitoring of the two Orbi devices in Firewalla
- disabled IPv6 in Firewalla
- ...

Would really appreciate some help, thanks in advance!

(Now, the good news is that I'd already ordered a pair of AP7's. the bad is that they're not here yet - and I have a rather unhappy wife and teenager to fend off. Also, I want to ensure there is no underlying issue / configuration item that might cause an issue when the AP7's arrive.)

u/AlexMPH — 7 days ago

I’m currently in South America for work and using the Orange as my travel router (I live in the US). So far it has been fantastic! Performance is excellent for the hotel WiFi (Marriott). Setup with a captive portal was as easy or easier than my Beryl AX with one caveat…I had to use my work laptop to connect to the hotel Wifi as I only got a blank white screen on my iPhone via the Firewalla app.

VPN Configuration:
Orange —> WireGuard (Site to Site) —> Firewalla Gold Plus

Application: Sensitive work data, large file downloads and transfers, online meetings, gaming, and TV streaming. I travel globally and not always to the nicest or most trustworthy places. I also have routing requirements that aren’t supported by the Beryl AX.

Performance: My current hotel WiFi speed is about 15Mbs and this configuration easily outperforms that. My Teams meetings today were flawless and I downloaded movies without any issues.

Setup: With laptop, easier and seemingly almost as quick as my Beryl AX (highly recommend!). However, I couldn’t log in via the hotel’s captive WiFi with my iPhone. Once I realized I needed to use my laptop instead of my phone setup was quick. It may have taken a little longer than my Beryl AX, but not meaningfully for me. I’ll test this out over the next couple weeks (I travel every week for work), but I liked the Firewalla captive WiFi login experience better. I’ve surprisingly had problems with captive WiFi’s with my Beryl AX which was a driving factor to purchase the Orange.

Overall: A huge upgrade over the Beryl AX in security and performance, albeit at a significant price delta. The Orange is larger and takes more space in my bag, but I love being in the Firewalla ecosystem while traveling.

Beryl AX - An inexpensive (comparatively) and slightly more portable option that provides basic security and capabilities. Highly recommended.

Orange - Supercharged performance in the Firewalla ecosystem. A no brainer for my use case. Highly recommended. The Orange is also a much better option for family travel, IMO.

Btw - I have no affiliation with Firewalla and don’t get paid for posting this. I’m just a network geek that travels too much. I enjoy this stuff.

u/Paratrooper76 — 8 days ago

What else would you want to show here? It may be hard to make it configurable, so the first phase will be automatic.

(The buttons would be dynamic, based on the most recently used. The first icon is your recent device, the second is recent group/user, the third is recent feature or speed/performance related, and the fourth is a feature that is hidden or disabled.)

u/Firewalla-Ash — 13 days ago