Firewalla App version 1.52 is available on iOS / Android.
Some of the new features require box version 1.975 or above. This version is currently available to:
- Gold, Purple (Beta)
To join the Box Beta program, please refer to this guide: Beta Onboarding.
- Blue Plus (Early Access)
To join the Early Access program, please refer to this guide: Early Access Onboarding.
If you have any issues, please post them here: https://help.firewalla.com/hc/en-us/community/topics/115000361734-Beta-Users
- Native Family Protect
- Auto-Configuration Wizard
- Top Blocked Flows by Region & Destination
- Custom DNS Entry Rules
- Preferred Route
- Box Restoration and Migration
- Tuning Speed Test Server
- WOL per Device
- Unbound Over VPN
- Port Forwarding via specified VPN or WAN
- Smart Queue - CAKE (Purple Only)
- Supported warnings when Ethernet port speed changes
- Supported displaying notes on the Rules list
- Supported changing local domain suffixes on Blue Plus
- Supported muting Open Port alarms based on the port purpose
- Help & support enhancements
- Supported grouping VPN devices with other devices
- Supported diagnosing inbound blocked flows using local ports
- Supported targeting multiple ports in one rule
- Changed the "Monitoring" button to "Mode"
1. Native Family Protect (Not supported on Red and Blue)
Before app version 1.52, Family Protect used third-party DNS services to filter out violent and pornographic online content. However, since it is a DNS service, it cannot be used with Unbound or DNS over HTTPS. In this release, we've added support for a new "Native" mode, which can create multiple blocking rules on the devices to which Family Protect is applied. It leverages Firewalla blocking features to give you full control over what to block right on the Firewalla box without going out of the network. Here is a list of pre-configured options:
- All Porn Sites
- All Gambling Sites
- All VPN sites
- DoH Services
- Apple Private Relay
To give your family extra protection, Family Protect will also help you turn on Active Protect and Ad Block strict mode. These features can still be applied to different devices.
2. Auto-Configuration Wizard (Not supported on Red and Blue)
To help you make the best use of your Firewalla, we've introduced an auto-configuration wizard that quickly customizes the box by asking a few questions. It can be triggered by tapping Settings -> Features -> Customize Now. This wizard may turn features on or off, create essential rules, etc.; all the configurations can be changed in the app afterward. Read more about this feature in our article about using the Auto-Configuration Wizard.
3. Top Blocked Flows by Region & Destination (Requires box version 1.975)
On the box main screen or the detail screen of any device, group, or network, tap the number of blocked flows and tap Top Blocked, and the app will show you two lists:
- Top regions + inbound: If someone from the outside is trying to connect to your network, most attempts will be blocked by Firewalla's Ingress Firewall. We've aggregated those flows based on regions, so you can better understand which regions you should watch out for.
- Top destinations + outbound: These are the destinations your devices are trying to connect to; most of them might be blocked by the Ad Block feature or the blocking rules you've created.
In the blocked flows page, the time range can be set to any specific hours or the last 24 hours in total. You can tap on any region or destination to drill down and view the detail. If you are wondering why these blocks are triggered, just tap Diagnose. You can also tap Allow to create allow rules directly.
4. Custom DNS Entry Rules (Requires box version 1.975)
You can now add DNS entries via the app. We used to have a "pro" guide on how to customize your DNS via the command line; in this release, we've brought this feature to the app UI to make it easier to manage.
On the box's main screen, tap DNS Service -> Custom DNS Rules, tap Add Custom DNS Rule, enter the domain and an IP address you want it to be resolved to, save the rule, and it's done.
5. Preferred Route (Requires box version 1.975)
When using a Route to send traffic to a WAN or a VPN interface, you can now select Route Preference. For each route, you'll be given two options:
- Static: if the selected interface is not available, the traffic will be dropped. This is the default setting.
- Preferred: if the selected interface is not available, allow traffic through an alternate route.
For example, if you have a dual-WAN setup, and you want all gaming traffic on your iPad to go to "ISP 1", if "ISP 1" is unavailable or disconnected the traffic can be sent to the other WAN connection instead. In this case, you can create a route with the following settings:
- Matching: All Gaming Sites
- Device: iPad
- Interface: ISP 1
- Route Preference: Preferred
Please note that in order to "lock" traffic to a selected VPN, you also need to ensure the VPN's Internet Kill Switch is enabled.
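The Static / Preferred behaviour and the kill-switch note above, as an added example (not Firewalla code): a small Python model of which interface a route's traffic leaves on, plus an audit that flags VPN routes that are not locked to the VPN. The `Route` fields, the interface names other than "ISP 1", and the kill-switch map are assumptions made for illustration; Firewalla exposes these settings in the app, not in this format.

```python
from dataclasses import dataclass

@dataclass
class Route:
    name: str
    interface: str      # interface the route points at
    kind: str           # "wan" or "vpn"
    preference: str     # "static" (the default) or "preferred"

def egress(route, link_up, alternates):
    """Interface the matched traffic leaves on, or None if it is dropped."""
    if link_up.get(route.interface, False):
        return route.interface
    if route.preference == "preferred":
        # Preferred: fall back to the first alternate that is up.
        return next((a for a in alternates if link_up.get(a, False)), None)
    return None  # Static: selected interface is down, traffic is dropped

def audit_vpn_lock(routes, kill_switch):
    """Flag VPN routes whose traffic is not locked to the VPN."""
    findings = []
    for r in routes:
        if r.kind != "vpn":
            continue
        if r.preference == "preferred":
            findings.append((r.name, "Preferred: falls back to another route if the VPN is down"))
        elif not kill_switch.get(r.interface, False):
            findings.append((r.name, "Static, but the VPN's Internet Kill Switch is off"))
    return findings

# Constructed sample configuration; only the iPad / "ISP 1" route is from the text.
ROUTES = [
    Route("iPad gaming", "ISP 1", "wan", "preferred"),
    Route("Laptop all traffic", "VPN-A", "vpn", "static"),
    Route("NAS backups", "VPN-B", "vpn", "preferred"),
    Route("TV streaming", "VPN-C", "vpn", "static"),
]
KILL_SWITCH = {"VPN-A": True, "VPN-B": True, "VPN-C": False}
LINK_UP = {"ISP 1": False, "ISP 2": True, "VPN-A": False, "VPN-B": False, "VPN-C": True}

if __name__ == "__main__":
    for r in ROUTES:
        print(f"{r.name}: egress={egress(r, LINK_UP, ['ISP 2'])}")
    for name, reason in audit_vpn_lock(ROUTES, KILL_SWITCH):
        print(f"NOT LOCKED  {name}: {reason}")
```

With "ISP 1" and the VPNs down, the Preferred routes leave via "ISP 2" while the Static route drops its traffic, which is the difference to check before relying on a route for privacy.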
6. Box Restoration and Migration
Before box version 1.975, if you wanted to migrate your data and configurations from one box to another, Firewalla required you to manually migrate data after the initial setup. With this new release, a complete version of box restoration and migration is supported: more data can be migrated during the initial setup, including the network configurations, routes, data usage, etc.
When installing a new box, the app will automatically check if there are any backup configurations of the same box or boxes with the same model, and then provide you with options to Restore from backup, Replace an old box or Set up as new. So the initial setup and migration can be done with one single tap.
With app version 1.52 and box version 1.975, the following data will not be restored or migrated:
- OpenVPN server configurations
- Paired phones (All other phones need to use additional pairing to pair with the new box)
- DDNS (A new DDNS will be generated for the new box, and all VPN clients need to update their profile to use the new DDNS.)
- Data usage history
- MSP related configurations
7. Tuning Speed Test Server (Requires box version 1.975)
Internet speed tests on Firewalla can be run manually or scheduled to run daily at any hour you select. When running a speed test, it will automatically pick a server near you. With this release, you can specify which server to use or not to use on the app. In any test results, tap the server, then choose:
- Always use this server: To specify this server and always run tests on it
- Never use this server: To exclude this server and tell Firewalla never to use it for testing
The "always use" / "never use" server lists can be managed in Internet Speed -> Server Selection.
8. WOL per Device (Not supported on Red and Blue)
Wake up your devices directly from the Firewalla App.
On a device's detail page, scroll down to the bottom, tap Status, and tap the button Wake Up; a Wake-on-LAN message will be sent from the Firewalla box to your device.
9. Unbound over VPN (Requires box version 1.975)
If you have a VPN connection configured on your Firewalla and you're using Unbound, you can now send DNS requests over VPN instead of your ISP to protect your privacy further.
To select a VPN connection for Unbound, go to DNS Service -> Unbound -> DNS over VPN, turn on DNS over VPN, select a VPN, and save.
10. Port Forwarding via specified WAN or VPN (Requires box version 1.975)
You can now specify a WAN or a VPN interface to do port forwarding. When setting up port forwarding, the interface will be set to all WAN interfaces by default. You can change this to any specific WAN or VPN client interface.
AnyConnect VPN is not supported as of box version 1.975.
11. Smart Queue - CAKE (Purple Only. Requires early access box)
When Smart Queue is turned on, Firewalla uses active queue management methods to help you reduce network congestion and improve end-to-end latency. With box release 1.975, in addition to FQ_Codel, we've added a queue type CAKE. To switch to CAKE, tap Smart Queue on the box's main screen, tap Queue Type, select CAKE and save.
- CAKE is only supported on Firewalla Purple for now, requiring the box to be in the early access version.
- CAKE is best used with low-speed internet.
- [Local Domain] Supported changing local domain suffix on Blue Plus.
- [Alarm] Supported muting Open Port alarms based on the port purpose.
- [Port Speed] Supported warnings when Ethernet port speed changes.
- [Rule] Supported displaying notes on the Rules list.
- [Help & Support] Supported adding images or files as attachments when submitting support tickets.
- [VPN Device] Supported grouping VPN devices with other devices. (Requires box version 1.975)
- [Rule Diagnostics] Supported diagnosing inbound blocked flows using device local ports.
- [Rule] Supported multiple ports separated by a comma when creating rules. (Requires box version 1.975)
- [Monitoring Mode] Changed the "Monitoring" button into "Mode".
- Fixed an app crashing issue when setting the Data Plan value if the app language is Italian. (Android Only)
[Blocking Rules and Flows] In box version 1.975, all DNS queries will be blocked when an "Internet block" rule is applied. This new breaking change may cause some unexpected issues, including the number of blocked flows being increased significantly, and allow rules on ports/regions not working.
How to fix: We've reverted the change. In a future app release, an option to block DNS will be provided in the app when blocking the internet.
[Alarms] Category-based alarms, including video, gaming, and porn activities, are reduced significantly.
How to fix: This issue was introduced in box version 1.975 and has already been fixed.
[DMZ] If DMZ is enabled, SSH from an external IP to the WAN interface will be redirected to the DMZ host; in DHCP mode, DNS queries sent to the WAN's UDP port 53 will be redirected to the DMZ host, which may cause a DNS outage.
How to fix: The issue was introduced in box version 1.975 and will be fixed in the next software update.
- [Speed Test] The speed test cannot run properly if any speed test server is specified. (iOS only)
How to fix: Upgrade the app to the early access version, set the server selection to "Automatic", save, then select a server and save again.
- [Migration & Restoration] During the initial setup, if you choose to "Restore from backup" or "Replace an old box", Device Groups may not be migrated successfully.
How to fix: After initial setup, go to Settings -> Advanced -> Migrate from Other Box, choose the box you want to migrate from, select Device Groups and migrate again. This issue will be fixed in the next Box release.
- [IPv6] In box version 1.975, there is a known issue that will cause request timeouts when querying IPv6 on local domains.
How to fix: This issue was introduced in box version 1.975 and has already been fixed.
- [AnyConnect + QoS] For Gold Plus boxes or Gold boxes with the Ubuntu 22 image installed, when trying to connect to AnyConnect VPN and enable QoS, all devices will lose internet connection.
How to fix: Reboot the box, or turn off QoS. This issue was introduced in box version 1.975 and has already been fixed.
- [Unbound over VPN] Our users have reported that the third-party VPN service Mullvad VPN is not compatible with Unbound, which will cause trouble resolving DNS requests.
- [Device with Link Aggregation] In box version 1.975, devices in the VLAN networks using LAG (Link aggregation) may appear to be in the wrong network.
How to fix: This is only a display issue. It will not affect the device's IP address, rules, or other settings. This issue will be fixed in the next Box release.