Firewalla App version 1.52 is available on iOS / Android.
Some of the new features require box version 1.975 or above. This version is available to Firewalla Gold, Purple, Purple SE, and Blue Plus.
See Open Issues for a list of issues we are actively working on.
New Features
- Native Family Protect
- Auto-Configuration Wizard
- Top Blocked Flows by Region & Destination
- Custom DNS Entry Rules
- Preferred Route
- Box Restoration and Migration
- Tuning Speed Test Server
- WOL per Device
- Unbound Over VPN
- Port Forwarding via specified VPN or WAN
- Smart Queue - CAKE (Purple Only)
- Supported warnings when Ethernet port speed changes
- Supported displaying notes on the Rules list
- Supported changing local domain suffixes on Blue Plus
- Supported muting Open Port alarms based on the port purpose
- Help & support enhancements
- Supported grouping VPN devices with other devices
- Supported diagnosing inbound blocked flows using local ports
- Supported targeting multiple ports in one rule
- Changed the "Monitoring" button to "Mode"
1. Native Family Protect (Not supported on Red and Blue)
Native Family Protect Video Tutorial
Before app version 1.52, Family Protect relied on third-party DNS filtering services to block violent and pornographic online content. Because that filtering happens at an external DNS service, it cannot be combined with Unbound or DNS over HTTPS. This release adds a "Native" mode, which instead creates a set of blocking rules on the devices to which Family Protect is applied. It uses Firewalla's own blocking features, so you control what is blocked directly on the box and no DNS queries have to leave your network for filtering. The pre-configured options are:
- All Porn Sites
- All Gambling Sites
- All VPN sites
- DoH Services
- Apple Private Relay
To give your family extra protection, Family Protect will also help you turn on Active Protect and Ad Block strict mode. Both features remain configurable per device.
2. Auto-Configuration Wizard (Not supported on Red and Blue)
Auto-Configuration Wizard Video Tutorial
To help you make the best use of your Firewalla, we've introduced an auto-configuration wizard that customizes the box for you after asking a few questions. Trigger it by tapping Settings > Features > Customize Now. The wizard may turn features on or off, create essential rules, and so on; every change it makes can be adjusted in the app afterward. Read more in our article about using the Auto-Configuration Wizard.
3. Top Blocked Flows by Region & Destination (Requires box version 1.975)
Top Blocked Flows Video Tutorial
On the box main screen, or on the detail screen of any device, group, or network, tap the number of blocked flows and then tap Top Blocked. The app shows two lists:
- Top regions (inbound): connection attempts from outside to your network, most of which are blocked by Firewalla's Ingress Firewall. These flows are aggregated by source region, so you can see which regions account for the most attempts.
- Top destinations (outbound): the destinations your devices are trying to reach; most of these blocks come from the Ad Block feature or from the blocking rules you've created.
On the blocked flows page, the time range can be set to any specific hour or to the last 24 hours. Tap any region or destination to drill down into the individual flows. If you are wondering why a block was triggered, tap Diagnose; tap Allow to create an allow rule directly.
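As an added illustration (not Firewalla's own code or data), the following Python script aggregates a constructed set of blocked-flow records the way the Top Blocked view does: inbound blocks grouped by source region, outbound blocks grouped by destination, over either the last 24 hours or a single hour, with a drill-down that returns the individual flows (and the block reason Diagnose would show) behind one entry. The record schema, timestamps, regions, ports and domain names are all assumptions made for the example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

HOUR = timedelta(hours=1)
# Fixed "now" so the example is reproducible offline (constructed).
NOW = datetime(2023, 3, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample blocked-flow records (a hypothetical schema, not Firewalla's
# own log format). Inbound records carry the source region, outbound records the
# destination name; "reason" stands in for what Diagnose would report.
BLOCKED_FLOWS = [
    {"direction": "inbound", "src_region": "CN", "dport": 22,
     "ts": NOW - 1 * HOUR, "reason": "ingress firewall"},
    {"direction": "inbound", "src_region": "CN", "dport": 3389,
     "ts": NOW - 2 * HOUR, "reason": "ingress firewall"},
    {"direction": "inbound", "src_region": "RU", "dport": 22,
     "ts": NOW - 2 * HOUR, "reason": "ingress firewall"},
    {"direction": "inbound", "src_region": "CN", "dport": 445,
     "ts": NOW - 30 * HOUR, "reason": "ingress firewall"},   # outside 24h window
    {"direction": "outbound", "dst_domain": "ads.example.com", "dport": 443,
     "ts": NOW - 1 * HOUR, "reason": "ad block"},
    {"direction": "outbound", "dst_domain": "ads.example.com", "dport": 443,
     "ts": NOW - 2 * HOUR, "reason": "ad block"},
    {"direction": "outbound", "dst_domain": "tracker.example.net", "dport": 443,
     "ts": NOW - 1 * HOUR, "reason": "ad block"},
    {"direction": "outbound", "dst_domain": "gaming.example.org", "dport": 443,
     "ts": NOW - 26 * HOUR, "reason": "rule: block All Gaming Sites"},  # outside
]


def _key(flow):
    """The aggregation key: region for inbound, destination for outbound."""
    return flow["src_region"] if flow["direction"] == "inbound" else flow["dst_domain"]


def in_window(flows, start, end):
    """Flows with start <= ts < end (end exclusive, so hour buckets don't overlap)."""
    return [f for f in flows if start <= f["ts"] < end]


def top_blocked(flows, start, end, n=3):
    """Return (top inbound regions, top outbound destinations) as (key, count) lists."""
    regions, dests = Counter(), Counter()
    for f in in_window(flows, start, end):
        if f["direction"] == "inbound":
            regions[f["src_region"]] += 1
        else:
            dests[f["dst_domain"]] += 1
    return regions.most_common(n), dests.most_common(n)


def top_blocked_last_24h(flows, now=NOW, n=3):
    """The 'last 24 hours' view."""
    return top_blocked(flows, now - 24 * HOUR, now, n)


def top_blocked_hour(flows, hour_start, n=3):
    """The 'specific hour' view: a single one-hour bucket."""
    return top_blocked(flows, hour_start, hour_start + HOUR, n)


def drill_down(flows, start, end, key):
    """The flows behind one region or destination entry, with the reason each
    block would show under Diagnose."""
    return [f for f in in_window(flows, start, end) if _key(f) == key]


if __name__ == "__main__":
    regions, dests = top_blocked_last_24h(BLOCKED_FLOWS)
    print("top regions (inbound):", regions)
    print("top destinations (outbound):", dests)
    for f in drill_down(BLOCKED_FLOWS, NOW - 24 * HOUR, NOW, "CN"):
        print("CN ->", f["dport"], f["reason"])
```

The end-exclusive window is deliberate: a flow stamped exactly on the hour boundary belongs to the next bucket, so per-hour counts add up to the 24-hour total.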
4. Custom DNS Entry Rules (Requires box version 1.975)
Custom DNS Entry Rules Video Tutorial
You can now add DNS entries from the app. Previously we provided a "pro" guide for customizing DNS via the command line; in this release the feature is available in the app UI, where it is easier to manage.
On the box's main screen, tap DNS Service > Custom DNS Rules, tap Add Custom DNS Rule, enter the domain and the IP address it should resolve to, and save the rule.
5. Preferred Route (Requires box version 1.975)
Preferred Route Video Tutorial
When using a Route to send traffic to a WAN or a VPN interface, you can now select Route Preference. For each route, you'll be given two options:
- Static: if the selected interface is not available, the traffic will be dropped. This is the default setting.
- Preferred: if the selected interface is not available, allow traffic through an alternate route.
For example, suppose you have a dual-WAN setup and want all gaming traffic from your iPad to use "ISP 1", but to fall back to the other WAN connection if "ISP 1" is unavailable or disconnected. Create a route with the following settings:
- Matching: All Gaming Sites
- Device: iPad
- Interface: ISP 1
- Route Preference: Preferred
Please note that "Preferred" lets traffic fall back to a non-VPN path when the VPN is down. To "lock" traffic to a selected VPN, you also need to ensure that the VPN's Internet Kill Switch is enabled.
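The following Python model, added here for illustration and not Firewalla's implementation, shows how Static and Preferred routes differ when the selected interface goes down, and why the Kill Switch note matters: with a Preferred route to a VPN and no Kill Switch, traffic quietly falls back to a plain WAN. The interface names, the flow fields, the WAN failover order, first-match route selection and the kill switch taking precedence over the route preference are all assumptions of the model.

```python
from dataclasses import dataclass


@dataclass
class Route:
    match: str        # traffic category, e.g. "All Gaming Sites", or "*" for any
    device: str       # device name, or "*" for any
    interface: str    # a WAN ("ISP 1") or a VPN client interface ("VPN A")
    preference: str   # "static" (drop if interface is down) or "preferred" (fall back)


@dataclass
class LinkState:
    up: dict          # interface name -> bool (is the link usable right now?)
    vpn: set          # interfaces that are VPN clients
    kill_switch: set  # VPN interfaces whose Internet Kill Switch is enabled


def select_egress(flow, routes, state, wan_order):
    """Return the interface the flow leaves on, or None if it must be dropped.

    Simplified model (assumption): the first route whose device and match fit
    the flow wins; wan_order is the box's ordinary WAN failover order used for
    unrouted traffic and for the 'preferred' fallback.
    """
    def first_up(candidates, exclude=None):
        for iface in candidates:
            if iface != exclude and state.up.get(iface, False):
                return iface
        return None

    for r in routes:
        if r.device not in ("*", flow["device"]) or r.match not in ("*", flow["category"]):
            continue
        if state.up.get(r.interface, False):
            return r.interface                      # selected interface is healthy
        # Selected interface is down: decide between dropping and rerouting.
        if r.interface in state.vpn and r.interface in state.kill_switch:
            return None                             # kill switch: never leave the VPN
        if r.preference == "static":
            return None                             # static: drop rather than reroute
        return first_up(wan_order, exclude=r.interface)  # preferred: alternate route
    return first_up(wan_order)                      # no route matched: normal WAN pick


if __name__ == "__main__":
    gaming = {"device": "iPad", "category": "All Gaming Sites"}
    route = [Route("All Gaming Sites", "iPad", "ISP 1", "preferred")]
    isp1_down = LinkState({"ISP 1": False, "ISP 2": True, "VPN A": True}, {"VPN A"}, set())
    print("preferred, ISP 1 down ->", select_egress(gaming, route, isp1_down, ["ISP 1", "ISP 2"]))
    vpn_route = [Route("*", "iPad", "VPN A", "preferred")]
    vpn_down = LinkState({"ISP 1": True, "ISP 2": True, "VPN A": False}, {"VPN A"}, set())
    print("preferred VPN down, no kill switch ->", select_egress(gaming, vpn_route, vpn_down, ["ISP 1", "ISP 2"]))
```

The last print is the leak case the note warns about: the iPad's traffic leaves on "ISP 1" in the clear. Adding "VPN A" to the kill_switch set makes the same call return None.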
6. Box Restoration and Migration
Box Restoration and Migration Video Tutorial
Before box version 1.975, migrating your data and configuration from one box to another required a manual migration after the initial setup. This release adds full box restoration and migration: more data can now be migrated during the initial setup, including network configurations, routes, and more.
When installing a new box, the app automatically checks for backup configurations of the same box, or of boxes of the same model, and offers to Restore from backup, Replace an old box, or Set up as new, so initial setup and migration can be completed with a single tap.
With app version 1.52 and box version 1.975, the following data will not be restored or migrated:
- OpenVPN server configurations
- Paired phones (every other phone must be paired with the new box separately)
- DDNS (a new DDNS name is generated for the new box, and all VPN clients must update their profiles to use it)
- Data usage history
- MSP related configurations
7. Tuning Speed Test Server (Requires box version 1.975)
Tuning Speed Test Server Video Tutorial
Internet speed tests on Firewalla can be run manually or scheduled to run daily at an hour you select. A test automatically picks a server near you; with this release you can specify which servers to use or to avoid. In any test result, tap the server, then choose:
- Always use this server: To specify this server and always run tests on it
- Never use this server: To exclude this server and tell Firewalla never to use it for testing
The "always use"/ "never use" server lists can be managed in Internet Speed > Server Selection.
8. WOL per Device (Not supported on Red and Blue)
Wake up your devices directly from the Firewalla App.
On a device's detail page, scroll down to the bottom, tap Status, and tap the button Wake Up; a Wake-on-LAN message will be sent from the Firewalla box to your device.
9. Unbound over VPN (Requires box version 1.975)
Unbound over VPN Video Tutorial
If you have a VPN connection configured on your Firewalla and you use Unbound, you can now send Unbound's DNS queries over the VPN instead of out through your ISP connection, to further protect your privacy.
To select a VPN connection for Unbound, go to DNS Service > Unbound > DNS over VPN, turn on DNS over VPN, select a VPN, and save.
10. Port Forwarding via specified WAN or VPN (Requires box version 1.975)
Port Forwarding via Specified WAN or VPN Video Tutorial
You can now choose a WAN or VPN interface for port forwarding. When setting up a port forward, the interface defaults to all WAN interfaces; you can change it to a specific WAN or VPN client interface.
Currently only one port-forwarding entry is allowed per external port.
AnyConnect VPN is not supported as of box version 1.975.
11. Smart Queue - CAKE (Purple Only. Requires early access box)
When Smart Queue is turned on, Firewalla uses active queue management to reduce network congestion and improve end-to-end latency. Box release 1.975 adds the CAKE queue type alongside FQ_CoDel. To switch to CAKE, tap Smart Queue on the box's main screen, tap Queue Type, select CAKE, and save.
- CAKE is currently only supported on Firewalla Purple, and requires the box to be on the early access version.
- CAKE is best suited to lower-speed internet connections.
Enhancements
- [DNS] Supported using DNS over VPN with Ad Block and Safe Search. When a device is connected to a VPN via the VPN Client feature, you can enable Force DNS over VPN while still being protected by Firewalla's Ad Block and Safe Search.
- [Local Domain] Supported changing the local domain suffix on Blue Plus.
- [Alarm] Supported muting Open Port alarms based on the port purpose.
- [Port Speed] Supported warnings when Ethernet port speed changes.
- [Rule] Supported displaying notes on the Rules list.
- [Help & Support] Supported adding images or files as attachments when submitting support tickets.
- [VPN Device] Supported grouping VPN devices with other devices. (Requires box version 1.975)
- [Rule Diagnostics] Supported diagnosing inbound blocked flows using device local ports.
- [Rule] Supported multiple ports separated by a comma when creating rules. (Requires box version 1.975)
- [Monitoring Mode] Changed the "Monitoring" button into "Mode".
Bug Fixes
- Fixed an app crashing issue when setting the Data Plan value if the app language is Italian. (Android Only)
Open Issues
- [Blocking Rules and Flows] In box version 1.975, all DNS queries are blocked when an "Internet block" rule is applied. This breaking change can cause unexpected issues, including a sharp increase in the number of blocked flows and allow rules on ports or regions no longer working, since a device whose DNS queries are blocked cannot resolve the destinations it would otherwise be allowed to reach.
How to fix: We've reverted the change. A future app release will provide an option to block DNS as well when blocking the internet.
- [DMZ] If DMZ is enabled, SSH from an external IP to the WAN interface is redirected to the DMZ host; in DHCP mode, DNS queries sent to the WAN's UDP port 53 are also redirected to the DMZ host, which may cause a DNS outage.
Planned Fix: The issue was introduced in box version 1.975 and will be fixed in the next software update.
- [DNS and WireGuard VPN] In box version 1.975, for a Site to Site VPN connection, if the peer site (i.e. the client site) has more than 16 subnets, DNS-related features (including Ad Block, Family Protect, etc.) on the server site's WireGuard network will not work properly.
Planned Fix: The issue was introduced in box version 1.975 and will be fixed in the next software update.
- [Migration & Restoration] During the initial setup, if you choose "Restore from backup" or "Replace an old box", Device Groups may not be migrated successfully.
Planned Fix: After initial setup, go to Settings > Advanced > Migrate from Other Box, choose the box you want to migrate from, select Device Groups and migrate again. This issue will be fixed in the next Box release.
- [Speed Test] The speed test cannot run properly if a speed test server is specified. (iOS only)
Solution: Upgrade the app to the early access version, set the server selection to "Automatic", save, then select a server and save again.
- [Target Lists] Target list rules may not work if the target list has a very large number of IP entries (e.g. 10k entries).
Planned Fix: This issue is fixed in Purple SE 1.9751, Gold 1.9751 Beta, and Purple & Blue Plus 1.9751 Alpha, and will be deployed to other models in a few days.
- [Device with VLAN] In box version 1.975, devices in VLAN networks may appear to be in the wrong network. This is only a display issue; it does not affect the device's IP address, rules, or other settings.
Planned Fix: This issue is fixed in Purple SE 1.9751, Gold 1.9751 Beta, and Purple & Blue Plus 1.9751 Alpha, and will be deployed to other models in a few days.
- [Unbound over VPN] Our users have reported that the third-party VPN service Mullvad VPN is not compatible with Unbound, which causes DNS resolution failures.
- [UDP Traffic may not be blocked] UDP flows that begin before a rule takes effect may in some cases continue after the rule is in place. For example, a rule that blocks internet traffic after a certain time to stop a child from playing video games: if the child is already playing when the rule begins, the traffic may not be cut off properly.
Planned Fix: This issue will be fixed in the next release.
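To show why blocking DNS as part of an "Internet block" (the first open issue above) defeats domain and port allow rules, here is a small Python model of rule evaluation, added for illustration and not Firewalla's rule engine. It treats a connection as two flows, the DNS query and the connection to the resolved address; a name-based allow rule can only match the second, so if the first is blocked nothing is ever allowed and every retried lookup becomes another blocked flow. The rule types, the assumption that allow rules take precedence over block rules, the resolver address, the DNS answers and the block_dns switch (True for the 1.975 behaviour, False for the reverted one) are all constructed for the example.

```python
RESOLVER_IP = "203.0.113.53"                 # constructed upstream resolver address
DNS_TABLE = {                                # constructed DNS answers
    "allowed.example.com": "198.51.100.10",
    "other.example.com": "198.51.100.20",
}

# Constructed rule set: block the internet, but allow one domain and port 443.
RULES = [
    {"action": "block", "type": "internet"},
    {"action": "allow", "type": "domain", "value": "allowed.example.com"},
    {"action": "allow", "type": "port", "value": 443},
]


def matches(rule, flow, block_dns):
    """Does one rule apply to one flow? Rule types are a simplified model
    (assumption): 'internet' = any destination outside the LAN, 'domain', 'port'."""
    kind = rule["type"]
    if kind == "internet":
        if flow["dst_local"]:
            return False
        # With block_dns=False (reverted behaviour) the Internet block leaves
        # DNS queries alone; with True it swallows them too.
        return block_dns or flow["dport"] != 53
    if kind == "domain":
        # A name-based rule can only match a flow that is associated with a
        # resolved name; the DNS query itself carries none.
        return flow.get("domain") == rule["value"]
    if kind == "port":
        return flow["dport"] == rule["value"]
    raise ValueError(f"unknown rule type {kind}")


def verdict(rules, flow, block_dns):
    """Allow rules are checked before block rules (assumed precedence);
    the default when nothing matches is allow."""
    for action in ("allow", "block"):
        for r in rules:
            if r["action"] == action and matches(r, flow, block_dns):
                return action
    return "allow"


def connect(hostname, dport, rules, block_dns):
    """Two-phase model of a client connection: resolve the name, then connect.
    Returns (verdict, phase) so the caller can see where it failed."""
    query = {"dst_ip": RESOLVER_IP, "dport": 53, "dst_local": False}
    if verdict(rules, query, block_dns) == "block":
        return ("block", "dns query")
    ip = DNS_TABLE.get(hostname)
    if ip is None:
        return ("fail", "nxdomain")
    conn = {"dst_ip": ip, "dport": dport, "dst_local": False, "domain": hostname}
    return (verdict(rules, conn, block_dns), "connection")


if __name__ == "__main__":
    for block_dns in (True, False):
        print(f"block_dns={block_dns}:")
        for host, port in (("allowed.example.com", 80), ("other.example.com", 443),
                           ("other.example.com", 80)):
            print(f"  {host}:{port} ->", connect(host, port, RULES, block_dns))
```

With block_dns=True both the domain allow rule and the port 443 allow rule are dead: the device never gets past the DNS query, which is exactly the "allow rules on ports/regions not working" symptom, and each failed query is counted as a blocked flow.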
Resolved Issues
Fixes for these issues have already been rolled out as specified.
- [Native Family Mode + DoH block + 1.52 iOS] If you see more iCloud blocks when using the DoH block under native family mode, turn off the DoH block under family mode. (You can then turn the DoH block back on via Rules > Add Rule > Block, using the DoH target list instead.)
Fixed: This issue was fixed in app 1.53. (Update to 1.53, then turn the DoH block under family mode off and on again.)
- [AnyConnect + QoS] For Gold series boxes with the Ubuntu 22 image installed, connecting to an AnyConnect VPN with QoS enabled causes all devices to lose internet connectivity.
Fixed: Reboot the box, or turn off QoS. This issue was introduced in box version 1.975 and has already been fixed.
- [Loading Data] In box software version 1.975, loading data in the Firewalla App (pulling down on the main screen or other pages) may be noticeably slower under some circumstances.
Fixed: This issue was fixed in the latest 1.975 boxes.
- [IPv6] In box version 1.975, a known issue causes request timeouts when querying IPv6 records on local domains.
Fixed: This issue was introduced in box version 1.975 and has already been fixed.
- [Alarms] Category-based alarms, including video, gaming, and porn activities, were reduced significantly.
Fixed: This issue was introduced in box version 1.975 and has already been fixed.
- [PayPal/DNS Service] In 1.975, DNS queries for a subdomain of the local domain are silently dropped, instead of receiving an empty response, if the subdomain does not match a local device's hostname. This may break services such as an AD controller and can also block 2FA in the PayPal app. See this article for details: https://help.firewalla.com/hc/en-us/articles/13993215493011
Fixed: This issue was introduced in box version 1.975 and has already been fixed in version 1.9751.
- [Region Block] If more than 100 regions are blocked or allowed simultaneously, the system may become unstable.
Fixed: This issue was introduced in box version 1.975 and has already been fixed in version 1.9751.
Please remember that Firewalla has an ingress firewall enabled by default, so most of the time you will NOT need to add countries to the blocking list.
- [Ad Block] Ad Block strict mode may not work if Active Protect is turned off.
Fixed: This issue was introduced in box version 1.975 and has already been fixed in version 1.9751.
- [DNS Service on WireGuard DNS] DNS configurations on WireGuard site-to-site VPN peers may not work.
Fixed: This issue was introduced in box version 1.975 and has already been fixed in version 1.9751.
Comments
25 comments
Firewalla Gold Early Access
Is anyone else in early access having issues with hundreds of thousands, if not millions, of blocked flows? I went from beta, which was working normally, to the early access, and keep getting hundreds of thousands of flows and nearly as many blocked flows. No rule changes at all, and almost all of them report they are blocked by DNS.
This is after flashing the Firewalla Gold, starting fresh, and setting up all previous rules as I had them before.
You may tap the "Blocked" in the box main screen and then tap "Top Blocked", it should be able to tell you more details.
Some IoT devices may generate lots of requests if they are quarantined.
Love that you guys are putting more backup and restore features in. But is there a way to tell it to refresh the backup? I mean if it just pulls the last box's initial setup then it won't restore very much. If that's not the case, at what interval does the backup image get updated with configuration changes?
I would think it would be better to have the option to "Snapshot" a configuration for a specific box model. then either be able to restore that "Snapshot" to the original box because of a bad configuration, or a new box so you have less needed configuration. I'll post this in my original Feature Request at the following link as that is probably a better place for the full discussion.
https://help.firewalla.com/hc/en-us/community/posts/5057442750739-Create-Snapshot-for-Backup-or-Restore
Really appreciate the Custom DNS Entry Rules!
Not sure if I am doing something wrong, but I don't have the WOL option when I look at the status of an individual device. I changed from beta to early access to get box version 1.975 and be able to test WOL. I am on app version 1.52 (40). Any pointers on what to do?
@Roberto, WoL is supported on the latest early access App. Can you go to your TestFlight, upgrade the Firewalla app to version 1.52(80) and try again?
I can’t seem to find the upgrade option in the test flight app. Can you provide instructions to do so. Thanks
Got it. I was able to upgrade in my iphone. I was not able to upgrade in my ipad..
I'm having similar problems as Nathan Thee. Most of my IoT devices are not working, Google Speakers just complain that they cannot reach the internet.
I'm pushing over 4 million flows for the past 24 hours, 92% blocked.
I opened a Support Ticket.
Chris Thomas, I tried it again earlier this week with the same result. I even went through and started fresh. Didn’t migrate anything at all and still the same result.
@Nathan,
Appears to be affecting my networks which block egress by default. Disabling the "Block Traffic to Internet" on my networks seems to resolve the issue. It appears that the DNS queries are now being blocked, whereas before, they were not. Adding a specific rule to permit all traffic to remote port 53 does not seem to resolve the issue.
Box 1.975 update has completely broken my locked-down networks because the "Block Traffic to Internet" rule is now blocking the response for DNS queries which do not specifically match a firewall allow policy.....
Example
I have a firewall policy that permits traffic to vmware.com
With "Block Traffic to Internet" policy enabled, I can resolve vmware.com, but not download.vmware.com ...
This means every firewall policy I've written around top level domains (microsoft.com, windowsupdate.com, vmware.com, roku.com, homeseer.com, etc etc etc) is now completely non-functional because my devices cannot resolve the sub-domains.
I also cannot resolve the Firewalla hostnames of other devices on my network, i.e., NVR software cannot connect to my cameras because it cannot resolve their hostname (backyard-wyzecam.fwg).
Please completely revert this behavior, this is no good.
Is this behavior change documented in the release notes? I cannot find it.
@chris, let me create a ticket for you and we can take a look at your system.
@chris, our developer suggests you double-check and make sure the allow rules are on the same level as the blocks. If you block something at the network level, the allow rules should be on the same network. If the block is on the device, the allow should be on the device as well.
@Firewalla, I am experiencing the EXACT same thing as @Chris. To the T. I sent in a question about this a month ago and never heard anything back other than what you've already said above. The fact that I can go from a completely functional FWG to non-functional, simply by installing the beta or early release, doesn't seem to make sense.
If the rules are not working because of a software change, I think that should have been noted when released. Please help, because I fear when pushed to the stable release, there won't be anything I can do.
@Firewalla,
It was working fine until 5am when the Firewalla Gold applied this update and rebooted.
I have a ticket open, your team has remote access to my firewalla if they need to verify how my policies are arranged. We can turn back on all of the "Block Traffic to Internet" policies that I paused and watch the blocked sessions climb into the millions in a couple of hours.
@Firewalla, I turned on all the "Block Traffic to Internet" rules as well. In the past two hours I have 1.2 million flows and 1.1 million blocked flows.
When will 1.975 be released?
Again we need a way to trigger a “backup” or “snapshot” of the current config. Something that we can save to a file and later import to the existing box or a new box to replicate the state of the box when the backup took place.
Looking forward to seeing Preferred route... My backup WAN is a LTE Hotspot and I'd like to be able to block video streaming while I'm failed over to it, lest someone stomps on it while I'm working remotely.
Is there an ETA for when 1.975 will be released? Looking forward to the custom DNS additions :)
I got mine today.
Is there an ETA for 1.975 on Purple?
@Brian,
It was just released last night; the update to your box may have already happened or will happen in less than 12 hours.