Firewalla's blocking features help you do critical things like protect your kids from offensive content or limit ads as much as possible. So, when they don't work as expected, it can be frustrating at the very least. If you're having problems getting Firewalla's blocks to actually block, read through this article for our troubleshooting tips.
Basic Self-Checklist
When things aren’t working as expected, you can save a lot of time by checking some of the basic configurations within the Firewalla app before diving into more advanced troubleshooting methods.
- Make sure DNS Booster is enabled.
- Make sure Emergency Access is disabled.
- Make sure Monitoring is turned on for both the device and on Firewalla (under More -> Mode).
- If you're trying to test a rule, make sure it's not paused.
- Make sure any rule you are testing is applied to the right device (match the MAC address of the device against the device shown in the rule).
- Check and make sure your device is not doing MAC randomization; this may cause you to apply rules to the wrong device.
- Make sure to refresh/clear your device cache (a quick way to do this is to switch into airplane mode and then switch back).
Validate Features
Next, double-check the feature that's not working (e.g. Ad Block, Family Protect, etc.) by following the instructions in our article on feature validation.
- If the feature passes the validation process, the issue may be outside of Firewalla. Check any other network hardware and confirm that the device is on Firewalla's network.
- If the feature doesn't pass the validation test, or if you're trying to troubleshoot a feature that's not covered in our feature validation article, continue reading.
Common Issues
Private Relay
If you're using Apple Private Relay (iOS or macOS), rules may not be applied to the device you intended and blocking won’t work. See: How Private Relay works & how to turn off Private address on Android.
VPN Connections
If you're using a VPN or web proxy, then from Firewalla's perspective all traffic is sent to the VPN server instead of its actual final destination, so individual flows are not visible to your Firewalla.
Device or Browser DoH
If you're using DoH outside of Firewalla, DNS queries will be encrypted and effectively hidden from Firewalla. Try turning DoH off. DoH is supported on many platforms and browsers, including macOS, Windows, Android, and Chrome.
Rule Priority
Rules have different priorities. Rules applied to devices/groups win over those applied to networks; network rules win over rules applied to all devices; Allow rules win over Block rules. Devices in groups are generally limited to the group’s rules. Read more about rules logic.
To find if another rule is allowing your device to access a destination, run rule diagnostics.
- Go to Rules
- Tap "..." in the top right corner of the screen
- Tap Diagnostics
- Enter a website and a device, then tap Diagnose
To avoid confusion about what rules are affecting your devices, it's always good to simplify rules when possible.
- Use Target Lists to merge your targets together.
- Put Devices in Groups when you are applying the same rules across two or more devices.
- Don’t apply the same rule more than once (e.g., don’t apply the same rule to Groups and Networks at the same time).
Additionally, note that Rule Diagnostics doesn't account for other features that block flows, such as Ad Block, Family Protect (3rd-Party Mode), and Safe Search.
Common Troubleshooting Requests
Internet Blocking Doesn’t Work
Firewalla can only block if it can capture your network traffic. If you have a rule that blocks all Internet access on a device and it's not working, it's likely that Firewalla just isn’t seeing traffic from that device or group. Check the device flows and see if you see any recent traffic.
Firewalla has different monitoring scopes depending on what mode you're using. Please make sure your device is within scope.
- Router Mode: Firewalla can control devices in its LAN/VLAN networks. If there's another upstream router doing NAT, any devices connected directly to the upstream router can't be monitored by Firewalla.
- Bridge Mode: Firewalla can control all devices physically behind it. Any devices connected directly to your main router can't be monitored by Firewalla.
- DHCP Mode: Devices must get their IPs from Firewalla to be controlled.
- Simple Mode: Firewalla can control all devices in the same network.
You should also check your device's local configurations.
- Make sure your device's IP is consistent with the network it is on.
- If you're using Firewalla in Router Mode and are using another router for Wi-Fi, make sure your Wi-Fi router is in Access Point or Bridge mode and not acting as a second router. If it's acting as a router, Firewalla won't be able to see your individual devices; only the Wi-Fi router itself. How to use your existing router in bridge/AP mode.
- Check if your device is using a private MAC address. Firewalla counts each MAC address as a different device, so it's possible that your rules just aren't getting applied to the right device. How to turn off MAC Address Randomization?
- If you're using Simple or DHCP mode, check your router compatibility. Router Compatibility
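The first and third checks above can be run against a device list. This is an added example, not Firewalla's own code: it flags devices whose IP falls outside the monitored network and devices whose MAC has the locally administered bit set, which is how OS-randomized "private" addresses are marked. The subnet, device names and addresses are constructed sample values.

```python
import ipaddress
import re

def normalize_mac(mac: str) -> str:
    """Accept aa:bb:.., AA-BB-.. or aabb.ccdd.eeff; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_private_mac(mac: str) -> bool:
    """True for a unicast address with the locally administered bit set
    (0x02 of the first octet). Randomized/private MACs carry this bit;
    vendor-assigned (burned-in) addresses do not."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02) and not (first_octet & 0x01)

def check_device(ip: str, mac: str, lan_cidr: str) -> list[str]:
    """Return the reasons a rule might not reach this device."""
    findings = []
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(lan_cidr, strict=False):
        # Device is addressed from some other network, e.g. a second router.
        findings.append("ip-outside-monitored-network")
    if is_private_mac(mac):
        # A new MAC shows up as a new device, so existing rules may not match.
        findings.append("private-mac")
    return findings

# Constructed sample inventory; LAN is an assumed Firewalla-managed subnet.
LAN = "192.168.210.0/24"
DEVICES = [
    ("kids-tablet", "192.168.210.37", "DA:A1:19:4F:22:0C"),
    ("office-pc", "192.168.210.12", "3C-22-FB-10-9A-77"),
    ("guest-phone", "192.168.1.54", "f6d4.8833.a0b1"),
]

def audit(devices=DEVICES, lan=LAN) -> dict[str, list[str]]:
    return {name: check_device(ip, mac, lan) for name, ip, mac in devices}

if __name__ == "__main__":
    for name, findings in audit().items():
        print(f"{name:12} {', '.join(findings) or 'ok'}")
```

A device flagged `private-mac` is not necessarily misconfigured, but it is the first place to look when a rule appears to be attached to a device that no longer generates flows.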
Region Blocking Doesn't Work
Firewalla's default Geo-IP/Region blocking capabilities are based only on what locations IP addresses are mapped to.
- If you want to block all sites with a country-specific domain suffix, you'll need to add a rule specifically blocking that region suffix (e.g. *.us, *.ca, *.uk, etc). Firewalla's region block is only based on the IP address associated with the domain, not the domain itself.
- Sometimes, Firewalla's IP mapping may be incorrect. If you notice that certain sites are getting through our region block, you can give us feedback by tapping on the flow, tapping on Region, then tapping Report Incorrect Region/Category.
DNS-Based Features and Rules Don’t Work
If Firewalla can't see DNS queries, DNS-based features and rules won’t work:
- Family Protect
- Ad Block
- Category block
- App block
- Rules that are set to "Domain-only" instead of "Default."
To test if Firewalla can see your DNS traffic, visit firewalla.com on your device. Check your flows to see if that flow shows up. How to read flows
Additionally, other DNS-filtering services (e.g. Pi-hole, NextDNS, OpenDNS Family, etc.) may filter things independently of Firewalla. You should always check to see what they're filtering for.
Ad Block Doesn’t Work
No ad block is perfect. Ad Block is never going to block 100% of ads. Firewalla supports two block modes – Strict Mode and Default Mode. Strict Mode blocks more ads but you may find some websites have trouble with aggressive ad blocking.
- To test Default Mode, check if you can see ads on this site: https://ads-blocker.com/testing/
- To test Strict Mode, try comparing the block rate before and after switching to Strict Mode using this site: https://d3ward.github.io/toolz/adblock.html
If neither works:
- Try blocking all Internet traffic on your device. If that doesn’t work, check why Internet block isn’t working.
- Try blocking doubleclick.com on one device and check if the blocked flows show up. If it doesn’t work, check why DNS-based rules aren’t working.
If you still cannot resolve the problem, please email help@firewalla.com.