This guide will walk through the basic Firewalla AP7 troubleshooting. If this guide does not help, please don't hesitate to email us at help@firewalla.com or use this link to create a support case, and our engineers will help you directly. 

If you are experiencing slow Wi-Fi or connectivity issues, or you're looking for general Wi-Fi tips without the Firewalla AP7, see our guide: Optimizing Your Wi-Fi

• Installation Issues
  • Access Point not Found or Unreachable
  • Firewalla Box Unreachable
  • Access Point not Updated
• Networking Issues
  • Not able to connect devices
  • Network is slow
  • Network is not stable
• Local Network Access Issues
• Using Access Point
  • Can't create Wi-Fi on certain networks
  • Can't move AP7 to a different Firewalla port
• Reset Access Point to Factory Default
  • Reset from the App
  • Reset via the Reset Button
• General Wi-Fi Troubleshooting Tips
  • Update Access Point Software
  • Switch Configuration & VLAN Checks
  • AP7 Placement & Signal Strength
  • Device Testing & Speed Verification
  • Band-Specific Troubleshooting
  • Band Steering for IoT Devices
  • Optimize AP Connectivity
  • AP Orientation Test

Installation Issues

• To install your Firewalla AP7, please consult our Firewalla Access Point 7 Installation Guide.

• During your first install, the Firewalla unit always updates to the latest and greatest. Due to this, your initial installation time can be 5-8 minutes per unit (maybe a little bit more, depending on the speed at which the image is downloaded to your device).
  • Blocking the Firewalla AP7 from accessing the internet may cause issues, as it may need to upgrade to the latest software version to be fully functional.
  • The Firewalla AP7 uses the NTP service to check for software updates. Please make sure NTP is working properly on your network.
• When Mesh satellites come up, it may take a few minutes for them to adjust to optimal channels. Please be patient and wait for the status light to be blue.
• If the Wi-Fi button doesn't show up in the app, check your Firewalla's settings (top right corner) > Features > Mode. Your Firewalla should be in Router or Bridge Mode.
• If you are experiencing random reboots with the Firewalla AP7 Ceiling, please check and make sure the PoE injector or switch supports IEEE 802.3at or IEEE 802.3bt, NOT IEEE 802.3af. 

1. Access Point not Found or Unreachable

• Check Connection
  • Make sure that the power cable is correctly connected on both ends.
  • If you're setting up the first or only Firewalla Access Point, connect it to the LAN port of the Firewalla box via an Ethernet cable.
    • LAN port means you have a Local Network created on that Ethernet port with no VLAN ID.
  • If the status light is blinking blue, wait for several minutes and try again.
  • Power cycle the Access Point and try again.
  • Ensure the Access Point is near the phone you are using for installation, and that Bluetooth is ON. Firewalla uses Bluetooth to discover the device.
  • Access Point uses native LAN (not VLAN) as the management network, ensure the native LAN is functional before setting up Access Points.
    • If there is a managed switch between AP and Box, ensure the native LAN is functional on the managed switch as well as Box.
    • Learn more about setting up the Firewalla AP7 with managed switches and VLANs here.
• Check Power Source: For the Firewalla AP7 Ceiling, make sure the PoE injector or switch supports IEEE 802.3at or IEEE 802.3bt, NOT IEEE 802.3af. If using a power adapter, make sure it's 12V 2.5A.
• Check DHCP: If you use a separate DHCP server on the native LAN (not VLAN), temporarily turn it off and enable Firewalla's DHCP server.
• Check DNS: If you are using a filtering DNS on the Firewalla WAN side, please change it to something well-known, like 1.1.1.1 or 8.8.8.8, or the one from your ISP.
• Reset the Access Point: If the Access Point has been set up before, please make sure it is fully reset before setting it up again as new. Follow the steps here to reset your Access Point.
• Existing Wi-Fi Detected: Check if you have a Firewalla Wi-Fi SD created as a LAN. If so, you must remove it from your LAN before adopting your AP7. 

• Issues Pairing Additional Access Points
  • Wireless Backhaul
    • Try placing the additional Access Point close to a previously paired unit during setup.
    • Once the additional Access Point is successfully paired, you may move the additional Access Point to a different location.
  • Ethernet Backhaul
    • Double-check your LAN configurations or connect the Access Point to a different port on your Firewalla box.
    • The existing Access Points must be connected to a LAN port of the Firewalla Box.
    • The additional units must be connected to the same LAN ports as the existing Access Points.
      • For example, if your first Access Point is connected to Port 1 of your Firewalla box and your LAN is configured to use both Ports 1 and 2, the additional Access Point should also be connected to either Port 1 or Port 2, or a port on the back of a paired Access Point.
    • Try connecting the additional Access Points via wireless backhaul or by wiring them to the back of a paired Access Point first. This can help ensure that your unit’s hardware is working properly.

• Check the LED Status on the front of the Access Point for the current status: 

2. Firewalla Box Unreachable

• Check your box's connection: Make sure your Firewalla box is connected to the Internet.
• Check your phone's connection: Make sure your phone is connected to the Internet.
  If your phone is connected to your previous AP and it's no longer connected to the Firewalla Box, try switching to cellular data or connecting to another Wi-Fi network that has internet access.
• If connecting to a switch, check your Firewalla AP's connection: Make sure your Firewalla AP is connected to the switch, and you can see the switch's link light is on.
   

3. Access Point not Updated

• Check if NTP traffic or Firewalla cloud service is blocked on all devices. See Domains used by Firewalla
   

Networking Issues

1. Not able to connect devices

Try using a 2.4 GHz-only SSID

• Temporarily disable 5 GHz or 6 GHz for your SSID during the setup. 
  • When setting up some legacy 2.4 GHz-only IoT devices, your phone may need to use the same band as the IoT device. 
  • This ensures the phone can send the correct SSID information (e.g., BSSID) to the IoT device. 
  • If the SSID supports multiple bands and the phone is connected to 5 GHz, the IoT device may fail to connect. 

Try using a WPA2-only SSID

• Change the current SSID to WPA2 security or create a separate SSID with WPA2 for your IoT devices. 
  • Some legacy IoT devices may not be able to connect to a WPA2/WPA3 mixed SSID and can only connect to a WPA2-only SSID.

Try disabling DFS for the 5 GHz Band

• Check if you are using a DFS (Dynamic Frequency Selection) channel for your 5 GHz band. 
  • DFS Channels: 52, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 144
  • Non-DFS Channels: 36, 40, 44, 48, 149, 153, 157, 161, 165
• Try to disable all DFS Channels in the Wi-Fi Settings if your devices have trouble connecting to the 5 GHz band. Some devices may not support 5 GHz DFS channels. 

6 GHz only SSID Issue

• Some devices may not be able to connect 6 GHz-only SSID. A workaround is to enable the 2.4 GHz or 5 GHz band as well as the 6 GHz when creating the SSID. 6 GHz information will be included in the beacon of 2.4 GHz / 5 GHz.

2. Network is slow

• Please use the Firewalla "Wi-Fi Test" button via the app to do testing. 
  • A normal speed test runs through the WAN side and does not provide a realistic result. Learn more about speed tests and speed optimizations here. 
  • If latency is not stable on 6 GHz (has a small spike periodically), try the Download/Upload Wi-Fi Tests. If the test is normal, then likely the latency was due to the device having enabled the battery saving feature on 6 GHz.
• Please turn on flow control on the switch between the AP7 and your Firewalla. 
  • Without it, your speed tests may be slow (this is NOT an AP7 issue; it is a networking issue).
• Please use the 6 GHz band if you are looking to get higher speeds (like 3Gbps).
  • Some devices (like OnePlus) may get stuck on a 2.4 GHz channel, which can slow the speed.
• Some Wi-Fi 7 clients (like iPhone 16) may support only 160 Mhz in the 6 GHz band, limiting their maximum speed to around 1.6 Gbps.
• Try forgetting the Wi-Fi network in your device's settings, then reconnect.

3. Network is not stable

• Please check the Ethernet cable used between your Firewalla and the Firewalla AP7. 
  • The maximum length for a (good) CAT6 to support 10 Gbps is around 122 feet. 
  • If you are using older cables, please check their type, as using the wrong cable can lead to:
    • Ethernet negotiating at a slower speed
    • Network flapping (Ethernet interface repeatedly going up and down)
• Check if the Firewalla AP7 LED is blinking red, which means it lost connection to the controller. 
  • When it happens, check the Ethernet cable. 
  • If a networking switch is used between the Firewalla Router and AP7, try to swap to a different Ethernet port or directly connect AP7 to the Firewalla Router.
• For AP7 Ceiling: make sure the PoE injector or switch supports IEEE 802.3at or IEEE 802.3bt, NOT IEEE 802.3af. 
  • An incompatible or bad PoE injector/switch could potentially cause AP reboots or packet loss. 

Local Network Access Issues

• If you can't access devices on your local network from another device on the same network, check whether the rule "Block Traffic from & to all Local Networks" is applied to that network.
  • With the addition of the Firewalla AP7, this rule will now also block all local traffic within the same network.
  • To allow devices on the same local network to communicate with each other, create a rule that allows traffic to that network.
  • For example, if you'd like devices in your Guest VLAN to communicate with each other while still blocking all other local networks, create a rule to "Allow Traffic to Guest VLAN."

• Check if there are any blocking rules on local networks, or check if any VqLAN or Device Isolation is enabled on device/group/user. Try to disable them and check if the issue is gone. 
• For Siri HomeKit integration to work, the HomeKit hub (e.g., Apple TV) must be allowed to access the IoT devices to be able to control them. If these IoT devices are in a VqLAN-enabled group, add the HomeKit hub to the Allowed Devices for that group.

Using Access Point

1. Can't create Wi-Fi on certain networks

• When creating Wi-Fi, the app will ask you to pick a network. Please note that Firewalla Wi-Fi can only be created on networks using the same ports as the LAN the AP7 is wired to. 
• For example, if you have three networks—LAN 1 on Port 1, and LAN 2 and LAN 3 on both Port 2 and Port 3—with the AP7 wired to Port 2 via Ethernet, then Wi-Fi can only be created on LAN 2 and LAN 3, not LAN 1.
• If you want to create Wi-Fi on LAN 1, try editing your network to make LAN 1 use Port 2 and Port 3 as well, with a VLAN ID.

2. Can't move AP7 to a different Firewalla port

If you want to use a different Firewalla port for your AP7 connection, follow the steps below. For example, if your AP7 is currently using Port 1, but you want to move it to Port 2:

1. In your Network Manager, check which LAN interface your Wi-Fi SSIDs are attached to.
2. If Port 2 is already selected for the LAN interface, simply plug the AP7 into Port 2. No additional steps are needed.
3. If Port 2 is not selected for the LAN interface -> Add Port 2 to the LAN interface -> Plug the AP7 into Port 2.

Note:

• After swapping, if you want to remove Port 1 from the LAN interface, the App may pop up a warning and not allow you to remove Port 1. The safe approach is unplugging the AP7 -> wait for the AP7 to show as "offline" on the App -> remove Port 1 from the LAN interface.
• Multiple LANs cannot select the same Ethernet Ports. To add Port 2 to your LAN interface, Port 2 should not be selected for any other LANs on your box. 

Reset Access Point to Factory Default

1. Reset from the App

1. Make sure the Access Point is powered on and connected to the Firewalla Box.
2. Open the Firewalla app, go to the box's main screen, and tap the Wi-Fi button -> Access Points.
3. Tap the Access Point you want to reset.
4. Scroll down to the bottom and tap Delete This Access Point.
5. The Access Point will be deleted from the box and reset to factory default.

Note: If the Access Point is not connected to the Box, deleting it from the app won't reset it to factory default. You'll need to manually reset the Access Point following the steps below: 

2. Reset via the Reset Button
 

1. Make sure the Access Point is powered on.
2. At the bottom of the Access Point, use a pin to press the reset button for at least 10 seconds (or wait until you see the LED start to blink red).
3. Wait for the reset to complete. It will reboot automatically and become ready for pairing.

4. Check light status during reset:

   Light	Status
   Blinking Blue	Reset Button Pressed
   Blinking Red	Resetting
   Lights Off (5s)	Reset Complete
   Solid Red	Booting up
   Blinking Blue	System Booting up
   Solid Blue	Normal
   Blinking White	Ready for Pairing

5.  After resetting using the reset button, delete the Access Point from the app: 
   1. Box's main screen -> Wi-Fi -> Access Points.
   2. Tap the Access Point that you manually reset.
   3. Scroll down and tap Delete This Access Point.

General Wi-Fi Troubleshooting Tips

If the above suggestions didn't help, here are some general Wi-Fi troubleshooting tips you can try.

If you don't have the Firewalla AP7, or you know the specific issue you're having, see if our Optimizing Your Wi-Fi guide can help.

1. Update Access Point Software
2. Verify Cabling & Speed Negotiation
3. Switch Configuration & VLAN Checks
4. AP7 Placement & Signal Strength
5. Device Testing & Speed Verification
6. Band-Specific Troubleshooting
7. SSID Isolation per Band
8. 6 GHz Limitations
9. Reconnect to Wi-Fi Network
10. Adjust Transmission Power
11. IoT Device Connectivity
12. Band Steering for IoT Devices
13. Optimize AP Connectivity
14. Local Network & VLAN Configuration
15. AP Orientation Test

1. Update Access Point Software

Check if the AP7 software is up-to-date.

Open the Firewalla App. From your box’s main screen, tap the “Wi-Fi” icon -> Access Points -> Select an AP7 -> Tap Version -> Check for Updates

Verify if the Access Point is up to date. If not, update it to the latest version.

2. Verify Cabling & Speed Negotiation

Check the cabling between the AP7 and the Firewalla box or between the switch and the devices.

In case the AP7 is connected to a switch, connect the AP7 directly to a Firewalla port and check the speeds.
Open the Firewalla App. From your box’s main screen, tap the 'Wi-Fi' icon, select the 'Access Point' tab, and choose the Access Point. Scroll down to find the Port Speed of the Access Point under 'Port Speed.’

If you're experiencing issues with Ethernet speed negotiation or the link status fluctuating, try swapping the cables.

To ensure reliable 10GBASE-T performance, try using a different Cat6 or higher cable, with Cat6a being the preferred option for extended distances.

3. Switch Configuration & VLAN Checks

If a switch is used between Firewalla Box and the AP7, verify that the ports on the switch are configured properly.

*[Mandatory]: The AP7 uses native LAN (not VLAN) as the management network. Ensure that the native LAN is functional before setting up your AP7s.

If there is a managed switch between the AP7 and Firewalla Box, ensure that the native LAN is functional on the managed switch as well as the Firewalla Box (in other words, both ports of the switch must be allowed to pass untagged VLAN traffic).

4. AP7 Placement & Signal Strength

Ensure the AP7 is located in an open area, and that the placement of the Satellite AP7 (wireless backhaul) is closer to the Root AP7 (already paired unit).

From your box’s main screen, tap the “Wi-Fi” icon -> Access Points -> Check the RSSI on the Satellite-AP to see at which level it is detecting the Root-AP or its Uplink-AP. (Ideally, it should be in the range of -55 dBm to -65 dBm).

5. Device Testing & Speed Verification

Use the 'Wi-Fi Test' on the device that is experiencing issues or another similar phone to determine if the problem is specific to a particular device or a general issue. On laptops, test the speed using the URL: http://fire.walla:8833/ss/ 

Test the Wi-Fi speed by placing the devices close to the AP7 (3 to 5 feet) and measuring the download/upload speeds. Check if the RSSI is better when closer to the AP7.

6. Band-Specific Troubleshooting

Identify the band on which the speed issue is observed: 2.4 GHz, 5 GHz, or 6 GHz.

If the issue occurs on the 2.4 GHz band, try changing the channels to 1, 6, or 11. 

For the 5 GHz band, try using non-DFS channels, such as 36 or 149. To disable 5 GHz DFS channels, from your box’s main screen, tap the “Wi-Fi” icon -> Wi-Fi settings (top right corner) -> Disable “5GHz DFS Channels.”

7. SSID Isolation per Band

Create a separate SSID and assign it to a single band (2.4 GHz, 5 GHz, or 6 GHz) to isolate band-specific issues. For more information about selecting specific frequency bands on your SSID, see here.

8. 6 GHz Limitations

Currently, 6 GHz bandwidth cannot be changed. Future app updates may include an option to modify 6 GHz bandwidth.

If you experience Wi-Fi connection drop on Pixel phones, please turn off adaptive connectivity.
To disable adaptive connectivity on your Pixel 9, open the phone's Settings app, tap "Network & Internet", then toggle off "Adaptive connectivity."

9. Reconnect to Wi-Fi Network

In case Wi-Fi speeds are low and you are not able to connect to the Internet, forget the Wi-Fi network and reconnect. If possible, try the same scenario with different phones/laptops.

To forget a Wi-Fi network and reconnect, navigate to your device's Wi-Fi settings, select "Manage known networks" (or similar), choose the network, and then select "Forget." Then, reconnect by selecting the network and entering the password.

Then, toggle the Wi-Fi button and verify if the network connectivity is better (improved speeds and Internet).

10. Adjust Transmission Power

By default, Tx power on all bands is set to the maximum value. Try lowering the Tx power if devices are connecting to AP7s that are far away, or use the Optimize Wi-Fi experience button on the device page.

11. IoT Device Connectivity

If your device (usually IoT) is unable to connect to the Wi-Fi, try creating a separate SSID with the 2.4 GHz band enabled and changing the Wi-Fi security type to WPA/WPA2 Personal.

12. Band Steering for IoT Devices

Disable “Band Steering” in case IoT devices are having connectivity issues.

From your box’s main screen, tap the “Wi-Fi” icon -> Wi-Fi settings (top right corner) -> Toggle off “Band Steering.”

For more information about advanced Wi-Fi settings, see here.

13. Optimize AP Connectivity

“Optimize Wi-Fi Experience” can be used in case clients are connecting to far-off AP7s.

From the box’s main screen, tap the “Wi-Fi” icon -> Wi-Fi settings (top right corner) -> tap “Optimize Wi-Fi Experience.”

For more information about advanced Wi-Fi settings, see here.

14. Local Network & VLAN Configuration

If you have issues accessing devices in your Local Network, check if there are any blocking rules or if VqLAN or Device Isolation are enabled on the device/group/user. Try to disable them and check if the issue persists.

For Apple HomeKit integration to work, the HomeKit hub (e.g., Apple TV) must be allowed to access the IoT devices to be able to control them. If these IoT devices are in a VqLAN-enabled group, add the HomeKit hub to the Allowed Devices for that group. For more information about Allowed Devices, see here. 

15. AP Orientation Test

Change the orientation of the AP7 clockwise to check if the RSSI or throughput improves when facing the client devices.