This guide will walk through the basic Firewalla AP7 troubleshooting. If this guide does not help, please don't hesitate to email us at help@firewalla.com or use this link to create a support case, and our engineers will help you directly.
- If you are experiencing slow Wi-Fi or connectivity issues, see our Wi-Fi Troubleshooting Guide.
- If you are with the beta program, please see this list of all the known problems: https://help.firewalla.com/hc/en-us/community/posts/36637938357779-AP7-Beta-Known-Issues
- If you are experiencing random reboots with the Firewalla AP7 Ceiling, please check and make sure the PoE injector or switch supports IEEE 802.3at or IEEE 802.3bt, NOT IEEE 802.3af.
- Installation Issues
- Networking Issues
- Local Network Access Issues
- Using Access Point
- Reset Access Point to Factory Default
Installation Issues
- To install your Firewalla AP7, please consult our Firewalla Access Point 7 Installation Guide.
- During your first install, the Firewalla unit always updates to the latest and greatest. Due to this, your initial installation time can be 5-8 minutes per unit (maybe a little bit more, depending on the speed at which the image is downloaded to your device).
- Blocking the Firewalla AP7 from accessing the internet may cause issues, as it may need to upgrade to the latest software version to be fully functional.
- The Firewalla AP7 uses the NTP service to check for software updates. Please make sure NTP is working properly on your network.
- When Mesh satellites come up, it may take a few minutes for them to adjust to optimal channels. Please be patient and wait for the status light to be blue.
- Make sure the Firewalla box is in Router Mode.
- If the WiFi button doesn't show up in the app, check if the box is running in Router Mode: Box Main screen -> top-right settings -> Features -> Mode.
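An added example (not Firewalla's own code) for the NTP item above: a minimal SNTP probe to run from a computer on the same LAN to confirm that NTP (UDP port 123) gets through your network and filtering rules. The server name `pool.ntp.org` is an assumption, since this guide does not say which NTP server the AP7 queries.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01

def build_request(now=None):
    """Return (packet, transmit_timestamp_bytes) for an SNTP v4 client query."""
    now = time.time() if now is None else now
    secs = int(now) + NTP_EPOCH_OFFSET
    frac = int((now % 1) * 2**32)
    tx = struct.pack("!II", secs & 0xFFFFFFFF, frac)
    # LI=0, VN=4, Mode=3 (client) -> 0x23; bytes 1..39 stay zero
    return bytes([0x23]) + bytes(39) + tx, tx

def parse_response(data, sent_tx):
    """Validate a server reply and return its details, or raise ValueError."""
    if len(data) < 48:
        raise ValueError("short packet")
    mode = data[0] & 0x07
    stratum = data[1]
    if mode != 4:
        raise ValueError(f"unexpected mode {mode}")
    # The server must echo our transmit timestamp; a mismatch means a stale or spoofed reply.
    if data[24:32] != sent_tx:
        raise ValueError("originate timestamp does not echo our request")
    if stratum == 0:
        code = data[12:16].decode("ascii", "replace")
        raise ValueError(f"kiss-of-death: {code}")
    secs, frac = struct.unpack("!II", data[40:48])
    return {"stratum": stratum, "unix_time": secs - NTP_EPOCH_OFFSET + frac / 2**32}

def check_ntp(server="pool.ntp.org", timeout=3.0):
    """Query one server over UDP/123 (server name is an assumption)."""
    packet, tx = build_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 123))
        data, _ = s.recvfrom(512)
    return parse_response(data, tx)

if __name__ == "__main__":
    try:
        r = check_ntp()
        print(f"NTP OK: stratum {r['stratum']}, clock offset {r['unix_time'] - time.time():+.3f}s")
    except (OSError, ValueError) as e:
        print(f"NTP check failed: {e}")
```

A timeout here usually means UDP 123 is being dropped somewhere between the LAN and the internet.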
1. Access Point not Found or Unreachable
Check Connection
- Make sure that the power cable is correctly connected on both ends.
- For the Firewalla AP7 Ceiling, please check and make sure the PoE injector or switch supports IEEE 802.3at or IEEE 802.3bt, NOT IEEE 802.3af.
- If you're setting up the first or only Firewalla Access Point, connect it to the LAN port of the Firewalla box via an Ethernet cable.
- LAN port means you have a Local Network created on that Ethernet port with no VLAN ID.
- If the status light is blinking blue, wait for several minutes and try again.
- Power cycle the Access Point and try again.
- Ensure the Access Point is near the phone you are using for installation, and that Bluetooth is ON. Firewalla uses Bluetooth to discover the device.
- The Access Point uses the native LAN (not a VLAN) as its management network. Ensure the native LAN is functional before setting up Access Points.
- If there is a managed switch between the AP and the Box, ensure the native LAN is functional on the managed switch as well as on the Box.
Check DNS
- If you are using a filtering DNS on the Firewalla WAN side, please change it to something well-known, such as 1.1.1.1 or 8.8.8.8, or the one from your ISP.
Existing Wi-Fi Detected
- Check if you have Firewalla Wi-Fi SD created as a LAN. If so, you must remove it from your LAN before adopting your AP7.
Issues Pairing Additional Access Points
- Wireless Backhaul
- Try placing the additional Access Point close to a previously paired unit during setup.
- Once the additional Access Point is successfully paired, you may move the additional Access Point to a different location.
- Ethernet Backhaul
- Double-check your LAN configurations or connect the Access Point to a different port on your Firewalla box.
- The existing Access Points must be connected to a LAN port of the Firewalla Box.
- The additional units must be connected to the same LAN ports as the existing Access Points.
- For example, if your first Access Point is connected to Port 1 of your Firewalla box and your LAN is configured to use both Ports 1 and 2, the additional Access Point should also be connected to either Port 1 or Port 2, or a port on the back of a paired Access Point.
- Try connecting the additional Access Points via wireless backhaul or by wiring them to the back of a paired Access Point first. This can help ensure that your unit’s hardware is working properly.
The LED status on the front of the Access Point shows the current status:
Light | Status |
Solid Blue | Normal |
Blinking Blue | Applying Configurations |
Solid White | Upgrading |
Blinking White | Ready for Pairing |
Solid Green | Locating |
Blinking Green | Pairing |
Solid Red | Booting Up, or System Error (Rare) |
Blinking Red | Network Down |
Reset the Access Point
- If the Access Point has been set up before, please make sure it is fully reset before setting it up again as new. Follow the steps here to reset your Access Point.
2. Firewalla Box Unreachable
- Check your box's connection: Make sure your Firewalla box is connected to the Internet.
- Check your phone's connection: Make sure your phone is connected to the Internet. If your phone is connected to your previous AP and it's no longer connected to the Firewalla Box, try switching to cellular data, or connecting to another Wi-Fi network that has internet access.
- If connecting to a switch, check your Firewalla AP's connection: Make sure your Firewalla AP is connected to the switch and you can see the switch's link light is on.
Networking Issues
Not able to connect devices
Try using a 2.4 GHz-only SSID
- When setting up some legacy 2.4 GHz-only IoT devices, your phone may need to use the same band as the IoT device. This ensures the phone can send the correct SSID information (e.g. BSSID) to the IoT device. If the SSID supports multiple bands and the phone is connected to 5 GHz, the IoT device may fail to connect. If you encounter this issue, try temporarily disabling 5 GHz or 6 GHz for this SSID during the setup.
Try using a WPA2-only SSID
- Some legacy IoT devices may not be able to connect to a WPA2/WPA3 mixed SSID and can only connect to a WPA2-only SSID. If you encounter this issue, try changing the current SSID to WPA2 security or create a separate SSID with WPA2 for your IoT devices.
Try disabling DFS for the 5 GHz Band
- Check if you are using a DFS (Dynamic Frequency Selection) channel for your 5 GHz band.
- DFS Channels: 52, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 144
- Non-DFS Channels: 36, 40, 44, 48, 149, 153, 157, 161, 165
- Some devices may not support 5 GHz DFS channels. Firewalla includes DFS channels to increase the number of available channels for your devices. If your devices have trouble connecting to the 5 GHz band, try manually selecting a channel and choosing a non-DFS channel listed above.
- If you are using app version 1.64.1 beta, you can disable all DFS Channels in the Wi-Fi Settings.
6 GHz only Hidden SSID Issue
- Devices may not be able to connect to a 6 GHz-only hidden SSID, in accordance with the 6 GHz standard. A workaround is to enable the 2.4 GHz or 5 GHz band as well as 6 GHz when creating the hidden SSID. The 6 GHz information will then be included in the 2.4 GHz / 5 GHz beacon.
Network is slow
- Please use the Firewalla "Wi-Fi Test" button via the app to do testing. A normal speed test runs through the WAN side and does not provide a realistic result. Learn more about speed tests and speed optimizations here.
- If you are speed testing and have a switch between the AP7 and your Firewalla unit that converts 2.5 Gbit to 10 Gbit, please turn on flow control on that switch. Without it, your speed tests may be slow (this is NOT an AP7 issue; it is a networking issue).
- The 3.x Gbps tests are from OnePlus devices running on 6 GHz.
- Some Wi-Fi 7 clients (like iPhone 16) may support only 160 MHz in the 6 GHz band, limiting their maximum speed to around 1.6 Gbps.
- Try forgetting the Wi-Fi network in your device's settings, then reconnect.
- If latency is not stable on 6 GHz (a small spike appears periodically), try a download/upload speed test using the Firewalla "Wi-Fi Test" button. If the download/upload test is normal, the latency is likely due to the device having a battery-saving feature enabled on 6 GHz.
Network is not stable
- Please check the Ethernet cable used between your Firewalla and the Firewalla AP7. The maximum length for a (good) CAT6 to support 10 Gbps is around 122 feet. If you are using older cables, please check their type, as using the wrong cable can lead to:
- Ethernet negotiating at a slower speed
- Network flapping (ethernet interface repeatedly going up and down)
- Check if the Firewalla AP7 LED is blinking red, which means it has lost its connection to the controller. When this happens, check the Ethernet cable. If a network switch is used between the Firewalla box and the AP7, try swapping to different Ethernet ports or connecting the AP7 directly to the Firewalla box.
Local Network Access Issues
- If you can't access devices on your local network from another device on the same network, check whether the rule "Block Traffic from & to all Local Networks" is applied to that network.
- With the addition of the Firewalla AP7, this rule will now also block all local traffic within the same network.
- To allow devices on the same local network to communicate with each other, create a rule that allows traffic to that network.
- For example, if you'd like devices in your Guest VLAN to communicate with each other while still blocking all other local networks, create a rule to "Allow Traffic to Guest VLAN."
- Check if there are any blocking rules on local networks, or if VqLAN or Device Isolation is enabled on a device/group/user. Try disabling them and check if the issue is gone.
- For Siri HomeKit integration to work, the HomeKit hub (e.g., Apple TV) must be allowed to access the IoT devices to be able to control them. If these IoT devices are in a VqLAN-enabled group, add the HomeKit hub to the Allowed Devices for that group.
Using Access Point
Can't create Wi-Fi on certain networks
- When creating Wi-Fi, the app will ask you to pick a network. Please note that Firewalla Wi-Fi can only be created on networks using the same ports as the LAN the AP7 is wired to.
- For example, if you have three networks—LAN 1 on Port 1, and LAN 2 and LAN 3 on both Port 2 and Port 3—with the AP7 wired to Port 2 via Ethernet, then Wi-Fi can only be created on LAN 2 and LAN 3, not LAN 1.
- If you want to create Wi-Fi on LAN 1, try editing your network to make LAN 1 use Port 2 and Port 3 as well, with a VLAN ID.
Reset Access Point to Factory Default
Reset from the App
- Make sure the Access Point is powered on and connected to the Firewalla Box.
- Open the Firewalla app, go to the box's main screen, and tap the Wi-Fi button -> Access Points.
- Tap the Access Point you want to reset.
- Scroll down to the bottom and tap Delete This Access Point.
- The Access Point will be deleted from the box and reset to factory default.
Note: If the Access Point is not connected to the Box, deleting it from the app won't reset it to factory default. You'll need to manually reset the Access Point following the steps below:
Reset via the Reset Button
- Make sure the Access Point is powered on.
- At the bottom of the Access Point, use a pin to press the reset button for at least 10 seconds (or wait until you see the LED start to blink red).
- Wait for the reset to complete. It will reboot automatically and become ready for pairing.
- Check light status during reset:
Light | Status |
Blinking Blue | Reset Button Pressed |
Blinking Red | Resetting |
Lights Off (5s) | Reset Complete |
Solid Red | Booting up |
Blinking Blue | System Booting up |
Solid Blue | Normal |
Blinking White | Ready for Pairing |
- After resetting using the reset button, delete the Access Point from the app:
- Box's main screen -> Wi-Fi -> Access Points.
- Tap the Access Point that you manually reset.
- Scroll down and tap Delete This Access Point.