Firewalla will work in either Simple Mode (Plug and Play) or DHCP mode (you will need to login to the router and disable DHCP server. Learn more about DHCP Mode). Your router will need to be compatible with at least one of these modes.
The Firewalla app will do mode auto-detection for you during the initial pairing with the Firewalla box. If you are running into problems, please check the list below for your router to see if we've noted any known issues. (The auto-detection process is not perfect, you can always manually force a mode)
- If your router is not on the list, it is very likely to be compatible with Firewalla. This list will be updated as we learn from our customers and detection algorithms.
- For Meshed routers: Additional instructions are explained here.
- DHCP Mode: If your router has the option to turn off the built-in DHCP server then DHCP mode will work for you. And for some routers DHCP cannot be turned off, a trick like this might work.
- Questions? please email us at firstname.lastname@example.org, it will create a support case, and our engineers will help you directly.
- If you encounter problems such as 'slow throughput', please also make sure your router's firmware is up to date.
- To connect Firewalla, your router (or a switch connected to the router) must have a free ethernet port.
- DHCP Leases. If you run into devices keeps on changing IP address and you don't have a network extender, double check your router's DHCP lease time. Make sure it is long.
|Router Model||Simple Mode||DHCP Mode|
|T3200||❌Not Compatible||⚠️❌Under investigation, may not be Compatible|
|✅Compatible||⚠️Likely Compatible (Require Special Setup)|
|XB6||❌Not Compatible||✅⚠️Require Special Setup|
|SVG2482AC||✅Compatible||⚠️Likely Compatible (Require Special Setup)|
|5268||✅⚠️ Need to disable monitoring of devices that look like 5268AC, or 5268.||⚠️Likely Compatible (Require Special Setup)|
|SBG6782||✅⚠️Set the DHCP lease time from 3600 (one hour) to a large number like (604800)||✅Compatible|
|DG3450||❌Not Compatible||✅⚠️Require Special Setup|
|SBG6900AC||✅⚠️Set the DHCP lease time from 3600 (one hour) to a large number like (604800) Put device Arris-LGW in not monitor mode.||✅Compatible|
|Others||✅Compatible⚠️ Need to disable monitoring of device that looks like ARRIS-LGW||✅Compatible|
|⚠️Model number unknown. Please turn off "Block ARP Broadcast". This prevents firewalla from being discovered.|
|N600 RT-N56U||✅⚠️NAT Acceleration must be turned off See this||✅Compatible|
|SRT-AC1900 (OnHub)||❌Not Compatible||❌Not Compatible|
|RT-AC68R||✅⚠️Firewall must be turned off during installation||✅Compatible|
|RT-AC87||✅⚠️NAT Acceleration must be turned off See this||✅Compatible|
|Motorola NVG510||✅Compatible||❌Not Compatible|
|FRITZ!Box 6490||✅⚠️Compatible (verification needed)||✅Compatible|
|FRITZ!Box 7490||⚠️ Investigating||✅Compatible|
|Home Hub 3000||❌Not Compatible||✅Compatible|
|Comcast DPC3941 Cable Modem||✅Compatible||⚠️Likely Compatible (Require Special Setup)|
|Version 1||❌Not Compatible||✅Compatible|
|Version 3||May not work||Unknown|
|OnHub TGR-1900 (TP-Link)||❌Not Compatible||❌Not Compatible|
|OnHub SRT-AC1900(ASUS)||❌Not Compatible||❌Not Compatible|
|Google Wifi||✅⚠️Compatible (See additional instruction) Some users are experiencing issues.||✅Compatible (Require Special Setup)|
|HUAWEI/Or HUAWEI BASED ROUTERS|
|HG659 HG635||❌Not Compatible||✅Compatible|
|Mitrastar model hgw-2501gn-r2||❌Not Compatible||✅Compatible|
|HA35-22||❌Not Compatible||NOT SURE|
|✅⚠️Compatible (verification needed)||❌Not Compatible|
Majority routers will need express forwarding feature to be disabled:
|N600||✅⚠️Not Compatible with Guest Network||✅Compatible|
|✅⚠️Express Forwarding must be disabled||✅Compatible|
|Velop||✅Compatible (See additional instruction)||✅Compatible|
|✅⚠️Not Compatible with Guest Network||✅Compatible|
Nighthawk Pro Gaming
|✅Compatible (See additional instruction)||✅Compatible|
|❌Not Compatible||⚠️Unlikely to work. Best use another router behind this|
|❌Not Compatible||✅⚠️Likely Compatible|
|TP OnHub||❌Not Compatible||❌Not Compatible|
|TP-LINK Deco||✅Likely Compatible (See additional instruction)||❌Not Compatible|
|RT2600AC||❌Not Compatible||✅Compatible (Guide)|
|RT1900||❌⚠️ Under investigation, may not be compatible||✅Compatible (Guide)|
|❌Not Compatible||✅⚠️Require Special Setup|
|XB6||❌Not Compatible||⚠️Require Special Setup|
Additional List: user-contributed router list
There is a class of network extenders that will actively change or randomize all the Wifi devices connecting to it. These are not compatible with Firewalla. The reason is, Firewalla uses the device MAC address as the key to the device, if it keeps on changing, it will make monitoring impossible. (Such as NETGEAR EX3700)
Wifi Access Points: (Simple Mode)
If you have network devices, such as extenders, or routers acting as access points, you may need to put them into "not monitor" mode.
Certain Comcast routers that run in DHCP mode (such as XB6) may have issues with blocking ipv6 traffic. This is because these routers cannot turn off ipv6 auto-config. We are working on a solution.
In Simple mode: IPv6 support needs manually turning on. Please tap on "+" then add the IPv6 feature.
DHCP mode: DHCP mode should lock out IPv6 if DHCPv6 and auto-config are turned off.
Network Size (For advanced + business users)
Most home network by default is /24 network mask (253 networked devices). Please limit Firewalla Red's network to /24 and Firewalla Blue to /19
(So far we see issues below happening in Germany and China)
To access the Firewalla VPN server, your ISP will need to give you an externally routable IPv4 address. (Most ISP does this already, we have seen cases in Germany, China, where the IP address provided is a private IP) Without this, your VPN client will not able to talk to Firewalla.
VPN will not work in a pure IPv6 network, it only supports IPv4 at the moment. We are working on getting it working over IPv6. We encounter problems in some German ISP's, where IPv4 in IPv6 tunnel is used.
Compatibility with Other Devices
The idea behind the defense in depth approach is to defend a system against any particular attack using several independent methods. We engineered our box to play with other boxes just for this purpose.
Circle: If you have Circle on the network, make sure Circle is not monitoring Firewalla and Firewalla is not monitoring Circle. And both are not monitoring the same devices. Otherwise, your network will be shut down with packets flying all over the place.
Cujo: We have one user claim he ran Firewalla in Simple Mode under Cujo. (verified by another user)
Fing: Fully compatible. Do not use Fing to block a device that's monitored by Firewalla in Simple Mode.
PFSense: Pending confirmation, we have one user got Firewalla Simple mode working with it.
PiHole: This is the open source DNS server. Much like what Firewalla does. If you have this as your DNS server, please disable monitoring of the PiHole Unit inside Firewalla App. (tap on devices->find pi hole->tap on it->move to the bottom and monitoring off)
SonicWall: Should work in the Simple mode
Bitdefender: We do know a few users run Firewalla with Bitdefender in router mode.
Ubiquity: Firewalla works with many Ubiquity devices in simple mode.