Being unable to access the websites and apps you want can be very frustrating and seem difficult to debug. Fortunately, Firewalla can help! Follow these steps to confirm that Firewalla is responsible for blocking the site, then resolve whatever is causing the block.
- Step 1: Verify Firewalla is blocking the site
- Step 2: Check your block rules
- Step 3: Check your block features
- Step 4: Check IPv6
- Step 5: NAT Passthrough
- Advanced Debugging
STEP 1: Verify Firewalla is blocking the site
Step 1.1: Turn on Emergency Access
Emergency Access instantly unblocks internet access by suspending all blocking mechanisms (monitoring and basic protection remain in place). To turn on Emergency Access:
- Go to your box's main screen -> Devices
- Tap on the device that's having problems connecting
- Scroll to the bottom and turn on Emergency Access
You can also turn on Emergency Access globally (Rules -> "…" in the top right corner -> Emergency Access)
- Emergency Access may take some time to go into effect (due to the DNS cache). You can speed up this process by either turning the device's Wi-Fi off and on, or rebooting it.
- If Emergency Access fixes the access problem, it means that one of Firewalla's policies is blocking the site. Continue to Step 2.
- If you still can't access the site with Emergency Access turned on, go to Step 1.2.
Note: Emergency Access will suspend your customized blocking rules. Default inbound blocking and Active Protect will still work when it's on. Other blocking features won't be affected.
Learn more about Emergency Access.
VPN Client
If you are using the VPN Client feature, please pause it. Some services may not always work over a VPN (this is a general VPN issue, not a Firewalla issue). For example, Netflix may detect that you are using a VPN and block your access.
Policy Based Routing
Policy-based routing is not automatically disabled by Emergency Access. If you are routing traffic to a VPN or to a different WAN interface, you must disable or pause the routing manually.
Step 1.2: Turn off monitoring on the device
- Go to your box's main page -> Devices
- Tap on the device that's having problems connecting
- Scroll to the bottom and turn off monitoring.
If you are running DHCP mode, you may need to turn the DHCP service on your main router back on, then turn your device's Wi-Fi off and on to let it acquire a new IP address.
- If turning monitoring off doesn't fix the problem, you should stop and check your network (wiring, router configuration, compatibility with other devices, etc.) or contact us.
- If turning monitoring off fixes the problem, go to Step 2.
DNS Servers:
Please also carefully check which DNS servers you are using – some may filter results. If possible, try using a more open DNS server, like 1.1.1.1 or 8.8.8.8.
STEP 2: Check your block rules
Step 2.1: Identify the blocking rule using blocked flows
Firewalla Blocked Flows records all the flows blocked by Firewalla. You can use it to find out which IP or domain is being blocked:
- Try to access the site or the app blocked by Firewalla.
- Go to your box's main screen -> Blocked stats at the top of the page -> Blocked Flows -> find the flow(s) related to the app or the service.
- When you tap on a blocked flow, you'll see the feature that caused the block at the bottom of the flow detail page (if the flow was blocked by Ad Block or Active Protect). Tap on the line of text on top of the action to configure the feature directly.
- Otherwise, you'll find a Diagnose button at the bottom of the page. Tap it to identify the rule that blocked the site. If there is a rule found, go to Step 2.3. If there is no rule found, then the connection is likely being blocked by other features. Skip to Step 3 to identify the feature.
Step 2.2: Identify the rules that are blocking the site
Our Rule Diagnostics tool will tell you what rule(s) are responsible for blocking certain types of traffic. Just fill in the site you can't access and the device you're having an issue with. To run Rule Diagnostics, go to your box's main screen -> Rules -> "..." in the top right corner -> Diagnostics.
If no rule shows up while all features listed in Step 3 are disabled, try pausing each rule one by one. Some sites will share the same IP mapping, meaning that when you block one, others will be inaccessible.
Step 2.3: What to do after the blocking rule is identified
Case 1: The rule blocks a domain required by the site
Sometimes, a site requires access to a separate domain. For example, if you can't access docs.google.com, you might see that it's due to a global block rule on ytimg.com (a resource required by Google Docs). See more examples with Google and YouTube access.
To resolve this:
- Pause or remove the rule
Case 2: The rule blocks a seemingly unrelated domain
Sometimes one rule will block two supposedly different sites. For example, if you can't access help.firewalla.com, it could surprise you that it's due to a blocking rule on roblox.com. This is because Firewalla by default blocks at the IP level, and blocking roblox.com will block the IP used by help.roblox.com, which shares an IP with help.firewalla.com. See this article for details.
To resolve this:
- Pause or remove the rule, or
- Change the Block Mode of the rule to "Domain Only"
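To see the shared-IP effect from Case 2 for yourself, the following added example (not Firewalla's code) checks whether any hostname covered by a block rule resolves to an address that the site you want also uses. The function names, the rule-to-hostname mapping, and the sample addresses are assumptions constructed for illustration.

```python
import socket

def resolve(host):
    """Addresses (IPv4 and IPv6) the system resolver returns for host."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def find_ip_collisions(wanted_site, block_rules, resolver=resolve):
    """Return [(rule, hostname, shared_ips)] for every blocked hostname
    that resolves to an address also used by wanted_site.

    block_rules maps a rule's target domain to the hostnames under it
    that should be checked (the domain itself plus known subdomains).
    """
    wanted = resolver(wanted_site)
    hits = []
    for rule, hostnames in block_rules.items():
        for name in hostnames:
            shared = wanted & resolver(name)
            if shared:
                hits.append((rule, name, sorted(shared)))
    return hits

# Constructed sample data (documentation address ranges, not real DNS answers).
SAMPLE_DNS = {
    "help.firewalla.com": {"192.0.2.10", "192.0.2.11"},
    "roblox.com": {"198.51.100.5"},
    "help.roblox.com": {"192.0.2.11", "192.0.2.12"},
    "ytimg.com": {"203.0.113.7"},
}
SAMPLE_RULES = {
    "roblox.com": ["roblox.com", "help.roblox.com"],
    "ytimg.com": ["ytimg.com"],
}

def sample_resolver(host):
    """Offline stand-in for DNS, backed by the constructed table above."""
    return SAMPLE_DNS.get(host, set())

if __name__ == "__main__":
    for rule, name, ips in find_ip_collisions(
            "help.firewalla.com", SAMPLE_RULES, sample_resolver):
        print(f"rule on {rule}: {name} shares {', '.join(ips)} "
              f"-> pause the rule or set its Block Mode to Domain Only")
```

Omit the `resolver` argument to check live DNS. Run it from a device behind the box so it sees the same answers that device does.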
Case 3: It's a category block rule
For example, you might not be able to access pinterest.com because you have a block on "All Social Sites".
To resolve this:
- Unblock "All Social Sites", or
- Remove pinterest.com and related domains from the All Social Sites category list, or
- Create an Allow rule for pinterest.com to create an exception in the "All Social Sites" block
See this article for detailed instructions for the example above.
Case 4: It's an Allow rule
Sometimes, Allow rules get blocked by other features. Go to Step 3.
Case 5: The blocking rule is applied to other devices
Check if there is a Wi-Fi extender in your network. Some Wi-Fi extenders will mix up MAC addresses while processing packets. To resolve this, try temporarily powering off the extender.
STEP 3: Check your block features
Besides rules, Firewalla has several other features that can block content. Try turning each one off and see if it makes any difference. Before testing these features, make sure to flush your DNS cache by turning your device's Wi-Fi off and on or rebooting it.
Ad Block
For example, some Google search results may be blocked because they are ads.
- Go to your box's main page -> Ad Block
- Turn off Ad Block globally or on the device experiencing the problem
Family Protect
- Go to your box's main page -> Family
- Turn off Family Protect globally or on the device experiencing the problem
Safe Search
For example, certain YouTube videos could be blocked due to Safe Search (see this article).
- Go to your box's main page -> Family
- Turn off Safe Search globally or on the device experiencing the problem
DNS Over HTTPS (DoH)
Sometimes, DoH does some filtering. The results returned are not always consistent from provider to provider.
- Go to your box's main page -> DNS Service
- Turn off DNS over HTTPS (DoH) or change its server
Active Protect
As a last resort, you can try turning off Active Protect. However, if a site is blocked by Active Protect, chances are it shouldn't be trusted.
- Go to your box's main page -> Settings -> Features -> Active Protect
STEP 4: Check IPv6
In rare cases, we have seen devices that have trouble in IPv6 environments. If you have IPv6 enabled, try disabling IPv6 on the LAN settings and see if the issue disappears. If it does, but you want other devices to continue using IPv6, you can put the problem device on a separate LAN with IPv6 disabled and leave other devices on a network with IPv6 enabled. See Network Segmentation for details.
STEP 5: Check NAT Passthrough
Firewalla blocks inbound traffic by default to keep your network safe. However, inbound traffic is sometimes essential for services like Wi-Fi calling or VPN, which require consistent and reliable connections for voice and data transmission. If you have trouble with video calls, Wi-Fi calling, or VPN, you may need to enable one of the NAT Passthrough options (depending on the service protocol). See this article.
Advanced Debugging
If you need more powerful debugging techniques, see Rule Debugging and use of tcpdump.
Need Help?
If you still cannot resolve the problem, please feel free to open a support case. We guarantee a response in less than 24 hours.