PART 2: Control
After gaining visibility into your network and devices, the next step is defining how you want your network to behave.
Every network is different — different devices, users, and tolerance for risk. There's no single "secure" template that fits everyone — and we don't believe in forcing one. With Firewalla, you create your own rules. Whether you prefer a lighter approach or tighter controls, the choice is yours.
By intentionally managing traffic based on your environment and risk tolerance, you reduce your attack surface, limit unnecessary exposure, and build a network that is both more secure and better aligned with how you actually use it.
Firewalla provides flexible tools to block, allow, segment, schedule, and regulate traffic at the device, group, or network level.
With Firewalla, you can manage:
- Access Controls
- Network Segmentation and Microsegmentation
- Online Activity & Traffic Management
- Privacy, DNS, & VPN
1. Access Controls
1.1. Block unwanted access
1.2. Allow trusted networks with allow rules
1.3. Block unrecognized open ports and change weak passwords
1.1. Block unwanted access
Blocking limits network access for one or more devices. Firewalla enables you to take action against unwanted network use through an array of blocking features, including:
1.1.1. Default Stateful Firewalls
1.1.2. Region Block (Geo-IP Filtering)
1.1.3. TLD Blocks
1.1.4. Application Block
1.1.5. Target List Block
1.1.6. Activity Category Block
1.1.7. Domain/IP/IP-Range Block
1.1.8. Block via Alarms
1.1.9. Block via Network Flows
1.1.1. Default Stateful Firewalls
If you are running your unit in router mode, Firewalla will, by default, insert a "stateful" firewall to block all ingress (from outside of your network to inside) traffic. Please do not delete or pause this rule.
1.1.2. Region Block (Geo-IP Filtering)
Firewalla allows you to create blocking rules to block connections from a geographic location. This feature is useful if you want to prevent your network from talking to IP addresses in specific countries. It can be an effective way to stop hackers from attacking your IoT devices. Learn more about Geo-IP filtering.
- Most of the time, these blocks are for egress (your network out). Ingress traffic should already be blocked by the default stateful firewall.
1.1.3. TLD Blocks (Top Level Domain)
In addition to blocking full domains like firewalla.com and *.firewalla.com, Firewalla also supports blocking top-level domains, such as *.country, *.stream, *.download, etc.
1.1.4. Application Block
If you want to manage access to a certain app (such as YouTube, TikTok, Instagram, etc.), you can use Firewalla's Rules to limit what apps a device or a group of devices may use. To do this, create a new block rule and set the rule target to the app you'd like to block.
1.1.5. Target List Block
Firewalla has built-in Target Lists that you can use to extend its blocking features even further. For example:
- Block Apple Private Relay or DoH Services to ensure that no devices on your network can get around your policies by encrypting their DNS requests.
- Block OISD to block additional risky or unwanted sites and improve Ad Blocking.
- Block Newly Registered Domains (NRDs) to block potentially malicious sites that might lack an established reputation.
If you have your own targets that you'd like to block, you can create a Custom Target List using the Firewalla Web Interface and Firewalla MSP.
For even more blocking, Firewalla MSP supports an Import Target List feature, so you can import popular 3rd-party lists, such as HaGeZi and AdGuard, to use in block rules.
1.1.6. Activity Category Block
For smart devices that function closer to a general-purpose computer, you should implement controls similar to those on your computers or smartphones. For example, if your kids are using the smart TV, you can use category blocking to ensure they don't access sites they're not supposed to.
1.1.7. Domain/IP/IP-Range Block
You can block targets by using the "Rules" button. You can choose target(s) to allow/block based on one or a combination of the following items:
- IP Address or IP Address range (and optional ports)
- Domain name (and optional ports)
- Remote port or Local port
- Region
- Local Network (Gold and Purple running in Router mode only)
- Internet (all internet sites)
Find out more about blocking capabilities here.
1.1.8. Block via Alarms
Blocks can also be created from the alarm interface. For example, if you receive an alarm that one of your devices is accessing a malicious site, you can block the entire domain or IP from the alarm screen.
1.1.9. Block via Network Flows
While looking at your device's network flows, you can tap on its flow entries to get into the details screen. In the details screen, you can block flows (please note that not all flows can be blocked, and your device may still maintain its functionality).
1.2. Allow trusted networks with "allow" rules
For devices that are very purpose-specific and only need access to certain services, you can configure rules to only allow trusted connections to come through.
For example, on your Nest Thermostat or Ring devices, you can block all internet access, but only allow access to ports required by Ring's services (IP addresses and ports). Learn more about allow/whitelist rules.
- Instead of manually allowing sites, you can also use Firewalla's Device Active Protect, which can automatically block everything and allow only what's needed for certain smart devices. This feature requires a Firewalla Gold Series unit. Learn more about Device Active Protect.
1.3. Block unrecognized open ports and change weak passwords
In Part 1, we discussed open ports and weak passwords on commonly used ports. Check for open ports and services that aren't secured with solid credentials (Home -> Scan).
- If the scan finds any open ports and you don't recognize them, or if any ports were opened intentionally but should not be open anymore, you should block them.
- If the scan finds any weak passwords on common services, we recommend that you first log into your device and verify if the scan result is correct, then either disable the service or change the password on the service to something more secure.
2. Network Segmentation and Microsegmentation
2.1. Manage devices with Device Group
2.2. Microsegment devices with VqLAN and Device Isolation
2.3. Isolate new devices with New Device Quarantine
2.4. Automatically assign devices to groups with Firewalla Wi-Fi
2.5. Isolate traffic with Network Segmentation
2.1. Manage devices with Device Group
A device group is a software-based segmentation. You can use Groups to manage devices that share the same rules and policies. This can simplify the daily management of devices and policies. Learn more about Device Group.
Here is an example of how you can use Device Group:
- Create a device group for streaming devices
- Add all your smart TVs, speakers, or set-top boxes to the group
- Manage the group with consistent rules and policies across the whole network
2.2. Microsegment devices with VqLAN and Device Isolation
While VLAN and port-based network segmentation are powerful, they can only help separate traffic on different networks. With the Firewalla AP7, you can further microsegment your wireless devices, groups, and users, even within the same network segment.
You can microsegment your network by:
- Enabling VqLAN (virtual quarantine LAN) on any Group/User to block local traffic traveling between devices outside the group.
- Assigning SSIDs, personal keys, or Enterprise Wi-Fi to a Group/User with VqLAN enabled. Learn more about dynamic group memberships.
- Enabling Device Isolation on a VqLAN group or on individual devices as needed.
2.3. Isolate new devices with New Device Quarantine
You can enable New Device Quarantine in Firewalla to immediately place unrecognized devices into a separate Quarantine Group when they join your network. This way, you have full visibility of unfamiliar devices and can set special rules to control their access. You can release a device from the Quarantine Group whenever you want.
2.4. Automatically assign devices to groups with Firewalla Wi-Fi
With the Firewalla AP7 and Firewalla Orange, you can automatically assign any device that connects to Firewalla Wi-Fi to a group, user, or network. This can be helpful to automatically identify and group devices that appear as new devices to Firewalla through MAC randomization.
Assign devices with Firewalla Wi-Fi by:
- Creating multiple SSIDs and assigning them to a group, user, or network.
- Using a single SSID and creating personal keys, assigning each to a group, user, or network. (Requires AP7)
- Using a single SSID, enabling WPA3-Enterprise or WPA2-Enterprise, and creating usernames and passwords for each User.
Note: microsegmentation may take precedence over New Device Quarantine. Learn more about it here.
Learn more about microsegmentation with the AP7 here.
2.5. Isolate traffic with network segmentation
You can use network segmentation to create multiple local networks in your home and dedicate one to IoT devices. This way, you can isolate IoT device traffic from the rest of the network to reduce the risk exposure in case IoT devices get compromised.
You can set up a network segment for your IoT devices by:
- Creating a VLAN for your IoT devices
- Creating a rule on the VLAN to block all outgoing traffic to other parts of your network
Network segmentation is available when Firewalla runs as your main router. VLAN and port-based networks allow you to secure and separate devices that are less critical and possibly less rigorously tested. Learn more about Network Segmentation.
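As an added illustration (my code, not Firewalla's), the deny-by-default pattern from 1.2 and the IoT VLAN block from 2.5 modelled as a small rule evaluator: a default block on all ingress traffic, a block from the IoT VLAN to the main LAN, and a single allow rule for one host and port. It assumes that an allow rule outranks any block rule that also matches and that flows no rule matches are allowed; all addresses, networks and ports are constructed.

```python
"""Deny-by-default local policy with a narrow allow exception (illustration only).

Assumptions (not taken from the page): allow rules outrank matching block rules,
so the most specific allow wins; a flow no rule matches is allowed. Sample
networks, hosts and ports below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    src: str          # IP of the device initiating the connection
    dst: str          # destination IP
    dport: int        # destination (remote) port
    direction: str    # "ingress" (internet -> LAN), "egress" (LAN -> internet) or "local"


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "block"
    src_net: Optional[str] = None    # source network (e.g. the IoT VLAN), None = any
    dst_net: Optional[str] = None    # destination network or /32 host, None = any
    dport: Optional[int] = None      # destination port, None = any
    direction: Optional[str] = None  # restrict to one traffic direction, None = any

    def matches(self, f: Flow) -> bool:
        return ((self.src_net is None or ip_address(f.src) in ip_network(self.src_net))
                and (self.dst_net is None or ip_address(f.dst) in ip_network(self.dst_net))
                and (self.dport is None or self.dport == f.dport)
                and (self.direction is None or self.direction == f.direction))


def decide(rules: List[Rule], f: Flow) -> str:
    """Return "allow" or "block": any matching allow wins, then any matching block."""
    hits = [r for r in rules if r.matches(f)]
    if any(r.action == "allow" for r in hits):
        return "allow"
    return "block" if hits else "allow"


# Constructed policy: stateful default (block all ingress), IoT VLAN 192.168.20.0/24
# blocked from the main LAN 192.168.1.0/24, except the printer port on one main-LAN host.
POLICY = [
    Rule("block", direction="ingress"),
    Rule("block", src_net="192.168.20.0/24", dst_net="192.168.1.0/24"),
    Rule("allow", src_net="192.168.20.0/24", dst_net="192.168.1.50/32", dport=631),
]

if __name__ == "__main__":
    for flow in (Flow("203.0.113.9", "192.168.1.10", 22, "ingress"),
                 Flow("192.168.20.15", "192.168.1.10", 445, "local"),
                 Flow("192.168.20.15", "192.168.1.50", 631, "local"),
                 Flow("192.168.20.15", "192.168.1.50", 22, "local")):
        print(flow, "->", decide(POLICY, flow))
```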
3. Online Activity & Traffic Management
3.1. Enable Family Mode for kids
3.2. Manage activities and screen time with Time Limits and Disturb
3.3. Control traffic with Routes
3.4. Regulate traffic with Smart Queue
3.1. Enable Family Mode for kids
Firewalla's Family Mode contains services that automatically filter out inappropriate content for families (porn and violent materials). It includes:
- Family Protect: Block access to websites with offensive content. Native Mode gives you full control over what to block, directly from Firewalla.
- Safe Search: Filter inappropriate search results on well-known search engines.
- Social Hour: Block internet connections for one hour on personal, media, and entertainment devices.
If you have kids at home, enable Family Mode on all computers and smart devices (like Apple TV) that your kids might have access to.
3.2. Manage activities and screen time with Time Limits and Disturb
Firewalla can help you manage online activities, either for kids, adults, or even for yourself, including:
3.2.1. Set activity time limits
3.2.2. Gently disrupt traffic with Disturb
3.2.1. Set activity time limits
You can control when and for how long a set of devices can access certain apps with Time Limits. This allows you to do things like give your kids 2 hours of Fortnite access on weekends or set a daily 1-hour limit on YouTube. You can set a time limit by creating a User, then scrolling down on the User's page and tapping Add Time Limit.
3.2.2. Gently disrupt traffic with Disturb
Instead of blocking access completely, use Disturb to gently disrupt traffic. This allows you to make it slightly frustrating or less enjoyable to use certain apps, encouraging users to take healthy breaks on their own. Learn more about Disturb.
3.3. Control traffic with Routes
If you have multiple traffic terminations (egress paths), such as:
- VPN Client (or many VPN clients)
- Secondary WAN
- Site-to-Site VPN
You can send any IoT device's network traffic to any of the destinations above by using smart routing policies in Firewalla. Learn more about policy-based routing.
You can also choose a Route Preference. For each route, you'll be given two options:
- Static: if the selected interface is not available, the traffic will be dropped. This is the default setting.
- Preferred: if the selected interface is not available, allow traffic through an alternate route.
Please note that in order to "lock" traffic to a selected VPN, you also need to ensure the VPN's Internet Kill Switch is enabled. For detailed instructions, you can watch our video tutorial.
3.4. Regulate traffic with Smart Queue
If you worry about your IoT devices consuming too much bandwidth, you can easily apply policies to limit traffic by either device or destination. Learn more about Firewalla Smart Queue.
4. Privacy, DNS, & VPN
4.1. Protect your privacy with Ad Block
4.2. Control DNS traffic with DoH, Unbound, and DNS Rules
4.3. Sync time securely with NTP Intercept
4.4. Secure network access with Firewalla VPN
4.1. Protect your privacy with Ad Block
Firewalla's built-in ad blocker does more than just block ads -- it also protects your privacy by preventing ads from tracking your online behaviors. Turn on Ad Block on All Devices so your whole network is ad-free.
This is especially useful for smart devices that have general access to the internet but do not have any privacy settings or controls.
If you find the default Ad Blocking is not enough, try Ad Block Strict Mode for more aggressive blocking, and combine it with our built-in Target Lists, such as OISD, which is a list of risky sites or sites with unwanted content.
4.2. Control DNS traffic with DoH, Unbound, and DNS Rules
DNS over HTTPS (DoH) sends DNS requests encrypted over HTTPS, as opposed to traditional DNS, which sends requests in plain text. It prevents third parties from spying on what websites, domains, and services your devices are accessing.
By turning on DoH in Firewalla, all devices in your network will be protected, especially IoT devices that otherwise have no ability to configure this type of service.
Firewalla also supports Unbound, a validating, recursive, caching DNS resolver that helps increase your online privacy and security and is installed locally on Firewalla.
Unbound prevents a single public DNS server from having all your DNS records. For an extra layer of protection, you can also send your Unbound DNS requests over VPN instead of your ISP by enabling Unbound over VPN.
You can also add Custom DNS Entry Rules via the app. We used to have a guide on how to customize your DNS via the command line, but we brought this feature to the app UI to make it easier to manage. For detailed instructions, you can watch our video tutorial.
4.3. Sync time securely with NTP Intercept
Many devices regularly make Network Time Protocol (NTP) requests to keep their clocks in sync – you'll see these requests as traffic over port 123 on your box's Flows page. Vulnerable NTP servers can sometimes be exploited for DDoS attacks or as a covert communication channel.
Firewalla's NTP Intercept feature catches your devices' NTP requests and processes them locally using trusted NTP servers, reducing your network's risk exposure while saving some bandwidth. From the devices' perspectives, NTP requests simply succeed as usual.
4.4. Secure network access with Firewalla VPN
Firewalla has a built-in VPN client that makes it easy and free to tunnel all your home network traffic, including IoT traffic, through a VPN.
Site-to-Site VPN:
If you have multiple homes, you can use Site-to-Site VPN to connect your networks together over encrypted links. You can securely access shared devices such as file servers, printers, and video cameras bi-directionally between the sites.
3rd Party VPN:
If you are using a third-party VPN server to shield your data from your ISP or government, you can enable the Firewalla VPN Client and connect to the VPN Server. This will allow all your IoT devices to easily use the same VPN service.
Firewalla has a built-in VPN Server as well. When you are traveling or using public Wi-Fi, you can connect back to the VPN Server at home and securely access your home devices, such as security cameras and home automation controllers.
This method is far more secure than using simple port forwarding on your router. The extra encryption hides your traffic and provides authentication at the network layer at the same time.
To learn more about how Firewalla protects your data from breaches and attacks, continue reading in Part 3: Protect.
This is Part 2 of our A Secure and Better Network with Firewalla series.
I have set a general rule to block access from a VLAN to my main LAN. I have allowed access to a single machine with a secondary rule - but really I'd like this to be a single port on this machine, but can't work out how to make a combination rule like this?