This article is to help you look at and diagnose connectivity issues from your devices to the internet.
- If you have issues only with a few sites, please see this article: What to do if you can't access certain sites
- If you are having network quality issues, see Network Performance and Quality Monitoring
- If you are having speed/performance issues Speed Test and Speed Optimization on Firewalla
- If this does not solve your problem, please contact the support team here https://help.firewalla.com/hc/en-us/requests/new (If possible, please let us know some of your test results, it will make the diagnostic process faster)
Network connectivity problems can occur at different layers or locations of the network. This article will start at the lowest layer and help you run through the different checks. Most of the methods are just specific to Firewalla.
- Physical layer problems
- ISP Connectivity
- Local Network Connectivity
- DNS Issues
- Network Configuration
- Other Firewall Restrictions
1. Physical Layer Checks
These may seem like basic things, but checking these over can save a lot of time and frustration.
- Make sure you are using the right cables. CAT 5E or better cables are recommended. Please make sure all the cables are connected firmly and have no damage or questionable connections.
- If you have a modem, look at its link lights and reboot it.
- Check the link lights on your switch/router, and make sure they display the right speed. Firewalla link lights can be found, in this article.
- Check your physical connections, and make sure they are connected correctly. If you are using a switch, check for switching loops.
- If you are having issues with Wi-Fi, try to plug in a device (PC/MAC) via ethernet and see if they are working or not.
- Check that your access points are configured correctly. Reboot your Wi-Fi AP.
- If you are having issues with VLANs, check if your non-VLAN connections are working, then double-check your VLAN devices and make sure they are configured correctly.
2. WAN/ISP Connectivity
Network Diagnostics:
We all know how frustrating it feels when experiencing internet outages. To enhance the troubleshooting process, we include a network diagnostic tool with detailed network information when your internet is down.
On Firewalla Gold/Purple series, when your WAN is down, if your phone can connect to the box via Bluetooth or the local network, you'll find an Internet Connection Lost banner on top of the box's main screen, tap Diagnostics and the app will open a page listing the status of the ethernet port, IP address/gateway, and the connectivity test results on each of your WAN networks.
If you need any help from our Support team, you can just take a screenshot, or tap on the "Share" button in the top-right corner to send the information to our team for more support.
We also have on-demand network diagnostics. This allows you to diagnose the connection anytime, even when Firewalla is not reporting connection errors. To run network diagnostics, tap the Network Manager on your box's main page, then tap Run Network Diagnostics.
Network Events:
Firewalla Gold / Purple will automatically test your ISP network using network ping and DNS queries. If your network is down, you will get warned.
Firewalla will log the WAN connectivity status changes using Events and display a notification on the main screen of the Firewalla app. If your ISP is unstable, these events will help you debug or learn more about why the problem occurred.
Events can be found in Main Screen-> Settings -> Events. It can provide you with the history of:
- WAN disconnected or restored
- Dual WAN switch or failover
- Ethernet Ports connected or disconnected
More details on Firewalla Network Events and how to customize the connectivity test.
3. Local Network Connectivity
LAN connectivity issues can happen if you have a bad cable or problems with a WiFi access point. In this test, you will ping the intermediate networks and make sure they are up.
To do this test, you can launch a terminal and ping your Firewalla.
By default, Firewalla Box's local domain name is "fire.walla".
# This is good
test@test-mbp ~ % ping fire.walla
PING fire.walla (10.0.1.1): 56 data bytes
64 bytes from 10.0.1.1: icmp_seq=0 ttl=64 time=3.525 ms
64 bytes from 10.0.1.1: icmp_seq=1 ttl=64 time=3.025 ms
64 bytes from 10.0.1.1: icmp_seq=2 ttl=64 time=2.762 ms
^C
--- fire.walla ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 2.762/3.104/3.525/0.316 ms
# This means the connection isn't working or the name is not resolving (DNS)
test@test-mbp ~ % ping fire.walla
PING fire.walla (10.0.1.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
^C
--- fire.walla ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
If you are connecting via Wi-Fi, you can also try to ping the access point's IP Address or local domain name.
# This is good
test@test-mbp ~ % ping 10.0.1.88
PING 10.0.1.88 (10.0.1.88): 56 data bytes
64 bytes from 10.0.1.88: icmp_seq=0 ttl=64 time=2.513 ms
64 bytes from 10.0.1.88: icmp_seq=1 ttl=64 time=5.611 ms
64 bytes from 10.0.1.88: icmp_seq=2 ttl=64 time=5.637 ms
64 bytes from 10.0.1.88: icmp_seq=3 ttl=64 time=5.608 ms
^C
--- 10.0.1.88 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 2.513/4.842/5.637/1.345 ms
# This means the connection isn't working
test@test-mbp ~ % ping 10.0.1.88
PING 10.0.1.88 (10.0.1.88): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
^C
--- 10.0.1.88 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
4. DNS Connectivity
Not all network issues are related to network traffic; sometimes, a bad DNS server configuration may cause issues. To test, you can ping a public IP address, say, 1.1.1.1, to check if the internet is accessible, and 'nslookup' will help you validate if the DNS server is able to find the public IP mapping to the domain.
test@test-mbp ~ % ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=35 time=7.59 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=35 time=7.30 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=35 time=7.51 ms
64 bytes from 1.1.1.1: icmp_seq=4 ttl=35 time=7.26 ms
^C
--- 1.1.1.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 7.269/7.422/7.593/0.149 ms
# DNS server is unreachable.
test@test-mbp ~ % nslookup firewalla.com
;; connection timed out; no servers could be reached
#DNS server can't find the correct IP address mapping to the domain
test@test-mbp ~ % nslookup firewalla.com
Server: 10.0.1.1
Address: 10.0.1.1#53
** server can't find firewalla.com: NXDOMAIN
If the Firewalla box is in Simple mode and all tests failed, go to Router Compatibility to check if Simple mode is compatible with your router.
5. Network configuration issues
If you are running Firewalla Gold or Purple in router or bridge mode and you suspect a bad configuration, you can:
- Confirm your phone is connected to the internet (4G/LTE), and the Bluetooth is turned on.
- Confirm your phone is close enough to the Firewalla box.
- Launch the firewalla app, and tap on "Network", and you should be able to configure the network.
Learn more about how to access your box when you don't have internet connectivity.
6. Other Firewall Restrictions
If you have other firewall hardware or software installed the two firewall agents very often will see each other as a threat. If you have any trouble, please check:
- If there is any built-in firewall enabled on your router.
- If you are using ASUS-RT-AC87U, please disable NAT-Acceleration. How to disable NAT Acceleration
- If anti-virus software is enabled on your local device, for example, Bitdefender, you may need to disable port scanning in that software or turn off Firewalla's port scan for that device. This stops your anti-virus software from accidentally flagging Firewalla as a cyberthreat. To control which of your devices is scanned by Firewalla, tap Scan on your box's main page, tap Device Port Scan, tap Specified Devices, and then choose which of your networks, groups, or devices gets scanned.
- Disable your other firewall devices from scanning; your devices should not scan each other.
- If you have devices like PC/MAC connected directly to firewalla, please see https://help.firewalla.com/hc/en-us/articles/14486004537235-Device-is-slow-to-get-an-IP-address-Spanning-Tree-Protocol-STP
7. Others / Advanced Users
Docker Containers
Docker containers are no different than running normal processes on the Firewalla. If you are getting connectivity issues, please check your docker containers, and make sure they are not eating CPU/Memory/Disk. We've seen many cases where the system slowdown is caused by too many containers, badly configured containers, or old docker images left behind after upgrading a container.
Comments
2 comments
Hello, i recently upgraded to a static IP address from my ISP. I updated the settings in the firewalla and since then constantly get connection reset, ssl issues etc on all browsers. I finally reformatted my computer, reset the modem and reset the firewalla and same problems.
I just now hardwired direclty to the modem bypassing the firewalla and no issues. What is going on and how do i get firewalla working
Possibly a configuration issue on static IP. If you send email to help@firewalla.com, we can help you out.
Please sign in to leave a comment.