Welcome to your new Firewalla Access Point 7! We’re excited to help you set up and secure your network with your new Firewalla AP7. This guide will show the first steps to creating your Wi-Fi and all the new features available.

If you haven't installed your Firewalla AP7 yet, please see our installation guide.

1. Basic Wi-Fi Guide
   1. Create Firewalla Wi-Fi
   2. Additional Wi-Fi
   3. View Your AP Topology Layout
   4. New Device Visibility Features
      1. Signal Strength and Group by APs
      2. Wi-Fi and Access Point Details
   5. Local Flows
   6. Improved Wi-Fi Testing
2. Advanced Configurations
   1. Multiple Frequency Band Support
   2. Advanced Access Point Settings
      1. Change Channels and TX Power for Each Frequency Band
      2. Change 5 GHz Channel Width
      3. Status Light Control
      4. IP Reservation and Local Domain
   3. Advanced Wi-Fi Settings

3. Getting Started with Zero Trust and Microsegmentation

4. FAQs

Other helpful resources:

• To troubleshoot your unit, please see our Troubleshooting Guide.
• For general discussions, please join our Firewalla AP7 Community Page.

 

1. Basic Wi-Fi Guide

The Firewalla Access Point 7 offers unique configuration options beyond what is typically available in other consumer access points. This guide displays how Firewalla AP7’s basic features provide more control and flexibility to better fit your networking needs.

In this guide, we may refer to "Wi-Fi" and "SSID" (the name of your Wi-Fi) interchangeably.

 

1.1 Create Firewalla Wi-Fi

When you pair your first Firewalla AP7, the app will ask you to create your Wi-Fi.  

By default, each Wi-Fi name, or SSID, uses Mixed Personal security with all frequency bands enabled. If your networking needs are simple, this default option works perfectly.

To create a new Firewalla Wi-Fi:

1. Tap the Wi-Fi button on the main screen.
2. Tap Create Wi-Fi.
3. Set the Wi-Fi name (SSID), password, and network. 

Note: If you have multiple Firewalla AP7s, any SSID created will apply to all of them. The Firewalla AP7s are installed as a set.

 

Unlike many consumer-grade APs, each SSID can be customized. Tap on any SSID listed on the Wi-Fi page, then tap Edit in the top right corner. For each SSID, you can configure the following settings:

• Network: The LAN or VLAN for the SSID. (Note: Wi-Fi can only be created on networks using the same ports as the LAN (not VLAN) the Firewalla AP7 is wired to.)
• User/Group (optional): When connected, assign devices to a user/group automatically.
• Security Settings: Choose from WPA/WPA2, Mixed Personal, WPA2/WPA3, or WPA3.
  
  • Mixed Personal uses WPA2 Personal for 2.4 GHz and 5 GHz and WPA3 Personal for 6 GHz.
• Frequency Bands: Select from 2.4 GHz, 5 GHz, and/or 6 GHz.

 

1.2 Additional Wi-Fi

Firewalla AP7 allows you to create up to 10 separate SSIDs, each customizable for different needs, devices, or networks. 

• For example, create separate SSIDs for kids, IoT devices, or guests.
• If you have a family of four, you can create an SSID for each person, and all SSIDs can share the main network.
• Creating multiple SSIDs on the 2.4 GHz channel is not recommended, as the overhead may slow down the 2.4 GHz band. 

(Optional) Each SSID can be automatically assigned to specific users, groups, or networks:

1. Assign to User/Group
2. Assign to Different Networks

 

1.2.1 Assign to User/Group

To assign an SSID to a user or device group:

1. Create a new Wi-Fi or use an existing one. 
2. Tap on the SSID. On the Wi-Fi detail page, tap Edit in the top right corner.
3. Tap User/Group, choose a user or device group, then save. 

Once configured, Firewalla will automatically map devices to the assigned user or device group when they connect to Wi-Fi.

 

1.2.2 Assign to Different Networks

To assign an SSID to a different network:

1. Create a VLAN or use an existing one.
   • The VLAN must be configured to the same ports as the LAN the AP7 is connected to. 
   • A LAN (not VLAN) is required for the AP7 and should span all ports that carry AP7 traffic.
   • If the Firewalla AP7 is connected to Port 1 of your Firewalla unit, and your LAN is configured to Ports 1 and 3, then the VLAN must be configured to Ports 1 and 3.
2. Create a new SSID and select the VLAN as the network, or edit an existing SSID and choose the VLAN for the network.

Once configured, Firewalla will automatically map devices to the VLAN when they connect to Wi-Fi. 

 

1.3 View Your AP Topology Layout

Firewalla AP7 supports both wired and wireless mesh. The Firewalla app displays your Access Point topology and the signal strength of wirelessly connected (backhaul) Access Points to help you visualize how your APs are laid out. 

To view the topology:

1. Tap on Wi-Fi from the main screen.
2. Tap the Access Points tab.

The Access Points tab will also display the number of devices connected to each AP7 and the band they're connected to.

 

It is possible for some of the Wi-Fi backhaul units to be nested. For example, in the setup below: 

• The Yard AP is connected to the Kitchen AP via Wi-Fi. 
• The Kitchen AP is connected to the Living Room AP via Wi-Fi.
• The Living Room AP, Garage AP, and Garage222 AP are directly wired to the Firewalla router.

 

1.4 New Visibility Features

With the Firewalla AP7, network visibility is extended to your LAN, giving you full visibility on how devices communicate within your local network. 

 

1.4.1 Signal Strength and Group by Access Points

Devices connected to Firewalla AP7s can be sorted by signal strength, with each device displaying a colored label indicating its value. 

To sort and view the signal strength per device:

1. Tap Devices on the main screen.
2. Tap the View Options in the top right corner.
3. Tap sort devices by Signal Strength.

 

Devices connected to the Firewalla AP7 can also be grouped by Connected Access Points to see which AP7 and frequency band your devices are connected to.

To group by Connected Access Points:

• Tap the View Options in the top right corner of the Devices list.
• Group Devices by Connected Access Point.

 

1.4.2 Wi-Fi and Access Point Details

With the Firewalla AP7, the device detail page displays Wi-Fi information for each device connected to Firewalla Wi-Fi, including:

• Connected Wi-Fi Name (SSID) 
• Access Point
• Channel
• Signal Strength (as received by the Firewalla AP7)
• Wi-Fi Standard
• MIMO (Multiple Input, Multiple Output)
• Rx/Tx Rates (Receive/Transmit Rates)

 

1.5 Local Flows

The Local Flows feature is enhanced to display connections between local devices connected to the Firewalla AP7.

 

1.6 Improved Wi-Fi Testing

With the Firewalla AP7, the Wi-Fi Test is enhanced to help you find the best Wi-Fi spots in your home or office.

When connected to Firewalla Wi-Fi, the Wi-Fi Test will provide detailed information about the connection between your phone and the Firewalla AP7, including:

• SSID
• BSSID
• Access Point
• Channel
• Band
• Signal Strength

 

2. Advanced Configurations

If you’re an advanced networker looking to improve Wi-Fi performance, the Firewalla AP7 offers more options to customize your Access Points.

 

2.1 Multiple Frequency Band Support

Each SSID supports 2.4 GHz, 5 GHz, and 6 GHz frequency bands. By default, all three bands are enabled. 

To choose the frequency bands:

1. Tap Wi-Fi on the main screen, then tap on the SSID to configure.
2. Tap Edit in the top right corner.
3. Tap Band under Advanced Settings, select the bands you’d like to use, then save.

Note: The 6 GHz band only works with WPA3 or Mixed Personal security, and it is disabled on SSIDs with personal keys. Learn more about microsegmentation here.

 

2.2 Advanced Access Point Settings

Each Firewalla AP7 can be configured to different settings to fit your needs.

 

2.2.1 Change Channels and TX Power for Each Frequency Band

Navigate to a specific Firewalla AP7 from your Access Point list (Wi-Fi > Access Points) or Device List.

From an Access Point’s detail page, you’ll be able to configure:

• Channels: For 2.4 GHz and 5 GHz frequency bands, manually specify the channel to use, or let Firewalla choose it automatically. (6 GHz channel specifications will be available in the future.)
• TX Power: For all frequency bands, manually specify the power to use, or let Firewalla choose it automatically. A high TX power may not always be the best. A lower TX power may be better if you are in a crowded place and have your Firewalla AP7s fairly close.

Warning: Unless you know what you are doing, keep these settings “automatic”. 

 

2.2.2 Change 5 GHz Channel Width

The Firewalla AP7 also supports adjusting the 5 GHz channel width.

Firewalla will attempt to use the highest available bandwidth when possible, but it may be reduced if the selected channel doesn't support it or if it overlaps with radar signals in your environment.

 

2.2.3 Status Light Control

If you'd like to disable the status light on the front of the Firewalla AP7, navigate to the AP7 detail page and toggle the Status Light button off.

To ensure you are working with the correct Access Point, you can also tap Locate This Access Point. This will make the LED light turn green on the corresponding Firewalla AP7. 

 

2.2.4 IP Reservation and Local Domain

If you'd like to set a specific IP address on your Firewalla AP7,

1. Go to your box's main screen > tap Wi-Fi > Access Points.
2. Tap on any Access Point > IP Address > choose Reserved.
3. Tap on Reserved IP Address to change it as needed.

To use local domains, go to Wi-Fi > Access Points > tap on any Access Point > Local Domain.

Similar to a normal device, when reserving a different IP address for the AP7, it won't adopt the new IP until reconnected to the network or the current lease is over. 

 

2.3 Advanced Wi-Fi Settings

The Firewalla AP7 provides advanced Wi-Fi settings that apply to all Access Points, such as:

• Band Steering: Automatically switch between Wi-Fi Bands during idle times.
• Maximize Compatibility: Improve your Wi-Fi to be compatible with more devices. This option is enabled by default.
• Storm Control: Suppress broadcast and multicast traffic from flooding your network.
• 5 GHz DFS Channels: Include DFS channels on the 5 GHz band when the 5 GHz channel selection is set to Automatic. This option is enabled by default.
  • When the 5 GHz Band channel selection is Automatic, the Firewalla AP7 will include DFS channels to optimize network performance. DFS can increase the number of available channels for your devices, but these channels are also shared with radar systems (such as weather, airport, or military radar).
  • If you have devices that don't support DFS or live near an airport or military base and experience radar interference, disable the 5 GHz DFS Channels option.

Tap the Wi-Fi Settings button in the top right corner of the Wi-Fi page to toggle these settings.

 

If any wireless devices are experiencing unstable Wi-Fi, you can optimize their Wi-Fi performance using the Optimize Wi-Fi Experience button on the device’s detail page. Firewalla may reconnect the device to a different Firewalla AP7 with a better signal (if available).

 

The Firewalla AP7 allows you to toggle Wi-Fi on or off. This is useful for temporarily disabling Guest Wi-Fi when you don't have guests.

To toggle Wi-Fi:

1. Tap Wi-Fi from your box's main screen.
2. Select any SSID you want to disable.
3. Tap Edit (top right corner) > toggle the Wi-Fi switch > Save.

The SSID will stop being broadcast, and any devices connected to it will be disconnected.

 

3. Getting Started with Zero Trust and Microsegmentation

Firewalla empowers homes and small businesses with Zero Trust architecture. With the introduction of the Firewalla AP7, we can push Zero Trust further into the network by protecting both the LAN and WAN. 

If you are already using "Groups" or "Users" to manage devices, all you need to do is go to groups (or users) and turn on VqLAN. (With VqLAN on, your group/user will now be segmented from the rest of your devices).

• Use groups (or users) to identify the devices that need to be microsegmented. These devices will need to be on the same network.
• When VqLAN is on, your devices within the group/user can only talk to themselves and the internet. They will not be able to access devices outside the group/user.
• You can further enhance this microsegment by turning on Device Isolation. This will isolate devices within the same group from talking to each other. 

 

For more advanced uses of Zero Trust + Microsegmentation + Segmentation, please continue with these articles:

• Learn more about Firewalla Zero Trust architecture here. 
  • For a Zero Trust example walkthrough, check out: Zero Trust Network Architecture Example
  • For more scenarios and best practices, check out: Zero Trust Best Practices and Examples
• Learn more about VqLAN (Firewalla Microsegmentation) here.
  • See more advanced Microsegmentation and Segmentation Examples here.

4. FAQs

• Can the Firewalla AP7 be added to existing APs?
• What security type does Firewalla AP7 support?
• Does Firewalla AP support separating/merging different bands in the same or different SSID?
• What happens if I don't choose a User/Group for an SSID?

 

Can the Firewalla AP7 be added to existing APs?

Yes. There are a few options depending on your setup:

1. Using only Firewalla AP7s.

• If you use only Firewalla AP7s, your Wi-Fi will roam from one Firewalla AP7 to another when you walk around.
• Roaming is seamless and efficient for large homes or enterprise networks with multiple APs.

2. With third-party APs and different SSIDs.

• You can use the Firewalla AP7 in parallel with your existing third-party APs already connected to your Firewalla box.
• Connect the Firewalla AP7 to another LAN port of your Firewalla box. Ensure the new port is configured as either bridged with an existing LAN or a new LAN. Then, create a new SSID on the Firewalla AP7.
• Your third-party APs will continue broadcasting the old SSID, while the Firewalla AP7 will broadcast the new SSID.

3. With third-party APs, but the same SSID.

• If you have third-party APs or Wi-Fi routers, you can configure the same SSID + password on the Firewalla AP7.
• This setup is not recommended. If the APs are not from the same manufacturer, roaming will cause a disconnect/reconnect, and your network may not be stable during the process.

The downside of using third-party APs with the Firewalla AP7 is that the advanced Firewalla features won’t run on the third-party AP Wi-Fi.

 

What security type does Firewalla AP7 support?

Firewalla AP7 supports WPA/WPA2, WPA2, WPA2/WPA3, and WPA3 personal. We plan to support enterprise security in the future. 

Note: Microsegments with personal keys are only supported with security type WPA2 personal or WPA/WPA2 Personal (WPA3 is not supported).

 

Does Firewalla AP7 support separating/merging different bands in the same or different SSID?

Yes. Each SSID can be configured to use a combination of 2.4 GHz, 5 GHz, and 6 GHz frequency bands, or just a single band per SSID.

For example:

• Your main SSID can be configured for all three bands simultaneously, allowing newer devices to connect to the higher 5 GHz or 6 GHz bands, while older devices can still connect to the 2.4 GHz band. 
• Your kids’ Wi-Fi can be set up with 2.4 GHz and 5 GHz under the same SSID.
• Your guest Wi-Fi can be limited to just 2.4 GHz. 

Note: Only SSIDs without microsegments (using personal keys) will support the 6 GHz band. Creating microsegments on an SSID with personal keys will disable the 6 GHz band for that SSID. 

 

What happens if I don't choose a User/Group for an SSID?

Selecting a User/Group for each SSID is optional and will dynamically assign devices to groups when they connect to the SSID.

If you don't choose a User/Group, the group membership will remain static. Devices that connect to the SSID will stay in their original user or group, and if New Device Quarantine is enabled, new devices will be placed in the quarantine group.