Welcome to your new Firewalla Access Point 7! We’re excited to help you set up and secure your network with your new Firewalla AP7. This guide will show the first steps to creating your Wi-Fi and all the new features available.

If you haven't installed your Firewalla AP7 yet, please see our installation guide. 

1. Basic Wi-Fi Guide
   1. Create Firewalla Wi-Fi 
   2. Additional Wi-Fi Features
      1. Assign to User/Group
      2. Assign to Different Networks
      3. QR Codes for Wi-Fi
   3. View Your AP Topology Layout 
   4. New Device Visibility Features
      1. Signal Strength and Group by AP7s
      2. Wi-Fi and Access Point Details
      3. Access Point Events
   5. Local Flows 
   6. Improved Wi-Fi Testing 
2. Advanced Configurations
   1. Multiple Frequency Band Support
      1. Multi-Link Operation (MLO)
   2. Advanced Access Point Settings
      1. Change Channels and TX Power
      2. Change 5 GHz Channel Width
      3. Status Light Control
      4. IP Reservation and Local Domain
      5. Block Devices from Connecting to Specific AP7s
      6. Backhaul Mode Selection
   3. Advanced Wi-Fi Settings
      1. Optimize Wi-Fi Experience
      2. Toggle On/Off Wi-Fi
3. Getting Started with Zero Trust and Microsegmentation
4. FAQs

Other helpful resources:

• To troubleshoot your unit, please see our Troubleshooting Guide.
• For general discussions, please join our Firewalla AP7 Community Page.

Before You Begin

The Firewalla Access Point 7 offers unique configuration options beyond what is typically available in other consumer access points. Because of this flexibility, setting it up may look a little different than what you're used to.

If you're upgrading from an older Wi-Fi system, we highly recommend reviewing this article first:

• Remodeling Your Big, Old Flat Network with Firewalla & Firewalla AP7

This will help you avoid common issues with IoT devices and show you how to migrate your network smoothly.

1. Basic Wi-Fi Guide

This guide displays how Firewalla AP7’s basic features provide more control and flexibility to better fit your networking needs. In this guide, we may refer to "Wi-Fi" and "SSID" (the name of your Wi-Fi) interchangeably.

1.1 Create Firewalla Wi-Fi

When you pair your first Firewalla AP7, the app will ask you to create your Wi-Fi.  

By default, each Wi-Fi name, or SSID, uses Mixed Personal security with all frequency bands enabled. If your networking needs are simple, this default option works perfectly.

To create a new Firewalla Wi-Fi:

1. Tap the Wi-Fi button on the main screen.
2. Tap Create Wi-Fi.
3. Set the Wi-Fi name (SSID), password, and network. 

Note: If you have multiple Firewalla AP7s, any SSID created will apply to all of them. The Firewalla AP7s are installed as a set.

Unlike many consumer-grade APs, each SSID can be customized. 

Tap on any SSID listed on the Wi-Fi page, then tap Edit in the top right corner. For each SSID, you can configure the following settings:

• Network: The LAN or VLAN for the SSID. (Note: Wi-Fi can only be created on networks using the same ports as the LAN (not VLAN) the Firewalla AP7 is wired to.)
• User/Group (optional): When connected, assign devices to a user/group automatically.
• Security Settings: Choose from:
  • Personal: WPA/WPA2, Mixed Personal, WPA2/WPA3, or WPA3.
    (Mixed Personal uses WPA2 for 2.4/5 GHz, and WPA3 for 6 GHz)
  • Enterprise: WPA2, WPA2/WPA3, or WPA3. 
    (Requires App 1.67 or later. Learn more about Enterprise Wi-Fi.)
• Frequency Bands: Select from 2.4 GHz, 5 GHz, and/or 6 GHz.

1.2 Additional Wi-Fi Features

Firewalla AP7 allows you to create up to 10 separate SSIDs, each customizable for different needs, devices, or networks. 

• For example, create separate SSIDs for kids, IoT devices, or guests.
• If you have a family of four, you can create an SSID for each person, and all SSIDs can share the main network.
• Creating multiple SSIDs on the 2.4 GHz channel is not recommended, as the overhead may slow down the 2.4 GHz band.

1.2.1 Assign to User/Group (Optional)

Each SSID can be automatically assigned to specific users or groups.

To assign an SSID to a user or device group:

1. Create a new Wi-Fi or use an existing one.
2. Tap on the SSID. On the Wi-Fi detail page, tap Edit in the top right corner.
3. Tap User/Group, choose a user or device group, then save. 

Once configured, Firewalla will automatically map devices to the assigned user or device group when they connect to Wi-Fi.

1.2.2 Assign to Different Networks (Optional)

Along with users or groups, each SSID can also be automatically assigned to a specific VLAN.

To assign an SSID to a different network:

1. Create a VLAN or use an existing one.
   • The VLAN must be configured to the same ports as the LAN the AP7 is connected to.
   • A LAN (not VLAN) is required for the AP7 and should span all ports that carry AP7 traffic.
   • If the Firewalla AP7 is connected to Port 1 of your Firewalla unit, and your LAN is configured to Ports 1 and 3, then the VLAN must be configured to Ports 1 and 3.
2. Create a new SSID and select the VLAN as the network, or edit an existing SSID and choose the VLAN for the network.

Once configured, Firewalla will automatically map devices to the VLAN when they connect to Wi-Fi. 

1.2.3 QR Codes for Wi-Fi

On any Firewalla Wi-Fi, create a QR code for the Primary or Additional Microsegment to allow others to connect without entering a password or personal key.

To generate a QR code:

1. Go to your box's main screen > Tap Wi-Fi > Select an SSID.
2. Tap QR Code under the Primary or Additional Microsegment.
3. Tap Share to export and send the QR Code as an image.

1.3 View Your AP Topology Layout

Firewalla AP7 supports both wired and wireless mesh. The Firewalla app displays your Access Point topology and the signal strength of wirelessly connected (backhaul) Access Points to help you visualize how your APs are laid out. 

To view the topology:

1. Tap on Wi-Fi from the main screen.
2. Tap the Access Points tab.

The Access Points tab will also display the number of devices connected to each AP7 and the band they're connected to.

It is possible for some of the Wi-Fi backhaul units to be nested. For example, in the setup below: 

• The Yard AP is connected to the Kitchen AP via Wi-Fi.
• The Kitchen AP is connected to the Living Room AP via Wi-Fi.
• The Living Room AP, Garage AP, and Garage222 AP are directly wired to the Firewalla router.

1.4 New Visibility Features

With the Firewalla AP7, network visibility is extended to your LAN, giving you full visibility on how devices communicate within your local network. 

1.4.1 Signal Strength and Group by Access Points

Devices connected to Firewalla AP7s can be sorted by signal strength, with each device displaying a colored label indicating its value. 

To sort and view the signal strength per device:

1. Tap Devices on the main screen.
2. Tap the View Options in the top right corner.
3. Tap sort devices by Signal Strength.

Devices connected to the Firewalla AP7 can also be grouped by Connected Access Points to see which AP7 and frequency band your devices are connected to.

To group by Connected Access Points:

• Tap the View Options in the top right corner of the Devices list.
• Group Devices by Connected Access Point.

1.4.2 Wi-Fi and Access Point Details

With the Firewalla AP7, the device detail page displays Wi-Fi information for each device connected to Firewalla Wi-Fi, including:

• Connected Wi-Fi Name (SSID)
• Access Point
• Channel
• Signal Strength (as received by the Firewalla AP7)
• Wi-Fi Security
• Wi-Fi Standard
• MIMO (Multiple Input, Multiple Output)
• Rx/Tx Rates (Receive/Transmit Rates)

1.4.3 Access Point Events

To help you stay notified of your AP7 status and debug any connection issues, Access Point Events are added to your existing Firewalla Network Events.

To view your Network Events:

1. Go to your box's main screen > Tap Network Performance > Tap Recent Events.
2. Alternatively, go to Settings > Events. 

For a full list of AP7 Events and troubleshooting help, check out our guide on Network Events.

1.5 Local Flows

The Local Flows feature is enhanced to display connections between local devices connected to the Firewalla AP7. Learn more about Local Flows here.

1.6 Improved Wi-Fi Testing

With the Firewalla AP7, the Wi-Fi Test is enhanced to help you find the best Wi-Fi spots in your home or office.

When connected to Firewalla Wi-Fi, the Wi-Fi Test will provide detailed information about the connection between your phone and the Firewalla AP7, including:

• SSID
• BSSID
• Access Point
• Channel
• Band
• Signal Strength

The Wi-Fi Test feature also supports a new Signal Strength test type. To test your signal strength:

1. Ensure your phone is connected to the Firewalla AP7 Wi-Fi.
2. Go to your box's main screen > Tap Wi-Fi Test > Select Signal Strength for "Test Type."

2. Advanced Configurations

If you’re an advanced networker looking to improve Wi-Fi performance, the Firewalla AP7 offers more options to customize your Access Points.

2.1 Multiple Frequency Band Support

Each SSID supports 2.4 GHz, 5 GHz, and 6 GHz frequency bands. By default, all three bands are enabled. 

To choose the frequency bands:

1. Tap Wi-Fi on the main screen, then tap on the SSID to configure.
2. Tap Edit in the top right corner.
3. Tap Band under Advanced Settings, select the bands you’d like to use, then save.

Note: The 6 GHz band only works with WPA3 or Mixed Personal security, and it is disabled on SSIDs with personal keys. Learn more about microsegmentation here.

• If you want to assign devices to multiple users on a single SSID, while still using WPA3 and 6 GHz, consider using Enterprise Wi-Fi instead. Users can connect to Wi-Fi using a username and password. Learn more about WPA Enterprise Wi-Fi (with RADIUS) here.

2.1.1 Multi-Link Operation (MLO) (Preview Mode)

On each Firewalla SSID, enable Multi-Link Operation (MLO) to allow Wi-Fi 7 devices to use multiple bands at the same time, which can improve speed, latency, and reliability. This feature will remain in "preview" mode until tested with more real-world devices. 

To enable MLO:

1. Go to your box's main screen > Tap Wi-Fi > Select an SSID.
2. Tap Edit (top right corner) > Scroll down to find MLO > Toggle it on.
3. Tap Save in the top right corner.

Note:

• MLO enforces WPA3. Mixed Personal security and Additional Microsegments will not be available on SSIDs with MLO enabled.
  • Legacy or IoT devices may fail to connect to SSIDs with WPA3. We recommend creating a separate SSID for MLO-supported devices.
• MLO client support varies greatly across different device vendors.

With MLO enabled, the Wi-Fi Test feature can be used to see the RSSI and channels in use:

1. Connect your phone to your MLO-enabled SSID.
2. From your box's main page, tap Wi-Fi Test.

2.2 Advanced Access Point Settings

Each Firewalla AP7 can be configured to different settings to fit your needs.

2.2.1 Change Channels and TX Power

Navigate to a specific Firewalla AP7 from your Access Point list (Wi-Fi > Access Points) or Device List.

From an Access Point’s detail page, you’ll be able to configure:

• Channels: For all frequency bands, manually specify the channel to use, or let Firewalla choose it automatically.
• TX Power: For all frequency bands, manually specify the power to use, or let Firewalla choose it automatically. A high TX power may not always be the best. A lower TX power may be better if you are in a crowded place and have your Firewalla AP7s fairly close.

Warning: Unless you know what you are doing, keep these settings “automatic”. 

2.2.2 Change 5 GHz Channel Width

The Firewalla AP7 also supports adjusting the 5 GHz channel width.

Firewalla will attempt to use the highest available bandwidth when possible, but it may be reduced if the selected channel doesn't support it or if it overlaps with radar signals in your environment.

2.2.3 Status Light Control

If you'd like to disable the status light on the front of the Firewalla AP7, navigate to the AP7 detail page and toggle the Status Light button off.

To ensure you are working with the correct Access Point, you can also tap Locate This Access Point. This will make the LED light turn green on the corresponding Firewalla AP7. 

2.2.4 IP Reservation and Local Domain

If you'd like to set a specific IP address on your Firewalla AP7,

1. Go to your box's main screen > tap Wi-Fi > Access Points.
2. Tap on any Access Point > IP Address > choose Reserved.
3. Tap on Reserved IP Address to change it as needed.

To use local domains, go to Wi-Fi > Access Points > tap on any Access Point > Local Domain.

Similar to a normal device, when reserving a different IP address for the AP7, it won't adopt the new IP until reconnected to the network or the current lease is over.

2.2.5 Block Devices from Connecting to Specific AP7s

(Requires App 1.67 or later)

Some devices may prefer to connect to an AP7 that is further away, which can sometimes cause performance issues. You can block devices from connecting to specific AP7s so that they stay connected to their closest Access Point instead.

If you have more than one Firewalla AP7,

1. Navigate to the device's detail page. In the Wi-Fi details section, tap Access Point. 
2. Tap Block Access Points and toggle it on.
3. Select the AP7s you'd like to block and tap Save.

Note:

• You can block the currently connected AP7, but your device may briefly disconnect.
• Choosing which AP to connect to is ultimately up to the device, not the AP. They can suggest connections, but devices may make their own roaming decisions. If devices connect to an unideal AP, but the performance and connections are good, there is likely no need to adjust anything.
• This type of "block" may not always work with all devices. 
• If all allowed AP7s are offline, the feature will automatically disable so the device can connect to any available AP7.

2.2.6 Backhaul Mode Selection

(Requires App 1.67 or later)

Firewalla AP7 supports both wired and wireless backhaul. If your AP7 is connected with an Ethernet cable, you can select the Backhaul Mode to ensure your Wi-Fi performance stays stable and fast via Ethernet.

To select the backhaul mode, navigate to your AP7's detail page, tap Connection Type > Backhaul Mode > select the mode:

• Automatic (default): Automatically uses wired backhaul when available; otherwise, falls back to wireless.
• Wired Only: Uses wired backhaul exclusively. If no wired Ethernet connection is detected, the Access Point will not attempt to connect wirelessly.

2.3 Advanced Wi-Fi Settings

The Firewalla AP7 provides advanced Wi-Fi settings that apply to all Access Points, such as:

• Band Steering: Automatically switch between Wi-Fi Bands during idle times.
• Maximize Compatibility: Improve your Wi-Fi to be compatible with more devices. This option is enabled by default.
• Storm Control: Suppress broadcast and multicast traffic from flooding your network.
• 5 GHz DFS Channels: Include DFS channels on the 5 GHz band when the 5 GHz channel selection is set to Automatic. This option is enabled by default.
  • When the 5 GHz Band channel selection is Automatic, the Firewalla AP7 will include DFS channels to optimize network performance. DFS can increase the number of available channels for your devices, but these channels are also shared with radar systems (such as weather, airport, or military radar).
  • If you have devices that don't support DFS or live near an airport or military base and experience radar interference, disable the 5 GHz DFS Channels option.
• Adaptive DFS Selection: Automatically avoid DFS channels if radar interference is detected, while still keeping DFS channels available for when interference is low. This option is enabled by default if 5 GHz Channels are enabled.
  • Requires App 1.67 and AP7 Desktop version 0.1.114.1.9.54 and/or Ceiling version 0.1.47.1.9.54. 
• Optimize Wi-Fi Experience: Automatically set all AP7s to use the best channels for your network. 

Tap the Wi-Fi Settings button in the top right corner of the Wi-Fi page to toggle these settings.

2.3.1 Optimize Wi-Fi Experience

If any wireless devices are experiencing unstable Wi-Fi, you can optimize their Wi-Fi performance using the Optimize Wi-Fi Experience button on the device’s detail page. Firewalla may reconnect the device to a different Firewalla AP7 with a better signal (if available).

Note that this is different from the Optimize Wi-Fi Experience button on the Wi-Fi Settings page, which configures all Access Points to use the best settings for your network.

2.3.2 Toggle On/Off Wi-Fi

The Firewalla AP7 allows you to toggle Wi-Fi on or off. This is useful for temporarily disabling Guest Wi-Fi when you don't have guests.

To toggle Wi-Fi:

1. Tap Wi-Fi from your box's main screen.
2. Select any SSID you want to disable.
3. Tap Edit (top right corner) > toggle the Wi-Fi switch > Save.

The SSID will stop being broadcast, and any devices connected to it will be disconnected.

3. Getting Started with Zero Trust and Microsegmentation

Firewalla empowers homes and small businesses with Zero Trust architecture. With the introduction of the Firewalla AP7, we can push Zero Trust further into the network by protecting both the LAN and WAN. 

If you are already using "Groups" or "Users" to manage devices, all you need to do is go to groups (or users) and turn on VqLAN. (With VqLAN on, your group/user will now be segmented from the rest of your devices.)

• Use groups (or users) to identify the devices that need to be microsegmented. These devices will need to be on the same network.
• When VqLAN is on, your devices within the group/user can only talk to themselves and the internet. They will not be able to access devices outside the group/user.
• You can further enhance this microsegment by turning on Device Isolation. This will isolate devices within the same group from talking to each other. 

For more advanced uses of Zero Trust + Microsegmentation + Segmentation, please continue with these articles:

• Firewalla Zero Trust architecture
  • For a Zero Trust example walkthrough, check out: Zero Trust Network Architecture Example
  • For more scenarios and best practices, check out: Zero Trust Best Practices and Examples
• VqLAN (Firewalla Microsegmentation)
  • See more advanced Microsegmentation and Segmentation Examples here.
• WPA Enterprise Wi-Fi (with RADIUS)

4. FAQs

• Can the Firewalla AP7 be added to existing APs?
• What security type does Firewalla AP7 support?
• Does Firewalla AP support separating/merging different bands in the same or different SSIDs?
• How do I get my devices to connect to a specific AP7?
• What happens if I don't choose a User/Group for an SSID?
• What if I want more than one User/Group assigned for an SSID?

Can the Firewalla AP7 be added to existing APs?

Yes. There are a few options depending on your setup:

1. Using only Firewalla AP7s.

• If you use only Firewalla AP7s, your Wi-Fi will roam from one Firewalla AP7 to another when you walk around.
• Roaming is seamless and efficient for large homes or enterprise networks with multiple APs.

2. With third-party APs and different SSIDs.

• You can use the Firewalla AP7 in parallel with your existing third-party APs already connected to your Firewalla box.
• Connect the Firewalla AP7 to another LAN port of your Firewalla box. Ensure the new port is configured as either bridged with an existing LAN or a new LAN. Then, create a new SSID on the Firewalla AP7.
• Your third-party APs will continue broadcasting the old SSID, while the Firewalla AP7 will broadcast the new SSID.

3. With third-party APs, but the same SSID.

• If you have third-party APs or Wi-Fi routers, you can configure the same SSID + password on the Firewalla AP7.
• This setup is not recommended. If the APs are not from the same manufacturer, roaming will cause a disconnect/reconnect, and your network may not be stable during the process.

The downside of using third-party APs with the Firewalla AP7 is that the advanced Firewalla features won’t run on the third-party AP Wi-Fi.

What security type does Firewalla AP7 support?

Firewalla AP7 supports both Personal and Enterprise Security:

• Personal: WPA/WPA2, Mixed Personal, WPA2/WPA3, and WPA3.
  (Mixed Personal uses WPA2 Personal for 2.4/5 GHz, and WPA3 Personal for 6 GHz.)
• Enterprise: WPA2, WPA2/WPA3, and WPA3.
  (Requires App 1.67 or later. Learn more about Enterprise Wi-Fi.)

Note: Microsegments with personal keys are only supported with security type WPA2 personal or WPA/WPA2 Personal (WPA3 is not supported). 

• If you need WPA3, but you'd like to assign devices to specific users under a single SSID, consider using an SSID with WPA3 Enterprise security, and use usernames/passwords instead of personal keys.

Does Firewalla AP7 support separating/merging different bands in the same or different SSIDs?

Yes. Each SSID can be configured to use a combination of 2.4 GHz, 5 GHz, and 6 GHz frequency bands, or just a single band per SSID.

For example:

• Your main SSID can be configured for all three bands simultaneously, allowing newer devices to connect to the higher 5 GHz or 6 GHz bands, while older devices can still connect to the 2.4 GHz band.
• Your kids’ Wi-Fi can be set up with 2.4 GHz and 5 GHz under the same SSID.
• Your guest Wi-Fi can be limited to just 2.4 GHz. 

Note: Only SSIDs without microsegments (using personal keys) will support the 6 GHz band. Creating microsegments on an SSID with personal keys will disable the 6 GHz band for that SSID. 

• If you need 6 GHz, but you'd like to assign devices to specific users under a single SSID, consider using an SSID with WPA3 Enterprise security, and use usernames/passwords instead of personal keys.

How do I get my devices to connect to a specific AP7?

Choosing which AP to connect to is ultimately up to the device, not the access point. Access points can suggest or encourage a connection, but many devices make their own roaming decisions. Forcing a device to stay on a specific access point is not a Wi-Fi standard feature and may not always work as expected.

If your devices are connecting and performing well, there's no need to worry about which AP7 they pick. However, if you notice connection or performance issues, try the following:

• Use the Block Access Point feature to prevent the stubborn device from connecting to the less ideal AP7.
• Adjust the TX Power (lowering it can encourage nearby devices to switch)
• Reposition your AP7s to improve coverage (use the Wi-Fi Test to see when roaming happens)
• Use Optimize Wi-Fi Experience from the device detail page to force devices to reconnect to an AP7 with a better signal.
  • Use Optimize Wi-Fi Experience from the Wi-Fi Settings page to update all AP7s to use the best settings for your network.

What happens if I don't choose a User/Group for an SSID?

Selecting a User/Group for each SSID is optional. When a User/Group is assigned, devices that connect to that SSID will be automatically moved to the selected group, even if they previously belonged to another one.

If you don't choose a User/Group, the group membership will remain static. Devices that connect to the SSID will stay in their original user or group, and if New Device Quarantine is enabled, new devices will be placed in the quarantine group.

What if I want more than one User/Group assigned for an SSID?

If you'd like more than just one User/Group assigned, you can create Additional Microsegments on that SSID and assign more Users/Groups using personal keys. To learn more about the Additional Microsegments, see our Microsegmentation Tutorial.