Firewalla Box Release 1.974 + App Release 1.50

19 comments

  • Scott Angstreich

    Does the AnyConnect implementation support using RSA SecurID tokens at login? If it doesn't, is that a feature you're planning to add? Thanks.

    0
  • Support Team

    @Scott

    We'll likely provide MFA in the next app update, but we don't have the RSA SecurID hardware to test.

    When it's ready, it would be great if you can try it out and let us know if it works on SecurID.

    1
  • Scott Angstreich

    Sounds great (by next app update, you mean 1.51?). Happy to test it out once available.

    0
  • Theodore Crawford

    Posting this here, since I'm not sure how much action the Beta forum gets:

    With Unbound being added, I had a few questions about its implementation.

    1. How is it running off the box? Is it installed with the new box version as a Docker container, similarly to how it was supported in previous versions, or is it running natively?

    2. Is there currently a way to edit or customize the .conf of the Unbound instance, and if not, will one be added?

    3. Is there currently a way to monitor its performance, and if not, will one be added?

    Aside from me just being a tinkerer, I think a more power-user feature like Unbound requires more power-user information availability due to the flexible and customizable nature of the solution, if for nothing else than just for troubleshooting purposes. For example, in my current deployment I'm failing DNSSEC tests with devices using Unbound - I'd be curious to see what that is.

    0
  • Support Team

    @Scott,

    Next update of 1.50 :) There are still quite a few features coming in 1.50.

    @Theodore,

    1. It's running natively.

    2. No, we are trying to hide the complexity of the configuration, especially for the first version. We may add more sub-features in the future, depending on user feedback.

    3. Sorry, not from the app. We may add a DNS diagnostic feature in the future that reports not just BLOCKED or OK, but something more, like failed with reasons.

    1
  • Theodore Crawford

    Thanks for the prompt reply, @Support.

    That's awesome that y'all got it going natively! I completely understand wanting to hide the complexity, but I do hope y'all add those options in the future for those of us interested in them! Perhaps under a "tap 10 times" option or something like that? Ditto for diagnostics.

    Do you see DoH support being added to Unbound in the future? I know it has supported DoH/DoT for some time now, but I'm not sure if/how that would work in this particular implementation.

    Tangentially related to all this Unbound talk - I assume enabling native Unbound would break Pi-hole running in Docker, correct? Is there any plan for tying in Pi-hole functionality, either natively or through potential future Unbound configuration/feature changes? I like the native AdBlock, but as y'all have already acknowledged it's not as strong or granular as Pi-hole - being able to have everything running on one box would be incredible!

    Thank y'all for taking the time to reply, by the way. I'm so happy that I went with Firewalla - it's awesome seeing devs actively work with and take feedback from their community. Your work is very much appreciated!

    0
  • Support Team

    @Theodore,

    We are unlikely to add DoH/DoT support, because unbound DoH and DoT are only for clients connecting to unbound. (Unbound doesn't support DoH and DoT when connecting to DNS authoritative servers.)

    Only the Firewalla DNS service will directly connect to unbound, and both of them are local on the box, so it's not necessary to enable DoH/DoT, which also introduces performance issues.

    And most DNS authoritative servers in the world don't support DoH/DoT, so even if unbound supported DoH/DoT to connect to them, it wouldn't work either.

    The unbound feature can't work with Pi-Hole in a container; you will have to set up containers manually for both Pi-Hole and unbound to use them together.

    FYI. The AdBlock feature in Firewalla can work with unbound.

    0
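
    The reply above makes two configuration points: DoH/DoT in unbound are listener-side options for clients connecting to unbound, and upstream TLS only exists when unbound forwards rather than recursing to authoritative servers. As an added example, not part of this thread and not Firewalla's own configuration, here is a minimal unbound.conf for a loopback-only validating resolver that shows where each of those options lives. The port, the file paths and the placeholder upstream address are assumptions.

```conf
# Added example (not Firewalla's configuration): a local, DNSSEC-validating
# recursive resolver whose only client is a process on the same box.
server:
    # Listen on loopback only; nothing off-box should reach this resolver directly.
    interface: 127.0.0.1
    port: 5335                              # assumed; any free local port works
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # DNSSEC validation against the root trust anchor (path is distro-specific; assumed).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # "yes" would hand bogus answers to clients as if they were valid; keep it off.
    val-permissive-mode: no

    # Common hardening for a recursive resolver.
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    qname-minimisation: yes
    use-caps-for-id: yes

    # DoT/DoH options are *listener* settings: they protect the hop from a
    # client to unbound. With the only client on the same box, TLS here would
    # add CPU cost and protect nothing, so they stay commented out.
    # tls-service-key: "/etc/unbound/unbound.key"
    # tls-service-pem: "/etc/unbound/unbound.pem"
    # tls-port: 853
    # https-port: 443          # DoH also needs unbound built with nghttp2

    # Needed only if the forward-zone below is enabled (path assumed).
    # tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

# Upstream TLS exists only for forwarding (or stub) zones, never for the
# recursion to authoritative servers. Enabling this block would turn the box
# into a forwarder to the named resolver instead of a full recursive resolver.
# Kept commented for contrast; the address and name are placeholders.
# forward-zone:
#     name: "."
#     forward-tls-upstream: yes
#     forward-addr: 192.0.2.53@853#resolver.example
```

    `unbound-checkconf /path/to/unbound.conf` validates the syntax before a restart. When tuning an instance of your own, `val-permissive-mode: yes` is worth checking first if validation appears to be configured but DNSSEC test sites still report failure, since in that mode unbound validates but still returns bogus answers.
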
  • Theodore Crawford

    @Support

    Ah, okay! So from Unbound's perspective, the only client it sees connecting is the Firewalla DNS service - not the individual devices on the network; DoH/DoT would only be "inside the box" so to speak, which is pointless. Do I have that right?

    So to use Pi-hole with Unbound, you'd have to leave native Unbound disabled and build it and Pi-hole in containers?

    Is there any plan in the future for native Pi-hole support as another "tier" or option within AdBlock, similar to how Unbound has now been made available? I would presume not, since it sniffs DNS requests, but I figured I'd ask! I would think it'd be a somewhat popular option, even with that caveat!

    0
  • Support Team

    @Theodore,

    1. Yes.

    2. Yes.

    3. Pi-Hole in general is a DNS-based filtering system, not just for ads. We just don't know how to position this if integrating it into Firewalla, as Firewalla already has the same feature and even more. Since some of our users like to use Pi-Hole, we implemented the docker container to make Firewalla extensible to run anything they want on the box.

    0
  • S C

    @Support

    Just firing it out there, any update on MFA for Firewalla? Would like to have as much locked down from the portal and such.

    Inquiring minds want to know :)

    0
  • Support Team

    @S C

    Do you mean MFA for Firewalla MSP login? We are working on it.

    0
  • heath

    For MFA to the MSP portal, are you going to leverage push notifications to the Firewalla app, or just go for OTP? If possible, I’d recommend push notification as it’s not susceptible to MitM attacks like OTP is.

    0
  • Support Team

    Not sure yet, still a work in progress.

    0
  • Raul

    Amazing Update! Can't wait to start testing Unbound and Target List/Rule changes.

    0
  • ColoRock

    Testing AnyConnect with multi-factor authentication. We use Azure SSO with Microsoft Authenticator App to generate the 6-digit multi-factor codes. I can't get it to connect through FWG. Are there known limitations for AnyConnect on FWG?

    0
  • Stephen Ball

    Does AnyConnect work with Okta for authentication?

    0
  • Support Team

    I don't think Okta is supported right now, but it's technically possible. We'll see if many people want it.

    0
  • Ricardo Marques

    Hi @Firewalla. I have the Beta version but I can't see the rule matching to a domain or IP address. Is that supposed to be here in the Beta, or do we have to wait for the 1.50 final release? Thanks.

    0
  • Support Team

    @Ricardo, not sure what you mean, can you help elaborate?

    0