- Firewalla App version 1.50 is supported on iOS and Android.
- Box version 1.974 is supported on Firewalla Gold, Purple, and Blue Plus
New Features
- DNS Service - Unbound
- VPN Client: AnyConnect
- VPN Client: WireGuard Site to Site VPN
- Flexible Alarm Handling
- Last 12-month data usage
- Alarm/Flow Category Feedback
- Network Diagnostics
- Port Forwardings on IP Addresses
1. DNS Service - Unbound (Requires box version 1.974)
Firewalla now supports another DNS service: Unbound. Unbound is a validating, recursive, caching DNS resolver that runs locally on the Firewalla box, which helps increase your online privacy and security.
Unbound is part of the DNS Service feature along with DNS over HTTPS. To apply Unbound to your devices, tap the DNS Service button at the bottom of the main page, turn on Unbound and select the devices/groups/networks to apply to. You can also go to the detail page of any device, tap "…" on the control button panel, tap DNS service, and select Unbound.
Learn more on what DNS services to use.
Note: Any given device/group/network can have only one DNS service applied at a time, whether Unbound, DNS over HTTPS, or Family Protect.
2. VPN Client: AnyConnect (Requires box version 1.974)
In addition to OpenVPN and WireGuard, the Firewalla VPN Client now supports AnyConnect. For those of you who use AnyConnect to connect your devices to your company/school, you can now create a VPN connection on the Firewalla box and then connect any of your devices (or your entire network) to it with one tap.
If your VPN service provider requires Multi-Factor Authentication, just turn on the option and the app will ask for a one-time password when connecting to the VPN.
If your VPN service provider lets you generate your One-Time Passwords from a Secret or a QR code, tap One-Time Password, select Auto-Fill, then fill in the secret or tap the "[-]" icon on the right to scan the QR code provided by the VPN service provider, and save the configuration. Firewalla will auto-fill your OTP every time it connects to the VPN, so you no longer have to enter OTPs by hand.
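The "generate One-Time Passwords from a Secret or a QR code" flow described above is what authenticator apps implement as TOTP (RFC 6238, HOTP from RFC 4226 driven by a time counter), and the QR code normally carries an otpauth:// key URI. The following is an added illustration, not Firewalla's code and not a description of how the box stores or computes the OTP internally; it assumes standard TOTP parameters (SHA-1, 6 digits, 30-second period) and uses a constructed otpauth URI whose secret is the RFC 6238 test seed, so the results can be checked against the published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse


def parse_otpauth_uri(uri):
    """Parse an otpauth://totp/... key URI (the format usually encoded in a
    provisioning QR code) into its TOTP parameters, applying the defaults
    that authenticator apps assume when a parameter is absent."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(parsed.query)
    return {
        "secret": params["secret"][0],
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
        "algorithm": params.get("algorithm", ["SHA1"])[0].upper(),
    }


def decode_base32_secret(secret):
    """Secrets are shown to users in Base32, often lower-case, grouped with
    spaces and without '=' padding; normalise before decoding."""
    cleaned = secret.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then
    'dynamic truncation' picks 4 bytes at an offset taken from the last
    nibble of the MAC and reduces them modulo 10^digits."""
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, timestamp=None, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period).
    Both sides only need loosely synchronised clocks and the shared key."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(key, int(timestamp) // period, digits, algorithm)


def totp_from_uri(uri, timestamp=None):
    """Convenience wrapper: QR-code URI in, current OTP out."""
    p = parse_otpauth_uri(uri)
    key = decode_base32_secret(p["secret"])
    return totp(key, timestamp, p["period"], p["digits"], p["algorithm"])


# Constructed sample URI (hypothetical issuer/account); the secret is the
# RFC 6238 SHA-1 test seed "12345678901234567890" in Base32.
SAMPLE_URI = (
    "otpauth://totp/VPN%20Gateway:alice"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=VPN%20Gateway"
    "&digits=6&period=30"
)

if __name__ == "__main__":
    print("current OTP for the sample secret:", totp_from_uri(SAMPLE_URI))
```

The design point worth noticing is that the "secret" is a long-lived symmetric key: whoever holds it can produce every future code, so auto-fill means the box stores both the VPN credentials and the second factor. That is a reasonable trade-off for an unattended site-to-site style connection, but it is the same reason the secret should be treated as a password when backing up or migrating a box.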
3. VPN Client: WireGuard Site to Site VPN
Note: WireGuard is not supported on Firewalla Red and Blue.
Similar to OpenVPN, Site to Site VPN using the WireGuard protocol allows you to access shared devices such as file servers, printers, and video cameras bi-directionally between any two sites, but with a higher encryption rate and better performance. Learn more about the WireGuard VPN Server.
To create a site-to-site VPN connection using WireGuard, in the Firewalla app go to VPN Client -> Create VPN Connection -> Site to Site VPN -> Select the server box you'd like to connect to -> Select WireGuard.
4. Flexible Alarm Handling
Many of you have told us you want more flexibility in handling alarms, so we've extended the options for you. Now if you tap the Mute or the Block button of any alarm, the Firewalla app will let you decide which target to match, and whether to apply the policy to the devices, group/network the device belongs to, or all devices in your network.
Alarm handling is made much more flexible while remaining easy to use.
The app is also updated with the ability to choose which target to match and where to apply when blocking a network flow from the Flows page.
5. Last 12-month data usage (Requires box version 1.974)
Firewalla can now show the data usage of the last 12 months; tap on any month to drill down and see the daily detail. This allows you to trace back and compare your data consumption with previous months.
If you have the "monthly data plan" feature enabled, the monthly cycle will be calculated based on the reset date of your data plan.
Learn more about Bandwidth Usage Monitoring.
6. Alarm/Flow Category Feedback (Requires box version 1.974)
Firewalla uses an extensive network of intelligence feeds to categorize your network flows, and it will block or alert you when those flows fall into certain categories. The system is large and dynamic, and categorization can sometimes produce "false positives".
Because of this, we now provide the ability to Report Incorrect Categories. If you find that the domain/IP address in an alarm or a network flow is marked with an incorrect category, you can tap the category and submit your report; Firewalla will review your feedback and use it to improve our categorization system.
7. Network Diagnostics (Requires box version 1.974, Purple & Gold Only)
We all know how frustrating an Internet outage is. To improve troubleshooting, we are providing a new network diagnostic tool that can retrieve detailed network information from the box via Bluetooth or the local network when the Internet is down.
Tap "Diagnostics" on the banner of "Internet Connection Lost", and the app will open a page listing the status of the ethernet port, IP address/gateway, and the connectivity test results on each of your WAN networks. If you need any help from our support team, you can just take a screenshot, or tap on the "Share" button in the top-right corner to send the information to our team for more support.
8. Port Forwardings on IP Addresses (Gold and Purple only)
Some devices may have multiple IP addresses associated with one MAC address; in this case, Firewalla may not be able to discover them as normal devices. However, you can now create port forwardings or a DMZ host on these IP addresses. Go to Network -> NAT Settings -> Port Forwarding, tap "Add Port Forwarding" -> "Forward to…", select IP Address, and then enter the IP address.
In addition, you can now specify "Allow" sources when creating port forwardings and DMZ hosts. Similar to creating rules on a local port, you can choose to only allow traffic from certain target lists, IPs/IP ranges, or trusted regions. Allow rules will be created accordingly.
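To make the inbound-NAT semantics of this section concrete (port forwards to arbitrary internal IPs, a DMZ catch-all host, and per-entry "Allow" sources), here is an added model in Python. It is an illustration written for this page, not Firewalla's implementation: it assumes a specific forward takes precedence over the DMZ host, that a packet whose source is outside an entry's allow list is dropped rather than handed to the DMZ, and that an empty allow list means "any source". The sample policy and addresses are constructed (documentation ranges), and the audit helper at the end lists which entries are reachable from the whole Internet, which is the question a defender asks after adding a forward.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def source_in_allow_list(src_ip: str, networks: Optional[List[str]]) -> bool:
    """True when src_ip falls inside one of the listed IPs/CIDR ranges.
    None or an empty list means no restriction (any source allowed)."""
    if not networks:
        return True
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)


@dataclass
class PortForward:
    protocol: str                              # "tcp" or "udp"
    wan_port: int                              # port exposed on the WAN side
    target_ip: str                             # internal IP, need not be a discovered device
    target_port: int
    allow_sources: Optional[List[str]] = None  # IPs / CIDRs; None = any source


@dataclass
class NatPolicy:
    forwards: List[PortForward] = field(default_factory=list)
    dmz_host: Optional[str] = None             # catch-all target for unmatched ports
    dmz_allow_sources: Optional[List[str]] = None

    def route_inbound(self, protocol: str, src_ip: str, dst_port: int) -> Tuple[str, ...]:
        """Decide what happens to an unsolicited inbound packet on the WAN.
        Returns ("forward", target_ip, target_port) or ("drop", reason).
        Assumption: a specific forward wins over the DMZ host, and a source
        outside that forward's allow list is dropped, not sent to the DMZ."""
        for rule in self.forwards:
            if rule.protocol == protocol and rule.wan_port == dst_port:
                if source_in_allow_list(src_ip, rule.allow_sources):
                    return ("forward", rule.target_ip, rule.target_port)
                return ("drop", "source not in allow list")
        if self.dmz_host is not None:
            if source_in_allow_list(src_ip, self.dmz_allow_sources):
                return ("forward", self.dmz_host, dst_port)
            return ("drop", "source not in DMZ allow list")
        return ("drop", "no matching forward")

    def exposed_to_any_source(self) -> List[str]:
        """Audit helper: entries reachable from every Internet address,
        i.e. those created without an Allow source restriction."""
        exposed = [
            f"{r.protocol}/{r.wan_port} -> {r.target_ip}:{r.target_port}"
            for r in self.forwards
            if not r.allow_sources
        ]
        if self.dmz_host is not None and not self.dmz_allow_sources:
            exposed.append(f"dmz -> {self.dmz_host}")
        return exposed


# Constructed sample policy using documentation address ranges; not a real deployment.
SAMPLE_POLICY = NatPolicy(
    forwards=[
        # HTTPS forward restricted to one office network
        PortForward("tcp", 443, "192.168.1.50", 8443, allow_sources=["203.0.113.0/24"]),
        # VPN listener left open to any source
        PortForward("udp", 51820, "192.168.1.2", 51820),
    ],
    dmz_host="192.168.1.99",
    dmz_allow_sources=["198.51.100.7"],
)

if __name__ == "__main__":
    for pkt in [("tcp", "203.0.113.10", 443), ("tcp", "8.8.8.8", 443), ("tcp", "8.8.8.8", 22)]:
        print(pkt, "->", SAMPLE_POLICY.route_inbound(*pkt))
    print("open to any source:", SAMPLE_POLICY.exposed_to_any_source())
```

Running it shows the two outcomes the feature is meant to separate: the same WAN port forwards for an allowed source and drops for everyone else, and the audit lists only the one entry created without an Allow source.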
Enhancements
- Wi-Fi Access Point supports Maximum Compatibility for 2.4 GHz only Wi-Fi devices
Maximize Compatibility will allow 2.4 GHz only connections, including some IoT devices that only support 2.4 GHz connections. Please note that the internet performance may be reduced when turned on.
- For Firewalla Purple users, the ability to edit Wi-Fi networks (SSID or password) is supported. You can now go to your Wi-Fi WAN connection, tap Edit -> Wi-Fi network, select any of the networks under My Networks and tap the "i" icon to edit it.
- In VPN Client, 3rd-Party VPN profiles are now editable. You can go to any 3rd-party VPN detail page and tap Edit on the top right corner to edit any field, after saving your change, the devices you've applied to will remain unchanged.
- Support for specifying the protocol when creating rules matching a domain, IP address, or IP range.
- Support for turning off DDNS. (Requires version 1.974 and above)
Please be aware that when DDNS is turned off, you'll need to manage your public IP address manually if you are running a service at home that is reachable from the Internet.
- Support for creating rules matching target lists and local ports.
- The blocked reason is now shown when a flow is blocked by the Ad Block feature.
Bug Fixes
- Fixed the issue of incorrect live throughput chart on bridge networks.
- Fixed the issue of not being able to create rules on certain top-level domains.
- Fixed the issue of no high packet loss event when the loss rate is relatively high.
- Fixed the issue of the WireGuard VPN server not working properly in dual WAN load balance mode.
- Fixed the issue of not being able to migrate IP reservations across boxes.
- Fixed the issue of the live throughput chart disappearing occasionally (iOS).
- Fixed the issue of App crash or hang when opening a large App log file (iOS).
- Fixed the issue of incorrect display of the peer site networks in the VPN profiles (Android).
- Fixed the issue of no DNS warning when DNS over VPN is turned on (iOS).
- Fixed the issue of the box name not being updated promptly after changing it.
- Many minor UI bugs
Comments
24 comments
Does the AnyConnect implementation support using RSA SecureID tokens at login? If it doesn't, is that a feature you're planning to add? Thanks.
@Scott
We'll likely provide MFA in the next app update, but we don't have the RSA SecureID hardware to test.
When it's ready, it would be great if you can try it out and let us know if it works on SecureID.
Sounds great (by next app update, you mean 1.51?). Happy to test it out once available.
Posting this here, since I'm not sure how much action the Beta forum gets:
With Unbound being added, I had a few questions about its implementation.
1. How is it running off the box? Is it installed with the new box version as a Docker container, similarly to how it was supported in previous versions, or is it running natively?
2. Is there currently a way to edit or customize the .conf of the Unbound instance, and if not, will one be added?
3. Is there currently a way to monitor its performance, and if not, will one be added?
Aside from me just being a tinkerer, I think a more power-user feature like Unbound requires more power-user information availability due to the flexible and customizable nature of the solution, if for nothing else than just for troubleshooting purposes. For example, in my current deployment I'm failing DNSSEC tests with devices using Unbound - I'd be curious to see what that is.
@Scott,
Next update of 1.50 :) there are still quite a few features coming in 1.50.
@Theodore,
1. It's running natively.
2. No, we are trying to hide the complexity of the configuration, especially for the first version. We may add more sub-features in the future, depending on user feedback.
3. Sorry, not from the app. We may add a DNS diagnostic feature in the future so that it's not just BLOCKED or OK, but something else, like failed with reasons.
Thanks for the prompt reply, @Support.
That's awesome that y'all got it going natively! I completely understand wanting to hide the complexity, but I do hope y'all add those options in the future for those of us interested in them! Perhaps under a "tap 10 times" option or something like that? Ditto for diagnostics.
Do you see DoH support being added to Unbound in the future? I know it has supported DoH/DoT for some time now, but I'm not sure if/how that would work in this particular implementation.
Tangentially related to all this Unbound talk - I assume enabling native Unbound would break Pi-hole running in Docker, correct? Is there any plan for tying in Pi-hole functionality, either natively or through potential future Unbound configuration/feature changes? I like the native AdBlock, but as y'all have already acknowledged it's not as strong or granular as Pi-hole - being able to have everything running on one box would be incredible!
Thank y'all for taking the time to reply, by the way. I'm so happy that I went with Firewalla - it's awesome seeing devs actively work with and take feedback from their community. Your work is very much appreciated!
@Theodore,
We will unlikely add DoH/DoT support because unbound DoH and DoT are only for clients connecting to unbound. (Unbound doesn't support DoH and DoT when connecting to DNS authoritative servers.)
Only Firewalla DNS service will directly connect to unbound, and both of them are local on the box, so it's not necessary to enable DoH/DoT, which also introduces performance issues.
And most DNS authoritative servers in the world don't support DoH/DoT, so even if unbound supports DoH/DoT to connect them, it won't work either.
The unbound feature can't work with Pi-Hole in container, you will have to set up containers manually for both Pi-Hole and unbound to use them together.
FYI. The AdBlock feature in Firewalla can work with unbound.
@Support
Ah, okay! So from Unbound's perspective, the only client it sees connecting is the Firewalla DNS service - not the individual devices on the network; DoH/DoT would only be "inside the box" so to speak, which is pointless. Do I have that right?
So to use Pi-hole with Unbound, you'd have to leave native Unbound disabled and build it and Pi-hole in containers?
Is there any plan in the future for native Pi-hole support as another "tier" or option within AdBlock, similar to how Unbound has now been made available? I would presume not, since it sniffs DNS requests, but I figured I'd ask! I would think it'd be a somewhat popular option, even with that caveat!
@Theodore,
1. Yes.
2. Yes.
3. Pi-Hole in general is a DNS-based filtering system, not just for ads. We just don't know how to position this if integrating it into Firewalla, as Firewalla already has the same feature and even more. Since some of our users like to use Pi-Hole, we implemented the docker container to make Firewalla extensible to run anything they want on the box.
@Support
Just firing it out there, any update on MFA for Firewalla? Would like to have as much locked down from the portal and such.
Inquiring minds want to know :)
@S C
Do you mean MFA for Firewalla MSP login? We are working on it.
For MFA to the MSP portal, are you going to leverage push notifications to the Firewalla app, or just go for OTP? If possible, I’d recommend push notification as it’s not susceptible to MitM attacks like OTP is.
Not sure yet, still a work in progress.
Amazing Update! Can't wait to start testing Unbound and Target List/Rule changes.
Testing AnyConnect with multi-factor authentication. We use Azure SSO with Microsoft Authenticator App to generate the 6-digit multi-factor codes. I can't get it to connect through FWG. Are there known limitations for AnyConnect on FWG?
Does AnyConnect work with OKTA for authentication?
I don't think OKTA is supported right now, but it's technically possible. We'll see if many people want it.
Hi @Firewalla. I have the Beta version but I can't see the rule matching to a domain or IP address. Is that supposed to be here in the Beta or do we have to wait for the 1.50 final release? Thanks.
@Ricardo, not sure what you mean, can you help elaborate?
When will 1.974 go public?
@Daniel,
Very likely this week for Gold.
Others maybe next week or the week after.
@Firewalla, how do we troubleshoot 3rd party vpn connection failures?
Is it possible to add an option to automatically whitelist URL/IP addresses required by 3rd-party apps?
for example MS Teams has several URL/IP that Microsoft suggested to get whitelisted in Firewall and it would be easier to have the app specific setting built in to the Firewalla.
I'm new here and I'm receiving my box today so sorry if this was asked before.
@Todd, we will add troubleshooting functions in future updates.
@Pejman, you can create a target list in my.firewalla.com, add any IP/domain to the list, and add a rule to allow them in your network.
https://help.firewalla.com/hc/en-us/articles/1500005941962-Firewalla-Feature-Target-List