AP7 Beta, Known Facts and Issues
Pinned
Facts:
- [VLAN] In order for vlan network to be selectable when creating SSID, the physical ports used by VLAN network needs to be the exact same as the physical LAN network (which is the AP mgmt network).
- [INSTALL] If you have Purple built-in WiFi in AP mode, it will get turned off (without a warning message) if you install firewalla AP7. (Warning message is coming up soon)
- VqLAN will only work with devices managed by the Firewalla AP7.
- To allow a device from accessing a vqlan group or device, need to use "Allowed Devices" in group/device page. Creating rule to allow device from accessing a LAN IP in Rules UI won't work for this case, because allow rule on IP won't be propagated to AP.
- There can be only one Mesh connected to and be managed by the Firewalla Box.
- 6ghz wifi band channel selection is disabled.
- If AP7 has lost the connection to gateway & internet, it will blink RED, and soon it will shutdown it's own SSID. This is to prevent devices from connecting to a dead SSID.
- 6ghz only Hidden SSID can't be connected according to 6ghz standard. A workaround is to enable 2.4ghz or 5ghz band as well as 6ghz when creating the hidden ssid.
Issues:
- If you see extra VPN networks name AP in my.firewalla, or MSP web interfaces, these networks are used to manage your AP via the Firewalla. (example below)
Tips not related to the Firewalla AP7
- If you are speed testing, and if you have a switch between the AP7 and your Firewalla unit that converts 2.5Gbit to 10Gbit, please turn on flow control on that switch. If you don't, your speed tests will be slow. (This is NOT a AP7 issue, it is a.networking issue)
- The 3.x Gbit tests are from Oneplus units running on 6ghz.
- Some Wi-Fi 7 clients (like iPhone 16) might support only 160Mhz in 6ghz; their speed will be maxed at around 1.6gbit
- When setting up some legacy 2.4ghz-only IoT devices, it may require phone to be on the same band as IoT device so that the phone can send the right SSID information (e.g. BSSID) to the IoT device. So if the ssid is mixed and phone is connected to 5ghz, the IoT device may fail to connect. If you encounter this issue, you may have to temporarily deselect 5ghz/6ghz for this SSID during the setup.
- Some legacy IoT devices may not able to connect WPA2/WPA3 mixed SSID, but only able connect to WPA2 only SSID.
- If vlans are configured on AP, and there is a managed switch between box and AP, then these vlans must be configured and enabled on the managed switch as well, otherwise, the vlan traffic will be blocked by the managed switch.
- Sometimes your phone may need to "forget the SSID" and reconnect, after WiFi config is changed on AP7 side. In some rare cases, during our own test, we had to reboot phone to get max performance.
- Some devices may not like DFS channels. Try to disable DFS in Wifi Settings if devices have trouble to connect to 5ghz DFS channels.
- Try to change channels or use "Optimize Wifi Experience" feature if device has good signal but still encounters heavy connectivity issues. There may be strong Wi-Fi interference nearby.
-
Yes I have also just discovered this limitation for the AP7 after installing my second one :) If you are hardwired this is also true as both of my AP7s are hardwired and there are several things I have found to be limitations with a single only mesh design:
1) All SSIDs show up on all AP7s - there is no way to bind the SSID to an AP7 or even hide/un-hide the SSID by AP7
While this seems great in a small home and is most use cases perhaps. I don't need every SSID to show up on all AP7s as it would seem to me that would add to the wireless noise and coverage ranges. I don't want to enable 2.4ghz on every AP7 in my house just the one nearest the couple of 2.4ghz only devices I may have. Most of which are security related so it would limit the overall ability to not broadcast these secure devices SSID on every AP7
2) There is no MAC filtering available on the AP7
This is a pretty basic thing on most APs and used heavily on SSIDs with security type devices as I mentioned above.
3) You cannot really place the AP7's in groups to manage them which is kind of odd since there is only one mesh
It appears that even though the wireless security is a very great thing. the LAN security are a little lacking for these devices. probably because the assumption is everyone will not hard-wire them but use a mesh. I had to take mine out of a group as somethings simply did not work. This kind goes against manage a mesh type architecture as management simplicity would see to be something that would be needed. I use the groups functionality a lot to segment/secure parts of my home network.
4) Bandwidth/performance/latency limitations using only one mesh
It would seem to me that 10gb is the total limit of the Mesh in entirety? Because I am assuming since we have the requirement of VLAN1/PVID1 for every AP7 that one logical segment with one mesh would limit the throughput of every AP7? While Firewalla seems to think 2.5gb is their sweet spot the rest of the consumer/prosumer market has moved on to 10g or greater speeds. The inability to segment the AP7 mesh to have multiple individual meshes limits overall scale. Perhaps I am the only one with plex media servers hardwired and pushing past the 2.5gb bandwidth and needed to upgrade to 10g. While the Firewall Gold Pro is an impressive device there are limitations of all this VLAN, vqLAN, etc.. I would think the inability to segment the one mesh would become a bottleneck at some point.
4) Having a test AP7 segmented off for testing is not supported with a one mesh design.
This is a great product but it does have some feature/function gaps like any other. Hopefully Firewalla will listen to some of this feedback and adjust as necessary with future capabilities.
-
3) You cannot really place the AP7's in groups to manage them which is kind of odd since there is only one mesh
It appears that even though the wireless security is a very great thing. the LAN security are a little lacking for these devices. probably because the assumption is everyone will not hard-wire them but use a mesh. I had to take mine out of a group as somethings simply did not work. This kind goes against manage a mesh type architecture as management simplicity would see to be something that would be needed. I use the groups functionality a lot to segment/secure parts of my home network.
I don't think they are making that assumption since they are making a ceiling mounted version and have stated that most users will probably hardwire the ceiling mounted version. It's supposed to be POE powered, and most folks will use a switch to do that.
Please sign in to leave a comment.
Comments
7 comments