Open Firewalla Issues even after 10+ tickets with no responses from support for anywhere from 3-9 days
1) Inability to do MAC address Filtering. If this is implemented I suspect it will apply to every AP7 in the mesh not just select AP7s which means I still won't be able to lock specific devices to a specific AP7. Groups do not help with this as putting the AP7s in groups still does not solve this issue and breaks other functionality of micro-segmentation and VQLAN
2) Unclear whether the rules to whitelist ports/protocols for required outbound access should go on the AP7 device itself, the LAN/VLAN they connect to as a backbone or a combination of both. The only way to see this traffic is via MSP console in most use cases. Lots of open questions on how exactly the AP7 management traffic works as well as why sometimes my AP7 switches from a LAN address to VLAN address.
3) Lack of support to put AP7 into groups to manage fully. Gaps in functionality and problems with installations when the AP7s are put into groups. Because of this I just don't put them in groups.
4) VLAN1/PVID1 required to support management and setup of the AP7s. Requires me to put all of the AP7s on one managed switch connected to one port on the Firewalla. Or use the mesh network.
5) Support for only one mesh for all AP7s. This relates to the following issues:
a) Inability to only bind an SSID to a specific AP7 instead of all
b) Limits your overall total number of SSIDs for same reason
c) If you have 2.4ghz legacy IoT devices on your network that 2.4ghz SSID will be bound to every AP7 in the single mesh
d) Saturates your AP7s with un-needed WiFi bands because I don't need 2.4ghz turned on for every AP7 only the ones near my legacy devices which require it. It would also be nice if the legacy devices could be locked to only connect to those AP7s and not roam. Without this capability it decreases the overall coverage of an AP7 as well as creates the same overlap of WiFi signals on every AP7.
6) No longer able to support the SD-WAN WiFi card on the Firewalla so now it can only be used for WAN fail-over. I have found this backup WiFi connectivity very useful by creating a private Mgmt interface directly to the Firewalla without any cabling, VLANs, routing or other issues. It is almost mandatory, since just Bluetooth from the iOS app does not support all changes required as some require WiFi access to implement on the Firewalla. If you mis-configure or have some type of networking issue using the iOS app will not work.
7) Lack of clarity on the bridging/routing of the AP7 physical network ports on the back of the AP7s. I am unable to get any answers for how they are physically/logically connected. Evidently they are just bridged which means that if you decide to plug a device which supports VLANs into the back it will be unable to talk to the same VLAN on the SSIDs on the AP7. Traffic must traverse the mesh or LAN and route via the Firewalla and back out to the AP7. Still testing to see if I can fix this with a managed switch to keep the traffic localized to the switch and not route via the Firewalla.
8) Inability to apply rules to the Allowed Devices function on the AP7. It opens up all ports/protocols or none. They are planning to add rules to this for a future release.
As an example of a security hole, you are required to open Ping traffic to several IP addresses which are also public DNS server addresses. This is necessary for the AP7s to properly operate. Since the Firewalla does not support ICMP filtering you must open all ports/protocols to those specific IP addresses. Unfortunately, this skips all the Firewalla layered security and for use cases where a Roku or Firestick is on the same AP7 it opens up DNS to those devices. Also, you can no longer filter out direct DNS queries to these popular IP addresses :) Since these rules are at the device level they override any other rules at any other level.
Look forward to trying out the Ceiling version of the AP7 to determine if I can better shape the coverage and the direction of the WiFi signals. I don't have POE on my network as devices continue to require more power which exceeds the capacity of these switches and most of those switches are 2.5gb as the 10gb POE is still quite expensive to implement. Unfortunately this increased power requirement cannot be fixed with firmware only a switch hardware upgrade.
POE requires copper which I do not really use much in my entire network which is mostly fiber. Limitations of POE length along with a 10gb speed and say 50-90w power requirement for some devices is not practical in larger homes. So I tend to avoid the use of it. I did find one 10g Fiber to 10/5/2.5/1gb POE media converter which does allow for me to use Fiber to remote AP7s including ceiling mounts where there is no power.
Overall I am very happy with my Firewalla products and would recommend them to most people as a great solution.
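The exposure described in item 8 of the post above (an allow rule for all ports/protocols to ping targets that are also public DNS servers) can be audited from exported flow data. This is an added example, not part of the original post and not Firewalla tooling; the CSV layout, the device names and the two addresses (RFC 5737 documentation ranges standing in for the resolvers the post does not name) are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Placeholder addresses (RFC 5737) standing in for the public DNS resolvers
# the AP7s must be allowed to ping; the post does not list the real ones.
PING_TARGETS = {"192.0.2.53", "198.51.100.53"}
DNS_PORTS = {53: "direct-dns", 853: "dns-over-tls", 443: "possible-doh"}

# Constructed flow export (hypothetical format): device, proto, dst_ip, dst_port.
SAMPLE_FLOWS = """device,proto,dst_ip,dst_port
ap7-livingroom,icmp,192.0.2.53,0
ap7-livingroom,icmp,198.51.100.53,0
roku-den,udp,192.0.2.53,53
roku-den,tcp,198.51.100.53,853
firestick,tcp,192.0.2.53,443
firestick,udp,192.0.2.53,123
laptop,udp,10.0.0.1,53
"""

def audit_ping_target_flows(flow_csv, ping_targets=PING_TARGETS):
    """Return {device: [(proto, dst_ip, dst_port, reason), ...]} for every
    non-ICMP flow to a ping target, i.e. traffic riding the allow-all rule."""
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["dst_ip"] not in ping_targets:
            continue  # not covered by the allow rule being audited
        proto = row["proto"].strip().lower()
        if proto == "icmp":
            continue  # the only traffic the rule was meant to permit
        port = int(row["dst_port"])
        # The targets are DNS resolvers, so 53/853/443 most likely carry DNS.
        reason = DNS_PORTS.get(port, "other")
        findings[row["device"]].append((proto, row["dst_ip"], port, reason))
    return dict(findings)

if __name__ == "__main__":
    for device, hits in audit_ping_target_flows(SAMPLE_FLOWS).items():
        for proto, ip, port, reason in hits:
            print(f"{device}: {proto}/{port} -> {ip} [{reason}]")
```

Devices that appear in the result are reaching the resolvers outside the filtered DNS path; the AP7's own pings and DNS sent to the local resolver are not reported.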
-
Very likely your ticket rate triggered some type of "filtering". Would it be possible for you to just reply back to one of the tickets and work with us on just one ticket at a time? I think you are the first person who has created many tickets, and the system is not used to it. Rate limiting yourself a bit may get better attention.
To get us started, let me know which ticket number is high priority to you, we can start with that.
-
So put the ticket number here still zero support from Firewalla and not a single response to any of my tickets. If I bought a product I expect to get support. I am tired of putting in tickets with zero responses and people ask the same questions here and get an immediate response.
I had to reboot one of my AP7's today and it would not reconnect until I gave the LAN it is on emergency access. That is not a desired or secure configuration to support. I need actual support from Firewalla to resolve my questions and issues.
I just put in yet another ticket today for this issue
-
Hi Troy
Sorry about the problem, likely our system is still thinking your tickets are a form of SPAM (due to the large quantity of tickets previously). I have manually created a ticket for you, and hopefully our support will be able to see it and help you out with your recent problem.
And if you have other problems, please wait until your current problem is resolved first, before creating more tickets.