Firewalla: Odds and Ends

While writing this series on Firewalla, we wanted to highlight why it is worth considering for improving your home network security and privacy. Firewalla was built with a clear mission: to make secure, intelligent, and privacy-focused networking accessible to everyday users without requiring enterprise-level expertise or complex configurations. By combining powerful hardware with an intuitive app-based interface, it delivers enterprise-grade controls such as device grouping, granular rules, DNS customization, and real-time monitoring in a package designed for home and small business networks.
If you are just joining us, here is a quick recap of the earlier articles in this series:
Privacy Tool Spotlight: Firewalla Purple and AP7 introduces the hardware, covers initial setup, and explains the core features of the Firewalla Purple and the accompanying AP7 access point.
Firewalla: Focusing on Groups and Users dives into user and group management, showing how to organize devices, apply rules, and create customized network policies.
Firewalla: Focusing on DNS Services explores DNS configuration options, including how to host your own Unbound DNS service.
This final piece serves as a catch-all roundup. Here we address the smaller but often very useful settings and configurations that did not fit neatly into the earlier topics. Whether you want to intercept NTP traffic (or learn what NTP is), selectively disable VPN and DNS overrides for specific groups, turn IPv6 on or off per group, or explore several other lesser-known options, you will find practical guidance below.
These tweaks can add the final layer of control and polish to your Firewalla setup. Let’s dive in.
Work From Home Group Settings
In our earlier post on Groups and Users, we recommended placing company devices into a "Work From Home" group and enabling VqLAN (Virtual Quarantine LAN) to isolate those devices from the rest of your network. We also suggest enabling Device Isolation so the devices can only reach the internet and nothing else on your local network.
This setup works well for most people, but company laptops with corporate security or VPN software sometimes need completely unrestricted internet access. Groups give you independent control over each of the following features:
- Internet (Access Blocking)
- Gaming (Access Blocking)
- Social (Access Blocking)
- Video (Streaming Access Blocking)
- Porn (Access Blocking)
- Safe Search
- VPN (Blocking VPN Use)
- Family Protect
- Ad Block
- DNS Service (Firewalla DNS Services)
To give work devices unfettered connectivity, turn all of the above off for that group.
How to disable group-level services
- Open the Firewalla app.
- Go to the main screen and tap Devices.
- Tap the Work From Home group (or whatever name you used).
- Just below the "Network Flows" chart, you will see a row of feature buttons. Tap the ... (More) button to expand the full list.
- For any feature that is currently enabled (highlighted), tap it to disable.
- Changes are saved automatically.
It may take a few seconds for the new settings to take effect on the devices. This is a great time to grab a cup of coffee!
NTP Intercept
NTP Intercept is a Firewalla security and privacy feature that intercepts all NTP (Network Time Protocol) requests from devices on your network and handles them locally on the Firewalla box itself. If you search your logs, you will probably see dozens of NTP requests from almost every device. IoT devices, such as smart plugs, will call "pool.ntp.org" almost every minute. That is a lot of network traffic, especially if you have many devices.
There are two things you can do to stop this torrent of calls. The first is to enable NTP Intercept.
How to enable NTP Intercept
- Open the Firewalla app and go to your box’s main page (the screen showing your box overview, networks, and devices).
- Tap the Services button (usually near the top or in the box control area).
- Scroll down until you find NTP Intercept.
- Toggle NTP Intercept on (it turns green).
- By default, it applies to all networks.
- To customize: Tap Apply To → select Specified Networks → choose the networks or VLANs you want it active on (for example, your IoT or VqLAN group).
Note: We usually apply the change to all devices.
Similar to the changes for the Work From Home group outlined above, the setting takes effect almost immediately.
Because we follow the principle of least privilege, we often block internet access for certain groups or devices. When we do this, we need an explicit allow rule so devices can still reach NTP servers for time synchronization.
How to create an NTP Allow Rule
This rule is useful when you have a Block Internet rule applied and still need NTP traffic (UDP port 123) to flow.
- Open the Firewalla app and go to your box’s main screen.
- Tap Rules (bottom navigation or main menu) → tap the + (Add Rule) button in the top right.
- Set the Action to Allow.
- Set the Target:
  - Recommended: Choose Domain and enter *.ntp.org (this wildcard covers pool.ntp.org and other NTP servers).
  - For more precision: Add Remote Port 123 (UDP).
- Set On (scope): Select the specific device, group, VLAN, or network that needs the exception (e.g., your IoT group). Avoid using “All Devices” unless truly necessary.
- Set the Schedule to Always (or your preferred time window).
- (Optional but recommended) Add a note such as “Allow NTP for IoT time sync”.
- Tap Save.
The new rule will appear in your Rules list. Allow rules take precedence over broader Block rules.
Quick alternative using Flows
If you see an NTP connection being blocked:
- Go to Flows.
- Find the blocked NTP flow (UDP 123).
- Tap the flow → tap Allow at the bottom.
- Adjust the domain, port, and scope as needed → save.
This approach keeps your devices tightly restricted while still allowing essential time synchronization. This also leads to our next topic.
White Lists
We follow the principle of least privilege, meaning devices are only given access to what they explicitly need to perform their function. This dramatically reduces the attack surface and limits potential data exfiltration or command-and-control (C2) communication if an IoT device is compromised, especially when combined with VqLANs and Device Isolation.
What Device Isolation (with VqLAN) Already Provides
- Local network isolation: The device is blocked from communicating with other devices on your LAN (or within the same group/VLAN), except for any explicitly allowed exceptions. It can still reach the internet in most cases.
- This is excellent for preventing lateral movement (e.g., a hacked smart camera cannot scan or attack your computers, NAS, or other devices locally).
What Adding Internet Whitelisting Provides
By combining Block All Internet access with targeted Allow rules, you restrict outbound connections to only known-good destinations.
This prevents:
- Connections to unknown or malicious servers if the device is compromised.
- Data exfiltration to attacker-controlled sites.
- Command-and-control (C2) communication.
- Unnecessary “phone home” behavior common in many IoT devices.
Together, Device Isolation and internet whitelisting create strong micro-segmentation: one protects your network from the device, the other protects the internet (and you) from a potentially compromised device.
Practical Example: TP-Link Kasa Smart Plug
- Place the smart plug in a dedicated VqLAN group (e.g., “IoT Plugs”) with Device Isolation enabled.
- On that group, enable Block Traffic to Internet to stop all outbound connections.
- Create a new Target List called “IoT Plugs Allowed”.
- Add the necessary domains. Check the device’s Network Flows to discover them. In this example we used:
  - use1-api.tplinkra.com
  - n-use1-devs.tplinkcloud.com
- (Optional but recommended) Add a note to the Target List explaining its purpose.
- Create a new Allow rule, select the “IoT Plugs Allowed” Target List, and apply it to the IoT Plugs group.
- Save the rule.
This pattern works very well for cameras, plugs, thermostats, and other IoT devices that only need to reach specific cloud servers.
In short: Device Isolation protects your network from the device. Internet whitelisting protects you from the device. When used together, they form a powerful layered defense that significantly reduces risk from vulnerable IoT hardware.
Solving IPv6 Heartburn
One of the benefits we found while testing the Firewalla Purple is that it finally let us use IPv6 consistently and reliably. IPv6 is the modern upgrade to the internet’s addressing system. It solves the limitations of IPv4 by giving every device its own unique, globally routable address. This often results in smoother smart-home performance, lower latency for gaming and video calls, faster connection setup for streaming services, and better peer-to-peer functionality.
However, some services and devices still do not play well with IPv6. In our case, a particular streaming app on the Apple TV 4K had issues. A simple rule fixed it.
How to create a rule to block all IPv6 traffic
- Open the Firewalla app and go to your box’s Home Screen → tap Rules.
- Tap the + (Add Rule) button.
- Set Action to Block.
- For Target, choose IP Range.
- Enter ::/0 as the CIDR notation (this matches all IPv6 addresses).
- Leave the protocol and ports broad to block all IPv6 traffic, or narrow them if desired.
- Under On, select the scope: a specific group, network, or device. In our example we applied it to the “Streaming Devices” group.
- Set the Schedule to Always (or your preferred window).
- (Optional) Add a note for reference.
- Tap Save.
Once the rule was active, the streaming service worked reliably again.
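To make the rule logic from the NTP allow-rule, whitelist and IPv6 sections concrete, here is a small model of how those rules combine, written for this post as an added example (it is not Firewalla’s code and does not reproduce its engine). The rule kinds, the scope matching and the allow-over-block precedence are assumptions taken from the text above; the TP-Link domains are the ones listed earlier, and the sample addresses are constructed documentation addresses.

```python
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional
# Hypothetical Target List (name -> domains), mirroring the post's "IoT Plugs Allowed" list.
TARGET_LISTS = {"IoT Plugs Allowed": ["use1-api.tplinkra.com", "n-use1-devs.tplinkcloud.com"]}

@dataclass
class Rule:
    action: str                  # "allow" or "block"
    target: str                  # "internet", "domain:<pattern>", "list:<name>" or "iprange:<cidr>"
    scope: str                   # the group the rule is applied to ("On" in the app)
    proto: Optional[str] = None  # optional remote protocol / port restriction
    port: Optional[int] = None

@dataclass
class Flow:
    group: str      # group the source device belongs to
    dst_host: str   # resolved destination name, or the literal IP when none is known
    dst_ip: str
    proto: str
    port: int

def rule_matches(rule: Rule, flow: Flow) -> bool:
    if rule.scope != flow.group or (rule.proto and rule.proto != flow.proto) \
            or (rule.port is not None and rule.port != flow.port):
        return False
    kind, _, value = rule.target.partition(":")
    if kind == "internet":
        return True
    if kind == "domain":        # "*.ntp.org" matches pool.ntp.org
        return fnmatchcase(flow.dst_host, value)
    if kind == "list":
        return any(fnmatchcase(flow.dst_host, d) for d in TARGET_LISTS[value])
    if kind == "iprange":       # "::/0" matches every IPv6 address and no IPv4 address
        return ipaddress.ip_address(flow.dst_ip) in ipaddress.ip_network(value)
    raise ValueError(f"unknown target {rule.target!r}")

def decide(rules: List[Rule], flow: Flow) -> str:
    """Allow beats Block when both match (as the post states); with no match the flow passes."""
    matched = [r.action for r in rules if rule_matches(r, flow)]
    return "allow" if "allow" in matched or "block" not in matched else "block"

# The rule set built in the post: block internet for the plugs, allow NTP and the Target List,
# and block all IPv6 for the streaming group (constructed to match the steps above).
RULES = [
    Rule("block", "internet", "IoT Plugs"),
    Rule("allow", "domain:*.ntp.org", "IoT Plugs", proto="udp", port=123),
    Rule("allow", "list:IoT Plugs Allowed", "IoT Plugs"),
    Rule("block", "iprange:::/0", "Streaming Devices"),
]
```

Feeding a plug’s flows through `decide` shows why the NTP allow rule needs the UDP/123 restriction: a TCP 443 connection to the same ntp.org host is still blocked by the group’s internet block.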
VPN Groups for Failover
In our previous post, we outlined setting up a pair of VPN connections to handle Unbound traffic and traffic that needed DNS services from the VPN provider.
Firewalla supports VPN Groups on boxes running in Router Mode with recent firmware. This feature lets you bundle multiple VPN client profiles into a single group for automatic failover and better availability. If your primary VPN drops or slows down, traffic moves seamlessly to the next profile. It is great for always-on privacy or reliable work VPN access without manual switching.
For both of our VPN connections (with and without forced DNS), we are using a VPN group. One caveat: Unbound currently works over only a single VPN connection, although that connection can be a member of a VPN group.
Before creating a VPN Group, you will need multiple individual VPN client profiles. In our example we created two profiles without forced DNS services and two profiles with forced DNS services from the provider. This gives us options for different routing needs while allowing failover within each category.
How to Create a VPN Group
- Open the Firewalla app and go to your box’s main screen.
- Tap VPN (or VPN Client).
- Tap the + button to create a new connection.
- Select VPN Group.
- Give it a clear name such as “Primary Privacy VPN” or “Work VPN Failover”.
- Tap Add VPN Profile and choose the existing profiles you want to include. You can mix OpenVPN and WireGuard.
- (Optional but recommended) Tap Edit and drag to reorder the profiles. Firewalla tries them in this order.
- Tap Save.
Firewalla connects to the profiles in the background. When the top one fails, it automatically forwards traffic to the next available profile.
Wrapping Up
We hope this series has given you a clear picture of what the Firewalla solution offers, how easy it is to configure powerful features without needing to be a networking expert, and why it is a significant upgrade over the basic routers supplied by ISPs or sold at big-box stores.
With its intuitive app (and MSP portal for power users), strong privacy tools, and flexible controls, Firewalla makes enterprise-grade networking accessible for regular homes and small businesses. Whether you are just getting started or fine-tuning advanced settings like the ones covered in this post, the platform rewards a little exploration with much better security, visibility, and peace of mind.
If you are looking to upgrade your network security and privacy, Firewalla’s solutions - especially the new Firewalla Orange with integrated Wi-Fi - are well worth your consideration.
Remember: We may not have anything to hide, but everything to protect.
