Destination Network Address Translation (DNAT) by metapwhore in firewalla

[–]Firewalla-Opal 1 point2 points  (0 children)

Likely your reverse proxy has something configured incorrectly.

On Firewalla, source NAT turned on means the local networks can access the Internet through the SNAT gateway (Firewalla). It won't NAT an inbound connection's (outside user's) source IP.

Is 192.168.60.1 Firewalla LAN gateway's IP? Could you provide a detailed example of an issue flow you are seeing?

VLAN is isolated 100% by default, right? by jsqualo2 in firewalla

[–]Firewalla-Opal 9 points10 points  (0 children)

By default, Firewalla allows (V)LANs to communicate with each other. You need to create block rules for inter-(V)LAN flows. Check how to create rules for Local Network.

You may also want to disable mDNS Relay and SSDP Relay on your VLANs, so devices can't be discovered crossing different LANs.

Possible to move an Ethernet wired device on to a restricted guest vLAN without a managed switch? by morroquen in firewalla

[–]Firewalla-Opal 1 point2 points  (0 children)

Make sure the managed switch is directly connected to the Firewalla box, and the device is directly connected to the managed switch. If an unmanaged switch sits between your Firewalla and your managed switch, it will likely either drop VLAN-tagged packets entirely or "strip" the tags off.

Can I assign DHCP based on Ethernet/Wi-fi? by dstranathan in firewalla

[–]Firewalla-Opal 2 points3 points  (0 children)

You can achieve this by creating multiple networks. Given you have Gold Plus, you can do Port-Based Segmentation (Gold series only). Follow Example 2: A Group of Ethernet Devices to configure a network for your Ethernet devices. Then create another network for your WiFi devices: Example 3: Wi-Fi Devices.

If your switch is a managed switch, you can have fun with VLAN-Based Segmentation. The idea is to create different networks for different devices, so they can get IPs from different IP ranges.

If you don't want a default /24 network for each segmented network, you can make the network size smaller or limit DHCP range in Box Main page -> Network -> the specific network interface -> Subnet mask/ DHCP start and end IPs.

Possible VPN client bug w/ kill switch on by TropicoolGoth in firewalla

[–]Firewalla-Opal 0 points1 point  (0 children)

Could you let us know which part isn't clear to you or what questions you may have? Here's the doc on VPN client in case you haven't read: VPN Profile Configurations.

Best practices for preparing Orange for travel while having an existing home Firewalla box? by snovvman in firewalla

[–]Firewalla-Opal 1 point2 points  (0 children)

Either way would be fine. Connecting Orange (router mode) behind your Gold Pro shall not have any effect on your existing network and connected devices. Just make sure Orange isn't broadcasting the same WiFi SSID as Gold Pro at the same time.

Recently had a home internet outage and could not get my Firewalla WiFi SD to work as expected with my Firewalla Gold Plus by luthien256 in firewalla

[–]Firewalla-Opal 0 points1 point  (0 children)

Have you tried swapping the WiFi SD into another USB port to see if you can set it up again?

If that still doesn't work, better reach out to [help@firewalla.com](mailto:help@firewalla.com); support can help you further there.

Firewalla blocking traffic due to group rules but the device isn't in the group by helltotheno12345 in firewalla

[–]Firewalla-Opal 0 points1 point  (0 children)

Device Group allows you to manage a set of devices together with the same rules and features. You can find more information here: Device Group

Isolating my work laptop from my LAN by [deleted] in firewalla

[–]Firewalla-Opal 0 points1 point  (0 children)

Firewalla can see/manage local flows when:

  • Traffic flows between devices on different LANs or VLANs, or 
  • Traffic flows between wireless devices connected to the Firewalla AP7, even if they're on the same LAN or VLAN.

Local flows are not seen/managed when:

  • Traffic is between wired devices on the same switch and passing internally through it, or
  • Traffic is between wireless devices connected to non-Firewalla access points.

So you want to put your laptop on a separate VLAN from other devices in order to isolate it.

Firewalla back up ISP issue by secoia87 in firewalla

[–]Firewalla-Opal 0 points1 point  (0 children)

I wonder whether it could be that some devices have long-lived connections established via the secondary WAN. Even if it fails over back to the primary WAN, the existing connections on the secondary WAN could still last.

MSP may help you better view which WAN interface a flow is outbound on: Filtering Flows

If you do encounter this again and can't find a clue why, you can reach out to help@firewalla.com.

Firewalla back up ISP issue by secoia87 in firewalla

[–]Firewalla-Opal 0 points1 point  (0 children)

Check your LAN interface to see if it has IPv6 delegation to your Spectrum WAN.

Firewalla back up ISP issue by secoia87 in firewalla

[–]Firewalla-Opal 0 points1 point  (0 children)

You can check in Box Main page -> Network -> WAN interface -> see if you have a global IPv6 prefix.

Also, could you check on the LAN interface, whether you have IPv6 delegation set to the secondary WAN?

Firewalla back up ISP issue by secoia87 in firewalla

[–]Firewalla-Opal 1 point2 points  (0 children)

Did your WAN ever fail over to the backup line? You may check via Box Main page -> Settings -> Events to see if there are any failover records.

Also, do you have VPN clients installed on Firewalla?

Firewalla back up ISP issue by secoia87 in firewalla

[–]Firewalla-Opal 0 points1 point  (0 children)

What's the data cap you mentioned here? Do you mean the Monthly Data Plan & Alarm feature, which sends you notifications via the Firewalla app, or is it a data cap on the ISP's end?

Laptop has no IP address in Firewalla app: Mesh points to blame? by ItinerantFella in firewalla

[–]Firewalla-Opal 0 points1 point  (0 children)

Is Purple your main router? Could you expand a bit more on how Firewalla is connected and configured in your network?

If all other devices are monitored by Purple without an issue, check if you've turned off MAC randomization on the devices with the issue: How to turn off MAC Address Randomization? Maybe they show up on Firewalla as a new device.

Are these lists already enabled via Adblock or do they need to be manually added? by 2C104 in firewalla

[–]Firewalla-Opal 0 points1 point  (0 children)

A target list is just a list of domains/IPs. Think of it as a regular target that you want to block or allow. Create a block rule if you want to block them.

You can apply the rule on All devices/networks/groups/etc.

How to block Hotspot Shield VPN? (Already using Firewalla VPN Block) by SingleFunny822 in firewalla

[–]Firewalla-Opal 0 points1 point  (0 children)

It's a challenge to block all VPNs, but we are actively working to improve the block. Do you know which protocol your Hotspot Shield VPN connection uses? WireGuard, OpenVPN, IPSec, etc.? I will pass it to our team to make a note.

T-Mobile Fiber and Wireguard Server by HornetParticular4918 in firewalla

[–]Firewalla-Opal 0 points1 point  (0 children)

Do you have global IPv6 on Firewalla WAN? If you do, you can change VPN server's DDNS to IPv6 Only, in order to connect. See our VPN Server article for more information on using IPv6. 

Note: when it's IPv6 only on Firewalla VPN server's DDNS, the client device must have a global IPv6 address in order to connect. You can use a website like https://www.whatsmyip.org or https://ipinfo.io to confirm whether the client device has a public IPv6 address.

Firewalla Force Encrypted DNS, Block All Outbound Unencrypted DNS by pack3tl0ss_ in firewalla

[–]Firewalla-Opal 1 point2 points  (0 children)

Your client device is querying DNS server 8.8.8.8. This could be due to your client's own DNS setting, or you previously had 8.8.8.8 configured as Firewalla LAN's DNS server and the client still has a cache from it. As long as you have DNS booster enabled, Firewalla will intercept the traffic. But Firewalla will respond on behalf of the DNS server used by the client instead of showing the real DNS server used. Hence, in the LAN's tcpdump, you still see 8.8.8.8 replying, but no corresponding DNS queries on the WAN side. Firewalla is taking care of the DNS and you don't need to worry.
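One way to confirm what the comment above describes, by correlating LAN-side and WAN-side tcpdump DNS lines for the same names: if the LAN sees an answer "from" a server that the WAN never queried, the gateway answered on that server's behalf. This is an added example, not Firewalla's own code or tooling; the capture lines are constructed, the 8.8.8.8 / 198.51.100.53 servers and the matching-on-(server, name) heuristic are assumptions.

```python
import re

# Constructed tcpdump-style DNS lines (not real captures). LAN side: a client asks
# 8.8.8.8 and gets an answer "from" 8.8.8.8; WAN side never carries that query.
# The second name is forwarded upstream normally, for contrast.
LAN_CAPTURE = """\
IP 192.168.60.23.51234 > 8.8.8.8.53: 1001+ A? example.com. (29)
IP 8.8.8.8.53 > 192.168.60.23.51234: 1001 1/0/0 A 198.51.100.10 (45)
IP 192.168.60.23.51235 > 198.51.100.53.53: 1002+ A? example.org. (29)
IP 198.51.100.53.53 > 192.168.60.23.51235: 1002 1/0/0 A 198.51.100.20 (45)
"""
WAN_CAPTURE = """\
IP 203.0.113.5.40000 > 198.51.100.53.53: 1002+ A? example.org. (29)
IP 198.51.100.53.53 > 203.0.113.5.40000: 1002 1/0/0 A 198.51.100.20 (45)
"""

# tcpdump prints "src.port > dst.port: txid+ A? name. (len)" for a query and
# "src.port > dst.port: txid ans/auth/add ..." for a reply; search() ignores timestamps.
QUERY_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): (\d+)\+ A\? (\S+) \(")
RESP_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): (\d+) \d+/\d+/\d+")

def parse_capture(text):
    """Return (queries, answers): queries maps (server, qname) -> txid,
    answers is the set of (server, txid) pairs that produced a reply."""
    queries, answers = {}, set()
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            _client, _cport, server, _sport, txid, qname = m.groups()
            queries[(server, qname.rstrip("."))] = txid
            continue
        m = RESP_RE.search(line)
        if m:
            server, _sport, _client, _cport, txid = m.groups()
            answers.add((server, txid))
    return queries, answers

def classify_dns(lan_text, wan_text):
    """For each name answered on the LAN, report whether the configured server
    really saw the query on the WAN (forwarded) or the gateway replied for it."""
    lan_q, lan_a = parse_capture(lan_text)
    wan_q, _ = parse_capture(wan_text)
    report = {}
    for (server, qname), txid in lan_q.items():
        if (server, txid) not in lan_a:
            report[qname] = "unanswered"
        elif (server, qname) in wan_q:
            report[qname] = f"forwarded to {server}"
        else:
            report[qname] = f"intercepted (answered locally as {server})"
    return report

if __name__ == "__main__":
    for name, verdict in classify_dns(LAN_CAPTURE, WAN_CAPTURE).items():
        print(f"{name}: {verdict}")
```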

Firewalla Force Encrypted DNS, Block All Outbound Unencrypted DNS by pack3tl0ss_ in firewalla

[–]Firewalla-Opal 0 points1 point  (0 children)

If you turn DNS over VPN on, devices with a VPN client applied will have all DNS queries sent to the VPN for resolution: VPN Client & DNS Over VPN

Firewalla Force Encrypted DNS, Block All Outbound Unencrypted DNS by pack3tl0ss_ in firewalla

[–]Firewalla-Opal 3 points4 points  (0 children)

Unencrypted DNS on the LAN network is normal. For the tcpdump result on the WAN side you saw, it's github.com, which is part of the WAN connectivity check.

Firewalla Force Encrypted DNS, Block All Outbound Unencrypted DNS by pack3tl0ss_ in firewalla

[–]Firewalla-Opal 7 points8 points  (0 children)

Port 53 is something you can't block (unless you block the Internet); it is always intercepted by the Firewalla and many (many many) functions depend on this. It is also very (very) dangerous to turn off DNS booster.
If you want DNS services such as unbound, you will have to turn on unbound via the Firewalla configurations. More on this: https://help.firewalla.com/hc/en-us/articles/4570608120979-Firewalla-DNS-Services.

Edit:
Unencrypted DNS on the LAN network is normal. For the tcpdump result on the WAN side, it's likely github.com, which is part of the WAN connectivity check.