Firewalla Gold+ and apple ecosystem hell

I really want to like my FWG+
Going in circles with their support and either getting nowhere, getting wrong information, or just being refused the truth. I’m still within the return period but want to keep it if I can make it work. The problem I’m dealing with is that I’m unable to block inappropriate traffic for my kids’ devices despite Firewalla Family Protect being all enabled, including Apple Private Relay. In addition, when Private Relay block rules are enabled, I get problems with Apple devices communicating with each other and random problems accessing the internet through mobile devices.

My setup: eero 6 pro wifi backhaul in bridge mode. Firewalla Gold Plus in router mode. All working fine as far as connection and speed. Flat network.

My devices: 3 iPads, 2 iPhones, 2 Apple TVs, 4 HomePods, about 30 IoT devices. I also have apple iCloud+ with apple private relay enabled.

Firewalla settings: family protect native mode, everything turned on, DNS over https on, ad block on. I also have quarantine enabled.

Wi-Fi setting: private Wi-Fi turned off.

Firewalla support says Apple Private Relay must be turned off in the iCloud+ settings. I understand the logic. What I don’t understand is why have Apple Private Relay block rules in Firewalla if I still need to turn off the relay in iCloud? If this is in fact the right answer then the workaround is rather cumbersome, as every portable device needs to have the relay turned back on in iCloud settings every time these devices leave the household.

Am I missing something? Unblocking some Apple and iCloud services works to a degree, but then all family filtering is broken. I asked Firewalla support about which Apple services should in fact be enabled to fix functionality and never got an answer.

This is a self-imposed battle. Firewalla is doing its job as expected and so is Apple’s Private Relay. At home, in order for Firewalla to do its job effectively, you need to disable Apple Private Relay across all your devices. Why? Because it bypasses Firewalla’s detections. When you leave home and if you want some protections, then you enable Apple Private Relay. Don’t confuse them; both services (Firewalla and Apple Private Relay) focus on different types of security/privacy. Also, for your kids, enable parental controls or make them an Apple ID account. Create a family and add them as kids, which grants you more administration.

You don’t need to disable relay at the iCloud settings level, but for every Apple device in your network you need to find the Wi-Fi network, tap into more options, and disable Private Wi-Fi Address. That essentially disables it just for that Wi-Fi network and ensures that Firewalla can ‘do its job’.

I’m an Apple user with an FWG. I have an iPhone, a watch, a MacBook and an Apple TV. My family all have iPhones and iPads. We have none of the issues you describe. Yes, blocking private relay will also stop Mail and Safari from blocking tracking pixels, but it has zero effect on devices talking to each other.

You don’t have to turn off Private Relay in your iCloud settings; that just helps reduce delays where your device will attempt to use it and cuts down on blocked flows. You will also block Private Relay if you use the DoH providers category in a block rule. This is because Apple uses the same FQDNs for DoH, blocking pixel tracking (by loading images remotely), and Private Relay.

My advice is to only block Private Relay for your kids’ groups and guest network so they can’t hop over to it and get around your content filters. Maybe make an allow rule for your devices to use Private Relay so pixel tracking blocking works.

If after this you’re still having issues, you need to check the blocked flows to see which correspond to the time you had issues, and use the diagnostic tool to see why they were blocked. It could be your upstream DoH server if you use a service that provides content filtering. You might try unbound instead. I use it and it works great.

Without blocking Private Relay, you would have the same problem with a $10,000 enterprise military-grade firewall. Private Relay is doing its job. Block it in the rules and tell your family to turn it off in order to connect to the internet.

I have FWG+ and my primary goal is also to block inappropriate sites from my kids.

As others have already suggested, the easiest way is to create a device group including all your kids’ devices and enable all the rules in that group. Blocking Private Relay in that group is then to prevent your kids from enabling it to bypass Firewalla. Trust me, they have all sorts of ways to try to circumvent your rules!

If you turn on “family native” and then block “private relay”, does it not work? This is a network block.

Could you turn off Private Relay on the devices, block it in Firewalla, and then when you’re away from home just connect to the Firewalla via VPN?

This is why I have Private Relay blocked in my household :face_with_tongue:

That and MAC address randomization.

n00b here … Question for you or OP, as I’m about to buy a FWG … what is the benefit of using Apple Private Relay (APR) on a child’s device? In this case DNS over HTTPS is already being leveraged, so what’s the value of using APR? Is it that you want to ensure your child’s anonymity from the DNS server? If so, what’s the risk? Only asking because my kids are so ringfenced the DNS server would only see them googling for dog pictures :slight_smile:

u/Tankbot001 - How do you block Private Relay and MAC randomization on your home network?

I have parental controls in place through Apple Screen Time for my kids. Unfortunately Screen Time is very limited when it comes to filtering website categories. There is a way to block specific sites, but no way to block “porn” as a category. So it seems to me that the Firewalla parental control comes at the expense of breaking the ecosystem and should not be used in households full of Apple products.

So I’m now contemplating whether I should even keep the FWG if I can’t use parental control through Firewalla. I have eero and refuse to pay $100 to play the Amazon game.

This is the way.

And if you have a guest or family member who doesn’t want to turn off the Private Wi-Fi Address setting for your network, make them sit in quarantine. :smiling_face_with_sunglasses:

I think OP said that Private Wi-Fi Address is already turned off, but it is also possible to disable Private Relay on a per-network basis by doing the following:

Go to Settings, then tap Wi-Fi.
Next to the Wi-Fi network, tap the More Info button.
Scroll down and tap Limit IP Address Tracking.

Or for cellular networks, go to Settings > Cellular > Cellular Data Options, and tap Limit IP Address Tracking.

Taken from:

I did that, then started noticing strange behaviour of my Apple devices. The official response from Firewalla is to turn relay off at the iCloud settings level.

Are you able to filter family traffic such as Facebook, TikTok, porn, etc.?

Initially I had Private Wi-Fi Address disabled specifically for the Wi-Fi. Then Firewalla rules were enabled to block Apple relay. It started causing issues with Apple services, so I had some services unblocked. Everything was working fine until I tried reaching TikTok and YouTube from my kids’ iPad. Nothing was being filtered, basically. So you might want to check parental control; Pornhub loads just fine.

I agree. Then what the hell is the purpose of having the Apple relay block in Firewalla settings if it doesn’t work? If the only way is to turn off the relay at the iCloud level then Firewalla should have disclosed this. Turning it on and off every time the kids take devices outside of the household (I have three) is a royal pain in the ass.

It didn’t work for me, as I previously described. The Private Relay block breaks Apple services: delays between Apple devices, Apple purchase requests not going through, and so forth. It basically breaks most of the Apple ecosystem services between Apple devices.

It breaks Apple services between Apple devices on the same network.

You can block MAC randomization by enabling device quarantine and blocking all internet access with the quarantine group.

As for Private Relay, create a rule matching the Private Relay target list and block it.

The only benefit of using APR on the kids’ iPads is to protect their privacy when they are using the grandparents’ Wi-Fi network. Obviously, when the kids are home my intent was to use the FWG.