Firewalla + Your Existing Router
Get powerful network security in under 30 minutes. No technical expertise required. Works with any ISP.
What You'll Achieve
By the end of this guide, you'll have:
π‘οΈ Threat Blocking
Automatic blocking of malware, phishing, and malicious domains across all devices β including smart TVs, IoT gadgets, and guest phones that can't run antivirus.
π Device Monitoring
See every device on your network, what they're connecting to, and how much data they're using. Get instant alerts when unknown devices join.
π« Ad Blocking
Network-wide ad blocking without installing anything on your devices. Works on smart TVs, game consoles, and IoT devices that don't support browser extensions.
π VPN Access
Securely access your home network from anywhere in the world. Browse through your home IP at coffee shops, hotels, and airports.
What You Need
A one-time investment of ~$450-500 that will protect your household for years. Compare that to the cost of identity theft, ransomware, or a compromised smart device spying on you.
π₯ Recommended Bundle (~$480 total)
Everything you need for solid home network security. One-time purchase, years of protection.
Firewalla Purple
The brain of your network security. This compact, fanless device sits between your ISP router and all your devices, inspecting every packet of traffic in real time. No subscription fees β you buy it once and it protects you forever.
- Network-wide ad blocking (works on smart TVs, game consoles, everything)
- Malware & phishing protection using continuously updated threat feeds
- Device monitoring dashboard β see exactly what each device is doing
- Built-in VPN server (WireGuard & OpenVPN)
- Bandwidth monitoring and per-device usage stats
Zyxel NWA50AX Wi-Fi 6 AP
Replace your ISP's weak Wi-Fi with a proper enterprise-grade access point. The NWA50AX supports client isolation (prevents IoT devices from attacking each other on the same network) and Wi-Fi 6 for faster speeds with more simultaneous devices.
- Wi-Fi 6 β handles 50+ devices without slowing down
- Client isolation β each device can only talk to the internet, not each other
- Works standalone (no cloud account required) or Nebula cloud-managed
- Future-ready for VLANs when you upgrade to Advanced Mode
- PoE-capable β can be powered through the Ethernet cable (with a PoE switch)
As an Amazon Associate, we earn from qualifying purchases. This helps support our free security guides.
π‘ Why the Wi-Fi AP?
Your ISP router's Wi-Fi is often the weakest link. The Zyxel AP gives you:
- Client Isolation: Prevents your Fire Stick from attacking your laptop (yes, this happens)
- Better Range: Proper antenna design vs. ISP's cheap hardware
- Future-Proof: When you're ready for Advanced Mode with VLANs, this AP supports it
πΈ On the Price...
We know ~$480 isn't cheap. But consider: the average cost of identity theft is $1,500+ in direct losses, plus hundreds of hours fixing it. A single ransomware attack can cost $10,000+. This is insurance that actually prevents the problem.
And unlike antivirus subscriptions ($50-100/year), this is a one-time purchase that protects your entire household.
How It Works
Internet
β
βΌ
βββββββββββββββββββ
β ISP Router β β Disable its Wi-Fi
β (modem only) β
βββββββββββββββββββ
β
βΌ
βββββββββββββββββββ
β Firewalla Purpleβ β Monitors & protects all traffic
β (DHCP Mode) β
βββββββββββββββββββ
β β
β ββββββββββββββββ
βΌ βΌ
Wired Devices βββββββββββββββ
(Ethernet) β Zyxel AP β
β (Wi-Fi 6) β
βββββββββββββββ
β
βΌ
Wi-Fi Devices
(phones, laptops, IoT)
Firewalla sits between your ISP router and all your devices. The Zyxel AP replaces your ISP's weak Wi-Fi with proper coverage and client isolation (so your IoT devices can't attack each other).
Setup Steps
1 Unbox & Connect
- Plug the power adapter into Firewalla Purple β use the included USB-C cable and power brick
- Connect an Ethernet cable from your ISP router's LAN port to Firewalla's WAN port (the port closest to the power connector)
- Wait for the LED to turn solid blue (about 2 minutes). Flashing means it's still booting
π‘ Which Port Is Which?
Firewalla Purple has 2 Ethernet ports. The WAN port (closer to the USB-C power) connects TO your ISP router. The LAN port connects FROM Firewalla to your devices or Wi-Fi AP. Think of it as: internet comes IN through WAN, your devices go OUT through LAN.
2 Download the App
- Download Firewalla from the App Store (iOS) or Google Play (Android)
- Create a Firewalla account or sign in β use a strong, unique password
- Tap Add New Box on the home screen
- Make sure Bluetooth is enabled on your phone β the app uses it to find your Firewalla
β οΈ Use a Dedicated Email
Consider using a dedicated email for your Firewalla account (not your primary email). If an attacker compromises your email, they shouldn't be able to access your network security dashboard. A separate email adds a layer of isolation.
3 Pair Your Device
- The app will search for your Firewalla via Bluetooth β keep your phone within a few feet of the device
- When found, tap to pair. You'll see the device's serial number β confirm it matches the sticker on the bottom
- Follow the on-screen setup wizard. It takes about 3-5 minutes to complete initial configuration
π‘ Bluetooth Not Finding It?
Make sure Firewalla has been powered on for at least 2 minutes (solid LED). Try closing and reopening the app. On Android, make sure Location Services are enabled β Android requires this for Bluetooth scanning.
4 Choose DHCP Mode
- When asked to choose a mode, select DHCP Mode
- This is the easiest option β no router changes needed, no risk of breaking your internet
- Firewalla will configure itself automatically and start monitoring within 60 seconds
π‘ Why DHCP Mode?
DHCP Mode works with any router without modifications. Firewalla creates an overlay network and monitors all traffic. Perfect for beginners who don't want to touch their ISP router settings.
The tradeoff: DHCP Mode means your ISP router is still doing NAT (network address translation), which creates "double NAT." This works fine for everyday use but can complicate VPN access from outside your network. If that matters to you later, the Advanced Guide covers Router Mode which eliminates this.
5 Enable Protections
- Once setup completes, go to Features in the app
- Enable Ad Block β blocks ads network-wide, including in-app ads on smart TVs and mobile games
- Enable Safe Search β forces Google, Bing, and YouTube to filter explicit content
- Enable Active Protect β blocks known malicious domains, phishing sites, and command-and-control servers
- Enable New Device Quarantine (if available) β automatically isolates unknown devices until you approve them
π‘ What Gets Blocked?
Firewalla uses multiple threat intelligence feeds that are updated continuously. When any device on your network tries to connect to a known malicious domain β whether it's a phishing link in an email, malware calling home, or a compromised IoT device β Firewalla blocks it and sends you an alert. You'll be surprised how many blocked connections you see in the first 24 hours.
6 Explore Your Dashboard
Your main dashboard is your network's control center. Here's what each section means:
- Network Status: Green = healthy, Yellow = warnings, Red = active threats detected
- Device Count: Total devices on your network β if this number is higher than expected, investigate
- Blocked Flows: Threats that were stopped. Don't panic if this number is high β it means Firewalla is doing its job
- Traffic Stats: Upload/download for the day. Unusually high upload from a device could indicate data exfiltration
- Alarms: Tap to see recent security events β new devices, blocked connections, abnormal uploads
Main dashboard showing network stats and blocked flows
Spend 5 minutes each day checking your dashboard for the first week. You'll quickly learn what's normal for your network and be able to spot anything unusual.
Identify Your Devices
Firewalla automatically discovers every device on your network β no manual IP hunting required.
π± View All Connected Devices
- Open Firewalla app β tap Devices
- See all devices with names, IP addresses, and MAC addresses
- Tap any device to see its traffic, set rules, or rename it
- Unknown devices show as "New Device" β tap to identify and name them
π Get Alerts for New Devices
- Go to Settings β Notifications
- Enable New Device alerts
- You'll get a push notification whenever something new joins your network
π― Why This Matters
If a hacker gets on your Wi-Fi, you'll know immediately. If your neighbor's kid guesses your password, you'll see their phone pop up. This is your early warning system.
π·οΈ Organize Your Devices
- Rename devices: "Unknown" β "Living Room Fire Stick"
- Create groups: "IoT Devices", "Work Devices", "Kids Devices"
- Set per-device rules: Block specific sites, limit bandwidth, schedule access
Set Up the Zyxel Wi-Fi AP
Now let's replace your ISP's weak Wi-Fi with proper coverage and security.
7 Connect the Access Point
- Connect an Ethernet cable from Firewalla's LAN port to the Zyxel AP's Ethernet port
- Plug in the AP's power adapter (or use PoE if you have a PoE switch)
- Wait 2-3 minutes for it to boot β the LED will cycle through colors then settle to steady green
- The AP will get an IP address from Firewalla automatically via DHCP
π‘ Placement Tip
For best coverage, place the AP centrally in your home, elevated if possible (shelf or wall-mounted). Avoid placing it near microwaves, baby monitors, or cordless phones that interfere with the 2.4GHz band.
8 Configure the AP
- In Firewalla app, go to Devices and find the Zyxel AP (may show as "Zyxel" or by MAC address)
- Note its IP address (e.g., 192.168.x.x)
- Open a browser on your phone or laptop and navigate to that IP address
- Login with default credentials: username
admin, password1234 - You'll be prompted to change the password β do this immediately
- Set up your Wi-Fi network name (SSID) and a strong password (12+ characters, mix of letters/numbers/symbols)
β οΈ Change the Default Password
The default admin/1234 credentials are publicly known. Anyone on your network could access the AP's admin panel and change your settings. Change this password before doing anything else.
9 Enable Client Isolation
This is the key security feature β it prevents IoT devices from seeing or attacking each other on your Wi-Fi:
- In the AP's web interface, go to Wireless β AP Management
- Select your SSID and click Edit
- Find Intra-BSS Traffic (Zyxel's name for client isolation) and set it to Block
- If you don't see that option, look for Client Isolation or AP Isolation under advanced wireless settings
- Save and apply changes β Wi-Fi will briefly disconnect while settings update
π Why Client Isolation Matters
Without this, every Wi-Fi device can "see" every other Wi-Fi device. A compromised smart TV or IoT gadget could scan your network and attack your laptop, phone, or NAS. Client isolation blocks lateral movement β each Wi-Fi device can only talk to the internet (through Firewalla), not to each other. This is the same principle enterprises use to protect guest networks.
10 Disable ISP Router Wi-Fi
- Log into your ISP router (usually 192.168.1.1 or 192.168.0.1 β check the sticker on your router for the exact address)
- Find Wireless Settings (sometimes under Advanced or Network)
- Disable both 2.4GHz and 5GHz radios
- Save changes β your ISP router's Wi-Fi will turn off
- Reconnect all your devices to the new Zyxel SSID you created in Step 8
Now all your devices will connect through the Zyxel AP, which is protected by Firewalla. Your ISP router is still handling your internet connection β it's just no longer broadcasting Wi-Fi.
π‘ Can't Disable ISP Wi-Fi?
Some ISP routers (especially AT&T and Verizon Fios) don't let you fully disable Wi-Fi. In that case, set the Wi-Fi password to something long and random that you don't share with anyone. The goal is to make sure no devices connect to it β everyone should be on the Zyxel AP instead.
Optional: Set Up VPN Access
Access your home network securely from anywhereβcoffee shops, hotels, airports.
11 Enable VPN Server
- In Firewalla app, go to VPN Server
- Tap Enable
- Choose WireGuard (recommended β faster and more battery-efficient than OpenVPN)
- Create a profile for each device you want to connect remotely (phone, laptop, tablet)
- Tap Show QR Code for the profile you created
- On your phone/laptop, install the free WireGuard app and scan the QR code to import
- Test it: disconnect from Wi-Fi, switch to cellular, toggle the VPN on β you should browse as if you're home
VPN Server setup screen
π‘ When to Use Your VPN
Turn on your home VPN whenever you're on untrusted networks β coffee shop Wi-Fi, hotel networks, airports, coworking spaces. Your traffic gets encrypted and routed through your home Firewalla, so you get the same threat blocking and ad blocking you have at home. It also hides your browsing from the local network operator.
β οΈ VPN Note for DHCP Mode
In DHCP Mode, your ISP router is still doing NAT. For VPN to work from outside your network, you'll need to set up port forwarding on your ISP router (forward UDP port 51820 to Firewalla's IP address). Check our ISP Bridge Mode Guide for instructions on your specific ISP, or consider upgrading to Advanced Mode which eliminates double NAT entirely.
Security Hardening
These extra steps lock down your setup and prevent unauthorized changes.
12 Disable Additional Pairing
Prevent others from adding their phones to control your Firewalla:
- Go to Settings (gear icon)
- Tap Advanced
- Find Allow Additional Pairing
- Toggle it OFF
With this off, nobody can pair a new phone to your Firewalla β even if they have physical access to it. If you ever need to add a second phone (e.g., a partner), you can temporarily re-enable it.
Disable additional pairing for security
13 Enable Two-Factor Authentication
Protect your Firewalla account from unauthorized access:
- Go to Settings β Account
- Enable Two-Factor Authentication if available
- Use an authenticator app (like Google Authenticator or Authy) β avoid SMS-based 2FA
π‘ Why This Matters
Your Firewalla account controls your entire network security. If someone gains access to it, they can disable protections, view your traffic, or modify firewall rules. 2FA ensures that even if your password is compromised, your account stays secure.
14 Set Up Notification Alerts
Make sure you're notified about important security events:
- Go to Settings β Notifications
- Enable New Device β alerts you when an unknown device joins your network
- Enable Abnormal Upload β flags devices sending unusually large amounts of data
- Enable Security Alarms β notifies you of blocked threats and suspicious activity
What This Setup Gives You
With Firewalla + Zyxel AP + Client Isolation, you get:
- β Network-wide threat blocking: Malware, phishing, ads blocked for all devices
- β Device monitoring: See everything on your network
- β IoT isolation: Client isolation prevents devices from attacking each other on Wi-Fi
- β VPN access: Securely connect from anywhere
- β Better Wi-Fi: Proper AP vs. ISP's cheap hardware
What You'd Get with Advanced Mode
If you want even more control later, Advanced Mode adds:
- VLANs: Completely separate network segments (IoT can't even see your LAN)
- Firewall rules between networks: Block IoT β LAN at the firewall level
- Multiple Wi-Fi SSIDs: Different passwords for IoT vs. trusted devices
- No double NAT: Firewalla becomes the only router
- Red team / lab network: Isolated testing environment
π Ready for More?
When you're comfortable with Firewalla and want full network segmentation, check out our Advanced Guide: VLANs + Managed Switch.
Or if you want to put your ISP router in bridge mode for better VPN support, see our ISP Bridge Mode Guide.
Troubleshooting
Devices not showing up?
- Make sure devices are connected to your network (not cellular data)
- Try disconnecting and reconnecting Wi-Fi on the device
- Some devices take 5-10 minutes to appear after first connecting
- In the Firewalla app, go to Network β DHCP and confirm the DHCP server is active
- IoT devices that use a static IP won't appear until they make a network request
Internet not working after setup?
- Unplug Firewalla and confirm internet works without it β this isolates the problem
- Check that the Ethernet cable is in the correct ports: ISP router LAN β Firewalla WAN
- Restart in order: ISP router first, wait 2 minutes, then Firewalla
- In the app, go to Network β WAN and check if it shows a valid IP address
- If WAN shows no IP, your ISP router may not be assigning one β try a different LAN port on the ISP router
Zyxel AP not broadcasting Wi-Fi?
- Confirm the Ethernet cable from Firewalla LAN to the AP is firmly connected
- Check the AP's LED β steady green means it's working, flashing means it's still booting
- Try accessing the AP's admin page (its IP address in a browser) to confirm it's online
- If you can't reach the admin page, try a different Ethernet cable
Certain websites or apps not working?
- Firewalla's ad blocker can sometimes block legitimate services β check Alarms for recent blocks
- To allow a blocked domain: tap the alarm β tap Allow to whitelist it
- Streaming services (Netflix, Hulu) may need specific domains whitelisted if ad blocking is too aggressive
- Check the Firewalla support site for known compatibility issues
