Firewalla Purple thoughts
13 August 2022 | Security, Internet of things, Tech notes
I wanted to add a dedicated hardware firewall to my network and really, there's just nothing available locally in Thailand without going enterprise. I was tempted to import a Netgate 1100 (pfSense) box, a traditional and respected option, but eventually chose the Firewalla Purple for its modern interface and instrumentation (and partly because Netgate explicitly state they don't want to provide international support and seem quite pathological about it).
The strength of the Firewalla Purple is a well designed dashboard interface that makes network management accessible to ordinary people. The dashboard is available via an app on your phone or (better) tablet. You can see your devices, place them in groups, and apply content filtering rules or block ads with a click. Live charts of network activity and device-specific alerts provide realtime insights and actionable intelligence, such as when a new device is detected on the network or an unusual file upload takes place. You can see what is being blocked, why, the destination and which computer was involved. One feature I particularly like is to automatically place new devices that join the network in quarantine, locking out uninvited guests.
As a result of the alerts and improved visibility, I have found myself investigating various machines, mainly for chugging unreasonable amounts of bandwidth at strange times, removing chatty crapware and tightening their configuration. That's the sort of value that a firewall should provide.
In terms of things I didn't like, my main complaint is a lack of transparency in DNS management, which I see as an important issue in a security device. You can, of course, specify the DNS servers you want to use. The problem is that several settings in the app will override your choice without telling you, and that's bad. The behaviour is described in the documentation but there's nothing in the interface that will warn you when you point and click.
For example, I always use Cloudflare's anti-malware DNS service as the network default. But if you activate the Firewalla "Family Protect" feature, which filters adult content, your firewall will silently switch to using OpenDNS instead. Similarly, if you activate DNS over HTTPS it will switch to using servers from Cloudflare, Google or Quad9. You can configure it to use any of those, but you can't select a specific sub-service such as anti-malware unless you set up a custom server. I believe the Unbound DNS option also won't use the specified DNS servers, but that is the nature of that particular option.
To get around the DNS switching behaviour, I chose not to enable Family Protect, instead just specifying the relevant Cloudflare DNS servers as reliable WAN and LAN defaults. I did enable DNS over HTTPS by adding a custom server pointing to Cloudflare, which requires entering the relevant URL for the service you want to use.
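Since the firewall can quietly change the upstream resolver, it is worth being able to query the DoH endpoint you entered directly and see what it answers. The following is an added example of my own (not Firewalla's or Cloudflare's code) that builds an RFC 8484 GET query, sends it to the public Cloudflare anti-malware DoH URL, and decodes the A records in the reply; the sample response embedded at the end is constructed so the decoder can be exercised offline.

```python
# Query a DNS-over-HTTPS endpoint directly (RFC 8484 GET) and decode the A
# records, so the resolver behind a custom DoH URL can be checked independently.
import base64, socket, struct, urllib.request

CLOUDFLARE_SECURITY_DOH = "https://security.cloudflare-dns.com/dns-query"  # 1.1.1.2 service

def build_query(name, qtype=1):
    """Wire-format query; ID 0 as RFC 8484 recommends for cacheable GETs."""
    header = struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QCLASS IN

def encode_dns_param(query):
    """base64url without padding, as the 'dns' URL parameter requires."""
    return base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")

def _skip_name(msg, off):
    """Advance past a name; a compression pointer (top two bits set) ends it."""
    while msg[off] != 0:
        if (msg[off] & 0xC0) == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_a_records(msg):
    """Return the IPv4 addresses in the answer section of a wire-format response."""
    _id, _flags, qdcount, ancount = struct.unpack(">HHHH", msg[:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record; CNAME and others are skipped
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def doh_lookup(name, url=CLOUDFLARE_SECURITY_DOH):
    """Live lookup over HTTPS (needs network); returns the A records."""
    req = urllib.request.Request(url + "?dns=" + encode_dns_param(build_query(name)),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_a_records(resp.read())

# Constructed sample response (example.com A 93.184.216.34) for offline checks.
SAMPLE_RESPONSE = bytes.fromhex("000081800001000100000000076578616d706c6503636f6d00"
                                "00010001c00c0001000100000e1000045db8d822")
```

Run `doh_lookup("example.com")` from a client behind the firewall and compare the result with what the same name resolves to through the firewall's plain DNS; a difference shows which path is actually being used.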
You also only get one LAN port, which means the Purple can't implement VLANs on its own. It can define and use VLANs, but you need to map them to ports on VLAN-capable switches behind it. However, I found that the guest Wi-Fi network on my Synology RT2600ac router still works, even though it is operating in access point mode and is not VLAN-capable. The guest network devices are on a separate private subnet set by the Synology box and are not visible in the Firewalla interface, although they do have internet access. So I am guessing that the Synology is still doing some routing, even though the routing function is turned off, and possibly uses VLANs internally!
Apart from that, the Purple only has one downside: It's clearly overpriced, costing double the Netgate 1100. Despite the accessibility and visibility it provides to the less technically inclined, the price is really, really out there. And I think having a single LAN port is pretty stingy, given the cost.
Still, I really like it. In fact, I would say it's excellent. If you are ok with the price, I recommend it.
Update: Shortly after writing this the new Gold Plus became available and I preordered it. The Gold Plus features four 2.5 GbE ports, and since I run a 2.5 GbE network I couldn't resist. So the Purple will become my new travel router (thanks to its ability to accept a Wi-Fi hotspot as WAN input), and the Gold will be a part of my home network.