Firewalla Gold Plus thoughts
17 November 2022 189 views
I liked the Firewalla Purple hardware firewall so much that I pre-ordered the Gold Plus as soon as it was announced. I've had it installed for a couple of weeks now, and have a couple of thoughts to share.
So why upgrade? Let's be clear: The only reasons to do so are for faster throughput and more ports. Otherwise the functionality is the same as the cheaper models.
The Gold Plus has four 2.5 GbE network interfaces (NICs) as opposed to two 1 GbE NICs on the Purple. The faster NICs are only useful if you have 2.5 GbE capable equipment, or plan to get some in future (and even then, probably only if you are working on large files such as video projects). If you don't have compatible equipment you should buy a cheaper model.
The additional ports are also useful for network segmentation, and this was one of the main reasons I upgraded. You can define a subnet on each physical port, but you can also share a port with multiple VLANs, so long as your downstream equipment (switch or WIFI access point) is VLAN capable. You define the VLANs on the Firewalla Purple or Gold, and then map them to particular physical ports or wireless SSIDs on the downstream equipment.
I used physical ports to isolate my fast wired LAN and to protect a high-value backup device. My WIFI network* has been segmented with VLANs, again to protect high-value work machines. IOT devices such as air purifiers live on a separate 2.4 GHz WIFI segment, while the smart TV and set top box live on a fast 5 GHz WIFI segment. I also created a separate 5 GHz segment to isolate a high-risk member of the household.
Having set up the segments, it is trivial to use rules to manage traffic between them as required. For example, there is a canned rule you can apply to block access to and from other LAN segments while still permitting internet access, but you have flexibility to do nearly anything.
There's not much to complain about on the Gold Plus but I'll give it my best shot: The things I don't like are i) the price, ii) the need to buy a USB dongle to add wireless functionality, and iii) it runs a bit hot for my taste. Not super hot, but in the tropics a 'warm' device can get uncomfortably hot when the aircon isn't on.
I have found one issue, related to the fact that Firewalla tracks devices based on their MAC address, because most modern devices use MAC address randomisation. In theory most devices will generate a new MAC only when they connect to a new network, but in practice, some devices will occasionally change their MAC for unknown reasons, perhaps due to a reboot or re-association with an SSID. The main offenders on my network are a couple of Raspberry Pi 4 and a Samsung Galaxy tablet. If a device MAC changes, Firewalla will recognise it as a 'new' device and any rules or policies you had applied to it will stop working. If you have enabled the 'automatic quarantine' rule for new devices, it will suddenly be cut off from all network access (cue angry stomping of housemates in your direction).
You can (try to) turn MAC randomisation off in many devices. But a better approach is to apply firewall rules on network segments, if possible. That way it doesn't matter if a device MAC changes (or if an enterprising juvenile decides to elevate their network access by borrowing someone else's MAC). So long as the device is connected to a particular segment the rules will stay in place.
I still love the Firewalla Purple, which is now my travel router, and if you don't need 2.5 GbE speeds, that's the model I would recommend. The Purple has a much smaller footprint, which makes it highly portable, and has the advantage of WIFI being built in (plus a cheaper 500 MbE model has just been announced). On the Gold Plus, I only use the WIFI to establish a second failover WAN connection via a mobile phone hotspot when I'm doing something important. But on the Purple it is useful to create a protected network / firewall when connecting to public WIFI as a source WAN.
* My WIFI mesh network is via a Synology RT2600ac in access point mode with a MR2200ac repeater. The recently released version 1.3 of the Synology Router Management (SRM) version introduced VLAN support.
Copyright, all rights reserved.