I was recently sent one of the new Firewalla Gold SE devices to test out in the home lab. However, other than the unit being sent to me for my thoughts, this is not a paid review, and I only give my thoughts and opinions on testing and using the Firewalla in the home lab. Many of the readers of this site are interested in home labs and technologies for home labs reviews. The question is, is this a good firewall for home lab use?
What is Firewalla?
Firewalla is a cool project that was started as a Kickstarter back in 2017 and kicked off Firewalla as a business. Their business focuses on providing effective cyber security firewall router appliances that are easy to use and don’t take a CCIE to figure out.
The Firewalla device has been built to add to your existing network with an existing router, either in router mode, simple, or DHCP mode. You can use it to protect your entire network or a segment of the network with a separate subnet such as an access point
What makes it different?
Firewalla has a few characteristics that make it different than other firewalls in this space. First and foremost there are no subscription feeds with Firewalla. Even though you get features like premium web filtering, there is no subscription service for these. They are simply included.
They are trying to branch out more into the business sector, and there is an interesting statement on their FAQ page noting the following: “In the future, we may provide additional apps or features for pro/business users for a reasonable fee.” So, it sounds like there may be subscriptions for some of the business premium features coming down the pipes.
Also, with Firewalla, most of the configuration is carried out using a mobile app. I like and don’t like this at the same time. Firewalla has designed their products to primarily use the mobile app for configuration, management, and monitoring. I think this is great for most home users. However, for those of us running a home lab, most like the “nerd knobs” and like to be able to get to and tweak all aspects of the system.
There is a web interface, but it is not as fully featured as the mobile app. Keep that in mind that if you want to tinker with the more advanced settings, you have to have the phone app and you are reliant on the Firewalla cloud connection for the management web interface.
Firewalla firewall models
Firewalla has several models of their firewall to choose from, including:
- Firewalla Blue
- Firewalla Blue plus
- Firewalla Purple
- Firewalla Purple SE
- Firewalla Gold
- Firewalla Gold Plus
- Firewalla Gold SE
Introducing the Firewalla Gold SE
The new Firewalla Gold SE is a new offering from Firewalla that has all of the features of other Firewalla devices with (2) 2.5G network ports. It is an affordable choice for both home and business environments and I think also home lab environments as well. Note the following hardware and software/capabilities features.
Hardware
- Quad-Core ARM CPU
- 2 x 2.5Gbits & 2 x 1Gbits Interfaces
- 2Gb Software Packet Processing
- 4096 Megabyte DDR RAM
- 32GB Storage
Features
Firewalla Gold includes the following features in the SE model:
- 2 x 2.5G and 2 x 1G network interfaces
- Protections your devices from cyberattacks
- Advanced insights into your network
- Safeguards your personal and business data
- Dynamic content filtering to block sites (porn, etc)
- Parental controls
- Monitor and control Internet usage
- Block unwanted ads (ad-blocking)
- Built-in VPN server and VPN client
- Network segmentation and Lockdown mode protection
- 2 Gigabits deep packet inspection hardware
- Advanced Smart Queue reducing network latency
- Multi-WAN for better performance and availability
- No monthly feed
Background: The Firewalla Gold Lineage
The Firewalla family, including the Firewalla Gold and Firewalla Gold Plus, has established a reputation for robust network management and security. The Firewalla Gold SE builds on this foundation, offering an affordable version without compromising on key features.
Firewalla Gold & Gold Plus
- Firewalla Gold: The Firewalla Gold is known for its relatively robust hardware and multi-layered security measures
- Firewalla Gold Plus: An enhanced version of the Firewalla Gold that offers more additional features. If you have more demanding network security and traffic needs, the plus is a step up from the Gold
- Firewalla Gold SE: This new model is positioned in the lineup for those who need a high-performing cyber security solution at a reasonable price. It retains the core functionalities of the Firewalla Gold line and has 2.5G connectivity.
Design and Hardware
The Firewall Gold SE has a compact design and a very small physical footprint. I think this makes it ideal for a home lab setup, especially if you don’t have a server rack and your lab is in a bedroom or office space. It features four ethernet ports, including (2) multi-gigabit ports. It definitely appeals to those who have made the jump to 2.5 gig connectivity in their home network or have upgraded to multi-gigabit Internet access.
Key Hardware Components
- LAN Ports: Equipped with (2) 2.5GbE and (2) 1GbE ports, it can provide network segmentation and management.
- Robust Hardware: It is outfitted with a quad-core processor and 4 GB of RAM to handle many connections
Unboxing
Let’s take a look at the unboxing of the unit. The unit comes in nice packaging.
You wills see a box with your power adapter, and the getting started guide that is included.
A picture of the network ports and power slot (micro USB). The default WAN port is the far-right port with the yellow around it. As you can see below, the two outside ports are designated as 2.5G, and the two middle ports are 1G.
On the back side, you can see the unit has a reset button, a micro SD card slot, an HDMI slot, which allows advanced users to connect a display device for advanced configuration, a USB slot with the security dongle used for box pairing and activation, and another USB slot.
Installation and User Experience
The setup process of the Firewalla Gold SE is straightforward using the smartphone app. The device supports various modes like router mode, bridge mode, and simple mode for different network setups.
Firewalla has installation guides for your respective Firewalla model: Firewalla Installation Guide | Firewalla
First, install the app for either Apple iOS or Google Android:
- https://itunes.apple.com/us/app/firewalla/id1180904053
- https://play.google.com/store/apps/details?id=com.firewalla.chancellor
Open the app and click on the “+” sign to add a new Firewalla appliance for setup.
Select the model of the appliance you will be configuring.
Cable up the WAN port from the Firewalla to your ISP modem or existing network. For my purposes in testing, I am simply cabling up the Firewalla to the existing network switch in the lab environment to test with a client.
You will see a permissions request to use the Bluetooth on your mobile device.
Click to allow the permissions requested.
One of the neat things that Firewalla does is place a QR code sticker on the bottom of the appliance. Using the app, scan the barcode to onboard the device into the Firewalla cloud.
Next, you configure the “mode” of the device. Even though I am adding it to the existing network, I still chose, “Yes, set up as a router” since I wanted to test it with a client on its own network segment. So, my lab network hands out a “WAN IP” to the Firewalla in the form of a private IP address from DHCP.
Note the following mode types:
- Router Mode: Ideal for use as a main router, providing comprehensive control over home network traffic.
- Simple Mode: For less complex setups, offering ease of use while maintaining effective network management.
We are directed to connect to the ISP modem at this point using an Ethernet cable.
Once this is all configured, you will see the Firewalla appliance begin the Setting up phase.
Once completed, you should see the Get Started button.
Navigating around in the app
On the mobile app, there are quite a few options you can configure and drill into for information, configuration, and management. Below are a few screenshots of navigating the app so you can see what options and menus are available.
Looking at the tools and configuration available.
Under the more features, you can see the list of things that are enabled and those that aren’t used as of yet. The Wi Fi Test is a new app listed.
Using the Create Network menu, you can create your networks, including LAN or VLAN configurations.
VLANs and Networks
One of the first things I wanted to understand and do with the Firewalla Gold SE was create additional VLANs and networks. If you navigate to the Network dashboard, there is an option to Create Network. On this screen, you can set the following:
- Name – Name the network
- Type – Set the type of network, either LAN or VLAN
- Ethernet port – Select the ethernet port you want to associate with the new network
- Template – Under templates, by default, you can select Guest Network or Lockdown network
- Network settings – Configure the subnet for the network, DHCP range, DNS servers, etc
When you choose to Create Network, you will see the options to create the various network types, including WAN connection, Local Network, Guest Network, and Lockdown Network.
Below are the descriptions for the network types:
- WAN connection – Connect to the Internet using DHCP or Static IP
- Local Network – LAN or VLAN without present rules
- Guest Network – Devices can use the Internet without access to other local networks
- Lockdown Network – Devices are blocked from the Internet connection and other local networks
If you choose VLAN, you can create tagged networks with that specific VLAN. Below, you can see I am choosing the first port, which I already have my mini PC plugged into.
If you create a LAN port, it must not be a part of any other network. I believe the differentiation here is untagged traffic vs tagged traffic. When you add a port to a LAN, you are untagging that traffic on the port for that network.
As you can see below, the first port is a part of LAN 1, LAN 2, and LAN 3. It is untagged for LAN 1, and then I created two additional VLAN networks to tag for those specific VLANs on the same port.
Testing VLAN connectivity
To test my theory on tagged vs untagged, I added a Hyper-V virtual switch to my mini PC and then created two tagged virtual network adapters on the Hyper-V switch in Windows 11.
As you can see below, the mini PC successfully grabbed an IP address from the new VLAN 100 that matches the new VLAN I created on the Firewall Gold SE.
Alerts and Notifications
One of the nice features of the Firewalla solution along with the mobile app is the notifications and alerting you get by default. When I created the additional VLANs and tagged virtual network adapters for the VLANs, I immediately got alerts for the “new devices” found on those networks.
I run Arpwatch in my home lab environment for this purpose. However, if you have the Firewalla solution, this is a great way to have visibility of rogue network devices that appear on your networks as you will get these alerts and notifications in the app.
Advanced Features
Firewalla Gold SE is more than a basic firewall device. It provides a complete network management solution. It has additional features like advanced smart queue management, content filtering, and VPN capabilities.
Also, you get policy-based routing capabilities that you find on enterprise firewalls that allow flowing traffic different directions based on the type of traffic.
Cybersecurity and Traffic Management
Firewalla has many other types of cybersecurity and traffic management features built into the solution. First it contains the classic ingress filtering when in router mode for stateful ingress firewall rules.
It also has egress filtering, which I think everyone should be using as malicious traffic often calls home using abnormal ports, etc.
For home server and home lab environments, it also has a segment firewall, meaning you can block or allow traffic between the segments you have created on your network.
The Active Protect feature is a full-fledged IDS/IPS (Intrusion Detection Service / Intrusion Prevention Service) provided by Firewalla that automatically detects, blocks, and alerts on suspicious activities.
Strict Mode checks Firewalla’s cloud database of security intel more often and is more likely to block network flows. It can lead to false positives, but is the most secure mode.
It also has behavioral detection, allowing Firewalla to understand an attacker’s intent. This detection looks beyond matching signatures and deep dives into the network flows to detect:
- SSH login failure attempts
- Heartbleed attacks
- Unusual uploads or transfers of data
Monitoring and Control
Firewalla provides network performance insights and device management capabilities.
Network Performance Insights
The Firewalla app gives detailed visibility into network usage and performance. You can view flows, blocked traffic, Upload and Download amounts.
You can also see data usage.
Device Management: Allows control over connected devices, ensuring optimal network function and security. You can see all devices on the Firewalla network, including upload and downloads in real-time.
You can sort your devices by different metrics like Top download/upload.
Does it have a web interface?
One thing that home labbers and those familiar with traditional firewalls will be asking is, “does it have a web interface for management”? Well, the answer is “it does and it doesn’t.” Let me explain. You can’t browse to a specific IP on the LAN side and log in as you can with traditional firewalls you may be used to, like pfSense, OPNsense, or other commercial firewalls.
To get to the web interface involves a process that starts with the Firewalla mobile app. Tap on the Firewalla web tool in the app.
It will direct you to go to my.firewalla.com which will present you with a barcode.
After you scan the barcode, it will display the Confirm Sign In screen. Tap Sign In.
After this, you will be taken to the web interface for your Firewalla appliance. As a note, you can only do a few basic things from the Firewalla web interface and you don’t have access to the more advanced configuration you can do from the mobile app.
Video review
Take a look at my video review of the Firewalla Gold SE for home lab:
Wrapping up the Firewalla Gold SE review
Up until I received the Firewalla Gold SE device with 2.5G connectivity, I had not had my hands on a Firewalla device. I have to say that I am pleasantly surprised at the features and ease of use of the unit. It actually has quite a few advanced cybersecurity features. It can do things that I think most running a home server or home lab network will want to do, like creating VLANs and segmentation, along with rules for blocking traffic between their different networks.
There are what I think are good & bad at the same time features. I think the mobile app is great, especially for being on the go and seeing everything going on with your devices and network. However, I would like to see Firewalla make the web interface more readily accessible and with all the features you have in the mobile app. What happens if the Firewalla cloud is down? The web interface should be an effective alternative.
Even if you don’t want to use the device as your main security device behind your ISP modem/router, I think it would work as a great appliance for a separate segment of your network, maybe in between your home lab/server network and your family/home network or to protect and filter kid’s traffic for parents.
0 Comments