This year, we looked at some of the best DNS blockers and firewalls for securing your small business and residential network. Among our list of recommended hardware firewall products that were easy to configure and provided the highest performance for a small business or residential broadband connection was Firewalla, a family of products made by a group of former Cisco engineers.
It should be noted that high-speed broadband does not require a high-speed firewall device. One could go “naked” without the Firewalla, directly connecting to the service provider’s high-speed residential gateway and using its simple NAT-based firewall; however, that’s not a configuration I would recommend in today’s threat actor-rich environment as a small business — anyone can be a target.
I like Firewalla because it is straightforward to install, isn’t particularly expensive, and has no ongoing fees. Unlike the DNS blocking solutions detailed in that article, it is an actual embedded Linux, IP rules-based firewall with advanced intrusion detection capabilities that can monitor every device on your home or small business network. The company’s products are also very fast, which means you get wire-line performance over the monitored connection, with none of the significant degradation you might find with a purely software-based firewall solution. Wire-speed performance should be a bare minimum requirement when considering how to protect your business and home broadband connection.
Firewalla also has an excellent mobile app for administering the device and receiving alerts, as well as a robust remote management web interface. You don’t need to be a network security genius to set rules and protect your network.
Still, even though it’s easy to set up, it’s possible to apply very granular protections and permissions on a per-device basis, set block lists for different target groups, and much more. For the most part, the default configuration, when applied to all devices on the network, is likely sufficient for protecting most home users and small businesses.
At the time of that previous article’s writing, Firewalla had four products: Red (100Mbps), Blue (500Mbps), Purple (1Gbps), and Gold (multi-gigabit).
Today, it also has the Purple SE (advanced protection for connections below 1Gbps) and the Gold Plus, which looks very similar to the Gold (4×1Gbps ports) but has 4×2.5Gbps ports. With channel bonding (LACP) and a supporting gateway device, you can connect the Firewalla Gold Plus over a 5Gbps+ broadband connection.
From a functionality and feature standpoint, the Gold and Gold Plus are identical, but the Gold Plus is over twice as fast on wireline speeds.
I recently installed Firewalla Gold Plus on my network. You may be wondering what kind of network and home broadband you need to take full advantage of this device’s wire-speed packet inspection capabilities: a very fast one.
A thirst for speed means upgrades are needed
A few months ago, I enrolled in AT&T Fiber’s 2gig+ service, which consolidates the fiber terminal and the router into a single device with a 5Gbps ethernet port intended for ultra-fast gaming PCs. However, I did not have a computer fast enough to take advantage of this connection until very recently, when I purchased an Apple Mac Studio with a built-in 2.5Gbps ethernet port for my primary workstation.
The Mac Studio can use up one of the three remaining ports on the Firewalla (one has to be dedicated to the broadband WAN interface), but what about all the Wi-Fi gear and all the other ethernet-connected devices?
For that, we needed a 2.5Gbps switch; in fact, we needed two of them, given how many devices we have and how many rooms they are spread across. For the comms room where the broadband drop is located, we chose the Netgear MS108EUP, a managed switch with 8×2.5Gbps ports and 40W and 60W power-over-ethernet (PoE+) support for devices like remotely located wireless access points.
For my office, we decided on the TP-LINK TL-SG108-M2, an unmanaged desktop switch with 8×2.5Gbps ethernet ports. Between these two switches, I had enough spare ports for all my other devices in my office and home that were hard-wired (including a legacy 24-port 1Gbps switch).
To eliminate the possibility of bad connections, we also bought fresh new Category 6 ethernet cables for all our 2.5Gbps links, including switch-to-switch connections. I can’t stress enough how important this is: when I tried to re-use some of my old Category 5e cables on the faster 2.5Gbps ports, I couldn’t get them to negotiate properly and spent hours diagnosing various networking issues as a result. So if you are going to spend $1000+ on a new high-speed firewall and accompanying switches, buy some new Cat 6 cables too.
As to the Wi-Fi, an upgrade from my existing Eero Pro 6 wasn’t strictly necessary, as I was reliably getting between 400Mbps and 500Mbps, more than enough to handle any 4K video streaming task. However, I wanted to take advantage of the PoE and the 2.5Gbps connectivity, so I procured a Netgear WAX630E AXE7800 enterprise-grade Wi-Fi 6E managed access point ($369). It provides the fastest possible wireless connectivity to everything in the house and future-proofs it for 6GHz devices (presumably my next iPhone or iPad).
If you are looking for something a bit less expensive with 2.5Gbps connectivity but only the 2.4GHz and 5GHz bands (the 6GHz tri-band access point above is probably overkill), I’d recommend the AX1800 ($150), AX3000 ($159), AX3600, and AX6000 models, depending on how wide a coverage area you want. All of these have 2.5Gbps ethernet ports and are PoE+ powered. Some, like the AXE7800, also include a 1Gbps ethernet port for hanging off a secondary switch or another ethernet-connected device, which helps extend gigabit connectivity into other rooms for wired devices.
As with the switches, we ran Category 6 cabling to the new AP from one of the MS108EUP’s 60W ports to ensure a clean connection. We also configured the 5GHz SSID on the new access point for channel widths up to 160MHz so modern clients like my iPhone 14 Pro Max, recent Android devices, and MacBook Pros could take full advantage of the Wi-Fi 6 connectivity.
Cruising at over 2Gbps
To get the Firewalla Gold Plus running, we didn’t have to do much differently than with the Gold, which we used previously. We booted it up, loaded the smartphone app, connected to the device using Bluetooth on our iPhone, and set it to “router mode.” We also had to configure IP passthrough on the AT&T Fiber residential gateway’s web interface so that it forwards everything to the Firewalla’s WAN port MAC address, which is an AT&T-specific configuration step.
We also used the app to migrate the previous rules we had set in the prior product, which were stored in Firewalla’s cloud. But once we did that, it was very smooth sailing.
Let’s start with wired performance using the Mac Studio. Even with 35% to 50% of flows blocked by the built-in rules, full ad-blocking enabled, and well over a million objects filtered by Firewalla’s advanced threat protection, we were getting well over 2Gbps up and down on Speedtest.net and Fast.com using local test servers.
And Wi-Fi? Higher than 650Mbps on average in both directions, sometimes over 700Mbps or even 1Gbps depending on the device. On our Qualcomm 888-based Android phone, we could get as high as 800Mbps or 900Mbps Wi-Fi downloads thanks to its wide-channel support.
Who is it for?
We’re impressed with the speeds from the Firewalla Gold Plus and AT&T Fiber’s 2Gbps service. But just who needs broadband that is this fast? For most residential consumers and small businesses, a 1Gbps connection is sufficient. Unless you’ve got a dozen kids at home doing simultaneous Netflix streaming or 1080p Zoom calls, you probably don’t need a 2Gbps fiber broadband service.
Extreme PC gamers will want this for low-latency connections and cloud-based virtual reality apps, but that is something of an edge case, at least until we are all tied into the Metaverse. Content creation pros who need to upload and download large amounts of video and high-resolution photos will appreciate it, as will anyone needing reliable connectivity for 4K streamed video and higher-quality video conferencing solutions than Zoom can provide.
I believe an argument can also be made for 2.5Gbps LAN upgrades, as they improve Wi-Fi throughput quite a bit through supporting access points if you have a lot of client devices. They are also useful, provided the PC workstation supports these higher speeds, for large file transfers on the LAN, particularly when connecting to NAS units that support the faster ethernet standards of 2.5Gbps, 5Gbps, and 10Gbps switch backbones.