Firewalla Gold

coxhaus

Part of the Furniture
Bad news for me and Firewalla. I don't think it will work with a layer 3 switch. I posted out on reddit with no answers.

I did read something interesting as a question which was asked what if the Firewalla cloud goes down. I would assume Firewalla would just keep working without updates, but nobody seemed to be able to answer it.

Anybody know?
 

L&LD

Part of the Furniture
Usually, if a cloud goes down, it takes everything below with it.
 

jasonreg

Regular Contributor
@coxhaus - Did you ever get any additional information on Firewalla? I am considering adding one between my ISP and my RV340. I am assuming I would then turn off the RV340 firewall and security functions. I am looking at the new (about to ship) Firewalla Gold Plus.
 

Smokey613

Very Senior Member
What are you doing with the RV340 that cannot be done with the Firewalla Gold?
 

sfx2000

Part of the Furniture
Bad news for me and Firewalla. I don't think it will work with a layer 3 switch. I posted out on reddit with no answers.

I did read something interesting as a question which was asked what if the Firewalla cloud goes down. I would assume Firewalla would just keep working without updates, but nobody seemed to be able to answer it.

Anybody know?

Hmmm... regarding L3 switches - might be similar to pfSense there - I think some of this is whether the FW Gold has its own switch or is it more like some of the Netgate appliances where the ports are direct interfaces, e.g. not switched.

Since the FW Gold is AMD64/x86 based, I would assume that onboarding it to another platform should be straightforward, keeping things in the x86 realm (Linux/BSD or derivatives..) if Firewalla were to go away... so one would not be dependent on the cloud, bricking things if the cloud services were discontinued.
 

Christos

Regular Contributor
Firewalla is like a pre-configured pfsense box.
You can do exactly the same things with pfsense + unbound + pfBlockerNG (IP + DNS) + Openvpn/Wireguard.
The only benefits you get with Firewalla is the mobile app and the 2.5G ports on the latest model.
 

coxhaus

Part of the Furniture
@coxhaus - Did you ever get any additional information on Firewalla? I am considering adding one between my ISP and my RV340. I am assuming I would then turn off the RV340 firewall and security functions. I am looking at the new (about to ship) Firewalla Gold Plus.
I have run Untangle as a transparent bridge firewall using a Cisco firewall like the RV340. I think it was an earlier model but it has been a while. There should be threads on this site.

The problem I see with Firewalla is it will not support routing on the inside network which pfsense will so a L3 switch is not going to work. You would need to look at the Firewalla specs to see if you can run it as a transparent firewall bridge. It would need to be able to firewall multiple networks on the inside for it to work and I don't know if it can do this. The other issue is you only want to firewall outbound traffic not inside traffic if you are using L2 if you are using your router for routing inside traffic.

Maybe they will add this feature in the future to Firewalla.
 

jasonreg

Regular Contributor
OK so in my case then, would I place the Firewalla Gold unit per 1 or 2?
  1. ISP Modem -> Firewalla Gold -> RV340 -> SG350X (doing all local routing) -> onwards
  2. ISP Modem -> RV340 -> Firewalla Gold -> SG350X -> onwards
 

coxhaus

Part of the Furniture
It may come down to Firewalla's firewall may not be able to read the packets if you are running a L3 switch with different networks. The data packets have more header trailers with embedded networks. It takes more sophisticated programming. Like when I received my RV340 I set up traffic monitoring and all the RV340 saw was all the traffic coming from the L3 switch, not the individual hosts or the networks. The traffic monitoring on the RV340 did not read deep enough into the data packet. It was written for L2.

Firewalla would need to add static routing and adapt their firewall to work with static routing. Otherwise, you need to run L2 and let Firewalla do its thing.

With a transparent firewall bridge, it would be like this. This is what I ran with Untangle.
RV340 -> Firewalla in transparent bridge mode -> SG350X L3 switch. Untangle will do this when I ran it. Probably more than 10 years ago.

I do like the idea of Firewalla. All the routers can be updated dynamically on the fly. Of course, the other is they can all be broken at the same time. Firewalla central control will become a huge target for hackers.
 
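The static-routing point above can be shown with a small toy model (an added example, not Firewalla or pfSense code, using constructed addresses): an edge firewall whose only LAN segment faces an L3 switch that holds further inside subnets. Without a static route for those subnets, the firewall's longest-prefix match falls through to the default route and return traffic is sent back toward the WAN; the second function shows which flows an edge firewall should inspect when the switch already routes inside-to-inside traffic.

```python
"""Toy model of Router -> firewall -> L3 switch: route lookup and edge-crossing check.
All addresses are constructed for illustration."""
import ipaddress

# Constructed topology: 192.168.10.0/24 is the firewall's own LAN segment, the
# other two subnets live behind the L3 switch whose uplink address is 192.168.10.2.
INSIDE_NETS = [ipaddress.ip_network("192.168.10.0/24"),
               ipaddress.ip_network("192.168.20.0/24"),
               ipaddress.ip_network("192.168.30.0/24")]
L3_SWITCH = ipaddress.ip_address("192.168.10.2")
WAN_GATEWAY = ipaddress.ip_address("203.0.113.1")  # ISP next hop (documentation range)

# Routing table entries: (prefix, next hop) with None meaning directly connected.
BASE_ROUTES = [
    (ipaddress.ip_network("192.168.10.0/24"), None),
    (ipaddress.ip_network("0.0.0.0/0"), WAN_GATEWAY),
]
# Same table plus the static routes a firewall needs for the switch's subnets.
STATIC_ROUTES = BASE_ROUTES + [
    (ipaddress.ip_network("192.168.20.0/24"), L3_SWITCH),
    (ipaddress.ip_network("192.168.30.0/24"), L3_SWITCH),
]

def next_hop(routes, dst):
    """Longest-prefix match; returns the next hop as a string, 'direct', or None."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in routes if dst in net]
    if not matches:
        return None
    net, hop = max(matches, key=lambda m: m[0].prefixlen)
    return "direct" if hop is None else str(hop)

def crosses_edge(src, dst):
    """True when exactly one endpoint is inside, i.e. the flow leaves or enters the
    site. Inside-to-inside flows are the L3 switch's job and need no edge inspection."""
    s_in = any(ipaddress.ip_address(src) in n for n in INSIDE_NETS)
    d_in = any(ipaddress.ip_address(dst) in n for n in INSIDE_NETS)
    return s_in != d_in

if __name__ == "__main__":
    # Return traffic to a host behind the switch, with and without static routes.
    print(next_hop(BASE_ROUTES, "192.168.20.5"))    # 203.0.113.1 (sent back out the WAN)
    print(next_hop(STATIC_ROUTES, "192.168.20.5"))  # 192.168.10.2 (handed to the L3 switch)
    print(crosses_edge("192.168.20.5", "192.168.30.9"))  # False (switch routes it)
```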

coxhaus

Part of the Furniture
It has been a few days since I posted on the Firewalla community forum, and they won't answer me. So that implies to me they do not support static routing. I can't seem to figure anything out about their IPS/IDS either. They seem to be close-mouthed about it. So, my thinking is their coding is not very sophisticated and is maybe consumer level at best.
I have also posted on reddit without a single response a while back.
 

jasonreg

Regular Contributor
That is consistent with what little I can find online as well - that being support is "inconsistent" at best. Neat device but not confidence inspiring. Hope they step up their game.
 

Smokey613

Very Senior Member
I am not sure Firewalla Gold is any better than a pfSense unit, but it is much easier to get up and running with dual WAN failover, Wireguard, OpenVPN server/client configuration, custom routes, QoS, etc. But all that ease of use comes at a premium price. For me, it is worth it and I have set up pfSense several times.

I have never needed their support so I cannot comment on it but then, my setup is simple.
 

avtella

Very Senior Member
Yeah it's more consumer oriented and is probably still a relatively small team. I think it's nice to have alternatives like this and they could have a pretty promising future. I would probably recommend this over pfSense for new users; I like pf and still use it, but for someone who wants a package a step above your standard Asus/NG WiFi router but not as complicated as pf/OPNsense this is probably a better medium. Support wise I honestly don't think Asus or NG are much better in terms of getting answers, aside from some random lvl1 tech, unless you really know how to push to get to those higher level personnel... at least for these guys I could somewhat excuse them for being a small group unable to respond quickly enough.
 

coxhaus

Part of the Furniture
For you guys that run pfsense do you run IPS/IDS on pfsense? If not then Firewalla will be a higher level firewall because they run some kind of IPS/IDS.

I am trying to figure out if pfsense users really use SNORT etc.
 

avtella

Very Senior Member
I've tried both Snort and Suricata (separately of course) on pfsense just to experiment about 2 years ago. Didn't really need them for my use case, so uninstalled. Lots of options to tweak things to one's liking in regards to alerts/blocks vs something simpler like a Firewalla, but that can be daunting for the average user to set up.
 

Christos

Regular Contributor
For you guys that run pfsense do you run IPS/IDS on pfsense? If not then Firewalla will be a higher level firewall because they run some kind of IPS/IDS.

I am trying to figure out if pfsense users really use SNORT etc.
I don't do IPS/IDS as it requires SSL decryption on router side, in order to work properly.
However, I use pfblocker that creates firewall IP lists using feeds from Talos, Spamhaus and many more.
It also creates rules for porn and ad blocking. This combined with Quad9 for malware, creates a very powerful DNS firewall.
 

coxhaus

Part of the Furniture
I don't do IPS/IDS as it requires SSL decryption on router side, in order to work properly.
However, I use pfblocker that creates firewall IP lists using feeds from Talos, Spamhaus and many more.
It also creates rules for porn and ad blocking. This combined with Quad9 for malware, creates a very powerful DNS firewall.
Yes, I doubt Firewalla does SSL decryption either as I think it is consumer grade. I am not even sure it works on outbound traffic as most consumer gear does not. Not all traffic is encrypted so IPS/IDS still has its uses.
QUAD9 is good stuff.
 
