Firewalla Gold Intel-based Ubuntu Router Enables Multi-Gigabit Cyber Security (Crowdfunding)


We covered Firewalla, based on the NanoPi NEO board, in mid-2018. The device is a tiny firewall, parental control, ad-blocker, and VPN appliance for end users.

Since then they’ve launched Firewalla Blue, based on the NanoPi NEO2 SBC with Gigabit Ethernet and a faster processor, and now the company has introduced the even more powerful Intel-based Firewalla Gold.

Firewalla Gold (Right) vs Firewalla Blue and Firewalla (Red)

Firewalla Gold specifications:

  • Processor – Unnamed Intel 64-bit quad-core processor
  • System Memory – 4GB RAM
  • Storage – 32GB flash
  • Connectivity
    • 4x Gigabit Ethernet ports supporting over 3 Gbps in total, and up to 10 VPN connections at up to 120 Mbps aggregated bandwidth.
    • WiFi 6 module (unclear whether optional or included)
  • Misc – RTC
  • Power Supply – DC barrel jack

They may have designed a custom board this time, as it’s unclear which off-the-shelf SBC, if any, they used in the new product.
Firewalla Gold Specifications

The device runs Ubuntu Linux, so users will have full access to the operating system over SSH and will be allowed to install their own packages. Just like the original Firewalla (now Firewalla Red) and Firewalla Blue, Firewalla Gold comes with a web interface to let users easily control what happens on their networks, with features such as cyber threat protection, VPN, DDNS, SSH, and ad-blocker configuration. Additionally, the Firewalla app for Android or iOS enables users to set up parental control and VPN, monitor bandwidth usage (monthly / daily / hourly), and more…

Firewalla Android App

Since Firewalla Gold is more powerful and comes with multiple Ethernet ports, the company has also implemented new features including VLAN support, network segmentation (for instance to separate guest, IoT, and kids’ networks from your main network), network lockdown to block traffic from unknown devices, and router mode.

They’ve already raised $243,793 for Firewalla Gold on the Indiegogo crowdfunding platform, and if interested, you can get the router for $359, a 28% discount against the $499 MSRP expected once the product launches. Shipping adds $20, and backers should get their reward around July 2020 if everything goes according to plan.

dgp (Guest)

Mm why is it not 4 Gbps in total? Does this mean it’s not 4 ethernet controllers and there’s a switch involved?

Willy (Guest)

Not necessarily, it can be a limit on CPU performance or in other contexts, even a limited number of PCIe lanes to the NIC controller. A switch wouldn’t have come with such a limitation. It could have enforced 2.5 Gbps however if the SoC was using 2.5GE.

dgp (Guest)

>it can be a limit on CPU performance or in other contexts

I think that would be the first time in the history of marketing that someone actually gave the tested throughput and not just the best looking number from one part of the pipeline. 😉

tkaiser (Guest)

On their Indiegogo page they talk about ‘Deep Insight helps you see the network at up to 3+ Gigabits per second’. So this is a number for a specific use case (‘deep’ packet inspection?). Though a use case I don’t understand since with 4 GbE ports the upstream traffic is clearly limited to 1 Gbps, isn’t it?

Anyway, the screenshot this ‘3+ Gigabits per second’ claim is based on is this: [screenshot]

dgp (Guest)

I might be missing something but I don’t know how they think that shows they can do deep packet inspection at 3 Gbps. That looks like iperf being used to flood it with traffic. :/

Willy (Guest)

> I think that would be the first time in the history of marketing that someone actually gave the tested throughput

Oh no, I strongly disagree on this. On network gear it’s exactly the opposite, they depend on a large number of factors and you actually have to run a lot of benchmarks to get the best reproducible numbers you can to put on the datasheet. There are dedicated companies like Ixia or Spirent whose job is to help vendors run such measures. And to give you an idea, at my company, we remove ~20% to the measured scores of our load balancers and round this to the closest 2-digit number before putting the numbers on the datasheet. It is very important because it is extremely common for customers to run their own benchmarks before deciding to buy the device, and not being able to reproduce the datasheet number is extremely frustrating and doesn’t give a lot of confidence for the rest of the product. Conversely when they manage to reach a bit more, they understand they start to get a good control of the product.

tkaiser (Guest)

> On network gear it’s exactly the opposite

While I agree here, this Firewalla stuff is not ‘network gear’ but an attempt to address the fears of average users regarding ‘cyber threats’. Users who trust in appliances that only work as advertised via apps thrown at them via a crowdfunding campaign. Users who think if they can watch some funny graphs on their tablet or smartphone, get some alerts from time to time and can spy on their kids they regained control of their ‘network’.

Their numbers are marketing stuff without any real meaning. How to interpret this for example?

[image]

The older Firewallas have only one interface so showing ‘500 Mbits’ for Gigabit Ethernet capable ‘Blue’ (based on NEO2) makes some sense. But then it should be ’50 Mbits’ for Fast Ethernet equipped ‘Red’, right? And now with their J1900 based ‘Gold’ thingy they show +3 Gbits based on some weird iperf measurements in a mode that makes no sense for any real world use case this thing could be used for.

It’s marketing BS aimed at a clueless target audience 🙂

Willy (Guest)

The way it is reported on their graph is totally absurd (especially the “new=6*old”), especially for the type of deployment expected here. They’d rather mention that since it can sustain 3Gbps total over its 4 interfaces, it’s unlikely that a single interface even with multiple DMZ will cause any trouble. A completely made up use case could be Gbps fiber on the WAN side, two DMZ with proxies and a LAN with a client. You then really need 3 Gbps of bandwidth to support downloading large objects (e.g. videos) at line rate through these devices. But that’s not for everyone.

Quite frankly, for having done this a lot, benchmarking firewalls is always very difficult. For a long time you would saturate the machine before the cable so it was easy to speak in number of PPS then in number of Mbps, then in number of connections per second. Nowadays even with a small CPU you can achieve a connection rate that’s way above whatever any even large company would need so you don’t need to tell that number anymore. The Mbps trivially reaches the sum of interfaces, and only the packet per second one remains a limiting factor, but nobody cares about this unless trying to deal with DDoS, which is not what users of such a device need either.

In short, they should not even put the focus on performance here I think and instead mention they managed to remove previous limitations.

tkaiser (Guest)

> In short, they should not even put the focus on performance

Well, the ‘performance’ isn’t great anyway for relevant use cases (VPN: ‘120 Mbits’ with ’64-bit Intel’ vs. ’70 Mbits’ with Allwinner’s H5) but their target audience are clueless people fearing cyber lalala and especially their happy customers from the first campaigns need to be convinced to replace the older appliances with this more expensive new one.

So every graph visualizing rather meaningless numbers makes a lot of sense for them…

Igor_kh (Guest)

Ubiquiti edge router is way cheaper and already available.

Gabriel (Guest)

As an alternative, the Pondesk device based on Intel Atom E3845 looks cheaper, but comes without software.

Willy (Guest)

Regarding the board’s origin, we’ve had some very similar-looking devices 4 years ago or so, they were all black, with the same port disposition, with serial and USB on one side, and ethernet+juice on the other, but I can’t recall the name. I looked for these at Commell, Jetway, Axiomtek, Acrosser, Nexcom, Aaeon, Lanner with no luck. I’m sure I’m missing some, given that I still couldn’t figure that one!

Willy (Guest)

Ah finally found it! It’s Gigabyte. That one looks very similar:

https://fr.aliexpress.com/item/32773196368.html

tkaiser (Guest)

If it’s really based on the Gigabyte board then with a J1900 it has not even AES-NI. Though Firewalla guys not mentioning the CPU in question is a good indication that’s something like that 😉

dgp (Guest)

> it has not even AES-NI

Does iptables make a lot of use of AES?

tkaiser (Guest)

I was focused on the ‘VPN server’ use case. Anyway, a J1900 is not that fast by today’s standards. Around 70% the integer performance of a J4105 or in other words: RK3399 level… (better suited for this use case though due to more flexible PCIe config allowing each lane to be attached to an individual NIC)

Roger Melly (Guest)

AES-NI is for encryption eg in encrypting data sent over a tunnel (as used in a VPN connection). If a tunnel is established using a passphrase, then encryption is needed even for that first step of communicating the passphrase for obvious reasons.

iptables is a tool for packet filtering and network address translation eg deciding to which destination packets should be sent or whether they should be dropped.

These are two different things.

If you want to do IPsec or OpenVPN etc then AES-NI in hardware does make a significant improvement in performance.

iptables has now been superseded by the “nftables” framework which is slowly increasing in use now that major distributions have made it the default.
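The segmentation and lockdown features the article lists (guest and IoT isolation, blocking unknown devices) written as an nftables ruleset, added here to illustrate the framework mentioned in this comment; it is a constructed example, not Firewalla’s own configuration, and the interface names and MAC addresses are assumptions.

```nft
#!/usr/sbin/nft -f
# Constructed example of the "network segmentation" and "network lockdown"
# ideas from the article, written as an nftables ruleset. Interface names
# (eth0 = WAN, eth1 = main LAN, eth1.10 = guest VLAN, eth1.20 = IoT VLAN)
# and the MAC addresses are placeholders, not Firewalla's configuration.
flush ruleset
define WAN   = "eth0"
define LAN   = "eth1"
define GUEST = "eth1.10"
define IOT   = "eth1.20"

table inet filter {
    # Approved devices on the main LAN; anything else is "unknown" and locked down.
    set known_devices {
        type ether_addr
        elements = { 00:11:22:33:44:55, 66:77:88:99:aa:bb }   # placeholder MACs
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        # Management (SSH, web UI) reachable from the main LAN only.
        iifname $LAN tcp dport { 22, 443 } accept
        # DHCP and DNS from every segment so clients can get leases and resolve names.
        iifname { $LAN, $GUEST, $IOT } udp dport { 53, 67 } accept
        iifname { $LAN, $GUEST, $IOT } tcp dport 53 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Lockdown: unknown devices on the main LAN get no forwarding at all.
        iifname $LAN ether saddr != @known_devices drop
        # Guest and IoT reach the Internet only; never each other, never the main LAN.
        iifname { $GUEST, $IOT } oifname $WAN accept
        # Main LAN may reach the Internet and control IoT devices; replies are
        # allowed by the established/related rule above, new IoT->LAN flows are not.
        iifname $LAN oifname { $WAN, $IOT } accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN masquerade
    }
}
```

Load it with `nft -f` and confirm the intended isolation with `nft list ruleset` before trusting it; the default-drop policies mean any service not explicitly listed (for instance IPv6 neighbour discovery on an IPv6 network) must be added deliberately.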

dgp (Guest)

I understand that. I was suggesting maybe it doesn’t matter so much for the people that will use this. They’ve given a figure for the VPN throughput and if that’s good enough for your use case then how the VPN sausage is made doesn’t matter.

TLS (Guest)

That’s not a Gigabyte board. It’s as per your second link, from Qotom.

willy (Guest)

Ah probably they write “Gigabyte” as a way to mean “gigabit” 🙂

Willy (Guest)

And an example of a complete machine with enclosure here:
https://fr.aliexpress.com/item/32758008782.html

These ones were very dense and well designed. I forgot about them until you posted the photos above!

TLS (Guest)

Actual product page. Although, it seems to be for a slightly more recent version.
http://www.qotom.net/product/35.html

Paul M (Guest)

I’ve been using a dual not j1900 board from Gigabyte with an additional dual NIC PCI card as a firewall. It’s only in recent kernels that they have mitigated the problem with the CPU hard locking up.
I’d never use the j1900 for anything due to the flaw. There’s a long-running kernel bug about it.

theguyuk (Guest)

Down voters won’t like this either then!

https://www.aliexpress.com/item/32782991772.html?

theguyuk (Guest)

Or an i7 that’s still cheaper than the original, down voters are going to hate that!

https://www.aliexpress.com/item/32706578225.html?

theguyuk (Guest)

What is the down voter scared of people knowing!

eas (Guest)

I dunno, but it seems the downvoter doesn’t understand the difference between a product and a project. The Firewalla appears to be a product. Using those Qotoms to do the same job is a project (even if it isn’t a very big project).