Firewalla Gold Intel-based Ubuntu Router Enables Multi-Gigabit Cyber Security (Crowdfunding)

We covered Firewalla based on NanoPi NEO board in mid-2018. The device is a tiny firewall, parental control, ad-blocker, and VPN appliance for end-users.

Since then they’ve launched Firewalla Blue based on NanoPi NEO2 SBC with Gigabit Ethernet and a faster processor, and now the company has just introduced the even more powerful Intel-based Firewalla Gold.

Firewalla Gold vs Blue Red
Firewalla Gold (Right) vs Firewalla Blue and Firewalla (Red)

Firewalla Gold specifications:

  • Processor – Unnamed intel 64-bit quad-core processor
  • System Memory – 4GB RAM
  • Storage – 32GB flash
  • Connectivity
    • 4x Gigabit Ethernet ports supporting over 3 Gbps in total, and up to 10 VPN connection at up to 120 Mbps aggregated bandwidth.
    • WiFi 6 module (not sure optional or included)
  • Misc – RTC
  • Power Supply – DC barrel jack

They may have designed a custom board this time, as I’m not sure which off-the-shelf SBC they may have used in their new product.
Firewalla Gold Specifications

The device runs Ubuntu Linux so the users will have full access to the operating system with SSH, and will be allowed to install their own packages. Just like the original Firewalla (now Firewalla Red) and Firewalla Blue, Firewalla Gold comes with a web interface to let users easily control what happens on their networks with features such as cyber threats protections, VPN, DDNS, SSH, Adblocker configuration. Additionally, the Firewalla app for Android or iOS enables users to set-up parental control, VPN, monitor bandwidth usage (Monthly / Daily / Hourly), and more…

Firewalla Android App

Since Firewall Gold is more powerful and comes with multiple Ethernet ports, the company also implemented new features including VLAN, network segmentation for instance to separate guests, IoT, and kids networks from your main network, network lockdown to block traffic from unknown devices, and router mode.

They’ve already raised $243,793 for Firewalla Gold on Indiegogo crowdfunding platform, and if interested, you can get the router for $359, or a 28% discount against the $499 MSRP expected once the product launches. Shipping adds $20, and backers should get their reward around July 2020 if everything goes according to plans.

Support CNX Software - Donate via PayPal or become a Patron on Patreon
Advertisements
Subscribe
Notify of
guest
29 Comments
oldest
newest most voted
dgp
dgp
7 months ago

Mm why is it not 4gbps in total? Does this mean it’s not 4 ethernet controllers and there’s a switch involved?

Willy
Willy
7 months ago

Not necessarily, it can be a limit on CPU performance or in other contexts, even a limited number of PCIe lanes to the NIC controller. A switch wouldn’t have come with such a limitation. It could have enforced 2.5 Gbps however if the SoC was using 2.5GE.

dgp
dgp
7 months ago

>it can be a limit on CPU performance or in other contexts

I think that would be the first time in the history of marketing that someone actually gave the tested throughput and not just the best looking number from one part of the pipeline. 😉

tkaiser
tkaiser
7 months ago

On their Indiegogo page they talk about ‘Deep Insight helps you see the network at up to 3+ Gigabits per second’. So this is a number for a specific use case (‘deep’ packet inspection?). Though a use case I don’t understand since with 4 GbE ports the upstream traffic is clearly limited to 1 Gbps, isn’t it?

Anyway, the screenshot this ‘3+ Gigabits per second’ claim is based on is this:comment image

dgp
dgp
7 months ago

I might be missing something but I don’t know how they think that shows they can do deep packet inspection at 3gbps. That looks like iperf being used to flood it with traffic. :/

Willy
Willy
7 months ago

> I think that would be the first time in the history of marketing that someone actually gave the tested throughput Oh no, I strongly disagree on this. On network gear it’s exactly the opposite, they depend on a large number of factors and you actually have to run a lot of benchmarks to get the best reproducible numbers you can to put on the datasheet. There are dedicated companies like Ixia or Spirent whose job is to help vendors run such measures. And to give you an idea, at my company, we remove ~20% to the measured scores of… Read more »

tkaiser
tkaiser
7 months ago

> On network gear it’s exactly the opposite While I agree here, this Firewalla stuff is not ‘network gear’ but an attempt to address the fears of average users regarding ‘cyber threats’. Users who trust in appliances that only work as advertised via apps thrown at them via a crowdfunding campaign. Users who think if they can watch some funny graphs on their tablet or smartphone, get some alerts from time to time and can spy on their kids they regained control of their ‘network’. Their numbers are marketing stuff without any real meaning. How to interpret this for example?… Read more »

Willy
Willy
7 months ago

The way it is reported on their graph is totally absurd (especially the “new=6*old”), especially for the type of deployment expected here. They’d rather mention that since it can sustain 3Gbps total over its 4 interfaces, it’s unlikely that a single interface even with multiple DMZ will cause any trouble. A completely made up use case could be Gbps fiber on the WAN side, two DMZ with proxies and a LAN with a client. You then really need 3 Gbps of bandwidth to support downloading large objects (e.g. videos) at line rate through these devices. But that’s not for everyone.… Read more »

tkaiser
tkaiser
7 months ago

> In short, they should not even put the focus on performance

Well, the ‘performance’ isn’t great anyway for relevant use cases (VPN: ‘120 Mbits’ with ’64-bit Intel’ vs. ’70 Mbits’ with Allwinner’s H5) but their target audience are clueless people fearing cyber lalala and especially their happy customers from the first campaigns need to be convinced to replace the older appliances with this more expensive new one.

So every graph visualizing rather meaningless numbers makes a lot of sense for them…

Igor_kh
Igor_kh
7 months ago

Ubiquiti edge router is way cheaper and already available.

Gabriel
Gabriel
7 months ago

As an alternative, the Pondesk device based on Intel Atom E3845 looks cheaper, but comes without software.

Willy
Willy
7 months ago

Regarding the board’s origin, we’ve had some very similar-looking devices 4 years ago or so, they were all black, with the same port disposition, with serial and USB on one side, and ethernet+juice on the other, but I can’t recall the name. I looked for these at Commell, Jetway, Axiomtek, Acrosser, Nexcom, Aaeon, Lanner with no luck. I’m sure I’m missing some, given that I still couldn’t figure that one!

Willy
Willy
7 months ago

Ah finally found it! It’s Gigabyte. That one looks very similar:

https://fr.aliexpress.com/item/32773196368.html

tkaiser
tkaiser
7 months ago

If it’s really based on the Gigabyte board then with a J1900 it has not even AES-NI. Though Firewalla guys not mentioning the CPU in question is a good indication that’s something like that 😉

dgp
dgp
7 months ago

> it has not even AES-NI

Does iptables make a lot of use of AES?

tkaiser
tkaiser
7 months ago

I was focused on the ‘VPN server’ use case. Anyway, a J1900 is not that fast by today’s standards. Around 70% the integer performance of an J4105 or in other words: RK3399 level… (better suited for this use case though due to more flexible PCIe config allowing each lane to be attached to an individual NIC)

Roger Melly
Roger Melly
7 months ago

AES-NI is for encryption eg in encrypting data sent over a tunnel (as used in a VPN connection). If a tunnel is established using a passphrase, then encryption is needed even for that first step of communicating the passphrase for obvious reasons. iptables is a tool for packet filtering and network address translation eg deciding to which destination packets should be sent or whether they should be dropped. These are two different things. It you want to do ipsec or openvpn etc then AES-NI in hardware does make a significant improvement in performance. iptables has now been superseded by the… Read more »

dgp
dgp
7 months ago

I understand that. I was suggesting maybe it doesn’t matter so much for the people that will use this. They’ve given a figure for the VPN throughput and if that’s good enough for your use case then how the VPN sausage is made doesn’t matter.

TLS
TLS
7 months ago

That’s not a Gigabyte board. It’s as per your second link, from Qotom.

willy
willy
7 months ago

Ah probably they write “Gigabyte” as a way to mean “gigabit” 🙂

Willy
Willy
7 months ago

And an example of complete machine here with enclosure:
https://fr.aliexpress.com/item/32758008782.html

These ones were very dense and well designed. I forgot about them until you posted the photos above!

TLS
TLS
7 months ago

Actual product page. Although, it seems to be for a slightly more recent version.
http://www.qotom.net/product/35.html

Paul M
Paul M
7 months ago

I’ve been using a dual not j1900 board from gigabyte with an additional dual nic pci card as a firewall. It’s only been recent kernels they have mitigated the problem with the CPU hard locking up.
I’d never use the j1900 for anything due to the flaw. There’s a long running kernel bug about it.

theguyuk
theguyuk
7 months ago
theguyuk
theguyuk
7 months ago

Down voters won’t like this either then !

https://www.aliexpress.com/item/32782991772.html?

theguyuk
theguyuk
7 months ago
theguyuk
theguyuk
7 months ago

Or i7 that still cheaper than original, down voters going hate that!

https://www.aliexpress.com/item/32706578225.html?

theguyuk
theguyuk
7 months ago

What is the down voter scared of people knowing!

eas
eas
7 months ago

I dunno, but it seems the downvoter doesn’t understand the difference between a product and a project. The firewalla appears to be a product. Using those Qotom’s to do the same job is a project (even if it isn’t a very big project).

Advertisements