We covered Firewalla, based on the NanoPi NEO board, in mid-2018. The device is a tiny firewall, parental control, ad-blocker, and VPN appliance for end-users.
Since then they’ve launched Firewalla Blue, based on the NanoPi NEO2 SBC with Gigabit Ethernet and a faster processor, and now the company has just introduced the even more powerful Intel-based Firewalla Gold.

Firewalla Gold specifications:
- Processor – Unnamed Intel 64-bit quad-core processor
- System Memory – 4GB RAM
- Storage – 32GB flash
- Connectivity
  - 4x Gigabit Ethernet ports supporting over 3 Gbps in total, and up to 10 VPN connections at up to 120 Mbps aggregated bandwidth.
  - WiFi 6 module (not sure whether optional or included)
- Misc – RTC
- Power Supply – DC barrel jack
They may have designed a custom board this time, as I’m not sure which off-the-shelf SBC they may have used in their new product.
The device runs Ubuntu Linux, so users will have full access to the operating system over SSH and will be allowed to install their own packages. Just like the original Firewalla (now Firewalla Red) and Firewalla Blue, Firewalla Gold comes with a web interface to let users easily control what happens on their networks, with features such as cyber threat protection, VPN, DDNS, SSH, and ad-blocker configuration. Additionally, the Firewalla app for Android or iOS enables users to set up parental control and VPN, monitor bandwidth usage (Monthly / Daily / Hourly), and more…
Since Firewalla Gold is more powerful and comes with multiple Ethernet ports, the company also implemented new features including VLAN, network segmentation (for instance, to separate guest, IoT, and kids’ networks from your main network), network lockdown to block traffic from unknown devices, and router mode.
They’ve already raised $243,793 for Firewalla Gold on the Indiegogo crowdfunding platform, and if interested, you can get the router for $359, a 28% discount against the $499 MSRP expected once the product launches. Shipping adds $20, and backers should get their reward around July 2020 if everything goes according to plan.

Jean-Luc started CNX Software in 2010 as a part-time endeavor, before quitting his job as a software engineering manager, and starting to write daily news, and reviews full time later in 2011.
Mm why is it not 4gbps in total? Does this mean it’s not 4 ethernet controllers and there’s a switch involved?
Not necessarily, it can be a limit on CPU performance or in other contexts, even a limited number of PCIe lanes to the NIC controller. A switch wouldn’t have come with such a limitation. It could have enforced 2.5 Gbps however if the SoC was using 2.5GE.
>it can be a limit on CPU performance or in other contexts
I think that would be the first time in the history of marketing that someone actually gave the tested throughput and not just the best looking number from one part of the pipeline. 😉
On their Indiegogo page they talk about ‘Deep Insight helps you see the network at up to 3+ Gigabits per second’. So this is a number for a specific use case (‘deep’ packet inspection?). Though a use case I don’t understand since with 4 GbE ports the upstream traffic is clearly limited to 1 Gbps, isn’t it?
Anyway, the screenshot this ‘3+ Gigabits per second’ claim is based on is this:
I might be missing something but I don’t know how they think that shows they can do deep packet inspection at 3gbps. That looks like iperf being used to flood it with traffic. :/
> I think that would be the first time in the history of marketing that someone actually gave the tested throughput
Oh no, I strongly disagree on this. On network gear it’s exactly the opposite, they depend on a large number of factors and you actually have to run a lot of benchmarks to get the best reproducible numbers you can to put on the datasheet. There are dedicated companies like Ixia or Spirent whose job is to help vendors run such measures. And to give you an idea, at my company, we remove ~20% to the measured scores of…
> On network gear it’s exactly the opposite
While I agree here, this Firewalla stuff is not ‘network gear’ but an attempt to address the fears of average users regarding ‘cyber threats’. Users who trust in appliances that only work as advertised via apps thrown at them via a crowdfunding campaign. Users who think if they can watch some funny graphs on their tablet or smartphone, get some alerts from time to time and can spy on their kids they regained control of their ‘network’. Their numbers are marketing stuff without any real meaning. How to interpret this for example?…
The way it is reported on their graph is totally absurd (especially the “new=6*old”), especially for the type of deployment expected here. They’d rather mention that since it can sustain 3Gbps total over its 4 interfaces, it’s unlikely that a single interface even with multiple DMZ will cause any trouble. A completely made up use case could be Gbps fiber on the WAN side, two DMZ with proxies and a LAN with a client. You then really need 3 Gbps of bandwidth to support downloading large objects (e.g. videos) at line rate through these devices. But that’s not for everyone.…
> In short, they should not even put the focus on performance
Well, the ‘performance’ isn’t great anyway for relevant use cases (VPN: ‘120 Mbits’ with ’64-bit Intel’ vs. ’70 Mbits’ with Allwinner’s H5) but their target audience are clueless people fearing cyber lalala and especially their happy customers from the first campaigns need to be convinced to replace the older appliances with this more expensive new one.
So every graph visualizing rather meaningless numbers makes a lot of sense for them…
Ubiquiti edge router is way cheaper and already available.
As an alternative, the Pondesk device based on Intel Atom E3845 looks cheaper, but comes without software.
Regarding the board’s origin, we’ve had some very similar-looking devices 4 years ago or so, they were all black, with the same port disposition, with serial and USB on one side, and ethernet+juice on the other, but I can’t recall the name. I looked for these at Commell, Jetway, Axiomtek, Acrosser, Nexcom, Aaeon, Lanner with no luck. I’m sure I’m missing some, given that I still couldn’t figure that one!
Ah finally found it! It’s Gigabyte. That one looks very similar:
https://fr.aliexpress.com/item/32773196368.html
If it’s really based on the Gigabyte board then with a J1900 it has not even AES-NI. Though Firewalla guys not mentioning the CPU in question is a good indication that’s something like that 😉
> it has not even AES-NI
Does iptables make a lot of use of AES?
I was focused on the ‘VPN server’ use case. Anyway, a J1900 is not that fast by today’s standards. Around 70% the integer performance of a J4105 or in other words: RK3399 level… (better suited for this use case though due to more flexible PCIe config allowing each lane to be attached to an individual NIC)
AES-NI is for encryption, e.g. in encrypting data sent over a tunnel (as used in a VPN connection). If a tunnel is established using a passphrase, then encryption is needed even for that first step of communicating the passphrase for obvious reasons. iptables is a tool for packet filtering and network address translation, e.g. deciding to which destination packets should be sent or whether they should be dropped. These are two different things. If you want to do ipsec or openvpn etc then AES-NI in hardware does make a significant improvement in performance. iptables has now been superseded by the…
I understand that. I was suggesting maybe it doesn’t matter so much for the people that will use this. They’ve given a figure for the VPN throughput and if that’s good enough for your use case then how the VPN sausage is made doesn’t matter.
That’s not a Gigabyte board. It’s as per your second link, from Qotom.
Ah probably they write “Gigabyte” as a way to mean “gigabit” 🙂
And an example of complete machine here with enclosure:
https://fr.aliexpress.com/item/32758008782.html
These ones were very dense and well designed. I forgot about them until you posted the photos above!
Actual product page. Although, it seems to be for a slightly more recent version.
http://www.qotom.net/product/35.html
I’ve been using a dual not j1900 board from gigabyte with an additional dual nic pci card as a firewall. It’s only been recent kernels they have mitigated the problem with the CPU hard locking up.
I’d never use the j1900 for anything due to the flaw. There’s a long running kernel bug about it.
No good then ?
https://www.aliexpress.com/item/32783607963.html?
Down voters won’t like this either then !
https://www.aliexpress.com/item/32782991772.html?
Or this i5 5200U
https://www.aliexpress.c/item/32821689998.html?
Or i7 that’s still cheaper than original, down voters are going to hate that!
https://www.aliexpress.com/item/32706578225.html?
What is the down voter scared of people knowing!
I dunno, but it seems the downvoter doesn’t understand the difference between a product and a project. The firewalla appears to be a product. Using those Qotom’s to do the same job is a project (even if it isn’t a very big project).