Firewalla Gold review

Firewalla is a capable device which plugs into your router and protects your connected home from a host of network and internet threats.

A firewall detects and blocks external access to your baby monitor, smart speaker or other connected devices, for instance. 

Local network monitoring spots new devices as they connect, disables them as required, and warns you about devices exposed to the internet.

• Want to try Firewalla? Check out the website here

Parental controls and forced safe searching keep your kids away from the worst of the web, while built-in ad-blocking speeds up browsing on all your devices, and smart behavior monitoring alerts you to suspect apps or possibly compromised devices.

Despite all this power, Firewalla is easy to use, at least in a basic way. Its core features work largely automatically, without requiring any intervention at all, and straightforward Android and iOS apps help you manage everything else.

Firewalla is available in four flavors: Red ($109), Blue ($179), Blue+ ($199) and Gold ($418.) Unlike Norton Core and some other competitors, there's no ongoing subscription cost; you pay once only, and it's yours for life.

The Red, Blue and Blue+ editions vary mostly in their hardware specs and processing power. Upgrading from Red to Blue+ gets you a faster CPU (64-bit Quad Core @ 1.2GHz vs 32-bit Quad Core @ 1GHz), more RAM (2GB vs 512MB), faster VPN encryption (70Mbps vs 28Mbps) and packet processing speed (100Mbps vs 500Mbps.)

Upgrading to the Firewalla Gold doubles the hardware power in most areas (including support for 1Gb internet), ramps up the site-to-site VPN support from one to ten simultaneous connections, and throws in a full-featured and highly configurable router and firewall.

Works for us, but beware, this power does come at the cost of a lot of extra bulk. Firewalla Gold is 5.1" x 4.3" x 1.3 cm in size and 19oz (539g) in weight, which although it isn't large, can't compete with the other model's specs of 1.8 x 1.8 x 1.2 cm and a tiny 1.6oz (45g.)

We've tried to simplify this a little, but there are some software variations, too; Firewalla Red can't be used as a VPN server, for instance, which also means it doesn't provide a web console for remote management. If you're looking for the very fine detail, Firewalla's How To Choose article covers everything you need to know about the product range.

Whatever your preferred model, you'll also need an Android or iOS device to run Firewalla's setup and management app right now, although there is a beta web dashboard interface now available.

Setup

Our Firewalla Gold arrived, well protected in a small but solid box containing the base unit, power supply and power cable, a wall mounting rack and assorted screws.

Firewalla ships with a USA power cable, so if you're elsewhere in the world, make sure you order an 'international power cord' for $10 (UK, Europe and Australia are supported.)

There's a Getting Started card, but it has nothing more than a URL for the installation guide and a help@firewalla.com email address if you run into problems.

The setup guide points users first to the Firewalla apps for iOS and Android. And that's probably a good thing, because although the manual setup guide is detailed, it uses some seriously technical language in places, even for this type of kit ('If you have triple-play services over VLAN's setup required by you ISP...') and is likely to intimidate beginners.

The app is more straightforward, fortunately. After asking for our email address to register the product, then explaining some basic options (how to turn off notifications in Firewall Settings), it offered to pair with our Firewalla Gold.

Firewalla recommends setting up the device in Router mode. Connect it in line with an existing ISP modem/ router and the Firewalla takes over as the main router for your network. Easy to use and it should work with any device.

The alternative, Simple/ DHCP mode, simply adds Firewalla Gold to your existing network. Connect it to a free port on your existing router and Firewalla uses ARP spoofing to redirect most device traffic through its processor. Even though it's not your main router and your current network stays active, Simple/ DHCP mode allows you to use Firewalla's security tools to monitor and protect all your devices.

(Despite being called 'Simple' mode, this can be a little more complicated, not least because Firewalla's ARP trickery doesn't work with all routers. Check the Router Compatibility page on the website to see what options should work with your kit.)

Once you've chosen your preferred mode, the app makes setup easy. It prompted us to power up the router, scan a QR code to pair with the device and pick an operating mode. 

We chose Router Mode, connected the Firewalla to our current router, and a tap or two later, the app told us it was setting everything up. There was nothing else to do but wait, and around three minutes later it was ready to go.

If your needs are more complicated, a web installation guide is on hand. This can be more difficult to follow, depending on your network type and needs, but there's a lot of useful information, and you can get direct support via email, as well as discuss issues in a community forum and even Firewalla's own subreddit. 

Monitoring

Once you're Firewalla is up and running, launching the Firewalla app provides an instant view on what's going on. 

A chart at the top of the screen highlights bandwidth use over the last 24 hours, immediately useful as a way to highlight unexpected traffic.

Below that, the app displays the number of devices previously connected to your network, along with however many alarms Firewall has raised.

Tapping the Alarms button displays a list of what Firewalla thinks are interesting events. Some of these are just records of usage activity, and for instance Firewalla logged a Video Activity alert every time we watched a new YouTube video. Others could be warnings, ranging from blocked network attacks to spotting unusually high upload activity (someone accessing your webcam, say) or just highlighting attempts to watch porn on a specific device.

There's real depth to this. If you see a connection you don't understand, tapping it provides an array of extra information: device IP and MAC addresses, vendor and network names, domain names and registration details, protocol, ports and more. And if it looks like a problem, you're able to block that connection in future with a tap.

You don't have to drill down to that level of detail, though, and if you prefer a simple life, a Mute button enables hiding all but the notifications you really care about. 

Tapping Firewalla's Devices button gives you list of devices previously seen on your network, along with their low-level details (type, IP, MAC address and so on) and a full internet history: bandwidth used, domains accessed, the details of each connection (port, location, timestamp) and more.

If that's too technical, an Apps view tries to list network activity by categories like Messaging, Shopping, Games, Audio/ Video and more, in theory giving you a very good idea of exactly what your kids were doing last night.

In practice, it's not quite as simple as that. Firewalla variously classified our Fire TV as Shopping, Entertainment and Audio TV, for instance, and we're not clear why its traffic was spread across multiple categories. Still, the report did give us a decent general idea of network usage, and you'll likely get better at interpreting it over time as you learn any quirks.

Parental controls

Firewalla's monitoring tools are useful, but they're just the start, and the box has many other tricks and tools.

The Family option is a basic parental controls-type system which enables simple content filtering, enforcement of Safe Search (Google, Bing, YouTube and DuckDuckGo) and a 'Social Hour' feature which blocks all social networking activities for an hour.

The Family option only blocked violence and porn-related sites for us, but you can also opt to block gaming sites, social media and video streaming for any particular device (or stop all internet access entirely, if you're feeling extreme.)

Site blocking doesn't always give clear warnings. When we tried visiting a banned site on a MacBook Pro, Chrome complained about an invalid certificate. We couldn't access the site, but in a real-world situation, would probably assume it was a site issue, not anything to do with Firewalla or the network.

The Family feature did a good job of blocking family-unfriendly sites, though, probably because it's powered by the effective OpenDNS Family Shield underneath.

Safe Search proved effective, too, transparently refining our search results to filter out anything that's not family-friendly. There are no guarantees - if your child has a mobile, they can switch from Wifi to their network and have no controls at all - but it did as good a job as we could expect.

VPN

Firewalla has some unusual extras in both a built-in VPN server and support for working with a third-party VPN client.

Enabling the VPN server allows you to securely access your home network from anywhere in the world via an OpenVPN-compatible client. You could use this to access any of your connected devices, or browse local files. It also works like any other VPN server in your own country, unblocking content which might not be available when you're abroad.

If your router supports UPnP, Firewalla's sets up the server almost immediately, no manual port forwarding nightmares required. This worked just fine for us, with the app providing our necessary details (server name, IP, port, password, more), and automatically generating an appropriate OpenVPN profile. 

The app then pointed us to links for the standard OpenVPN apps (Windows, Android, iOS, Mac.) We installed the Android build, imported Firewalla's custom profile and it connected immediately, allocating us our UK IP address. This really could allow us to, say, access BBC iPlayer from anywhere in the world, but keep in mind that performance is limited to the maximum upload speed for your home connection. 

Firewalla's built-in VPN client is more flexible, with support for remote access (you can securely access resources in another network), a site-to-site VPN (two networks are connected, and devices in either one of the networks can access devices in the other), and third-party VPN servers (you can connect to a server managed by another provider.)

The third-party option is the most interesting. If you've an account with a compatible provider - ExpressVPN, NordVPN, Surfshark, IPVanish and PureVPN are all on the list - then you're able to set up Firewalla with the details of one of its servers. After that, you can connect to the VPN at any time from the Firewalla app, and choose whatever devices you'd like to use that connection (a smart TV for viewing US Netflix, say.)

There's a lot of functionality here, and we don't begin to have the space to do it justice. If the VPN sounds like it could work for you, take a look at the Server and Client support pages for details on what's possible, and how to get it all working.

More features

Firewalla includes a simple DNS-based ad blocker. It doesn't clear away as much on-screen clutter as the top browser extensions, but we expect that with this type of tool, where there's no option to analyze page content. As a bonus, it's fast and automatically protects all your devices (plus you can continue using your existing ad blocker where performance is really important.)

An Open Ports feature scans your setup from the outside world, and alerts you to any devices with exposed ports, a handy way to spot vulnerabilities.

A New Device Quarantine option automatically places new devices in a restricted Quarantine group when they join your network, and doesn't allow them to access the internet or other network devices. The app raises an alarm to warn you about this, and if you recognize the device, you can release the device from Quarantine with a tap. But if you don't recognize it, or you're not paying attention to the network right now, the new arrival stays quarantined and won't be able to do very much. (You can also block it entirely if you're sure it's rogue.)

Experienced users looking to access their network remotely will appreciate Firewalla's dynamic DNS support (essentially, you're able to securely access your system via a unique yourID.firewalla.org subdomain.)

Built-in support for DNS over HTTPS ensures DNS lookups are encrypted, reducing the chance for an attacker to see which websites you're visiting.

Perhaps best of all, while most of these features only take a tap or two to implement, they work by generating firewall-type rules underneath. These are fully customizable and you can edit them or create your own from scratch, making for a hugely configurable setup.

Want to block a specific domain, for instance? A remote port, a geographical region, access to shopping sites, a site category? Just create a rule, apply it to some or all of your devices, choose a schedule and you've another customized layer of protection. You don't have to get down to this level of technical detail, but just having the option is ideal for fine-tuning the Firewalla to suit your needs. 

Final verdict

Firewalla Gold is a powerful and configurable firewall/ router for business users and techies, but it's likely to be overkill for everyone else. If you're looking for simple network protection and internet security, check out Bitdefender Box; and if you like Firewalla, keep in mind that its starter Red product gives you plenty of functionality for $99, less than a quarter of the Gold price.

• We've also highlighted the best VPN