Firewalla - How it's going after a few weeks running 

nTRaaS

This is the last video in the Firewalla Gold series, keep in tune for the purple and the VPN videos!

Published: Sep 30, 2022

Comments: 48
@johntrussell7228 1 year ago
Thank you for this. It is incredibly hard to find good Firewalla reviews and deep dives like this on RU-vid. Please keep covering these devices, you gained a Sub from me!
@NickEscobedo 1 year ago
This was super helpful. Thank you!
@Chomper750 1 year ago
I don't hate hackers. I'd be out of a job if they didn't exist.
@vijgai3 1 year ago
I took down my OPNSense firewall/router device & got this. I have had no issues to date and the simplicity & visibility is just great. My home network has UniFi APs, a UniFi switch & quite a few devices including IOT.
@silnce01 1 year ago
Ty for the video and appreciate the feedback. IT and Cyber inclined - I want simplicity. Not only that but ease of use not only for me but my better half. I do this for a living and I enjoy it but time at home doing other things is more of a priority now. Things change in life. Just like you, I will take down my pfsense box and give this a shot. I can't knock it much until I give it a shot.
@grenwolde 1 year ago
Thanks for the video -- just installed my Firewalla gold -- super easy and good GUI.
@jessielees 1 year ago
Great video, thank you for this! I'm really considering this box to set up some better network security at home. Question though, as I'm not an I.T. pro myself - can I use the VPN features within my home for whole home network traffic privacy without a VPN service provider? Or do I still have to buy a VPN service to connect to?
@timhenderson895 1 year ago
As a vpn server it allows you to connect to your home from a remote location; the vpn client allows you to create a site to site, remote access vpn, and the previous 3rd party option.
@ntraas1584 1 year ago
Very interesting question. For whole home VPN security features you would need to buy a VPN service connection. Firewalla (and keep in mind some models can do this some cannot, might need to verify) check out this Firewalla article: https: //help.firewalla.com/hc/en-us/articles/360023379953-VPN-Client. I can’t paste links, so just remove the space after https:. It seems ExpressVPN, Surfshark, and NordVPN are all possible. By creating a 3rd party VPN using either OpenVPN or WireGuard you can create the whole home VPN. Keep in mind I have not tried doing this, but may be worth another video!
@shadow8637 11 months ago
If I have three routers at home and connect Firewalla with WAN then connect those routers to it, will it be able to see all traffic from those routers? Will it matter if they are set to router mode/AP mode?
@AAtta-3286 1 year ago
Great video! No in-depth videos on firewalla like yours. I am upgrading from the Firewalla Blue plus that I connected in simple mode, to the Purple that I want to connect in router mode. I have a TP-Link Ax21 router that I'll switch to an access point. My question is when I connect the Firewalla Purple LAN side to the now TP Link access point do I connect it to the LAN or WAN of the TP Link. Much appreciate your videos! Stay well! Tony
@ntraas1584 1 year ago
I’m guessing your TP is a non enterprise? Meaning no VLANs? Simply enough you’re going to just create a network for the LAN interface, not a VLAN port, and just connect the TP to the Purple. As I don’t know the software for your TP I’m guessing here: plug the Firewalla LAN port into a LAN port on the TP and done. If the TP only has a routed WAN port it may not accomplish what you want but will still connect to the internet. If the TP has a routed internet port only, or otherwise, there may be a setting in the TP to turn it to access point mode and thus your WAN link will become a LAN link.
@ntraas1584 1 year ago
Otherwise just browse through the TP configuration and try different settings to see what works.
@AAtta-3286 1 year ago
@@ntraas1584 Correct, no VLANs. Wasn't aware once TP-Link router turned into access point then the WAN port just becomes another LAN port. Good to know. Thanks again for your in-depth videos on Firewalla
@xellaz 1 year ago
I had a similar dilemma before. In my case, I knew I have to use the Firewalla as my main router to take full advantage of its features. But heck... YOLO.... I saved all my router and switch settings and replaced my main router with Firewalla. Long story short, I'm glad I did and I was pleasantly surprised that setting up things is easier with Firewalla than my old router. I just have to read and follow the tutorials for stuff I'm trying to do such as setting up port-forwarding, enabling the built-in VPN, etc. Most of the blocked IPs are just net scanners from both legit organizations monitoring how many people are compromised and of course... malicious hackers. The notifications are annoying mostly just at the beginning. If you mute the ones you definitely know are safe traffic (using a wider range of filter), it wouldn't be that bad later on.
@ntraas1584 1 year ago
All great points! The built in VPNs can be a little glitchy at times but when they work they work like a charm. It’s an interesting thing though, that this little device can do and show so much that bigger, Enterprise firewalls, fail to show so elegantly (see the firepower appliance without forwarding logs…). Though with that same thought firewalla really is home and small business. I would definitely recommend this to a business to use if they don’t require more advanced routing and internet features. What’s really the point of IPS if it’s only inside out right? I’m wondering if firewalla will show if an infected machine is sending out data or if everything is listed as “abnormal upload” because the false positives have been numerous.
@xellaz 1 year ago
@@ntraas1584 So far everything seems "abnormal uploads" even legit ones. I have a Firewalla Purple on my mom's Linux PC (I switched her to Linux.. lol!) and I got alerted of an "abnormal upload". I found out though that this was caused by the Facebook Messenger app. This happens whenever she does video chat with my aunts that are located in other countries. I since muted this traffic so it doesn't alert me anymore. You really have to address the notification alerts as soon as you can or they will pile up quick. Most of the time, one rule can address multiple alerts so you won't have to create one rule per alert. Firewalla would give you a "malicious website" alert if you visit well-known cracks/warez/malicious sites. It won't block you however from accessing them unless you create a rule for it afterwards. On my Firewalla at home, I currently have like 100k+ flows and 61k blocked in just the last 24 hours. I run a crypto miner though and I have a lot of cameras and other smart gadgets connected to the network. I have most of them segmented and the cameras and other stuff that has no business with my local network blocked from connecting to it. I even region blocked China/India/Russia/etc. from connecting to my cameras.. 'Coz yea... some of my cameras are made in China and I see China IPs trying to connect to it. As long as I can access my cameras locally and over the Internet, I'm good... everything else is blocked from accessing it. I even saw a suspicious IP that was trying to connect to my NAS. Somehow that IP found out the outside port I'm using on that NAS. Good thing Firewalla alerted me to it. Ever since I changed the port and the user/password credentials (using a password manager), I haven't been alerted again. Maybe it's still trying to poke the old port.. lol
@mikescott4008 11 months ago
I'm looking at one of these for a family member for the keep it simple aspect, they're not tech savvy etc. Me, I'm in the trade, so will continue to run Cisco CBS switches at home with whatever firewall I'm exploring. Been running Sophos XG for a while, but spending time with pfSense and OPNsense at present.
@ntraas1584 11 months ago
Honestly…unless you want the ability to troubleshoot their issues locally, you can’t manage if no internet, then might not be necessary. If there is an internet issue, the Bluetooth troubleshooting is painful. I’ve always been a fan of buy to check out, implement and learn, so hey if you/them want to have some cool features and dashboards I’d say go for it. How do you like the Sophos XG? I’m in a 50% Cisco 50% Palo shop so I pretty much stick with those at home. Anyone in IT I’d never recommend any firewall that they don’t use at work, but if they use those then cool. JMO; if you want to be seen as the expert at work, use that at home…
@DUNCEATRON5000 5 months ago
I installed mine today and I love it
@konman181 5 months ago
My isp speeds are 1350 down and 250 up. If I use this will I get close to actual speeds? My Asus barely does half. Thinking about using it as an AP instead.
@troyjohnson1003 1 year ago
Have you tried it in Bridge Mode? Does the unit still block Russia, China etc if in Bridge Mode? I am wondering if Firewall would coexist in an existing Ubiquiti UDM environment.
@ntraas1584 1 year ago
I have not tried bridge mode but I have the purple I need to setup so I’ll check that out and let you know. For ubiquiti I’m wondering what you mean by coexisting. In router mode it simply provides a NAT to the outside, bridge mode will still do monitoring, etc. according to Firewalla: In bridge mode, blocking features, protection features, and the ad blocked will work the same way as in router mode. I wouldn’t use routed mode with ubiquiti unless you have a real need, but they both do static routing.
@troyjohnson1003 1 year ago
@@ntraas1584 I just ordered the Purple to test it out in Bridge mode with my Ubiquiti network.
@ntraas1584 1 year ago
@@troyjohnson1003 nice! I just took mine out of the box. One thing though: patience is key, it can seem like it takes forever at times.
@gamecube142001 1 year ago
@@troyjohnson1003 That's what I'm looking to do as well in bridge mode
@gxtoast2221 11 months ago
Yeah, the Firewalla must be the security gateway, core, aggregation and access level all-in-one and be configured in a router-on-a-stick topology for any vlans configured on connected layer 2 access switches. This means that all inter-vlan routing must occur on the Firewalla for it to be able to apply rules to control traffic within the local network and to the internet. If you have a need to run layer 3 routing to the access layer in a multi-layer network the Firewalla won't be a good choice. The whole router-on-a-stick design required by the Firewalla means that it cannot function on high performance 10G networks. If a home runs some 10G interconnects between a couple of switches and something like a NAS the Firewalla is going to be a point of congestion.
@capnrob97 1 year ago
They do have a browser interface but it is not as complete as the app
@ntraas1584 1 year ago
Very cool, it looks like it was implemented on version 1.46. Thank you!
@eibensl 9 months ago
You could have kept your original router and put Firewalla into bridge mode between it and your internal switch. If you are running multiple subnets on your internal network, then create additional bridges on the Firewalla. My home network is set up this way and my Firewalla sees all traffic on my internal subnets. Bridge mode acts as a man-in-the-middle so doesn't NAT traffic.
@Placesandspaces35 9 months ago
I have above gig speed on my network so would putting the Firewalla Blue Plus in bridge mode between the router and hardwired devices would that slow my speed down or only if it is used as the gateway?
@alldecentnamestaken 1 year ago
"This one is, of course, China". LMAO
@Digisan82 1 year ago
Hope that's not your actual public WAN IP, otherwise.. you're tempting fate.
@ntraas1584 1 year ago
Well…if someone actually breaks in I’ll have a good video to make and it’ll ruin Firewalla…
@thisisreallyme3130 1 year ago
This is good, thank you. Some feedback: spent too much time exploring "Blocked Connections" and where they're coming from (ie around 7:26) So much of this traffic happens it is really not interesting unless you trigger the scenario where you WANTED traffic to get in but it was blocked (and you had to resolve that issue) Meant to be encouraging. :-) There are not a lot of very technical reviews on Firewalla so please keep going. Cheers
@ntraas1584 1 year ago
I do tend to go on tangents…thanks for the message!
@muruganm848 7 months ago
I agree man I hate these hackers my neighbor is hacking my network but my firewalla red in dhcp mode can’t stop it the year I bought it was 2021 it became EOL 2022.
@dogten4006 3 months ago
A neighbor hacking you is an act of war, someone might be inclined to disrupt their signal with a HERF cannon or similar deterrent.
@ninjarider443 1 year ago
Great video - outstanding work compared to others I watched. What I don't like about Firewalla is their devices are manufactured in China. I believe the firmware is also flashed in China (asked their support to find out). Supply chain attacks are a big problem. I do not think they reflash them or offer coreboot in the USA to save money. For me, I always buy hardware with coreboot BIOS and toss on IPFire or pfSense. I also run Pi-hole on a Raspberry Pi and configured to block 3 million bad URLs that updates these known bad lists weekly. I just don't want to install a FIREWALL to protect my network from being hacked from the same folks who bought it. China hacks the heck out of the USA. Hi Mr. Burglar, I know you keep trying to break into my network, but hey, you are cheaper costs so can you build my home security system so I can use it to protect against burglars including you guys? Just doesn't make sense at all to me. But Cisco/Juniper/etc.. all has their stuff manufactured in China then everyone scratches their head and tries to figure out how China got into their networks. If they were fully manufactured in the USA though, I would buy it! Seems like a great solution, but way too many backdoors hitting the news lately and just too risky. Yes, everything is made in China (iPhone chips, etc..), but, for an edge router, I want that one single device NOT flashed by the Chinese.
@cqwickedwake7651 1 year ago
Why use Firewalla when you can run your network through Cloudflare? I mean I get it because of latency but still for me in EU it doesn't add any latency at all and it all runs smooth so yeah..... Nothing against Firewalla but I'd rather use Fortigate then 😉 Cheers
@ntraas1584 1 year ago
Hey thanks for the message! I hadn’t heard of cloudflare, it looks to be an interesting option to look more deeply into. Firewalla is a good option for home use, honestly a techie probably would go with something else but for the average consumer it’s a move in the right direction.
@DustinWyatt 1 year ago
Firewalla adds lots of things that Cloudflare does not. For example, I need gigabit-level smart queue QoS.
@ninjarider443 1 year ago
google "firewalla vulnerabilities" Yikes! Not interested in something like this as my edge router/firewall
@ntraas1584 11 months ago
Take a look at Cisco vulnerabilities sometimes….