This article explains why there are limitations in Firewalla speed. In technical terms, Firewalla is an inbound firewall (it can block traffic coming in) and also an outbound firewall (it can block traffic from inside). It is also an IDS/IPS, which simply means there is code inside Firewalla that detects bad things and does something about them.
Now, let's look at the packet processing pipeline.
You can see the stages of packet processing here. Note that not all packets go through these stages in real time; this is simply a functional representation of how the internals work.
The packet rate is directly limited by:
- Header lookup
- Route lookup (where to send the packet to)
- Blocks (these are the rules to block traffic, they are additional lookups, and speed here is based on how many rules are there and the complexity of the rules)
- Kick packets out (send the packet out to userspace from kernel)
Indirect rate limitations:
- Packet header extraction in user space
- Packet header protocol decoding
- IPS/IDS processing
- User flows. This is the number of IP (src and dest) flows generated by the user. If P2P software is running, this can blow up the flow table.
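To make the flow-table point concrete, here is a simplified model added for illustration; it is not Firewalla's code. It keys flows by (src, dst), expires idle entries, and reports which source inflates the table. The 60-second idle timeout, the function names, and the sample addresses are assumptions.

```python
from collections import defaultdict

def simulate_flow_table(packets, idle_timeout=60.0):
    """Track flows keyed by (src, dst); return peak/final table size and per-source peaks.

    packets: iterable of (timestamp_seconds, src_ip, dst_ip).
    idle_timeout is an assumed value, not a Firewalla setting.
    """
    last_seen = {}                    # (src, dst) -> time of most recent packet
    peak_per_src = defaultdict(int)
    peak_total = 0
    for ts, src, dst in sorted(packets):
        # Expire flows that have been idle longer than the timeout.
        for key in [k for k, t in last_seen.items() if ts - t > idle_timeout]:
            del last_seen[key]
        last_seen[(src, dst)] = ts    # new flow, or refresh of an existing one
        peak_total = max(peak_total, len(last_seen))
        live = sum(1 for s, _ in last_seen if s == src)
        peak_per_src[src] = max(peak_per_src[src], live)
    return {"peak": peak_total, "final": len(last_seen), "per_src": dict(peak_per_src)}

def heavy_sources(per_src, limit):
    """Sources whose concurrent flow count exceeded the limit."""
    return sorted(src for src, n in per_src.items() if n > limit)

def constructed_traffic():
    """Constructed sample: one streaming device and one P2P-like client."""
    packets = []
    for i in range(1000):   # 1000 packets to one server: a single flow
        packets.append((i * 0.02, "192.168.1.10", "203.0.113.5"))
    for i in range(200):    # 200 packets, each to a different peer: 200 flows
        packets.append((i * 0.1, "192.168.1.20", f"198.51.100.{i + 1}"))
    packets.append((200.0, "192.168.1.10", "203.0.113.5"))  # after idle period
    return packets

if __name__ == "__main__":
    result = simulate_flow_table(constructed_traffic())
    print(result["peak"], result["final"], heavy_sources(result["per_src"], 50))
```

The streaming device sends five times as many packets as the P2P-like client yet occupies one table entry, while the client occupies 200 until the idle timeout clears them.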
CPU vs ASIC
Firewalla is optimized to deep inspect packets, while your router is optimized to switch/forward packets.
Firewalla is a purely software-based system; all processing is done by CPU cores. By using the CPU, Firewalla can examine packets with much more flexibility and go deeper than just the simple IP header.
Most consumer and business routers, by contrast, are optimized for speed. They rely on specialized hardware to forward packets. This specialized hardware is fast but does not have the flexibility to move around the packet header. These routers have less CPU power and require less memory.
Since much of the packet processing is done in software, the network complexity and the number of active flows will influence the final performance and speed. Each network is different, and so is its usage:
- If you have a big network and run a lot of network applications (VPN, VLAN, streaming, video conferences ...) you should use the Gold Unit.
- If you have an average-size network, the Purple unit will deliver gigabits and can maintain performance for this network.
- If you have a smaller / simple network (under 25 devices), Purple SE and Blue+ are more affordable and efficient.
Firewalla does not impact LAN traffic (network traffic within your home).