Want to spend some time explaining why there are limitations in Firewalla speed. In technical terms, Firewalla is an inbound firewall, it can block traffic coming in, and also an outbound firewall, it can block traffic from inside. It is also an IDS/IPS, which is simply, there is code inside Firewalla that detect bad things and do something about it.
Now, let's look at the packet processing process
You can see the stages of packet processing here. And note, not all packets go through these in real-time, this is simply a functional representation of how the internals works.
The packet rate is directly limited by
- Header lookup
- Route lookup (where to send the packet to)
- Blocks (these are the rules to block traffic, they are additional lookups, and speed here is based on how many rules are there and the complexity of the rules)
- Kick packets out (send the packet out to userspace from kernel)
Indirect rate limitation
- Packet header extraction in user space
- Packet header protocol decoding
- and IPS/IDS process.
- User flows. This is the number of IP (src and dest) flows generated by the user. If P2P software is running, this can blow up the flow table.
CPU vs ASIC
Firewalla is optimized to deep inspect packets, while your router is optimized to switch/forward packets.
Firewalla is a purely software-based system, all processing is done via CPU cores. By using the CPU, firewalla can examine packets with much more flexibility, and go deeper than just the simple IP header.
While most consumer and business routers are optimized for speed. They rely on specialized hardware to forward packets. This specialized hardware is fast but does not have the flexibility to move around the packet header. They have less CPU power and less memory is required.
Since much of the packet processing is done via software, the network complexity and the number of active flows will influence the final performance and speed. Since each network is different, and network usage is different
- If you have a big network and run a lot of network applications (VPN, VLAN, streaming, video conferences ...) you should use the Gold Unit.
- If you have an average size network, the Purple unit will deliver gigabits and can maintain performance for this network.
- If you have a smaller / simple network, Purple SE and Blue+ are more affordable and efficient. (under 25 devices)
Firewalla does not impact LAN traffic. (Network traffic within your home).
Great information. I have a lot to learn and the gold has become my new hobby ... qq what is the capacity of the ports on the gold router? Are they Gigabit? or higher? The reason I ask is I am considering upgrading my Access Point to the TP Link EAP660 HD with a 2.5 Gbps Ethernet Port and was wondering if my gold router can take advantage of that or is limited to 1Gbps at each port? TIA
All the ports on the Gold are gigabit. But do remember, the Gold is a router, so it should not interfere with traffic on your local network. This means unless you have > 1gigabit internet (at the time of this message, >gigabit speed internet is not popular), you should NOT have any issues with your network.
So, if you want to take advantage of that 2.5Gbit for LAN, you will need a switch that's 2.5Gbit capable in front of Firewalla Gold, which your EAP660 connects to. But before doing any of this, make sure the EAP660 can output >gigabit. (To do this test, you may want to have several devices transferring at the same time).
This article has great descriptions of the products performance differences.
To cover all your products,
Could you please add similar detailed info regarding the blue plus .
@HF, blue plus is like the blue
@Firewalla, I'm looking at the section of your post stating the following:
P2P has historically caused PC's to use all the memory and cause for routers to crash / reboot. I'm trying to understand what "blowing up the flow table" means. Is it the same logic where the router runs out of memory? Why does P2P require so much memory in the first place? Any solutions / articles you can point me to is greatly appreciated.
Thank you for the explanation. I was confused why my upgraded speed was not coming through to my home network. As soon as I unplugged the red, I had nearly 500mbps download. I may need to upgrade or do as you say an select certain devices to be excluded such as my TV. With so much of my work being in cloud based programs the extra speed really is noticeable.
Please sign in to leave a comment.