Articles in this section

See more

Firewalla Speed Limitations Explained ...

Avatar
Firewalla
  • Updated
Follow

Want to spend some time to explain why there are limitations in Firewalla speed.   In technical terms, Firewalla is an inbound firewall, it can block traffic coming in and also an outbound firewall, it can block traffic from inside.  It is also an IDS/IPS, which is simply, there is code inside Firewalla that detect bad things and do something about it. 

Now, let's look at the packet processing process

You can see the stages of packet processing here.  And note, not all packets go through these in real time, this is simply a functional representation of how the internals works. 

Packet rate is directly limited by

  • Header lookup (if doing tunneling, like VPN)
  • Route lookup (where to send the packet to)
  • Blocks (these are the rules to block traffic, they are additional lookup, speed here is based on how many rules are there and complexity of the rules)
  • Kick packets out (send the packet out to userspace from kernel)

Indirect rate limitation

  • Packet header extraction in user space
  • Packet header protocol decoding
  • and IPS/IDS process.
  • User flows.  This is the number of IP (src and dest) flows generated by the user.  If P2P software is running, this can blow up the flow table. 

Since Firewalla's is a purely software-based system, all processing is done via the quad-core CPU.  We will unlikely to go with any processor that does packet processing in hardware.  These processors are generally more expensive and have more restrictions.  

Firewalla RED

Firewalla RED can only process packets around 100Mbits per second.  This is with around 1000 rules installed in the data path.  

If your internet is just a bit faster than this, you shouldn't worry.  It is likely during normal operations you will never reach the limit. 

Here is something you can do 

  • Firewalla monitoring is virtual, so you can easily turn it on and off.  For example, you can turn off monitoring of your 4K TV.  This way, the 4K TV stream will not impact packet processing on Firewalla.  To figure out which one to kick out from monitoring, look at the graph for that device.  Limiting Firewalla streams to be less than 100mbits will ensure your internet is not throttled.

Performance of the system depends highly on what's going on.  If you are experiencing performance around >70Mbits, then you are okay.  If you are experiencing <50Mbits, something is going wrong.  

Why the variation?  It is really the CPU.  There are periodic processes that may take CPU away from switching.  It shouldn't be that much, but it may cause a temporary slowness.    The performance number should be measured with a longer duration. 

Firewalla BLUE (releasing in Feburary 2019, Crowdfunding starts 2018/8)

Firewalla BLUE has an upgraded CPU and doubles the memory.  This will significantly increase the throughput to be around 300 to 500 megabits.  (Note, we advertise it as near Gigabit, it is really half of that.  And it is also likely we may increase the performance in software, which means we can get to 'near' gigabit in the future with software upgrades)

  • A faster processor will allow packet processing to be a lot faster
  • More memory will store more active rules and prevent us from using intermediate steps to compress data.
  • More memory will also allow more extra services to be running together

 

Related articles

Comments

0 comments

Please sign in to leave a comment.

Powered by Zendesk