We want to spend some time explaining why there are limits on Firewalla's throughput. In technical terms, Firewalla is an inbound firewall (it can block traffic coming in) and also an outbound firewall (it can block traffic going out from inside). It is also an IDS/IPS, which simply means there is code inside Firewalla that detects bad things and does something about them.
Now, let's look at how a packet is processed.
You can see the stages of packet processing here. Note that not all packets go through these stages in real time; this is simply a functional representation of how the internals work.
Packet rate is directly limited by:
- Header lookup (if doing tunneling, like VPN)
- Route lookup (where to send the packet to)
- Blocks (these are the rules that block traffic; they are an additional lookup, and the speed here depends on how many rules there are and how complex they are)
- Kick packets out (send the packet out of the kernel to user space)
Packet rate is indirectly limited by:
- Packet header extraction in user space
- Packet header protocol decoding
- The IPS/IDS process.
- User flows. This is the number of IP (src and dst) flows generated by the user. If P2P software is running, this can blow up the flow table.
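To make the flow-table point concrete, here is a small added example (not Firewalla code) that builds the per-device flow table described above from a constructed packet sample: distinct (LAN device, peer) pairs, with inbound and outbound packets of the same conversation folded into one flow. The device addresses, the LAN prefix and the byte counts are all made up for the illustration. It shows why a P2P-style client with many peers costs far more flow-table entries than a single high-bandwidth stream does, even though the stream moves many more bytes.

```python
"""Flow-table accounting over a constructed packet sample.

Added example, not Firewalla code: it models the per-device flow table
(distinct src/dst IP pairs) so you can see how one P2P-style host inflates
the table far more than a high-bandwidth single stream does.
"""
from collections import defaultdict

# Constructed packet records: (src_ip, dst_ip, bytes). Not captured traffic.
# 10.0.0.5 behaves like a 4K TV: one flow, lots of bytes.
# 10.0.0.9 behaves like a P2P client: many peers, little data each.
SAMPLE_PACKETS = [("10.0.0.5", "203.0.113.10", 1500)] * 200 + [
    ("10.0.0.9", f"198.51.100.{i}", 120) for i in range(1, 151)
]

LAN_PREFIX = "10.0.0."  # constructed LAN range used to pick the "user" side


def build_flow_table(packets):
    """Return {device_ip: {peer_ip: bytes}} keyed on the LAN-side address.

    Direction is normalised so that inbound and outbound packets of the same
    conversation count as one flow, matching the (src, dst) flow notion above.
    """
    table = defaultdict(lambda: defaultdict(int))
    for src, dst, size in packets:
        if src.startswith(LAN_PREFIX):
            device, peer = src, dst
        elif dst.startswith(LAN_PREFIX):
            device, peer = dst, src
        else:
            continue  # no LAN endpoint, so not a user flow in this model
        table[device][peer] += size
    return table


def flow_summary(packets):
    """Per-device (device, flow_count, total_bytes), most flows first."""
    table = build_flow_table(packets)
    rows = [(dev, len(peers), sum(peers.values())) for dev, peers in table.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def devices_over_flow_budget(packets, max_flows):
    """Devices whose distinct-peer count exceeds max_flows: the ones to look
    at when the flow table grows faster than bandwidth alone would explain."""
    return [dev for dev, flows, _ in flow_summary(packets) if flows > max_flows]


if __name__ == "__main__":
    for dev, flows, total in flow_summary(SAMPLE_PACKETS):
        print(f"{dev:12} flows={flows:4} bytes={total}")
    print("over budget:", devices_over_flow_budget(SAMPLE_PACKETS, 100))
```

Run as-is it lists the TV with 1 flow and 300000 bytes and the P2P host with 150 flows and only 18000 bytes; only the P2P host exceeds the constructed budget of 100 flows. The flow budget number is an assumption for the example, not a Firewalla limit.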
CPU vs ASIC
Firewalla is optimized to deep inspect packets, while your router is optimized to switch/forward packets.
Firewalla is a purely software-based system; all processing is done on the quad-core CPU. By using the CPU, Firewalla can examine packets with much more flexibility and go deeper than just the simple IP header.
Most consumer and business routers, by contrast, are optimized for speed. They rely on specialized hardware to forward packets. This specialized hardware is fast, but it does not have the flexibility to move around inside the packet header. Such routers have less CPU power, and less memory is required.
Firewalla RED can only process packets at around 100 Mbit/s. This is with around 1000 rules installed in the data path.
If your internet is just a bit faster than this, you shouldn't worry. It is likely during normal operations you will never reach the limit.
Here is something you can do:
- Firewalla monitoring is virtual, so you can easily turn it on and off. For example, you can turn off monitoring of your 4K TV. This way, the 4K TV stream will not impact packet processing on Firewalla. To figure out which device to take out of monitoring, look at the graph for that device. Keeping the streams that Firewalla monitors below 100 Mbit/s will ensure your internet is not throttled.
The performance of the system depends highly on what's going on. If you are seeing throughput above 70 Mbit/s, you are okay. If you are seeing less than 50 Mbit/s, something is going wrong.
Why the variation? It is really the CPU. There are periodic processes that may take CPU away from switching. It shouldn't be that much, but it may cause a temporary slowness. The performance number should be measured over a longer duration.
Firewalla BLUE has an upgraded CPU and double the memory. This significantly increases the throughput to around 500 Mbit/s or more. (Note: we advertise it as near Gigabit, but it is really half of that. It is also likely that we can increase the performance in software, which means we may get to 'near' gigabit in the future with software upgrades.)
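The advice above about measuring over a longer duration is easy to get wrong with a ten-second speed test. The following added example (not Firewalla code, and using constructed throughput samples rather than real measurements) compares a short test window against the whole series, using the 70 and 50 Mbit/s thresholds from the text, and reports what fraction of the time sat below the "problem" line so you can tell a brief periodic dip from sustained degradation. The dip timing and the 90 Mbit/s baseline are assumptions for the illustration.

```python
"""Interpreting throughput samples over a short vs. a long window.

Added example, not Firewalla code. The per-second samples are constructed:
a steady ~90 Mbit/s with a three-second dip every 30 s, standing in for a
periodic background process taking CPU away from packet switching.
"""

SAMPLES = [90.0 if (t % 30) not in (10, 11, 12) else 40.0 for t in range(120)]

OK_THRESHOLD = 70.0   # from the text: above ~70 Mbit/s you are okay
BAD_THRESHOLD = 50.0  # from the text: below ~50 Mbit/s something is wrong


def window_average(samples, start, length):
    """Mean throughput of samples[start:start+length]."""
    chunk = samples[start:start + length]
    if not chunk:
        raise ValueError("window is empty")
    return sum(chunk) / len(chunk)


def classify(mbits):
    """Apply the article's thresholds to one throughput figure."""
    if mbits > OK_THRESHOLD:
        return "ok"
    if mbits < BAD_THRESHOLD:
        return "problem"
    return "inconclusive"


def fraction_below(samples, threshold):
    """Share of samples under the threshold: small means a temporary dip,
    large means the slowness is sustained."""
    return sum(1 for s in samples if s < threshold) / len(samples)


def short_vs_long(samples, short_len, start):
    """Verdict from a short test beginning at `start` versus the full series."""
    short = window_average(samples, start, short_len)
    long = window_average(samples, 0, len(samples))
    return {
        "short": round(short, 1), "short_verdict": classify(short),
        "long": round(long, 1), "long_verdict": classify(long),
        "fraction_below_bad": round(fraction_below(samples, BAD_THRESHOLD), 2),
    }


if __name__ == "__main__":
    # A 3 s test that happens to start inside a dip reads as a problem;
    # the 120 s average of the same series reads as ok.
    print(short_vs_long(SAMPLES, short_len=3, start=10))
```

A short test that lands on a dip reports 40 Mbit/s ("problem") while the two-minute average of the same series is 85 Mbit/s ("ok"), with only 10% of samples below the 50 Mbit/s line. If that fraction were large, the long average would also fall and the slowness would be real rather than periodic.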
- A faster processor allows packets to be processed a lot faster.
- More memory stores more active rules and saves us from using intermediate steps to compress data.
- More memory will also allow more extra services to be running together
The Firewalla Gold, unlike the Red and the Blue, runs on an Intel CPU, which can push packets a lot faster. In addition, the Gold has 3 extra ports, and each of these ports has its own dedicated Intel MAC, which means each port can have its own IP address, run its own segment, and provide a VLAN trunk.
Firewalla does not impact LAN traffic (network traffic within your home).