Want to spend some time to explain why there are limitations in Firewalla speed. In technical terms, Firewalla is an inbound firewall, it can block traffic coming in and also an outbound firewall, it can block traffic from inside. It is also an IDS/IPS, which is simply, there is code inside Firewalla that detect bad things and do something about it.
Now, let's look at the packet processing process
You can see the stages of packet processing here. And note, not all packets go through these in real-time, this is simply a functional representation of how the internals works.
The packet rate is directly limited by
- Header lookup (if doing tunneling, like VPN)
- Route lookup (where to send the packet to)
- Blocks (these are the rules to block traffic, they are additional lookup, speed here is based on how many rules are there and complexity of the rules)
- Kick packets out (send the packet out to userspace from kernel)
Indirect rate limitation
- Packet header extraction in user space
- Packet header protocol decoding
- and IPS/IDS process.
- User flows. This is the number of IP (src and dest) flows generated by the user. If P2P software is running, this can blow up the flow table.
CPU vs ASIC
Firewalla is optimized to deep inspect packets, while your router is optimized to switch/forward packets.
Firewalla is a purely software-based system, all processing is done via the quad-core CPU. By using the CPU, firewalla can examine packets with much more flexibility, and go deeper than just the simple IP header.
While most of the consumer and business routers are optimized for speed. They rely on specialized hardware to forward packets. This specialized hardware is fast, but do not have the flexibility to move around the packet header. They have less CPU power and less memory is required.
Firewalla RED can only process packets around 100Mbits per second. This is with around 1000 rules installed in the data path.
If your internet is just a bit faster than this, you shouldn't worry. It is likely during normal operations you will never reach the limit.
Here is something you can do
- Firewalla monitoring is virtual, so you can easily turn it on and off. For example, you can turn off monitoring of your 4K TV. This way, the 4K TV stream will not impact packet processing on Firewalla. To figure out which one to kick out from monitoring, look at the graph for that device. Limiting Firewalla streams to be less than 100mbits will ensure your internet is not throttled.
The performance of the system depends highly on what's going on. If you are experiencing performance around >70Mbits, then you are okay. If you are experiencing <50Mbits, something is going wrong.
Why the variation? It is really the CPU. There are periodic processes that may take CPU away from switching. It shouldn't be that much, but it may cause a temporary slowness. The performance number should be measured with a longer duration.
Firewalla BLUE has an upgraded CPU and doubles the memory. This will significantly increase the throughput to be around > 500 megabits. (Note, we advertise it as near Gigabit, it is really half of that. And it is also likely we may increase the performance in software, which means we can get to 'near' gigabit in the future with software upgrades)
- A faster processor will allow packet processing to be a lot faster
- More memory will store more active rules and prevent us from using intermediate steps to compress data.
- More memory will also allow more extra services to be running together
The Firewalla Gold, unlike the Red and the Blue, runs on Intel CPU, which can push packets a lot faster. The 'beast' can do multiple-Gigabit. In addition, the Gold has 3 extra ports, each of these ports on the Gold has its own dedicated Intel MAC, which means, each of the ports can get their own IP address, running its own segment, and provide a VLAN trunk.
LAN Traffic
Firewalla does not impact LAN traffic. (Network traffic within your home).
Comments
5 comments
Great information. I have a lot to learn and the gold has become my new hobby ... qq what is the capacity of the ports on the gold router? Are they Gigabit? or higher? The reason I ask is I am considering upgrading my Access Point to the TP Link EAP660 HD with a 2.5 Gbps Ethernet Port and was wondering if my gold router can take advantage of that or is limited to 1Gbps at each port? TIA
All the ports on the Gold are gigabit. But do remember, the Gold is a router, so it should not interfere with traffic on your local network. This means unless you have > 1gigabit internet (at the time of this message, >gigabit speed internet is not popular), you should NOT have any issues with your network.
So, if you want to take advantage of that 2.5Gbit for LAN, you will need a switch that's 2.5Gbit capable in front of Firewalla Gold, which your EAP660 connects to. But before doing any of this, make sure the EAP660 can output >gigabit. (To do this test, you may want to have several devices transferring at the same time).
Hi,
This article has great descriptions of the products performance differences.
To cover all your products,
Could you please add similar detailed info regarding the blue plus .
Thank you.
@HF, blue plus is like the blue
@Firewalla, I'm looking at the section of your post stating the following:
P2P has historically caused PC's to use all the memory and cause for routers to crash / reboot. I'm trying to understand what "blowing up the flow table" means. Is it the same logic where the router runs out of memory? Why does P2P require so much memory in the first place? Any solutions / articles you can point me to is greatly appreciated.
Please sign in to leave a comment.