Keeping your home network safe has never been more important, given how much of our lives and finances are on our digital devices. I've toyed with the idea of building my own custom hardware firewall on several occasions, but every time I've started, it quickly becomes a long process of trade-offs and convoluted forum searches to install the features that I want. Having software firewalls on each device helps, but it doesn't protect any of the IoT devices that can't run a full service.

I'm tired of the issues, first in finding hardware that's suitable (and without conflicts), and then in getting the easily available open-source firmware packages working how I want. Even some of the dedicated network appliances that I've tried haven't worked all that well, with limited hardware power, slow ports, and annoying administration pages. But I've finally found a prebuilt hardware firewall that has everything I need, plus the ability to add more functionality through containers. That device is the Firewalla Gold Pro, and while it's not cheap, it's absolutely worth every penny to me.

About this article: Firewalla sent us the hardware firewall for the purposes of this article, but had no input into its contents and did not see it before publishing.


9 It just works

All the features and services I want are already installed

When was the last time you bought a complex piece of hardware, and it worked instantly out of the box? Especially anything that has to do with networking... It rarely happens, and I test a lot of devices. I pulled it out of the box, plugged it in between my existing network hardware, and linked it to the phone app on my iPhone. And that was it; it had already linked DHCP to my ISP, so I didn't have to do anything there, and I searched my network to find all the devices it was going to monitor and protect.

The other part of this equation is that not only is the firmware open source, so you can install it on your own hardware if you prefer, but none of the advanced features are locked behind a paywall. I can't remember the last time I used a prebuilt hardware firewall that didn't offset the hardware price with a yearly subscription for some of the vital security features that you bought the device for in the first place.

With the Firewalla, everything from Parental Controls to the robust Active Protect system that's constantly being updated is all included in the original purchase cost. I don't know about you, but I'd rather pay upfront than be locked into a service subscription for the features I wanted to use.

8 To get low power usage

Sure, I could use a spare PC, but it's not efficient

There are many ways to protect your home network, from building custom OPNsense boxes to running virtual firewalls on an old PC, or even in a VM on your home server. But all of these options have limitations, and one of the biggest ones is the amount of power they draw. I don't want my always-on network equipment drawing lots of energy, even if I live in a state where electricity is fairly affordable.

Ah, but then why didn't I put router and firewall software on an SBC, like the Raspberry Pi? It's low-power and has enough processing power to run complex firewall rules. The issue here is the limited number of Ethernet ports and the fact that they're stuck at 1GbE. I have Wi-Fi 7 and 6E access points, and anything under 2.5GbE will limit my Wi-Fi. It'll also limit the throughput of packet inspection, and that's not good for me.

7 For this specific hardware configuration

I'd rather pay for convenience than struggle with network interfaces

Anyone who's tried building their own hardware firewall or installing custom firmware on an already-designed device knows that it's never straightforward. Hardware firewalls predominantly use Linux, which means some hardware components don't have easily found drivers, if they have them at all.

The biggest issue with networking gear is that many consumer-level devices use Realtek Ethernet controllers, or NICs, and those have major issues with Linux. Intel NICs are more compatible, but the low-powered devices sold as routers and firewall replacements often have other hardware components that have similar issues or quirks.

Plus, even enterprise networking gear isn't guaranteed to come with 2.5GbE or 10GbE ports, or a mix of them that can also negotiate connections at 10, 5, 2.5, and 1 gigabit speeds. It's hard to find compatible hardware that does what you want while using custom firewall software, but the Firewalla Gold Pro has everything I need and more. I do wish it had more than 8GB of RAM by default, but it's a simple matter of swapping the SODIMM for a 16GB module to fix that.


6 I like having app-based control

I've gotten used to the convenience and I don't want to go back

Powerful networking hardware often has annoying software or administration pages that could really use a user experience glow-up. However, consumer networking devices are often controlled via mobile apps, which limit many of the advanced features behind a sheen of convenience so the user doesn't have to spend time configuring things manually.

I'm a difficult customer here because I love the convenience of the app-based management system. My Wi-Fi network has several Eero mesh nodes and one larger Wi-Fi 7 access point. I keep trying to find an alternative to the Eero because I don't like paying the yearly subscription for advanced security features, but the pull of convenience is too great.

I think I've found a replacement, though, because the Eero nodes will soon be put in access point mode. Firewalla's app-first management console is just as easy to use and allows me to customize any of the features that Eero likes to manage independently. That gives me convenience for easy setup and a level of granularity that my network has been lacking. Plus, app-based control means I can manage it from anywhere, which I love.


5 To have a stable platform for learning

A home lab should have a solid foundation that you don't need to struggle with

I'm a big believer in using the right tools for the job, and some things need to be more stable than DIY firewalls. If I were only dealing with my home lab, then I could afford to tinker with a custom hardware firewall, but setting that up and adding the modules that I'd need takes away from the actual experimentation that I want to do with self-hosted services.

Plus, I'm not the only user on my home network. I'm also the first person who gets asked questions when the internet stops working, and I don't want to deal with having to fix my own mistakes while playing around with a custom firmware implementation for my home network. I just want it to work, once it's plugged in.


4 So I don't miss anything important

While I'm learning about network security, I don't want to overlook essential features

Anything to do with networking is complex, whether it's setting up VLANs to keep less-trusted devices on their own network, or making it so that your house guests can use the internet or your printers without seeing your private files. But it goes further than that when you're dealing with network security and trying to set up complicated firewall rules, intrusion prevention and detection services, and other important features.

While I want to learn how these software packages work together to keep my home network secure, I don't want to be responsible for setting them up, at least not until I understand them. It's all too easy to misconfigure something and think your network is protected, but in reality, that tiny mistake means nothing is working as intended. That's not a situation I want to be in, and having a prebuilt and preconfigured hardware firewall means I can learn, while being protected from my own mistakes.


3 Inbuilt WireGuard and OpenVPN with fast connection

Secure tunnels to your home network should never have to worry about speed restrictions

The internet can be a scary place, and browsing from public Wi-Fi or hotel Wi-Fi can be dangerous. It's not as worrisome as it used to be, because protocols have been designed so that most traffic is encrypted by default, but for peace of mind, nothing beats using a VPN to browse as if you're at home.

Except, many VPN or remote connection software packages have annoying limitations on the speed you can use. This particular Firewalla can support up to 2 gigabits of throughput using WireGuard, which is more than most residential connections. It'll also do decent speeds of around 500 megabits for OpenVPN connections, and can deal with over 20 VPN connections at once. That means it won't limit the usage of anyone at home while I'm connecting from elsewhere, and we're all kept protected.


2 New device quarantine

All new devices go into a holding pattern when connected to the network, to avoid inadvertent access

One simple way to protect your home network is to create access lists for your devices. However, this is not always straightforward to set up, and the rules for quarantining newly added devices until they're double-checked and positively identified are annoying.

Or, they were, because now I can set a simple toggle in the app, and every new device gets quarantined and is unable to talk to anything on the network until I've approved it. I even get a push notification on my phone to do the approval, and it's far more civilized than digging through web-based management pages.

1 It also replaces my router

The hardware on this firewall is far more powerful than any consumer network appliance

My Eero kit's inbuilt router functionality is fine, but I'm starting to run into device limits as I install more smart home devices and features. I've used other hardware firewalls or parental control devices that plug into the existing network and don't take over the router, but I find these limited, and they also slow down the internal network as everything has to go over one single Ethernet cable.

The Intel CPU in the Firewalla is far more powerful for routing and other tasks, and it has a decent heatsink and cooling solution. That's something lacking from my existing networking gear, and I don't like how warm it gets under load. I'm looking forward to having the Eeros run as Wi-Fi APs only, with the heavy processing handled by a dedicated device.


I'm done with fighting custom firewall firmware to get the packages I need

I've been administrating network appliances for a long time, and most of them are complicated to get working. The Firewalla Gold Pro is one of the first devices I've used that just works out of the box, with the convenience and simplicity of Eero, but the advanced controls of prosumer and enterprise hardware firewalls. And that's an important thing, because home networks deserve to be secure, but they won't be if the hardware is too hard to use.