You've got things on your home network that perform many actions, such as opening the garage door, showing you who's ringing your doorbell, and turning the lights on and off.
Most of these smart home devices aren't properly secured—their makers focus on function, not security.
Why not add hardware to your network that ensures network security? The tiny Firewalla gives you total insight into what's on your network, along with a raft of related features, including insight into what computers and mobile devices are doing, simple parental control, and even your own VPN server.
Unlike such competitors as Norton Core and F-Secure Sense, Firewalla doesn't attempt to replace your router.
It simply sits on the network, monitoring and managing traffic and devices and applying some simple rules to network traffic.
In testing, the central monitoring and control features proved very effective, but some other operations ranged from complex to extremely complex.
Dimensions and Specifications
Firewalla is, to put it simply, crazy small, at 1.2 by 1.8 by 1.8 inches (HWD).
For a little perspective, I calculated the volume of Firewalla and of several other network security devices.
If Firewalla were liquid and Norton Core were hollow, you could pour 30 Firewallas into a Norton Core! With a hypothetical hollow Bitdefender Box or F-Secure Sense, you could fit almost 40 Firewallas.
Like I said: It's small.
That's not surprising, though, given that the prototype started life running on a Raspberry Pi.
Inside the tiny box you find a quad-core 1GHz ARM CPU running Ubuntu, with 512MB of DDR RAM.
It has an Ethernet port, a micro-USB port for power, a USB port, and a slot for a micro-SD card.
The Firewalla website points out a ton of geeky uses for that SD card slot.
Those with the necessary advanced skills can swap in a bigger card and do programming on the device, using its built-in Python, JavaScript, and other languages.
You can also use it to re-flash the firmware image.
Given the clearly minimalist design approach, having a USB port seems odd.
Firewalla's CEO explained that it's for future expansion.
"The box is fully hackable," he said.
"Many of our customers are pretty crazy about this." He mentioned experimenters adding a USB Wi-Fi adapter, a programmable USB light, and mounting USB memory to create a Samba share drive.
Sorry, my expertise doesn't extend to explaining that last one.
The red Firewalla, reviewed here, is meant for consumers.
It works with internet speeds below 100Mbps and fewer than 50 devices.
Firewalla blue, which is just shipping to its crowdfunding backers, handles higher speeds and more connections.
One-Time Pricing
You pay $109 for the diminutive Firewalla, sold through Amazon.
Yes, Prime users can get it with one-day shipping.
That's quite a bit less than most similar products cost.
Bitdefender Box, Norton Core, and F-Secure Sense all list for about $200, though you'll often find them discounted.
That's not the only difference in pricing, though.
Your Firewalla purchase is a one-time affair.
You bought it; it's yours.
The other three competitors I mentioned all come with security software, and keeping that protection active requires a subscription after the first year.
That's not to say that Firewalla will replace your existing security suite.
The company strongly recommends using it in conjunction with security software, and my hands-on testing agrees.
But it does mean you're free to choose the suite or antivirus that suits you best, rather than being locked into the one that matches your hardware.
Getting Started With Firewalla
In the box, you'll find the tiny Firewalla box along with a power adapter, an Ethernet cable, and a micro USB cable.
There's no manual or startup guide, just a tiny instruction card with a URL pointing to installation instructions.
Following the simple instructions, I downloaded the Firewalla app onto the iPad I use for testing and registered my email.
I should point out that, as with other network security boxes, you must control Firewalla through an iOS or Android phone or tablet; PCs and Macs need not apply.
For the next step, I hooked up the box to power and connected it to the network with the Ethernet cable, just as I'd do with any other device.
I didn't have to connect it "upstream" from the router or make any other network changes.
There was no interruption in my network connectivity.
After a few minutes it finished its initial boot sequence.
A New Firewalla notification and icon appeared in the app.
Per the instructions, I paired it with the app by scanning a QR code on the bottom of the box; clever! At that point it offered to learn the network, with an option for manual setup.
Not having any idea what manual setup entails, I let it do its own exploration.
In just a few minutes, it was ready to get to work.
Devices and Notifications
At the outset, I got a flood of notifications, as Firewalla detected everything connected to the network for the first time.
Each new notification comes with the device's name and manufacturer, if supplied, as well as the IP and MAC addresses.
If you see something that clearly doesn't belong, you can block its access with a single tap.
And if you hear a scream of lost-connection anguish from elsewhere in your household, because you blocked the wrong thing, you can restore access just as easily.
Getting notifications that new devices have joined is just the start.
By default, Firewalla alerts you when anything it's monitoring starts using gaming, video, or porn sites, or encounters a dangerous website.
It also alerts on what it calls "abnormal uploads," and when someone connects to the VPN server (more about VPN below).
You can fine-tune this system for each category, telling Firewalla to give you a pop-up notification, an in-app alarm, both (the default), or neither.
And if you see that your kid is playing games instead of doing research for a term paper, you can tap the notification to cut off gaming on that device for an hour, or until you turn it back on.
Some hardware reports a device name or manufacturer name that makes it easy for you to recognize it.
Others may show up as something unintelligible like a string of hex digits, or a bare-bones IP address.
With a little sleuthing, you may be able to match the reported IP address or MAC address to a specific piece of hardware.
If so, you can rename the device so it's easy to find in Firewalla's list.
Details and Actions
Software-based network scanners like Bitdefender Home Scanner and Avira Home Guard also let you give friendly names to hardware based on the reported IP address or MAC address.
But Firewalla offers vastly more information about the activity of each, data that can aid in correctly matching an entry with its physical device.
Here's an example.
On my own network, one device came up with a name that I didn't recognize at all.
Tapping for details, I got a graph of its recent activity.
More usefully, tapping the Network Flows link let me see just where it connected.
Given that all the named URLs in the list were subdomains of ring.com, I deduced that this entry represented my Ring Video Doorbell Pro.
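The same deduction can be automated over any exported flow list. The sketch below is an added example, not Firewalla's code: it groups each device's destinations by registrable domain and names a device only when one domain dominates. The record format, the thresholds, the sample MAC addresses and hostnames, and the short suffix list are all assumptions.

```python
from collections import Counter, defaultdict

# Assumption: a tiny stand-in for the Public Suffix List, enough for this sample.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

def registrable_domain(hostname):
    """Reduce a hostname to its registrable domain (x.y.ring.com -> ring.com)."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def fingerprint_devices(flows, min_flows=5, min_share=0.8):
    """Return {mac: (dominant_domain, share)}; None when the evidence is weak."""
    per_device = defaultdict(Counter)
    for mac, hostname in flows:
        per_device[mac.lower()][registrable_domain(hostname)] += 1
    verdicts = {}
    for mac, counts in per_device.items():
        total = sum(counts.values())
        domain, hits = counts.most_common(1)[0]
        share = hits / total
        # Too few flows, or traffic spread over many vendors (a laptop or
        # phone), is not enough to name the device.
        strong = total >= min_flows and share >= min_share
        verdicts[mac] = (domain, round(share, 2)) if strong else None
    return verdicts

# Constructed sample: MAC addresses and hostnames are made up for illustration.
SAMPLE_FLOWS = (
    [("AA:BB:CC:00:00:01", f"host{i}.ring.com") for i in range(5)]
    + [("AA:BB:CC:00:00:01", "pool.ntp.org")]
    + [("AA:BB:CC:00:00:02", h) for h in (
        "www.example.com", "mail.example.net", "cdn.example.org",
        "news.example.co.uk", "video.example.com")]
    + [("AA:BB:CC:00:00:03", "api.vendor.example")] * 2
)

if __name__ == "__main__":
    for mac, verdict in fingerprint_devices(SAMPLE_FLOWS).items():
        print(mac, verdict or "unidentified")
```

A dominant domain is a hint, not proof of identity: confirm it against the MAC address vendor prefix or the device's label before renaming or blocking anything.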
Firewalla lists four sets of stats for each device.
The history list, the one I used to identify the doorbell, lists all connections.
Separate lists report uploads and downloads, along with a size for each.
And the Apps tab lists apps that made a network connection.
Additionally, each device includes blocking icons for internet, games, social media, and video.
One tap of the icon blocks the specified category for an hour.
A second tap blocks access until you lift the block.
Tapping Status, a little further down the page, lets you see whether the device is online, when it was last active, and when Firewalla first detected it.
You can also configure Firewalla to notify you when it comes back online, or when it goes offline.
The former can be handy to let you know when family members have returned to the fold.
The latter can provide a warning if your NAS or something equally important goes down.
Basic Features
Network and device monitoring is the main function of Firewalla, but it has other tricks, too.
In addition to monitoring, six other abilities show up as icons on the app's main window.
You can access a full list of features, including those six, by tapping More.
Four of these abilities are enabled by default, with the most significant being Cyber Attack Protection.
This notifies you if Firewalla detects evidence of an attack on your network.
By default, it actively blocks known dangerous sites.
Don't turn this one off.
The Open Ports scan looks for ports on your network that are accessible from the internet.
It strongly warns about available Universal Plug and Play (UPnP) connections, which can open your system to attack.
Firewalla also probes the network from the outside, which can take a little while.
On my network it found ports 111 and 443 (HTTPS) visible.
I happen to know that that makes sense for my configuration, but I'm not sure what the average user would do with that information.
Another not-for-the-masses feature is Firewalla's Dynamic DNS (DDNS) capability.
Briefly, this lets you host web server apps on your network without worrying about the possibility that your ISP might assign you a different internet-facing IP address.
Don't understand? Don't worry! As the app says, "If you do not have such a need, please ignore."
The Social Hour feature is an interesting one.
With one tap, it disables social networks on all devices on the network, to encourage "your real social life." I can't guarantee that cutting off internet in your household would result in socializing, but it's an interesting idea.
Additional Features
The four functions mentioned above are enabled out of the box.
As such, they appear in the Enabled section of the Features page.
Don't worry; having Social Hour enabled just gives you the ability to impose a no-Facebook hour; it doesn't require you to do so.
Five other components provide a variety of services, some simple, some exceedingly complex.
Ad Block is easy to understand.
Turn it on and Firewalla does its best to strip out ads for all devices.
The app does point out that this will not necessarily remove all ads.
For security and privacy reasons, Firewalla absolutely does not analyze the content of pages you view on the internet.
The ad blocker works by preventing pages from connecting to known ad-spewing domains.
In testing, I found it cleared up most ads on several ad-rich sites.
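Domain-based blocking of this kind decides on the hostname alone, which is why it never needs page content and why some ads survive. The following is an added sketch of such a decision, not Firewalla's implementation; the blocklist entries and URLs are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed blocklist; these names are placeholders, not a real ad list.
BLOCKED_DOMAINS = {"ads.example", "tracker.example.net"}

def is_blocked(hostname, blocklist=BLOCKED_DOMAINS):
    """True when hostname is a listed domain or a subdomain of one."""
    labels = hostname.strip().lower().rstrip(".").split(".")
    # Compare the name and each parent on a label boundary, so that
    # "notads.example" is not mistaken for "ads.example". The bare
    # top-level label is never checked.
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False

def filter_page_resources(resource_urls, blocklist=BLOCKED_DOMAINS):
    """Split resource URLs into (loaded, blocked) using the hostname only."""
    loaded, blocked = [], []
    for url in resource_urls:
        # Path, query string and response body are never inspected.
        host = urlsplit(url).hostname or ""
        (blocked if is_blocked(host, blocklist) else loaded).append(url)
    return loaded, blocked

# Constructed page load: one article plus the resources it pulls in.
SAMPLE_RESOURCES = [
    "https://news.example.org/article.html",
    "https://cdn.ads.example/banner.js",              # third-party ad host
    "https://news.example.org/sponsored/banner.png",  # ad served first-party
    "https://notads.example/lib.js",                  # similar name, not listed
    "https://TRACKER.example.net./pixel.gif",         # mixed case, trailing dot
]

if __name__ == "__main__":
    loaded, blocked = filter_page_resources(SAMPLE_RESOURCES)
    print("blocked:", blocked)
    print("loaded: ", loaded)
```

The first-party banner loads because it shares a hostname with the article itself, which matches the app's caveat that not all ads will be removed.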
Turning on Family Protect enables a simple kind of parental control.
Doing so runs all DNS (Domain Name System) requests through the Family Shield servers maintained by OpenDNS.
This is the simple, non-configurable filtering system, not the commercial VIP version.
I thought it odd that Firewalla doesn't support Internet Protocol Version 6 (IPv6) out of the box; you must actively enable it if you want that support.
The FAQ explains, "It is likely in the near future, we will automate this after we have tested this across the world." It also points out that IPv6 deployment differs across different service providers.
Expert Features
One available feature is called Expert Mode.
I turned it on, poked around the app, and didn't see any real difference.
My company contact confirmed that it doesn't do much at present, and suggested leaving it alone.
That leaves the unusual VPN Server component.
All of our VPN reviews refer to VPN clients, apps that make a secure connection to a VPN server to protect the privacy of your online activities.
What Firewalla offers is the other end of that connection, a local VPN server just for you.
Getting it set up takes a certain amount of expertise.
To start, you must know how to log in to the configuration system for your router.
With that feat managed, you create a port-forwarding rule matching details supplied by Firewalla.
Next, you install and enable the OpenVPN app, and tie it in to Firewalla using a supplied password.
I needed some expert help to get this working.
It turns out that on my unusual setup, with a commercial Wi-Fi router separate from the main router, I needed a port-forwarding rule on both devices.
Now you can take your mobile device to another location, log into the VPN, and connect with your home network.
As with any VPN connection, this means all your traffic is now encrypted, though you don't get the benefit of disguising your IP address.
You can access hardware such as cameras and NAS systems just as if you were at home.
Most importantly, when you connect through the VPN your Firewalla app has full access to network activities.
Now you can receive notifications, change blocking rules, and so on.
Anything you can do at home, you can do sitting in the airport lounge, or the Wi-Fi enabled commuter train.
This may seem a roundabout way to get remote access to your Firewalla and your network, but it's the secure way.
Yes, other network security hardware makes remote management easier, but it also tends to be less secure.
Hands On With Firewalla
Naturally I had to put Firewalla's components through their paces.
With Family Protect turned on, my attempts to visit naughty websites were met with a bland denial from the OpenDNS system, which included the category that triggered the block and a link to report an incorrect block.
The system does handle blocking HTTPS sites, but it's awkward.
I found that instead of displaying a clear warning, as it did for HTTP pages, the browser displayed a confusing error message.
It stated, "Your connection is not private," with an error message NET::ERR_CERT_AUTHORITY_INVALID.
My Firewalla contact confirmed that's how this feature works when HTTPS is involved.
As noted, the ad blocker removed some, but not all, ads.
I brought up the same ad-infested sites on the laptop managed by Firewalla and on a virtual machine connected to the separate Ethernet network.
On the laptop, most of the ads came up blank.
Digging into details for one test device, I tapped the button to block social media for an hour.
I found that trying to connect with facebook.com just got an error message, this time stating, "This site can't be reached." Again, my contact confirmed that's how blocking works.
The same is true of trying to visit naughty sites with the Porn filter in place—you see just error messages, not the explainer from OpenDNS.
If you're going to use these features, you should probably discuss them with your...