🟡 Trust Rating: Moderate
Firewalla does the hard part right: traffic inspection happens on the box in your house, not in a data center. The company says it only keeps local traffic data for a limited period, and per-device monitoring finally shows you which IoT gadget is phoning home. Two things hold it back from a higher rating. The stack is not fully open source, so you cannot audit what the box actually does, and the phone app pairs the box to a Firewalla cloud account. Good product, real caveats.
What is Firewalla?
Firewalla is a small hardware firewall you drop onto your home or small-office network. It sits between your modem and your router (or replaces the router), watches every device, and gives you an app that shows what each one is talking to. Firewalla Inc. was founded in 2016 by three ex-Cisco engineers, Jerry Chen, Melvin Tu, and Annie Lu, and is based in the San Jose area of California. The pitch is simple: get the kind of visibility a network engineer has, without building a homelab.
The core idea is on-device deep packet inspection. The box categorizes traffic by app and activity, blocks ads and trackers network-wide, runs intrusion detection, does geo-IP filtering, and acts as both a VPN server and a VPN client. The Gold line adds VLAN segmentation so you can wall off your smart TVs and cameras from your laptops.
Critical Privacy Concerns
⚠️ Read This Before You Buy
- Not a fully open stack. Firewalla markets its software as open source and publishes a lot of its box code on GitHub under AGPL-3.0. But the deep packet inspection engine and the phone app are not fully open, so you cannot independently verify what the box does with the traffic it sees. That is a real gap for a device that inspects every packet on your network.
- The app pairs to a cloud account. You manage the box through a phone app tied to a Firewalla account. The box does the inspection locally, but you are still trusting a vendor cloud for the control plane and remote access.
- MSP stores flow data off-box. The optional Managed Security Portal (MSP) runs in Amazon AWS containers located in the USA and stores flow data and policies from your boxes. Firewalla says each flow is kept for 30 days by default, extendable to 180 days for extra cost. If you enable MSP, your network activity leaves the box.
Where Your Data Actually Goes
Here is the honest version, phrased the way the company documents it. Traffic inspection runs on the device in your home. Firewalla says it retains local network traffic data for a limited period, from 24 hours up to 6 months depending on the device or service you bought, and that your device statistic data is only visible to you. The optional MSP cloud portal is the part that changes the picture: enable it and your flows get shipped to AWS containers in the US over HTTPS. So the default posture is local, and the upsell is what puts your data in someone else's data center. Know which mode you are running.
What It's Actually Good At
Seeing every IoT device phone home
This is the real reason to buy one. Plug it in and within minutes you can watch your smart bulbs, doorbell, TV, and off-brand camera connect to servers you have never heard of. You can dig into any single device and see the exact IP or domain it is talking to, then block it. Doing this yourself means running OPNsense or OpenWrt and reading logs. Firewalla puts it in an app your family can understand.
Ad and tracker blocking, network-wide
Every device on the network gets ad and tracker blocking without installing anything on the device itself. That covers the smart TV that has no ad blocker and the tablet your kid uses. If you already run Pi-hole, this overlaps, but Firewalla bundles it with everything else.
VPN server and client, plus VLANs on Gold
Every box can run as a WireGuard or OpenVPN server so you reach your home network from the road, and as a VPN client to route chosen devices through a commercial VPN. The Gold line adds VLAN segmentation (the Purple SE caps at 5 VLANs, Gold Pro is unlimited), which is the correct way to quarantine untrusted IoT gear. If you want to build the VPN piece yourself, see our home WireGuard server guide and the VLAN segmentation guide.
Technical Specifications
Purple SE (entry model)
- Throughput: rated for networks up to 500 Mbps, no built-in Wi-Fi
- VPN: WireGuard up to 220 Mbps, OpenVPN up to 60 Mbps
- Segmentation: up to 5 VLANs
- Security: DPI, intrusion detection and prevention, ad and tracker blocking, geo-IP filtering for up to 10 countries
Gold Pro (top model)
- Throughput: over 10 Gbps software packet processing, dual 10 Gbps and dual 2.5 Gbps ports
- Hardware: quad-core 12th-gen Intel CPU, 8 GB RAM
- VPN: WireGuard up to 2 Gbps, OpenVPN up to 500 Mbps, site-to-site with up to 20 connections
- Segmentation: unlimited VLANs, multi-WAN failover and load balancing
Pricing Structure
Core features are a one-time hardware purchase with no subscription. Firewalla says there is no monthly fee for standard features and the MSP Lite web interface is free. Only the full MSP portal and any future pro features cost extra. Prices below are the current listed figures.
| Model | Price | Best for |
|---|---|---|
| Purple SE | $279 | Networks up to 500 Mbps, no Wi-Fi, entry point |
| Gold SE | $499 | Multi-gig up to 2 Gbps, unlimited VLANs |
| Gold Plus | $609 | Mid multi-gig, busier households |
| Gold Pro | $929 | 10 Gbps, small business, Wi-Fi 7 pairing |
| Access Point 7 | $369 | Wi-Fi 7 access point that pairs with a Gold box |
Firewalla vs. Alternatives
Firewalla vs. GL.iNet
- Firewalla: stronger per-device visibility and DPI, closed core, paired to a cloud account, higher price.
- GL.iNet: cheaper travel and home routers built on OpenWrt, more open, but you do more of the config yourself and the deep monitoring is not as polished. See our GL.iNet review.
Firewalla vs. DIY OPNsense or OpenWrt
A used mini-PC running OPNsense, or a decent router flashed with OpenWrt, does everything Firewalla does and more, for less money, with a fully open stack you can audit line by line. The catch is skill and time. You have to configure it, maintain it, read logs, and fix it when it breaks at 11pm. Firewalla sells you a way out of that with an app. If you enjoy the tinkering, build it. If you want the visibility without the homelab, pay for the box. Our privacy router comparison lays out the tradeoffs.
When to Use Firewalla
Good Fit
✅ You want to see what your IoT devices are doing and you are not going to run OPNsense to get there.
✅ You want network-wide ad blocking, VPN, and IoT segmentation in one app the rest of the household can use.
✅ You value that inspection stays on the box and you are willing to skip the MSP cloud upsell.
Poor Fit
❌ You need a fully open, auditable stack. The closed DPI engine is a dealbreaker for that threat model. Go DIY.
❌ You are on a tight budget and have the skills. A used mini-PC with OPNsense costs less and does more.
❌ You refuse any vendor cloud pairing. The app ties the box to a Firewalla account.
The Bottom Line
Consider Firewalla if:
- You want real per-device network visibility without building a homelab
- You like that traffic inspection happens locally by default
- You will run it without the MSP cloud portal, or you accept where that data goes
Skip Firewalla if:
- An auditable, open-source stack is non-negotiable for you
- You have the skill to run OPNsense or OpenWrt and want to spend less
- You will not pair any device to a vendor cloud account
⚠️ Final Assessment
Firewalla earns its moderate rating honestly. The local-first inspection and the per-device visibility are genuinely useful, and for most households that cannot or will not run a DIY firewall, it is a real upgrade in awareness. But it is a closed stack paired to a cloud account, and the MSP option quietly moves your flow data into AWS. Buy it for the visibility, run it lean, skip the cloud portal unless you actually need it, and segment your IoT gear with VLANs on day one.