networking

    Unboxing the Firewalla Gold Pro

    My early access Firewalla Gold Pro 10 gigabit router came today. It’s replacing a Firewalla Gold Plus 2.5Gb router we’ve used for the last year.

    Cardboard box with 'Firewalla' printed in the center

    The production line isn’t fully running yet but the packaging and the router itself look like it is. Firewalla says the hardware design is finished and this is the same unit everyone else will get later this year. The software’s still under active development.

    Open box showing the router and boxed power supply
    A yellow router in a semi-opaque wrapper
    A white metal box with 'Firewalla' embossed in the top

    The Gold Pro is quite a bit larger than the Gold Plus and doesn’t have mounting holes on the bottom for vertical installation. It does have holes on the side for installing rack mount ears.

    The front panel of a router with two 10G ports and two 2.5G ports
    The golden yellow metal bottom of the router

    A fan screamed when I turned it on. It turned off a few seconds later. I wouldn’t want it in the room with me if it always ran at full speed.

    Setup was mostly easy. The Firewalla app prompted to replace an old box or set it up as new. I followed the “replace an old box” process and was running a few minutes later.

    “Mostly” means:

    • I had to reboot my ISP’s modem to clear out its MAC cache, and I initially plugged the WAN cord into the wrong jack on the Firewalla. Neither of those was its fault.
    • A software glitch in migrating the firewall rules from the old router to the new one stopped one of my remote servers from connecting in. This is an early access device so I knew what I was getting into. I reported the problem to Firewalla’s tech support and they’re looking into it.

    Screenshot of its iPhone app showing its setup options

    The end result was a smoking fast 8 gigabits down, 3.4 gigabits up connection. A speed test from my Mac Studio was faster yet.

    Screenshot of a speed test showing 'Download 7989.90 Mb/s, Upload 3384.77 Mb/s'. Also, the Cardinals were losing to the Reds.

    This is a beta device. It may stop working at any moment, catch fire, overfeed the dog, or call me bad names. As long as it keeps racing along like this, I’m going to be a very happy tester.

    I just got the happy news that a Firewalla Gold Pro 10Gbps firewall is on its way soon. Today we’re limited to 2.5Gbps Internet connections because that’s what the current Firewalla Gold supports. Of course, now I also have to upgrade our other switches to match it.

    This is shaping up to be an early Christmas.

    eero + Firewalla = perfection

    I built our home Wi-Fi network on eero Pro 6 mesh routers. It’s great. I love it. It works as advertised. If your household is like most others, where no one has specific highly technical needs, stop reading this and buy an eero system. I’ve recommended them to my friends and family with lots of happy feedback.

    However, our needs are specific and highly technical. Making and fixing computer networks is a significant chunk of my job. Information security is another huge chunk of it. We host servers in our house. And soon, our ISP¹ will upgrade our Internet connection from 1Gbps to 10Gbps. eero has a few issues that complicate these uses:

    1. A persistent DHCP bug gives out the gateway eero’s own IP as a DNS server (where it acts as a proxy), even if I configure custom DNS servers. This means that when I had a Pi-hole, most requests appeared to come from the eero itself and not the individual devices. Forget applying custom blocking policies to specific devices because there’s no way to distinguish them.
    2. Hairpin NAT regularly breaks. If a device uses DNS to connect to a machine behind the eero gateway, say with Plex on an iPad configured to watch videos stored on a home server, it often works when I bring that device home and connect it to the same Wi-Fi as that server. For a while, at least. And then it won’t until I remember to reboot the whole network.
    3. The eero Pro 6 unit only has gigabit Ethernet jacks. If your Internet connection is faster than that, too bad. The newer eero Pro 6E units have single 2.5Gbps Ethernet jacks, which is almost worse. Although the gateway eero itself can have a 2.5Gbps Internet connection, it can’t share the full speed of that connection with any other device.
    4. Its firewall settings are limited. I can either allow all remote hosts to connect to a specific port on an internal server, or not allow any hosts. I can’t define rules like “allow connections to port 8080 from host A.B.C.D”, or “block connections from North Korea”. In practice, this means I have to set the eero to allow all traffic, then configure another firewall app on my server to enforce more tailored rules.
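    The DHCP/DNS problem in item 1 has a recognizable signature in a resolver’s query log: nearly every query arrives from the gateway’s address, so per-device policy has nothing to key on. The script below is an added example, not something from the post or from Pi-hole; it parses dnsmasq-style query lines (Pi-hole uses dnsmasq under the hood) and flags the proxy symptom when one client dominates the log. The log lines, the gateway address 192.168.4.1 and the 80% threshold are constructed assumptions.

```python
import re
from collections import Counter

# Shape of a dnsmasq/Pi-hole query log line (format as logged by dnsmasq):
#   "Jun  5 10:00:01 dnsmasq[812]: query[A] example.com from 192.168.4.1"
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>[\d.]+)$")

# Constructed sample log: five of six queries come from the gateway (192.168.4.1),
# which is what a DNS-proxying gateway looks like from the resolver's side.
SAMPLE_LOG = """\
Jun  5 10:00:01 dnsmasq[812]: query[A] example.com from 192.168.4.1
Jun  5 10:00:01 dnsmasq[812]: forwarded example.com to 1.1.1.1
Jun  5 10:00:02 dnsmasq[812]: query[AAAA] example.com from 192.168.4.1
Jun  5 10:00:03 dnsmasq[812]: query[A] ads.example.net from 192.168.4.1
Jun  5 10:00:04 dnsmasq[812]: query[A] plex.tv from 192.168.4.1
Jun  5 10:00:05 dnsmasq[812]: query[A] apple.com from 192.168.4.23
Jun  5 10:00:06 dnsmasq[812]: query[A] ring.com from 192.168.4.1
""".splitlines()


def client_query_counts(lines):
    """Count DNS queries per source client; non-query lines are ignored."""
    counts = Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            counts[m.group("client")] += 1
    return counts


def detect_dns_proxy(lines, gateway_ip, threshold=0.8):
    """Return (flagged, gateway_fraction).

    flagged is True when the gateway address accounts for at least `threshold`
    of all queries, i.e. clients are resolving through the gateway rather than
    reaching the resolver directly, so per-device blocking cannot work.
    """
    counts = client_query_counts(lines)
    total = sum(counts.values())
    if total == 0:
        return False, 0.0
    fraction = counts[gateway_ip] / total
    return fraction >= threshold, fraction


if __name__ == "__main__":
    flagged, frac = detect_dns_proxy(SAMPLE_LOG, "192.168.4.1")
    print(f"gateway share of queries: {frac:.0%}; proxy symptom: {flagged}")
    for client, n in client_query_counts(SAMPLE_LOG).most_common():
        print(f"  {client:<16} {n} queries")
```

    Run it against a real `/var/log/pihole.log` by reading the file into `lines`; a healthy network shows many distinct client addresses with no single one near the threshold, while the symptom described above shows the gateway address alone at or near 100%.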

    Enter the Firewalla Gold Plus. It’s a freestanding firewall device with four 2.5Gbps Ethernet jacks, and a phone (and web!) user interface that is as easy to use as eero’s. I’ve plugged the Firewalla directly into our Internet connection, and the eero gateway plugs into the Firewalla. I put the eero network into bridge mode so it only has to handle the Wi-Fi mesh network. The Firewalla assumed all routing and firewall duties. The setup works perfectly:

    1. Firewalla’s DHCP is more configurable and works correctly. Its DNS incorporates a lot of Pi-hole’s functions like ad blocking and local DNS.
    2. Hairpin NAT works perfectly, or at least it hasn’t broken yet in the few weeks since we got the device. I can connect to myserver.example.com from my living room as easily as from Starbucks without reconfiguring anything when I travel between those networks.
    3. I don’t have the equipment to test Firewalla’s highest throughput yet. The box could max out at 1.1Gbps for all I could prove today. However, I doubt it. I can run benchmarks that pass 1Gbps of traffic in through 1 port and out through another without effort. Even if the Firewalla could only pass exactly 2.500Gbps through to the Internet connection, that would allow devices connected to the eero gateway to download at its current full 1Gbps speed while the new, separate wired LAN is also pulling another 1.5Gbps through it. For future improvement, it can bond pairs of Ethernet ports together to act as 5Gbps ports. That’s not the top speed of the 10Gbps Internet connection, but it’s faster than any devices I own today.
    4. The firewall settings are vastly more sophisticated. I can open inbound ports to specific IPs or subnets, named groups of hosts, or geographical regions. I can also block outbound connections. And unlike with eero, I get a detailed report of blocked and allowed connections.
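    For readers on the eero side of the fence, the workaround described earlier (allow everything at the eero, enforce tailored rules on the server) amounts to writing the kind of rule the Firewalla exposes in its UI, such as “allow connections to port 8080 from host A.B.C.D”, as a host firewall. The ruleset below is an added example of that, not the post’s own configuration and not Firewalla’s; it assumes a Linux server using nftables, a LAN of 192.168.4.0/24, and a single trusted remote host at 203.0.113.10 (a documentation address standing in for A.B.C.D).

```nftables
#!/usr/sbin/nft -f
# Added example host firewall, not from the post. Assumptions: LAN is
# 192.168.4.0/24, the trusted remote host is 203.0.113.10, the service
# listens on TCP 8080. Load with: nft -f this-file
flush ruleset

table inet filter {
    # Named set so additional trusted hosts can be added without editing rules.
    set trusted_remote {
        type ipv4_addr
        elements = { 203.0.113.10 }
    }

    chain input {
        # Default deny: anything not explicitly accepted below is dropped.
        type filter hook input priority 0; policy drop;

        # Keep replies to our own connections and loopback traffic working.
        ct state established,related accept
        iif "lo" accept

        # Devices on the home LAN may reach any service on this host.
        ip saddr 192.168.4.0/24 accept

        # The tailored rule: only the trusted remote host reaches port 8080.
        ip saddr @trusted_remote tcp dport 8080 accept

        # Record (rate limited) what is being dropped so blocked connections
        # show up in the journal, the report eero never gave.
        limit rate 5/minute log prefix "input-drop: "
    }
}
```

    Listing the current state with `nft list ruleset` confirms the set and chain loaded; the `input-drop:` prefix makes the dropped attempts easy to grep out of the kernel log. Region-based blocking like the Firewalla’s geographic rules would need an additional set populated from a country IP-range list, which is outside what this fragment shows.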

    If I didn’t host a home server, or if I weren’t quite so super-nitpicky about security settings, or if our brilliant ISP wasn’t upgrading our connection from “hella fast” to “that’s just ridiculous”, our eero network would be fine as-is. I still happily recommend it to everyone I know. And despite my few complaints, I didn’t need to add a Firewalla to our working system. That said, I’m happy I did. It elevated our already excellent little network to blissfulness.


    1. If you live somewhere with Sonic Internet access, get it. Their service is fast, inexpensive, reliable, doesn’t have data caps, and supports net neutrality.

    Tripping on a Cracked Sidewalk

    Amazon Sidewalk is a new project which allows Amazon devices (like Alexa, Ring doorbells, etc.) with different owners to share their Internet connections. In short, your Alexa talks to your neighbor’s Alexa. If your Internet connection goes down, your neighbor’s device will relay messages for your device so that it can keep working. Similarly, if your Ring doorbell is closer to your neighbor’s Alexa than to your own WiFi router, it can send alerts to you through their Alexa.

    This is a terrible idea.

    This means that a device on your home network — a device you bought and paid for yourself — is letting other devices you don’t control borrow your Internet connection. Amazon claims to have designed this as a secure system, but people in infosec know that a new security protocol written and implemented by a single company is going to be a mess. When (not if, but when) an attacker finds a flaw in the Sidewalk protocol or the devices it runs on, two terrible scenarios seem likely to happen:

    • However good and strong your WiFi password is, if an attacker can access your neighbor’s network, they can hack your neighbor’s Alexa and then use it to gain access to your own wireless network.
    • A braver attacker could sit outside your house with a hacked Alexa, or an app on their laptop that acts like one, and use it to connect to your Ring doorbell and then attack the other computers on your network.

    If you have any Amazon devices, I strongly recommend you follow their instructions to turn off Sidewalk immediately. Because Amazon plans to turn this on for everyone who hasn’t explicitly asked them not to, if you don’t follow those instructions, you’ll be allowing people near your home to use your WiFi. Some owners have claimed that they turned off Sidewalk but that it turned itself back on after a software update. If this happens in my home, I will literally throw our Alexas out in the trash.

    Amazon Sidewalk is a solution without a problem. Turn it off. This is a potential disaster in the making.