Firewalla Gold Plus Review: 2.5G Cyber Security Firewall & Router

Any links to online stores should be assumed to be affiliates. The company or PR agency provides all or most review samples. They have no control over my content, and I provide my honest opinion.

Over the years, I have reviewed many consumer routers from brands like Netgear, TP-Link and D-Link.

I have then reviewed plenty of more niche products such as the Vilfo VPN Router, Netduma R3 Gaming Router and the ExpressVPN Aircove.

Then, to a lesser extent, prosumer and enterprise options such as the Zyxel SCR 50AXE Secure Cloud-Managed Router and the EnGenius ESG510 SD-WAN Gateway.

Then, when I started work for an MSP, I finally committed and went all in with Unifi and have been using the Unifi Cloud Gateway Max for the past year.

I have always hated the fanboyism towards Unifi, but, at the end of the day, since committing to Unifi, my network has been fault-free and easy to manage.

One brand I have never had a chance to work with until now is Firewalla.

Not dissimilar to Unifi, Firewalla straddles the world of enthusiast consumers/prosumers and enterprise.

The company was founded by a team of veteran Cisco engineers, including co-founder Jerry Chen, whose daughter’s hacked baby camera inspired the project. Firewalla’s mission is to bring enterprise-grade cybersecurity to everyday users in a simple, affordable package.

Firewalla devices blend intrusion detection and prevention (IDS/IPS), firewall functionality, VPN servers, ad-blocking, parental controls, and behavioural analytics, all wrapped in a user-friendly mobile app experience.

The Firewalla Gold Plus sits below the 10GbE Pro model and is probably the sweet spot for enthusiasts, especially in the UK.

Its four ports are 2.5GbE, and it supports 5Gbps IPS/IDS, making it ideally suited for 2500Mbps CityFibre connections. In particular, it is reported to work well with PPPoE connections, which is something that Unifi has not always been good at.

Unfortunately for me, I have been waiting for CityFibre to install a new 2500Mbps line for around 6 months, with them constantly cancelling. I had hoped that it would be set up for this review, and I could push the Firewalla to its limits and compare the performance of my Unifi, but I am still stuck on Virgin Gig1.

However, I have still been very impressed with this powerful little router.

Firewalla Product Specification Comparison

Core Hardware Specifications

| Specification | Gold Pro | Gold Plus | Gold SE | Purple | Purple SE |
|---|---|---|---|---|---|
| CPU | Intel N97 quad-core x86 | Intel J4125 quad-core x86 | ARM quad-core | 6-core ARM (4x A53 + 2x A73) | 4-core 64-bit ARM |
| CPU Architecture | x86-64 | x86-64 | ARM64 | ARM64 | ARM64 |
| PassMark Performance | ~100% faster than Gold original | ~50% faster than Gold original | Similar to Gold original | Raspberry Pi 4+ level | Lower than Purple |
| RAM | 8GB SO-DIMM (expandable to 16GB) | 4GB (expandable) | 4GB | 2GB DDR4 | 2GB |
| Storage | 32GB eMMC | 32GB eMMC | 32GB eMMC | 16GB eMMC | 16GB eMMC |
| Power Consumption | 17W-33W (with fan) | <40W (passive cooling) | <20W (passive cooling) | ~15W | ~7W |

Network Performance & Connectivity

| Specification | Gold Pro | Gold Plus | Gold SE | Purple | Purple SE |
|---|---|---|---|---|---|
| Ethernet Ports | 2x 10Gb + 2x 2.5Gb | 4x 2.5Gb | 2x 2.5Gb + 2x 1Gb | 2x 1Gb | 2x 1Gb |
| Maximum Throughput | 10+ Gbps | 5+ Gbps (LAG capable) | 2+ Gbps | 1 Gbps | 500 Mbps |
| IPS/IDS Performance | 10+ Gbps | 5+ Gbps | 2+ Gbps | 1 Gbps | 500 Mbps |
| WiFi | No | No | No | 802.11ac 2×2 (867 Mbps) | No |
| Bluetooth | Yes (via USB dongle) | Yes (via USB dongle) | Yes (via USB dongle) | Yes (5.0 integrated) | Yes (via USB dongle) |
| USB Ports | 2x USB 3.0 + 1x USB-C | 2x USB 3.0 | 2x USB 3.0 | 1x USB 2.0 | 1x USB 2.0 |

VPN Performance

| VPN Type | Gold Pro | Gold Plus | Gold SE | Purple | Purple SE |
|---|---|---|---|---|---|
| WireGuard | 1+ Gbps | 800+ Mbps | 350 Mbps | 400 Mbps | 220 Mbps |
| OpenVPN | 500+ Mbps | 400+ Mbps | 250 Mbps | 150 Mbps | 60 Mbps |
| Site-to-Site VPN | Multiple | Multiple | Multiple | 1 connection | 1 connection |

Advanced Features & Limitations

| Feature | Gold Pro | Gold Plus | Gold SE | Purple | Purple SE |
|---|---|---|---|---|---|
| Active Protect Entries | Unlimited | Unlimited | Unlimited | Limited (memory constrained) | Limited (memory constrained) |
| VLANs | Unlimited | Unlimited | Unlimited | Limited | Limited |
| Country Blocking | Unlimited | Unlimited | Unlimited | Max 10 countries | Max 10 countries |
| Docker Support | Yes (8GB RAM advantage) | Yes | Yes | Limited | Limited |
| Multi-WAN | Yes | Yes | Yes | Yes | No |
| LAG/Link Aggregation | Yes | Yes (up to 5Gb) | Yes (up to 2Gb) | No | No |
| Console Port | USB-C | HDMI | HDMI | HDMI | No |

Physical Specifications

| Specification | Gold Pro | Gold Plus | Gold SE | Purple | Purple SE |
|---|---|---|---|---|---|
| Dimensions | 218 × 165 × 44mm | 130 × 110 × 34mm | 130 × 110 × 34mm | ~100 × 100 × 30mm | 90 × 60 × 30mm |
| Weight | 1.1 kg | 565g | 500g | 300g | 100g |
| Cooling | Active (fan) | Passive | Passive | Active (small fan) | Passive |
| Mounting | Rack-mountable | Desktop/wall mount | Desktop/wall mount | Desktop | Desktop |
| Operating Temp | 0°C to 40°C | 0°C to 45°C | 0°C to 45°C | 0°C to 45°C | 0°C to 45°C |

Price and Target Users

| Model | US MSRP | Target Market | Best For |
|---|---|---|---|
| Gold Pro | $899 (limited time) | Enterprise/enthusiast | 10Gb networks, future-proofing, maximum performance |
| Gold Plus | $589 | Power users | 2.5Gb networks, multiple high-speed devices |
| Gold SE | $509 | Mainstream | Balanced performance, 2Gb+ connections |
| Purple | $369 | Home users | Gigabit networks, portable use, WiFi capability |
| Purple SE | $249 | Budget-conscious | Sub-gigabit networks, basic protection |

  • Gold Pro: The Intel N97 is genuinely fast – I’d expect this to handle 10Gb throughput without breaking a sweat. The fan is reportedly silent, but it’s still a moving part that could fail over time.
  • Gold Plus: The J4125 is a solid choice for most users. Four 2.5Gb ports give you proper flexibility, and LAG means you can actually get close to 5Gb aggregate throughput.
  • Gold SE: The ARM CPU keeps costs down and runs cooler, but you’re trading some raw performance. Still, 2Gb+ throughput is more than adequate for most UK broadband connections.
  • Purple: That 6-core ARM setup (4+2 big.LITTLE design) is surprisingly capable. The WiFi is handy for portable use, though the 867 Mbps rating is a theoretical maximum.
  • Purple SE: Honestly, 500 Mbps with full IPS/IDS is respectable for the price point. Perfect if you’re on FTTP 300-500 Mbps packages.

Features

Firewalla Gold Plus

Hardware Specifications

The Gold Plus houses a 64-bit Intel processor with 4 cores – specifically what appears to be a Celeron J4125 based on the reviews I’ve seen. You get 4GB of DDR4 memory, which frankly feels a bit tight for a device at this price point in 2025. The unit measures 13 x 11 x 3.4 cm and weighs 565g, so it’s compact enough for most setups.

Power consumption sits between 10-15W, which is reasonable for an always-on device. The aluminium housing acts as a passive heatsink, so no noisy fans – though it will get noticeably warm during heavy usage. Operating temperature range is 0°C to 45°C with proper airflow.

Network Performance and Connectivity

This is where things get interesting. You get four 2.5 Gigabit Ethernet ports – no mixing with slower 1Gb ports like the cheaper Gold SE. The deep packet inspection can handle up to 5 Gbps total throughput, which is genuinely impressive for a sub-£600 device.

Two USB 3.0 ports are included, along with an HDMI output for console access. There’s a USB-C port for serial console as well. The red Bluetooth dongle that ships with it handles initial pairing with your mobile device.

Security Features

The security stack is comprehensive, though I’d be sceptical of some marketing claims. You get:

  • Intrusion Detection and Prevention (IDS/IPS)
  • Deep packet inspection at line rate
  • Geo-IP filtering to block entire countries
  • Behaviour analytics for spotting unusual activity
  • Active malware protection with real-time updates
  • Network segmentation for isolating devices
  • New device quarantine
  • DNS over HTTPS (DoH) and Unbound recursive DNS

The device automatically blocks malicious sites and can alert you to suspicious activity. Network segmentation is particularly useful – you can isolate IoT devices or create separate networks for guests, kids, or work devices.

VPN Capabilities

Built-in OpenVPN server supports up to 120 Mbps throughput, whilst WireGuard VPN can handle 500 Mbps. No monthly fees for the VPN service, which is refreshing compared to commercial VPN providers. You can also use it as a VPN client to route traffic through third-party services.

Site-to-site VPN supports up to 10 simultaneous connections, making it viable for small business scenarios.

Content Filtering and Parental Controls

The ad-blocking works across all devices on your network, using DNS filtering. Parental controls include:

  • Time-based restrictions
  • Application blocking (gaming, social media, etc.)
  • Safe search enforcement across major search engines
  • Category-based filtering (gaming, social, adult content, gambling)
  • “Social Hour” feature to block social networks temporarily

Advanced Features

  • Multi-WAN support for load balancing or failover
  • Advanced Smart Queue for traffic prioritisation and buffer bloat reduction
  • Policy-based routing to send different traffic types through different connections
  • VLAN support
  • Bridge mode, router mode, or simple inline deployment
  • Docker container support for custom applications
  • Web interface (beta) to complement the mobile app

Bandwidth Monitoring and Management

Deep insight provides granular bandwidth monitoring down to individual devices and domains. You can set rate limits on specific devices or activities, and the monthly usage tracking helps if you’re on a capped connection.

Unboxing / Design

The Gold Plus arrives in a compact brown cardboard box with minimal branding. Inside, you’ll find the unit itself, a 40W power adapter with US plug (international adapters available separately), an Ethernet cable, wall mounting bracket, and the essential red USB security dongle.

The unit itself is surprisingly compact at 13 x 11 x 3.4cm, fitting comfortably in your palm. The brushed aluminium finish gives it a premium feel that’s appropriate for the price point. Four rubber feet keep it stable on surfaces, and the passive cooling design means silent operation.

The front panel houses two USB 3.0 ports, with one occupied by the red security dongle. There’s also an HDMI port for console access. The rear features four identical 2.5GbE RJ45 ports, power input, and a USB-C console port.

Build quality feels solid throughout. The aluminium construction serves as an effective heatsink, though the unit does get noticeably warm during heavy use. This is normal and expected for passive cooling.

Modes

If you are spending $600 on this, then you will likely be buying it to use as a router to make the most of the investment, but you don’t have to.

This can work as a security appliance, either in legacy mode with it attached to the network as you please, or in bridge mode, where it sits between your router and network. For most of my review, I actually used it in bridge mode and you get all the great features available in the router mode.

Router Mode: The Gold Plus replaces your existing router entirely. You connect your ISP modem directly to the Gold Plus, which then provides DHCP, NAT, and all routing functions. This mode gives you maximum control and features.

Bridge Mode: The Gold Plus sits between your existing router and network infrastructure. Your existing router continues to handle DHCP and basic routing, while the Gold Plus provides security, monitoring, and advanced features. This is ideal if you want to keep your existing setup.

Simple Mode: A legacy mode where the Gold Plus operates more like a traditional add-on security appliance. This mode has limitations and Firewalla is planning to phase it out in favour of improved bridge mode functionality.

I tested primarily in bridge mode as it allowed me to compare directly with my existing UniFi setup. The transition was seamless – devices maintained their IP addresses and network configuration whilst gaining all the Firewalla security features.

Set Up

Initial setup is refreshingly straightforward. After connecting the device to your network and powering it on, you download the Firewalla mobile app and use it to scan the QR code on the device. The red USB dongle handles Bluetooth pairing for initial configuration.

The app guides you through network detection and deployment mode selection. Most users will want either router mode (replacing existing router) or bridge mode (keeping existing setup). The setup wizard handles the heavy lifting, though you’ll need to understand your current network topology to make the right choices.

Once deployed, the device begins learning about your network. This initial discovery period takes several hours as it catalogues devices, identifies services, and establishes baseline behaviour patterns. The notifications can be overwhelming during this period, but they settle down as the system learns.

One frustration is the mandatory mobile app requirement for initial setup. Whilst the web interface exists (in beta), you cannot complete setup without the mobile app.

While this may be the norm with smart home devices, I think most prosumers who have an interest in networking would much prefer a web interface for the entire set-up and management.

Installing Your Own Software

The Gold Plus supports Docker containers, allowing you to extend functionality with custom applications. The 4GB of RAM is somewhat limiting here – you can run lightweight containers, but don’t expect to host resource-intensive applications.

Popular Docker applications include UniFi Controller (for managing UniFi access points), Pi-hole (though the built-in ad-blocking is quite good), and various monitoring tools. The Docker implementation is straightforward if you’re familiar with container technology.

The ability to run custom software is a significant advantage over consumer routers. However, the limited RAM and x86 architecture restrict your options compared to a dedicated server or NAS.

I have read reports that you can upgrade the RAM as this is basically just an x86 mini PC. The extra RAM would be beneficial for any Docker containers you run.

Firewall App Settings / GUI

The mobile app is well-designed and intuitive for basic operations. The dashboard provides an excellent overview of network status, security events, and device activity. Navigation is logical, and most common tasks are easily accessible.

However, complex configuration tasks can be frustrating on a mobile interface. Creating sophisticated firewall rules, managing VLANs, or configuring advanced routing requires patience and multiple screen taps. The web interface (in beta) addresses some of these concerns but feels incomplete.

The app’s strength lies in monitoring and alerting. Security events are clearly presented with sufficient detail to understand what’s happening. Device management is straightforward, and the ability to quickly block or quarantine devices is valuable.

Web Interface

There is a web interface available at https://my.firewalla.com/, which you have to connect to via the app.

Alternatively, there is a Firewalla MSP portal, which has a Family plan option for $40 per year, or for actual MSPs, there is the business plan, which is $300 per year.

The free Web UI is quite basic, with limited control over the Firewalla; it is mainly for viewing data and acting on alerts. I do prefer using this to the mobile app.

The MSP web UI offers more functionality, including 30 days of flows.

The following compares the features of the three plans:

| Firewalla | Free | Professional | Business |
|---|---|---|---|
| Flow Storage | 24 hours | Up to 30 days | Up to 180 days |
| Included Seats | 1 | One 30-Day Flows seat | One 180-Day Flows seat |
| Seat Limit | 1 | Up to 100 (at an additional cost) | Up to 100 (at an additional cost) |
| Reports | | Up to 30 days of data | Up to 180 days of data |
| VPN Mesh | | 1 mesh (up to 3 boxes per mesh) | 3 meshes (up to 10 boxes per mesh) |
| Flows & Alarms Search | Basic | Advanced | Advanced |
| MSP Active Protect | | Yes | Yes |
| IPsec VPN | | Yes | Yes |
| Import Target List | | Yes | Yes |
| FireAI | | Yes | Yes |
| API/Integration | | Yes | Yes |
| Cloud Container | | Yes | Yes |
| High Availability | | | Yes |
| Email Login | | Yes | Yes |
| Number of Admins | | 1 | Up to 10 |
| Box Group | | Yes | Yes |
| Temporary Access | | | Yes |
| Vanity Domain | | [random].firewalla.net | [custom].firewalla.net |
| Dedicated Email Support | Best effort | Within 24 hours | Within 12 hours |
| Hardware Discount | | | 5% to 10% discount |

Notifications / Alarms / Rules 

The first few days with the Firewalla are quite annoying due to the volume of notifications you receive. But if you are proactive and mute notifications and/or set up rules, then these will become manageable within a couple of days.

While the notifications are annoying, that is kind of the point; you want to identify weak spots in your network.

You’ll receive alerts for new devices, security events, policy violations, and system status changes. The granularity is impressive: you can see exactly which device accessed which service at what time.

Rule creation is straightforward for basic scenarios but becomes complex for sophisticated policies. The mobile interface struggles with intricate rule sets, making the web interface almost essential for advanced users.

The alerting system is effective at catching genuine security concerns. During testing, it identified several suspicious connection attempts and blocked them appropriately.

Ask FireAI

Firewalla includes an AI-powered assistant to help with configuration and troubleshooting. In practice, it’s useful for basic questions but struggles with complex scenarios. The responses are generic and often point you to documentation rather than providing specific guidance.

The AI feature feels more like a marketing checkbox than a genuinely useful tool. Experienced users will rely on documentation and community forums, whilst beginners might find the responses too technical.

Ad Blocking

The built-in ad-blocking is reasonably effective. It operates at the DNS level, blocking known advertising domains before they can serve content. The performance impact is minimal, and with out-of-the-box settings it will rival Pi-hole or other similar options.

You can customise block lists and whitelist specific domains. The default configuration blocks most advertising whilst avoiding false positives with legitimate services. The monthly bandwidth savings are noticeable – typically 15-20% reduction in overall traffic.

For households with multiple devices, network-level ad-blocking is more effective than browser-based solutions. It protects all devices automatically, including those that can’t run ad-blockers like smart TVs and IoT devices.

While it is generally good, it is far less customisable than Pi-hole or AdGuard Home, or premium hosted solutions like NextDNS.

Personally, I’d be inclined to install Pi-hole as a Docker container on the Firewalla for far superior ad blocking.

Scanning

The network scanning capabilities are comprehensive. The device continuously monitors for new devices, changes in device behaviour, and potential security threats. The scanning is passive and doesn’t significantly impact network performance.

Device identification is generally accurate. Most common devices are correctly categorised, though some IoT devices may require manual classification. The asset inventory is valuable for understanding what’s actually connected to your network.

Vulnerability scanning is basic compared to enterprise solutions but adequate for home and small business use. It identifies common security issues like default passwords, open services, and outdated firmware.

VPN Server

The built-in VPN server is one of the Gold Plus’s strongest features. Both OpenVPN and WireGuard protocols are supported, with WireGuard offering superior performance and battery life for mobile devices.

Setup is straightforward through the mobile app. QR codes simplify client configuration, and the performance is excellent. I consistently achieved over 500 Mbps through WireGuard on my gigabit connection.

The VPN server includes useful features like split tunneling, automatic DNS configuration, and bandwidth monitoring. For road warriors or remote workers, having a capable VPN server built into your firewall is extremely valuable.

DNS / Services

DNS management is sophisticated for a consumer device. You can configure custom DNS servers, enable DNS over HTTPS (DoH) for privacy, and create custom DNS rules for specific devices or domains.

The Unbound recursive DNS resolver provides better privacy than forwarding to third-party servers. Performance is excellent, and the ability to create local DNS records is useful for home servers and services.

DNS filtering integrates with the security features to block malicious domains automatically. The threat intelligence feeds are regularly updated, providing effective protection against newly discovered threats.

Firewalla MSP

The Managed Security Provider (MSP) interface costs $40 annually but significantly improves the user experience for complex configurations. The web-based interface is much more suitable for creating sophisticated rules and managing enterprise features.

For business users, the MSP subscription is almost mandatory. The mobile app simply isn’t adequate for managing complex networks or creating detailed security policies. The annual cost is reasonable compared to enterprise firewall licensing.

The MSP interface includes better reporting, historical analysis, and batch operations. If you’re managing multiple Firewalla devices or need detailed compliance reporting, the subscription is worthwhile.

Price and Alternative Options

The Firewalla Gold Plus costs $599 and is shipped from the US. Shipping is free of charge but you would be on the hook for any VAT and import fees.

The Gold Pro has 2x 10GbE ports plus 2×2.5GbE and costs $899 while the Gold SE has 2x 2.5GbE and 2x1GbE for $479.

The Purple models are gigabit only: the Purple has 2 ports, one each for LAN/WAN, for $369, and the SE is a lower-spec model priced at $249.

The main competitor is inevitably Unifi.

The Cloud Gateway Max is the closest competitor in the sense that it has all 2.5GbE ports. It has some advantages with more ports and multi-WAN functionality. I also prefer the way the VPN works. But the firewall elements and traffic inspection are not as good. You can subscribe to CyberSecure for improved IDS/IPS performance at a cost of £95 per year.

The Cloud Gateway Fiber has 1x 10GbE WAN, then 2x 10G SFP+ ports, with one for WAN, and 4x 2.5GbE ports, with one being PoE. This is £275.

Overall

The Firewalla Gold Plus is undeniably an impressive bit of kit that brings some impressive enterprise functionality to the prosumer/enthusiast market. It is also a viable option for small businesses.

The security capabilities are genuinely impressive. The IDS/IPS system catches threats that would slip past consumer routers, and the network segmentation features provide enterprise-level isolation. VPN performance is excellent, and the absence of ongoing subscription fees for core security features is refreshing.

The hardware is well-built and performance is strong. Four 2.5GbE ports with 5Gbps aggregate throughput provide excellent future-proofing for when multi-gigabit connections become more common. The passive cooling ensures silent operation, and the compact form factor fits most installations.

Software development appears active with regular updates and new features. The community is engaged, and Firewalla responds to user feedback. The Docker support provides extensibility that consumer routers simply can’t match.

I find the mobile-first approach a bit odd. I think most people who take networking seriously would much prefer browser access as the primary form of management, and I dislike having to use the mobile app to scan the QR code just to log in. That being said, you can gain access to the Firewalla MSP interface for $40 per year.

It is not a cheap device in the first place, and it is a hard sell to UK buyers with import fees. You would be looking at over £600, making this more than double the price of Unifi.

The Firewalla Gold Plus is a capable device that delivers on its security and performance promises. The feature set is comprehensive, build quality is solid, and ongoing costs are reasonable. However, the high upfront cost for UK buyers and mobile-centric management approach limit its appeal.

If you need the advanced security features and can justify the cost, it’s a solid choice. The absence of ongoing subscription fees makes the total cost of ownership reasonable over time. However, most home users would be better served by less expensive alternatives unless they specifically need the enterprise-grade security capabilities.

For small businesses or serious enthusiasts willing to invest in comprehensive network security, the Gold Plus represents good value despite the high initial cost.

Firewalla Gold Plus Review

Summary

Firewalla Gold Plus delivers enterprise-grade security and clear, actionable visibility in a compact, silent box, with enough 2.5GbE performance (≈5 Gbps IDS/IPS) to suit UK multi-gig services like 2.5 Gb CityFibre. Its VPN throughput, policy control and segmentation are superb for power users and small businesses, and Docker adds welcome flexibility. However, the mobile-first management, modest 4 GB RAM, and the true UK cost once VAT/imports are added make it a tougher sell versus UniFi unless you specifically want stronger IDS/IPS and richer traffic insight.

Pros

  • Four 2.5GbE ports and ≈5 Gbps IDS/IPS suit modern multi-gig broadband.

  • Excellent security stack with powerful policy control and per-device visibility.

  • Strong WireGuard performance and easy site-to-site options.

  • Silent, passively cooled hardware with low power draw.

  • Docker support enables extendability without extra boxes.

Cons

  • High total cost in the UK once VAT and import fees are included.

  • Mobile-first setup/management; web UI feels limited without MSP plan.

  • Only 4 GB RAM out of the box restricts heavier Docker use.

  • Initial alert noise requires tuning of rules and notifications.
