Question about Asus Merlin Router behind a firewalla?

[AsusRouterUser]

I had a friend of one of my family members contact me because he was moving into my area and wanted my help getting his network setup, he needed a router so I recommend a Asus that we could put the Asus Merlin firmware on, he picked the RT-AX68U. However when he got here and I went to set it up I found out he had a firewalla, I had never even heard of this thing so I had to look it up and see what it was to even know how it was suppose to hook into the network. That was not a problem the firewalla connects directly to the modem and it has a firewall built into it, and then the asus router connects to it. But here is where my question comes in, he got some guy on the phone who had set this up for him where he lived before and he said that behind the firewalla should be only an access point and not a full router and that having a full router was LESS secure then having just an access point? I don't claim to be a networking guru or anything but I can't follow why this would be the case or that it is true in anyway. If I am wrong I would really like to know, this just makes no sense to me at all.

 

[martinr]

I too have never heard of a firewalla; I wondered if it was anything like a punka-walla, but for firewall duties.

 

[Tech9]

behind the firewalla should be only an access point

In order to use all Firewalla features as described - yes, it needs AP only.

I too have never heard of a firewalla

Made user-friendly router OS with some quite capable hardware options.

Firewalla: Cybersecurity Firewall For Your Family and Business

Firewalla is an all-in-one intelligent Firewall that connects to your router and secures all of your digital things. It can protect your family and business from cyber threats, block ads, control kids' internet usage, and even protects you when you are out on public Wifi. There is no Monthly Fee.

firewalla.com

 

[martinr]

In order to use all Firewalla features as described - yes, it needs AP only.



Made user-friendly router OS with some quite capable hardware options.

Firewalla: Cybersecurity Firewall For Your Family and Business

Firewalla is an all-in-one intelligent Firewall that connects to your router and secures all of your digital things. It can protect your family and business from cyber threats, block ads, control kids' internet usage, and even protects you when you are out on public Wifi. There is no Monthly Fee.

firewalla.com

I was expecting some sort of snake oil device, but a cursory search indicates otherwise.

https://www.pcmag.com/reviews/firewalla

A bit pricey?

 

[Tech9]

having a full router was LESS secure

This statement is incorrect about security, but unnecessary complication with double NAT configuration and Firewalla won't see the actual clients on the LAN side and won't be able to monitor and filter anything separately. The cascaded router WAN IP will be the only client visible for Firewalla. Asus RT-AX68U is End-of-Life model now and perhaps used as AP is the better option long term. Unfortunately, Firewalla is VLAN capable appliance, but RT-AX68U is not. Most home routers don't have user configurable VLANs on the LAN side. This limits some of Firewalla capabilities. A business class AP with VLAN support is the better fit for Firewalla and similar firewall appliances.

A bit pricey?

Some models are much faster than any home router x86 hardware. The higher specs appliances they use are similar to Protectli Vault, the UI is built on top of Ubuntu Linux, it comes in user-friendly form pre-installed and ready to go. It's a nice project and getting somewhat popular. The same functionality can be achieved on OPNsense/pfSense appliance of course, but requires much more networking knowledge. Firewalla offers professional features and covers higher demands market as well. It also has nice modern UI UniFi/Omada style with both App and Web available. Asuswrt is like blast from the past 2010 UI. Some folks like to play with the UI and like "fresher" design.

 

[AsusRouterUser]

I was expecting some sort of snake oil device, but a cursory search indicates otherwise.

https://www.pcmag.com/reviews/firewalla

A bit pricey?

I thought the same thing when I first saw it.

 

[AsusRouterUser]

This statement is incorrect about security, but unnecessary complication with double NAT configuration and Firewalla won't see the actual clients on the LAN side and won't be able to monitor and filter anything separately. The cascaded router WAN IP will be the only client visible for Firewalla. Asus RT-AX68U is End-of-Life model now and perhaps used as AP is the better option long term. Unfortunately, Firewalla is VLAN capable appliance, but RT-AX68U is not. Most home routers don't have user configurable VLANs on the LAN side. This limits some of Firewalla capabilities. A business class AP with VLAN support is the better fit for Firewalla and similar firewall appliances.



Some models are much faster than any home router x86 hardware. The higher specs appliances they use are similar to Protectli Vault, the UI is built on top of Ubuntu Linux, it comes in user-friendly form pre-installed and ready to go. It's a nice project and getting somewhat popular. The same functionality can be achieved on OPNsense/pfSense appliance of course, but requires much more networking knowledge. Firewalla offers professional features and covers higher demands market as well. It also has nice modern UI UniFi/Omada style with both App and Web available. Asuswrt is like blast from the past 2010 UI. Some folks like to play with the UI and like "fresher" design.


View attachment 58249

Thank you for confirming it is not LESS secure, that is the part I was really not understanding, because I could not wrap my brain around anyway it could be less secure.

 

[Tech9]

Thank you for confirming it is not LESS secure

Not less secure, but doesn't make sense to run it as a router when Firewalla is the actual Internet facing device.

I thought the same thing when I first saw it.

Pricey is subjective. RT-AX68U is quite pricey as well. It arrived in mid-2020 at around $200 price tag and got discontinued in the beginning of 2024.

 

[coxhaus]

Firewalla I would think would fit with consumer gear and may be easy to use. Firewalla seems to be a layer 2 device but it does not do real networking with a layer 3 switch which I would want.

Firewalla seems like an easy to maintain firewall for non-networkers. I have not seen anything on hacking it yet. It is set up like a small business network.

 

[The Sandman]

So... I would need a Firewalla Gold Pro unit for my 10G network with 5GB (so far... 7 GB is now available ) fiberoptic internet. Would there be any significant benefit to putting this ahead of my current mesh setup with 3 hardwired BE30000 (BQ 16 Pro) and changing my main Asus settings to AP/AIMesh? If I would have much better security or a visibly faster network it would be worth it to me... but on the other hand does the ASUS BQ 16 Pro already do everything well enough?

 

[Tech9]

Would there be any significant benefit to putting this ahead of my current mesh setup with 3 hardwired BE30000 (BQ 16 Pro) and changing my main Asus settings to AP/AIMesh?

Firewalla Gold Pro is killing BQ16 Pro in both processing power and features. It's a x86 hardware computer with quad-core Intel N97 up to 3.6GHz CPU and 8GB RAM.

 

[The Sandman]

I’m gonna give it a try.

 

[Tech9]

For the money you are going to spend on this mix of equipment with unused features you could have better quality SMB system.

 

[AndrewJacob]

@Tech9 thank you for the great advice I am also looking at obtaining a Firewalla. Right now, I have a home setup with 2 AX86U in mesh and I'm loving the wi-fi performance but wired performance is hit and miss. Friends with ubiquiti setups seem to have better stability with their wired networks. I am also currently bottlenecked at 1GBE when I have a 3gbit symmetrical FTTH connection. So my question could be simple, or complex... But, if I want to upgrade my wired network to greater than 1GBE speeds and have better and more stable wired switching capacity, would i be better off completely changing my network to Ubiquiti/another SMB system as you just suggested to Sandman, or could I put a Firewalla Gold Pro in front of my main AX86U and call it a day? I know PFsense/raspberry pi is the gold standard for a lot of people, but I'm not willing to go down that route.

 

[Tech9]

You have to decide what do you want. On lower budget you can chase speed with home toys or stability with SMB. If you need both with SMB it may cost you in thousands. Your perhaps good deal 3Gbps ISP plan may lead to investments in equipment good for speed tests, but not improving much your every day user experience. Reusing home routers with no VLAN support as APs to VLAN capable gateway may be cheaper, but will limit your network configuration options. Last advice - move away from Broadcom hardware.

 

[AndrewJacob]

Thanks for the reply @Tech9 , but I'm not sure which Broadcom hardware you are recommending to stay away from? My knowledge doesn't go as far as understanding chipsets etc...
At home I have the ASUS Merlin setup we are currently discussing but as an FYI I am currently administering a Ubiquiti system on a commercial setup and I helped set it up initially (Dream Machine Pro, Wifi6 APs, etc.) and know how to use some of its more basic features (different SSIDs, different bandwidth profiles, MAC address filtering, etc.). So I'm not completely helpless. I don't know if this would help in any way regarding a recommandation but thought I'd mention it.

What I'm looking for is to improve my every day performance and not chase after speed tests. I'm not sure what gave that impression but I'm sorry if I somehow miscommunicated. I would like stability and consistently quicker speeds over wired (preferably between 1Gbe and 3Gbit since I have devices and the FTTH connection to potentially take advantage of it). With my current setup I'm satisfied with the wireless performance but for wired I have my main PC, a NAS, Apple TV 4k, another PC and PS5 for which I would appreciate more stability in terms of wired performance. The PC and NAS are 2.5Gbe so I'd be happy with a 2.5Gbe network but if I can get 10Gbe for not much more I'd opt for that.
Not trying to make this super complicated as I don't consider myself a power user (this is why I'm not considering a pfsense setup), but would you recommend throwing a Firewalla Gold Pro between my main AX86U and the Fiber modem, or would you recommend a Ubiquiti system or other?

 

[AndrewJacob]

Additional note: my network seems to fail maybe once or twice a month and I have to manually reboot the ASUS router for it to be corrected. Not a huge fan of that from a user experience standpoint. So the wired network and the speed aren't the only aspects of my current network I'd like to improve with the potential upgrade.

 

[GarySargent]

@AndrewJacob I have a Firewalla Gold Plus router, and three RT-AX86U devices (Merlin firmware) in access point mode wired back to the router. Works great, and the Firewalla has better functionality than the Asus in router mode.

 

[Tech9]

or would you recommend a Ubiquiti system or other?

What makes sense price wise for home use is UCG-Max, it has 2.5GbE ports, but can do up to 1.5Gbps WAN-LAN with IDS/IPS enabled.

 

[Tech9]

Works great

How do you manage VLANs on your RT-AX86U routers? Custom script?