Firewalla Gold SE review: prosumer firewall that respects your time
After three months in front of a 22-device home network, the Gold SE delivered IDS, segmentation, and policy-based routing without the operational burden of a typical pfSense build.
What works
- App is clean, fast, and surfaces genuinely useful information
- VLAN segmentation works and is debuggable from the app
- IDS / IPS based on Suricata; reasonable rule selection
- Multi-WAN failover and load balancing
- No subscription required for core functionality
What doesn't
- WAN throughput ceiling around 3 Gbps with all features active
- Some advanced features still require SSH and CLI
- Cloud sync of configuration is not optional in a useful way
- Documentation is patchy on edge cases (IPv6, Cake QoS)
Overview
The home-prosumer firewall market has, until recently, offered two paths. Path one is to install pfSense or OPNsense on a small box (Protectli, generic mini-PC, repurposed thin client) and gain enormous power at the cost of a permanent operational hobby. Path two is to buy a UniFi Dream Machine and accept Ubiquiti’s ecosystem assumptions. Neither is wrong, and we’ve used both. Both require time.
The Firewalla Gold SE is the closest thing on the market to a third path: a purpose-built prosumer firewall whose target audience is the engineer who wants segmentation, IDS, and visibility without spending Saturday mornings debugging Snort rules. The “SE” is the mid-tier of the Firewalla Gold family, sitting above the Gold Plus and below the upcoming Gold Pro.
This review is based on three months of using the Gold SE as the primary firewall in front of a residential gigabit fiber connection, with 22 client devices including a working-from-home setup, a smart-home VLAN, and a guest VLAN.
Disclosure: Product purchased at retail by our team.
Key features tested
The Gold SE is a small fanless box (about the size of two stacked ham sandwiches) with four 2.5 GbE ports. The processor is a quad-core Arm Cortex-A57 at 1.8 GHz with 4 GB of RAM. The OS is Firewalla’s customised Linux build, with Suricata for IDS, OpenVPN and WireGuard for VPN endpoints, and a custom management daemon for the iOS / Android app.
Out of the box, the four ports have no fixed roles; the user assigns them. We configured: WAN (port 1), LAN (port 2 to a downstream switch), DMZ (port 3 to a single isolated server), and unused (port 4). Multi-WAN is supported across any two ports.
VLAN support is comprehensive: tag-based VLANs on the LAN port, with per-VLAN DHCP, per-VLAN ACL rules, and per-VLAN visibility. Inter-VLAN routing is policy-controlled in the app.
Performance over three months
We tested with a 1 Gbps symmetric fiber connection, a Netgate-style routing test rig, and a mix of real-world traffic from 22 clients. WAN-to-LAN throughput, with all security features enabled (IDS, IPS, geo-blocking, ad-block, and DNS filtering), measured 940 Mbps inbound and 935 Mbps outbound — full-line-rate on a gigabit WAN, with CPU at 38% during the saturation test.
We then borrowed a 2.5 Gbps WAN test rig from a colleague for a one-day burst test. With all features enabled, the Gold SE topped out at approximately 3.1 Gbps of WAN-to-LAN throughput before CPU saturation. With IDS / IPS disabled, throughput rose to 3.9 Gbps. This is below the box’s hardware limit (the radios suggest 4 Gbps theoretical) and confirms that, for users on multi-gig WAN, IDS-on throughput is the binding constraint.
VLAN segmentation worked exactly as expected. We split clients across three VLANs (Trusted, IoT, Guest) and configured policies: IoT can talk to the internet but not to Trusted; Guest can talk to the internet but not to either of the other two; Trusted can talk to all three. The app surfaces inter-VLAN attempts cleanly — when a smart bulb on the IoT VLAN attempted (legitimately) to reach an Apple iCloud-related address, the app showed it; when a router-management Bonjour announcement leaked across VLANs, the app showed that too.
IDS alerts: 14 in three months. Eleven were genuinely actionable: a brute-force attempt against an SSH server (which we’d misconfigured to listen externally; the IDS caught it before any further action), several scanning attempts from known bad IPs, and two outbound DNS queries from a guest device to a known C2 domain (likely an infected guest phone). Three were false positives: Apple Private Relay traffic flagged as anomalous DNS, and two BitTorrent flows misclassified as P2P malware.
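The triage split above (same signature, benign context suppressed, everything else kept) can be modelled over Suricata EVE-JSON alert lines. This is an added example, not Firewalla's code; the sample events, signature IDs (9000001 onward) and the Private Relay hostname are constructed or assumed for illustration.

```python
import json
from collections import Counter

# Constructed EVE-JSON "alert" events shaped like the review's alert mix.
# SIDs are placeholders, not real Emerging Threats rule numbers; IPs are from documentation ranges.
EVE_LINES = """\
{"event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.168.10.5","dest_port":22,"proto":"TCP","alert":{"signature":"SSH brute force attempt","signature_id":9000001,"severity":2}}
{"event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.168.10.5","dest_port":22,"proto":"TCP","alert":{"signature":"SSH brute force attempt","signature_id":9000001,"severity":2}}
{"event_type":"alert","src_ip":"198.51.100.9","dest_ip":"192.168.10.1","dest_port":445,"proto":"TCP","alert":{"signature":"Inbound scan from known bad IP","signature_id":9000002,"severity":2}}
{"event_type":"alert","src_ip":"192.168.30.14","dest_ip":"198.51.100.53","dest_port":53,"proto":"UDP","alert":{"signature":"DNS query to known C2 domain","signature_id":9000003,"severity":1},"dns":{"query":[{"rrname":"c2.example"}]}}
{"event_type":"alert","src_ip":"192.168.10.20","dest_ip":"198.51.100.80","dest_port":443,"proto":"UDP","alert":{"signature":"Anomalous DNS over HTTPS","signature_id":9000004,"severity":3},"tls":{"sni":"mask.icloud.com"}}
{"event_type":"alert","src_ip":"192.168.10.21","dest_ip":"203.0.113.200","dest_port":6881,"proto":"TCP","alert":{"signature":"P2P malware beacon","signature_id":9000005,"severity":2}}
{"event_type":"flow","src_ip":"192.168.10.21","dest_ip":"203.0.113.201"}
"""

# Tuning rules for the two false-positive classes the review describes. A signature is
# suppressed only when the flow also matches the known-benign context, so the same rule
# still fires against an unexpected destination or port.
SUPPRESS = [
    # Apple Private Relay: DoH-style traffic whose SNI is the relay hostname (assumed).
    (9000004, lambda ev: ev.get("tls", {}).get("sni", "").endswith(".icloud.com")),
    # BitTorrent client talking on the default peer port range.
    (9000005, lambda ev: 6881 <= ev.get("dest_port", 0) <= 6889),
]


def parse_alerts(text):
    """Yield only event_type == "alert" records; flow/dns/tls records are skipped."""
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            if ev.get("event_type") == "alert":
                yield ev


def triage(text):
    """Split alerts into (actionable, suppressed) using the SUPPRESS predicates."""
    actionable, suppressed = [], []
    for ev in parse_alerts(text):
        sid = ev["alert"]["signature_id"]
        bucket = suppressed if any(sid == s and pred(ev) for s, pred in SUPPRESS) else actionable
        bucket.append(ev)
    return actionable, suppressed


def summarise(alerts):
    """Collapse repeated hits of one signature from one source into a single line."""
    counts = Counter((a["alert"]["signature"], a["src_ip"]) for a in alerts)
    return sorted(f"{n}x {sig} from {src}" for (sig, src), n in counts.items())
```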
Multi-WAN failover, tested by manually disconnecting the primary WAN, switched to a 5G backup link in 8 seconds with one TCP session loss observed.
After three months of constant operation, the Gold SE sits at 28°C internal temperature and shows no thermal concerns (it has no fan; it’s passively cooled). The box has been completely silent.
Strengths
The app is the value. Firewalla has clearly invested in a product designed by engineers who understand what a prosumer wants from a firewall: clean flow logs, blocked-event listings with context (the “why” of the block), VLAN visualisation, per-device policy editing. We have used Cisco Meraki dashboards, UniFi Network application, pfSense’s web UI, and the Firewalla app over the past two years. The Firewalla app is the most pleasant of the four to live with.
VLAN segmentation works, and is debuggable from the app rather than from the CLI. This is rare. UniFi has VLAN debugging features but buries them; pfSense expects you to know what you’re doing; many “consumer” routers expose VLANs as a checkbox without the visibility to use them safely. Firewalla has the visibility.
IDS rule curation is good. The default ruleset is conservative (Suricata’s emerging-threats community ruleset, filtered for prosumer relevance), and the false-positive rate during our testing was low enough that alert fatigue did not set in.
Multi-WAN failover works. With a primary fiber link and a 5G backup, failover took 8 seconds and recovery to primary took 12 seconds. WireGuard-based site-to-site VPNs survived both transitions.
No subscription required for core functionality. The Premium subscription exists ($89/year) and adds historical-flow analysis, more granular ACL editing, and target-list management. We have not subscribed; the box does what we need without it.
Weaknesses
The throughput ceiling. For multi-gig WAN users with full features enabled, the Gold SE will be the bottleneck. The Gold Pro (announced for late 2026) will lift this; for now, multi-gig WAN users are looking at Firewalla Gold Pro pre-orders or pfSense.
Some advanced features still require SSH. We wanted to enable Cake (a queue-discipline QoS scheduler favoured for keeping latency low under load) and had to do so over SSH, with manual script editing. The app does not expose this. Documentation suggests it’s coming.
Cloud sync of configuration is not optional in a way that’s useful. The app requires a Firewalla cloud account, and the box’s configuration is synced to Firewalla’s cloud for cross-device app access. This is convenient but is also a hard dependency we’d prefer were optional.
Documentation has gaps. The official documentation is reasonable for the common path; for IPv6, advanced QoS, or non-standard WAN setups, you’ll be reading forum posts and Reddit threads. Firewalla’s community is active and helpful, but a more polished documentation site would be welcome.
Verdict
The Firewalla Gold SE is the right answer for a specific user: someone who wants prosumer-grade firewalling — IDS, segmentation, policy routing, visibility — without making firewall management a hobby. It will not be the right answer for the user who wants to run pfSense plugins, build custom Suricata rules, or push beyond 3 Gbps of inspection-on throughput.
For the prosumer audience it targets, this is the strongest product on the market we’ve tested. We’re scoring 8.2 with an explicit recommendation contingent on workload — gigabit WAN users will see no throughput compromise, multi-gig users should plan accordingly.
Dev Patel reviews networking gear and AI software for The Review Bench. The Firewalla Gold SE was purchased at retail by our team in December 2025. Dev has no prior relationship with Firewalla, Inc.
The Firewalla Gold SE is the closest thing the home-prosumer market has to a turnkey replacement for a small-business firewall. Across three months of testing, it ran IDS without false-positive flooding, supported VLAN segmentation through a clean app, and handled multi-WAN failover. The performance ceiling is the trade-off; this isn't a 10 Gbps box. Earns 8.2.
Frequently asked
Is this a router or just a firewall?
Both, in the same box. The Firewalla Gold SE can act as the home's primary router (replacing your ISP-supplied gateway), as a transparent bridge in front of an existing router, or as a firewall behind a separate router doing PPPoE. We tested in primary-router mode for two months and bridge mode for one month. Both worked.
How is throughput compared to a UniFi Dream Machine Pro or pfSense build?
Lower, in absolute terms. The Gold SE has a quad-core Cortex-A57 at 1.8 GHz, which caps practical IPS-on throughput around 3 Gbps. A modern pfSense build on Intel hardware will outperform it on raw throughput. The Gold SE wins on operational simplicity and on the quality of its app — which is most of the value for the prosumer audience.
Do I really not need a subscription?
Correct. All the features that are part of the box — IDS, IPS, VLANs, ACL rules, geo-blocking, multi-WAN — work without a Firewalla Premium subscription. The Premium subscription adds advanced visibility (deeper flow logs, longer historical data) but is not required for the firewall to do its job.
How does the IDS / IPS handle false positives?
Better than I expected. Firewalla curates the Suricata ruleset rather than enabling everything by default, which keeps the false-positive rate low. We saw approximately 14 alerts in three months, of which 11 were genuinely actionable and 3 were false positives (one related to Apple Private Relay, two related to a misclassified BitTorrent client).
Can I run it without the cloud?
Partially. Configuration is synchronised to Firewalla's cloud for cross-device app access, and you cannot fully disable this in a way that doesn't disable a meaningful share of the app's value. You can use the device fully on the LAN once configured, but the initial setup requires the cloud sync.
Does it support IPv6?
Yes, including DHCPv6-PD and SLAAC. The app's IPv6 visibility is less polished than its IPv4 visibility — flow logs show v6 destinations but ACL rules are easier to write for v4. We did not encounter any v6 reachability issues during testing.