T1 to Firewall with VPN. Help me understand better.

Posted on 2004-09-20
Medium Priority
Last Modified: 2010-03-17
Ok I'm a little bit confused.

T1 is 1.54Mbps a sec. (Capital Mbps is what? MegaBits per sec?)  So technically if I purchase a Firewall with 1.54Mbps max throughput it should handle a T1 connection fine. No?

So what I'm trying to figure out, is when do I need to go to a bigger firewall.


Client of mine has a firewall with max 150MBps, well if a T1 is 1.54, then 150 seems a lot.  Why would they need to go up to say, 200, or 275MBps.  Or why even 1.54Gbps, which I've seen on some high end ones.

Is there a way I can determine easily?

Then there is the matter of VPN.

This client example has one main location with a T1, that firewall is only 150Mbps Max Throughput and 40MBps for VPN.  So I'm thinking, ok 150 Max for the T1, that's good, and all 8 locations can get 40Mbps max.  Of course now I'm thinking that adds up to 320Mbps, but they don't need all 40Mbps, if a T1 again is 1.54Mbps.    So if all 8 locations are using the firewall evenly plus the main office that's 17.11kbps each?

I'm just a bit confused.

So how do I properly determine what throughput a client needs if they are on a T1?

What would you recommend for 8 locations and a main office to be on VPN.  All internet, email, domain login goes through main office out T1.

Even now the VPN site takes like 8min to logon to the domain, it's awful.
Question by:fredmastro
LVL 79

Expert Comment

ID: 12112020
It's not always just a question of throughput. It's a matter of CPU and memory on the firewalls, and licensing issues, and other capabilities.
Another consideration, especially for larger companies, is the use of DMZs, or protected networks that are semi-publicly accessible. Perhaps a web server farm that needs high-speed access to back-end database servers. Even though they may have an egress port only capable of 1.5Mbps, the interaction between multiple LAN interfaces may require Gigabit capabilities through the firewall. (Yes, that is Megabits per second, not MegaBytes)

Take for argument example, the Cisco PIX series. Starting with the paperback book sized little 501, the tech specs say it will handle 60Mbps cleartext throughput, 7500 concurrent connections, and 4.5 Mbps throughput over VPN with 128-bit AES encryption. Quite impressive for a box designed for SOHO (Small Office, Home Office), <10 users. Licensing is in three modes: 10, 50 or unlimited users. Limitation: no capability for DMZ interfaces. It has inside and outside only. No failover capability. Limited VPN connections (10).

Next, the big boy Enterprise version of the PIX line is the 535 with up to 1.7Gbps, 500,000 connections, 256-bit AES VPN throughput up to 425Mbps, and 2000 simultaneous VPN tunnels. When you need multiple DMZ interfaces all at gigabit speed, this is the workhorse.

Many firewalls try to combine the firewall functions with packet filtering, or AntiVirus, web content control, VPN, etc. The bottom line is to look for the features that you need, at the price point that you can afford.

Author Comment

ID: 12123083

So then..

A firewall with a max 150Mbps (40Mbps VPN) at a main location with a T1 connection, and say 9 remote sites with Cable/DSL connection wanting to use VPN for Internet and Network Filesharing.

Or your opinion would be or not be sufficient?

How should I properly figure out the proper Mbps I'm going to need at the main location?
Do I need to go up to a 250Mbps and 95Mbps VPN?  I don't know.

I'll give you the points, let's just talk over this a little bit.  I really would like to know if it's not adequate.

Expert Comment

ID: 12170621
If they're being restricted by their connection and are looking at upping the speed to accommodate the overload, a better solution might be (for a windows enviro) to put DCs into each branch office. This will alleviate the logon problem, and reduce the congestion over the links. It would also likely work out to be cheaper than getting faster lines in.
For filesharing a local file server with replication might be more beneficial as well.
This can still be managed centrally at the main office.

The other question is how much traffic will there be?  Will all the offices be transmitting/receiving constantly at the same time?
LVL 79

Accepted Solution

lrmoore earned 500 total points
ID: 12171043
You're still getting wrapped up trying to find some magic mathematic formula and there isn't one.
Defining what is sufficient depends on defining too many other factors.
LVL 79

Expert Comment

ID: 12280413
Are you still working on this? Can we be of any more assistance?
Can you close out this question?
LVL 40

Expert Comment

ID: 12537523
As an interested observer and subscriber to this thread, I believe lrmoore answered it quite thoroughly...  Just an observation..

