T1 to Firewall with VPN. Help me understand better.

Posted on 2004-09-20
Last Modified: 2010-03-17
Ok I'm a little bit confused.

T1 is 1.54Mbps a sec. (Capital Mbps is what? MegaBits per sec?)  So technically if I purchase a Firewall with 1.54Mbps max throughput it should handle a T1 connection fine. No?

So what I'm trying to figure out, is when do I need to go to a bigger firewall.


Client of mine has a firewall with max 150MBps, well if a T1 is 1.54, then 150 seems a lot.  Why would they need to go up to say, 200, or 275MBps.  Or why even 1.54Gbps, which I've seen on some high end ones.

Is there a way I can determine easily?

Then there is the matter of VPN.

This client example has one main location with a T1, that firewall is only 150Mbps Max Throughput and 40MBps for VPN.  So I'm thinking, ok 150 Max for the T1, that's good, and all 8 locations can get 40Mbps max.  Of course now I'm thinking that adds up to 320Mbps, but they don't need all 40Mbps, if a T1 again is 1.54Mbps.    So if all 8 locations are using the firewall evenly plus the main office that's 17.11kbps each?

I'm just a bit confused.

So how do I properly determine what throughput a client needs if they are on a T1?

What would you recommend for 8 locations and a main office to be on VPN.  All internet, email, domain login goes through main office out T1.

Even now the VPN site takes like 8min to logon to the domain, it's awful.
Question by:fredmastro

Expert Comment

ID: 12112020
It's not always just a question of throughput. It's a matter of CPU and memory on the firewalls, and licensing issues, and other capabilities.
Another consideration, especially for larger companies, is the use of DMZs, or protected networks that are semi-publicly accessible. Perhaps a web server farm that needs high-speed access to back-end database servers. Even though they may have an egress port only capable of 1.5Mbps, the interaction between multiple LAN interfaces may require Gigabit capabilities through the firewall. (Yes, that is Megabits per second, not MegaBytes)

Take, for example, the Cisco PIX series. Starting with the paperback-book-sized little 501, the tech specs say it will handle 60Mbps cleartext throughput, 7500 concurrent connections, and 4.5 Mbps throughput over VPN with 128-bit AES encryption. Quite impressive for a box designed for SOHO (Small Office, Home Office) with <10 users. Licensing is in three modes: 10, 50 or unlimited users. Limitation: no capability for DMZ interfaces. It has inside and outside only. No failover capability. Limited VPN connections (10).

Next, the big boy Enterprise version of the PIX line is the 535 with up to 1.7Gbps, 500,000 connections, 256-bit AES VPN throughput up to 425Mbps, and 2000 simultaneous VPN tunnels. When you need multiple DMZ interfaces all at gigabit speed, this is the workhorse.

Many firewalls try to combine the firewall functions with packet filtering, or AntiVirus, web content control, VPN, etc. The bottom line is to look for the features that you need, at the price point that you can afford.

Author Comment

ID: 12123083

So then..

A firewall with a max 150Mbps (40Mbps VPN) at a main location with a T1 connection, and say 9 remote sites with Cable/DSL connection wanting to use VPN for Internet and Network Filesharing.

Or your opinion would be or not be sufficient?

How should I properly figure out the proper Mbps I'm going to need at the main location?
Do I need to go up to a 250Mbps and 95Mbps VPN?  I don't know.

I'll give you the points, let's just talk over this a little bit.  I really would like to know if it's not adequate.

Expert Comment

ID: 12170621
If they're being restricted by their connection and are looking at upping the speed to accommodate the overload, a better solution might be (for a windows enviro) to put DCs into each branch office. This will alleviate the logon problem, and reduce the congestion over the links. It would also likely work out to be cheaper than getting faster lines in.
For filesharing a local file server with replication might be more beneficial as well.
This can still be managed centrally at the main office.

The other question is how much traffic will there be?  Will all the offices be transmitting/receiving constantly at the same time?

Accepted Solution

lrmoore earned 125 total points
ID: 12171043
You're still getting wrapped up trying to find some magic mathematic formula and there isn't one.
Defining what is sufficient depends on defining too many other factors.

Expert Comment

ID: 12280413
Are you still working on this? Can we be of any more assistance?
Can you close out this question?

Expert Comment

ID: 12537523
As an interested observer and subscriber to this thread, I believe lrmoore answered it quite thoroughly...  Just an observation..

