Flexible, cheap firewall needed - 100 users

We need a good, cheap firewall for our 100 employee office. Outbound, we host (for over 200 clients) 4 physical servers on different TCP ports (3389, 80, 443, 25). We need port-forwarding ability (port x on Server1 forwards to port y on Server2, port x2 on Server3 forwards to port y2 on Server4, etc.). We also need to throttle traffic so that saturated outbound port 25 (us sending e-mail) does not horribly slow down inbound 3389 (us serving out RDP). Those needs are currently met by ipCop, but ipCop (1) does not print usage reports (we use Untangle for this), (2) does not easily allow us to block a given IP address (yes, I could manually do this with iptables), (3) does not support failover (http://www.firewall.cx/ftopict-3107.html), (4) does not integrate into Active Directory (minor problem in our environment). We do NOT use VPN. Again, we need this to be cheap if not free.

What would you do?
Asked by light-blue
Pierre François (Senior consultant) commented:
Stay on IPCop, but use a better modem-router, e.g. Draytek 2820, for failover.

If you have the BOT addon (blocking outgoing traffic), you will be able to reject traffic with some address from the Red side as source. You can experiment with this feature.

Active Directory is available in advanced proxy; see: http://www.advproxy.net/

Good luck.
light-blue (Author) commented:
Thank you pfrancois. How would the two work together? Our default gateway is, let's say, 192.168.0.1. Do I set the default gateway on both devices to that IP? To which IP do I point clients?
Pierre François (Senior consultant) commented:
You set the default gateway of the local clients to the IP-address of the green interface of IPCop.
light-blue (Author) commented:
Thank you pfrancois. Do you have any experience with pfsense? It is free and uses CARP for failover (ideally to a Verizon Wireless USB modem in our case).
piwowarc commented:
I agree with light-blue's suggestion. I am happy to manage three networks under control of pfsense. 2 of them have horrible, small 2M/256k ADSL lines and thanks to the wonderful traffic shaper and squid proxy work just fine. Besides, the engine under pfsense is FreeBSD, using packet filter as firewall (a lot better and more reliable than iptables in my opinion). The GUI is great, huge forum and wiki. I can't recommend any software firewall more (maybe my beloved ISA Server, but that's another shelf of products). And all that for the cost of hardware.

Check out pfsense.org for software and

http://www.applianceshop.eu/index.php/firewalls/opnsense-hd-rack-edition-19-pfsense-appliance.html

for ready preinstalled appliances.

The only downside of CARP failover is the number of public IPs needed - 2 (or a router in front of pfsense with 2 LAN interfaces).
Pierre François (Senior consultant) commented:
I fully agree with piwowarc about the qualities of pfsense. But if you need a router with 2 LAN interfaces in front of pfsense anyway, you had better stay on IPCop with a Draytek modem.
piwowarc commented:
Failover is a capability of 2 firewalls (2 identical pfsense boxes). One is working, the second is on standby. The first one breaks, the second one takes over without dropping active connections. It is common in BSD environments to host cluster firewalls (I have seen a 6-node cluster, like a pile of huge bricks).

So unfortunately you need 3 public IPs or a smart router with static NAT in front of the pfsense boxes. It's not my idea about the number of IPs, check for yourselves. That's why I like the front router idea better (there might be a problem with port forwarding though). So consider pfsense with failover if you can provide the IPs.

http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_%28CARP%29

Pfsense works quite nicely in VMware also, so ESXi could be your all-in-one wonder server.

About Draytek, you mean failover because it has dual WAN, right? The number of WAN interfaces (thus WAN links) in pfsense is limited to the number of your PCI slots.

And the Draytek 2820 has one Ethernet and one DSL (RJ11) WAN. Light-blue didn't say they have DSL broadband. Besides, 20 connections (a really average user with a web browser only) * 100 clients gives you a NAT table of 2000 translations. I've seen some Cisco routers slow to a crawl with that amount. And 20 connections is not really a very big number. A PIII will manage; a router this size will not.

I really can't see how capabilities and features could be compared in that case.

Of course all of the above are just my opinions.

HTH

Cheers

piwowarc commented:
Sorry about the previous statement about the number of IPs needed, it was just off the top of my head.
light-blue (Author) commented:
I read piwowarc's pfsense link on hardware redundancy. Ideally, our system would failover not only to a separate pfSense machine, but to an alternate network provider, e.g. from Comcast to Verizon (USB). However, I will probably abandon that idea due to its complexity and cost: (1) purchasing a new static IP via an alternate network provider (Verizon), (2) DNS would need updates for CNAME, A, MX, and SPF records during the change from primary to backup (which would, of course, be error-prone).

Since a minute or two of internet downtime is probably acceptable (especially at the cost of DNS changes), I will likely implement a hybrid of both of your solutions. As pfrancois indicated, "But if you need a router with 2 LAN interfaces in front of pfsense anyway, you had better stay on IPCop with a Draytek modem."

So, I propose:
1. a single pfSense system (improving ipCop's reporting and removing Untangle)
2. place the Comcast router in front of pfSense
3. hope the Comcast router doesn't fail (call for repair if so)
4. hope the pfSense appliance (probably http://www.netgate.com/product_info.php?cPath=60&products_id=492) doesn't fail (use cold-spare if so)

Disadvantages:
1. no network failover
2. no firewall hardware failover

Advantages:
1. simple
2. inexpensive

Am I missing anything? Last thoughts?
piwowarc commented:
Apart from having front-end and back-end firewalls (like a Corporate almost :) which is sweet but adds complexity, be careful about NATing (you have 3 places now: router, pfsense, ipcop).

You could consider creating a DMZ between your firewalls like many companies do (your servers wouldn't be on the same subnet or even interface as the LAN clients, another chance to balance traffic more easily).

And do you need your router for any specific reason? Does it bridge your DSL or something? If not, it's just another point of failure.

Cheers
piwowarc commented:
Another thing.

Using a pfsense appliance does not allow you to use squid cache (unless you want to kill your CF card with the number of writes). I would strongly recommend a cache, especially with those servers hosted on the same bandwidth. Remember that any download needs to send ACKs, and they can eat your upload bandwidth as well. Squid would be a powerful ally (just think about antivirus updates / Microsoft updates and 100 clients downloading them at once, brrr.....). So maybe a desktop PC with a decent HD acting as your pfsense and cache would give you more power.

Cheers
light-blue (Author) commented:
Just to clarify, I would remove ipCop entirely, so my updated proposal is:

1. pfSense (a desktop PC with decent hard drive)
   a. SNAT (DMZ is likely overkill)
   b. squid
2. router (Comcast)
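To make the final proposal concrete, here is what the requirements from the original question (per-port forwards to different inside hosts, a quickly editable IP blocklist, and keeping inbound RDP responsive while outbound SMTP saturates the uplink) plus the "SNAT" of the proposal above look like as a hand-written pf ruleset of the kind pfSense's GUI generates behind the scenes. This is an added illustration, not code from the thread or from the pfSense project; the interface names (em0/em1), the 192.168.0.x server addresses, the 10Mb uplink figure, the external port 8443 and the /etc/pf.blocked path are all assumptions. The syntax is FreeBSD/ALTQ-era pf, which is what pfSense used; newer OpenBSD pf has a different queueing syntax.

```pf
# pf.conf for a pfSense-class firewall (FreeBSD pf with ALTQ).
# Added illustration only; not taken from the thread or from pfSense.
# Assumed: ext_if em0 (Comcast side), int_if em1 (office LAN), 10Mb uplink.
# Server addresses and /etc/pf.blocked are constructed values.

ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.0.0/24"
server1 = "192.168.0.10"   # RDP host (TCP 3389)
server2 = "192.168.0.11"   # web host (TCP 80/443)
server3 = "192.168.0.12"   # mail host (TCP 25, also sends outbound mail)
server4 = "192.168.0.13"   # second web host, published on external port 8443

# Blocking a given IP without touching the ruleset: one address or CIDR
# per line in the file, reloaded with
#   pfctl -t blocked -T replace -f /etc/pf.blocked
table <blocked> persist file "/etc/pf.blocked"

set skip on lo0
scrub in all

# Shaping. ALTQ only shapes packets LEAVING $ext_if; the RDP reply stream is
# what competes with outgoing mail for the uplink, so it gets the high
# priority queue and outgoing SMTP the low one. Bandwidth = uplink speed.
altq on $ext_if cbq bandwidth 10Mb queue { q_rdp, q_smtp, q_std }
queue q_rdp  bandwidth 40% priority 7 cbq(borrow)
queue q_smtp bandwidth 20% priority 1 cbq(borrow)
queue q_std  bandwidth 40% priority 3 cbq(default borrow)

# Outbound source NAT for the office LAN (the "SNAT" item of the proposal).
nat on $ext_if from $lan_net to any -> ($ext_if)

# Port forwards. The last rule is the "external port x -> inside port y on a
# different host" case from the question.
rdr on $ext_if proto tcp from any to ($ext_if) port 3389 -> $server1 port 3389
rdr on $ext_if proto tcp from any to ($ext_if) port { 80, 443 } -> $server2
rdr on $ext_if proto tcp from any to ($ext_if) port 25   -> $server3 port 25
rdr on $ext_if proto tcp from any to ($ext_if) port 8443 -> $server4 port 443

# Default deny inbound; blocklist hits are logged to pflog0 for review.
block in log quick on $ext_if from <blocked> to any
block in on $ext_if all

# Filtering runs after rdr, so match the translated (inside) address.
# The queue tag rides on the state, so replies leaving $ext_if are shaped.
pass in on $ext_if proto tcp from any to $server1 port 3389 \
    flags S/SA keep state queue q_rdp
pass in on $ext_if proto tcp from any to $server2 port { 80, 443 } \
    flags S/SA keep state queue q_std
pass in on $ext_if proto tcp from any to $server3 port 25 \
    flags S/SA keep state queue q_std
pass in on $ext_if proto tcp from any to $server4 port 443 \
    flags S/SA keep state queue q_std

# Mail the mail host sends out goes to the low-priority queue; everything
# else leaving the office uses the default queue.
pass out on $ext_if proto tcp from $server3 to any port 25 \
    flags S/SA keep state queue q_smtp
pass out on $ext_if all keep state queue q_std

# LAN side: clients and servers may talk out; state handles the return path.
pass in  on $int_if from $lan_net to any keep state
pass out on $int_if all keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -vsq` shows per-queue byte counts, which is the quickest way to confirm that outgoing mail really lands in q_smtp while RDP traffic is saturating nothing. Because the blocklist is a table, adding an address is `pfctl -t blocked -T add <address>` with no rule reload, and `tcpdump -n -e -ttt -i pflog0` shows which blocked sources are still knocking.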
