Cheap Gateway/Firewall Solution

alpha-lemming used Ask the Experts™
Hi Experts,

We're planning to split up our LAN into several subnets in order to separate organisational units and isolate SAN/NAS traffic from the rest of the network. We also need to create several DMZ'ed sandbox networks as lab areas, and we have to set up isolated subnets for customer VPN gateway machines.

These subnets, with the exception of the storage network, will not have much traffic on them, so enterprise level routers would be overkill, and we couldn't afford them anyway.

We basically need a solution which puts a whole bunch of cheap routers in one rack.

'til now, we've been considering either:

1) Filling up a rack server with as many NICs as will fit and running some kind of Linux or BSD firewall distro on it.
2) Buying a whole bunch of cheap home routers for which open source firmware exists (like OpenWrt)
3) Finding an affordable appliance that does what we want (haven't found one yet)

Whaddya think, experts?

Commented:
Affordable appliance-wise, my vote would be for a SonicWALL.

If those are still too expensive for what you want, you could go with a multi-NIC server running SmoothWall, Untangle, m0n0wall, IPCop, etc.

I would stay away from using home routers; it gets messy and they don't give you the flexibility and security of a higher quality device (or open source firewall).
Top Expert 2007
Commented:
eBay has some good used routers.

I prefer the Juniper NS5 GT series for stuff like this.

Prices as low as $30, and these are solid devices that used to cost as much as $500 a pop.

10x versions have unlimited users

20x versions have 25 VPNs instead of the default 10

I hope this helps!
Commented:
IPCop (see www.ipcop.org) works for all the hardware configurations you are describing: rack, cheap computer (also older hardware), little boxes with a flash-card as hard drive, appliance.

As an appliance, you can download it from:

VMware: http://www.vmware.com/appliances/directory/391

and probably for other VM implementations (VirtualBox, Linux Xen) you will find these on Google.
Commented:
I would try an ASA5505 for all features ($500), Juniper SG5 without SSL/VPN ($300) or Fortinet.
Cheaper? Cisco SMB, D-Link, etc.
You need to consider the throughput you need as one of, if not the, most important factors... a Linux box could be an issue depending on this...

Commented:
@nblancpain: Linux boxes have excellent throughput and alpha-lemming told there was not much traffic. I have a Linux box on a

A software-driven firewall can be tuned. Normally, you start with weak hardware and you look at the system graphs. If you see the
Commented:
Oops. The message went out before it was finished. I go on:

@nblancpain: Linux boxes have excellent throughput and alpha-lemming told there was not much traffic. I have a Linux box on a PC 586 at 800 MHz and 128 MB, and the system graphs show an average use of the CPU below 5%. Only at boot time is there a short peak to 60%. I have between 5 and 20 users connected, some of them heavy users.

A software-driven firewall can always be tuned. Normally, you start with weak hardware and you look at the system graphs. If you see the hardware can't keep up, you upgrade the RAM, but up to now, it wasn't necessary.
Commented:
I have used Linux or OpenBSD. The beauty is you don't need to fill it up with interfaces, as you can just use one (or a pair of bonded) interfaces with VLAN tagging on top of them, splitting them into "interfaces".

Furthermore, you can use CARP on OpenBSD to create a fail-over pair of routers. One of the beauties of using this arrangement is that if you have a problem you can easily tcpdump on any of the interfaces. Firewalling can be done with iptables (Linux) or pf (OpenBSD).

I have done several hundred megabits on VLAN-tagged interfaces on Linux boxes. The thing that will get you is the packets per second. If that spikes, it can raise the number of interrupts and peg your CPU. You get around that by using NAPI on an E1000 or other supported interface. But again, you said low bandwidth, so that may not be an issue.
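As an added example (not code from the thread or from any product named in it), the arrangement described in this comment on Linux: one trunk NIC split into tagged VLAN sub-interfaces, with iptables keeping the storage, lab and customer-VPN segments from the question apart. The trunk name eth0, the VLAN IDs and the subnets are assumptions; commands are printed as a dry run unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread: one trunk NIC split into 802.1Q-tagged
# VLAN "interfaces" on Linux, with iptables isolating the segments the question
# describes. Trunk name, VLAN IDs and subnets are assumptions for illustration.
# Commands are only printed by default (dry run); run with APPLY=1 as root to execute.
TRUNK=eth0   # assumed trunk NIC carrying the tagged VLANs

run() { if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi; }

# Kernel naming convention for a tagged sub-interface: eth0 + VLAN 10 -> eth0.10
vlan_iface() { printf '%s.%s\n' "$1" "$2"; }

# add_vlan <trunk> <vlan-id> <gateway-cidr>: create the tagged sub-interface
# and give the firewall box its gateway address on that segment.
add_vlan() {
  ifc=$(vlan_iface "$1" "$2")
  run ip link add link "$1" name "$ifc" type vlan id "$2"
  run ip addr add "$3" dev "$ifc"
  run ip link set "$ifc" up
}

# segment_rules <iface> <isolated|to:CIDR>: forwarding policy for one segment.
# "isolated" forwards nothing to other VLANs (storage, lab sandboxes, customer
# VPN gateways); "to:CIDR" lets the segment open new connections to one peer
# subnet only. Replies come back through the ESTABLISHED,RELATED rule in plan().
segment_rules() {
  case "$2" in
    isolated) run iptables -A FORWARD -i "$1" -j DROP ;;
    to:*)
      run iptables -A FORWARD -i "$1" -d "${2#to:}" -m conntrack --ctstate NEW -j ACCEPT
      run iptables -A FORWARD -i "$1" -j DROP ;;
  esac
}

# The segmentation plan from the question, with constructed VLAN IDs/subnets.
plan() {
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  add_vlan "$TRUNK" 10 192.168.10.1/24   # office unit
  add_vlan "$TRUNK" 20 192.168.20.1/24   # SAN/NAS storage
  add_vlan "$TRUNK" 30 192.168.30.1/24   # DMZ lab sandbox
  add_vlan "$TRUNK" 40 192.168.40.1/24   # customer VPN gateway hosts
  segment_rules "$(vlan_iface "$TRUNK" 10)" to:192.168.30.0/24  # office may reach the lab
  segment_rules "$(vlan_iface "$TRUNK" 20)" isolated
  segment_rules "$(vlan_iface "$TRUNK" 30)" isolated
  segment_rules "$(vlan_iface "$TRUNK" 40)" isolated
}

plan
```

A second box with the same script plus CARP (OpenBSD) or keepalived (Linux) on each sub-interface gives the fail-over pair the comment mentions.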
Thanks for the points, glad I could help!
