Firewall on Budget Help

Posted on 2014-03-19
Last Modified: 2014-04-28
I need a firewall first that can host multiple IP addresses:

I have 5 static IPs at the moment with Comcast but am looking for 10 shortly!

I need the firewall to be listening on the external address and forwarding to the appropriate server at the moment.

Of course, opening ports for what is necessary.

I am hosting Web: Port 80 / 443

SharePoint Team Server, Exchange Server, RDP, Lync etc.

NOTE: VPN is not critical at all!!!

Looking for 200.00 to 600.00...


A firewall that can have multiple IPs (5 or 10) on one WAN port:

Incoming traffic being routed to the correct server based on IP!

All info and in detail / advice is greatly appreciated...
Question by: Clint Jones
LVL 15

Expert Comment

ID: 39940602
Grab a Cisco ASA 5505 or ASA 5510 from eBay or a used computer store.
I would not, at all, recommend a consumer-grade firewall.
You can use a PC or laptop with two NICs and one of the Linux distribution firewalls.

Accepted Solution

Kent Fichtner earned 500 total points
ID: 39940632
I absolutely agree that you don't need to buy a consumer grade firewall, but if you don't feel like setting up the Linux, you can go with a Watchguard XTM 2.  It is their smallest version and as long as you don't need a bunch of Ethernet ports it should do well.  An upgraded version can also do WiFi.  But we have the XTM5 series.  It does all the stuff you said above (routing the IPs to the correct computer, can do many different static IP addresses).

Author Comment

by:Clint Jones
ID: 39941047
I have Microsoft TMG 2010, which I know is no longer supported, but I am all for the Linux option as I do have a PC with 2 NICs etc...

But I do want to look at both sides, as I agree it seems the biggest functionality for price is WatchGuard and Cisco.

I am researching it, but which Linux firewall application are you specifically thinking about? I'm looking at the above versions of the Cisco and WatchGuard you both mentioned.

I do need a ton of ports but will need a bit if WatchGuard puts a limitation on it.

ALSO, and I may need to open another question for this one.  I was for a few days using my Netgear and Asus wireless routers as the main guys, and internet with wireless drops constantly.  Thinking that was the issue, the traffic load.

After taking the traffic off and allowing the wireless to just be the wireless (which is 2 laptops, 2 iPads, 2 iPhones and Apple TV at times), it still drops on both routers, which are b, g and N. Internet on the Comcast router is not dropping... Pain more than anything... I go into the Asus and click around on the menus and it's up again lol...

Firewall is more important but thought I would ask... Thanks so much for your help =) Clint

LVL 17

Expert Comment

ID: 39948935
The number of IP addresses is not a parameter to worry about when choosing a firewall. Apart from features, you need to look at the bandwidth and the number of concurrent sessions.

If I were you I would choose a Juniper SRX100, which is about $500.
However, I would manage it with the CLI, since I like it and since the GUI does not yet expose all functionality.

If using GUI is a must I would go for the smallest model of FortiGate. It is even cheaper.
LVL 18

Expert Comment

by:Garry Glendown
ID: 39948949
+1 for the FortiGate ... probably one of the most easily configurable firewalls as far as general functionality goes ...
Also, with the amount of intrusion attempts on web servers nowadays, adding the NGFW/UTM features will definitely reduce or completely block any hacking attempts on your servers with the IDS/IPS.
As an added benefit, you get full VPN functionality, making secured remote access easy ...
Depending on your bandwidth, something like a 30D (for higher requirements 60D) should do nicely ...
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 39948978
For under $600, depending on licenses for gateway antivirus and such, you can get a SonicWall TZ210. Easy to manage but powerful. A big factor I don't see mentioned yet is WAN throughput. These lower end devices especially can choke on anything over 30 Mbps, especially with security features enabled.
LVL 18

Expert Comment

by:Garry Glendown
ID: 39949008
As a basis for selecting a device:

FG30D does 800M Firewall, 150M IPS, 30/40 M AV (which, assuming you're mainly protecting servers shouldn't be that relevant ...)
FG60D does 1.5G Firewall, 200M IPS, 35/50M AV
LVL 78

Expert Comment

ID: 39949388
For Linux firewall, fwbuilder might be an option to consider.
You of course could use iptables manually to add the rules. If you decide to do it manually, consider using custom IP chains that you predefine and place within the appropriate builtin chains, INPUT, FORWARD, PREROUTING/POSTROUTING, OUTPUT, MANGLE, DNAT, SNAT as appropriate.

This way you would only need to add rules to your custom chain to achieve ......

There are multi-port NICs.  You could/should consider two older workstations as a cluster to provide an HA router.
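As an added example (not code from this thread, from fwbuilder, or from any product mentioned here), the script below builds the custom-chain layout suggested above for the questioner's situation: several public addresses on one WAN interface, each mapped 1:1 to an internal server on a short list of TCP ports, with everything else arriving from the WAN logged and dropped. The interface name `eth0`, the address mapping and the port lists are constructed placeholders (RFC 5737 documentation and RFC 1918 ranges), not anything from the thread. The script emits the `iptables` commands for review instead of applying them, so the resulting ruleset can be read, diffed, and checked before it touches a live box.

```shell
#!/bin/sh
# Added example: generate a 1:1 NAT ruleset with custom iptables chains.
# Nothing here is applied; the commands are printed for review.

WAN_IF="${WAN_IF:-eth0}"   # assumption: eth0 is the interface facing the Comcast gateway

# Constructed sample mapping: "external_ip internal_ip allowed_tcp_ports"
# (placeholder addresses from RFC 5737 / RFC 1918, not real hosts)
NAT_MAP='
203.0.113.10 192.168.10.10 80,443
203.0.113.11 192.168.10.11 25,443
203.0.113.12 192.168.10.12 3389
'

gen_nat_rules() {
  # Custom chains hold all the per-server rules; each builtin chain gets one jump.
  echo "iptables -t nat -N PUBLIC_DNAT"
  echo "iptables -t nat -N PUBLIC_SNAT"
  echo "iptables -N PUBLIC_FWD"
  echo "iptables -t nat -A PREROUTING -i $WAN_IF -j PUBLIC_DNAT"
  echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j PUBLIC_SNAT"
  echo "iptables -A FORWARD -j PUBLIC_FWD"

  # Reply traffic for already-accepted sessions is allowed before any per-port checks.
  echo "iptables -A PUBLIC_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

  printf '%s\n' "$NAT_MAP" | while read -r ext int ports; do
    [ -z "$ext" ] && continue
    # Inbound: public address -> its internal server, only on the listed ports.
    echo "iptables -t nat -A PUBLIC_DNAT -d $ext -p tcp -m multiport --dports $ports -j DNAT --to-destination $int"
    echo "iptables -A PUBLIC_FWD -i $WAN_IF -d $int -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT"
    # Outbound: the server's own connections leave with the matching public address.
    echo "iptables -t nat -A PUBLIC_SNAT -s $int -j SNAT --to-source $ext"
  done

  # Anything else arriving from the WAN is logged (rate-limited) and dropped.
  echo "iptables -A PUBLIC_FWD -i $WAN_IF -m limit --limit 5/min -j LOG --log-prefix \"FWD-DROP: \""
  echo "iptables -A PUBLIC_FWD -i $WAN_IF -j DROP"
}

# Number of 1:1 DNAT rules produced; handy as a sanity check against the map.
count_dnat_rules() {
  gen_nat_rules | grep -c -- '-j DNAT'
}

# Review the output; to apply on the firewall host run: gen_nat_rules | sh   (as root)
gen_nat_rules
```

Two caveats the thread does not spell out. First, the firewall must actually own the public addresses, so each one has to be added to the WAN interface as well (for example `ip addr add 203.0.113.10/32 dev eth0` per address, assuming the ISP delivers the block on-link rather than routed to a single gateway address); otherwise nothing answers for them and the DNAT rules never see a packet. Second, because the FORWARD path ends in a logged DROP, every connection attempt to an unmapped address or port leaves a `FWD-DROP:` line in the kernel log, which gives the questioner the basic "am I being poked at" monitoring he asks for later in the thread without any extra product.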
LVL 22

Expert Comment

ID: 39949442
A new Cisco 5505 can be found at that price range.
LVL 32

Expert Comment

ID: 39954827
pfSense is my go-to firewall on a budget.  It's got a great development and support community.  It supports multiple IPs, VLANs, and even a captive portal if you want to authenticate guests in an office.

A computer with a PIII proc is all you need and 2~4GB of RAM.

Author Comment

by:Clint Jones
ID: 39975932
I am going to try the firewalls you can put on PCs, but:

If I had too without worrying about VPN's the number of?

Will the Watchguard XTM 2 do:

As I said above, where I can add 10 external IPs from the Comcast router, then route each IP to the correct server so the external matches and routes to the correct internal IP???

I am looking at a Linux one, do you think the open source or another, but if I had to go buy one so it routes 10 external IPs to the Exchange server, which would be the choice???

The WatchGuard seems very budgetary but not at 4000.00; the lower one, XTM2, is very budgetary???

Input please I am reading all the posts and thank you!!!

Author Comment

by:Clint Jones
ID: 40026664
Using Spiceworks for help as well...

Author Comment

by:Clint Jones
ID: 40026672
We have Comcast with the 13 static IP addresses, and we use most of them.

We've had three firewalls during this time.  They all were able to handle any of the static IP addresses coming inbound.

One was a WatchGuard, but I don't remember the model.  Another was a Watchguard XTM 5.

Now we have SonicWall NSA 220.

With NAT and firewall rules, we're able to direct any of the incoming traffic by external IP address.

** Our incoming traffic comes on HTTP, HTTPS, FTP, FTP SSL Implicit.

I currently use an XTM5 series for our main firewall/router and a few XTM 2 series for remote offices and do this using 1-to-1 NAT to route external IPs to internal servers. You can do this easily with the XTM 2 if it's sized properly for your environment; if not, look at a larger device. If you go the WatchGuard route, the 25, 26 and up routers have a new feature that enables them to be gateway wireless controllers. Just buy a WatchGuard wireless AP (AP100 or AP200) and use your firewall as the controller...rock solid and reliable. It's also nice because since the AP is separate from the router you can place it anywhere you need it to maximize your wireless coverage.

Thinking the same: separate the wireless from the firewall.

What are your thoughts about the XTM3??? XTM 2 enough? I want monitoring and NAT of course. VPN is not as important.

I only need maybe a few concurrent connections and unlimited internal users, and allowing Exchange, SharePoint and web site and possibly Lync too to work with no issues.

Able to get reporting and alerts on iPhone / iPad would be great, but email to txt is fine.

There are just 5 servers, 5 PCs and the wireless for 2 iPhones, 2 iPads and 2 laptops.

That is the environment.

Wireless drops a lot. The Netgear and ASUS are not that old and I'm not using both at the same time; they just are an issue.

I need solid wireless that can keep up.

And a firewall that can handle the 16 IPs and NAT to each server by external IP correctly without issues.

Right now the load traffic-wise is not that heavy.

But I want high bandwidth efficiency, with concurrent connections etc., and to be able to monitor the system for any issues from hacking etc. on the security end.

So I'm looking at enterprise level wireless and an enterprise level firewall.

WatchGuard XTM 5 seems very out of budget at the moment, but the XTM 2 and XTM 3 seem doable? And then I need a wireless that can be stable. I'm looking at WatchGuard only because of the affordability; SonicWall is more pricey and I do not know much about the rest mentioned at the top of my original message.

Again all help is very very appreciated as I have to make decisions.

I'm not a big fan of Cisco or WatchGuard... Based on past experiences with both of these, I would not touch them with a 10ft barge pole.

I would recommend either (In no order of preference)

SonicWall - I have deployed these extensively... Good bang for the buck... Decent support.
Sophos - Never used... However, I am evaluating one of the products, and it seems rather promising.
Juniper - A tad on the expensive side, but pretty much worth the extra penny.

ME: Jones
pfSense seems an awesome solution.
