Firewall on Budget Help

I need a firewall first that can host multiple IP addresses:

I have 5 static IPs at the moment with Comcast but am looking for 10 shortly!

I need the firewall to be listening on the external address and forwarding to the appropriate server at the moment.

Of course, opening only the ports that are necessary.

I am hosting Web: Port 80 / 443

SharePoint Team Server, Exchange server, RDP, Lync etc.

NOTE::   VPN is not critical at all!!!

Looking for 200.00 to 600.00...


A firewall that can have multiple IPs (5 or 10) on one WAN port:

Incoming traffic being routed to the correct server based on IP!

All info and in detail / advice is greatly appreciated...
Clint Jones asked:
Kent Fichtner (Information Technology Systems Supervisor) commented:
I absolutely agree that you don't need to buy a consumer grade firewall, but if you don't feel like setting up the Linux, you can go with a WatchGuard XTM 2.  It is their smallest version and as long as you don't need a bunch of Ethernet ports it should do well.  An upgraded version can also do WiFi.  But we have the XTM 5 series.  It does all the stuff you said above (routing the IPs to the correct computer, can do many different static IP addresses).
Darrell Porter (Enterprise Business Process Architect) commented:
Grab a Cisco ASA 5505 or ASA 5510 from eBay or a used computer store.
I would not, at all, recommend a consumer-grade firewall.
You can use a PC or laptop with two NICs and one of the Linux distribution firewalls.
Clint Jones (Author) commented:
I have Microsoft TMG 2010, which I know is no longer supported, but I am all for the Linux option as I do have a PC with 2 NICs etc...

But I do want to look at both sides, as I agree it seems the biggest functionality for the price is WatchGuard and Cisco.

I am researching it, but which Linux firewall application are you specifically thinking about? I am also looking at the above versions of the Cisco and WatchGuard you both mentioned.

I do need a ton of ports but will need a bit if WatchGuard puts a limitation on it.

ALSO, and I may need to open another question for this one: I was for a few days using my Netgear and Asus wireless routers as the main routers, and the internet over wireless drops constantly.  I was thinking the issue was the traffic load.

After taking the traffic off and allowing the wireless to just be the wireless (which is 2 laptops, 2 iPads, 2 iPhones and an Apple TV at times), it still drops on both routers, which are b, g and n. Internet on the Comcast router is not dropping... A pain more than anything... I go into the Asus and click around on the menus and it's up again lol...

The firewall is more important, but I thought I would ask... Thanks so much for your help =) Clint
The number of IP addresses is not a parameter to worry about when choosing a firewall. Apart from features, you need to look at the bandwidth and the number of concurrent sessions.

If I were you I would choose a Juniper SRX100, which is about $500.
However, I would manage it with the CLI, since I like it and since the GUI does not yet expose all functionality.

If using a GUI is a must, I would go for the smallest model of FortiGate. It is even cheaper.
Garry Glendown (Consulting and Network/Security Specialist) commented:
+1 for the FortiGate ... probably one of the most easily configurable firewalls as far as general functionality goes ...
Also, with the amount of intrusion attempts on web servers nowadays, adding the NGFW/UTM features will definitely reduce or completely block any hacking attempts on your servers with the IDS/IPS.
As an added benefit, you get full VPN functionality, making secured remote access easy ...
Depending on your bandwidth, something like a 30D (for higher requirements 60D) should do nicely ...
Aaron Tomosky (SD-WAN Simplified) commented:
For under $600 depending on licenses for gateway anti virus and such, you can get a sonicwall tz210. Easy to manage but powerful. A big factor I don't see mentioned yet is wan throughput. These lower end devices especially can choke on something over 30 Mbps especially with security features enabled.
Garry Glendown (Consulting and Network/Security Specialist) commented:
As a basis for selecting a device:

FG30D does 800M Firewall, 150M IPS, 30/40M AV (which, assuming you're mainly protecting servers, shouldn't be that relevant ...)
FG60D does 1.5G Firewall, 200M IPS, 35/50M AV
For a Linux firewall, fwbuilder might be an option to consider.
You of course could use iptables manually to add the rules. If you decide to do it manually, consider using custom IP chains that you predefine and place within the appropriate builtin chains, INPUT, FORWARD, PREROUTING/POSTROUTING, OUTPUT, MANGLE, DNAT, SNAT as appropriate.

This way you would only need to add rules to your custom chain to achieve ......

There are multi-port NICs.  You could/should consider two older workstations as a cluster to provide an HA router.
A new Cisco 5505 can be found at that price range.
nappy_d (There are a 1000 ways to skin the technology cat.) commented:
pfSense is my go-to firewall on a budget.  It's got a great development and support community.  It supports multiple IPs, VLANs, and even a captive portal if you want to authenticate guests in an office.

A computer with a PIII processor is all you need, and 2~4GB of RAM.
Clint Jones (Author) commented:
I am going to try the firewalls you can put on PCs but::

If I had to, without worrying about VPNs, the number of?

Will the WatchGuard XTM 2 do:

As I said above, where I can add 10 external IPs from the Comcast router, then route each IP to the correct server so the external IP matches and routes to the correct internal IP???

I am looking at a Linux one; do you think the open source one or another? But if I had to go buy one so it routes 10 external IPs to the Exchange server, which would be the choice???

The WatchGuard seems very budgetary, but not at 4000.00; the lower one, the XTM 2, is very budgetary???

Input please, I am reading all the posts and thank you!!!
Clint Jones (Author) commented:
Using Spiceworks for help as well...
Clint Jones (Author) commented:
We have Comcast with the 13 static IP addresses, and we use most of them.

We've had three firewalls during this time.  They all were able to handle any of the static IP addresses coming inbound.

One was a WatchGuard, but I don't remember the model.  Another was a WatchGuard XTM 5.

Now we have SonicWall NSA 220.

With NAT and firewall rules, we're able to direct any of the incoming traffic by external IP address.

** Our incoming traffic comes on HTTP, HTTPS, FTP, FTP SSL Implicit.

I currently use an XTM 5 series for our main firewall/router and a few XTM 2 series for remote offices, and do this using 1-to-1 NAT to route external IPs to internal servers. You can do this easily with the XTM 2 if it's sized properly for your environment; if not, look at a larger device. If you go the WatchGuard route, the 25, 26 and up routers have a new feature that enables them to be gateway wireless controllers. Just buy a WatchGuard wireless AP (AP100 or AP200) and use your firewall as the controller...rock solid and reliable. It's also nice because, since the AP is separate from the router, you can place it anywhere you need it to maximize your wireless coverage.
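The two Linux-side suggestions in this thread, predefined custom iptables chains hooked into the builtin chains and 1-to-1 NAT of each external IP to one internal server, fit together in a single ruleset. The script below is an added example, not code posted in the thread or from any product mentioned in it. The interface names, the three external/internal address pairs (documentation and private ranges) and the port lists are constructed placeholders; by default it only prints the iptables commands so they can be reviewed, and `apply` executes them.

```shell
#!/bin/sh
# Added example, not code from the thread: generate an iptables ruleset that
# implements 1-to-1 NAT from several public IPs to internal servers, using
# custom chains hooked into the built-in PREROUTING, POSTROUTING and FORWARD
# chains. Interface names, addresses and ports are constructed placeholders
# (assumptions); replace them with your own.

WAN_IF="${WAN_IF:-eth0}"   # assumed WAN interface name
LAN_IF="${LAN_IF:-eth1}"   # assumed LAN interface name

# Constructed mapping, one record per line: "<external IP> <internal IP> <tcp ports>"
MAPPINGS='203.0.113.10 192.168.10.10 80,443
203.0.113.11 192.168.10.11 25,443
203.0.113.12 192.168.10.12 3389'

# Print each iptables command by default; execute it when APPLY=1 (needs root).
ipt() {
  if [ "${APPLY:-0}" = "1" ]; then
    iptables "$@"
  else
    printf 'iptables %s\n' "$*"
  fi
}

build_rules() {
  # Custom chains: every site-specific rule lives here, so the built-in chains
  # only carry the hooks and adding a server later means touching these only.
  ipt -t nat -N PUBLIC_DNAT
  ipt -t nat -N PUBLIC_SNAT
  ipt -N PUBLIC_FWD

  # Hooks into the built-in nat chains.
  ipt -t nat -A PREROUTING -i "$WAN_IF" -j PUBLIC_DNAT
  ipt -t nat -A POSTROUTING -o "$WAN_IF" -j PUBLIC_SNAT

  # Default deny for forwarded traffic; only explicitly allowed ports get in.
  ipt -P FORWARD DROP
  ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
  ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -j PUBLIC_FWD

  # One DNAT/SNAT pair per public address (1-to-1 NAT), plus one filter rule
  # per allowed port so the NAT mapping alone never exposes a service.
  printf '%s\n' "$MAPPINGS" | while read -r ext int ports; do
    [ -n "$ext" ] || continue
    ipt -t nat -A PUBLIC_DNAT -d "$ext" -j DNAT --to-destination "$int"
    ipt -t nat -A PUBLIC_SNAT -s "$int" -j SNAT --to-source "$ext"
    for p in $(printf '%s' "$ports" | tr ',' ' '); do
      ipt -A PUBLIC_FWD -d "$int" -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
  done
}

# Usage: sh nat-rules.sh print   (review the generated commands)
#        sh nat-rules.sh apply   (execute them as root; ip_forward must be enabled)
case "${1:-}" in
  print) build_rules ;;
  apply) APPLY=1; build_rules ;;
esac
```

The DNAT rule maps the whole external address to the internal server, which is what the 1-to-1 NAT on the appliances does; the matching SNAT rule makes the server's outbound traffic leave from the same public address, and the per-port rules in PUBLIC_FWD plus the DROP policy on FORWARD are what actually limit exposure to the listed services. Each external address on the WAN interface still has to be configured on the box (for example as an additional address on the WAN interface) before the kernel will answer for it.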

Thinking the same, separate the wireless from the firewall.

What are your thoughts about the XTM 3??? Is the XTM 2 enough? I want monitoring and NAT of course. VPN is not as important.

I only need maybe a few concurrent connections, unlimited internal users, and allowing Exchange, SharePoint Team and the web site, and possibly Lync too, to work with no issues.

Being able to get reporting and alerts on iPhone / iPad would be great, but email to txt is fine.

There are just 5 servers, 5 PCs and the wireless for 2 iPhones, 2 iPads and 2 laptops.

That is the environment.

Wireless drops a lot. The Netgear and ASUS are not that old and I'm not using both at the same time, but they are an issue.

I need solid wireless that can keep up.

And a firewall that can handle the 16 IPs and NAT to each server by external IP correctly without issues.

Right now the load, traffic-wise, is not that heavy.

But I want high bandwidth efficiency, with concurrent connections etc., and to be able to monitor the system for any issues from hacking etc. on the security end.

So I'm looking at enterprise level wireless and an enterprise level firewall.

The WatchGuard XTM 5 seems very out of budget, but the XTM 2 and XTM 3 seem doable? And then I need a wireless that can be stable. I'm looking at WatchGuard only because of the affordability; SonicWall is more pricey and I do not know much about the rest mentioned at the top in my original message.

Again all help is very very appreciated as I have to make decisions.

I'm not a big fan of Cisco or WatchGuard... Based on past experiences with both of these, I would not touch them with a 10ft barge pole.

I would recommend either (in no order of preference):

SonicWall - I have deployed these extensively... Good bang for the buck... Decent support.
Sophos - Never used... However, I am evaluating one of the products, and it seems rather promising.
Juniper - A tad on the expensive side, but pretty much worth the extra penny.

ME:: Jones
pfSense seems an awesome solution.
