The netscreens are not too bad, I have experience with the ns5400's
and the little ns5gt. They have a decent gui but the cli is a little
unintuitive until you get used to it. They start getting pretty
pricey when you start adding interfaces too. As a different approach
you could always use vlans to separate your networks. pfSense
supports vlans (and I assume dot1q trunking) although I have no
experience using it with pfsense. The ns5400 series stuff supports
dot1q for sure as I've worked fairly extensively with that function
of them (anything larger than a ns500 is probably overkill for what
you're looking to do). I'm not sure of the vlan support on the lower
range netscreens. I'd suggest a wrap + pfsense unless you need lots
of crypto throughput. My experience is that a little soekris +
crypto card with pfsense can really only handle limited rules +
ipsec. Once I started adding more than 1 tunnel performance got
pretty poor. I believe this was a limitation of the hardware, not
the software. On a higher end PC the same config ran *much*
better. Really any box that supports dot1q trunking would work for
a router on a stick model (assuming your layer 2 hardware also
supports it) which would negate your need for a bunch of interfaces
and give your client his "separate networks" he thinks he needs.
Does this client really need that option? If the hosts on these
separate "ports" can talk to each other at all then his theory of
protecting the other hosts if one gets compromised is pretty much
debunked. Unless each port / network is configured to have very
restrictive rules and can't talk to the others at all then all you're
really gaining is an individual broadcast domain per segment. Maybe
that is what he wants and/or I'm overlooking something.
nb
On Feb 1, 2006, at 3:57 AM, Rainer Duffner wrote:
DarkFoon wrote:
APPLIANCE! That's the word I was looking for! Thank you!
Yes, my client means what you said: an appliance, which is "plug, go to web interface, click, click, click and it works".
He has one of those (appliance) already, but like I said, it's some piece of crap. It can hardly do anything. I mean, I use m0n0wall (because I like using a CD-ROM instead of a hard disk) and it's got so many functions that I don't use. And pfSense has more, but my client could use some of them.
I didn't know that I could do pfSense on a WRAP. I thought pfSense needs a hard disk (for swap and such), and I thought WRAP uses CF (which swap will wear out quickly).
But the idea of a 1U rackmount unit is nice. I'll still look around for some commercial appliances that have the same features, but I'll try to push for pfSense with this renewed information.
IMO, the only thing that can match and exceed pfSense is a Juniper-
Netscreen Appliance.
(I think they can do Active-Active clustering for bridging, too).
But the bigger ones can be 10x as expensive as a similar machine
built with pfSense.
Multiply by 2 for an HA solution...
If you can afford it, go Netscreen.
If not, pfSense or raw OpenBSD ;-)
My question still stands, though: does anybody know of a commercial (linksys, d-link, and such) firewall/router appliance (that's so much faster to type) with the features my client wants?
thanks
http://www.juniper.net/products/integrated/
I see that Tyan now also makes appliance-barebones:
http://www.tyan.com/products/html/network.html
I'm not sure if the onboard crypto-accelerator really supports
FreeBSD - Cavium do mention FreeBSD on their website and it seems
that some boards of the series are actually supported.
Those would really make killer-appliances, but I haven't seen them
sold anywhere and the price tag is probably high.
cheers,
Rainer
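The router-on-a-stick model nb suggests, and his point that the "separate networks" only protect each other if the segments cannot talk at all, can be checked rather than assumed. The script below is an added example, not code from this thread or from pfSense: it models one dot1q trunk into the firewall with a vlan sub-interface per segment, evaluates a pf-style ruleset with pf's real semantics (last matching rule wins unless a matching rule is `quick`), lists every pair of segments that can still reach each other, and renders the isolating ruleset as a pf.conf fragment. It goes slightly beyond the thread by also showing the common mistake of a `block` without `quick` followed by a broad `pass`, which pf silently overrides. The trunk name `em0`, the subnets, the segment names and the FreeBSD `vlan<N>` cloned-interface naming are assumptions made for the example.

```python
"""Router-on-a-stick policy check: do the "separate networks" actually stay
separate?  Added example, not code from the thread or from pfSense.

Models one dot1q trunk into the firewall, one VLAN sub-interface per
segment, and pf-style rules deciding whether traffic from segment A may
reach segment B.  pf evaluates rules top to bottom; the LAST matching rule
wins, unless a matching rule is marked 'quick', which stops evaluation.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Segment:
    name: str    # macro prefix used in the rendered pf.conf
    vlan: int    # 802.1Q tag carried on the trunk
    subnet: str  # constructed sample addressing


@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "block"
    src: str             # segment name or "any"
    dst: str             # segment name, "wan" or "any"
    quick: bool = False  # pf 'quick': stop at this rule when it matches


def _matches(rule: Rule, src: str, dst: str) -> bool:
    return rule.src in ("any", src) and rule.dst in ("any", dst)


def decide(rules: List[Rule], src: str, dst: str) -> str:
    """Return "pass" or "block" for traffic src -> dst under pf semantics.
    pf's implicit default when nothing matches is pass."""
    verdict = "pass"
    for rule in rules:
        if _matches(rule, src, dst):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


def reachable_pairs(rules: List[Rule], segments: List[Segment]) -> List[Tuple[str, str]]:
    """Every ordered pair of segments that can still talk to each other.
    A non-empty result means the segmentation is in name only."""
    names = [s.name for s in segments]
    return sorted((a, b) for a in names for b in names
                  if a != b and decide(rules, a, b) == "pass")


def isolation_rules(segments: List[Segment]) -> List[Rule]:
    """Block every segment-to-segment path first ('quick', so a later pass
    cannot override it), then let each segment out towards the WAN."""
    rules = [Rule("block", a.name, b.name, quick=True)
             for a in segments for b in segments if a is not b]
    rules += [Rule("pass", s.name, "any", quick=True) for s in segments]
    return rules


def render_pf(rules: List[Rule], segments: List[Segment], trunk: str = "em0") -> str:
    """Render the ruleset as a pf.conf fragment.  Interface names assume
    FreeBSD's vlan<N> cloned interfaces on top of the trunk NIC (assumption)."""
    out = [f"# dot1q trunk is {trunk}; e.g. ifconfig vlan10 create vlan 10 vlandev {trunk}"]
    for s in segments:
        out.append(f'{s.name}_if = "vlan{s.vlan}"')
        out.append(f'{s.name}_net = "{s.subnet}"')
    for r in rules:
        quick = " quick" if r.quick else ""
        on_if = "" if r.src == "any" else f" on ${r.src}_if"
        src = "any" if r.src == "any" else f"${r.src}_net"
        dst = "any" if r.dst in ("any", "wan") else f"${r.dst}_net"
        out.append(f"{r.action} in{quick}{on_if} from {src} to {dst}")
    return "\n".join(out)


# Constructed sample: three client segments on one trunk.
SEGMENTS = [Segment("office", 10, "10.10.0.0/24"),
            Segment("lab", 20, "10.20.0.0/24"),
            Segment("guest", 30, "10.30.0.0/24")]

# What "separate networks" looks like when only VLANs are added: all talk.
LEAKY = [Rule("pass", "any", "any")]

# Common mistake: block without 'quick', then a broad pass afterwards.
# Last match wins, so the pass overrides the block.
OVERRIDDEN = [Rule("block", "office", "lab"), Rule("pass", "any", "any")]

HARDENED = isolation_rules(SEGMENTS)

if __name__ == "__main__":
    print("leaky     :", reachable_pairs(LEAKY, SEGMENTS))
    print("overridden:", reachable_pairs(OVERRIDDEN, SEGMENTS))
    print("hardened  :", reachable_pairs(HARDENED, SEGMENTS))
    print(render_pf(HARDENED, SEGMENTS))
```

With only VLANs and a permissive policy, all six ordered pairs are reachable and the only thing gained is a broadcast domain per segment, exactly nb's objection. The `OVERRIDDEN` set shows why the inter-segment blocks are rendered with `quick`: without it, the later `pass ... to any` is the last match and wins. The hardened set reports no reachable pairs while each segment can still reach the WAN.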