Hmm. You have talked a little over my head...  (I do not know what dot1q
trunking is, and I have a vague memory of what layer 2 is... *eep*)
Anyways
> an individual broadcast domain per segment.   Maybe
> that is what he wants and/or I'm overlooking something.
I don't think my client would know what that means. (I only have a vague
understanding)
Networking isn't my strongest point. So, I'm learning a whole lot right now.

From what I've looked at, it would seem that a pfSense box best suits my
client. I haven't looked at prices for the commercial solutions, but it
would appear that even some of the lower-end ones lack some features I need,
and are rather pricey.

But I'd like to understand one thing first: on the firewall page under
pfSense, can I assign different rules for each interface?  And (although
this seems impossible or pointless) can I set the DHCP server to use
different IP ranges for each interface? (for example: LAN would use
192.168.1.xxx and another interface (LAN2?) would use 192.168.10.xxx) I
suppose maybe that's what vlans can do for me... (I have no idea about those
either).

See, allow me to explain why my client wants the separate ports.  His office
network will soon have a domain server with the roaming profiles
bells-and-whistles and he wants that to not affect any other computers on
the network (I don't think it will). But more importantly, he wants his
business network separate from his kids' network (that's my nickname for it)
in case one of them contracts the Windows XP "Worm of the Week" and it
starts spewing infected packets all over the network (like Sasser, if I
understood that one correctly) and infects/crashes his business portion. At
least the last part makes sense to me. (I personally use Windows ME, so I
avoid all those things by obscurity.)

And one final curious tangent, does pfSense support tar pits? That idea has
intrigued me since I first heard about it. Last time I checked, though, the
maintainers said that somebody was free to write a plugin for it. I have no
programming knowledge (yet).

For clarification I'll explain basically what my client's network
topography will look like (or what he wants it to look like):


                                    ___OFFICE NETWORK
                                    |
WAN -->(modem)--->(firewall/router)=|___(Forum Webserver/VPN login server)*
                                    |
                                    |___KIDS NETWORK

* perhaps I should separate these two things onto their own machines and own
separate interfaces.

Each fork I've shown (I bet that diagram doesn't even show up properly on
anyone's email client but mine) should be "separate" from the others to
prevent a virus/worm spreading from one to another (or a hacker? as my
client fears). It sounds like I'd have to separate them by using vlans. The
only way I could think of doing it physically is by using a firewall for
each fork, and having one plain router splitting the connection amongst
them (this sounds cumbersome, stupid, and spendy).

One last thing, do the barebones appliances have gigabit ethernet? Or is
that feature usually rare?

Anthony
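
To make Nick's condition concrete (separate segments only help if the firewall also refuses segment-to-segment traffic) and to show what "different rules for each interface" looks like in practice, here is an added illustration that is not from anyone in the thread and not configuration generated by pfSense: a hand-written FreeBSD pf ruleset for the three-legged layout in the diagram. Interface names, the 192.168.20.0/24 server segment and the web server address are assumptions; per-segment DHCP scopes are a DHCP server matter and are not shown.

```pf
# Added illustration, not from anyone in the thread: FreeBSD pf rules for the
# three-segment layout in the diagram. Interface names, the server segment
# (192.168.20.0/24) and the web server address are assumed.
ext_if    = "sis0"   # WAN side, behind the modem
office_if = "sis1"   # office network, 192.168.1.x (the "LAN" in the question)
kids_if   = "sis2"   # kids' network, 192.168.10.x (the "LAN2")
srv_if    = "sis3"   # forum web server / VPN login server segment
int_ifs   = "{" $office_if $kids_if $srv_if "}"

office_net = "192.168.1.0/24"
kids_net   = "192.168.10.0/24"
srv_net    = "192.168.20.0/24"   # assumed
webserver  = "192.168.20.10"     # assumed

set skip on lo0
scrub in all

# Every segment is masqueraded behind the WAN address; only the forum web
# server is published to the outside.
nat on $ext_if from { $office_net $kids_net $srv_net } to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $webserver

# Default deny on every interface, logged so that a noisy host shows up.
block log all

# The one deliberate cross-segment path: office hosts may read the forum.
# "quick" means the first matching rule wins, so it must precede the blocks.
pass in quick on $office_if proto tcp from $office_net to $webserver port 80 \
    flags S/SA keep state

# Nick's condition made explicit: segments may not talk to each other at all.
# A worm on the kids' side is stopped here, before any "pass" rule is seen.
block in quick log on $office_if from $office_net to { $kids_net $srv_net }
block in quick log on $kids_if   from $kids_net   to { $office_net $srv_net }
block in quick log on $srv_if    from $srv_net    to { $office_net $kids_net }

# What remains from a segment is Internet-bound (or DHCP/DNS to the firewall
# itself; "from any" also admits DHCP requests sourced from 0.0.0.0).
pass in  on $int_ifs from any to any keep state
pass out on $int_ifs keep state       # the firewall's own DHCP/DNS answers
pass out on $ext_if  keep state

# Inbound to the published web server (destination already rewritten by rdr).
pass in on $ext_if proto tcp from any to $webserver port 80 flags S/SA keep state
```

The logged blocks are the detection hook: a host on one segment repeatedly hitting the cross-segment block rules is exactly the "worm of the week" symptom the client is worried about.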


----- Original Message ----- 
From: "Nick Buraglio" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Wednesday, February 01, 2006 12:43 PM
Subject: Re: [pfSense-discussion] Clients... ugh


> The netscreens are not too bad, I have experience with the ns5400's
> and the little ns5gt.  They have a decent gui but the cli is a little
> unintuitive until you get used to it.   They start getting pretty
> pricey when you start adding interfaces too.  As a different approach
> you could always use vlans to separate your networks.   pfSense
> supports vlans (and I assume dot1q trunking) although I have no
> experience using it with pfsense.  The ns5400 series stuff supports
> dot1q for sure as I've worked fairly extensively with that function
> of them (anything larger than a ns500 is probably overkill for what
> you're looking to do).  Im not sure of the vlan support on the lower
> range netscreens.   I'd suggest a wrap + pfsense unless you need lots
> of crypto throughput.  My experience is that a  little soekris +
> crypto card with pfsense can really only handle limited rules +
> ipsec.  Once I started adding more than 1 tunnel performance got
> pretty poor.  I believe this was a limitation of the hardware, not
> the software.  On a higher end PC the same config ran *much*
> better.    Really any box that supports dot1q trunking would work for
> a router on a stick model (assuming your layer 2 hardware also
> supports it) which would negate your need for a bunch of interfaces
> and give your client his "separate networks" he thinks he needs.
> Does this client really need that option?  If the hosts on these
> separate "ports" can talk to each other at all then his theory of
> protecting the other hosts if one gets compromised is pretty much
> debunked.   Unless each port / network is configured to have very
> restrictive rules and can't talk to the others at all then all you're
> really gaining is an individual broadcast domain per segment.   Maybe
> that is what he wants and/or I'm overlooking something.
>
> nb
>
>
>
>
> On Feb 1, 2006, at 3:57 AM, Rainer Duffner wrote:
>
> > DarkFoon wrote:
> >
> >> APPLIANCE! That's the word I was looking for! Thank you!
> >>
> >> Yes, my client means what you said:
> >>
> >>> an appliance, which is "plug, go to web interface, click, click,
> >>> click and it works".
> >>>
> >> He has one of those (appliance) already, but like I said, it's some
> >> piece of crap. It can't do hardly anything. I mean, I use m0n0wall
> >> (because I like using a CD-ROM instead of a hard disk) and it's got so
> >> many functions that I don't use. And pfSense has more, but my client
> >> could use some of them.
> >>
> >> I didn't know that I could do pfSense on a WRAP. I thought pfSense
> >> needs a hard disk (for swap and such), and I thought WRAP uses CF
> >> (which swap will wear out quickly).
> >> But the idea of a 1u rackmount unit is nice. I'll still look around
> >> for some commercial appliances that have the same features, but I'll
> >> try to push for pfSense with this renewed information.
> >>
> >
> >
> > IMO, the only thing that can match and exceed pfSense is a
> > Juniper-Netscreen Appliance.
> > (I think they can do Active-Active clustering for bridging, too).
> > But the bigger ones can be 10x as expensive as a similar machine
> > built with pfSense.
> > Multiply by 2 for an HA solution...
> > If you can afford it, go Netscreen.
> > If not, pfSense or raw OpenBSD ;-)
> >
> >> My question still stands, though: does anybody know of a commercial
> >> (linksys, d-link, and such) firewall/router appliance (that's so much
> >> faster to type) with the features my client wants?
> >> thanks
> >>
> >
> > http://www.juniper.net/products/integrated/
> >
> > I see that Tyan now also makes appliance-barebones:
> > http://www.tyan.com/products/html/network.html
> >
> > I'm not sure if the onboard crypto-accelerator really supports
> > FreeBSD - Cavium do mention FreeBSD on their website and it seems
> > that some boards of the series are actually supported.
> >
> > Those would really make killer appliances, but I haven't seen them
> > sold anywhere and the price tag is probably high.
> >
> >
> >
> >
> > cheers,
> > Rainer
> >
> >
> >
>
>
>