Re: [pfSense-discussion] Clients... ugh
Wow, that's quite a bit. Thanks for the comprehensive reply. Indeed I will take a look at those books that you recommended. The problem is that I'm a college student living on financial aid, so I don't really have money to buy it, but I will try to find it in the library.

I talked to my client again today, and told him that pfSense would be the best bet. I did actually look at a commercial solution (more than one, really), some thing from D-link, and I told him the price: $6999. He proposed that he just buy 4 firewall/routers (like the little netgear things) and hook them up. He claimed it would be cheaper for him because, at about $50 a piece, it would only set him back $200. I guess he figured that an integrated box (like a WRAP or one of the more powerful ones, most likely) would cost more than that. I haven't verified, so don't hold me to supporting that. Like I said before, it sounds simple, inelegant, and wasteful.

As for preventing viruses from spreading by separating everything.

> The problems don't arise from the things you block, but from what you
> let through.

Indeed, truer words have not been spoken. I think, though, what he is more worried about is damage control. Like compartmentalizing a ship, if one part floods, they can close off that section to keep the whole boat from sinking. So if his kids accidentally get a worm (they're only about 3 years younger than me, and very computer literate) it doesn't ruin his business. Besides, email is more of a threat on the business side, than the kids' side. Though, I guess VLANs would be affected by the high levels of traffic.

Well, anyways. Thanks very much for your help. I think I'll try to read those books before I continue on this. I've plenty of other things to work on that I am better at for the time-being. His firewall solution for now does its job.
Anthony

- Original Message -
From: "Rainer Duffner" <[EMAIL PROTECTED]>
Sent: Wednesday, February 01, 2006 4:03 PM
Subject: Re: [pfSense-discussion] Clients... ugh
Re: [pfSense-discussion] Clients... ugh
DarkFoon wrote:

> Hmm. You have talked a little over my head... (I do not know what dot1q
> trunking is, and I have a vague memory of what layer 2 is... *eep*)
> Anyways
>
>> an individual broadcast domain per segment. Maybe
>> that is what he wants and/or I'm overlooking something.
>
> I don't think my client would know what that means. (I only have a vague
> understanding)
> Networking isn't my strongest point. So, I'm learning a whole lot right now.

That process never stops in this business.

> From what I've looked at, it would seem that a pfSense box best suits my
> client. I haven't looked at prices for the commercial solutions, but it
> would appear that even some of the lower-end ones lack some features I need,
> and are rather pricey.

If firewalls with VLAN-capabilities could be had at WalMart, Netscreen
wouldn't charge the equivalent of a small house for their top-end gear.
You will also find it next to impossible to find an online-pricelist
for, say, Checkpoint's Firewall One.
(It's also doubtful you would be able to grasp its complexity, I'm told...)

> But I'd like to understand one thing first, on the firewall page under
> pfSense, can I assign different rules for each interface?

Yep.
Even the most humble
"Joey-designed-a-linux-firewall-gui"-freshmeat-of-the-week project can
do this ;-)
You should check out freshmeat - there must be hundreds of mostly
one-shot attempts at creating a GUI for the Linux-firewalling-commands
(which change every release) and none of them can match or even come
close to pfSense.

> See, allow me to explain why my client wants the separate ports. His office
> network will soon have a domain server with the roaming profiles
> bells-and-whistles and he wants that to not affect any other computers on
> the network (I don't think it will). But more importantly, he wants his
> business network separate from his kids' network (that's my nickname for it)
> in case one of them contracts the Windows XP "Worm of the Week" and it
> starts spewing infected packets all over the network (like Sasser, if I
> understood that one correctly) and infects/crashes his business portion. At
> least the last part makes sense to me. (I personally use Windows ME, so I
> avoid all those things by obscurity.)

Good idea - pfSense can do that easily.
But you need a switch that can do VLANs, too.
(Nowadays, even the cheap Netgears can do it, you don't have to buy an
expensive "core"-switch for that anymore.)
But firewalls don't protect from stupid users. Or only to a degree.
If a worm is well spread within a network, it can quickly overwhelm the
firewall by creating hundreds of thousands of connections to the internet.
SQL-Slammer even brought down switches and whole ISPs.
Also, if the worm spreads via email (which you are probably going to let
through), the firewall is not going to help much.
The problems don't arise from the things you block, but from what you
let through.

> And one final curious tangent, does pfSense support tar pits? That idea has
> intrigued me since I first heard about it. Last time I checked, though, the
> maintainers said that somebody was free to write a plugin for it. I have no
> programming knowledge (yet).

You can limit connections per second.
But IMO, this function is best left to a real mailserver.

> For clarification I'll explain basically what my client's network topography
> will look like (or what he wants it to look like)
>
>                                      ___OFFICE NETWORK
>                                     |
> WAN -->(modem)--->(firewall/router)=|___(Forum Webserver/VPN login server)*
>                                     |
>                                     |___KIDS NETWORK
>
> * perhaps I should separate these two things onto their own machines and
> own separate interfaces.

See, I'd really advise you to read some books on the subject of
firewall-design.
Like the one from O'Reilly:
http://www.oreilly.com/catalog/fire2
(other books from http://security.oreilly.com/ are also useful)
The wikipedia-page on this subject:
http://en.wikipedia.org/wiki/Firewall_%28networking%29
is really only a glimpse at the situation.

> Each fork I've shown (I bet that diagram doesn't even show up properly on
> anyone's email client but mine) should be "separate" from the others to
> prevent a virus/worm spreading from one to another (or a hacker? as my
> client fears). It sounds like I'd have to separate them by using vlans.

Yes.
But then, the transfer-speed between the segments is limited by the
firewall-backplane-speed.
If you've got a WRAP, it's 20 Mbit.
If it's a full-blown PC, it's between 100Mbits and GBit.

> The only way I could think of doing it physically is by using a firewall
> for each fork, and having one plain router splitting the connection amongst
> them (this sounds cumbersome, stupid, and spendy)

Yup.
Or a firewall with many interfaces.
Re: [pfSense-discussion] Clients... ugh
Hmm. You have talked a little over my head... (I do not know what dot1q trunking is, and I have a vague memory of what layer 2 is... *eep*) Anyways

> an individual broadcast domain per segment. Maybe
> that is what he wants and/or I'm overlooking something.

I don't think my client would know what that means. (I only have a vague understanding) Networking isn't my strongest point. So, I'm learning a whole lot right now.

From what I've looked at, it would seem that a pfSense box best suits my client. I haven't looked at prices for the commercial solutions, but it would appear that even some of the lower-end ones lack some features I need, and are rather pricey.

But I'd like to understand one thing first, on the firewall page under pfSense, can I assign different rules for each interface? And (although this seems impossible or pointless) can I set the DHCP server to use different IP ranges for each interface? (for example: LAN would use 192.168.1.xxx and another interface (LAN2?) would use 192.168.10.xxx) I suppose maybe that's what vlans can do for me... (I have no idea about those either).

See, allow me to explain why my client wants the separate ports. His office network will soon have a domain server with the roaming profiles bells-and-whistles and he wants that to not affect any other computers on the network (I don't think it will). But more importantly, he wants his business network separate from his kids' network (that's my nickname for it) in case one of them contracts the Windows XP "Worm of the Week" and it starts spewing infected packets all over the network (like Sasser, if I understood that one correctly) and infects/crashes his business portion. At least the last part makes sense to me. (I personally use Windows ME, so I avoid all those things by obscurity.)

And one final curious tangent, does pfSense support tar pits? That idea has intrigued me since I first heard about it. Last time I checked, though, the maintainers said that somebody was free to write a plugin for it. I have no programming knowledge (yet).

For clarification I'll explain basically what my client's network topography will look like (or what he wants it to look like)

                                     ___OFFICE NETWORK
                                    |
WAN -->(modem)--->(firewall/router)=|___(Forum Webserver/VPN login server)*
                                    |
                                    |___KIDS NETWORK

* perhaps I should separate these two things onto their own machines and own separate interfaces.

Each fork I've shown (I bet that diagram doesn't even show up properly on anyone's email client but mine) should be "separate" from the others to prevent a virus/worm spreading from one to another (or a hacker? as my client fears). It sounds like I'd have to separate them by using vlans. The only way I could think of doing it physically is by using a firewall for each fork, and having one plain router splitting the connection amongst them (this sounds cumbersome, stupid, and spendy)

One last thing, do the barebones appliances have gigabit ethernet? Or is that feature usually rare?

Anthony

- Original Message -
From: "Nick Buraglio" <[EMAIL PROTECTED]>
Sent: Wednesday, February 01, 2006 12:43 PM
Subject: Re: [pfSense-discussion] Clients... ugh
Re: [pfSense-discussion] Clients... ugh
The netscreens are not too bad, I have experience with the ns5400's and the little ns5gt. They have a decent gui but the cli is a little unintuitive until you get used to it. They start getting pretty pricey when you start adding interfaces too. As a different approach you could always use vlans to separate your networks. pfSense supports vlans (and I assume dot1q trunking) although I have no experience using it with pfsense. The ns5400 series stuff supports dot1q for sure as I've worked fairly extensively with that function of them (anything larger than a ns500 is probably overkill for what you're looking to do). I'm not sure of the vlan support on the lower range netscreens.

I'd suggest a wrap + pfsense unless you need lots of crypto throughput. My experience is that a little soekris + crypto card with pfsense can really only handle limited rules + ipsec. Once I started adding more than 1 tunnel performance got pretty poor. I believe this was a limitation of the hardware, not the software. On a higher end PC the same config ran *much* better. Really any box that supports dot1q trunking would work for a router on a stick model (assuming your layer 2 hardware also supports it) which would negate your need for a bunch of interfaces and give your client his "separate networks" he thinks he needs.

Does this client really need that option? If the hosts on these separate "ports" can talk to each other at all then his theory of protecting the other hosts if one gets compromised is pretty much debunked. Unless each port / network is configured to have very restrictive rules and can't talk to the others at all then all you're really gaining is an individual broadcast domain per segment. Maybe that is what he wants and/or I'm overlooking something.

nb

On Feb 1, 2006, at 3:57 AM, Rainer Duffner wrote:
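The ruleset below is an added example, not from the thread and not pfSense's own generated rules: a hand-written pf.conf for the design Nick and Rainer describe, with the three segments from Anthony's diagram carried as 802.1Q VLANs on a single trunk port ("router on a stick"), default deny on every interface, and an explicit block on all traffic between segments so that a Sasser-style worm on the kids' side cannot reach TCP 445 on an office PC. It also shows the two things Rainer mentioned for what you *do* let through: pf's per-source connection-rate limit standing in for Anthony's "tar pit", and restricting outbound SMTP to one relay. Everything concrete is an assumption chosen for the example: em0 as WAN and em1 as the trunk, VLAN IDs 10/20/30, the 192.168.1.0/24, 192.168.2.0/24 and 192.168.10.0/24 ranges (following Anthony's own LAN/LAN2 numbering), a forum/VPN host at 192.168.2.10 listening on TCP 80/443 and UDP 1194 (assumed OpenVPN), and an office mail relay at 192.168.1.5.

```pf
# Added example, not from the thread or from pfSense: a hand-written pf.conf
# for the three segments in Anthony's diagram, carried as 802.1Q VLANs on a
# single trunk port. Interface names, VLAN IDs and every address are assumed.
#
# Assumed FreeBSD interface setup (rc.conf), one VLAN child per segment:
#   cloned_interfaces="vlan10 vlan20 vlan30"
#   ifconfig_vlan10="inet 192.168.1.1/24 vlan 10 vlandev em1"    # office
#   ifconfig_vlan20="inet 192.168.2.1/24 vlan 20 vlandev em1"    # DMZ (forum/VPN host)
#   ifconfig_vlan30="inet 192.168.10.1/24 vlan 30 vlandev em1"   # kids
# Each child interface gets its own DHCP scope; pfSense configures that per interface.

wan    = "em0"
office = "vlan10"
dmz    = "vlan20"
kids   = "vlan30"

office_net = "192.168.1.0/24"
dmz_net    = "192.168.2.0/24"
kids_net   = "192.168.10.0/24"
web_vpn    = "192.168.2.10"    # forum webserver / VPN login server (assumed address)
mail_relay = "192.168.1.5"     # the one office host allowed to send mail (assumed)
vpn_port   = "1194"            # assumed OpenVPN over UDP

# Sources that open new connections too fast land here and are cut off.
table <worm_suspects> persist

set block-policy drop
set skip on lo0
scrub in all

# Hide all three segments behind the WAN address; publish only the DMZ services.
nat on $wan from { $office_net, $dmz_net, $kids_net } to any -> ($wan)
rdr on $wan proto tcp from any to ($wan) port { 80, 443 } -> $web_vpn
rdr on $wan proto udp from any to ($wan) port $vpn_port  -> $web_vpn

# Default deny on every interface, both directions; every pass below is explicit.
block log all
antispoof quick for { $office, $dmz, $kids }
block in quick from <worm_suspects>

# The firewall's own services per segment: DHCP everywhere, DNS for the kids,
# and nothing else from the kids' side (no webGUI access).
pass in quick on { $office, $dmz, $kids } proto udp from any port 68 to any port 67
pass in quick on $kids proto { tcp, udp } from $kids_net to ($kids) port 53 keep state
block in quick on $kids from any to self

# Segment isolation: the whole reason for splitting the network. "quick" ends
# evaluation on match, so no later pass rule can re-open these paths. The one
# exception is office browsers reaching the forum server.
pass in quick on $office proto tcp from $office_net to $web_vpn port { 80, 443 } flags S/SA keep state
block in log quick on $office from any to { $dmz_net, $kids_net }
block in log quick on $kids   from any to { $office_net, $dmz_net }
block in log quick on $dmz    from any to { $office_net, $kids_net }

# Office: open outbound, except SMTP is restricted to the relay so an infected
# desktop cannot spray mail at the internet.
pass in quick on $office proto tcp from $mail_relay to any port 25 keep state
block in log quick on $office proto tcp from $office_net to any port 25
pass in on $office from $office_net to any keep state

# Kids: web and DNS only, with a per-source rate limit as the "tar pit": more
# than 30 new TCP connections in 10 seconds from one host puts it in the table
# and flushes its existing states.
pass in on $kids proto tcp from $kids_net to any port { 80, 443 } flags S/SA \
    keep state (max-src-conn-rate 30/10, overload <worm_suspects> flush global)
pass in on $kids proto udp from $kids_net to any port 53 keep state
pass in on $kids proto icmp from $kids_net to any keep state

# DMZ host: answers the published services and may look up DNS/NTP; it cannot
# start connections into the LAN segments (blocked above).
pass in on $wan proto tcp from any to $web_vpn port { 80, 443 } flags S/SA keep state
pass in on $wan proto udp from any to $web_vpn port $vpn_port keep state
pass in on $dmz proto { tcp, udp } from $web_vpn to any port { 53, 123 } keep state

# Traffic the firewall itself originates, and replies it sends on the LAN side.
pass out on $wan keep state
pass out on { $office, $dmz, $kids } keep state
```

On plain FreeBSD this goes in /etc/pf.conf; `pfctl -nf /etc/pf.conf` parses it without loading, `pfctl -f /etc/pf.conf` loads it, and `pfctl -sr` prints the expanded rules so you can see the braces unrolled. Three caveats a practitioner would check: the switch port facing em1 must carry VLANs 10, 20 and 30 tagged and the kids' ports must be untagged members of VLAN 30 only, otherwise the isolation exists only on paper; pfSense's GUI rules are evaluated first-match, top down, because it generates them with `quick`, so the ordering above (pass-then-block within a segment) is what you reproduce in the GUI; and, as Rainer notes, every office-to-DMZ byte now crosses the firewall, so inter-segment throughput is bounded by the box rather than by the switch.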
Re: [pfSense-discussion] Clients... ugh
DarkFoon wrote:

> APPLIANCE! That's the word I was looking for! Thank you!
> Yes, my client means what you said:
>
>> an appliance, which is "plug, go to web interface, click, click,
>> click and it works".
>
> He has one of those (appliance) already, but like I said, it's some piece of
> crap. It can't do hardly anything. I mean, I use m0n0wall (because I like
> using a CD-ROM instead of a harddisk) and it's got so many functions that I
> don't use. And pfSense has more, but my client could use some of them.
> I didn't know that I could do pfSense on a WRAP. I thought pfSense needs a
> harddisk (for swap and such), and I thought WRAP uses CF (which swap will
> wear out quickly). But the idea of a 1u rackmount unit is nice. I'll still
> look around for some commercial appliances that have the same features, but
> I'll try to push for pfSense with this renewed information.

IMO, the only thing that can match and exceed pfSense is a
Juniper-Netscreen Appliance.
(I think they can do Active-Active clustering for bridging, too).
But the bigger ones can be 10x as expensive as a similar machine built
with pfSense.
Multiply by 2 for a HA-solution...
If you can afford it, go Netscreen. If not, pfSense or raw OpenBSD ;-)

> My question still stands, though: does anybody know of a commercial
> (linksys, d-link, and such) firewall/router appliance (that's so much
> faster to type) with the features my client wants?
> thanks

http://www.juniper.net/products/integrated/

I see that Tyan now also makes appliance-barebones:
http://www.tyan.com/products/html/network.html
I'm not sure if the onboard crypto-accelerator really supports FreeBSD -
Cavium do mention FreeBSD on their website and it seems that some boards
of the series are actually supported.
Those would really make killer-appliances, but I haven't seen them sold
anywhere and the price tag is probably high.

cheers,
Rainer
Re: [pfSense-discussion] Clients... ugh
oops: you can access the bios at the front com port, not usb. sorry for confusion ;-)

> -----Original Message-----
> From: Holger Bauer
> Sent: Wednesday, 1 February 2006 08:24
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] Clients... ugh
Re: [pfSense-discussion] Clients... ugh
Take a look at the Hardware links at http://pfsense.com/index.php?id=33 . I personally have made good experiences with the nexcom 1041c and have already deployed systems in production with pfSense. The nexcom offers an onboard cf-slot to boot from and you even can access the bios at the front usb and it comes in a shortneck 1U 19" rackmountable case with front networkports. You get the nexcoms ranging from celeron 650 up to dual xeon and with up to 12 interfaces. Gigabit nics are available for them as well.

Btw, you might wonder what is inside of most "hardware appliances" once you open them. A nice story about a watchguard firebox2 for example can be found here: http://www.ls-net.com/m0n0wall-watchguard/

Holger

> -----Original Message-----
> From: Dmitry Sorokin [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 1 February 2006 07:40
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] Clients... ugh
Re: [pfSense-discussion] Clients... ugh
APPLIANCE! That's the word I was looking for! Thank you!

Yes, my client means what you said:

> an appliance, which is "plug, go to web interface, click, click,
> click and it works".

He has one of those (appliance) already, but like I said, it's some piece of crap. It can't do hardly anything. I mean, I use m0n0wall (because I like using a CD-ROM instead of a harddisk) and it's got so many functions that I don't use. And pfSense has more, but my client could use some of them.

I didn't know that I could do pfSense on a WRAP. I thought pfSense needs a harddisk (for swap and such), and I thought WRAP uses CF (which swap will wear out quickly). But the idea of a 1u rackmount unit is nice. I'll still look around for some commercial appliances that have the same features, but I'll try to push for pfSense with this renewed information.

My question still stands, though: does anybody know of a commercial (linksys, d-link, and such) firewall/router appliance (that's so much faster to type) with the features my client wants?

thanks

Anthony Rossi

- Original Message -
From: "Dmitry Sorokin" <[EMAIL PROTECTED]>
Sent: Tuesday, January 31, 2006 10:39 PM
Subject: Re: [pfSense-discussion] Clients... ugh
Re: [pfSense-discussion] Clients... ugh
Quoting DarkFoon <[EMAIL PROTECTED]>:

> and Secondly, does anybody know of any "hardware" firewall/routers (man, I'm
> tired of typing that) that have the above features?
>
> I'm not trying to snub pfSense; I'd love to use it, but I can't convince him
> (well, possibly, but he wants me to first look for a "hardware" solution) I
> am asking here first because I have been watching the mailing list for
> several months now, and I trust the opinions and information of (most) of the
> people here. ;)

I think your client means "not regular pc/linux or unix/command line solution", but rather an appliance, which is "plug, go to web interface, click, click, click and it works". Also from a technical point there should be no hard disk drive (no file system that can become inconsistent in case of crash or power failure), no peripherals (monitor, keyboard, mouse(?)).

Then pfSense/m0n0wall + WRAP platform is your choice.
look at http://www.m0n0.ch/wall/gallery.php
your firewall can be an i386 compatible 1u or 2u 19" rack mountable server, or as small as the smallest linksys or D-link or netgear box with no moving parts.

Hope that helps,
Dmitry
[pfSense-discussion] Clients... ugh
I've got a client who has asked me (among other things) to make him a router/firewall. Currently he has a "hardware" firewall/router but I told him that it doesn't support the features he wants. I attempted to persuade him to use pfSense, but he would rather have a "hardware" (meaning linksys, netgear, etc.) firewall/router because he thinks they're more secure.

The main features he wants are:

-> "isolated ports". He wants each port on the LAN to be separate from the others, but all with the same features for each (so each has its own firewall settings, each has its own DHCP, and so on). Basically, he thinks that with this, if a "hacker" breaks into the network of one port, he doesn't have access to computers on the other ports on the firewall/router. (I am not so certain that this is possible; please, prove me wrong)

-> VPN. He wants franchisees to be able to login over a secure (encrypted) link and access a special place where they can put sensitive information.

-> DMZ (but that's pretty much standard)

I figure pfSense would be able to do all these, but, like I said, he wants me to look for "hardware" firewall/routers.

First, can anybody explain the difference (if any) between a computer running pfSense, and a "hardware" router/firewall? (I didn't think there was one, except for the ROM chip containing the firewall/router OS)

and Secondly, does anybody know of any "hardware" firewall/routers (man, I'm tired of typing that) that have the above features?

I'm not trying to snub pfSense; I'd love to use it, but I can't convince him (well, possibly, but he wants me to first look for a "hardware" solution) I am asking here first because I have been watching the mailing list for several months now, and I trust the opinions and information of (most) of the people here. ;)

Thanks for your help/time.

Anthony Rossi