Professional VPN Router
At work, our data center is currently using a $120 Netgear router that automatically handles IPsec VPN tunnles and port forwarding for specific IP addresses. We were given a SonicWall Pro 1260 with the hardware we're using, but it never worked. The Netgear was something we had picked up for $20 on Ebay and was just sitting around, but now it's dying.
I was wondering if anyone has any experience with distributions for Router/VPN/Firewall/Network Security devices, and could make a recommendation for us to build our own. So far, M0n0wall looks good, but I don't have much experience/training in network security (or BSD). I'd like something I can configure from a web interface, and supports VIA's PadLock hardware. It would also be rather sweet if I could have it replace our FTP server, which has FTP and SFTP servers, downloads data from remote FTP servers, and insures that this data gets moved to the right servers on our system.
Free is always a big help, since our company currently isn't making a lot of money. I'm looking to build a rackmount system w/ VIA C3/C7/Nano for under $500 (hoping to hit <=$300), but whatever we get needs to have good power for rapid business growth. We haven't committed to anything, so we're open to any suggestions.
I have fairly good success with untangle. It does require a lot more resources than M0n0wall, but the web interface is fairly nice and it simply does a lot of things for you.
I am using an older P4 3.0ghz system with 2gb of ram that was laying around. It seems to work well, but our traffic is starting to increase and I am probably going to build something with gigabyte ethernet.
They also have paid support and add-ons which I haven't used.
Untangle might be a better route to go, since I have loads of Linux experience and no BSD experience (not that they're very different). It looks like untangle can handle our VPN needs, but I'd have to actually try anything first, since I'm not very knowledgeable about VPN's. The spam blocking might come in handy as well.
What kind of connection speed and features does your P4 3.0GHz system with 2GB of RAM support?
The place where this is used doesn't have a very good infrastructure so it is hard to say whether untangle is causing any speed limitations. There is also not a whole lot of traffic from this office and only about ten employees (three who connect constantly by VPN).
Here are the average stats for last week:
Per second 29.651 KBytes/sec
Per day 2.452 GBytes/day
I started using it because I needed an easy to configure VPN. I tend to use Spam blocking and the web filter quite a bit.
Cons: I am not a big fan of the networking setup, it has gotten better but there is still too much clicking.
Also the interface was in java and they just moved to ajax, I think the ajax setup will be better but currently it is a bit clumsy.
Smoothwall is great. I've been using it for years and it should do most if not all of what you need.
Plus a great web interface to help setup things.
The FTP sorting, really should be done by another server, not a router. Unless you are talking about port forwarding, then they all do that.
You could very easily just buy an Acer Veriton Core 2 Duo system (I'd put in at least 2gb, though that much is probably not really needed) http://www.cdw.com/shop/products/def...px?EDC=1581393
Less than $500 easy... and that would be way more than enough processing power for a large network... let alone a mid-size or small. I'm just using that one as an example, VIA chips/boards seem to be more expensive pound for pound and something like a Core 2 Duo or Athlon X2 really would be cheaper and faster.
But either way, I highly recommend SMOOTHWALL. www.smoothwall.org
There are a couple of problems with that computer:
Originally Posted by clickwir
1) It only has 1 ethernet port (not hard to fix)
2) It's not rackmountable. I'm looking for something that will go in a computer rack, take up 1u maby 2u and to be rather short.
We've been able to put off the purchase of new router hardware for now, but there's a good chance we will have some very massive growth in the next 6 months. At that point, we won't have a lot of time for anybody to evaluate such things.
If you look at encryption benchmarks, I'm pretty sure the VIA chips will beat out the others, until they get some hardware acceleration (coming soon). I would think that outside of encryption, pretty much any x86 CPU in production would be plenty fast.
I'm also aware that puting FTP and SFTP on another server instead of the router would generally be better, but ours isn't hit all that hard. We're getting about 75GB/month of data, much of it clumped together, and I'm guessing about a third to half is data that we have to pull from other FTP servers. Once we get the data, we move it to other servers, and no one ever accesses it again through FTP.
It seems silly to have a second machine with the proliferation of computing power in a single system, and the simplicity of handling FTP. Although there is a rackmount case that accepts two mini-itx boards, which would be rather cool to have, and virtual machines might be an option for some of this. We have to rent the space, and I don't want our rack to fill up with idle servers.
Not sure if the issue is still current, but we use a Picosys 2101 (VIA Eden V4 1 GHz, 512 MB RAM, 80 GB HDD). It is fanless and has 6 Ethernet ports.
Our Picosys 2101 runs Shorewall, which is not point-and-click but very powerful and flexible. The VIA crypto acceleration is really nice, IPSec works at close to wire speed.
We've been able to move our web server to a fairly high-end router/firewall/vpn device we were given where the vpn portion doesn't work at all. We get a few more working features than a simple home firewall/router, but that's all we need at the moment. I'm not quite sure of the current capacity, but I'm expecting to outgrow it in the next 6-12 months. I've been able to go from frantically searching for a solution to collecting ideas.
The Picosys 2101 is very close to what I'm wanting. The only improvements I could ask for is rackmount and possibly a Nano-based processor. Neither are deal breakers, since we already have devices with similar form factors and room for more.
I'm glad to hear about the VIA Eden speed. Is that one of the C3 or C7 based chips and is it close to the line speed of the 100 Mbit or Gbit ports? I could only find a couple of sites with any information on the system (all of which are German stores, which tend to be pricey for those in the US) and nothing on the Eden V4.
The CPU is C7 based, V4 refers to the FSB. We use IPSec on the 100 Mbit ports only.
The PicoSys 2101 is actually a rebranded box from a Taiwanese manufacturer. It is sold under various other brands (eg. FabiaTech FX5621), so maybe you can find a box with the same specifications at a US store.
Tags for this Thread