Recommendation for a business grade router/firewall

Forums › IT Pro and developers › Recommendation for a business grade router/firewall

lchiu7

6470 posts

Uber Geek

Trusted

#37097 7-Jul-2009 14:20

Looking at putting in a Citylink connection into a building with a Internet connection on the back of it. This will be 25Mbs/symmetric. Most of the time the connection will be standalone only accessible via wireless or if a PC is plugged into specific ports on the network and therefore not connected to the corporate WAN.

But in a DR situation (well main network failure) we are looking to use this connection for backup connectivity via a VPN solution. When that happens we would disconnect our main WAN and plug this Internet connection into the main switch from the router.

I am not sure in this instance 60-70 users a home grade wireless router can cut the mustard, both performance and security wise. I don't want an expensive Cisco router but is there some sort of SMB router/firewall people might be familar and could recommend.

How good are the BSD based router solutions like Smoothwall or pfSense?

Thanks

Larry

Staying in Wellington. Check out my AirBnB in the Wellington CBD. https://www.airbnb.co.nz/h/wellycbd PM me and mention GZ to get a 15% discount and no AirBnB charges.

1 | 2

Professional yak shaver
1599 posts

Uber Geek

Trusted

BitSignal

Lifetime subscriber

#232059 7-Jul-2009 14:34

Do you have a preference for hardware or software-based?

I like (and have deployed on a couple of occasions) Endian Firewall. Based on IPCop, but much improved since they started. And free.

www.endian.com

"Roads? Where we're going, we don't need roads." - Doc Emmet Brown

lchiu7

6470 posts

Uber Geek

Trusted

#232063 7-Jul-2009 14:41

Don't really care so long as it's robust. So I could just put this on a standard PC with two NICs?

Staying in Wellington. Check out my AirBnB in the Wellington CBD. https://www.airbnb.co.nz/h/wellycbd PM me and mention GZ to get a 15% discount and no AirBnB charges.

magu

Professional yak shaver
1599 posts

Uber Geek

Trusted

BitSignal

Lifetime subscriber

#232069 7-Jul-2009 14:49

Yes. And apparently 2.3 is coming out really soon, with even more nice stuff (VLAN support and advanced ACLs for proxy, for example).

I've setup one to run at my old office with 4 NICs for the multiple zones they required (internal, public, dmz, etc) and it does the job flawlessly.

I recently setup another box (this being a Celeron with 256MB -- totally not recommended for serious traffic) for a friend. Still, it does the content filtering quite well.

A recent C2D PC with upwards of 1GB of RAM should handle most of your traffic needs. Recent hardware scales better than old one, anyways.

"Roads? Where we're going, we don't need roads." - Doc Emmet Brown

amanzi

Amanzi
1292 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#232160 7-Jul-2009 18:32

lchiu7: Looking at putting in a Citylink connection into a building with a Internet connection on the back of it. This will be 25Mbs/symmetric. Most of the time the connection will be standalone only accessible via wireless or if a PC is plugged into specific ports on the network and therefore not connected to the corporate WAN.

But in a DR situation (well main network failure) we are looking to use this connection for backup connectivity via a VPN solution. When that happens we would disconnect our main WAN and plug this Internet connection into the main switch from the router.

I am not sure in this instance 60-70 users a home grade wireless router can cut the mustard, both performance and security wise. I don't want an expensive Cisco router but is there some sort of SMB router/firewall people might be familar and could recommend.

How good are the BSD based router solutions like Smoothwall or pfSense?

Thanks

Larry

What do you consider 'expensive'? You can get a Cisco router for around $700 plus maybe $300 to configure it, so for around $1000 you'd have a rock-solid firewall. I wouldn't recommend running a PC-based firewall - if you bought a new computer for the job you'd be paying close to $1000 anyway, and if you ran it on old hardware then you're opening yourself up to some risk of hardware failure. SMB routers like SonicWall wouldn't be that much cheaper than the Cisco box anyway.

lchiu7

6470 posts

Uber Geek

Trusted

#232177 7-Jul-2009 19:33

I thought of Sonicwall and tried calling them. No reply (Sydney) or no returned calls. I just wanted to find out what they meant by comes with 10 nodes and you have to pay for additional nodes? I think it's to do with the VPN solution but nobody called me back.

I am not interested in the VPN solution - we have a solution for that - just want the routing and basic firewall capability and ensure it passes IPSEC traffic.

As for whether an appliance is better than a PC, well this thing is not protecting the entire network all the time - usually only a few off-network users. The only time it might need more is when it's in a backup network mode and that would be hopefully only be for a few hours. So it just seemed overkill to look for an industrial strength solution.

Staying in Wellington. Check out my AirBnB in the Wellington CBD. https://www.airbnb.co.nz/h/wellycbd PM me and mention GZ to get a 15% discount and no AirBnB charges.

magu

Professional yak shaver
1599 posts

Uber Geek

Trusted

BitSignal

Lifetime subscriber

#232181 7-Jul-2009 19:53

Although I agree with amanzi on the price-point question, I disagree on the problems he mentioned with a PC-based firewall, especially on this case. You're saying it's a backup system, and you don't want to (or can't) spend a lot. For $500 or less you can get a decent solution (hardware included) and still have reliability. Even old servers can do it, with their multiple PSUs, NICs, etc.

Appliances are better when you can afford them, but they don't necessarily make the PC a no-go. They're just more tailored for a single (or a few) task(s), whereas the PC is able to be used for other means as well.

Also on the hardware-failure subject: that's a box of chocolates. Any piece of hardware can go bad, even Cisco switches (hell, everyday at the office I see a few stacked on the shelves, waiting for the next recycling run). Of course, certain brands (or lack thereof) could be less reliable, so pick wisely (eg. I wouldn't run a firewall with D-Link nics). Valid point nonetheless, amanzi.

"Roads? Where we're going, we don't need roads." - Doc Emmet Brown

lchiu7

6470 posts

Uber Geek

Trusted

#232184 7-Jul-2009 20:02

magu: .. (eg. I wouldn't run a firewall with D-Link nics). Valid point nonetheless, amanzi.

I have had 3 Dlink routers at home fail on me so amen to that!

Staying in Wellington. Check out my AirBnB in the Wellington CBD. https://www.airbnb.co.nz/h/wellycbd PM me and mention GZ to get a 15% discount and no AirBnB charges.

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

onehundredwatt

19 posts

Geek

#232185 7-Jul-2009 20:04

Zyxel USG 200 - IPSEC VPN's, Layer 7 Firewall and SSLVPN in one device. Highly configurable and performance is excellent.

lchiu7

6470 posts

Uber Geek

Trusted

#232188 7-Jul-2009 20:15

And where does one buy that?

Staying in Wellington. Check out my AirBnB in the Wellington CBD. https://www.airbnb.co.nz/h/wellycbd PM me and mention GZ to get a 15% discount and no AirBnB charges.

amanzi

Amanzi
1292 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#232189 7-Jul-2009 20:17

lchiu7: So it just seemed overkill to look for an industrial strength solution.

I guess our definitions of 'business grade' and 'industrial strength' differ a bit. Personally I wouldn't consider a desktop PC running a firewall app to be business grade, but I also wouldn't call the entry-level Cisco boxes industrial strength (that's what the big, $100k devices are for). But that's just my personal opinion.

magu: Also on the hardware-failure subject: that's a box of chocolates. Any piece of hardware can go bad, even Cisco switches

Not saying that Cisco switches don't break, but I would definitely say that a desktop PC has a higher chance of a hardware failure over a Cisco router. I don't have any hard evidence to back that up, it's just based on my own experience.

At the end of the day, it's what you feel comfortable with and how much risk you're willing to take. You seem to imply that because it's a DR connection, it's not that important - but in the event of a DR situation, it will be your most critical device. I'm just a fan of using the right tool for the right job. Sure, you may save a few hundred dollars now, but work out how much it will cost if that PC fails you in the event of DR.

onehundredwatt

19 posts

Geek

#232199 7-Jul-2009 21:02

lchiu7: And where does one buy that?

Campbell Software are the NZ distributors for Zyxel

http://shop.campbell.co.nz/index.php?main_page=index&manufacturers_id=1&sort=20a&filter_id=9

magu

Professional yak shaver
1599 posts

Uber Geek

Trusted

BitSignal

Lifetime subscriber

#232200 7-Jul-2009 21:03

onehundredwatt: Zyxel USG 200 - IPSEC VPN's, Layer 7 Firewall and SSLVPN in one device. Highly configurable and performance is excellent.

I've never had a personal experience with Zyxel hardware, but I've heard of some very cases where they performed quite well. No idea of pricing, though.

amanzi:
Not saying that Cisco switches don't break, but I would definitely say that a desktop PC has a higher chance of a hardware failure over a Cisco router. I don't have any hard evidence to back that up, it's just based on my own experience.

Personal experience varies a lot indeed. So far, only one component on one of the firewalls I installed had issues: a D-Link NIC!

amanzi:
At the end of the day, it's what you feel comfortable with and how much risk you're willing to take. You seem to imply that because it's a DR connection, it's not that important - but in the event of a DR situation, it will be your most critical device. I'm just a fan of using the right tool for the right job. Sure, you may save a few hundred dollars now, but work out how much it will cost if that PC fails you in the event of DR.

Great way of putting it.

"Roads? Where we're going, we don't need roads." - Doc Emmet Brown

onehundredwatt

19 posts

Geek

#232202 7-Jul-2009 21:11

We have hundreds of Zyxel routers and firewalls installed and in the 4 years I have been using them I would say they have been very reliable and great value for money. My previous post has a link with pricing. IPSEC tunnels to CISCO PIX or ASA devices are no problem and configuration is (relatively) straight forward. Campbell Software provide excellent over the phone help too.

Fraktul

836 posts

Ultimate Geek

Trusted

#232206 7-Jul-2009 21:32

Zyxel are ok from personal experience. Regarding Cisco kit pricing to be fair this isnt apples to apple as you are compairing a new router with an install on an old pc. 2nd hand cisco vs old pc would be a more fair comparison - when you look at it that way it may be easier to stomach.

DataCraft

173 posts

Master Geek

#232213 7-Jul-2009 21:58

I have used the draytek DV2910 before on a uns connection, they are very stable and easy to use. I have a spare one that is not being used if you want to borrow it and try it with your citylink connection.

1 | 2