Hardware Firewall/Router Opinions

bluestrobe

Platinum Member
Aug 15, 2004
I've brought this up before but with a different context.

I need a hardware firewall/router that does the following:

1. Act as a firewall for the internet.
2. Able to support an FTP server and a web server, one on DMZ and the other on port forwarding. (This is what I currently have but will change as needed)
3. DHCP
4. Remote VPN access for a later plan in the works. Mainly remote server access.
5. Configured to set and forget.
6. $200ish

What I don't need or care for is anti-virus or wireless features. Due to the room the current router is in this can't be another PC with a software solution. This will be replacing a WRT54GS so the space and power would be the same if possible. I thought about a D-Link enterprise setup such as DFL-700 or DFL-200 or this Linksys one RV042

However in another thread I found this Checkpoint Safe@Office but the downfall is its limiting the number of systems due to its built in anti-virus software which I don't want or need. If I could disable the anti-virus stuff and get rid of the limitations, then it would be great but doubt it.


Anyone use any of these? Looking for opinions of people who have used these and not a wild uneducated opinion or WRT54G fanboys. This unit will be supporting 2 high-use computers, 1 FTP server (moderate use), 1 web server (low use at the moment), a solitaire game machine, and some systems at different times for different reasons (DC, troubleshooting/upgrading other computers, etc.).
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
Able to support a FTP Server and a Web Server, one DMZ and the other port forwarding.
Once you put a Computer on the DMZ all the ports are opened toward it, so no more port forwarding otherwise.

DMZ means No Firewall. So it is a good tool for debugging and here and there for problematic gaming, but not for as a long run solution.

Depending on the traffic you might want to look for a SOHO Router that is VPN End Point (around $500).

Otherwise there are a few Entry Level VPN End Point Routers (each of the major Brands makes one of them). There are no essential differences between them; look at the major brands, read the data sheets and choose the one that seems to have the menu structure that you like.

On Cable/DSL Router, Cable/DSL Routers - NAT, Ports, SPI.

VPN primer, VPN - Virtual Private Networks for small settings.

 

DaiShan

Diamond Member
Jul 5, 2001
As always Jack made a great post, but out of curiosity did you ever bother with CLI configuration on the wrt54g? It runs linux and iptables which is an extremely versatile firewall and can provide all of the features that you are looking for if you don't mind getting your hands dirty at the CLI. I even have mine set up to detect attacks on daemons running on the internal network then automatically drop connections from the offending IP addresses for 3 days which kills pretty much any attack. As for VPN, I don't know what all you want to do, but with SSH and port forwarding you can grant access to processes on your internal network from the WAN over an encrypted tunnel. There is no need for a full VPN deployment if you only want to secure a few processes.
 
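The log-driven auto-ban DaiShan describes, written out as an added example (this is not DaiShan's script, nor anything shipped with the WRT54G firmware). It scans constructed sshd-style log lines, counts failed logins per source address inside a sliding window, and issues the iptables commands that drop the offender for three days and remove the rule once the time is up. The chain name AUTOBAN, the threshold of 5 failures in 10 minutes, and the sample log are assumptions; with dry_run=True nothing is executed, the commands are only recorded.

```python
import re
import subprocess
from collections import defaultdict
from datetime import datetime, timedelta

BAN_SECONDS = 3 * 24 * 3600       # three days, as in the post above
THRESHOLD = 5                     # failed logins that trigger a ban (assumed)
WINDOW = timedelta(minutes=10)    # ...within this window (assumed)
CHAIN = "AUTOBAN"                 # assumed chain, hooked at the head of INPUT/FORWARD

# sshd's failure line, e.g.
# "Jan 12 03:14:01 gw sshd[411]: Failed password for root from 203.0.113.7 port 40122 ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log: one brute-force burst and one user who mistyped twice.
SAMPLE_LOG = """\
Jan 12 03:14:01 gw sshd[411]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jan 12 03:14:03 gw sshd[411]: Failed password for root from 203.0.113.7 port 40123 ssh2
Jan 12 03:14:05 gw sshd[412]: Failed password for invalid user admin from 203.0.113.7 port 40124 ssh2
Jan 12 03:14:08 gw sshd[413]: Failed password for root from 203.0.113.7 port 40125 ssh2
Jan 12 03:14:11 gw sshd[414]: Failed password for root from 203.0.113.7 port 40126 ssh2
Jan 12 03:20:44 gw sshd[420]: Accepted publickey for bob from 192.0.2.10 port 51000 ssh2
Jan 12 04:01:00 gw sshd[430]: Failed password for bob from 192.0.2.10 port 51001 ssh2
Jan 12 04:02:00 gw sshd[431]: Failed password for bob from 192.0.2.10 port 51002 ssh2
""".splitlines()

def parse_line(line, year=2006):
    """Return (timestamp, source ip) for a failed-login line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]

def find_offenders(lines):
    """{ip: time of the attempt that crossed THRESHOLD} for every IP with
    THRESHOLD failures inside WINDOW (sliding window over sorted timestamps)."""
    attempts = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            attempts[parsed[1]].append(parsed[0])
    offenders = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        for i in range(len(stamps) - THRESHOLD + 1):
            if stamps[i + THRESHOLD - 1] - stamps[i] <= WINDOW:
                offenders[ip] = stamps[i + THRESHOLD - 1]
                break
    return offenders

def setup_commands():
    """Create the ban chain once and jump to it before any accept rule."""
    return [["iptables", "-N", CHAIN],
            ["iptables", "-I", "INPUT", "1", "-j", CHAIN],
            ["iptables", "-I", "FORWARD", "1", "-j", CHAIN]]

class BanList:
    """Active bans with expiry; issues iptables commands (or only records them)."""
    def __init__(self, dry_run=True):
        self.dry_run = dry_run
        self.active = {}      # ip -> expiry datetime
        self.issued = []      # command lines issued so far

    def _run(self, cmd):
        self.issued.append(" ".join(cmd))
        if not self.dry_run:
            subprocess.run(cmd, check=True)   # needs root and a real iptables

    def ban(self, ip, when):
        expiry = when + timedelta(seconds=BAN_SECONDS)
        if ip in self.active:                 # already blocked: just extend
            self.active[ip] = expiry
            return False
        self.active[ip] = expiry
        self._run(["iptables", "-I", CHAIN, "1", "-s", ip, "-j", "DROP"])
        return True

    def expire(self, now):
        """Remove rules whose three days are up (call this periodically)."""
        for ip in [ip for ip, exp in self.active.items() if exp <= now]:
            self._run(["iptables", "-D", CHAIN, "-s", ip, "-j", "DROP"])
            del self.active[ip]

def process(lines, banlist):
    """Scan a batch of log lines, ban new offenders, return the active ban list."""
    for ip, when in find_offenders(lines).items():
        banlist.ban(ip, when)
    return sorted(banlist.active)

def demo():
    """Dry run over the sample log, then advance the clock past the ban."""
    bl = BanList(dry_run=True)
    banned = process(SAMPLE_LOG, bl)
    first_cmd = bl.issued[0]
    bl.expire(datetime(2006, 1, 15, 3, 14, 12))      # 3 days + 1 s later
    return {"banned": banned, "first_cmd": first_cmd,
            "after_expiry": sorted(bl.active), "last_cmd": bl.issued[-1]}

if __name__ == "__main__":
    print(demo())
```

The two failures from 192.0.2.10 never reach the threshold, so a legitimate user with a mistyped password is not locked out; the burst from 203.0.113.7 is. Inserting the ban chain at position 1 of INPUT and FORWARD matters: a ban rule appended after an ACCEPT for port 22 would never be consulted.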

Boscoh

Senior member
Jan 23, 2002
Originally posted by: JackMDS
Able to support a FTP Server and a Web Server, one DMZ and the other port forwarding.
Once you put a Computer on the DMZ all the ports are opened toward it, so no more port forwarding otherwise.

DMZ means No Firewall. So it is a good tool for debugging and here and there for problematic gaming, but not for as a long run solution.

I would have to disagree with you somewhat Jack. This holds true on a lot of small SOHO devices like Netgear, D-Link, Linksys, etc. On bigger devices and in corporate speak, DMZ != no protection. As an example, the PIX 515 is available in a 3-interface model called the "DMZ Bundle." The third interface is where you put your web-facing systems which need the most ports opened to them and receive the most exposure. These systems are still protected by the firewall, and only have the ports opened to them that you explicitly allow.

So while you're correct about the definition of DMZ in most home devices, that definition doesn't hold true with higher end devices (and some soho-class devices too).

To the OP: My vote is for the Linksys RV042
 

FreshPrince

Diamond Member
Dec 6, 2001
Originally posted by: bluestrobe
I've brought this up before but with a different context.

I need a hardware firewall/router that does the following:

1. Act as a firewall for the internet.
2. Able to support an FTP server and a web server, one on DMZ and the other on port forwarding. (This is what I currently have but will change as needed)
3. DHCP
4. Remote VPN access for a later plan in the works. Mainly remote server access.
5. Configured to set and forget.
6. $200ish

What I don't need or care for is anti-virus or wireless features. Due to the room the current router is in this can't be another PC with a software solution. This will be replacing a WRT54GS so the space and power would be the same if possible. I thought about a D-Link enterprise setup such as DFL-700 or DFL-200 or this Linksys one RV042

However in another thread I found this Checkpoint Safe@Office but the downfall is its limiting the number of systems due to its built in anti-virus software which I don't want or need. If I could disable the anti-virus stuff and get rid of the limitations, then it would be great but doubt it.


Anyone use any of these? Looking for opinions of people who have used these and not a wild uneducated opinion or WRT54G fanboys. This unit will be supporting 2 high-use computers, 1 FTP server (moderate use), 1 web server (low use at the moment), a solitaire game machine, and some systems at different times for different reasons (DC, troubleshooting/upgrading other computers, etc.).


I used the checkpoint...which is why I recommended it in the other thread...

it does NOT limit the number of workstations, just the number of users...

I mean, will you have more than 5 VPN users connected to that box at any point in time? I highly doubt it....most of the time, my box has 0 users connected and once in a blue moon when I do need to remote into my home network, it will have 1 user connected to it...get it now? It's not a limitation because it is built for home/small businesses. If you want unlimited users, buy the enterprise version. Besides, the limited VPN users is because VPN encryption takes a toll on the box and that particular one can only handle 5 concurrent users. They also sell an unlimited VPN users version, but that box will have faster hardware built in...most likely a hardware VPN accelerator. Does this make any sense now?

hope this helps...

and again, the anti-virus/spam/spyware...blah blah blah is the only part that requires an annual subscription. you don't need one just for the firewall/router/vpn. I mean, every vendor out there tries to sell you the annual subscription crap, but it's up to you if you need it. me, I don't subscribe because I have symantec av enterprise version and spybot...I don't need it. But if I want my PC to perform better, it's best to let the router do it. Now if I have a laptop...then no, I would want that software installed on my laptop.

Frankly, this box is too good for normal day to day home use; only enterprise customers buy it because they want the best firewall to protect their small businesses. I just happen to know about this device because I implemented it for my entire enterprise and I make enough $ to purchase one for myself. Not that $200 is so much $..I mean c'mon...it's chump change.

A regular $50-80 linksys/netgear/blah blah blah is just fine for home use. You can go into compusa and buy any one of those devices and get the job done. You really don't need the checkpoint.

Checkpoint just developed and implemented stateful packet inspection and application intelligence into their firewall products. Everyone else knows this is the best firewall technology and just pays them to use it in their products. That is why all you see in home firewalls now is SPI this and SPI that....because Checkpoint made it and it's the best. End of story.


just buy the damn safe@office already :p
 

FreshPrince

Diamond Member
Dec 6, 2001
Originally posted by: Boscoh
Originally posted by: JackMDS
Able to support a FTP Server and a Web Server, one DMZ and the other port forwarding.
Once you put a Computer on the DMZ all the ports are opened toward it, so no more port forwarding otherwise.

DMZ means No Firewall. So it is a good tool for debugging and here and there for problematic gaming, but not for as a long run solution.

I would have to disagree with you somewhat Jack. This holds true on a lot of small SOHO devices like Netgear, D-Link, Linksys, etc. On bigger devices and in corporate speak, DMZ != no protection. As an example, the PIX 515 is available in a 3-interface model called the "DMZ Bundle." The third interface is where you put your web-facing systems which need the most ports opened to them and receive the most exposure. These systems are still protected by the firewall, and only have the ports opened to them that you explicitly allow.

So while you're correct about the definition of DMZ in most home devices, that definition doesn't hold true with higher end devices (and some soho-class devices too).

To the OP: My vote is for the Linksys RV042

Exactly...all the FWs I've dealt with have a protected DMZ...

DMZ is just another physically separated network from your internal network. It does not mean no protection... It's like having a 10.0.1.x internal network with all your internal servers and workstations in it and a 10.0.2.x DMZ network with all your web servers and FTP servers...blah blah blah in it accessible from the internet. The 1.x network is internal and you don't want any access to it from the internet. But your 2.x network has all your web servers in it and well, you do want people to hit your web server, right? That is why you need the physical separation. So it's like putting all the 1.x computers in one switch and all the 2.x computers in a completely separate switch. The firewall has multiple interfaces that can handle the multiple networks and is able to route traffic and forward applications to a specific port number.

hope this helps!

 
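The two designs being argued over here, a SOHO "DMZ host" on the LAN versus a separate DMZ network behind a third interface, modelled as first-match rule sets so the difference can be seen on concrete packets. This is an added example, not code from the thread or from any router vendor. The 10.0.1.x/10.0.2.x addressing follows FreshPrince's post; the individual host addresses, the probe ports and the narrowed passive-FTP range 50000-50099 are assumptions. The model is deliberately stateless (a real firewall also passes replies to flows it allowed), which is enough to show which ports a scan from the internet would find open and whether a compromised server can reach a LAN workstation.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for the two designs being compared.
ZONES = {"lan": ip_network("10.0.1.0/24"), "dmz": ip_network("10.0.2.0/24")}
WAN_CLIENT = "198.51.100.9"                     # some host on the internet
LAN_PC = "10.0.1.10"
SOHO_FTP, SOHO_WEB = "10.0.1.50", "10.0.1.51"   # servers on the LAN, SOHO style
DMZ_FTP, DMZ_WEB = "10.0.2.21", "10.0.2.80"     # servers on their own segment

def zone_of(ip):
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "wan"

class Rule:
    """One first-match rule: action, src zone, dst zone, optional host and port range.
    Stateless on purpose; a real filter also passes replies to allowed flows."""
    def __init__(self, action, src, dst, host=None, ports=None):
        self.action, self.src, self.dst = action, src, dst
        self.host = ip_address(host) if host else None
        self.ports = ports                  # None = any, else (lo, hi) inclusive

    def matches(self, pkt):
        if self.src != "any" and zone_of(pkt["src"]) != self.src:
            return False
        if self.dst != "any" and zone_of(pkt["dst"]) != self.dst:
            return False
        if self.host is not None and ip_address(pkt["dst"]) != self.host:
            return False
        if self.ports and not self.ports[0] <= pkt["dport"] <= self.ports[1]:
            return False
        return True

def evaluate(policy, pkt, default="drop"):
    """First matching rule wins (pf/iptables chain semantics); otherwise the default."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action
    return default

# (a) SOHO router: the "DMZ host" receives every inbound port, the web box one.
#     Both servers sit on the LAN switch with the workstations, so server-to-LAN
#     traffic never reaches the firewall at all; modelled as an unconditional pass.
SOHO_POLICY = [
    Rule("pass", "wan", "lan", host=SOHO_FTP),                   # DMZ host: all ports
    Rule("pass", "wan", "lan", host=SOHO_WEB, ports=(80, 80)),   # port forward
    Rule("pass", "lan", "any"),                                  # LAN unrestricted
]

# (b) Three-interface firewall: only the listed ports reach the DMZ, and a DMZ
#     box cannot start anything toward the LAN. The FTP passive range is
#     pinned in the server config to 100 ports so the opening stays small.
ZONED_POLICY = [
    Rule("pass", "wan", "dmz", host=DMZ_FTP, ports=(21, 21)),
    Rule("pass", "wan", "dmz", host=DMZ_FTP, ports=(50000, 50099)),
    Rule("pass", "wan", "dmz", host=DMZ_WEB, ports=(80, 80)),
    Rule("drop", "dmz", "lan"),                                  # contain a compromise
    Rule("pass", "dmz", "wan"),                                  # updates, DNS out
    Rule("pass", "lan", "any"),
]

def exposed_ports(policy, host, probe_ports):
    """Ports of host that a WAN client can reach under policy (a port scan's view)."""
    return [p for p in probe_ports
            if evaluate(policy, {"src": WAN_CLIENT, "dst": host, "dport": p}) == "pass"]

def lateral_move(policy, server):
    """What a compromised server can do toward a LAN workstation on 445/tcp."""
    return evaluate(policy, {"src": server, "dst": LAN_PC, "dport": 445})

if __name__ == "__main__":
    probes = [21, 22, 80, 445, 3389, 50050]
    for name, policy, ftp in (("SOHO", SOHO_POLICY, SOHO_FTP), ("zoned", ZONED_POLICY, DMZ_FTP)):
        print(name, "ftp exposed:", exposed_ports(policy, ftp, probes),
              "| ftp -> LAN 445:", lateral_move(policy, ftp))
```

Under the SOHO policy every probed port on the FTP box answers from the internet and, once that box is owned, it is already on the same switch as the workstations; under the zoned policy only 21 and the passive range are reachable, and the explicit dmz-to-lan drop is what turns a web-server compromise into a contained incident rather than a LAN compromise. The order of the rules matters: the drop for dmz-to-lan has to come before any broad pass for dmz traffic.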

bluestrobe

Platinum Member
Aug 15, 2004
Originally posted by: JackMDS
Once you put a Computer on the DMZ all the ports are opened toward it, so no more port forwarding otherwise.

DMZ means No Firewall. So it is a good tool for debugging and here and there for problematic gaming, but not for as a long run solution.

Currently they both work. The DMZ server (ftp) does have a software firewall. I still can hit the web server (port forwarding) from the outside on port 80. I've found routers with dual DMZ ports but they aren't in my price range. I would do port forwarding on both but the FTP server sends the lists out over a 2000 port range and I didn't feel safe opening that many ports to the internet.

About the VPN stuff, I still have to do the research but I was told to have it for a business operation we plan on starting up here at the end of this year. I'll use the router for the VPN server and have the client log in to it when they need to. I know the Linksys model I listed does this, don't know about anyone else as I haven't got that in depth to the other models.

Originally posted by: jwhitt
old box 2 nics m0n0wall

Next time read before posting. I don't want to run another computer as in my OP.
 

Aarondeep

Golden Member
Jan 26, 2000
I would get the Safe@Office. I haven't used the Checkpoint before, but I am familiar with Netscreens; I have set up about 6 sites with the NS-5GT and the firewall is great and simple to configure. From what I have read the Checkpoint is even easier to configure than the Netscreen. The limitation that you are seeing is not the number of computers behind the firewall but the number of VPN connections it can make. 5 should be plenty; if it isn't enough down the road you can probably purchase a license upgrade.
Also, I would recommend buying this from a reputable retailer or direct from the company. (Software updates are usually limited on these enterprise devices.)
For ~200 buxx it's totally worth it.
 

bluestrobe

Platinum Member
Aug 15, 2004
Originally posted by: aarondeep
The limitation that you are seeing is not the number of computers behind the firewall but is the number of VPN connections it can make. 5 should be plenty


Interesting. We learn something new everyday. I did like the screen shots of the S@O unit too.
 

bluestrobe

Platinum Member
Aug 15, 2004
Originally posted by: jwhitt
I'm sorry, I guess I could have suggested a Soekris net4801 with a CF card

Looks to be Linux. I don't need to learn with a device that is supposed to keep me secure. Bad things happen that way.

 

jwhitt

Member
Nov 1, 2005
No man, it's FreeBSD, and it's all web based... your Linksys WRT54G is the same thing.. this just has more configurable and flexible options, that's all
 

smashp

Platinum Member
Aug 30, 2003
Originally posted by: bluestrobe
Originally posted by: jwhitt
I'm sorry, I guess I could have suggested a Soekris net4801 with a CF card

Looks to be Linux. I don't need to learn with a device that is supposed to keep me secure. Bad things happen that way.

m0n0wall is secure, I have yet to hear or read of it being hacked yet. Plus the configuration of it is similar to many commercial firewalls. If you understand the theory they are all the same.

Plus its default state is locked down. You have to open up access through full-featured NAT rules and corresponding firewall rule sets. You can block access to certain IP ranges for services inbound and outbound, get IPsec, OpenVPN, and traffic shaping.
You can get an old PC with two NIC cards or you can get a WRAP box and you get a LAN, WAN, DMZ, and WAP all on one device.

Read my sig, I'm not big on open source or a lot of Linux apps, because I've witnessed how they cost you major amounts of time to configure, set up, and maintain. m0n0wall is so simple it's incredible and it will work on embedded hardware.

I was using Smoothwall before and it isn't bad either; m0n0wall just offers more needed features.
 

bluestrobe

Platinum Member
Aug 15, 2004
Originally posted by: smashp

m0n0wall is secure, I have yet to hear or read of it being hacked yet. Plus the configuration of it is similar to many commercial firewalls. If you understand the theory they are all the same.

Plus its default state is locked down. You have to open up access through full-featured NAT rules and corresponding firewall rule sets. You can block access to certain IP ranges for services inbound and outbound, get IPsec, OpenVPN, and traffic shaping.
You can get an old PC with two NIC cards or you can get a WRAP box and you get a LAN, WAN, DMZ, and WAP all on one device.

Read my sig, I'm not big on open source or a lot of Linux apps, because I've witnessed how they cost you major amounts of time to configure, set up, and maintain. m0n0wall is so simple it's incredible and it will work on embedded hardware.

I was using Smoothwall before and it isn't bad either; m0n0wall just offers more needed features.

I have reviewed m0n0wall but I don't want to run another rig because of the limitations I have. I'm still sold on the S@O setup but my friend says it's for entry-level noobs.
 

smashp

Platinum Member
Aug 30, 2003
Originally posted by: bluestrobe
Originally posted by: smashp

m0n0wall is secure, I have yet to hear or read of it being hacked yet. Plus the configuration of it is similar to many commercial firewalls. If you understand the theory they are all the same.

Plus its default state is locked down. You have to open up access through full-featured NAT rules and corresponding firewall rule sets. You can block access to certain IP ranges for services inbound and outbound, get IPsec, OpenVPN, and traffic shaping.
You can get an old PC with two NIC cards or you can get a WRAP box and you get a LAN, WAN, DMZ, and WAP all on one device.

Read my sig, I'm not big on open source or a lot of Linux apps, because I've witnessed how they cost you major amounts of time to configure, set up, and maintain. m0n0wall is so simple it's incredible and it will work on embedded hardware.

I was using Smoothwall before and it isn't bad either; m0n0wall just offers more needed features.

I have reviewed m0n0wall but I don't want to run another rig because of the limitations I have. I'm still sold on the S@O setup but my friend says it's for entry-level noobs.


m0n0wall will run on an embedded device that will cost you about $200ish. Check the homepage for the hardware section. m0n0wall runs off a CF card and the box is smaller than most modern cable/DSL routers.
 

bluestrobe

Platinum Member
Aug 15, 2004
Originally posted by: smashp
m0n0wall will run on an embedded device that will cost you about $200ish. Check the homepage for the hardware section. m0n0wall runs off a CF card and the box is smaller than most modern cable/DSL routers.

That was a thought but I want to buy one device that is made by one company and then use it. Building an embedded device to run freeware does have its limitations.

The prices on Soekris products seem to be too much for my budget. m0n0wall needs at least 64 MB of RAM to upgrade properly and the cheapest embedded PC I could find was over $300. It was an interesting deal but the hunt continues.

 

servin247365

Senior member
Oct 11, 2005
smoothwall.org works great, is easy to use and free; you just need an older system like a P2 400 MHz or something
 

bluestrobe

Platinum Member
Aug 15, 2004
Originally posted by: servin247365
smoothwall.org works great, is easy to use and free; you just need an older system like a P2 400 MHz or something



We're swaying from the topic. I don't want another computer box to take care of.
 

FreshPrince

Diamond Member
Dec 6, 2001
Originally posted by: bluestrobe
Originally posted by: servin247365
smoothwall.org works great, is easy to use and free; you just need an older system like a P2 400 MHz or something



We're swaying from the topic. I don't want another computer box to take care of.

I have a spare safe@office...

 

bluestrobe

Platinum Member
Aug 15, 2004
Originally posted by: FreshPrince
Originally posted by: bluestrobe
Originally posted by: servin247365
smoothwall.org works great, is easy to use and free; you just need an older system like a P2 400 MHz or something



We're swaying from the topic. I don't want another computer box to take care of.

I have a spare safe@office...


New or used?