
Recommendations for a ~$500 firewall... SonicWall? Watchguard?

Superwormy

Golden Member
I need some recommendations for a hardware firewall in the $500 range. Here's the situation:

AT&T T1 -> Cisco 1721 Managed Router, 5 static IPs -> Firewall -> LAN


Requirements:
- Needs to be able to handle the 5 incoming static IP addresses
- Need to be able to place a few machines behind the firewall and have them accessible via a few of the public static IP addresses provided by AT&T (1:1 NAT? better option?)
- Other machines will just be NATed so they have internet access (but are not accessible via public IP addresses)
- QoS - We're using SIP/VoIP, so I want to be able to use QoS, preferable solution would be to give priority to one or two specific ports on the firewall/router
- Wireless would be nice... but is not necessarily a requirement
- Be able to block some ports
- Something reliable


Suggestions?
 
Cisco PIX 501.

Do NOT use a SonicWall. They're garbage, particularly since you're using VoIP. I've had no end of problems with SonicWalls in my VoIP scenarios. Which provider are you using, by the way?

I'd stand by the PIX 501. They work well and are within your budget.

And, though I've never used one, I've always heard pretty good things about the Watchguard Fireboxes.
 
Where are you finding a PIX 501 for around $500? I'm seeing prices around $750... which is probably do-able, just curious if there was a good place to get it cheaper.

On a side note... does the PIX 501 only support 32 DHCP leases/if I end up with a 10-user license, does that mean that only 10 computers on the LAN will have Internet access? What happens if I have more than 32 computers...?
 
Pix 501's have been replaced with the ASA 5505. You would need to get a 50 user license if you have more than 30 computers. With a 10 user license, after the 10th computer has made a connection to the internet, no other computer besides the first 10 will be able to connect to the internet.
 
I've had a Watchguard before, and was not very happy w/ it.
The VPN software was flaky, and the support wasn't the greatest when I called.
Not sure if that's changed, but that's what I experienced 3 years ago.
 
I would look at replacing your 1721 with an 1800 series Cisco router with the Firewall feature set in the IOS
 
Originally posted by: Superwormy
Where are you finding a PIX 501 for around $500? I'm seeing prices around $750... which is probably do-able, just curious if there was a good place to get it cheaper.

On a side note... does the PIX 501 only support 32 DHCP leases/if I end up with a 10-user license, does that mean that only 10 computers on the LAN will have Internet access? What happens if I have more than 32 computers...?

Do you have a server on your LAN running Server 2000 or Server 2003? If so, run DHCP off of that and you won't need to worry about the DHCP lease limits of the PIX.

As for where...I don't get them from Newegg, but they are available. I get mine from Ingram Micro and pay much less. But, here are two:

10 User License

50 User License

I don't have any experience with the ASA 5505, but it does look like a fairly nice appliance, cheaper than the PIX 501 as well. Hmmmmmm.
 
The user licensing on the ASA/Pix is not associated with DHCP. The user count is for how many inside hosts it will pass traffic for.
 
Sonicwall - no way

WatchGuard - Easy to manage and setup. But poor to no SIP support. They are just coming out with these features and any of the Edge series models are not going to treat it well.

Cisco - PIX501 can be had cheap if you look around. I routinely find 50 user and unlimited models for less than $500. Even less if eBay is an option. Used Cisco appliances tend to have a good record and you can order a SmartNet on them for around $100. But, if you are not accustomed to setting up a PIX you may need some help. The ASA5505 is a very nice series. Still a bit buggy on the GUI side but very powerful for the price.

I would say that Fortinet is pretty much in the same range as the WatchGuard and Juniper would be between a WatchGuard and Cisco appliance in terms of functionality.

The nice thing about the PIX is the lack of feature licensing. WG, SW, Fortinet, and Juniper all get you on their licensing - SW in particular. A PIX is pretty much a one time cost, unless you want to maintain warranty, then a low cost SmartNet can be purchased annually. Nowhere near the costs of the other boxes over its lifetime.

For small shops I would also recommend a m0n0wall firewall. It is a free UNIX based firewall. Very efficient, and very functional and as secure as the big boys. Custom hardware can be had for less than $200 or you can just use any old PC. Tend to work great on cable, DSL, and true T1 lines. Have had problems on integrated circuit T1 lines. Your ATT is most likely a true T1 so you should have some luck. Would not hurt to try first if you have an old PC laying around, anything better than a Pentium 133MHz with 64MB of RAM should do. Just toss in two NICs and you are good to go.
 
Right now I'm leaning towards either a Cisco or pfSense. pfSense is looking really slick... I got it installed on a P3 1ghz box without any problems at all and everything seems very clean and pretty much seems to "just work". I'm impressed...

My boss has recommended we look at Netgear as well as we have a few Netgear switches already. Any experiences with Netgear?
 
Originally posted by: Superwormy
My boss has recommended we look at Netgear as well as we have a few Netgear switches already. Any experiences with Netgear?
no, and there's a reason for it...stay away.
 
Originally posted by: Superwormy
Right now I'm leaning towards either a Cisco or pfSense. pfSense is looking really slick... I got it installed on a P3 1ghz box without any problems at all and everything seems very clean and pretty much seems to "just work". I'm impressed...

I have run a pfsense box for over a year without a single problem.
It's really easy to configure and it would cost much more money to buy a dedicated router with the same features.

I ran it on an old compaq p3-1ghz, 512MB ram, 20GB hd.
It never dropped a packet in all that time.

People will often say that a pc can't be as good a router as a standalone router.
They don't realize that inside that router is a cpu, usually running linux.
 
Hrm, spoke to my boss... looks like we're going to at least initially go with pfSense, and then if we have problems with it, we'll take a look around again at a real standalone router.

I've got this to say though: pfSense sure is easy to setup... and it sure does a ton of neat stuff... and it looks pretty... and it's cheap... I'm very impressed so far.
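For anyone following the thread to the same decision, here is the OP's requirement list (1:1 NAT for the public-facing boxes, many-to-one NAT for the rest, SIP/VoIP priority on a T1, a few ports blocked) written as one ruleset for pf, the packet filter pfSense is built on. This is an added example, not any poster's config and not what the pfSense GUI generates; the interface names, the 203.0.113.0/29 public block, the 192.168.1.0/24 LAN, the server addresses and the RTP port range are all assumed values.

```pf
# pf.conf for the OP's requirements (added example, assumed names and addresses)
ext_if   = "fxp0"              # WAN side, toward the Cisco 1721
int_if   = "fxp1"              # LAN side
lan_net  = "192.168.1.0/24"

# Two of the ISP's static addresses and the LAN hosts they map 1:1 to (assumed)
pub_web  = "203.0.113.10"
pub_mail = "203.0.113.11"
web_srv  = "192.168.1.10"
mail_srv = "192.168.1.11"

# SIP signalling ports; the RTP media range is whatever the PBX uses (assumed)
sip_ports = "{ 5060, 5061 }"
rtp_ports = "10000:20000"

# Ports that should never leave the LAN (Windows file sharing)
blocked_out = "{ 135, 137:139, 445 }"

set skip on lo0
scrub in all

# QoS: priority queueing on the 1.5 Mb/s T1 uplink, VoIP queue wins
altq on $ext_if priq bandwidth 1500Kb queue { q_voip, q_default }
queue q_voip    priority 7
queue q_default priority 1 priq(default)

# 1:1 NAT (binat) for the hosts that must answer on their own public address
binat on $ext_if from $web_srv  to any -> $pub_web
binat on $ext_if from $mail_srv to any -> $pub_mail

# Many-to-one NAT for everyone else: internet access, no inbound exposure
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny in both directions, log the drops
block in  log all
block out log all

# LAN may go out, except on the blocked ports. pf is last-match unless "quick",
# so the VoIP rules come after the default-queue rule and override it.
block out quick on $ext_if proto { tcp, udp } to any port $blocked_out
pass in  on $int_if from $lan_net to any keep state
pass out on $ext_if keep state queue q_default
pass out on $ext_if proto udp to any port $sip_ports keep state queue q_voip
pass out on $ext_if proto udp to any port $rtp_ports keep state queue q_voip

# Inbound only to the 1:1-mapped hosts and only on the ports they serve.
# binat translation runs before filtering, so rules match the internal address.
pass in on $ext_if proto tcp to $web_srv  port { 80, 443 } flags S/SA keep state
pass in on $ext_if proto tcp to $mail_srv port 25          flags S/SA keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f`; on pfSense you would enter the same intent through the GUI (Firewall > NAT for the 1:1 and outbound entries, Firewall > Traffic Shaper for the queues), and this is roughly the pf it produces underneath. Queueing on `$ext_if` only shapes upstream traffic; what comes down the T1 has already crossed the bottleneck by the time pf sees it.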
 
Originally posted by: Modelworks
People will often say that a pc can't be as good a router as a standalone router.
They don't realize that inside that router is a cpu, usually running linux.
that's a rather gross, inaccurate, oversimplification...
 
Originally posted by: jlazzaro
Originally posted by: Modelworks
People will often say that a pc can't be as good a router as a standalone router.
They don't realize that inside that router is a cpu, usually running linux.
that's a rather gross, inaccurate, oversimplification...

Actually it's not.
I just retired a few years ago from embedded cpu/mcu work and it basically boils down to a cpu whether it's running mips or some variant. An os usually stored in flash of some form. An interface chipset, a network interface.

There's no magical circuitry in a router. It's just a computer designed to do a single task.

 
Originally posted by: Modelworks
Originally posted by: jlazzaro
Originally posted by: Modelworks
People will often say that a pc can't be as good a router as a standalone router.
They don't realize that inside that router is a cpu, usually running linux.
that's a rather gross, inaccurate, oversimplification...

Actually it's not.
I just retired a few years ago from embedded cpu/mcu work and it basically boils down to a cpu whether it's running mips or some variant. An os usually stored in flash of some form. An interface chipset, a network interface.

There's no magical circuitry in a router. It's just a computer designed to do a single task.

You are completely and totally neglecting the switching plane. And to say it's a cpu running linux is so far off base I don't really know where to start. Sure from a resource management/kernel perspective there are some parts of unix in there but that's about it.

A "real" router or firewall does most all of the switching/forwarding in hardware and the CPU is left out of it. To compare a computer to a router/firewall is good enough for control plane stuff, but at today's speeds CPUs do not exist to meet the demands.

OP - I don't play in this area but I would assume something from cisco/juniper/nokia/checkpoint would meet your needs. A pix 501 would be a poor choice as it's older than dirt and won't do what a modern firewall can.
 
Originally posted by: spidey07
A "real" router or firewall does most all of the switching/forwarding in hardware and the CPU is left out of it. To compare a computer to a router/firewall is good enough for control plane stuff, but at today's speeds CPUs do not exist to meet the demands.

LOL
I suggest you take a tour of the facility at Cray research.
Guess what we prototype the 'network hardware' on?
CPUs in pc like computers. They usually aren't x86 based, but the principle remains.
Then it's converted to a dedicated interconnect chip or chipset.
The reason it's converted? Not because the pc based setup can't keep up, but because of cost and size. Who wants to have a pc sitting in the server room when a rackmount unit will work?
 
modelworks, I still don't think you get it yet. That's fine, you're just used to your environment and I'm used to mine. But I sure don't see any Cray computers switching the Internet. Not once, ever.

We just have a disconnect between your world and mine.
 
Originally posted by: spidey07
modelworks, I still don't think you get it yet. That's fine, you're just used to your environment and I'm used to mine. But I sure don't see any Cray computers switching the Internet. Not once, ever.

We just have a disconnect between your world and mine.

http://www.sandia.gov/news-cen...th/redstormrising.html
Cray doesn't sell computers that would be used for switching networks, but we did design one hell of a chip with the seastar and that was developed and running on pc like systems before it ever was in a dedicated hardware form.

The seastar would be twiddling its thumbs if it was used on something like switching on the internet and that was running on a pc like setup, so if it can be emulated in pc form, then I know a standard office router can.


 
I repeat, you are focusing on CPU...that's fine, that's your world. That's what you know and the processing is impressive.

Switching plane is different. We'll just have to agree to disagree because we come from different worlds.
 
Originally posted by: Modelworks
Originally posted by: spidey07
modelworks, I still don't think you get it yet. That's fine, you're just used to your environment and I'm used to mine. But I sure don't see any Cray computers switching the Internet. Not once, ever.

We just have a disconnect between your world and mine.

http://www.sandia.gov/news-cen...th/redstormrising.html
Cray doesn't sell computers that would be used for switching networks, but we did design one hell of a chip with the seastar and that was developed and running on pc like systems before it ever was in a dedicated hardware form.

The seastar would be twiddling its thumbs if it was used on something like switching on the internet and that was running on a pc like setup, so if it can be emulated in pc form, then I know a standard office router can.

All networking devices have a general purpose CPU and in some cases they are even Intel or AMD based. These CPUs (in most cases) are only for management of the box itself. For example, processing routing updates, spanning tree, etc. None of these processes have anything to do with forwarding traffic. Once the CPU calculates the path and other functions, hardware (ASICs) is programmed with the forwarding information.

There is a reason in the network world that you do not want traffic "punted to the CPU" or "forwarded in software". The reason is that performance goes down the drain.
 
I have been wondering about this topic for some time now. With the recent increase in the use of open source routers such as quagga, I started to wonder what is the benefit of a hardware router such as a cisco platform compared to an open source solution.
I have a friend who runs a huge ISP (not going to mention the name) but they slowly are starting to migrate all their border routers from cisco 6500/7600/GSR to unix based servers running quagga. The server is running dual quad cpu with at least 8gig of ram, multiple port gigabit/10gig nic cards running on the pci-e bus.
According to him the server based router is way faster compared to the hardware router platform.
 