As I have mentioned before, I am in the process of setting up a firewall
for a small institution, for which I work as a part time "IT-person".
I have been telling the decision makers that a "software-firewall"
(i.e. m0n0wall) seems to be a viable alternative to a
"hardware-firewall" (I know these terms are flawed) in our case, since
1) it only requires a minor investment and thus no risk in that
sense (if we decide to move to a different solution later we will not be
bound by a large investment in hardware),
2) management of the firewall would be just as easy as with a
"hardware-firewall",
3) it would provide us with more flexibility for future needs
(we'll be moving a lot and our needs may expand),
4) working with something I like will make me more likely to enjoy
my job (I know I'm lucky, my employers actually care ;), and
5) I think that I can provide the same uptime, and the
necessary performance, with a m0n0wall.
I have, however, based on the information that I have been able to find,
started worrying whether 5) is really true.
I am hoping someone here with more experience than myself can help me
judge whether 5) is true.
Also, our consultants are pressing for us to upgrade our Novell server
and let them install a Novell BorderManager firewall. I don't have much
factual knowledge of whether BorderManager is a good solution for us or
not. However, having the firewall as a piece of software on the server
does not seem right. Also, I am not too happy about the Novell servers
(too complex and buggy, feature overkill for our needs). And I don't
think that it is in the best interest of the institution that we are
in fact dependent on Novell and these consultants. But on the other hand
I can't provide a complete alternative solution as of now, and I need to
work together with these consultants, so I need to have good
(constructive) arguments ready if I am to install a m0n0wall.
The requirements:
UPTIME. Although not critical, uptime is a priority for the institution,
since the employees communicate daily with other institutions via email.
I will not be available to troubleshoot the m0n0wall all the time, so I
have planned to have an extra m0n0wall handy (even if I install on a
Soekris or WRAP) in case the primary goes down for some reason, and to
instruct someone how to turn one off and the other on. Ideally, I would
like them to dynamically fail over, but that doesn't seem to be an
available option now. I've been made aware of pfSense (thanks Holger),
but I can't use alpha software, so while this might be an option in the
future, it isn't an option now.
NORMAL PERFORMANCE. We have 30-40 employees on the same amount of
Windows XP machines. We do not generate much traffic (probably I'm
responsible for the majority of the traffic <grin>), so we are nowhere near
saturating our 10mbit line, so on this point I am fairly confident that
any m0n0wall will handle the traffic. We'll be using many-to-one NAT on
the connection with port forwarding for the mail server etc., or perhaps
do something like a filtered bridge, since we actually have plenty of
IP addresses available, which as far as I can see is perfectly within the
performance capability of m0n0wall. I'm a bit worried whether, in the longer
term, IP-telephony might cause the Soekris to become obsolete, but then
again, the minor investment connected with a m0n0wall justifies not
being too farsighted as to what performance we will need in the future.
VPN. We are in the process of enabling people to work from home, so VPN
is a requirement for our firewall. I don't expect more than 10-20
concurrent connections in the near future (guesstimate), with each user
doing word processing on documents on our fileserver, from home,
checking email, minor surfing, and occasional larger file transfers, for
instance video material, to and from the fileserver.
I need your help in assessing what this translates to in performance
requirements for the VPN part of m0n0wall.
I'm leaning towards installing m0n0wall on two Soekris 4801, since WRAPs
do not seem to be available at the moment. But, judging from the
information that I have been able to find on this mailing list and in
Manuel Kasper's performance benchmarks, the Soekris only provides
about 2mb/s of throughput for VPN, and I am worried about whether this
is enough for our needs. Again I need help judging whether this is
enough. And I don't think the spare PC hardware that I have available
will fare any better (AMD K6 or Pentium 2 based machines) as a m0n0wall
box. VPN performance is my main concern as to whether a m0n0wall will
cut it.
So, I hope I've described what I need help to do in an understandable
way, and that you'll reward my efforts with some help to further a good
cause ;)
Regards,
Tor Bechmann Sorensen