 From:  "Chad R. Larson" <clarson at eldocomp dot com>
 To:  Vincent FLEURANCEAU <v dot fleuranceau at parc dash landes dash de dash gascogne dot fr>
 Cc:  m0n0wall mailing list <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Corporate VPN (multiple tunnels) - Feedback needed
 Date:  Sat, 3 Apr 2004 14:58:46 -0700
At 12:45 AM 4/1/2004, Vincent FLEURANCEAU wrote:
>I'm looking for people who use m0n0wall in a corporate environment, for 
>their customers or for their own needs.

We have two uses.

The first is an exterior firewall between our ISP (AT&T) and all the rest 
of our gear.  That runs on a Soekris net4501, and does the typical blocking 
of RFC-1918 addresses, spoofed versions of our own addresses, the 
draft-Manning address set, throttling of ICMP for DoS attacks, etc.  It is 
fed a 100Mbps FDX ethernet from AT&T.  According to our SNMP monitoring, we 
average around 2Mbps long term, but do burst to the full 100Mbps.  Since 
that box is a single point of failure, there is a second identically 
configured net4501 in the rack with Cat5 certified RJ-45 switches as a hot 
standby.  We're planning to eventually implement VRRP or something like it 
to make the failover automatic.

The other use is to implement a hack/kludge.  We are an ASP, and most of 
our customers connect via a VPN to our inner firewall (which is a Sun E250 
running Checkpoint Firewall-1).  The net between the inner and outer 
firewalls is our untrusted network (or DMZ).  Because the customer is 
always right, we allow their own network addresses to traverse the 
DMZ.  That means, inevitably, we have collisions on RFC-1918 address 
spaces.  We use a net4501 to do 1:1 NAT on one block of addresses to 
another (non-conflicting) block of addresses.

>More, I plan to use m0n0wall on Soekris hardware, so I have 2 other questions:
>
>- Does the 4501 (basic) model suit for all 5 gateways?

Probably.  But the cost difference between it and the net4801 is small 
enough you might not want to gamble.

>- Is the VPN add-on card useful (or even needed) for all 5 gateways?

It moves the encryption for key exchange and IPsec into hardware from 
software.  So, the more tunnels you need to terminate, the more you'd want 
the card, or the faster 4801, or both.

Since you said these offices are going to be connected by DSL, my guess is 
the data rates will be slow enough you will not have to worry.  But only 
you can actually test in your own environment.

Has anyone on this list benchmarked a 4501 with VPN card against a 4801 
without?

         -crl
--
Chad R. Larson (CRL22)    chad at eldocomp dot com
   Eldorado Computing, Inc.   602-604-3100
      5353 North 16th Street, Suite 400
        Phoenix, Arizona   85016-3228

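As an added illustration of the two roles described in the message above (an exterior ingress filter that drops RFC-1918 and spoofed-own-address sources and throttles ICMP, and a 1:1 NAT box that remaps one RFC-1918 block onto a non-conflicting one), here is a small Python model of those decisions. This is example code written for this page, not m0n0wall's or ipfilter's own logic and not the poster's configuration; the "own" public block is a placeholder from the RFC 5737 documentation range, the extra bogon ranges are an assumed subset of what a bogon list covers, and the packet samples are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Placeholder for "our own" public block (RFC 5737 documentation range, not a real assignment).
OUR_PUBLIC_NET = ipaddress.ip_network("203.0.113.0/24")

# RFC-1918 private space: never a legitimate source on the Internet-facing interface.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed subset of other unroutable ranges of the kind a bogon list covers.
EXTRA_BOGONS = [ipaddress.ip_network(n) for n in
                ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "icmp"


class TokenBucket:
    """Simple rate limiter: 'rate' tokens per second, up to 'burst' stored."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.capacity = float(burst)
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now):
        # Refill proportionally to elapsed time, then spend one token if available.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def ingress_verdict(pkt, icmp_bucket, now):
    """Decide what the exterior firewall does with a packet arriving from the ISP side."""
    src = ipaddress.ip_address(pkt.src)
    if any(src in n for n in RFC1918):
        return "drop: rfc1918 source"
    if any(src in n for n in EXTRA_BOGONS):
        return "drop: bogon source"
    if src in OUR_PUBLIC_NET:
        # Our own addresses can only originate inside; seeing them outside means spoofing.
        return "drop: spoofed own address"
    if pkt.proto == "icmp" and not icmp_bucket.allow(now):
        return "drop: icmp rate limit"
    return "pass"


def one_to_one_nat(addr, from_net, to_net):
    """Map a host in from_net to the host at the same offset in to_net (1:1 NAT).
    Addresses outside from_net are returned unchanged."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 NAT requires equally sized blocks")
    a = ipaddress.ip_address(addr)
    if a not in from_net:
        return addr
    offset = int(a) - int(from_net.network_address)
    return str(ipaddress.ip_address(int(to_net.network_address) + offset))


def filter_trace(packets, icmp_rate=1, icmp_burst=2):
    """Run a list of (time, Packet) through the filter and return the verdicts."""
    bucket = TokenBucket(icmp_rate, icmp_burst)
    return [ingress_verdict(p, bucket, t) for t, p in packets]


if __name__ == "__main__":
    # Constructed sample traffic, not captured data.
    sample = [
        (0.0, Packet("10.1.2.3", "203.0.113.5", "tcp")),       # RFC-1918 source
        (0.0, Packet("203.0.113.9", "203.0.113.5", "tcp")),    # our own block spoofed
        (0.0, Packet("198.51.100.7", "203.0.113.5", "tcp")),   # ordinary traffic
        (0.0, Packet("198.51.100.7", "203.0.113.5", "icmp")),  # 1st ping: within burst
        (0.0, Packet("198.51.100.7", "203.0.113.5", "icmp")),  # 2nd ping: within burst
        (0.0, Packet("198.51.100.7", "203.0.113.5", "icmp")),  # 3rd ping: throttled
        (1.0, Packet("198.51.100.7", "203.0.113.5", "icmp")),  # a second later: refilled
    ]
    for (t, p), v in zip(sample, filter_trace(sample)):
        print(f"t={t:.1f} {p.proto:4} {p.src:>14} -> {p.dst}: {v}")

    # A customer's 192.168.1.0/24 collides with another's; remap it across the DMZ.
    cust = ipaddress.ip_network("192.168.1.0/24")
    dmz_alias = ipaddress.ip_network("10.200.1.0/24")
    print(one_to_one_nat("192.168.1.10", cust, dmz_alias))  # forward direction
    print(one_to_one_nat("10.200.1.10", dmz_alias, cust))   # return traffic
```

The order of the checks matters: the private-source and bogon tests come before the own-address test so that each drop reason is unambiguous in logs, and ICMP is only rate-limited, not blocked, so path MTU discovery and diagnostics keep working. The 1:1 mapping is a pure address arithmetic rewrite, which is what makes it reversible for return traffic without any per-flow state.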