At 12:45 AM 4/1/2004, Vincent FLEURANCEAU wrote:
>I'm looking for people who use m0n0wall in a corporate environment, for
>their customers or for their own needs.
We have two uses.
The first is an exterior firewall between our ISP (AT&T) and all the rest
of our gear. That runs on a Soekris net4501, and does the typical blocking
of RFC-1918 addresses, spoofed versions of our own addresses, the
draft-Manning address set, throttling of ICMP for DoS attacks, etc. It is
fed a 100Mbps FDX ethernet from AT&T. According to our SNMP monitoring, we
average around 2Mbps long term, but do burst to the full 100Mbps. Since
that box is a single point of failure, there is a second identically
configured net4501 in the rack with Cat5 certified RJ-45 switches as a hot
standby. We're planning to eventually implement VRRP or something like it
to make the failover automatic.
The other use is to implement a hack/kludge. We are an ASP, and most of
our customers connect via a VPN to our inner firewall (which is a Sun E250
running Checkpoint Firewall-1). The net between the inner and outer
firewalls is our untrusted network (or DMZ). Because the customer is
always right, we allow their own network addresses to traverse the
DMZ. That means, inevitably, we have collisions on RFC-1918 address
spaces. We use a net4501 to do 1:1 NAT on one block of addresses to
another (non-conflicting) block of addresses.
>More, I plan to use m0n0wall on Soekris hardware, so I have 2 other questions:
>- Does the 4501 (basic) model suit for all 5 gateways?
Probably. But the cost difference between it and the net4801 is small
enough you might not want to gamble.
>- Is the VPN add-on card useful (or even needed) for all 5 gateways?
It moves the encryption for key exchange and IPsec into hardware from
software. So, the more tunnels you need to terminate, the more you'd want
the card, or the faster 4801, or both.
Since you said these offices are going to be connected by DSL, my guess is
the data rates will be slow enough you will not have to worry. But only
you can actually test in your own environment.
Has anyone on this list benchmarked a 4501 with VPN card against a 4801?
Chad R. Larson (CRL22) chad at eldocomp dot com
Eldorado Computing, Inc. 602-604-3100
5353 North 16th Street, Suite 400
Phoenix, Arizona 85016-3228
-- CONFIDENTIALITY NOTICE --
This message is intended for the sole use of the individual and entity to whom it is addressed, and
may contain information that is privileged, confidential and exempt from disclosure under applicable
law. If you are not the intended addressee, nor authorized to receive for the intended addressee,
you are hereby notified that you may not use, copy, disclose or distribute to anyone the message or
any information contained in the message. If you have received this message in error, please
immediately advise the sender by reply email, and delete the message. Thank you.
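An added example (not code from Chad's message or from m0n0wall itself) that turns the exterior-filter policy he describes into a small Python classifier: a WAN-side source is dropped if it is RFC-1918, a spoof of the site's own block, or another special-use block of the kind the draft-Manning list catalogues, and inbound ICMP is throttled with a token bucket. The site prefix 203.0.113.0/24, the block lists and the timestamps are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Assumed: the site's own public block; it must never show up as a source
# on the outside interface, so anything carrying it is spoofed.
OWN_PREFIXES = [ip_network("203.0.113.0/24")]  # constructed example block

RFC1918 = [ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Further special-use blocks of the kind draft-manning-dsua catalogues
# (this-network, loopback, link-local, TEST-NET, multicast, class E).
SPECIAL_USE = [ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "192.0.2.0/24", "224.0.0.0/4", "240.0.0.0/4")]


def classify_wan_source(src):
    """Return why a packet arriving on the WAN side with this source
    should be dropped, or None if the exterior filter may pass it."""
    addr = ip_address(src)
    if any(addr in n for n in OWN_PREFIXES):
        return "spoofed-own-address"
    if any(addr in n for n in RFC1918):
        return "rfc1918"
    if any(addr in n for n in SPECIAL_USE):
        return "special-use"
    return None


class IcmpThrottle:
    """Token bucket for inbound ICMP: forward at most `rate` packets per
    second with a burst of `burst`; the excess of a flood is dropped."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        """now: monotonic timestamp in seconds for the arriving packet."""
        elapsed = now - self.last
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False
```

In a real deployment the ICMP bucket would be keyed per source or per interface; the single bucket here mirrors the blanket "throttle ICMP" rule on the border box.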