[kwlug-disc] IPCop (and friends) vs hardware router

unsolicited unsolicited at swiz.ca
Thu Jun 18 02:19:08 EDT 2009


You want a layer 3 switch. <kidding>. <sort of>. (The layer 3 switch, 
and many other devices, would let you distinguish between managing 
your internal network, and managing your external network. You could 
cross-over some things too, if for some reason that were desirable. 
e.g. block some things at the layer 3 switch to reduce the workload of 
your real firewall.)

Break it down another way. What discrete functions do you want to run? 
On how many devices? e.g. One box firewall, another box VPN, another 
box monitoring, etc. Or one box to rule them all.

I doubt any D-Link or Linksys or like cheapo router will handle your 
load in the way you want it to.

My own experience demonstrates to me that when you mix too many things 
on one box, it becomes burdensome to maintain / keep things straight 
in terms of bits of interaction in multiple places.

You have been playing with system logging and the like. There are some 
advantages to running all such stuff on the firewall box.

I can see the PC route would have advantages in terms of flexibility 
and community support, since it would run FOSS software. (And provide 
more solution possibilities than some other dedicated box solutions 
might, such as multiple DMZs.) You could clone it, and gain redundancy 
in various ways. i.e. You probably have multiple PCs available to you 
- you may not have 2 of any other devices.

I can't recall the last time I've seen Linux, vs. BSD, etc. used on a 
firewall.

But break down the discrete functionality you want, first. e.g. Pick 
what software packages you would like to run. One sort of defines the 
other, and vice versa.

P.S. Have Rogers send you the offending logs. You have to tell them to 
e-mail it to you beforehand. i.e. Logs of things you've already 
experienced will be long gone.

Paul Nijjar wrote, On 06/17/2009 11:36 PM:
> 
> In one corner, I have an IPCop box that I am getting increasingly
> unhappy with. IPCop has been pretty solid for me and I have
> appreciated a few of the add-ons, but I have been trying to block all
> traffic on certain ports and it is not working. 
> 
> In the other corner I have a Linksys WRT54GL router, onto which I
> have the option of installing some open firmware. (I am so done with
> proprietary black box firmware with bad logging. Sorry, D-Link.) 
> 
> In the third corner I have the possibility of playing with pfSense or
> Xorp or whatever the Next Big Thing is in putting a router on an x86
> box.
> 
> In the fourth corner I have me, whimpering and rocking back and forth
> as I struggle to understand all of the options and get something
> working so that Rogers quits threatening to shut down our internet
> access. 
> 
> I don't want much more than what a home router offers. Maybe these
> things are not offered by all home routers:
>   - I do want the ability to expand (e.g. with OpenVPN) in the future
>   - I do want good logging
>   - I do want to block traffic on some ports
>   - I do want to expose some ports on a server
>   - I want the protection against Internet attacks to be good
>   - I want something that is maintained and has updates 
>   - I want both exposure to internals if I need twiddling, and a
>     reasonable GUI so that I (and my co-workers) don't have to twiddle
>     with everything
>   - I do NOT want wireless at this time (even though the Linksys has
>     wireless)
>   - I want to get this working at a basic level without a lot of
>     twiddling 
>   - I want performance to be good enough so that my users don't
>     notice that something has changed
> 
> Maybe I am asking for pie in the sky. Maybe not. Which of the first
> three corners should I focus on, and why?
> 
> In terms of the second corner, there appear to be a number of different
> firmwares available. Which do I want to use? 
> 
> In terms of the third corner, which of the many router distributions
> should I consider and why?
> 
> I realize that this cry for help sounds a lot like "Which distribution
> is the best?" because that is exactly what it is. However, telling me
> what you have chosen and why will probably be enlightening. 
> 
> - Paul
> 


