[kwlug-disc] netalyzr/ispgeeks interpreting [was: Re: Reliable Broadband speed test]

unsolicited unsolicited at swiz.ca
Mon Mar 7 12:32:06 EST 2011


Cedric Puddy wrote, On 03/07/2011 11:59 AM:
> I can't recall what tuning opportunities exist for PIX 501's
> (presumably running 6.3(5) or so, if I remember the "latest"
> version number right).

Correct.

> As an aside, we are selling 10 user ASA-5505 boxes for less than
> $600 these days (and there is always eBay!), and they are a drop in
> replacement for PIX boxes (same config language -- you just load
> your old config on the new box via tftp, it converts it to the new
> format.  You do a bit of tidy up, and you're back in the game.).

> As has been remarked before, Tomato can be really cheap n' *very*
> easy when it comes to QoS, generally runs well.

The real motivator for any move is QoS.

And if I'm going to move to a device, I'd likely just use my Netgear 
wndr3700. It's got OpenWRT running on it - though I've done nothing 
with it beyond loading the (OpenWRT) stock. OTOH - I do see Tomato 
here on the list somewhat frequently.

Not entirely comfortable with the wi-fi gateway + other gateways 
(wired) on the same edge box, though. Probably mostly due to 
problematic experiences in the past with hardware sections within a 
box not being entirely segregated, let alone problematic NAT'ting when 
you have to NAT both source and destination IPs at the same time. 
Seldom, but it does happen.

> Alternatively, a pfsense/IPCop/etc can make really full featured
> replacements.

Yet I keep running into references of myth, lmce, asterisk, and on and 
on, wanting to be the master of the universe and edge device. Leading 
me towards a box, not a device, nor a black box.

Truth?

I've long thought there is a quick point at which doing too many 
things on one box makes everything harder to maintain, especially as 
you get into unexpected inter-relationships and 'race' conditions (A < 
B here in this section, but B < A in the other, and you need the two 
to cooperate. Before processing C, here, but after processing C, there.)

[Easiest to maintain has always seemed a firewall on the edge, VPN box 
with some firewall abilities next, then the rest of the internal 
network. Seems to cover all eventualities. Can even permit some 
redundancies, too.]

However, I keep seeing where these apps want to be the edge devices.

Perhaps analysis paralysis.

>  I keep meaning to download and explore Vyatta as a
> possible software firewall, since they make so much noise about
> being a commercial grade alternative to Cisco and friends, and do
> have a freely downloadable Core edition.

Well ... the trial by fire nature and testing of playing with 
firewalls does tend to irk the internal network users ... some of whom 
are sufficiently close to be able to strike us with rubber baseball 
bats ... mentioning no person or gender in particular, you understand. 
Despite all their claims to non-violence and passive resistance.

The nature of the beast means such playing can be hazardous to one's 
health. And humans seem to have a reasonably well refined sense of 
self-preservation.

> (Oh, and I'd just like to say it would really make me happy if a
> industry consortium would make OpenVPN an across-the-board standard
> -- I'm really not happy about this
> proprietary-one-manufacturer-at-a-time thing that's going on with
> SSL VPN offerings these days.)

WHAT? A ONE TRUE WAY? No more re-learning curves? As in, the problem's 
been solved, and the mousetrap is sufficiently invented to be able to 
move on to other things?

Heathen!

Apparently.


Let alone - even the function set of edge devices seems to be in a 
state of flux and expansion these days, a moving target. Leading to 
repeated cycles of one-upmanship. And, presumably, putting food on your 
table.
