[142535] in North American Network Operators' Group


Re: Firewall Appliance Suggestions

daemon@ATHENA.MIT.EDU (Rhys Rhaven)
Thu Jun 30 17:49:48 2011

Date: Thu, 30 Jun 2011 16:48:53 -0500
From: Rhys Rhaven <rhys@rhavenindustrys.com>
To: nanog@nanog.org
In-Reply-To: <CC75EEBF17C7374EA8309102B7B10C840C7E3A@SHSBS.shenrons-house.local>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

You can run pfSense in a VM, and the GUI is rather easy. VLANs are
configured as separate interfaces. So once you configure which VLANs are
which, your NOC monkey can simply go to the firewall and edit each VLAN's
separate firewall rules. Multiple Phase 2 in a single Phase 1 was
added in version 1.3, which was never released as stable, as all
development went to version 2.0. So you will have to run 2.0RC3, but
hear me out.

I've been using 2.0 on production networks, and quite a few of its
features, since November of last year, at which time it was still a
snapshot release. I have consistently been updating a VM, a few
home-built machines, and our embedded devices in remote offices nearly
every week since then. It has never broken anything, ever. I only put it
into production once the bugs became minimal enough that they wouldn't
bother me. Currently there is only one bug not addressed, and it isn't
hard to avoid. http://redmine.pfsense.org/projects/pfsense/issues?query_id=10

Also, it's free, so not hard to try out. Here's the RC3 announcement with
download links. http://blog.pfsense.org/?p=589

On 06/30/2011 10:50 AM, Blake T. Pfankuch wrote:
> Howdy,
> I am looking for something a little unique in a bit of a tough
> situation with some sticky requirements. First off, my requirements
> are a little weird and I can't bend them a whole lot due to
> stipulations being put on me. I am in need of a firewall appliance
> which can be run on VMware vSphere, with IPSEC support for multiple
> Phase 2 negotiations within a single Phase 1. I am also in need of
> something that can support VLAN interfaces on the LAN side, and
> ideally something with multi zoning so I can keep LAN side networks
> separate from each other without ridiculous firewall rules. Meaning
> build a zone for "Customer network 1" and it displays separately
> (ease of management and firewall config hopefully). I need a minimum
> of 10 "zones" on LAN side (/29 or /30), and NAT support for LAN to WAN
> (to dedicate all outbound connections to a single IP from a specific
> zone), ideally something extremely scalable (100-200 zones). And here
> is the super fun part! I need something that is going to be web
> managed primarily as minions will be doing most of the day to day
> maintenance, or very simple CLI config. Willing to pay for something
> if need be, but looking for something that can easily handle
> 50-100mbit of throughput.
>
> Any Ideas?
>
> Thanks!
>
> Blake Pfankuch
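The design both messages describe (one VLAN sub-interface per customer "zone", a default-deny policy that keeps zones apart, and a dedicated outbound NAT address per zone) is easier to reason about when the rules are generated from a zone table rather than clicked in one at a time, especially at the 100-200 zones Blake mentions. The following is an added example, not code from either poster or from the pfSense project: it emits pf-style rules (pfSense is built on FreeBSD's pf, but normally manages its ruleset through the GUI, so this is illustrative of the policy, not a file you load into pfSense) and first checks the zone table for overlapping subnets, reused VLAN ids and reused NAT addresses, which are the mistakes that silently merge two customers' traffic. The zone names, VLAN ids, subnets, NAT addresses and the interface names `em0`/`em1` are all constructed for the example.

```python
"""Generate a pf-style ruleset that isolates per-VLAN customer zones and
gives each zone its own outbound NAT address.

Constructed example: every zone, address and interface name below is made
up; em0 (WAN) and em1 (VLAN parent) are assumptions, not pfSense defaults.
"""
import ipaddress

WAN_IF = "em0"      # assumed WAN interface
LAN_PARENT = "em1"  # assumed parent interface carrying the tagged VLANs

# Constructed zone table: (zone name, VLAN id, LAN subnet, dedicated NAT IP)
ZONES = [
    ("customer1", 10, "10.10.1.0/29", "203.0.113.11"),
    ("customer2", 11, "10.10.2.0/30", "203.0.113.12"),
    ("customer3", 12, "10.10.3.0/29", "203.0.113.13"),
]


def validate_zones(zones):
    """Return a list of problems (empty list means the table is consistent).

    Overlapping subnets, a reused VLAN id or a reused NAT address would each
    let one customer's traffic be treated as another's, so they are rejected
    before any rule is generated.
    """
    problems = []
    seen_vlan, seen_nat, nets = set(), set(), []
    for name, vlan, subnet, nat_ip in zones:
        net = ipaddress.ip_network(subnet, strict=True)
        for other_name, other in nets:
            if net.overlaps(other):
                problems.append(f"{name} subnet {net} overlaps {other_name} {other}")
        nets.append((name, net))
        if vlan in seen_vlan:
            problems.append(f"{name}: VLAN {vlan} already used")
        seen_vlan.add(vlan)
        if nat_ip in seen_nat:
            problems.append(f"{name}: NAT address {nat_ip} already used")
        seen_nat.add(nat_ip)
    return problems


def build_ruleset(zones, wan_if=WAN_IF, parent=LAN_PARENT):
    """Return the ruleset as a list of pf.conf lines; raises on a bad table."""
    problems = validate_zones(zones)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [f'ext_if = "{wan_if}"']
    # One macro set per zone keeps the rules readable at 100-200 zones.
    for name, vlan, subnet, nat_ip in zones:
        lines.append(f"# vlan{vlan}: ifconfig vlan{vlan} create vlandev {parent} vlan {vlan}")
        lines.append(f'{name}_if = "vlan{vlan}"')
        lines.append(f'{name}_net = "{subnet}"')
        lines.append(f'{name}_nat = "{nat_ip}"')
    # Table of every zone subnet; used to stop any zone reaching another one.
    all_nets = " ".join(z[2] for z in zones)
    lines.append(f"table <zone_nets> const {{ {all_nets} }}")
    # NAT: each zone leaves on its own dedicated public address.
    for name, *_ in zones:
        lines.append(f"nat on $ext_if from ${name}_net to any -> ${name}_nat")
    # Default deny, then per-zone policy: a zone may reach anything except
    # the other zones (its own subnet is in the table too, so traffic to the
    # firewall's address inside the zone would need a separate pass rule).
    lines += ["block in log all", "block out log all"]
    for name, *_ in zones:
        lines.append(
            f"pass in quick on ${name}_if from ${name}_net to !<zone_nets> keep state"
        )
    lines.append("pass out quick on $ext_if keep state")
    return lines


if __name__ == "__main__":
    print("\n".join(build_ruleset(ZONES)))
```

Adding a zone is one row in the table; the overlap and reuse checks run on every build, so a typo in a new /30 is caught before it turns into a rule that quietly shares a NAT address between two customers.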
