Alternative to Cisco router?



  • Hi, I'm very new to the world of firewalls so sorry if this is a stupid question.

    At work we're installing some new Debian servers in a rack which we have at a data center. The servers will be used for live video streaming to several thousand users and so we will be using about 1Gbps of bandwidth. This high end of firewalls is beyond me at the moment so I'm trying to learn.

    We have been advised by the DC that a Cisco ASA5550 would be the best device to get as it has the throughput. We have 2x 1Gbps ports coming into our rack and then about 5 servers inside the rack. Each server will have its own public and private IP address.

    What I want to know is, is it possible for the m0n0wall box to deliver the same reliability as the Cisco ASA5550 (we're willing to spend money on this if it's cheaper than an ASA5550, so something like a £1000 Dell Xeon with RAID 1 SCSI drives, which I know is overkill but this is mission critical) and also deliver the traffic to the servers based on the public IP address whilst still filtering out hack attempts etc.?

    One last question, obviously we'd have the two incoming connections hooked up, but we would also want to have two connections to the rack switch for redundancy purposes. Is this possible?

    Thanks for any and all advice.

    Andrew.


  • LAYER 8 Moderator

    First, you are talking about pfSense. No m0n0wall here ;)
    As for the reliability: I have two pfSense firewalls in our datacenter, each one hooked to a separate 100Mbit/s connection. Both are working in CARP redundancy mode and since I started using them, I have no more bad feeling in powering off the active node, 'cause I simply know that the second one will take over almost instantly, even with streaming video/audio or active remote connections.

    Only limiting thingy IMHO is the hardware you run pfSense on. Buy appropriate and supported hardware and it should work. I think there have been reports around the forums here on what is necessary for running 1GB/s smoothly.
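    To make the two points above concrete (the original poster's "deliver traffic to each server by its public IP while still filtering", and the moderator's CARP failover pair), here is a hand-written pf ruleset in the style of a FreeBSD pf.conf. It is an added illustration, not pfSense's own generated configuration (pfSense builds its ruleset from the web GUI); interface names, the CARP/pfsync interface, and all addresses are placeholders taken from the RFC 5737 documentation ranges.

```pf
# Constructed example, not pfSense output. Interfaces and addresses are assumptions.
ext_if  = "em0"     # upstream Gigabit uplink (Intel em driver assumed)
int_if  = "em1"     # link to the rack switch / server VLAN
sync_if = "em2"     # dedicated crossover link between the two firewall nodes

# Public IPs (documentation prefix) and the private addresses they map to
web1_pub = "203.0.113.11"
web1_prv = "10.0.0.11"
web2_pub = "203.0.113.12"
web2_prv = "10.0.0.12"
peer_fw  = "192.168.255.2"   # the other CARP node on the sync link

set skip on lo0
scrub in all

# 1:1 (binat) mapping: inbound packets for the public IP are rewritten to the
# private server address, and the server's outbound traffic gets the public IP.
# Translation rules must precede filter rules in classic pf.conf ordering.
binat on $ext_if from $web1_prv to any -> $web1_pub
binat on $ext_if from $web2_prv to any -> $web2_pub

# Default deny with logging, then permit only the streaming service ports.
# In pf the last matching rule wins, so these pass rules override the block.
block in log all
pass in on $ext_if proto tcp from any to $web1_pub port { 80 443 } flags S/SA keep state
pass in on $ext_if proto tcp from any to $web2_pub port { 80 443 } flags S/SA keep state

# CARP advertisements on the shared segments and pfsync state replication on
# the dedicated sync link keep the standby node ready to take over.
pass quick on { $ext_if $int_if } proto carp
pass quick on $sync_if proto pfsync
pass quick on $sync_if from $peer_fw to any

# Servers may initiate outbound connections; replies are matched by state.
pass out on $ext_if keep state
```

    The design point is that the firewall itself stays transparent to the servers: each server keeps a private address, the public address exists only in the binat mapping, and the block-then-pass ordering means anything other than the streaming ports is dropped and logged before it reaches the rack. The CARP and pfsync passes are what allow the standby unit to inherit both the shared virtual IPs and the existing connection state when the active node is powered off.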



  • You may be interested in this thread where foomanjee talks about his pfSense firewalls running foxnews.com and foxbusiness.com.
    http://forum.pfsense.org/index.php/topic,7668.msg43776.html#msg43776

    Also make sure you are using server-class Intel Gigabit NICs. Intel handles the processing on the NIC itself and saves your CPU.

    When pfSense 1.3 is released it will be running on FreeBSD 7. The FreeBSD 7 TCP stack is even faster.
    http://blog.pfsense.org/?p=173



  • Does pfSense work with NAT-T? That was a deal breaker for me.



  • @valnar:

    Does pfSense work with NAT-T? That was a deal breaker for me.

    1.3 will.

