
The company that I work for has three internet connections. We're planning to install a single firewall appliance that covers all of the three connections.

I can theoretically imagine it being done by connecting all of the network lines to a single very very expensive appliance.

However, I would like to use an open-source solution, e.g. OPNsense or pfSense. So I will need to assemble my own hardware.

What would be the most efficient way to do this without having to buy an enterprise-grade firewall appliance?

1 Answer

In my experience, I can tell you that neither cheap nor expensive hardware will get you the same performance as the vendor's embedded UTM appliance. I tried Endian both as a VM and on bare metal. There's no chance it will ever perform as fast as their UTMs.

I can suggest you try the open-source route (pfSense is a good choice too), but you'll have to see if it works well with your environment.

Many functions, such as content filtering/antivirus on HTTP(S), traffic shaping, mail proxy etc., will become slow in a big environment. With Endian I experienced a damn slow proxy with fewer than 30 clients!

If they have both free community-supported software and enterprise-grade hardware appliances, there should be a difference! Otherwise the price of 4-5-10000€ for their HW appliances wouldn't be justified, compared to a free ISO that can run on any 10-year-old PC.

So to answer your question: if you want to go the cheap way, use free software and HW you already have, but consider that you will have to give the tests their time before putting such a solution into production.

Both distros mentioned here are multi-uplink ready. You can set up multi-WAN having one NIC for the red side and handle the routers through a managed switch using VLANs (supported by both distros), or you'll need one NIC per router. I suggest the first one. Then you'll use your multiple WANs by defining either a failover policy or a policy-routing ruleset, or preferably both!

Marco
  • thanks for your suggestion. :) But how about connecting multiple WANs to the firewall? – Arpan Adhikari Jul 21 '17 at 07:34
  • Both distros mentioned in my answer are multi-uplink ready. You can set up multi-WAN having one NIC for the red side and handle the routers through a managed switch using VLANs (supported by both distros), or you'll need one NIC per router. I suggest the first one. Then you'll use your multiple WANs by defining either a failover policy or a policy-routing ruleset, or both, too! – Marco Jul 21 '17 at 08:43
  • Did you find my answer exhaustive, or are you looking for further information? – Marco Jul 21 '17 at 16:34
  • We bought an old Dell R710 and threw 128GB of RAM into it to run pfSense. It outperforms any appliance that you could purchase. When you use pfSense, I recommend getting the Gold subscription. For $100/year, you have automatic backups of your configuration (read: 1 hour rebuild) and you get access to the in-depth documentation. You'll need to read up on multi-homed routing. – Jonathon Anderson Jul 21 '17 at 18:18
  • @Marco I'm still looking for answers. :) – Arpan Adhikari Jul 26 '17 at 14:54
  • @NonSecwitter thanks for your suggestion. I am more inclined towards OPNsense but will definitely consider your suggestion. – Arpan Adhikari Jul 26 '17 at 14:54
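The layout Marco describes (one "red" NIC carrying three WAN VLANs from a managed switch, policy routing across them) written out as a hand-made FreeBSD pf.conf, added here as an illustration; it is not from the answer and not the ruleset pfSense or OPNsense generate, and the interface names, VLAN IDs and addresses are assumed.

```pf
# Added illustration: FreeBSD pf.conf for three WAN VLANs on one physical NIC.
# em0 = red side (trunk from the managed switch), em1 = LAN. All assumed.
# VLAN subinterfaces are created in /etc/rc.conf, e.g.:
#   vlans_em0="10 20 30"
#   ifconfig_em0_10="inet 203.0.113.2/30"   # WAN1, router at 203.0.113.1
#   ifconfig_em0_20="inet 198.51.100.2/30"  # WAN2, router at 198.51.100.1
#   ifconfig_em0_30="inet 192.0.2.2/30"     # WAN3, router at 192.0.2.1

lan     = "em1"
wan1    = "em0.10"
wan2    = "em0.20"
wan3    = "em0.30"
gw1     = "203.0.113.1"
gw2     = "198.51.100.1"
gw3     = "192.0.2.1"
lan_net = "10.0.0.0/24"
mailsrv = "10.0.0.25"                         # constructed example host

set skip on lo0

# Translation rules come before filter rules in FreeBSD's pf syntax:
# source-NAT on whichever uplink a connection leaves by.
nat on $wan1 from $lan_net to any -> ($wan1)
nat on $wan2 from $lan_net to any -> ($wan2)
nat on $wan3 from $lan_net to any -> ($wan3)

block log all                                 # default deny, log the drops
antispoof quick for { $wan1 $wan2 $wan3 }     # drop spoofed sources on uplinks

# Traffic to the firewall itself (admin GUI, DNS) stays local
pass in quick on $lan from $lan_net to $lan keep state

# Policy routing: outbound mail is pinned to WAN1
pass in quick on $lan route-to ($wan1 $gw1) inet proto tcp \
    from $mailsrv to any port { 25 465 587 } keep state

# Everything else is spread across the three uplinks, sticky per client
pass in on $lan route-to { ($wan1 $gw1), ($wan2 $gw2), ($wan3 $gw3) } \
    round-robin sticky-address inet from $lan_net to any keep state

# Replies to inbound connections must leave via the uplink they arrived on
pass in on $wan1 reply-to ($wan1 $gw1) inet proto tcp to ($wan1) port 443 keep state
pass in on $wan2 reply-to ($wan2 $gw2) inet proto tcp to ($wan2) port 443 keep state
pass in on $wan3 reply-to ($wan3 $gw3) inet proto tcp to ($wan3) port 443 keep state

pass out on { $wan1 $wan2 $wan3 } keep state  # let the routed traffic leave
```

Plain pf has no gateway health check, so a dead router stays in the round-robin pool; the failover half of Marco's advice is what the distros' gateway monitoring adds on top, and it is the case to test before production.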