High-speed firewall for home usage
April 22, 2010 9:18 AM

How do I find a firewall for at home that can deal with a very fast (32-100 Mbit) cable connection in Switzerland?

I have a local home network with about five devices that all want to access the Internet. Up till now, I have always used ADSL for connecting to the Internet. I used a router that hooked directly into the telephone line and allowed me to connect to ADSL. The router also acted as a NAT and Firewall between the Internet and my local network, so I had a "reasonable" amount of security in place.

However, I am now "upgrading" from a 5 Mbit ADSL line to a 32 (and possibly later on 100) Mbit cable connection. The cable company, a Swiss company not Comcast(!), provides a cable modem, which I would like to hook into my network. However, if I understand this right, if I were to use my existing ADSL router, it would consider this connection part of the LAN and therefore not provide any firewall. I am therefore looking for a firewall that plays nice with the Thomson cable modem.

I have found devices such as the Netgear Prosafe 8-Port gigabit VPN Firewall, which would provide me with a firewall between my local network and the WAN. However, although all the network ports are Gigabit ports, this specific device only provides up to 25Mbit/s transfer rates between the WAN and the LAN, whereas my cable connection should be faster than that with speeds up to 100Mbit. When I look around for other devices, they all seem to be even slower.

What am I missing? Am I misinterpreting some of this information? Do I need to buy a really expensive, professional, firewall in order to get this to work?

BTW: I prefer Netgear as I have had really good experiences with their hardware!
posted by eurandom to Computers & Internet (10 answers total)
Do you or someone you know have an old PC lying around? Slap 2 gigabit ethernet adapters into it, and install one of the many different Linux distributions out there that will turn it into a dedicated firewall.

posted by namewithoutwords at 9:54 AM on April 22, 2010

Have you looked at this?

It shows the reported WAN-to-LAN speeds of various routers.
posted by chengjih at 9:54 AM on April 22, 2010 [1 favorite]

First, allow me to say: I am really goddamn jealous.

With that out of the way, I think that the answer is "yes," as in, yes you will probably be looking at a significant piece of networking equipment. A 100 Mb uplink is a really fat pipe, and most home/SOHO gear is just not designed for that kind of throughput. It'll handle it on the LAN side, sure, but that's because it's just acting as a switch on that side. It's not doing NAT or stateful firewalling or anything else that requires much intelligence. It does have to do that stuff for traffic going out to the WAN.

You have two options, basically. One is that you could suck it up and buy a piece of Real Networking Gear capable of handling a 100Mb uplink. The other is that you could construct one using a commodity PC and one of the many "appliance OSes" like Smoothwall. This will be cheaper in the short term but will probably consume more power ... although it might not if you went with a very compact SFF PC. Just do yourself a favor and get something with two NICs. (You can actually run a firewall on one NIC using a good managed switch and VLAN tagging, but it's a pain.)

There are some threads on the Smoothwall discussion board that will give you an idea of system requirements for a 100Mb WAN, but there seems to be a lack of real-world experience. My WAG is that if you get something with two GigE ports and a real processor (so not an Atom or ARM) you should be fine. You won't need a lot of disk and probably not that much main memory — enough to run the distro comfortably but not a lot more — but I/O and processor are going to be the limiting factors. However, anything designed to act as a small general-purpose server (not a NAS appliance though!) ought to be fine.

I'd probably go with the DIY route but that's just me. There are places on the web where you can get used/off-lease Cisco gear that's not hideously expensive, or you can always shop the 'bay, or look locally at various corporate-surplus places (where I've found the best deals). I don't know much about Cisco so I'll leave recommending models to others.
posted by Kadin2048 at 10:06 AM on April 22, 2010 [1 favorite]
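The two-NIC Linux box that namewithoutwords and Kadin2048 describe above, written out as an added example (this is not code from any answer in the thread): a small POSIX shell script that emits an nftables ruleset doing the NAT and stateful filtering those posts talk about. The connection tracking (`ct state`) is the "intelligence" Kadin2048 refers to; it is what costs CPU per packet, and it is also what keeps unsolicited WAN traffic away from things like a NAS on the LAN. The interface names eth0/eth1 and the 192.168.1.0/24 LAN range are assumptions made up for illustration, and the ruleset is IPv4 only.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset for a two-NIC Linux firewall
# sitting between a cable modem (WAN) and the home LAN.
# All names below are assumptions for illustration, not values from the thread.
WAN_IF="${WAN_IF:-eth0}"              # NIC plugged into the cable modem (assumed name)
LAN_IF="${LAN_IF:-eth1}"              # NIC plugged into the LAN switch (assumed name)
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # constructed private LAN range

# Emit the ruleset as text so it can be reviewed or diffed before it is
# loaded with:  ./firewall.sh | nft -f -
generate_ruleset() {
    cat <<EOF
flush ruleset

table inet home_fw {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        # Replies to connections the firewall itself opened (DNS, NTP, updates)
        ct state established,related accept
        ct state invalid drop
        # Management of the firewall box is only possible from the LAN side
        iifname "$LAN_IF" accept
        # The WAN side may only deliver DHCP leases from the cable company and
        # the ICMP types needed for path MTU discovery and basic diagnostics.
        # IPv4 only: a dual-stack link would also need icmpv6 neighbour discovery.
        iifname "$WAN_IF" udp sport 67 udp dport 68 accept
        iifname "$WAN_IF" icmp type { echo-request, destination-unreachable, time-exceeded } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Return traffic for flows the LAN started; this is the stateful part
        ct state established,related accept
        ct state invalid drop
        # The LAN may initiate anything towards the WAN
        iifname "$LAN_IF" oifname "$WAN_IF" ip saddr $LAN_NET accept
        # Everything else, i.e. anything the WAN tries to start, hits the drop policy
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }

    chain postrouting {
        type nat hook postrouting priority 100;
        # Hide the whole LAN behind the single address the cable company hands out
        oifname "$WAN_IF" ip saddr $LAN_NET masquerade
    }
}
EOF
}

# Cheap sanity checks on the generated text, so a typo in the variables is
# noticed before the rules are loaded on the box.
count_default_drop_chains() {
    generate_ruleset | grep -c 'policy drop;'
}

count_masquerade_rules() {
    generate_ruleset | grep -c 'masquerade'
}

count_stateful_accepts() {
    generate_ruleset | grep -c 'ct state established,related accept'
}

# When run directly, print the ruleset for review.
generate_ruleset
```

Loading the output with `nft -f -` requires root and a kernel with nftables; the script itself only prints text, so it can be checked on any machine first. Both filter chains default to `drop`, so anything not explicitly listed, in particular any connection the WAN side tries to open, is discarded.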

Whu? Really? Are you doing something special that needs extra security? Pretty much everyone I know is on 100 mbits at home and is covered well enough with the provided cablemodem/router and a home-user-level firewall, usually Windows' built-in one.
posted by Iteki at 10:11 AM on April 22, 2010

What Kadin said. 100Mb is huuuuuuge. Cisco's ASA line will cover it, but you're talking a few thousand $$$ minimum.

Question: what will you actually be doing with this pipe? Are you going to be maxing out the pipe all the time? If you're only doing a few Mb of transfers at a time you don't need the full 100mb throughput.
posted by anti social order at 10:44 AM on April 22, 2010

There's no reason to buy expensive gear for a simple 100mbit home connection.
Pick a decent home "router" and you'll have no problems whatsoever.

The ones marketed as "gaming" are sometimes more tolerant of large numbers of multiple connections, but these days just about any but the cheapest home gateways can handle your connection needs.

Your ADSL gateway might work (depends on how it can be configured) but probably not if it's the plug-directly-into-the-line type.
posted by madajb at 11:35 AM on April 22, 2010

@madajb - he's talking about a 100mb cable modem connection.
posted by kenliu at 8:06 PM on April 22, 2010

Best answer: Cisco's ASA line will cover it, but you're talking a few thousand $$$ minimum.

You might be overspeccing there, just slightly. If this was for a business, I think you could get by with a Cisco SA 520, Juniper SSG5, SSG20 or a Sonicwall TZ series, all of which are under 1K.

Seeing as this is for a home connection though, apparently the Linksys WRT610N can push 136Mbps WAN to LAN with SPI turned off.

A 100Mbit WAN connection is definitely not fucking around territory. If you don't want to pay cash money, you can make a powerful enough firewall out of commodity hardware and open source software. There's a learning curve, but I've really been digging Vyatta lately. For something a bit easier to use there's also Untangle, Endian, or Smoothwall mentioned already upthread.
posted by tracert at 11:32 PM on April 22, 2010

madajb - he's talking about a 100mb cable modem connection.

Ummm...yes, I know?

Still no reason to spend $1000 or more for hardware.
Any higher-end gateway (read: not the $40 cheapie with limited memory and a weak processor) can handle 100mbit at wirespeed.
posted by madajb at 12:19 AM on April 23, 2010

Response by poster: Thanks for all the feedback, this discussion was very helpful, albeit a bit confusing between suggestions for expensive professional equipment, building your own, and getting it to work with a standard "out of the box" router.

chengjih, what confused me was that all the routers at the top of the chart were wireless routers, whereas I was focusing on a broadband router / basic firewall. Upon further reading, I realized that the wireless routers also have the broadband router and firewall functionality and more.

anti social order, the only slightly unusual thing I am doing with this pipe apart from the "regular Internet stuff" is that I create and publish large 360 panorama and gigapan images (500Mb-1GB) that need to be uploaded and downloaded, and I was trying to speed up that process while enjoying a faster connection.

Iteki, for example, I have a NAS on the network and would not want someone to access or destroy the data on there, so I wanted to have some firewall protection / security mechanisms that allow me to separate my LAN and WAN. Besides, when I read any security-related articles, they always recommend having a two-level firewall, one hardware and one on your PC.

I eventually decided to go with the Netgear WNDR3700, which is reasonably priced, seems to meet the needs, has some basic firewall capabilities, including SPI, and, as a bonus, I get to upgrade my wireless network from a g to an n network in the process.
posted by eurandom at 4:35 AM on April 23, 2010
