Downside of running Cisco router w/o firewall

Ur_Mom (Fully [H], joined May 15, 2006, 20,688 messages)
I have been having issues with my pfSense firewall lately, so I got a Cisco 2811 running as my router to my ISP (NAT and DHCP running on the router). Are there any issues with running it this way, router to switch to the PCs, with no 'real' firewall being used?

pfSense seemed to cut my speeds in half: default configuration, just set up for the ISP. Got the Cisco running, and my speeds are better than advertised. NAT works fine, online gaming works fine, pings are lower. Not sure what's wrong with the pfSense install that borks my speeds, but I'll work on that later.

Is IOS security (ACLs and such) enough for a home environment? I am going to set up some basic rules.
 
As long as you have an ACL applied to the outside interface that only allows established/related traffic in and denies everything else, you'll be fine. Something like:

Code:
access-list 100 remark inbound on the WAN: TCP with ACK/RST set, or UDP coming from a DNS server's port 53
access-list 100 permit tcp any any established
access-list 100 permit udp any eq 53 any
access-list 100 remark everything else hits the implicit deny ip any any at the end of the list

Apply it to the WAN interface:

Code:
int fa 0/1
 ip access-group 100 in

You need the second rule to allow DNS traffic back in.

This is basically what consumer grade routers do anyways.
 
For ZBF features, it's gotta be K9 and 12.4T, AFAIK, which a 2811 probably has, but maybe not K9 (Crypto).
 
IOS firewalling capabilities are horrid. Doable, but you won't like it.
 
Are you thinking about the classic context-based firewall or ZBF? Honestly, if you were talking about the old method, I would agree with you 100%, but ZBF is actually pretty good. I just hate that for ISR G2 it's license dependent, but all in all it's a pretty good setup.
 
Just asking....

What is the hardware you are running pfSense on? CPU clock speed, etc.?
 
Would be interesting to know. I have a 100/100 line running through my Atom based pfSense box and see no slowdown (using as firewall/IPS/IDS)
 
If you're going to keep it simple for now as a stop gap, simple context-based inspection should be fine.

Here's what I've had on my 3750 forever and it just works:

Code:
! Added here, not in the original post: the CBAC inspect rule that
! "ip inspect Incoming out" below refers to. Inspecting sessions as they
! leave is what opens their return traffic past outside_in.
ip inspect name Incoming tcp
ip inspect name Incoming udp
ip inspect name Incoming icmp

interface FastEthernet0/0
 ip address dhcp
 ip access-group outside_in in
 ip wccp web-cache redirect out
 ip nat outside
 ip inspect Incoming out

ip access-list extended outside_in
 remark DHCP to/from the ISP, and protocol 41 (6in4) for an IPv6 tunnel
 permit udp any any eq bootpc
 permit udp any any eq bootps
 permit 41 any any
 remark bogon and RFC 1918 sources should never arrive from the outside
 deny   ip host 0.0.0.0 any
 deny   ip host 255.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark static holes for NTP, IKE (incl. NAT-T) and ICMP; anything else hits the implicit deny
 permit udp any any eq ntp
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any echo
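
A worked check of the two ACL styles in this thread (the "established" list posted earlier and the CBAC outside_in list just above), added here as an example; it is not code from either post or from Cisco. It parses IOS-style ACL lines into rules, evaluates constructed packets against them, and adds a toy session table standing in for "ip inspect". The addresses are from the documentation ranges, and the packets, the shortened copy of outside_in and the helper names (parse_acl, acl_permits, inspect_outbound, inbound_allowed) are assumptions made for the demo:

```python
# Added example (not from the thread or from Cisco): a tiny evaluator for IOS-style
# extended ACL syntax plus a toy CBAC-like session table. It shows what "established"
# actually checks, why the DNS rule must match 53 as the *source* port for replies to
# get in, and what "ip inspect" adds on top of the static outside_in list.
# Every ACL line, address and packet below is constructed for the demo.
import ipaddress
from collections import namedtuple

PORTS = {"bootpc": 68, "bootps": 67, "ntp": 123, "isakmp": 500, "non500-isakmp": 4500, "domain": 53}
PROTO_NUM = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1}
# ack: TCP ACK or RST bit set, the only thing "established" tests. icmp_type: e.g. "echo-reply".
Pkt = namedtuple("Pkt", "proto src dst sport dport ack icmp_type", defaults=(0, 0, False, ""))

def _net(tok, rest):
    """'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' (contiguous wildcard masks only)."""
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), rest
    if tok == "host":
        return ipaddress.ip_network(rest[0] + "/32"), rest[1:]
    prefix = 32 - int(ipaddress.ip_address(rest[0])).bit_length()
    return ipaddress.ip_network(f"{tok}/{prefix}", strict=False), rest[1:]

def _port(rest):
    """Consume an optional 'eq NAME|NUMBER'."""
    if rest and rest[0] == "eq":
        return PORTS.get(rest[1]) or int(rest[1]), rest[2:]
    return None, rest

def parse_acl(text):
    """Parse numbered ('access-list 100 permit ...') or named extended ACL lines."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if t and t[0] == "access-list":
            t = t[2:]                                  # drop 'access-list 100'
        if not t or t[0] not in ("permit", "deny"):
            continue                                   # header, remark or '!' line
        permit, proto, t = t[0] == "permit", t[1], t[2:]
        pnum = PROTO_NUM[proto] if proto in PROTO_NUM else int(proto)
        src, t = _net(t[0], t[1:])
        sport, t = _port(t)
        dst, t = _net(t[0], t[1:])
        dport, t = _port(t)
        icmp = next((x for x in t if x != "established"), "")
        rules.append((permit, pnum, src, sport, dst, dport, "established" in t, icmp))
    return rules

def acl_permits(rules, p):
    """First match wins; an IOS ACL ends with an implicit 'deny ip any any'."""
    for permit, pnum, src, sport, dst, dport, established, icmp in rules:
        if ((pnum is None or pnum == p.proto)
                and ipaddress.ip_address(p.src) in src and ipaddress.ip_address(p.dst) in dst
                and (sport is None or sport == p.sport) and (dport is None or dport == p.dport)
                and (not established or (p.proto == 6 and p.ack))
                and (not icmp or icmp == p.icmp_type)):
            return permit
    return False

def inspect_outbound(sessions, p, protocols=(6, 17)):
    """Toy 'ip inspect ... out': record the session so only its exact return path opens."""
    if p.proto in protocols:
        sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))

def inbound_allowed(sessions, rules, p):
    """Session entries are consulted before the static inbound ACL, as CBAC does."""
    return (p.proto, p.dst, p.dport, p.src, p.sport) in sessions or acl_permits(rules, p)

# Constructed ACLs: both spellings of the DNS return rule, and a shortened outside_in.
DNS_DST_PORT = parse_acl("access-list 100 permit tcp any any established\n"
                         "access-list 100 permit udp any any eq 53")
DNS_SRC_PORT = parse_acl("access-list 100 permit tcp any any established\n"
                         "access-list 100 permit udp any eq 53 any")
OUTSIDE_IN = parse_acl("ip access-list extended outside_in\n permit udp any any eq bootpc\n"
                       " permit 41 any any\n deny   ip 10.0.0.0 0.255.255.255 any\n"
                       " permit udp any any eq ntp\n permit icmp any any echo-reply")
WAN = "203.0.113.10"   # the router's outside address (documentation range)

def static_acl_results():
    """'eq 53' on the destination admits unsolicited queries and drops replies; on the
    source it does the opposite. 'established' is stateless: an inbound SYN is dropped,
    but an ACK scan matches because only the flag bits are examined."""
    reply = Pkt(17, "198.51.100.53", WAN, sport=53, dport=51000)
    query = Pkt(17, "198.51.100.7", WAN, sport=40000, dport=53)
    syn = Pkt(6, "198.51.100.7", WAN, sport=40000, dport=22)
    return {"reply_dst_rule": acl_permits(DNS_DST_PORT, reply),
            "query_dst_rule": acl_permits(DNS_DST_PORT, query),
            "reply_src_rule": acl_permits(DNS_SRC_PORT, reply),
            "query_src_rule": acl_permits(DNS_SRC_PORT, query),
            "syn": acl_permits(DNS_SRC_PORT, syn),
            "ack_scan": acl_permits(DNS_SRC_PORT, syn._replace(ack=True))}

def inspect_results():
    """outside_in alone drops an HTTPS SYN/ACK; once inspect has seen the outbound SYN
    that session's replies pass, while a spoofed 10/8 source still hits the deny."""
    sessions = set()
    syn_ack = Pkt(6, "198.51.100.44", WAN, sport=443, dport=52000, ack=True)
    before = inbound_allowed(sessions, OUTSIDE_IN, syn_ack)
    inspect_outbound(sessions, Pkt(6, WAN, "198.51.100.44", sport=52000, dport=443))
    return {"before": before,
            "after": inbound_allowed(sessions, OUTSIDE_IN, syn_ack),
            "spoofed_ntp": inbound_allowed(sessions, OUTSIDE_IN, Pkt(17, "10.1.1.1", WAN, 123, 123))}
```

Call static_acl_results() and inspect_results() to see the asymmetry: "eq 53" placed after the destination admits anyone's queries to your resolver and drops every reply, while "established" passes any segment with the ACK bit set, which is exactly why an ACK scan walks straight through a stateless list and why the inspect rule (or a real stateful firewall) is the part that actually tracks sessions.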
 
It should definitely be more than capable: i3 CPU, 3 GB RAM, 250 GB HDD. I think it could have been a bad NIC... I like pfSense a lot, though. I'd like to go back to it. Although, the Cisco is pretty damn awesome. :)
 
Honestly, you'd probably have better luck using OpenWRT at home over a Cisco widget. I used an 871 for years at home. It simply isn't a great home router. The DHCP server is mediocre at best, the DNS resolver does only the most basic functions, and it does VPN, AnyConnect and IPsec, but those clients are pretty awful on OS X, which is my primary platform.

OpenWRT, by contrast, has dnsmasq, which is much better suited to DHCP and DNS for home use. OpenVPN runs perfectly on the platform and has clients for iOS and OS X that are both outstanding.

The only thing I've found the 871 to be better at is QoS configuration.
 
Software-processed Cisco routers are horrible performers at NAT, ACLs and firewalling. You'll see your throughput drop significantly as you enable those features and as the rules grow in size. You're better off with the pfSense box. Make sure you're not running into a duplex mismatch, or avoid it by manually forcing the speed and duplex on both ends.
 
IOS and zone firewall are totally different things. Please do not volunteer an opinion unless you know Cisco. Zone firewall is extremely powerful and granular. It also requires a special license to run, which I do have.

IOS itself is NOT a firewall, and access lists are not an alternative. Access lists provide rules on interface flow but do NO stateful inspection. Be careful of the Cisco opinions on this and other sites.

Software-processed Ciscos? Lol???

pfSense is a piece of software also. Cisco switches and routers perform as they are classed for the particular enterprise segments they were designed for. You don't buy a Cisco 1921 to run as a data center core router, and you don't run an ASR1000 for your home.

To say that Cisco NAT etc. is a horrible performer is an idiotic statement. I run a 1921 with zone firewall, and it runs my Comcast business class at my subscription speed 24/7 with no hiccups; I am using firewall, NAT and IPS services and still get 500 Mbps inter-VLAN routing speed using my 8-port gig EHWIC interface card.

Also, you guys are using 10-year-old T1-based routers, lol, like the 871... no fucking shit they suck. Get an ISR Gen2 Cisco like a 1921 or 2900 series and eat your crow.
 
The 3750 doesn't even support NAT .... ???
 
I will add that no lower-end branch-level Cisco is going to route fast enough for these new 1 Gig fiber-to-the-home connections; you need to get into the higher-level 3000+ series for that stuff, which is highly cost prohibitive. In this case pfSense etc. are perfect candidates.
 
Your 1921 might be good for a basement network with a couple of nodes and not serving anything to the internet, but beyond that the wimpy RISC CPU inside it is no match for an Intel i3. Why do you think a Cisco SE will steer you towards the ASA, with an Intel CPU inside, for heavier firewalling and NAT instead of a router? Even a Cisco 6500/7600 with Sup720 is no match. You'll need an FWSM module to be more equivalent to the i3/pfSense.
 
Make sure you're not running into a duplex mismatch, or avoid it by manually forcing the speed and duplex on both ends.

I will throw it back in and give that a try.

Although, I did notice today a lot of memalloc errors on the Cisco. It ran out of memory (I have 256 MB, but have sticks to take it to 1 GB). I'll move the Cisco to the lab part of the network and put the pfSense back in there with manual duplex/speed settings.

Thanks for the help!
 
The SE will actually do that to get you to buy more stuff, lol. It has nothing to do with Intel. According to Cisco, my 1941 has a higher firewall throughput than the ASA 5520, and the firewall throughput of the 39x5E compares to that of the high-end next-gen ASA.

The key advantages of pfSense are the price, the amount of processing power we have in CPUs now, and the fact that you can do so much on the box. I love pfSense, but I also know that ISR G2 hardware ain't a pushover either.
 
I stopped participating but you summed it nicely.
 