Looking for best possible router money can buy

Kingpin

My boss has been looking to expand his side business of trading online. He asked me to look into finding him the best and fastest router possible that would give him the best speeds possible. He is currently using the Asus Black Diamond router and the Motorola SB6120 modem but would like to know if there are better options; spending a few hundred on a router isn't a big deal. He also wants to know if there is anything else he can do with his PC, like a network card or modem. Thanks
 
I'd start with a Cisco CRS-3. You can scale it up to 320 Tbps, so it will be future proof.

Of course, that's just the starting point. You might want to consider 2 of them, one for redundancy.
 
The best possible setup would be a small PC running something like pfSense. I would go with a small Mini ITX mobo; the thin-mini-itx Intel board is perfect, it has dual LAN, etc. Then a low end Ivy Bridge i3, some RAM, and a small mSATA SSD, and put it all into a nice small case and you're set. Virtually unlimited functionality, and you can put as much horsepower in there as you want. For example, if you see this guy wanting to use a bunch of VPN and wants good VPN performance then move to an i5 so you get AES-NI enabled, which will significantly speed up the encryption/decryption capabilities. (You will need to wait for pfSense 2.1 for AES-NI support but that will be out very soon.) I use similar setups at home, at my in-laws', and at some of my clients' small businesses. They have been bulletproof. I have an OpenVPN site-to-site link between my house and the in-laws' so I can take care of their stuff from home really easily. This also allows me easy access to my ZFS storage box from their house. I can VPN into any of my clients using this setup and then access anything on the network as if I was right there. Since pfSense is built on 100% free open source software you don't have to worry about licenses or any limitations. You can essentially scale the setups as big as you want, and the only limits are your hardware. pfSense also has a paid support plan if you are interested in something like that, which gives you that support net if you want/need it.
 
I'm assuming he is talking about speed of the internet vs the local network. You can't really do anything about it other than making sure his current router has the throughput to support the line, which it probably should. Now if you're talking about features such as VPN, UTM, etc., he can always go for enterprise gear or just do as suggested above and build a pfSense box.
 
A dual WAN port router will be crucial if he is doing day trades or anything like that. Below is an example of one and the reasons why something of this sort would be nice. I'm not saying to run out and get this specific router, though it will probably do the job just fine. This is just an idea of some points that may not have crossed his mind as far as his requirements go.


The FVS336Gv2 ProSafe Dual WAN Gigabit Firewall Router with SSL and IPsec VPN from Netgear would probably do what he needs fine. The SSL and IPsec VPN may not be used but the dual WAN ports etc. will be nice (for reasons stated below).

If he is trading online he will want the following (if he wants to take it to the next level):

1. Multiple ISP's
This is required because if he is day trading he doesn't want to get stuck with an open trade that he wants to close because his main provider goes down. This means a dual WAN router will be essential.

2. Backup Laptop/Desktop ready to go (same as reasons 1 and 3: redundancy)

3. Battery Backup
Same as above but in relation to power needs and uptime


The main thing about the router above is this:

Reliable
Supports two broadband connections in either a load-balancing or fail-over configuration
Load-balancing configuration enables maximum throughput by utilizing both WAN connections to distribute traffic across two broadband connections, possibly with different ISP providers
Alternatively, the second WAN port may be configured as a failover connection in case the primary connection fails
Housed in a metal rugged unit and comes with a lifetime warranty
Includes 24/7 technical support

So he could load balance and get faster speeds, or have it set for failover / redundancy.
 
Thanks for the replies. What does load balance mean? I'm clueless with this stuff but I've been tasked with learning as much as I can to help set up whatever he does.
 
Load balancing means taking 2 (or multiple) connections and spreading the work load across them.
Failover means that if the primary connection fails the secondary takes over automagically.
 
I'd start with a Cisco CRS-3. You can scale it up to 320 Tbps, so it will be future proof.

Of course, that's just the starting point. You might want to consider 2 of them, one for redundancy.

I thought this was pretty funny since the OP asked for 'best that money can buy' lol ;)
But seriously, Cisco is coming out with the ISA500 that might be of interest to you. It comes with IPS, WAN redundancy and all sorts of goodies; of course since this is an untested product it could be a total pos too...
 
The best possible setup would be a small PC running something like pfSense. I would go with a small Mini ITX mobo; the thin-mini-itx Intel board is perfect, it has dual LAN, etc. Then a low end Ivy Bridge i3, some RAM, and a small mSATA SSD, and put it all into a nice small case and you're set. Virtually unlimited functionality, and you can put as much horsepower in there as you want. For example, if you see this guy wanting to use a bunch of VPN and wants good VPN performance then move to an i5 so you get AES-NI enabled, which will significantly speed up the encryption/decryption capabilities. (You will need to wait for pfSense 2.1 for AES-NI support but that will be out very soon.) I use similar setups at home, at my in-laws', and at some of my clients' small businesses. They have been bulletproof. I have an OpenVPN site-to-site link between my house and the in-laws' so I can take care of their stuff from home really easily. This also allows me easy access to my ZFS storage box from their house. I can VPN into any of my clients using this setup and then access anything on the network as if I was right there. Since pfSense is built on 100% free open source software you don't have to worry about licenses or any limitations. You can essentially scale the setups as big as you want, and the only limits are your hardware. pfSense also has a paid support plan if you are interested in something like that, which gives you that support net if you want/need it.

+1

I'd have to agree with everything said here. Everything. I've been running pfSense for ages and love every bit of it. All other commercial "home" routers I've used since piss me off because they always seem to be lacking features/options/capabilities of a home built (upgrade-able) pfSense box.
 
Not much sense in "best money can buy" router for this application, even if this is [H]ard|Forum -- it'd be like shooting at aluminum cans with a 57mm PAC. With that said:

Mikrotik RB450G, pfSense on something like an Alix 2C3, a Cisco RV042, ZyXEL USG50, or even a Peplink Balance series are all overkill for this scenario and can provide you with dual WAN failover. The usage pattern on this residential network (yes, even with massive torrents) won't generate enough packets per second to even bring CPU past 30% on the Asus Black Diamond router that he already owns. The Motorola SB6120 is only going to support about 45,000 concurrent connections in its routing table before it starts dropping entries to save itself; anything behind it just needs to be able to handle that capacity at the link speed provided, with a hair of extra CPU and RAM for NAT concurrency and any type of SPI firewall or QoS you'd want running on the gateway (or bridge) interfaces.
 
It really depends on the upgradability, scalability, management, and ease of use and deployment.

If this guy wants durable, just go get the Zyxel USG. Set it up and forget it. If you need to do support you can VPN in and log into the admin GUI. No assembly required, no fans.
 
Absolute Best in my opinion:
OpenBSD and good old pf
For load balancing and WAN redundancy setup CARP
Run on at least 2 systems on separate UPSs
CNG GenSet
Backup client systems (laptops)

If power isn't a big issue you can try to rely on UPSs alone, but you're never going to get more than a couple of hours without a fairly massive setup.

That's what our enterprise system is running for our datacenter that supports 400 users at 20 locations. With 20 minute battery backup and a CNG GenSet we're at less than 5 minutes downtime in the past 3 years.

Important considerations for real redundancy:
- Internet links on separate backbones and cabling running on different routes (i.e. DSL and T1 will likely use the same last mile cable; the cheapest option would likely be 1 DSL and 1 Cable line if both are available). Depending on the neighborhood, getting one delivered above ground and one via buried cable.


Downside - no direct OEM support, so if you get hit by a bus he couldn't just call up Joe Blow IT Consulting for instant help.

Sooo... going Cisco or Untangle or similar may be a better option.
 
Been using Untangle myself (in a home environment). I have both cable and DSL connections. Downside is it can be too pricey for simply a home environment but if your boss is using it for work it shouldn't matter if he has the cash flow.
 
As something of a networking buff and someone who has actually worked on networks that tally end-of-day stock prices for a 16Tn-dollar investment bank I feel like I can safely wade into this one.

Don't go into pfsense. It's alright for a geek at home that wants to play with things, but that's about it - past that it's a support burden that no-one but you will ever be able to work properly. And even then frankly most people who set up a box with pfsense don't do it right anyway - they'll install pfsense and tell themselves they're having a ball and being a great security guru, then fail to patch the dang system itself.

Get something a little more common and supportable.

In my opinion you have two real choices and one far-out choice:

1. Stay the consumer route. Just keep what you have and be happy, because nothing is really going to offer "faster" speeds anyway, not on a consumer Internet connection.

2. If you must get a bit more "prosumer" with the endeavor, get a Cisco ASA 5505. It's business-class hardware and you can post a question about its configuration anywhere and get a dozen people who can knowledgeably answer your question. Plus if you're the "IT guy" for your company (sounds like a small business?) you're going to want to build on your tradable skill set in case you ever want to change jobs - and putting "experience with Cisco ASA platforms" on your resume is going to go much, much further than "experiencing pfsense/Zyxel/etc".

3. If you want to be a bit more extreme and spend somewhere between 1-2k, maybe even look at an ASA 5512-X... it would be total overkill, but it's a faster platform yet and is certainly "enterprise-grade" hardware. Same pros as #2.


Between us though, you might consider looking for a new job if your current boss is actively pursuing ways to spend less time growing the business you work for and more time expanding his own portfolio. What's worse is he's even paying his employees to help him on that front as well; when you spend time building the business you help your collective future, when you spend your work hours building his success rather than the business's, you're not. That's not the kind of attitude that says "everyone at this company is going somewhere" and is typically a warning bell.
 
I set up a pfSense box for my last place's canteen wifi with content filtering etc. and in 2 years, apart from a few updates, I never needed to touch it. I still doubt I would use it over an ASA though; in fact I ditched my Atom pfSense box for an ASA5505 at home.
 
Don't go into pfsense ... it's a support burden that no-one but you will ever be able to work properly.
most people who set up a box with pfsense don't do it right anyway
putting "experience with Cisco ASA platforms" on your resume is going to go much, much further than "experiencing pfsense/Zyxel/etc".
Speak for yourself buddy. The comments in this thread alone will tell you pfSense is a very popular choice with a large community of support if needed.

Also, saying "Cisco is better than pfSense/BSD/Unix on a resume" is a little odd considering how many fields there are in I.T. these days. If a job description says "Cisco needed" then Cisco looks great, but if a company wants someone with "Unix" experience then a BSD variant looks great. Neither needs to have anything to do with being a security guru and both can look equally appealing to employers...

You got some great advice Serra, so share that instead :D
 
As something of a networking buff and someone who has actually worked on networks that tally end-of-day stock prices for a 16Tn-dollar investment bank I feel like I can safely wade into this one.

Don't go into pfsense. It's alright for a geek at home that wants to play with things, but that's about it - past that it's a support burden that no-one but you will ever be able to work properly. And even then frankly most people who set up a box with pfsense don't do it right anyway - they'll install pfsense and tell themselves they're having a ball and being a great security guru, then fail to patch the dang system itself.

Get something a little more common and supportable.

In my opinion you have two real choices and one far-out choice:

1. Stay the consumer route. Just keep what you have and be happy, because nothing is really going to offer "faster" speeds anyway, not on a consumer Internet connection.

2. If you must get a bit more "prosumer" with the endeavor, get a Cisco ASA 5505. It's business-class hardware and you can post a question about its configuration anywhere and get a dozen people who can knowledgeably answer your question. Plus if you're the "IT guy" for your company (sounds like a small business?) you're going to want to build on your tradable skill set in case you ever want to change jobs - and putting "experience with Cisco ASA platforms" on your resume is going to go much, much further than "experiencing pfsense/Zyxel/etc".

3. If you want to be a bit more extreme and spend somewhere between 1-2k, maybe even look at an ASA 5512-X... it would be total overkill, but it's a faster platform yet and is certainly "enterprise-grade" hardware. Same pros as #2.


Between us though, you might consider looking for a new job if your current boss is actively pursuing ways to spend less time growing the business you work for and more time expanding his own portfolio. What's worse is he's even paying his employees to help him on that front as well; when you spend time building the business you help your collective future, when you spend your work hours building his success rather than the business's, you're not. That's not the kind of attitude that says "everyone at this company is going somewhere" and is typically a warning bell.

/thread. Best advice here.
 
I'm sorry, but most companies I have seen don't upgrade their networking gear unless it's missing a feature they need.
I'll throw Palo Alto in the mix. Get a PA-200 if you feel like spending money, or a PA-500.
 
Cisco ASA5505, or a Juniper SRX100. Depending on how large your house is you could look into doing AP roaming and use the router as an AP controller and such, or get a higher end model and enable some UTM features.
 
Speak for yourself buddy. The comments in this thread alone will tell you pfSense is a very popular choice with a large community of support if needed.

Also, saying "Cisco is better than pfSense/BSD/Unix on a resume" is a little odd considering how many fields there are in I.T. these days. If a job description says "Cisco needed" then Cisco looks great, but if a company wants someone with "Unix" experience then a BSD variant looks great. Neither needs to have anything to do with being a security guru and both can look equally appealing to employers...

You got some great advice Serra, so share that instead :D
Gotta agree here - with some caveats.

In large corporate environments with a faceless team of 100 IT drones, yes, anything you can put down on paper that checks off a box on the Human Resources "IT Guy Requirements" list will be a plus. This is where Cisco/SonicWall experience is a plus.

HOWEVER, most competent IT managers/CIOs should realize that experience with pfSense/BSD/etc. can indicate a deeper understanding of what's actually happening on the network. Where Cisco can do a lot of hand-holding, you're not getting very far with a BSD firewall unless you actually know your shit most of the time. This is a total generalization, and at the high end a Cisco expert should be able to figure out pf, and a pf expert should be able to figure out Cisco just as easily; it's all the same concept with different structure and syntax.

So in my experience, both are valued, but the values attributed to them change depending on the employer.
 
Speak for yourself buddy. The comments in this thread alone will tell you pfSense is a very popular choice with a large community of support if needed.

Also, saying "Cisco is better than pfSense/BSD/Unix on a resume" is a little odd considering how many fields there are in I.T. these days. If a job description says "Cisco needed" then Cisco looks great, but if a company wants someone with "Unix" experience then a BSD variant looks great. Neither needs to have anything to do with being a security guru and both can look equally appealing to employers...

You got some great advice Serra, so share that instead :D

I appreciate the sentiment, but I respectfully disagree.

In regards to community support, please take a look at the rest of my statements about most people setting up pfsense incorrectly and/or not to best practices because they don't know any better - it's 100% true. In addition, while you may find some "this worked well enough for me in my HOUSE" suggestions, what you won't find nearly as much of is "this worked in my enterprise-grade deployment", which you can find in spades for any major Cisco product. With that said, which would you prefer for business use - something that you hacked together based on suggestions from a community of people who set stuff up at their homes, or advice from professionals who do nothing but work with their respective products day in/day out and who must deliver business-grade stability?

Regarding employment: if you want a *nix job, you don't get it by demonstrating your ability to do networking on a *nix platform unless your prospective employer is a very small company. Why? It's not something you'll ever see in reality (again, outside of small companies and, because someone will surely bring one up, the very, very odd larger one). If you want a *nix job, you do some impressive programming or at least scripting with *nix. Learn C/C++... automate some process that helps the business... something like that. Your ability to use *nix to do something for which there are better options on the market is really not a selling feature; it's more the opposite to be honest, and a smart manager knows that. He doesn't want to pay people to spend a lot of time hacking up a solution when they could spend less time/money and do it better with something else.

In addition, I would add that while you say that neither has anything to do with being a security guru, as I pointed out most people don't set up pfSense correctly because they're just following community advice from other (well meaning) people who don't necessarily know every last binary in *nix and who can't secure it properly themselves. When your manager asks what other security measures were taken in addition to just installing a "firewall program" you look pretty bad when you say "um... nothing. That's all I thought you had to do."


Gotta agree here - with some caveats.

In large corporate environments with a faceless team of 100 IT drones, yes, anything you can put down on paper that checks off a box on the Human Resources "IT Guy Requirements" list will be a plus. This is where Cisco/SonicWall experience is a plus.

HOWEVER, most competent IT managers/CIOs should realize that experience with pfSense/BSD/etc. can indicate a deeper understanding of what's actually happening on the network. Where Cisco can do a lot of hand-holding, you're not getting very far with a BSD firewall unless you actually know your shit most of the time. This is a total generalization, and at the high end a Cisco expert should be able to figure out pf, and a pf expert should be able to figure out Cisco just as easily; it's all the same concept with different structure and syntax.

So in my experience, both are valued, but the values attributed to them change depending on the employer.

This is based only on my experience, but I would respectfully disagree with you as well.

For starters, you just said that Cisco (just to use them as an example - could be any major vendor) hand-holds people through things while UNIX does not... setting up pfsense from a GUI doesn't make you a network guru, and it will absolutely work without a lot of networking knowledge. I know - I've done it. Doing basic tasks on systems which weren't really designed for them doesn't make you an expert, it just means you've spent a lot of time trimming a square peg so that it fits into the round hole.


To speak to one of your last lines in a way that may help illustrate my point, with all humility possible I must say that I am what would be considered a "Cisco Expert" (more generally I would like to consider myself a "networking expert who knows Cisco syntax"), and while I do definitely have at least entry-level *nix knowledge, I think it would be a stretch to say that I could just run with pfSense because it's just different syntax... I'll assure you that it isn't. There are things you straight up can't do with one box that you can with another, and if you're getting into the low level of things there are a lot of differences.

To add some flavor that should illustrate my point, about 5 years ago I actually spent a very considerable amount of time working with networking on *nix when I was running routers in virtual space on a *nix box (dynamips!) and had to dig into *nix networking to do some custom stuff and found that the majority of my "networking" time as you paint over it was not spent networking. Why? Because 95% of my time was spent dealing with driver interactions and program dependencies, which have nothing at all to do with networking... that's all *nix administration. Only the last 5% was the actual networking, and I'll assure you that passing IP based on networks and ports is only a very, very small fraction of actual networking.


Bottom line here is that if your manager thinks that you playing with pfSense means you know more - or are even marginally likely to know as much as - someone who picked up a proper piece of network kit, they shouldn't be hiring the network people. Am I saying it couldn't happen? No, but I know I don't hire someone with skillset A over someone with skillset B if I'm looking for skillset B. I have dealt with many, many server folk over the years as a professional networking consultant, and frankly have yet to meet one with anywhere near my level of networking knowledge.*


*I don't want to sound up on myself when I say that - I am actually a pretty humble person - but I take pride in knowing my area of expertise to a great depth. At the same time it would be very fair for me to say that although I can get around in windows and *nix environments, I am sure I am not more than a novice in any of those areas, and less so in areas such as SAN fabrics. Those server people who don't know my area beyond the very basics are experts in those areas and I defer to them fully in those capacities. Because even though I may even know how to tune traffic with granularity to meet their specific system needs, the fact is that I don't need to master their systems to do so - and I don't.
 
This is based only on my experience, but I would respectfully disagree with you as well.

For starters, you just said that Cisco (just to use them as an example - could be any major vendor) hand-holds people through things while UNIX does not... setting up pfsense from a GUI doesn't make you a network guru, and it will absolutely work without a lot of networking knowledge. I know - I've done it. Doing basic tasks on systems which weren't really designed for them doesn't make you an expert, it just means you've spent a lot of time trimming a square peg so that it fits into the round hole.


To speak to one of your last lines in a way that may help illustrate my point, with all humility possible I must say that I am what would be considered a "Cisco Expert" (more generally I would like to consider myself a "networking expert who knows Cisco syntax"), and while I do definitely have at least entry-level *nix knowledge, I think it would be a stretch to say that I could just run with pfSense because it's just different syntax... I'll assure you that it isn't. There are things you straight up can't do with one box that you can with another, and if you're getting into the low level of things there are a lot of differences.

To add some flavor that should illustrate my point, about 5 years ago I actually spent a very considerable amount of time working with networking on *nix when I was running routers in virtual space on a *nix box (dynamips!) and had to dig into *nix networking to do some custom stuff and found that the majority of my "networking" time as you paint over it was not spent networking. Why? Because 95% of my time was spent dealing with driver interactions and program dependencies, which have nothing at all to do with networking... that's all *nix administration. Only the last 5% was the actual networking, and I'll assure you that passing IP based on networks and ports is only a very, very small fraction of actual networking.


Bottom line here is that if your manager thinks that you playing with pfSense means you know more - or are even marginally likely to know as much as - someone who picked up a proper piece of network kit, they shouldn't be hiring the network people. Am I saying it couldn't happen? No, but I know I don't hire someone with skillset A over someone with skillset B if I'm looking for skillset B. I have dealt with many, many server folk over the years as a professional networking consultant, and frankly have yet to meet one with anywhere near my level of networking knowledge.*


*I don't want to sound up on myself when I say that - I am actually a pretty humble person - but I take pride in knowing my area of expertise to a great depth. At the same time it would be very fair for me to say that although I can get around in windows and *nix environments, I am sure I am not more than a novice in any of those areas, and less so in areas such as SAN fabrics. Those server people who don't know my area beyond the very basics are experts in those areas and I defer to them fully in those capacities. Because even though I may even know how to tune traffic with granularity to meet their specific system needs, the fact is that I don't need to master their systems to do so - and I don't.
Your assertion that one can "play with" pfSense in some less important way than you can "play with" Cisco is somewhat insulting. I'm talking about actual knowledge and skill - not claimed mastery over a web GUI because you can get to Google.

I'm not saying anyone who's ever run a network could pick up pfSense or Cisco (or Vyatta, or SonicWall, or whatever) and instantly know the syntax. I'm saying the base skills are transferable in both directions. I did a lot of my early learning from Cisco Academy courses that were offered through my High School. They're excellent material and I would recommend them to anyone regardless of their flavor of choice. My favorite thing is that they DON'T hand-hold in the course material. Everything was done through CLI and that teaches a real base of knowledge.

As for issues with Driver and Program dependencies when setting up a *nix server - that just sounds like it may be due to poor planning. If you read an HCL, drivers should be a non-issue, and dependencies are generally documented (and can be auto-installed with most packages). I can have BSD installed and PF running in about 20 minutes if it's all supported hardware.
 
The times they are a changing....

Best not to ignore these disruptive technologies like pfSense... especially with budgets being cut left and right... I'm an IT manager that leverages these sorts of technologies and I've seen it work out for the greater good of my company for sure...

From an employment perspective... having the knowledge to properly deploy pfSense is much more valuable to me than someone who can install an ASA... I realize at this point I'm probably in the vast minority, but once these dinosaurs start retiring or taking on other positions, it's the way things are going to be heading...

For the OP, I would suggest something simple, as you've been tasked with something you probably shouldn't (and maybe needn't) be tasked with...
 
This thread is so silly. Just get a nice consumer model, paint it gold, and tell him it's the special edition ultra or some shit.

He won't know the difference.

And neither would anyone else.
 
I think the Cisco 5505 suggestion is my favorite. It's an entry-level business class firewall/router with most of the Cisco goodies (make sure you get a decent license for it if you want to do extra VPNs and such) and you get good experience doing it.
 
In addition, while you may find some "this worked well enough for me in my HOUSE" suggestions, what you won't find nearly as much of is "this worked in my enterprise-grade deployment".

pfSense works amazingly well in my enterprise-grade deployment(s).

FYI, you can get superb (immediate, no BS, expert) support from pfSense (BSD Perimeter) if you want/need it.
 
The FVS336Gv2 ProSafe Dual WAN Gigabit Firewall Router with SSL and IPsec VPN from Netgear recommended above has my interest. I used to have a Nexland Pro800 Turbo router that had dual WAN connections w/ load balancing and 8 LAN ports, plus it had a serial port for connecting a serial 56k external modem. I had two DSL connections running on that baby back in the ~2000 - 2001 era at 1.5Mbps each; I then later used 1 DSL and 1 Cable connection since when the DSL went down, that usually meant both went down. That router died on me a couple years ago and I've been wanting to get another router that will easily do dual WAN connections w/ load balancing. Think I might bite on that; but I need to find a good wireless router to connect to it.

Anyone have any experience with the NETGEAR SRX5308-100NAS ProSafe Quad WAN Gigabit SSL VPN Firewall? It's got quad WAN ports.
 
The guy's a fucking day trader.

He's probably got a 12/5 Comcast package. The SB6120 and Asus are fine.
 
Your assertion that one can "play with" pfSense in some less important way than you can "play with" Cisco is somewhat insulting. I'm talking about actual knowledge and skill - not claimed mastery over a web GUI because you can get to Google.

I'm not saying anyone who's ever run a network could pick up pfSense or Cisco (or Vyatta, or SonicWall, or whatever) and instantly know the syntax. I'm saying the base skills are transferable in both directions. I did a lot of my early learning from Cisco Academy courses that were offered through my High School. They're excellent material and I would recommend them to anyone regardless of their flavor of choice. My favorite thing is that they DON'T hand-hold in the course material. Everything was done through CLI and that teaches a real base of knowledge.

As for issues with Driver and Program dependencies when setting up a *nix server - that just sounds like it may be due to poor planning. If you read an HCL, drivers should be a non-issue, and dependencies are generally documented (and can be auto-installed with most packages). I can have BSD installed and PF running in about 20 minutes if it's all supported hardware.


I definitely do not mean to insult you or anyone else, and I sincerely apologize if I have. I think though that you took what I said a bit too broadly, so I will try to clarify again to help ensure no-one is insulted by what I have written.

When I say a person can play with PFSense at home I'm not saying they can't learn it deeply and learn a lot in the process - they can. Absolutely. What I am saying however is that they will not be learning as much about networking as they would be if they picked up a traditional network platform (assuming they spent the same amount of time on each). And that's a two-way street - if they picked up a traditional network platform they wouldn't learn much (if anything at all) about *nix. At the same time, PFSense in industry is something like 1% or less of the market and will likely continue to be so for at least the next 5 years (probably forever, but what do I know?), so it's absurdly difficult to argue that learning on that platform versus another with 20% of the market share is a more marketable skill. Thus I feel it is fair to say that while there are a lot of people playing around with PFSense at home, it's just not in the same class as using traditional networking equipment - when we're narrowly talking about networking.

Put another way, all I'm saying is that if you want to learn NETWORKING - in the pure sense of the word - to the greatest depth you don't do it with a non-network device... or, at least, you don't do it on a non-network device and expect the same results in the same amount of time.


I can assure you that when you get down to the very low-level of PFSense - or most any other *nix networking thing if I'm honest - you must start looking at things like driver interactions, and then you are in a hole from which the Internet cannot rescue you. Blocking ports? I agree, easy with the right hardware (where "right hardware" only needs to be defined as hardware capable of passing traffic). But what about when you need your hardware to do specific things with trunking, changing the way LACP works, offloading - or hell, something weird like processing TRILL - etc? You start to need to look at what is provided by the packages you have installed, what is supported in your kernel, what your hardware supports, what your drivers will support that hardware doing. On a standard network platform all that jazz is already worked out and a user is presented with a "dumbed-down" UI that simply either offers a feature or doesn't, and it's very straightforward to understand what is and is not supported. When something isn't supported you will spend hours if not days or weeks trying to figure out why - and none of that time will be spent learning networking, though you may learn a lot about *nix along the way.

Saying "as long as the hardware is supported..." is just waving your hand at how programs, kernels, drivers, and hardware actually work together and is a good example of a potentially costly mistake that people who don't know a lot about the subject area they're talking about make. And please don't be insulted when I say that - I've made similar mistakes myself in the past; we're all guilty of over-generalizing an IT discipline that we aren't deeply involved with. Let me use hard drives as an example here to pull an example that many of us may be familiar with - even most enthusiasts think they're pretty simple things, but there is a lot of firmware logic in there that we don't ever know about. A great example of that might be TLER; a feature even many enthusiasts have never heard of, but if you choose a drive without TLER and put it into a RAID array you might just find yourself dropping drives constantly if they don't support it.

Similarly, with PFSense what you get is a package that "does anything"... as long as your kernel, drivers, installed modules, and hardware support it. And frankly, that never has been nor ever will be the case for all possibilities.



the times they are a changing....

best not to ignore these disruptive technologies like pfsense... especially with budgets being cut left and right... i'm an IT manager that leverages these sorts of technologies and i've seen it work out for the greater good of my company for sure...

from an employment perspective... having the knowledge to properly deploy pfsense is much more valuable to me than someone who can install an ASA... i realize at this point i'm probably of the vast minority, but once these dinosaurs start retiring or taking on other positions, it's the way things are going to be heading...

for the OP, i would suggest something simple, as you've been tasked with something you probably shouldn't (and maybe needn't) be tasked with...

PFSense is hardly a disruptive technology - for one thing it's been around nearly 10 years without substantial change and for another it was preceded by iptables, which had been around since the dinosaurs and which were to firewalls of their time what PFSense is to firewalls of today (and neither has taken any particular foothold). Disruptive it is not.


I'm not saying that it can't do a job, but it lacks a lot of enterprise-grade features and functionality... or, more accurately, relies too heavily on *nix to make it work. The issue you quickly run into there is that you start to need to make a choice between getting *nix specialists or getting network people. It may seem like the answer is that a network person can simply learn the *nix they need to learn to do their job, but the reality is that a *nix system can do a lot more than your average router, and it's like handing someone a rail gun to kill a fly when you only need the non-networking parts of the system to do things like offer management options... it's death by choices and non-standardization. I am not implying there that network people aren't smart enough to run the system either; only that they need to spend their time doing networking and not trying to figure out whether they need to upgrade a kernel to make feature X work properly, or trying to figure out C programming to add a new one that everyone else has.


Now in speaking about "dinosaurs" I don't really get what you mean. Are you saying that platforms made to do jobs well are obsolete? Well, OK... as long as you don't mind downtime I guess. Or inefficiency due to lack of standardization. Both of which cost you money and actually detract from your ROI of course. And you realize that they do come out with new firewalls every few years right? And that you can virtualize them if you need (and it's correct - it's not always best to virtualize...)...?


I'm sorry, but if you're trying to replace a well-trained network team with a bunch of *nix admins and assuming it's going to work out for the best you're making a classic management mistake of assuming that it's all "just computers" and interchangeable - it's not. I once made that assumption about SAN fabrics - assuming they were more or less just networking gear with a different protocol - but you know what? After an embarrassing few sessions with a SAN expert I learned just how wrong I was. The upshot for me was that I made sure to have those discussions before it led to an expensive blunder (and learned something along the way)... I hope you get the chance to have a similar discussion with someone that a third party confirms is a networking expert that you trust before you start trying to play with the tried and true staffing model.


As well, take a look at my response above about features and functionality. Have you ever noticed how different firewalls offer different features, and different firewalls within a line will often even support different low-level features (well, being a manager you may not be in that deep with the minutiae of network gear features and platforms, but take my word for it that they do)? It's because program / driver / kernel / hardware interaction is a tricky bit, and PFSense (et al.) assume that the kernel/hardware/drivers "just work", but that's just not how the world actually works. Traditional network gear on the other hand is purpose-built and you know what should work and can depend upon it to work, because they don't have to worry about 500 types of NICs or 15 different CPU classes etc. With PFSense... well, you can get a lot of basic functionality, but you won't honestly take it too far. And if you can't take it too far that means it doesn't scale, which means it's probably not the right solution excepting in very specific circumstances.



Edit:
Let's think about this a different way yet. The truth is pretty well every firewall platform out there today is built on some kind of *nix platform already. The difference between buying a firewall from Cisco or CheckPoint and making one of your own is that Cisco and CheckPoint have already hired hundreds of people to fully optimize the software, test all the features, and create user interfaces that let people focus on doing their job and doing it well. When you decide to build one yourself you're taking that load on. The lack of testing and optimization across wide ranges of feature sets means that you will be limited in features - unexpectedly - and will probably see more downtime, and the lack of standardization and stripping down of unnecessary items means your people will spend more time trying to get to where they need to go. Plus the up-front training for those people is an absolute bear. Sure they'll become experts at creating those particular firewalls, but the time they spend going through all those hoops could have alternatively been spent on learning more about networking best practices, standardizing implementations, etc - in other words, doing the job that you are paying them to do (and/or doing it better).

All of that is why, as a general rule, heavy customization is less efficient and less effective than leveraging industry standard, purpose-built tools. The only time one should ever engage in such a practice is when industry standard tools are prohibitively expensive (which is not the case in this field, which has been very highly commoditized) or when features you need are not available in those tools.
 
PFSense is a GUI on top of FreeBSD. Working with PFSense doesn't make you a *nix person or even truly give you much *NIX experience.

You do realize that a majority of enterprise grade firewalls are Linux/BSD based right? Hell even a majority of WAPs, routers, UTM, even some switches are *nix based. I don't see how you could say it "relies on unix too much."

I personally virtualize PFSense, it runs as a VM without any issues.

PFSense is marketed as a router distro, and I think it does very well for that. Being a distribution rather than an appliance actually GIVES it the ability to scale much easier than many enterprise products I've worked with, because as long as you use hardware that's on the HCL, it's within your control rather than buying a pre-configured box.
 

i do think you are greatly exaggerating just how much customization is required to get pfsense to replace even low cost enterprise grade routers that can cost upwards of $10k...

when all you need is horsepower and routing performance, either device could be set up in minutes...

hardware worries sort of go out the window when using intel boxes with intel chipsets and intel NICs...

if you're having to worry about optimizing interactions between kernels and driver stacks to get the performance you need, sure... take the Cisco, that should rightfully cost a pretty penny and take up a 1/4 rack... but for 90% of our uses, it's not needed....

as far as it being "easier" to use off-the-shelf products, i don't disagree whatsoever... and you say the beef isn't expensive, but that's because you're used to spending money, it's all relative to you...

in my area, it actually is cheaper to pay an employee to learn it rather than buy the off the shelf products... it may be that wages are low, but also an important factor is how much we're using similar OSS-based solutions to take care of other tasks... like IP Telephony and IP Surveillance... OSS powered storage solutions...

nobody is saying it doesn't have its quirks, but i'm a patient person and feel the time spent is well worth it... i guess i just enjoy the independence from the vendors... saying it's unreliable is nothing but FUD....

i've got 25 locations running linux based routers w/ vpn and UTM features and have had 1 hardware failure due to insufficient power protection (lightning storm) and my VPN only goes down when i take it down... 2.5 years they've been running and i've done 0 maintenance... i'd venture to say uptimes on a couple of the boxes are nearing those 2.5 years... but i'm quite sure there have been some reboots due to automatic updating... but i honestly don't notice

not to say i'll get the same stability from pfsense, because i haven't gone down the road yet, but it's happening by 2Q 2013...
 
This thread kills me. The OP asked for a router recommendation and yet almost every reply is about a firewall and in fact seems to have diverged into a pfsense vs the world thread. I cannot count the number of issues we run into that are caused by customers using a firewall as a router. Just remember, just because you can do something doesn't mean you should. Even in a home environment a user is better served with this arrangement:

Internet - bridge - firewall - router - switch - Internal

Access points could be hung off the firewall or the router depending on your paranoia level. I'm willing to concede a router/switch combo device in a home, though I would recommend hanging the AP off the firewall if someone chose to do that. Please note the bridge would be a cable or DSL modem; in an enterprise environment you would replace that with another router. Also router means router, not firewall or other PAT device.
 
Name a router that doesn't have the ability to do some Firewall features.
 