On Fri, Aug 08, 2008 at 02:59:02PM -0700, phoenixcomm wrote:
> Martín Coco wrote:
> >
> > Hi misc,
> >
> > I'm currently looking for hardware alternatives for firewalls that
> > should have more than four NICs.
> >
> > Currently we are buying R200s from Dell, but we have the 4 NIC
> > limitation. We could tell Dell to install a quad port NIC (in addition
> > to the two-port onboard card), but I haven't read good things about the
> > way they work.
> >
> > I've also looked into Soekris, but they don't seem to have enough CPU
> > for what we want (this is pure speculation) as we also have intense
> > IPSec traffic on some of these firewalls (I've seen that some of them
> > could have encryption boards added to increase performance, but I don't
> > know if it works for any kind of protocol, or at what rate).
> >
> > In any case, what I would like to have is firewalls with multiple NICs
> > (at least 6 NICs) *and* sufficient CPU to let IPSec work alright at
> > least at ~50Mbps (internal backbone firewalls). The multiple NICs are to
> > use trunk, pfsync, real network interfaces, etc.
> >
> > Thanks,
> > Martín.
> >
> >
> >
> Hi Gang,
> well, here's my 3 cents:
> first, why use a stupid PC (any OS) for routing...... REALLY BAD, jue,jue. Break
> down and buy an old Cisco 7200, 7500 or 3600; they are all very good routers. I
> used a 7500 for a while and now use a 3640.
> I use pf as a transparent bridge behind my router, and it protects my servers.
> I have 3 NICs (world, dmz, ssh).
> 

3600s are old and slow. They max out at 20 Mbit/s; at least the 3660 and 3640
we use are saturated easily. And getting a BGP full feed on them is just
impossible now. 7200s are a bit better, but unless you like to get the very
expensive NPE-G1 card they max out around 200 kpps, and the backplane is plain
PCI-32/33MHz, so don't expect too much from the expansion cards.
Again no luck with a BGP full feed; I doubt you can fit more than 256MB RAM
into the smaller CPU boards. The 7500 has its own issues, mainly the power
consumption is insane for the capabilities of those beasts. Every remotely
modern PC with PCI-E/PCI-X gigabit cards will smoke each and every one of
these systems.

> You could put up a firewall before your router and put everything out one
> VLAN to the router.
> And I have a Cisco 2900-XL-EN switch with 3 VLANs on it... and no bleeding.
> Enjoy

Using switches for fanout is great, but remember most older Cisco 2900
switches had a limit of 64 VLANs. Not a problem here, but again a limit that
I have run into, causing unnecessary pain.

Oh, and getting IOS updates for used Ciscos is another fun story, unless you
don't care about licensing.
-- 
:wq Claudio
