Both the Juniper SRX and the Mikrotik will work. The problem isn't firewalling, it's NAT. NAT is evil.
Perhaps having enough IP addresses would be a better solution? https://www.youtube.com/watch?v=v26BAlfWBm8

On Thu, May 5, 2016 at 3:09 PM, Matt Freitag <mlfre...@mtu.edu> wrote:

> I'm a huge fan of Juniper's SRX line. I use all the features you point out at home on my SRX210, although that product is end-of-life. A refurbished SRX220 lists on Amazon for about $375, and a new one for $700. Naturally support is extra, but I'm not sure how much.
>
> I haven't used it myself but I have seen the packet capture in action. It'll save any traffic you want right out to a pcap file too. I also like "show security flow session" - shows you the source, destination, ports, how long a session has been going, and number of packets and number of bytes transferred.
>
> Matt Freitag
> Network Engineer I
> Information Technology
> Michigan Technological University
> (906) 487-3696
> http://www.mtu.edu/
> http://www.it.mtu.edu/
>
> -----Original Message-----
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Nick Ellermann
> Sent: Thursday, May 5, 2016 2:51 PM
> To: Mel Beckman <m...@beckman.org>
> Cc: nanog@nanog.org
> Subject: RE: sub $500-750 CPE firewall for voip-centric application
>
> You're exactly right, Mel. Dell has really turned the Sonicwall platform around in the past few years. We dropped it a year or two before Dell took them over. Back then Sonicwall was full of issues and lacked important features that our enterprise customers required. If you have budget, Palo Alto is something to look at as well, but don't overlook Sonicwall and FortiGate.
>
> Sincerely,
> Nick Ellermann - CTO & VP Cloud Services BroadAspect
>
> E: nellerm...@broadaspect.com
> P: 703-297-4639
> F: 703-996-4443
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
>
> -----Original Message-----
> From: Mel Beckman [mailto:m...@beckman.org]
> Sent: Thursday, May 05, 2016 2:49 PM
> To: Nick Ellermann <nellerm...@broadaspect.com>
> Cc: Ken Chase <m...@sizone.org>; nanog@nanog.org
> Subject: Re: sub $500-750 CPE firewall for voip-centric application
>
> I install and support Cisco ASA, Dell SonicWall, Fortigate, and PaloAlto firewalls. The best SMB devices are definitely SonicWall and Fortigate. SonicWalls are easier to configure, but have fewer features. Fortigate has many knobs and dials and a very powerful virtual router facility that can do amazing things. The two vendors have equivalent support in my opinion, although Fortigate tends to be more personal (Dell is big and you get random techs).
>
> Cisco ASA is overpriced and under-featured. Cisco-only shops like them, but mostly I think because they're Cisco-only. PaloAlto is expensive for what you get. Functionally they are on the same level as Fortigate, with a slightly more elegant GUI. But Fortigate can be configured via a USB cable, which is a huge advantage in the field. Legacy RS-232 serial ports are error-prone and slow.
>
> -mel
>
> > On May 5, 2016, at 11:39 AM, Nick Ellermann <nellerm...@broadaspect.com> wrote:
> >
> > We have a lot of luck for smaller VOIP customers having all of their services run through a FortiGate 60D, or higher models. 60D is our go-to solution for small enterprise. However, if we are the network carrier for a particular customer and they have a voip deployment of more than about 15 phones, then we deploy a dedicated voice edge gateway, which is more about voice support and handset management than anything. You do need to disable a couple of things on the FortiGate such as SIP Session Helper and ALG. We never have voice termination, origination or call quality issues because of the firewall.
> >
> > FortiGate has a lot of advanced features as well as fine tuning and adjustment capabilities for the network engineering type and is still easy enough for our entry level techs to support. Most of our customers have heavy VPN requirements and FortiGates have great IPsec performance. We leverage a lot of the network security features and have built a successful managed firewall service with good monitoring and analytics using a third-party monitoring platform and Fortinet's FortiAnalyzer platform.
> >
> > Worth looking at, if you haven't already. If you want to private message me, happy to give more info.
> >
> > Sincerely,
> > Nick Ellermann - CTO & VP Cloud Services BroadAspect
> >
> > E: nellerm...@broadaspect.com
> > P: 703-297-4639
> > F: 703-996-4443
> >
> > -----Original Message-----
> > From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Ken Chase
> > Sent: Thursday, May 05, 2016 1:54 PM
> > To: nanog@nanog.org
> > Subject: sub $500-750 CPE firewall for voip-centric application
> >
> > Looking around at different SMB firewalls to standardize on so we can start training up our level 2/3 techs instead of dealing with a mess of different vendors at cust premises.
> >
> > I've run into a few firewalls that were not sip or 323 friendly however, wondering what your experiences are. Need something cheap enough (certainly <$1k, <$500-750 better) that we are comfortable telling endpoints to toss current gear/buy additional gear.
> >
> > Basic firewalling of course is covered, but also need port range forwarding (not available until later ASA versions for e.g. was an issue), QoS (port/flow based as well as possibly actually talking some real QoS protocols) and VPN capabilities (not sure if many do without #seats licensing schemes which get irritating to clients).
> >
> > We'd like a bit of diagnostic capability (say tcpdump or the like, via shell preferred) - I realize a PFsense unit would be great, but might not have enough brand name recognition to make the master client happy plopping down as a CPE at end client sites. (I know, "there's only one brand, Cisco." ASA5506x is a bit $$ and licensing acrobatics get irritating for end customers.)
> >
> > /kc
> > --
> > Ken Chase - Guelph Canada
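The reason the thread keeps coming back to NAT rather than firewalling, and to turning off the SIP session helper / ALG, is that SIP carries the endpoint's own IP address inside the signaling: in the Via and Contact headers and in the SDP `c=` line that tells the far side where to send RTP. A phone behind NAT only knows its RFC 1918 address, so that is what it writes, and an ALG is the box's attempt to rewrite those fields in flight. The Python below is an added illustration, not code from anyone in this thread or from any of the vendors named: it builds a constructed INVITE (made-up extensions, Call-ID and addresses) as a NAT'd phone would send it and reports each private address with the symptom it produces at the far end. Nothing in it is tied to a specific firewall; it is the check you would run against a `tcpdump` capture to confirm "it's NAT" before touching the firewall config.

```python
import ipaddress
import re

# RFC 1918 ranges: the addresses a phone behind a NAT gateway actually has,
# and therefore the ones it embeds in its own SIP signaling.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# What the far side does with a private address found in each location.
IMPACT = {
    "via": "responses are sent to the private address unless the far side honours rport (RFC 3581)",
    "contact": "in-dialog requests from the far side (BYE, re-INVITE) go to an unroutable address",
    "c=": "the far side sends RTP to the private address: one-way or no audio",
    "o=": "origin line only; informational, no routing impact",
}


def build_invite(addr: str) -> str:
    """Constructed sample INVITE from a phone that believes its address is `addr`.
    Extensions, tags and Call-ID are made up; Content-Length is computed."""
    sdp = (
        "v=0\r\n"
        f"o=1001 2890844526 2890844526 IN IP4 {addr}\r\n"
        "s=call\r\n"
        f"c=IN IP4 {addr}\r\n"
        "t=0 0\r\n"
        "m=audio 16384 RTP/AVP 0 8\r\n"
        "a=rtpmap:0 PCMU/8000\r\n"
    )
    return (
        "INVITE sip:2001@pbx.example.net SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {addr}:5060;branch=z9hG4bK776asdhds\r\n"
        "From: <sip:1001@pbx.example.net>;tag=1928301774\r\n"
        "To: <sip:2001@pbx.example.net>\r\n"
        f"Call-ID: a84b4c76e66710@{addr}\r\n"
        "CSeq: 314159 INVITE\r\n"
        f"Contact: <sip:1001@{addr}:5060>\r\n"
        "Content-Type: application/sdp\r\n"
        f"Content-Length: {len(sdp)}\r\n"
        "\r\n"
        + sdp
    )


def is_rfc1918(addr: str) -> bool:
    """True only for the three RFC 1918 ranges; anything unparsable is not flagged."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918_NETS)


def split_sip(message: str):
    """Split a SIP message into (request line, [(header-name, value)], body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def find_private_addresses(message: str):
    """Return [(location, address, impact)] for every RFC 1918 address in the
    routing-relevant SIP headers and in the SDP o=/c= lines, in message order."""
    _, headers, body = split_sip(message)
    findings = []
    for name, value in headers:
        if name in ("via", "contact", "route", "record-route"):
            for addr in IPV4_RE.findall(value):
                if is_rfc1918(addr):
                    findings.append((name, addr, IMPACT.get(name, "")))
    for line in body.split("\r\n"):
        key = line[:2]
        if key in ("c=", "o="):
            for addr in IPV4_RE.findall(line):
                if is_rfc1918(addr):
                    findings.append((key, addr, IMPACT[key]))
    return findings


if __name__ == "__main__":
    for loc, addr, why in find_private_addresses(build_invite("192.168.1.20")):
        print(f"{loc:8} {addr:15} {why}")
    # Same phone reachable on a (documentation-range) public address: nothing to flag.
    print("public:", find_private_addresses(build_invite("198.51.100.20")))
```

The `via`, `contact` and `c=` findings map directly onto the three classic symptoms (no response to the INVITE, calls that cannot be hung up, one-way audio). Whether the fix is an ALG rewriting those fields, the PBX or SBC handling it with `rport` and symmetric RTP, or simply giving the phones routable addresses as the reply above suggests, this check tells you which field is the one going wrong.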