Choosing A Router/Firewall For A Small Office

One project that I’m about to start is moving from my m0n0wall router to a new one built around pfsense. The motivation for the project is the integration of our Comcast Business Class internet service into the rest of the household. At present there are two separate networks, with only a few devices enjoying the high speed cable service. The pfsense system will be configured for dual WAN, accessing both the cable service and the Covad DSL circuit.

My existing m0n0wall runs on an old Soekris Net4801. In service for many years, it has been extremely reliable. If m0n0wall does what you need I have no hesitation in recommending the software. Support from the user community is tremendous as well.

For the pfsense system I’m going to use an HP T5700 thin client. It has one NIC on-board, so I’m using the expansion chassis to add a dual-port Soekris NIC card. The internal flash “disk-on-module” is only 256 MB, not quite enough to handle pfsense, so this system will boot from a USB stick.

In both cases my router is essentially an appliance, even though they run open source software. My Asterisk server is also an appliance. By appliance I mean diskless, fanless, low-power consumption, low heat output and silent.

I know that the teams behind m0n0wall, Astlinux and Askozia believe as I do that the appliance approach has tremendous merit. I recall a time when there was a significant group badgering Digium to offer an appliance, which eventually came to pass.

Sometimes these things that I take for granted seem to be strange and foreign to others. For example, earlier this week I was describing my pfsense project to someone. He balked at the idea of running pfsense as my primary firewall. He said that I really should buy “a real firewall.” This stopped me cold. A real firewall. What does that mean?

As the conversation progressed he went on to say that, “…a firewall should not have any moving parts.” He was essentially telling me that it should be an appliance, which is something that we could agree on. But his assumption was that m0n0wall and pfsense were just software to be run on a server, and that was not a suitable solution.

His initial comment haunts me still. Are m0n0wall or pfsense truly suitable solutions for small business and home offices? Clearly m0n0wall has served me well over the years. But is there something that I’m missing? Some critical form of protection that I’m lacking? Should I be looking at Vyatta as a more complete solution? Or is that just a bigger learning curve with less potential ROI?

My impression is that one of us is at least a little misinformed. I thought that I should get a little independent confirmation that I was going down the right path for my needs. So earlier today I Tweeted as follows:

mjgraves Earlier this week someone told me to set aside pfsense and buy a “real” firewall. I suspect that they’re simply uninformed. Opinions?

And the responses I received thus far are:

leif_madsen @mjgraves: pffft… anything iptables based has done me better than something like Sonicwall or anything Cisco.

and

Darrick Hartman

As far as a “real” firewall, was this guy a sales rep for Cisco or just someone who’s worked in a large corp for so long that they have the attitude that it’s not ‘good’ unless you spend lots of money on it?

VUC regular Karl Fife and I have also discussed this issue before, and he pointed me to Centipede Networks as a source of commercial support for both m0n0wall and pfsense. Based on these responses, from people whose opinions I respect, I’m going forward with pfsense as planned.

However, I’m still curious to know what you think. Are open source router/firewall solutions adequate? Or should I be looking into commercial alternatives? I oversee a number of small offices across the US, so I don’t want to get this wrong as I revisit the network core at each site.

  • Warmbowski

    I have run pfSense for a few years at various office sites that I support. I find it fast to set up, very reliable, and very versatile. I haven’t used monowall, but I get a sense that pfSense has a bit more to it that one might use in bigger offices. For instance, Multi-WAN (failover and load balanced). The biggest plus is that if there is a problem, I can prepare another system (or use an old unused computer as a hot standby) and migrate the configs in about 5 minutes (try doing that inexpensively with a Cisco PIX).

    The only complaint that I ever get is when I set up an office for people from various companies on a construction job, and inevitably there are a couple of people who want to connect their MS PPTP VPNs to the same external IP address at the same time, and the pfSense will only allow one. But that same problem is inherent in any BSD or Linux-based firewall solution that you may install. And I have no sympathy for anyone still using PPTP instead of IPSec for a VPN.

    One thing to keep in mind is that you can install it on a disk from an ISO and run it like a regular BSD computer system, OR you can copy an embedded img version onto a CF card. I assume this is a version that keeps most of the running system in a RAM drive and makes as few disk writes as possible to keep the CF card running well much longer. I prefer systems that do this because even if the physical disk corrupts or breaks down, the firewall won’t stop running, and I usually see some errors and get another system disk set up and ready to replace it.

    Another tip that you might find handy is that you can actually do all your interfaces on a single physical interface using VLANs, but that requires a VLAN switch to help tag traffic. So you can nix the expansion chassis if you have VLAN in your switch. I have seen people argue about the security of having WANs and LANs on the same physical interface, but haven’t seen a consensus.

    I just want to give my props to the pfSense folks for making the best darned firewall/router and say that it has been a pleasure to use it.
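The single-NIC VLAN arrangement mentioned in the comment above, as an added example that is not part of the original post or of the pfSense project’s own documentation. The element names follow the pfSense 2.x `config.xml` layout as I recall it and should be treated as an assumption; the interface name `em0`, the VLAN tags 10 and 20, and the addresses are constructed for illustration.

```xml
<!-- Added example, not from the post: a pfSense-style config.xml fragment in
     which one physical NIC (em0, assumed name) carries both WAN and LAN as
     802.1Q VLANs. Tags 10 and 20 are constructed values. -->
<vlans>
  <vlan>
    <if>em0</if>
    <tag>20</tag>
    <descr>WAN side: switch port facing the cable modem is an untagged member of VLAN 20</descr>
    <vlanif>em0_vlan20</vlanif>
  </vlan>
  <vlan>
    <if>em0</if>
    <tag>10</tag>
    <descr>LAN side: office ports are untagged members of VLAN 10</descr>
    <vlanif>em0_vlan10</vlanif>
  </vlan>
</vlans>
<interfaces>
  <wan>
    <enable/>
    <if>em0_vlan20</if>
    <descr>WAN</descr>
    <ipaddr>dhcp</ipaddr>
    <!-- keep the usual WAN hygiene: drop RFC1918 and bogon sources -->
    <blockpriv/>
    <blockbogons/>
  </wan>
  <lan>
    <enable/>
    <if>em0_vlan10</if>
    <descr>LAN</descr>
    <ipaddr>192.168.1.1</ipaddr>
    <subnet>24</subnet>
  </lan>
</interfaces>
```

With this layout the switch port that faces pfSense must be a trunk carrying tags 10 and 20 only, and the modem’s port and the office ports are untagged access ports in VLAN 20 and VLAN 10 respectively. The check a practitioner will want before trusting it: the trunk’s native (untagged) VLAN should be one that carries nothing, because the separation between WAN and LAN now rests on the switch configuration rather than on physically separate cables, and an untagged frame arriving on the trunk would otherwise be dropped into whichever VLAN is native. That dependence on the switch is the substance of the “same physical interface” debate the comment refers to.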

  • Scott Burrell

    I work on all of the above and a few more. It all depends on the usage, situation, and budget. I recently installed a Firebox X 750e (when topped off w/ a 3yr and 2yr sub ran nearly 8k) and could just as easily have achieved the same results with half a dozen open source solutions. In any situation if the solution, open source or commercial, is poorly set up and implemented it will not matter how much it cost. I say move forward and just check, check and re-check your work.

  • In commissioning the pfsense system I found that traffic shaping is not supported on dual-WAN under v1.2.x. As a result I have to either try the v2.0 alpha release, or wait a while before I can deploy a dual-WAN solution and keep my VoIP phones running.

  • I’m a big supporter of pfSense as well. I push it where I can but my company (consulting firm) has been a long time supporter of Cisco PIX and ASA and at first, had a really hard time swallowing alternate solutions.

    As you know, pfSense and m0n0wall for that matter are very simple to set up and actually just “work” out of the box. Some others, not so much. Price wise, an ALIX box with wireless runs in the neighborhood of $230 while a Sonicwall TZ180 (10 User) is about $500 and a Fortinet 30B is about $275. Each of them has a feature that the others do not and vice versa. Configuration is, in my opinion, the easiest on pfSense. As you are a VoIP person, the Cisco ASA has some neat NAT features for that service, and pfSense has some packages to aid in the process.

    My second choice would probably be Cisco just because of comfort level, but I still can’t justify the cost. It does have a very beautiful SSL VPN client but I am confident that OpenVPN will be just as easy to setup in the near future with pfSense 2.0.

    In any solution, there will be give and takes; I would personally put pfSense in place unless I had a compelling reason to pay more for something else. On support, wiping and restarting a fresh install on a failed pfSense box is faster than calling ANY support desk and rebooting 16 times.

  • Dmitry

    Not all people really understand that a lot of devices now can be virtualized and turned into software appliances – including routers, NAS devices, VoIP boxes, etc.

    My dream is to get a powerful home server with VMware or XenServer installed, which will host all needed home network services, such as wired and wireless router / firewall / traffic shaper / VoIP PBX / NAS server.

    What do you think about it, Michael?

    • To my mind that’s too complex and possibly fault sensitive for me. I like little, low-power, silent boxes that just run and run and run. Witness my use of recycled HP T5700 thin clients for FreeNAS/SlimNAS, Astlinux, pfsense, etc. It’s hard to argue with a low cost box that’s extremely reliable and draws <10 watts.

      I'm really interested in the new Fit-PC2, which is essentially a netbook style platform in a 4" x 4" x 1" form factor. Draws about 6 watts! And can mount to the VESA connector on the back of your LCD monitor. Wow!

  • Dmitry

    Michael,

    Which hardware are you using as NAS device?

  • Dmitry

    Michael,

    Really 250 Gb HDD only? When I’m speaking about NAS, I mean at least 1-2 Tb storage space. Do you have HD Video player? Favorite films collection?

    • Oh, no. The FreeNAS/SlimNAS device is solely for the online portion of my music library. I have a 5TB LaCie NAS for other files. But we have TivoHD for video so we don’t store any video on either NAS.

  • Rami

    Hello MjGraves!

    I’d like to ask you a question regarding the HP T57XX platform for pfsense.
    Today I have been running monowall on a T5700 with 256 MB RAM for 2 years. I tried pfsense on this platform; it was very slow 2 years ago.

    Do you have any experience to run pfsense on HP T57XX platform? Any success?

    • Yes, I have run pfsense on a T5700 with a 1 GHz CPU and 512 MB of memory. This router has been on a DSL line with 2/1.5 Mbps performance. It has been adequate but my needs were light.

      pfsense does require more robust hardware than m0n0wall. I suspect that your platform has too little memory. My older T5700s have a BIOS that limits the maximum amount of memory to 512 MB, which ultimately limits their usefulness in some applications.

      • Rami

        I ordered a T5730 with 2 GB RAM – such a one should run pfsense without issue?
        Do you have experience with Squeeze Center on such hardware as well? Mine on a T5720 with 1 GB RAM is also very slow…
        I am very happy with Askozia 1.01 on a T5700 with 256 MB RAM.

        TIA.

        • Even with more memory the T5700 series are at the low end of the hardware recommended for pfsense. However, it should work for you with no problems.

          How did you add the second NIC? Could that be the issue?

          What do you find slow? The GUI? That’s merely an inconvenience.

          • Rami

            On a T5700 with 256 MB RAM the pfsense GUI is super slow… unusable. I purchased the box extension and added a dual-port Intel PCI card from eBay for $12.

            I see the problem with Squeeze Center – paging on the flash card… it’s very slow.
            I will try to remove it.

            In general, is 256 MB RAM enough for pfsense?

  • William

    I’d be interested to know if you are still using pfsense? If not, what firewall/router are you using these days?

    • mjgraves

      I’ve stayed with monowall. I may yet move to pfsense, but there hasn’t been the time to tinker with it, or a pressing need.

  • The post is written in a very good manner and it contains much useful information for me. I am happy to find your distinguished way of writing the post. Now you make it easy for me to understand and implement the concept.