One project that I’m about to start is moving from my m0n0wall router to a new one built around pfsense. The motivation for the project is the integration of our Comcast Business Class internet service into the rest of the household. At present there are two separate networks, with only a few devices enjoying the high speed cable service. The pfsense system will be configured for dual WAN, accessing both the cable service and the Covad DSL circuit.
My existing m0n0wall runs on an old Soekris Net4801. In service for many years, it has been extremely reliable. If m0n0wall does what you need I have no hesitation in recommending the software. Support from the user community is tremendous as well.
For the pfsense system I’m going to use a HP T5700 thin client. It has one NIC on-board, so I’m using the expansion chassis to add a dual-port Soekris NIC card. The internal flash “disk-on-module” is only 256 MB, not quite enough to handle pfsense so this system will boot from a USB stick.
In both cases my router is essentially an appliance, even though they run open source software. My Asterisk server is also an appliance. By appliance I mean diskless, fanless, low-power consumption, low heat output and silent.
I know that the teams behind m0n0wall, Astlinux and Askozia believe as I do that the appliance approach has tremendous merit. I recall a time when there was a significant group badgering Digium to offer an appliance, which eventually came to pass.
Sometimes these things that I take for granted seem to be strange and foreign to others. For example, earlier this week I was describing my pfsense project to someone. He balked at the idea of running pfsense as my primary firewall. He said that I really should buy “a real firewall.” This stopped me cold. A real firewall. What does that mean?
As the conversation progressed he went on to say that, “…a firewall should not have any moving parts.” He was essentially telling me that it should be an appliance, which is something that we could agree on. But his assumption was that m0n0wall and pfsense were just software to be run on a server, and that was not a suitable solution.
His initial comment haunts me still. Are m0n0wall or pfsense truly suitable solutions for small business and home offices? Clearly m0n0wall has served me well over the years. But is there something that I’m missing? Some critical form of protection that I’m lacking? Should I be looking at Vyatta as a more complete solution? Or is that just a bigger learning curve with less potential ROI?
My impression is that one of us is at least a little misinformed. I thought that I should get a little independent confirmation that I was going down the right path for my needs. So earlier today I Tweeted as follows:
mjgraves Earlier this week someone told me to set aside pfsense and buy a “real” firewall. I suspect that they’re simply uninformed. Opinions?
And the responses I received thus far are:
leif_madsen @mjgraves: pffft… anything iptables based has done me better than something like Sonicwall or anything Cisco.
As far as a “real” firewall, was this guy a sales rep for Cisco or just someone who’s worked in a large corp for so long that they have the attitude that it’s not ‘good’ unless you spend lots of money on it?
VUC regular Karl Fife and I have also discussed this issue before, and he recommended Centipede Networks to me as a source of commercial support for both m0n0wall and pfsense. Based on these responses, from people whose opinions I respect, I’m going forward with pfsense as planned.
However, I’m still curious to know what you think. Are open source router/firewall solutions adequate? Or should I be looking into commercial alternatives? I oversee a number of small offices across the US, so I don’t want to get this wrong as I revisit the network core at each site.