[olug] Home network, firewall, vpn design..

Phil Brutsche phil at brutsche.us
Tue Feb 17 16:38:44 UTC 2004


Nathan D. Rotschafer wrote:

> Or save yourself a whole lotta headaches and get yourself a cisco 2611.
> That router can terminate VPNs, run DHCP, do NAT, static NAT or port
> forwarding.  All in a nice 1U box that never has to have its hardware
> upgraded :-)

One detail you forgot to mention is that a 26xx is EXTREMELY slow doing 
VPN work unless you get an EXTREMELY EXPENSIVE crypto accelerator 
card... slow to the point where your firewall is the bottleneck, not the 
internet connection, and expensive to the point that it's cheaper to get 
a PIX or a SonicWALL, which can also do IPsec, DHCP, and dynamic and 
static NAT.

Alternatively, just put the VPN functionality on the OpenBSD box ;)

The costs:
  * new Cisco PIX-501: $400
  * new SonicWALL TZ 170: $400
  * used Cisco PIX-506: $700 - $800 (ebay pricing)
  * used Cisco 2611: $500+ (ebay pricing)
  * used PC that'll spank 'em all: under $100.  Or "free", since you have
    a P-100 ;)

As you can tell, I'm not a fan of using an IOS router as a firewall... 
I've done it and haven't been impressed compared to a PIX, SonicWALL or PC.

-- 

Phil Brutsche
phil at brutsche.us
