JoelC707
join:2002-07-09 Tucson, AZ
Pix 501, ASA 5505, or something else?
OK, I need to upgrade my firewall/router at home. My current WRV54G just doesn't have it anymore. Actually it never really worked right from the start, but that's a long discussion. I currently have 6 PCs here and one IP phone (will add another shortly) for a total of 8 devices. I do use VPN and terminate it on the router, so I require something that will do IPSec VPN, something pretty much every current "home" router can't do; and the ones that can haven't been getting favorable reviews.
For that reason I've considered getting a Pix 501 since they are so cheap on eBay now. My dad suggested I look at the ASA 5505 since it is newer, but I can't get it for less than $350ish and that's only the 10 user version; I'm looking at the 50 user version of the Pix for about $180.
The problem with the Linksys is that it seems to fall flat on its face when a high concurrent connection download is going on. Even one single P2P download will make the router unstable. Sure, the download will continue, but good luck surfing from another computer. I have a 6/1 Comcast connection and primarily use a VPN tunnel to get access to my Exchange server and other things at the office (office has a Pix 520), but I also use P2P to download things, so I need something that can handle a high connection rate. The Pix 520 at the office could and has handled this nicely, but the VPN tunnel is too slow to transfer large files over, so my file server is here at home now.
I'm not opposed to a router like the 851/871. The problem there is finding one with the right IOS on it to give me 3DES/AES support and the firewall feature set and still keeping it at around $200 or so. I might be able to spend more money such as the $350 for the ASA if someone can convince me it would be worth it.
I've read a few threads about this already where people generally suggested a Linksys router with DD-WRT on it. I don't have a problem with that, in fact I've got a WRT-310N here with DD-WRT on it but it only supports VPN passthrough of IPSec. It was my first attempt at solving this problem and it didn't work out so well. At least I can still use it in client mode and use it as an ethernet bridge.
So what would you suggest? Is a Pix 501 going to do what I need? I don't really believe the 60 Mbps they claim it can do. The 3-4 megs encrypted would seem to be about right but regardless my internet connection isn't that fast so it's moot. I looked at the 506/506e but they are just as expensive as the ASA so I'd just get that instead.
Regarding DD-WRT, if the original factory firmware didn't support terminating IPSec, will the aftermarket firmware support it? What I'm getting at is my WRT-310N didn't support VPN stock but would one that does still support VPN termination with DD-WRT? I'm thinking if all else fails I could get one of the business grade Linksys routers that supports IPSec termination but replace it with DD-WRT to hopefully clear the firmware issues (assuming they are firmware issues). But if DD-WRT doesn't terminate IPSec no matter what then this idea won't work either.
Thanks, Joel
 Bink
join:2006-05-14 Denver, CO
·Qwest.net
I think you'll be fine with either Cisco device. Another alternative, if you're open to it and can tolerate a bit of a learning curve, is to use PC-class hardware and install a customized open source solution like pfSense on it. I personally run OpenBSD at home for this task and it can do IPSec better than many other solutions.
 JoelC707
join:2002-07-09 Tucson, AZ
I'd thought about that. I've got enough heat generating devices here in the desert and only a swamp cooler to combat them. I'd prefer a smaller device that doesn't put out as much heat.
 Bink
join:2006-05-14 Denver, CO
I use an older notebook for this, which puts out little heat and uses little energy, but, you're right, it still puts out more heat than a tiny PIX, ASA or similar device.
 JoelC707
join:2002-07-09 Tucson, AZ
Yeah, that's a good idea. And a laptop has a built-in battery backup, so that's even better. If I could get my dad's old laptop to turn on again I'd use that actually, but alas it won't and I don't have any other laptops to use. Too bad too, because I've actually wanted to play with something like that. I've even thought of using one of my existing machines at the house that has Server 2003 on it as the router/firewall. I know it can do IPSec, but I've never had much luck getting it to work right. Nothing like using existing hardware for another purpose (essentially free).
smunro622
join:2006-02-15 Madison Heights, MI
Joel,
I have used pfSense and PacketFence with great results. I ran it on a P3 with 512 MB memory and dual 100 Mb NICs. It is easy to set up and configure; it can be up and running in no time at all.