From: "Steve Bertrand"
To: "Paul Hillen"
Cc: freebsd-questions@freebsd.org
Date: Wed, 21 Jul 2004 14:38:27 -0400 (EDT)
Subject: RE: Firewall, OpenVPN and Squid question
Message-ID: <2957.209.167.16.15.1090435107.squirrel@209.167.16.15>
In-Reply-To: <2D5D66504FBF4E4FB3A199F121C862382D08E0@exch1.nfmwe.com>
User-Agent: SquirrelMail/1.4.3a

> I have around 100 users at our site that would require the use of squid,
> we house our own webserver, mail server, public DNS servers in the DMZ
> and 2 private DNS servers on the internal network, used by both Internal
> and VPN users.
>
> Sites connecting Gateway to Gateway, there are approx. as follows;
> Site 1 - 25 users
> Site 2 - 5 users
> Site 3 - 12 users
> Our site VPN users are approx. 25, and about 50% of them are connected at
> any given time.
>
> My first thought is to put up a Firewall box that can handle the load of
> publishing many internal boxes and "publish" a box with OpenVPN and
> another for SQUID and just keep them all separate.
>
> Will this setup put too much strain on the FIREWALL box or will it have
> no problem handling the NAT/ROUTING in this configuration.

I'll go as far as to say that it should have no problem.

At the ISP I am currently working full time for, we recently deployed an
ipfw bridge configured firewall (internally) to protect our core servers
from improper access. There are 8 servers in all (mail, web, mysql, ftp,
radius, ssh and dns). We have about 6000 users, and the FBSD firewall
never ever hiccuped. I could even run tcpdump for hours, and it would
rarely ever drop even a single packet.

Sounds like a good setup you are planning. I would set it up, implement
it (with the old setup on standby), and if you find performance
problems, pull the drive out of the P3 and do as you say, go on a
'spending spree', put the drive directly into a P4 with a gig of memory,
and drop it back in place.

Please note that natd is NOT running on the ISP firewall, but on the
other such setup it is, and I've never seen any performance problems at
all.

Steve
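As an added example (not Steve's ruleset or anything posted in this thread), here is a sketch of the kind of ipfw policy a filtering bridge in front of a DMZ like the one he describes would carry: public services (web, mail, DNS, FTP) reachable from outside with state tracking, management SSH only from an admin network, and back-end services (mysql, radius) explicitly denied and logged at the outside interface, with a logging deny-all at the end. The interface name, the addresses and the networks are constructed placeholders, not values from the thread. The script only prints the `ipfw add` commands so the ruleset can be reviewed before it is piped to `sh` on the firewall; on the bridge itself, the bridge's ipfw hook must be enabled as documented in bridge(4) for the FreeBSD release in use.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: emit an ipfw ruleset for
# a filtering bridge protecting a DMZ of servers (mail, web, mysql, ftp,
# radius, ssh, dns). All interface names and addresses below are assumed
# placeholders (RFC 5737 documentation ranges), not real site values.

OUT_IF=fxp0                   # assumed: interface facing the outside world
DMZ_NET="192.0.2.0/24"        # constructed DMZ range
ADMIN_NET="198.51.100.0/24"   # constructed: where management SSH may come from
WEB=192.0.2.10;  MAIL=192.0.2.11;   DNS=192.0.2.12;  FTP=192.0.2.13
SSH_HOST=192.0.2.14; MYSQL=192.0.2.15; RADIUS=192.0.2.16

# rule: print one "ipfw add ..." command instead of executing it
rule() { printf 'ipfw add %s\n' "$*"; }

# gen_rules: print the whole ruleset, first-match order, deny-all last
gen_rules() {
    echo "ipfw -q flush"
    rule "allow ip from any to any via lo0"
    # dynamic rules created by keep-state are matched here
    rule "check-state"
    rule "allow tcp from any to any established"
    # publicly reachable services: only the inbound SYN needs a rule,
    # the rest of the flow is tracked by the dynamic rule it creates
    rule "allow tcp from any to $WEB 80,443 in via $OUT_IF setup keep-state"
    rule "allow tcp from any to $MAIL 25 in via $OUT_IF setup keep-state"
    rule "allow udp from any to $DNS 53 in via $OUT_IF keep-state"
    rule "allow tcp from any to $DNS 53 in via $OUT_IF setup keep-state"
    rule "allow tcp from any to $FTP 21 in via $OUT_IF setup keep-state"
    # management only from the admin network, never from outside
    rule "allow tcp from $ADMIN_NET to $SSH_HOST 22 setup keep-state"
    # back-end services: explicit logged deny so probes show up in logs
    rule "deny log tcp from any to $MYSQL 3306 in via $OUT_IF"
    rule "deny log udp from any to $RADIUS 1812,1813 in via $OUT_IF"
    # outbound DNS answers from the DMZ resolvers, and basic ICMP
    rule "allow udp from $DMZ_NET 53 to any out via $OUT_IF"
    rule "allow icmp from any to any icmptypes 0,3,8,11"
    rule "deny log ip from any to any"
}

# count_rules: number of "ipfw add" lines the generator produced
count_rules() { gen_rules | grep -c '^ipfw add'; }

# has_final_deny: 0 if the ruleset ends in a logging deny-all, 1 otherwise
has_final_deny() { gen_rules | tail -n 1 | grep -q 'deny log ip from any to any'; }

# Review with:  sh thisfile.sh        Apply on the bridge with:  sh thisfile.sh | sh
gen_rules
```

The rules are written so that nothing is opened toward the DMZ except the few listening ports that are meant to be public, and the two explicit deny rules for mysql and radius exist only to make attempts visible in the log; with the final `deny log ip from any to any` they would be dropped anyway.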