Date: Wed, 21 Jul 2004 16:40:35 -0400
From: Paul Hillen <PHILLEN@NFM.NET>
To: freebsd-questions@freebsd.org
Subject: RE: Firewall, OpenVPN and Squid question
Message-ID: <2D5D66504FBF4E4FB3A199F121C862382D08E8@exch1.nfmwe.com>
From: Steve Bertrand [mailto:iaccounts@ibctech.ca]

>>> I have around 100 users at our site that would require the use of squid,
>>> we house our own webserver, mail server, public DNS servers in the DMZ
>>> and 2 private DNS servers on the internal network, used by both Internal
>>> and VPN users.
>>>
>>> Sites connecting Gateway to Gateway, there are approx. as follows;
>>> Site 1 - 25 users
>>> Site 2 - 5 users
>>> Site 3 - 12 users
>>> Our site VPN users are approx. 25, and about 50% of them are connected at
>>> any given time.
>>>
>>> My first thought is to put up a Firewall box that can handle the load of
>>> publishing many internal boxes and "publish" a box with OpenVPN and
>>> another for SQUID and just keep them all separate.
>>>
>>> Will this setup put too much strain on the FIREWALL box or will it have
>>> no problem handling the NAT/ROUTING in this configuration?
>>>
>>> Thanks in advance
>>> Paul
>>>
>>
>> Considering that many of the current hardware firewall solutions aren't
>> much more than either a BSD or Linux kernel in a ROM chip, with a 486 or
>> 586 based cpu, memory, and a nice gui (Windows or Internal Web interface),
>> I can't see why a similar system on a PC would be any different.

I would have to guess that a hardware firewall like Watchguard that offers VPN also would have to be beefier than that.

Steve, going back to your initial response about the PIII 800MHz network, are you using a proxy for the internal users, or are they connecting directly to the firewall as their only means of getting out? It seems most hardware firewalls do not include a proxy server, just NAT/VPN, in which case the proxy would be on a separate internal machine anyway.

A comment about the ISA Server setup, which I actually like and am not sure if I can pull off the same type of setup with FreeBSD.

The setup is like this:

External ISA Server (not actual ips)
ISP / 10.10.10.6
 |
 |-> Postfix Relay Server 10.10.10.5
 |-> TinyDNS for internet publishing 10.10.10.4
 |-> TinyDNS for internet publishing 10.10.10.3
 |-> Webserver 10.10.10.2
 |
 |-> Internal ISA Server 10.10.10.1 / 10.0.0.1
      |
      |-> Exchange Server 10.0.0.2
      |-> TinyDNS internal publishing 10.0.0.3
      |-> TinyDNS internal publishing 10.0.0.4
      |-> Rest of internal servers and network etc...

External sites are actually creating a VPN tunnel with a VPN tunnel and it works well, but the ISA Server gets too flaky after about a month of use. I have rebuilt them more than I ever thought I would. At this point I will be happy to just get the firewall and VPN to work, but I like the additional layer someone would have to break through in the above scenario.

> Yes, but take into consideration disk reads/writes. It is possible to
> eliminate these tasks, and I have even done setups where everything was
> flashed onto a CF card (ro) (obviously w/o logging capabilities). I did a
> custom build, frequently referring to:
>
> http://neon1.net/misc/minibsd.html and put the system on an IDE->CF card
> converter.
> Steve
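The two-tier layout Paul sketches (an outer firewall publishing DMZ hosts, an inner firewall in front of the LAN) maps directly onto a FreeBSD packet filter. The following pf.conf is an added example for the OUTER box only; it is not from the thread or from any of the posters, and it reuses the thread's placeholder DMZ addresses. The interface names (ext0, dmz0), the public address 203.0.113.10 (a documentation prefix) and the OpenVPN port are assumptions. Every DMZ host gets an egress rule limited to its role, so a compromised relay or DNS box cannot reach the Internet or the internal firewall on anything else.

```pf
# Added example: outer firewall for a two-tier DMZ on FreeBSD pf.
# Interface names and the public address are assumptions; the DMZ
# addresses are the placeholders used in the thread.
ext_if   = "ext0"
dmz_if   = "dmz0"
pub_addr = "203.0.113.10"

# DMZ hosts from the diagram
mail_relay = "10.10.10.5"
dns1       = "10.10.10.4"
dns2       = "10.10.10.3"
web        = "10.10.10.2"
int_fw     = "10.10.10.1"      # outer leg of the internal firewall
dmz_net    = "10.10.10.0/24"

set skip on lo0
scrub in all

# Publish DMZ services: translate inbound connections on the public
# address to the DMZ host that serves them. Nothing else is reachable.
rdr on $ext_if proto tcp         from any to $pub_addr port 25 -> $mail_relay
rdr on $ext_if proto { tcp udp } from any to $pub_addr port 53 -> $dns1
rdr on $ext_if proto tcp         from any to $pub_addr port 80 -> $web

# Hide the DMZ and, behind the inner firewall, the LAN behind one address.
nat on $ext_if from $dmz_net to any -> $pub_addr

# Default deny in every direction; log what gets dropped.
block log all
antispoof for $ext_if
antispoof for $dmz_if

# Inbound from the Internet: only the published services. pf applies rdr
# before filtering, so these rules match the translated DMZ address.
pass in on $ext_if proto tcp         from any to $mail_relay port 25 keep state
pass in on $ext_if proto { tcp udp } from any to $dns1       port 53 keep state
pass in on $ext_if proto tcp         from any to $web        port 80 keep state

# Gateway-to-gateway and road-warrior VPNs terminate on this box
# (OpenVPN's default UDP port; assumption about the eventual setup).
pass in on $ext_if proto udp from any to $pub_addr port 1194 keep state

# Egress per DMZ role, enforced where the packet enters the firewall.
# The relay may only speak SMTP, the DNS boxes may only speak DNS.
pass in on $dmz_if proto tcp         from $mail_relay     to any port 25 keep state
pass in on $dmz_if proto { tcp udp } from { $dns1, $dns2 } to any port 53 keep state

# The inner firewall carries LAN traffic; what the LAN may do is its
# decision, this box only forwards what it sends.
pass in  on $dmz_if from $int_fw to any keep state
pass out on $ext_if all keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and watch `pflog0` with tcpdump while testing: anything the DMZ hosts try that is outside their role shows up there as a logged drop. The inner firewall gets its own, separate ruleset that lets the LAN reach the relay, the DMZ resolvers and the Squid box, and nothing else.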