Date: Sat, 22 Sep 2007 22:28:16 +0300
From: Cristian KLEIN <cristi@net.utcluj.ro>
To: Christer Hermansson <mail@chdevelopment.se>
Cc: freebsd-net@freebsd.org
Subject: Re: Firewall and VPN considerations
Message-ID: <46F56CD0.6070400@net.utcluj.ro>
In-Reply-To: <46F52404.2090903@chdevelopment.se>
References: <46F52404.2090903@chdevelopment.se>

Christer Hermansson wrote:
> Hello
>
> I am planning on setting up a FreeBSD Firewall that will be used to
> protect a LAN.
>
> The firewall will also act as a VPN-gateway for external workstations
> running Windows XP Professional, I will use Microsoft's ipsec software
> included in the Windows XP.
>
> I will also use the firewall's external side to connect with ipsec to
> other LAN which have Cisco VPN equipment.
>
> The firewall will use IPFW and doing NAT for the internal LAN.
>
> I would like to have some advice/opinions on the following issues:
>
> - To achieve NAT with IPFW I must use ipdivert, no other methods exist,
> wrong or right ?

I personally like to use IPFW with IPNAT or PF. I also heard that
starting with 7-CURRENT, IPFW is able to use libalias to do NAT in
kernel-space.

>
> - In this thread
> http://lists.freebsd.org/pipermail/freebsd-net/2007-September/015290.html
> they say quad core does not raise the performance compared to duo core
> when building a router. I will have more than packet forwarding and
> userland processes, e.g. NAT and IPSEC so I think more cores will help.
> Should I get a machine with duo core cpu or quad core cpu, does quad
> help the performance ?
>
> - In this thread
> http://lists.freebsd.org/pipermail/freebsd-net/2006-June/010909.html
> they suggest not to use gif together with ipsec to achieve compatibility
> with cisco etc, so I'm planning to skip gif, wrong or right ? What are
> the benefits of using gif ?
>
> - In this mail
> http://lists.freebsd.org/pipermail/freebsd-doc/2007-June/012632.html
> they suggest gif and FAST_IPSEC. On the man page for FAST_IPSEC(4) I
> find the text "is an experimental implementation", maybe the man page
> just needs an update or is FAST_IPSEC not suited for production
> environments ?
>
> In the official FreeBSD handbook
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
> they say not to use FAST_IPSEC, and show the use of gif, however I think
> this needs to be updated/rewritten. (If I get the time I really feel for
> writing an alternative page about IPSEC with FreeBSD and maybe the
> result gets accepted for inclusion in the handbook.)
>

--
+-------------------------------------+
| Cristian KLEIN                      |
| Network Engineer                    |
| Communication Center                |
| Technical University of Cluj-Napoca |
+-------------------------------------+
| Tel: +40-264-401247, int. 247       |
| WWW: http://www.cc.utcluj.ro        |
+-------------------------------------+