From: Cristian KLEIN
Date: Sat, 22 Sep 2007 22:28:16 +0300
To: Christer Hermansson
Cc: freebsd-net@freebsd.org
Subject: Re: Firewall and VPN considerations
Message-ID: <46F56CD0.6070400@net.utcluj.ro>
In-Reply-To: <46F52404.2090903@chdevelopment.se>

Christer Hermansson wrote:
> Hello
>
> I am planning on setting up a FreeBSD Firewall that will be used to
> protect a LAN.
>
> The firewall will also act as a VPN-gateway for external workstations
> running Windows XP Professional. I will use Microsoft's ipsec software
> included in Windows XP.
>
> I will also use the firewall's external side to connect with ipsec to
> another LAN which has Cisco VPN equipment.
>
> The firewall will use IPFW and do NAT for the internal LAN.
>
> I would like to have some advice/opinions on the following issues:
>
> - To achieve NAT with IPFW I must use ipdivert, no other methods exist,
> wrong or right?

I personally like to use IPFW with IPNAT or PF. I also heard that starting with 7-CURRENT, IPFW is able to use libalias to do NAT in kernel-space.

> - In this thread
> http://lists.freebsd.org/pipermail/freebsd-net/2007-September/015290.html
> they say quad core does not raise the performance compared to duo core
> when building a router. I will have more than packet forwarding and
> userland processes, e.g. NAT and IPSEC, so I think more cores will help.
> Should I get a machine with duo core cpu or quad core cpu, does quad
> help the performance?
>
> - In this thread
> http://lists.freebsd.org/pipermail/freebsd-net/2006-June/010909.html
> they suggest not to use gif together with ipsec to achieve compatibility
> with Cisco etc, so I'm planning to skip gif, wrong or right? What are
> the benefits of using gif?
>
> - In this mail
> http://lists.freebsd.org/pipermail/freebsd-doc/2007-June/012632.html
> they suggest gif and FAST_IPSEC. On the man page for FAST_IPSEC(4) I
> find the text "is an experimental implementation"; maybe the man page
> just needs an update, or is FAST_IPSEC not suited for production
> environments?
>
> In the official FreeBSD handbook
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
> they say not to use FAST_IPSEC, and show the use of gif; however, I think
> this needs to be updated/rewritten.
> (If I get the time I really feel for writing an alternative page about
> IPSEC with FreeBSD and maybe the result gets accepted for inclusion in
> the handbook.)

-- 
+-------------------------------------+
| Cristian KLEIN                      |
| Network Engineer                    |
| Communication Center                |
| Technical University of Cluj-Napoca |
+-------------------------------------+
| Tel: +40-264-401247, int. 247       |
| WWW: http://www.cc.utcluj.ro        |
+-------------------------------------+
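Added example, not part of the thread or of any FreeBSD rc script: a POSIX sh generator for the IPFW ruleset of the NAT + IPsec gateway discussed above, in both NAT styles the reply mentions (ipdivert with userland natd, and the in-kernel libalias NAT that appeared as `ipfw nat` in FreeBSD 7). The interface name em0, the LAN prefix 192.168.1.0/24 and the rule numbers are assumptions; the script prints the commands by default and only applies them when run with IPFW=/sbin/ipfw.

```shell
#!/bin/sh
# Dry-run by default (IPFW="echo ipfw"); set IPFW=/sbin/ipfw to apply.
IPFW=${IPFW:-echo ipfw}
EXT_IF=${EXT_IF:-em0}                  # assumed Internet-facing interface
LAN_NET=${LAN_NET:-192.168.1.0/24}     # assumed private LAN behind NAT

# nat_rules MODE: emit the NAT rule(s) for one of the two approaches.
#   divert -> userland natd reached through ipdivert (FreeBSD 6.x and earlier)
#   kernel -> in-kernel libalias NAT, "ipfw nat" (FreeBSD 7 and later)
nat_rules() {
    case "$1" in
    divert)
        # natd listens on the "natd" divert port (8668); it is started
        # with natd_enable="YES" / natd_interface="$EXT_IF" in rc.conf.
        $IPFW add 100 divert natd ip from any to any via "$EXT_IF"
        ;;
    kernel)
        # One libalias instance bound to the external interface.
        $IPFW nat 1 config if "$EXT_IF" reset same_ports
        $IPFW add 100 nat 1 ip from any to any via "$EXT_IF"
        ;;
    *)  echo "usage: nat_rules divert|kernel" >&2; return 1 ;;
    esac
}

# ipsec_rules: admit IKE and the IPsec protocols addressed to the gateway
# itself ("me") ahead of the NAT rule. XP road warriors sitting behind a
# home NAT negotiate NAT-T and move ESP to UDP/4500, so both ports are
# opened. Decrypted tunnel traffic re-enters the ruleset as plain IP.
ipsec_rules() {
    $IPFW add 50 allow udp from any to me 500 in via "$EXT_IF"    # IKE
    $IPFW add 51 allow udp from any to me 4500 in via "$EXT_IF"   # NAT-T
    $IPFW add 52 allow esp from any to me in via "$EXT_IF"
    $IPFW add 53 allow ah from any to me in via "$EXT_IF"
}

# ruleset MODE: flush and install the complete ruleset.
ruleset() {
    $IPFW -f flush
    ipsec_rules
    nat_rules "$1" || return 1
    # Translated packets continue here (always after divert; after
    # "ipfw nat" only when sysctl net.inet.ip.fw.one_pass=0).
    $IPFW add 200 allow ip from any to any out via "$EXT_IF"
    # Inbound replies already rewritten to a LAN address pass; anything
    # still addressed to the external IP falls through to the deny.
    $IPFW add 210 allow ip from any to "$LAN_NET" in via "$EXT_IF"
    $IPFW add 300 deny log ip from any to any
}
```

Run `./script.sh` sourced into a shell and call `ruleset kernel` or `ruleset divert` to see the commands; with the dry-run default nothing touches the live firewall.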