From owner-freebsd-questions@FreeBSD.ORG Fri May 28 23:40:47 2010
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CB7431065672 for ; Fri, 28 May 2010 23:40:47 +0000 (UTC) (envelope-from nvass9573@gmx.com)
Received: from mailout-eu.gmx.com (mailout-eu.gmx.com [213.165.64.42]) by mx1.freebsd.org (Postfix) with SMTP id 37CB88FC08 for ; Fri, 28 May 2010 23:40:47 +0000 (UTC)
Received: (qmail invoked by alias); 28 May 2010 23:40:45 -0000
Received: from adsl-78.79.107.71.tellas.gr (EHLO moby.local) [79.107.71.78] by mail.gmx.com (mp-eu004) with SMTP; 29 May 2010 01:40:45 +0200
X-Authenticated: #46156728
X-Provags-ID: V01U2FsdGVkX19Urg85QLBUYiYqbJ/YiltXJCEBw7/JgOQDGN4SZt Z3C6hUaM3yfLzN
Message-ID: <4C005478.1070008@gmx.com>
Date: Sat, 29 May 2010 02:40:40 +0300
From: Nikos Vassiliadis
User-Agent: Thunderbird 2.0.0.23 (X11/20100313)
MIME-Version: 1.0
To: "Svein Skogen (Listmail Account)"
References: <4BFFA988.7020807@stillbilde.net>
In-Reply-To: <4BFFA988.7020807@stillbilde.net>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD router - large scale
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Fri, 28 May 2010 23:40:47 -0000

Svein Skogen (Listmail Account) wrote:
> Actually, I'd find an answer from the FreeBSD Networking gurus useful as
> well. My trusted Cisco 3640 is getting old (had its
> ten-years-of-service birthday a little while ago), so I guess I must be
> prepared to replace it with something new. Preferably something that
> can do proper NAT port mapping to the inside servers in an
> RFC1918-addressed DMZ, proper NAT mapping for the client net, incoming
> VPDN (virtual private dialin network, such as PPTP+MPPE and L2TP+IPSEC
> tunnelling), sane IDS in the border-gateway, GRE or IPinIP tunnelling with
> crypto for remote-sites, etc
>
> If somebody has a good starting-point for documentation on these
> features, I'm more than willing to "do a project on it" to create a
> mini-howto/handbook-section on "setting up FreeBSD as your border
> gateway", provided I have someone to ask when the documentation is ...
> flaky. ;)

Although I feel that you'll have to write a book to cover all the things mentioned above, I'll try to reply to your question... These are just pointers...

Several forms of NAT are supported with the following tools:
ipfw
pf
ipf
ng_nat
I doubt there is some form of NAT you will miss.

The net/mpd5 port can do PPTP; the MPPE part is blurry to me. L2TP is supported for LNS/LAC scenarios. I don't know "if you can"/"how difficult it is to" combine IPSEC with L2TP.

The most famous open source IDS is snort; you'll find it in the ports.

For GRE and IPIP read the gre and gif manual pages. Again, IPSEC is not integrated into these, yet there is IKE support via the ipsec-tools port.

You'll have to check the documentation for yourself. Though I can say that all the FreeBSD stuff mentioned above is well documented as usual, and there is always this list if you have questions.

Good luck replacing the aging Cisco...

Nikos
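As an added illustration of the two NAT requirements raised in the thread (outbound NAT for a client net and inbound port mapping to servers in an RFC1918 DMZ) using pf, one of the tools Nikos lists, here is a minimal pf.conf. This is not from the thread or from the FreeBSD documentation; the interface names (em0/em1/em2), the 192.168.10.0/24 and 192.168.20.0/24 networks and the 192.168.10.10 server address are constructed placeholders. The point worth seeing is that pf applies the nat/rdr translation before the filter rules, so the pass rule for inbound web traffic must match the internal server address, not the external one, and that a default-deny policy with antispoof and a bogon block on the outside interface keeps the redirect from becoming a general hole.

```pf
# /etc/pf.conf (example, constructed; interface names and addresses are placeholders)
ext_if  = "em0"            # Internet-facing interface
dmz_if  = "em1"            # RFC1918-addressed DMZ
lan_if  = "em2"            # client network
dmz_net = "192.168.10.0/24"
lan_net = "192.168.20.0/24"
web_srv = "192.168.10.10"  # DMZ host that should receive inbound 80/443
rfc1918 = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

set skip on lo0
scrub in all               # reassemble fragments before any rule sees them

# --- Translation rules (evaluated before the filter rules) ---
# Outbound NAT for both internal networks, hidden behind the dynamic external address.
nat on $ext_if from { $lan_net, $dmz_net } to any -> ($ext_if)
# Inbound port mapping: external :80/:443 -> the DMZ web server.
rdr on $ext_if proto tcp from any to ($ext_if) port { 80, 443 } -> $web_srv

# --- Filter rules: default deny, then explicit exceptions ---
block log all
# Drop packets whose source address could not legitimately arrive on that interface.
antispoof quick for { $ext_if, $dmz_if, $lan_if }
# Private source addresses have no business arriving from the Internet.
block in quick on $ext_if from $rfc1918 to any

# The redirected packets already carry the DMZ address here, so filter on $web_srv,
# not on ($ext_if); a pass rule written against the external address would never match.
pass in on $ext_if proto tcp from any to $web_srv port { 80, 443 } flags S/SA keep state

# Clients may initiate outbound connections; the state entry covers the return path.
pass in on $lan_if from $lan_net to any keep state
# Traffic originated by the router itself.
pass out on $ext_if keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`. Because the rdr rule only covers ports 80 and 443 and the filter section blocks everything else inbound on the external interface, the DMZ host is reachable from outside on exactly those two ports; `pfctl -ss` shows the state entries created by the pass rules, which is the first thing to look at when a mapped port does not answer.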