Time for a new router again.

Started by esh, Dec 29, 2009, 16:12:00



esh

Well I got a Netgear DGFV338 about 2 months ago to replace an aging USRobotics generic black box which served faithfully for nigh on 10 years. It wasn't a bad unit, but I had a) run out of firewall rules on it, and b) it did not reconnect itself automatically. The Netgear unit was going to be the answer. Unfortunately after battling with it since I got it, it looks like it's going to have to go back. Netgear support threw in the towel this morning and said my problem is "probably not going to be resolved", so I'm in the market again, so to speak.

So I guess I'm looking for suggestions. If anyone has any they would be most welcome. Here's a few things that I am looking for :-

a) LAN ports are good. The DGFV338 had 8 LAN ports which was very attractive. This seems increasingly rare these days. I'm probably going to have to be prepared to buy an HP ProCurve switch or the likes to have enough LAN ports though. The only other 8 port I could find was some Linksys/Cisco dual WAN device.

b) Wireless is optional. It's nice but this can go on a switch easily enough. I want WEP2 as a minimum as well.

c) I need plenty of rules in the web admin tool. The USR router had a 32 rule limit which I have since exceeded. I also need QoS.

d) We're moving more towards software VPN these days, tunnelling over SSH links, so VPN hosting isn't really needed.

e) A proper logging facility is very welcome. The Netgear unit emailed me rotated logs periodically as well as logged itself to a linux syslogd server which was very nice.

f) Reliability is tops. I need it to stay up, and bring itself back up if BT start arsing around. It's a remote server with sometimes no one around. At the very least the server should be able to telnet into it with a script and give the software a kick up the rear side if it can't access the internet.

g) Don't need ADSL2. Looks like I'll be on the 21CN some time in the 22nd century.

Sorry if this sounds like a rant or is completely incoherent. I was up til 3am on Christmas night, not partying, but fending off attacks on our servers. I hadn't seen that before but it certainly brought the impact of security back home. Anyway, I'm prepared to spend money on whatever needs be. It's not like the Netgear unit was cheap either, but the Cisco £600 units are probably a little excessive :) Any ideas, folks?
CompuServe 28.8k/33.6k 1994-1998, BT 56k 1998-2001, NTL Cable 512k 2001-2004, 2x F2S 1M 2004-2008, IDNet 8M 2008 - LLU 11M 2011
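
Requirement (f) above describes a mechanism rather than a product: a script on the server that checks whether the internet is reachable and, if not, logs into the router and makes it reconnect. The following is an added example of that decision logic, not code from the thread or from any router vendor. The probe and the "kick" are injected callables so the logic can be exercised offline; `tcp_probe` is a real majority-vote probe over several hosts, while `kick_router` is a hypothetical stand-in for whatever telnet or ssh command the actual router accepts. The thresholds are assumptions.

```python
"""Connectivity watchdog with hysteresis and a post-kick cooldown.

Added example, not code from the thread. It implements the mechanism the
post asks for: a script on the server probes the internet and, only after
several consecutive failed checks, asks the router to reconnect. The probe
and the kick are injected callables so the decision logic runs offline;
kick_router below is a hypothetical stand-in for the real router command.
"""
import socket
from dataclasses import dataclass, field
from typing import Callable, List, Sequence, Tuple


def tcp_probe(targets: Sequence[Tuple[str, int]], timeout: float = 3.0) -> bool:
    """Return True if MORE THAN HALF of the targets accept a TCP connection.

    One unreachable host is not evidence that the line is down, so the probe
    takes a majority vote over several independent hosts/ports.
    """
    ok = 0
    for host, port in targets:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                ok += 1
        except OSError:
            pass
    return ok * 2 > len(targets)


@dataclass
class Watchdog:
    probe: Callable[[], bool]
    kick: Callable[[], None]
    failures_before_kick: int = 3  # consecutive failed checks before acting
    cooldown_checks: int = 5       # checks to give the line after a kick
    _failures: int = 0
    _cooldown: int = 0
    history: List[str] = field(default_factory=list)

    def tick(self) -> str:
        """Run one check cycle and return what happened.

        'up'       link is fine (counters reset)
        'down'     failed, but not enough consecutive failures yet
        'cooldown' failed, but a kick was issued recently; give it time
        'kicked'   threshold reached, router reconnect requested
        """
        if self.probe():
            self._failures = 0
            self._cooldown = 0
            state = "up"
        else:
            self._failures += 1
            if self._cooldown > 0:
                self._cooldown -= 1
                state = "cooldown"
            elif self._failures >= self.failures_before_kick:
                self.kick()
                self._failures = 0
                self._cooldown = self.cooldown_checks
                state = "kicked"
            else:
                state = "down"
        self.history.append(state)
        return state


def run_scripted(probe_results: Sequence[bool], failures_before_kick: int = 3,
                 cooldown_checks: int = 5) -> Tuple[List[str], int]:
    """Drive a Watchdog with canned probe results; returns (states, kick count).

    This exercises the logic without a network. The real loop would build the
    Watchdog with tcp_probe and a router command and call tick() every minute.
    """
    results = iter(probe_results)
    kicks = [0]

    def kick_router() -> None:  # hypothetical: telnet/ssh to router, reconnect
        kicks[0] += 1

    wd = Watchdog(probe=lambda: next(results), kick=kick_router,
                  failures_before_kick=failures_before_kick,
                  cooldown_checks=cooldown_checks)
    states = [wd.tick() for _ in probe_results]
    return states, kicks[0]


if __name__ == "__main__":
    # Constructed scenario: link dies, stays down through one kick, recovers.
    print(run_scripted([False] * 6 + [True, False, True], cooldown_checks=2))
```

The two counters are the point: `failures_before_kick` stops a single lost probe from bouncing the line, and `cooldown_checks` stops the script from kicking the router again while PPP is still renegotiating, which on a slow DSL resync can otherwise turn one outage into a loop.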

Rik

You need someone with more expertise than me, Esh. I suspect you may be best off with a separate switch to achieve all you want, but let others advise.
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

esh

It's not really very easy at this level. I'm in that terrible niche between consumer and enterprise level networking. It'd be nice to not have a separate modem, switch, and router, though.

Rik

I think you've hit the root problem, though. Your needs are well above average consumers, so it's going to be something of a niche market. Have Draytek got anything which comes close?

esh

Hmm, I have heard good things about DrayTek, though I know next to nothing about them. I'll give them a poke.

Rik

They did tend to position in the prosumer market.

somanyholes

Are you able to supply the following info?

Size of infrastructure i.e. amount of nodes on lan
topology / system roles
Budget (Please don't say as little as possible ;))

esh

I think we have between 12 and 16 systems requiring ports (varies due to laptops) and there are 4 servers. These servers are data nodes generally establishing SQL and SSH connections for long periods, but because they are accessed quite extensively during the night and sometimes at weekends when no-one is around it is obviously useful to have some mechanism where it can re-establish the link if needs be. I would prefer to keep the budget under 400 if possible.

somanyholes

If you're really determined to use an all-in-one device then you're probably best going for one of the DrayTek models. Their products do seem to have got better over the years, however I have to say I'm not the biggest fan of the interface.

Personally, if it was me I would be tempted to get a modem and stick an ASA behind it, like one of these: http://www.hardware.com/store/Cisco/ASA5505-50-BUN-K9. Then you can start segmenting your network, e.g. webservers on one interface, db servers on another etc. It does sound like you really are on the edge of the typical SOHO space.

Again, these probably won't appeal much to you as you're going to need separate devices, but you can always build one of your own network devices and again stick a modem in front of it.

http://www.pfsense.org/
http://www.untangle.com/
http://m0n0.ch/wall/

esh

Thanks for the ideas, somanyholes. I do think I'll be lucky for an all-in-one device the further I look. I can probably convince the necessary people that more units are a requirement though, as I'm basically given free rein on the technical equipment, "just make sure it works well".

I was actually tinkering around with pfSense a little while ago in a VM. It seemed quite nice from what I saw of it. Do you know if it is required to be on physical hardware to get any reasonable performance out of it? We're only a 100Mbit backbone here so we don't need gigabit speeds. Also, if you are going to stick a separate modem device in front of it, be it an internal card or external unit, how does one deal with reconnecting the DSL? Is that still the modem's job?

somanyholes

If you like what you have seen with pfSense then go for that one :) In your position I would go for a hardware build and not virtual, and pfSense is probably the best of the bunch. Untangle does provide more features if you want them, but most probably aren't necessary.

Things to read / bear in mind

Hardware
-----------

Minimum requirements:
http://www.pfsense.org/index.php?option=com_content&task=view&id=45&Itemid=48

Hardware sizing guidance:
http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49

Hardware compatibility guide (MUST READ!):
http://www.freebsd.org/releases/7.2R/hardware.html


I don't know much about your network or requirements, but from what I do know I'd say get a box with the following:
1 GHz or higher processor
1 GB RAM (more won't hurt though)

As far as what box to get, do you have any lying around in a reasonable condition? pfSense will run on most hardware; the main thing to check is that the network cards you'll be using are supported, so check the link above. The reason I have said use 1 GB or more of RAM is that you may find you wish to use Snort and other services, so better to have more than needed. Especially if your network is public facing and people/code are trying to abuse it, Snort etc. will come in handy. You also don't necessarily know how much bigger your network is likely to grow, so better to plan in advance.

DESIGN
-----------

How many network interfaces do you think you will need? If you are having issues with attacks it would be wise to segment your network, which will increase your security by a long way if done correctly. You can then have a small unmanaged switch hanging off each interface; Netgear switches would suffice for this, something like one of these on each interface you require, excluding the outside interface of course: http://www.ebuyer.com/product/35437. You could of course get a managed switch and set up VLANs, but reading between the lines this probably isn't needed and will push your costs up a fair whack.

e.g.

1 - Outside (internet facing)
2 - Webservers        192.168.1.0/24
3 - Database servers  192.168.2.0/24
4 - Internal network  192.168.3.0/24
5 - Guest access      192.168.4.0/24

MODEM
-----------

Again, make sure to look at the compatibility guide. The best thing to do is decide on/research a specific model. As far as config goes, set up your WAN username and password etc. on the PPPoE/WAN interface of the pfSense firewall; the modem should just pass this request through to the pfSense box. I would probably go for an external modem, but that's just personal preference.

ROUNDUP
-----------

There are probably many more things to think about but hopefully this gets you started. pfSense has a good support section on their site and I'll happily assist if needed, though I can't guarantee an immediate response. This may all seem like a lot of effort but in the long run it does have rewards. Having the capability of seeing and controlling your network to a higher degree does pay off :)
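
The segmentation plan in the post above is only as good as the rules between the segments, and pf (the packet filter underneath pfSense) has two evaluation properties that catch newcomers: the last matching rule wins, unless a matching rule is marked `quick`, which ends evaluation immediately. The following is an added example, not pfSense configuration from the thread: it models a default-deny policy for the four subnets the post lists and evaluates sample flows under those semantics. The four subnets are the post's; the permitted flows (80/443 into the web segment, 5432 from web to db, staff everywhere except guest, guest to the internet only) are assumptions chosen to illustrate the policy.

```python
"""pf-style evaluation of the five-interface segmentation design.

Added example, not pfSense configuration from the thread. Subnets are the
post's; the allowed flows between them are illustrative assumptions. The
evaluator reproduces pf's core semantics: rules are scanned top to bottom,
the LAST matching rule decides, unless a matching rule is 'quick', which
stops the scan at once.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

SEGMENTS = {
    "any": ipaddress.ip_network("0.0.0.0/0"),
    "web": ipaddress.ip_network("192.168.1.0/24"),
    "db": ipaddress.ip_network("192.168.2.0/24"),
    "internal": ipaddress.ip_network("192.168.3.0/24"),
    "guest": ipaddress.ip_network("192.168.4.0/24"),
}


def seg(name: str) -> str:
    return "any" if name == "any" else str(SEGMENTS[name])


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    src: str                    # segment name (key of SEGMENTS)
    dst: str
    proto: str = "any"          # "tcp", "udp" or "any"
    port: Optional[int] = None  # destination port; None = any
    quick: bool = False         # pf 'quick': this match decides, stop scanning

    def matches(self, src, dst, proto: str, port: int) -> bool:
        return (src in SEGMENTS[self.src] and dst in SEGMENTS[self.dst]
                and (self.proto == "any" or self.proto == proto)
                and (self.port is None or self.port == port))

    def to_pf(self) -> str:
        """Simplified pf.conf rendering (interface and direction omitted)."""
        parts = [self.action]
        if self.quick:
            parts.append("quick")
        if self.proto != "any":
            parts += ["proto", self.proto]
        parts += ["from", seg(self.src), "to", seg(self.dst)]
        if self.port is not None:
            parts += ["port", str(self.port)]
        return " ".join(parts)


# Assumed policy for the post's segments. Order matters under last-match.
POLICY: List[Rule] = [
    Rule("block", "any", "any"),                        # 0 default deny
    Rule("pass", "any", "web", "tcp", 80, quick=True),  # 1 public web, decided here
    Rule("pass", "any", "web", "tcp", 443, quick=True), # 2
    Rule("pass", "web", "db", "tcp", 5432),             # 3 only the web tier reaches the db
    Rule("pass", "internal", "any"),                    # 4 staff reach everything...
    Rule("block", "internal", "guest"),                 # 5 ...except guest (later rule wins)
    Rule("pass", "guest", "any"),                       # 6 guest gets the internet...
    Rule("block", "guest", "web"),                      # 7 ...but no inside segment
    Rule("block", "guest", "db"),                       # 8
    Rule("block", "guest", "internal"),                 # 9
]


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int,
             policy: List[Rule] = POLICY) -> Tuple[str, int]:
    """Return (decision, index of the deciding rule) under pf semantics."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    decision, winner = "block", -1           # nothing matched: drop
    for i, rule in enumerate(policy):
        if not rule.matches(src, dst, proto, port):
            continue
        decision, winner = rule.action, i    # later match overrides earlier
        if rule.quick:
            break                            # quick: first match is final
    return decision, winner


if __name__ == "__main__":
    for r in POLICY:
        print(r.to_pf())
    for flow in [("192.168.4.10", "192.168.1.5", "tcp", 80),    # guest -> web:80
                 ("192.168.4.10", "192.168.1.5", "tcp", 22),    # guest -> web:22
                 ("192.168.3.10", "192.168.4.5", "tcp", 445),   # staff -> guest
                 ("192.168.2.5", "192.168.1.5", "tcp", 5432)]:  # db -> web
        print(flow, "->", evaluate(*flow))
```

Note what the ordering buys: rule 4 lets staff reach everything, and rule 5 afterwards carves out the guest segment because the later match wins; conversely the public web ports are `quick` so a guest client reaching the web server on 80 is passed before the later guest-to-web block is ever considered. In real pfSense each rule is bound to an interface and direction (`pass in on $web_if ...`) and the GUI adds `quick` by default, so the "last match wins" behaviour above applies only to rules written by hand in pf.conf without it; the point of the model is to make that difference visible before it bites.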

esh

This is all very useful information, thank you very much!

I have had a little experience with FreeBSD as I set it up on my Dell laptop once for some rather fussy bit of software. Also most of the network cards we have are Intel (e100/e1000) as they are very good in general. I've had one switch that didn't work properly with e1000s once, but that was it. There is the possibility of repurposing a 1.8GHz dual AMD for a pfSense box. The only completely unused ones are a 700 MHz P3 and a 450 MHz Celeron (woo!). I'd rather use the 8-CPU Xeon box for something other than routing packets too :)

The difficulty with buying new routers in general is finding out if it will really do what you want, at least that's what I feel. The consumer level ones rarely advertise stuff like QoS support and so on but *might* have it, so I often go for pricier units since I generally assume they will have it. With pfSense and the like you know what you're getting, though of course it would be highly unlikely for the £300 Cisco unit to lack something!

Is there a specific reason you recommended the Cisco ASA5000 unit over say one of the 800 series routers with an extra switch if needs be? I'm just double checking my options, as going the pfSense route with a server would likely mean we'd want a standby as well.

Again, thanks for all this. It's a slightly awkward niche to say the least.

somanyholes

> The only completely unused ones are a 700 MHz P3

You could use the 700 MHz box and I'm sure it will run with no issues; it really depends on how many services you are going to be running on it and how much larger your network is likely to grow. You could just build it, enable everything you think you are likely to end up using and do some load testing.

> I'd rather use the 8-CPU Xeon box for something other than routing packets too
I'd have to agree there :)

> Is there a specific reason you recommended the Cisco ASA5000 unit over say one of the 800 series routers with an extra switch if needs be? I'm just double checking my options, as going the pfSense route with a server would likely mean we'd want a standby as well.

The 800 series devices will only provide you with a WAN, LAN and possibly a wireless interface; as far as I'm aware you can't have access lists on the switch ports, so if you do this you won't be able to separate your internal/database/webservers. You really don't want to have front-end facing stuff on the same interface as your internal network. You could get one of these and then stick in a pfSense box as well; you would need to double NAT things, but that won't cause a problem.

I should also say that the ASA I linked to, http://www.hardware.com/store/Cisco/ASA5505-50-BUN-K9, only has one additional port, so either webserver and database exist on the same interface or the database servers exist on the inside interface with the rest of the LAN. It would probably be best, if going down this route, to just have the webservers on the DMZ and the database servers on the inside.

So far it seems like the best way forward is probably this terribly done attached image, see what you think


[attachment deleted by admin]

somanyholes

Just thought I would add this as you advised your systems were being attacked. Many, many good webapp security resources:

http://www.owasp.org/index.php/Phoenix/Tools

esh

Thank you again for all your hard work somanyholes. I think I have a good idea of which direction to take things in now, so I'll set things in motion over the coming week.

Regarding the attacks I mentioned, the typical ones are the weekly (same time every week) SSH brute-force attempts, but the last surprise was a massive jump on the VNC servers instead. The SSH ones are easy enough to fix software-wise using some simple rules, but the VNC apps on the Windows servers don't offer that kind of job out of the box, sadly. I've locked them off for the time being anyway.

Cheers!
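
The "simple rules" that deal with SSH brute forcing come down to one loop: count failed logins per source address inside a trailing time window and block the address once it crosses a threshold. The following is an added example of that loop, not code from the thread. It parses sshd lines in the syslog style of the period (no year in the timestamp, so one is assumed), so a genuine user who mistypes a password twice an hour is never banned, while a scripted attacker is caught within seconds. The log lines are constructed for the example, the threshold and window are illustrative, and the `pfctl` table name is an assumption; the same loop can be fed any "failed login from IP" event, which is exactly what the Windows VNC servers lack out of the box.

```python
"""Sliding-window brute-force detector over sshd auth log lines.

Added example, not code from the thread. SAMPLE_LOG is constructed; the
year is assumed because classic syslog timestamps omit it. The threshold,
window and the pf table name 'bruteforce' are illustrative assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Tuple

FAILED = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_failed(line: str, year: int = 2009) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, source ip, username) for a failed login, else None."""
    m = FAILED.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]


def detect(lines: Iterable[str], threshold: int = 5,
           window_minutes: int = 10) -> Dict[str, Tuple[datetime, List[str]]]:
    """Return {ip: (time the threshold was crossed, usernames tried)}.

    Per source IP only the failures inside the trailing window are kept, so
    slow, spread-out mistakes never accumulate while a scripted run trips the
    threshold almost at once. The flip side: an attacker pacing attempts
    slower than threshold/window stays under the radar (see the second
    sample address below), which is why the window is a tuning knob.
    """
    window = timedelta(minutes=window_minutes)
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    users: Dict[str, List[str]] = defaultdict(list)
    offenders: Dict[str, Tuple[datetime, List[str]]] = {}
    for line in lines:
        parsed = parse_failed(line)
        if parsed is None:
            continue                       # accepted logins and other noise
        ts, ip, user = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:    # expire failures older than the window
            q.popleft()
        if user not in users[ip]:
            users[ip].append(user)
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = (ts, list(users[ip]))
    return offenders


def block_commands(offenders: Dict[str, Tuple[datetime, List[str]]],
                   table: str = "bruteforce") -> List[str]:
    """Render pfctl commands adding each offender to a pf table (assumed name)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(offenders)]


# Constructed sample: one scripted run, one legitimate user fumbling a
# password, and one slow attacker trying once every 30 minutes.
SAMPLE_LOG = """\
Dec 25 02:13:01 srv1 sshd[4021]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Dec 25 02:13:03 srv1 sshd[4023]: Failed password for invalid user oracle from 198.51.100.23 port 51030 ssh2
Dec 25 02:13:05 srv1 sshd[4025]: Failed password for root from 198.51.100.23 port 51041 ssh2
Dec 25 02:13:06 srv1 sshd[4027]: Failed password for root from 198.51.100.23 port 51055 ssh2
Dec 25 02:13:08 srv1 sshd[4029]: Failed password for invalid user test from 198.51.100.23 port 51060 ssh2
Dec 25 02:13:09 srv1 sshd[4031]: Failed password for root from 198.51.100.23 port 51072 ssh2
Dec 25 02:30:12 srv1 sshd[4100]: Accepted publickey for esh from 192.168.3.10 port 40122 ssh2
Dec 25 03:02:44 srv1 sshd[4210]: Failed password for esh from 192.168.3.10 port 40150 ssh2
Dec 25 03:02:51 srv1 sshd[4210]: Failed password for esh from 192.168.3.10 port 40150 ssh2
Dec 25 03:02:58 srv1 sshd[4210]: Accepted password for esh from 192.168.3.10 port 40150 ssh2
Dec 25 04:00:00 srv1 sshd[4300]: Failed password for invalid user guest from 203.0.113.77 port 60001 ssh2
Dec 25 04:30:00 srv1 sshd[4301]: Failed password for invalid user guest from 203.0.113.77 port 60002 ssh2
Dec 25 05:00:00 srv1 sshd[4302]: Failed password for invalid user guest from 203.0.113.77 port 60003 ssh2
Dec 25 05:30:00 srv1 sshd[4303]: Failed password for invalid user guest from 203.0.113.77 port 60004 ssh2
Dec 25 06:00:00 srv1 sshd[4304]: Failed password for invalid user guest from 203.0.113.77 port 60005 ssh2
"""

if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for ip, (when, names) in found.items():
        print(f"{ip} crossed threshold at {when:%H:%M:%S}, tried {names}")
    print("\n".join(block_commands(found)))
```

With the defaults only 198.51.100.23 is flagged, at its fifth failure; the slow address 203.0.113.77 never has five failures inside ten minutes and would need a window of a few hours to be caught, at the cost of more false positives on shared NATs. Whatever does the counting, the block should be applied at the firewall in front of the servers rather than on each host, which is another argument for the segmented pfSense design.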

somanyholes

> but the VNC apps on the Windows servers don't offer that kind of job out of the box

Only allow VNC to be tunnelled through SSH from the WAN?