Hardware

8-Port Router/Firewall For 100Mb WAN?

One reader from the Anonymous Coward Horde asks: "I'm looking for a cheap router/firewall to put between my private LAN and DMZ. I already have a Netopia R7100 (DSL modem + router/firewall + 8 port 10Mb hub) so I've been looking at the Netopia R9100 (router/firewall + 8 port 10Mb hub). The issue is that the port on the WAN side of the R9100 is 10Mb though I'll have a 100Mb hub connected to the LAN side via the uplink. This means that communication between my LAN hosts and DMZ hosts will be 10Mb rather than 100Mb. All the products I've found "suffer" from this limitation (okay, in the $200 - $500 bracket, I did find one for ~$2k). I don't want to start building a Linux box for a router! Any pointers?"
  • I just had to add to the conversation.... DSL with SonicWall and Linux router with Cable Modem both connected to a 100Mbps switched network. I am working on setting up some load balancing between the two connections, but for now all WWW traffic uses Squid proxy via the cable modem. All other traffic uses the DSL. If the cable goes down I just change the default route on the squid box. Pain in the ass, but it works. Anyone have any suggestions for load balancing the two connections with linux? Are there any packages already out there? jas
  • I'd like to hear why you need 100Mb from the internal network to the DMZ... Presumably the DMZ has 1.5Mb or so at most. So whatever service you have which is transferring data between the inside network and the DMZ, but not the DMZ and the internet, maybe you should consider putting that computer inside the network (and possibly/probably proxying to a different computer in the DMZ). This will not only solve your problem, it will probably be much more secure.
  • I was using (HA! Trying to use...) an r7100-c sdsl router for a PPTP VPN w/ MPPE-2 encryption and poptop on the linux side. It was the most unstable piece of trash that I've ever seen. And its NAT policies suck, too.

    So now I use the r7100 for its primary purpose only - routing between the frame relay dsl link and the 10mb ethernet lan. On the internal side of the r7100 I have a p120 w/ 48 megs of ram, two 10/100 nics, and two modems (one to dial out if the internet explodes, and the other to let me dial in and fix things). I use vtun w/ ssl to create the vpn between the two offices and you know what? I haven't touched it for two weeks.

    It's a helluva lot cheaper than anything you can buy from netopia (1 case/power supply, board, chip, ram, 520mb hd, floppy (optional), 2 nics, modems optional... very cheap) and it works beautifully.

    Off topic? Depends on the scope!
  • I'm in the SOHO router business myself, so a lot of what I've been doing lately is keeping tabs on the competition. One of the best centralized information sources on this type of product is at practicallynetworked.com [practicallynetworked.com], with lots of reviews, summaries of features, troubleshooting, etc.

    So far there are no products with a 100 Mbps link to the WAN, but as others have pointed out, the 'net will have to get a whole lot faster before it will make any difference to your access speed.

  • by Halvard ( 102061 ) on Sunday October 01, 2000 @03:48AM (#741959)

    Let me first issue a caveat. Cheap is in the eye of the beholder.

    That said, I think the solution is here. Find any old, preferably Pentium-based, box with at least 2 PCI slots, and some Trendnet 4 port 10/100 hub pci card kits w/ a single port 10/100 card and a 15 cable [egghead.com] ($79 incl. shipping) and there you have it. Bridge the 2 hub cards and use whatever other nics you want and have room for. Use the Linux Router Project [linuxrouter.org] Eiger [plain.co.nz]-based version. Here's a link [steinkuehler.net] to an image w/ DNS caching, dhcpd, dhcpcd (if you need it), some web based reporting. This guy [steinkuehler.net] already did the hard part for you. Just add the rtl8139 module to it and follow the directions to run it headless (easy to do). Yes, tulip based cards have less latency but these work well.

    Your total investment should be under $300 for a 16 MB firewall, with 8 port hub, fast ethernet on the DMZ and WAN side, etc. Pick a system like a decent clone or the Dell Optiplex that doesn't need keyboard, mouse and monitor hooked up. I'm using a similar configuration for building infrastructure in office buildings. And it works well.

  • by BitMan ( 15055 ) on Saturday September 30, 2000 @08:47PM (#741960)

    I just checked the Linksys BEFSR81 [linksys.com] and it is in the same boat, 10Mbps on the WAN side. And I don't really call those NAT devices "firewalls". I think "firewall" gets overused like "3-D accelerator". So if you are talking a 100Mbps connection, why not get a real firewall? Or at least add a little protection with a DMZ port on the firewall.

    On the cheap, you could build a headless Linux or OpenBSD box with three (3) 100Mbps NICs for under $500. I've had great success with Linux IPChains for all kinds of configurations (e.g., setting up a "test" server internally and properly routing it for internal systems so it appeared on a public IP), etc... I'm starting to get into OpenBSD (the various BIND 8 hacks make me think that Theo knows what he is talking about when it comes to OpenBSD sticking with BIND 4 ;-).

    Otherwise, the SonicWall PRO [sonicwall.com] is an excellent box that can be found for under $2,500. It features 100Mbps for WAN, DMZ and LAN. Excellent boxes for the price, good feature set (although the logging could be improved a bit, but everything else is great). Personally used these solutions as well (and identified a few trojans that people had accidentally downloaded and installed on their PC with IE/Outlook). I even had an external server on its DMZ port get hacked (c/o a known BIND 8 exploit that I failed to patch), but the internal systems on the LAN port were left untouched.

    BTW, I just came up with a good analogy yesterday on a LUG list regarding firewalls:

    • Open Door = Nothing
      So passers-by can see in.
    • Closed Door = Private Network Router
      So passers-by can't see in, but they can still get in. And you can easily get out.
    • Closed Door w/doorknob lock = Basic firewalls, non-ICSA certified "black box"
      A bit of difficulty to get in. You can still easily get out.
    • Closed Door w/doorknob & deadbolt lock = SonicWall, ICSA-certified "black boxes"
      Much more difficult to get in. Blocks some things from getting out (and you can add limitations too).
    • Closed Door w/doorknob & dual-keyed deadbolt lock = Linux, OpenBSD and complete custom firewalls
      Hard to get in when properly configured. Doesn't allow poorly designed protocols to get out by default.
      Problem: Like a dual-keyed deadbolt lock, sometimes you leave it unlocked because it is a pain to deal with (or leave the key in the inside lock).

    -- Bryan "TheBS" Smith
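The three-NIC (WAN/DMZ/LAN) headless Linux box BitMan describes, and the egress-blocking behaviour his last analogy rung attributes to it, can be written down as a rule set. The script below is an added example, not BitMan's own configuration or anything from the thread. It uses iptables (the successor to the ipchains he mentions) and assumes interface names eth0/eth1/eth2, the 192.168.1.0/24 and 192.168.2.0/24 subnets, and a single published DMZ web server; all of those are illustrative values. The rules are only printed unless `--apply` is given, so the policy can be inspected and checked before it touches a live box.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread): three-zone packet filter for a
# headless Linux firewall with separate WAN, DMZ and LAN interfaces.
# iptables replaces the ipchains mentioned in the comment; interface names,
# subnets and the published DMZ service are assumed values for illustration.

WAN_IF="${WAN_IF:-eth0}"               # assumed: towards the DSL/cable router
DMZ_IF="${DMZ_IF:-eth1}"               # assumed: public-facing hosts
LAN_IF="${LAN_IF:-eth2}"               # assumed: private workstations
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed private LAN range
DMZ_NET="${DMZ_NET:-192.168.2.0/24}"   # assumed DMZ range
DMZ_WEB="${DMZ_WEB:-192.168.2.10}"     # assumed DMZ web server address

# gen_rules prints the iptables commands to stdout; nothing is applied here.
gen_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -t nat -F
# default deny in every direction, including traffic leaving the networks
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# the firewall itself: loopback, and administration only from the LAN side
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# drop packets arriving from the WAN that claim an internal source address
iptables -A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
iptables -A FORWARD -i $WAN_IF -s $DMZ_NET -j DROP
# replies to sessions the rules below permitted
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN -> DMZ: only the services the LAN actually needs (web, ssh)
iptables -A FORWARD -i $LAN_IF -o $DMZ_IF -d $DMZ_NET -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $DMZ_IF -d $DMZ_NET -p tcp --dport 22 -j ACCEPT
# LAN -> WAN: web and DNS; anything else is blocked by the default policy
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p udp --dport 53 -j ACCEPT
# WAN -> DMZ: only the published web server, reached via DNAT
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $DMZ_WEB
iptables -A FORWARD -i $WAN_IF -o $DMZ_IF -d $DMZ_WEB -p tcp --dport 80 -j ACCEPT
# DMZ -> WAN: DNS and HTTP out (updates); a compromised DMZ host gets nothing else
iptables -A FORWARD -i $DMZ_IF -o $WAN_IF -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $DMZ_IF -o $WAN_IF -p tcp --dport 80 -j ACCEPT
# DMZ -> LAN: never; logged so a hacked DMZ box probing inward shows up
iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -j LOG --log-prefix "DMZ->LAN "
iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP
# hide LAN and DMZ behind the single WAN address
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# accept_rules_for <in_if> <out_if>: number of ACCEPT rules for that direction,
# a quick way to review what each zone may initiate before applying the set.
accept_rules_for() {
    gen_rules | grep -c -- "-i $1 -o $2 .*-j ACCEPT" || true
}

case "${1:-}" in
    --apply) gen_rules | sh -e ;;   # run as root on the firewall box
    *)       gen_rules ;;           # dry run: print the policy
esac
```

Reviewing the printed set with `accept_rules_for` shows the shape of the policy at a glance: the LAN may open two kinds of session into the DMZ, the DMZ may open none into the LAN, and everything not listed falls through to the DROP policies.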

  • Do you really need 100 Mbps between your home network and the one or two machines on the DMZ? Do you regularly pass huge files between the two? Or are you just a bandwidth snob who doesn't understand that it really doesn't matter when your connection looks like 100M-->10M-->512k-->internet?

    The cheapest you can find on the market with 100Mbps is going to run you about US$2k, and the most expensive you can get is a Cisco PIX [cisco.com].

    Even a dual 100Mbps NIC linux router will not be able to maintain a high packet rate between the two interfaces, even with a 500 Mhz pentium III powering it. There are just some limitations you will have to accept. Just go for the best priced 10Mbps you can get, and accept the slightly longer transfer times when you make a full dump of your website.

    In my place, I've got an outside network consisting of DSL and cable, with two routers and a pix 515. The outside net is 10BaseT, because the total bandwidth to the internet is only about 4.5 Mbps. My pix has 6 interfaces: in, out, and 4 DMZ each with a fully routable subnet. The inside is 100Mbps, because that is what we run in this house. But to the DMZs and outside, it's all 10Mbps because it doesn't buy us anything to the outside world.

    the AC
