[CentOS] [OT] Corporate Firewall

Lamar Owen lowen at pari.edu
Fri Nov 11 15:05:58 UTC 2005


On Thursday 10 November 2005 07:06, Bryan J. Smith wrote:
> "T. V. Sivaraman" <tvsraman at ngri.res.in> wrote:
> > You can try IPCOP or SmoothWall, free downloads, these are
> > pretty good also.

> Last time I checked, IPCop prefers private IPs.  I could be
> wrong though.  And it can be solved with 1:1 NAT and or
> SNAT/DNAT public IP pooling options (which might actually be
> better than using "raw" public IPs).

The commercial SmoothWall is what I use, but I use NAT here (32 outside IPs, 
three class C 1918's inside).  The commercial SmoothWall is not cheap, but 
does seamless L2TP/IPsec VPN with Windows boxes (that is, a Windows XP SP2 
user simply sets up a 'Dialup Networking' VPN and configures it for L2TP 
optional encryption (note: L2TP has three layers of encryption capability; 
this option does not shut off the IPsec encryption, just the L2TP 
encryption), along with some other non-default options).  The SmoothWall 
SmoothTunnel distribution includes a GUI for installing the crypto 
certificates in the right place on the Windows side, and the SmoothWall Web 
GUI does all the Certification Authority work for you.  There is no 
additional client software to install for Windows 2000 and XP clients, and a 
free Microsoft L2TP client for other Windows.  It also supports raw IPsec 
tunnels for both point-to-point and IPsec road warriors (like Linux users).

The reason the DUN wizard is used is because, to the Windows box, the L2TP VPN 
_is_ a point-to-point dialup connection; it's PPP over L2TP over IPsec.

As a general purpose router it's probably not the best solution, but I have 
found it has met our needs.  But, again, I'm using NAT; I have not tried 
configuring it without NAT.

I do have the SmoothHost, SmoothTraffic, and SmoothRule modules in addition to 
the SmoothTunnel module, which give it more of a 'real' router feel, including 
blocking outbound traffic by port, time of day, etc., as well as bandwidth 
throttling.

But due to my network core redesign it's going to get replaced with a much 
smaller box, a Cisco 7401ASR running IOS 12.4.4T.  In one rack unit I get 
everything I need, including the VPN endpoint.  What I get with the 7401ASR 
that I can't get with SmoothWall is HSRP on the LAN interfaces; I'm building 
a new core network using Cisco 8540CSRs in full redundant mode with meshed 
Gigabit EtherChannels; the SmoothWall box can't do HSRP for one, and couldn't 
handle multiple inside interfaces anyway, and thus becomes a single point of 
failure.  And SmoothWall doesn't do either OSPF or EIGRP...

(In case you're wondering, the Cisco gear was all donated, otherwise there 
would not be an upgrade.)
-- 
Lamar Owen
Director of Information Technology
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC  28772
(828)862-5554
www.pari.edu