[CentOS] [OT] Corporate Firewall
Lamar Owen
lowen at pari.edu
Fri Nov 11 15:05:58 UTC 2005
On Thursday 10 November 2005 07:06, Bryan J. Smith wrote:
> "T. V. Sivaraman" <tvsraman at ngri.res.in> wrote:
> > You can try IPCOP or SmoothWall, free downloads, these are
> > pretty good also.
> Last time I checked, IPCop prefers private IPs. I could be
> wrong though. And it can be solved with 1:1 NAT and or
> SNAT/DNAT public IP pooling options (which might actually be
> better than using "raw" public IPs).
The commercial SmoothWall is what I use, but I use NAT here (32 outside IPs,
three class C 1918s inside). The commercial SmoothWall is not cheap, but
does seamless L2TP/IPsec VPN with Windows boxes (that is, a Windows XP SP2
user simply sets up a 'Dialup Networking' VPN and configures it for L2TP
optional encryption (note: L2TP has three layers of encryption capability;
this option does not shut off the IPsec encryption, just the L2TP
encryption), along with some other non-default options). The SmoothWall
SmoothTunnel distribution includes a GUI for installing the crypto
certificates in the right place on the Windows side, and the SmoothWall Web
GUI does all the Certification Authority work for you. There is no
additional client software to install for Windows 2000 and XP clients, and a
free Microsoft L2TP client for other Windows. It also supports raw IPsec
tunnels for both point to point and IPsec roadwarriors (like Linux users).
The reason the DUN wizard is used is because, to the Windows box, the L2TP VPN
_is_ a point to point dialup connection; it's PPP over L2TP over IPsec.
As a general purpose router it's probably not the best solution, but I have
found it has met our needs. But, again, I'm using NAT; I have not tried
configuring it without NAT.
I do have the SmoothHost, SmoothTraffic, and SmoothRule modules in addition to
the SmoothTunnel module that gives it more of a 'real' router feel; including
blocking outbound traffic by port, time of day, etc, as well as bandwidth
throttling.
But due to my network core redesign it's going to get replaced with a much
smaller box, a Cisco 7401ASR running IOS 12.4.4T. In one rack unit I get
everything I need, including the VPN endpoint. What I get with the 7401ASR
that I can't get with SmoothWall is HSRP on the LAN interfaces; I'm building
a new core network using Cisco 8540CSR's in full redundant mode with meshed
Gigabit EtherChannels; the SmoothWall box can't do HSRP for one, and couldn't
handle multiple inside interfaces anyway, and thus becomes a single point of
failure. And SmoothWall doesn't do either OSPF or EIGRP...
(In case you're wondering, the Cisco gear was all donated, otherwise there
would not be an upgrade.)
--
Lamar Owen
Director of Information Technology
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
(828)862-5554
www.pari.edu