Re: Firewall and VPN considerations
- From: Cristian KLEIN <cristi@xxxxxxxxxxxxx>
- Date: Sat, 22 Sep 2007 22:28:16 +0300
Christer Hermansson wrote:
> Hello
> I am planning on setting up a FreeBSD firewall that will be used to
> protect a LAN.
> The firewall will also act as a VPN gateway for external workstations
> running Windows XP Professional; I will use Microsoft's IPsec software
> included in Windows XP.
> I will also use the firewall's external side to connect with IPsec to
> another LAN which has Cisco VPN equipment.
> The firewall will use IPFW and do NAT for the internal LAN.
> I would like to have some advice/opinions on the following issues:
> - To achieve NAT with IPFW I must use ipdivert, no other methods exist,
> wrong or right?
I personally like to use IPFW with IPNAT or PF. I also heard that starting with
7-CURRENT, IPFW is able to use libalias to do NAT in kernel-space.
> - In this thread
> http://lists.freebsd.org/pipermail/freebsd-net/2007-September/015290.html
> they say quad-core does not raise the performance compared to dual-core
> when building a router. I will have more than packet forwarding and
> userland processes, e.g. NAT and IPsec, so I think more cores will help.
> Should I get a machine with a dual-core CPU or a quad-core CPU, does quad
> help the performance?
> - In this thread
> http://lists.freebsd.org/pipermail/freebsd-net/2006-June/010909.html
> they suggest not to use gif together with IPsec to achieve compatibility
> with Cisco etc., so I'm planning to skip gif, wrong or right? What are
> the benefits of using gif?
> - In this mail
> http://lists.freebsd.org/pipermail/freebsd-doc/2007-June/012632.html
> they suggest gif and FAST_IPSEC. On the man page for FAST_IPSEC(4) I
> find the text "is an experimental implementation"; maybe the man page
> just needs an update, or is FAST_IPSEC not suited for production
> environments?
> In the official FreeBSD handbook
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
> they say not to use FAST_IPSEC, and show the use of gif; however, I think
> this needs to be updated/rewritten. (If I get the time I really feel like
> writing an alternative page about IPsec with FreeBSD, and maybe the
> result gets accepted for inclusion in the handbook.)
--
+-------------------------------------+
| Cristian KLEIN                      |
| Network Engineer                    |
| Communication Center                |
| Technical University of Cluj-Napoca |
+-------------------------------------+
| Tel: +40-264-401247, int. 247       |
| WWW: http://www.cc.utcluj.ro        |
+-------------------------------------+
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"
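A worked ruleset for the gateway Christer describes, added here as an example (it is not code from the thread, nor FreeBSD's own rc.firewall). It shows the two NAT mechanisms under discussion side by side, natd(8) over a divert socket and the 7.x in-kernel nat rule backed by libalias, together with the pass rules the IPsec peers need and where they must sit relative to NAT. The interface names em0/em1 and the LAN and remote prefixes are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal IPFW ruleset for the gateway
# described above (FreeBSD, NAT for the LAN, IPsec peers terminating on the
# external interface).  Interface names and prefixes are assumptions.
#
# $fwcmd follows the /etc/rc.firewall convention; set fwcmd=echo to print
# the rules instead of loading them.
fwcmd=${fwcmd:-"ipfw -q"}
oif=${oif:-em0}                          # external interface (assumed)
iif=${iif:-em1}                          # LAN interface (assumed)
lan=${lan:-192.168.1.0/24}               # LAN behind NAT (assumed prefix)
remote_lan=${remote_lan:-10.10.0.0/16}   # LAN behind the Cisco peer (assumed)

base_rules() {
    $fwcmd -f flush
    $fwcmd add 100 pass ip from any to any via lo0
    $fwcmd add 110 deny ip from any to 127.0.0.0/8
    $fwcmd add 120 deny ip from 127.0.0.0/8 to any
}

# IKE and ESP terminate on the gateway itself: UDP 500 (isakmp), UDP 4500
# (NAT-T, for XP clients sitting behind someone else's NAT) and IP protocol
# 50 (esp).  These sit before the NAT rule so the gateway's own IPsec
# traffic is never handed to libalias/natd.
ipsec_rules() {
    $fwcmd add 500 pass udp from any to me 500,4500 in recv "$oif"
    $fwcmd add 510 pass esp from any to me in recv "$oif"
    $fwcmd add 520 pass udp from me 500,4500 to any out xmit "$oif"
    $fwcmd add 530 pass esp from me to any out xmit "$oif"
    # "ipsec" (unlike "proto esp") matches only packets the kernel has just
    # decapsulated.  On 7.x this rule is consulted only when the kernel is
    # built with IPSEC_FILTERTUNNEL; without it decrypted packets skip ipfw
    # on input.  Add the same rule for the road-warrior address pool.
    $fwcmd add 540 pass ip from "$remote_lan" to "$lan" in ipsec
}

# LAN policy is decided on the inside interface, before translation: with
# the default net.inet.ip.fw.one_pass=1 the nat/divert rule below is
# terminal for every packet it handles, so rules after it are never seen.
lan_rules() {
    $fwcmd add 800 pass ip from "$lan" to any in recv "$iif"
    $fwcmd add 810 pass ip from any to "$lan" out xmit "$iif"
}

# NAT, option A: in-kernel NAT through libalias (FreeBSD 7.x; kernel built
# with options IPFIREWALL_NAT and LIBALIAS, or "kldload ipfw_nat").
# deny_in drops inbound packets with no translation entry instead of
# letting them through untranslated.
nat_inkernel() {
    $fwcmd nat 1 config if "$oif" same_ports reset deny_in
    $fwcmd add 1000 nat 1 ip from any to any via "$oif"
}

# NAT, option B: natd(8) over a divert socket (kernel with options IPDIVERT;
# rc.conf: natd_enable="YES" natd_interface="em0" natd_flags="-deny_incoming").
nat_natd() {
    $fwcmd add 1000 divert natd ip from any to any via "$oif"
}

final_rules() {
    $fwcmd add 65000 deny log ip from any to any
}

# "sh ipfw-vpn.sh inkernel" or "sh ipfw-vpn.sh natd" loads the rules; with
# no argument the file only defines the functions (for sourcing or dry runs).
case "${1:-}" in
    inkernel) base_rules; ipsec_rules; lan_rules; nat_inkernel; final_rules ;;
    natd)     base_rules; ipsec_rules; lan_rules; nat_natd;     final_rules ;;
    "") ;;
    *) echo "usage: $0 inkernel|natd" >&2; exit 64 ;;
esac
```

Running it with fwcmd=echo prints the ruleset for review before anything is loaded. The ordering is the point: the gateway's own IKE/ESP and the LAN-side policy are matched before the nat or divert rule, because with one_pass=1 that rule accepts everything it translates and nothing after it is evaluated for those packets.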