Which hardware for an enterprise router/firewall/content filter/proxy on a single server [closed]

I have to set up a "secure" network for my boss. For now, I have an ADSL router linked to a switch. All users are connected to this switch. Security is obviously bad. I want to put a server between the ADSL router and the switch. This server will, I think, be a bridge. But it has to be a firewall, a proxy and a web content filter. There are about 20 users (who use the Internet a lot for surfing, not downloading).

What kind of hardware should I use for the server? Of course, I need two NICs.

  • How much RAM would be enough?
  • Is the bridge solution a good one in terms of performance? (perhaps NAT, or static route ...)
  • Should I use Debian or NetBSD? I read that NetBSD is good for that kind of job
  • Should the server be the router for the LAN, or should I keep the ADSL router?

Thank you for your answers.

PS: Sorry for my poor English


I have exactly the same problem as you, but for a slightly bigger network.

I would suggest you use pfSense, which is based on BSD and is configured via an extremely powerful yet simple and clear web interface. It is firewalling a zone of 70 servers on a Celeron 3 GHz processor with 2 GB of RAM (largely unused).

Configuring it as a transparent bridge was the most efficient setup, as it meant modifying practically nothing in the actual architecture.

I therefore suggest you either get one nice Dell server (low-end will be more than enough) for the reliability of the hardware components and install pfSense on it, or reuse two older servers running pfSense with redundancy (CARP), which is really simple to configure.


I would suggest something similar to Antoine: get a nice low-end Dell server. 2-4 GB of RAM should be more than plenty. Install Shorewall as a 2-interface bridge on Debian (my server OS of choice) for the firewall. Install Squid and SquidGuard as your proxy and blacklist (they can block ads as well, which users like!).

Shorewall will route the traffic and should be set as your machines' default gateway. I would also recommend installing Apache on it and serving your proxy details via a proxy.pac and/or WPAD.dat file if you are a Windows house.
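
The proxy.pac mentioned in the last answer could look like the following. This is an added example, not part of any answer in the thread; the LAN range 192.168.1.0/24 and the Squid address 192.168.1.1:3128 are assumed values to be replaced with your own.

```javascript
// Added example: proxy.pac for a small LAN behind a Squid proxy.
// Assumed values (not from the thread): LAN 192.168.1.0/24 and Squid
// listening on 192.168.1.1:3128 (3128 is Squid's default port).
var PROXY = "PROXY 192.168.1.1:3128";
var LAN_NET = "192.168.1.0";
var LAN_MASK = "255.255.255.0";

// Convert a dotted-quad string to an unsigned 32-bit number, or null.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// True when host is an IPv4 literal inside net/mask. Hostnames return
// false, so the PAC file never triggers a DNS lookup per request.
function literalInNet(host, net, mask) {
  var h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

// Entry point called by the browser for every request.
function FindProxyForURL(url, host) {
  // Single-label names ("intranet") and LAN addresses stay local.
  // IPv6 literals contain ":" and are deliberately not treated as local.
  var singleLabel = /^[^.:]+$/.test(host);
  if (singleLabel || literalInNet(host, LAN_NET, LAN_MASK)) {
    return "DIRECT";
  }
  // No "; DIRECT" fallback: if Squid is down, browsing fails instead of
  // silently bypassing the SquidGuard filter.
  return PROXY;
}
```

When serving this file from Apache, send it with the MIME type `application/x-ns-proxy-autoconfig` so browsers accept it as a PAC script.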