Basic firewall, switch, & router device? [closed]

I am a developer and haven't dealt with server admin or networking in years, so "rusty" is very generous. I am setting up a new web server cluster (starting with two 1U web servers and one DB server). As I haven't done this in a few years, I don't really know what options are available today.

I would like all in one device:

  • Small, basic gbit switch
  • Small, basic firewall
  • Small, basic router/DHCP/gateway
  • Small, basic VPN access
  • Fits in a 1U space

Something simple with a minimal web interface I can set up and then forget about - 2 steps above a home router device, I suppose.

Edit: the initial reaction from sysadmins is often "no way" because to them, devices that do all this are usually crap. Please realize for my purposes, that's currently OK. My setup (and budget) are just not big enough to justify dedicated equipment that does this stuff really well. I just need something that does this stuff at all.

Recommendations?


Solution 1:

Here's what I'd recommend:

  1. Stay away from Linksys consumer routers (even putting DD-WRT on them, etc.) at all costs for any server scenario; they get flaky under load and in more advanced scenarios (VPN, etc.), and I have a little pile of dead/bricked ones. They were made for home use and you should keep it that way.
  2. Separate the switch from the firewall/gateway. A consumer/prosumer gigabit switch would probably be fine for this (i.e. a Netgear 5-port). In the setup you're asking for, simple and efficient is better - putting your servers together on a simple fast Layer 2 switch gives you a solid and simple backbone, and some firewalls or all-in-ones will add additional overhead to their built-in switchports and/or Layer 3 functionality that you don't need here.
  3. For the firewall / DHCP / gateway / VPN - Some of the Cisco all-in-ones are great, but may have more functionality and enterprisey-ness than you're looking for. Check out a Juniper SSG-5. These used to be Netscreen NS5-GT until Juniper bought Netscreen. I think the SSG-5s are about $600 apiece new, and if you wanted you could find an eBay Netscreen NS5-GT for under $200 now; make sure you find the "Unlimited User" version.
  4. VPN - Juniper/Netscreen will do VPN, but you need the Netscreen client software. Alternatively, you could just set up Routing and Remote Access on a Windows server for a simple PPTP VPN to use without any client software. If you wanted to go even more "just make it work", use Hamachi from LogMeIn, works great.
  5. On Windows Network Load Balancing - This works OK but in some cases does NOT play nicely with Cisco Layer 3 routing (as it relies on doing some magic tricks with ARP caching to 'share' an IPv4 address across servers, and Cisco devices view this as an evil force that must be stopped). So if you go the Cisco route, make sure you configure the Cisco device correctly for this (there are a bunch of articles on it).

With a Juniper/Netscreen + 5-port gigabit switch you should be able to fit both in 1U and you'll have a simple, fast, and reliable infrastructure that can do some pretty advanced stuff if you ever need it.

Hope that helps!

P.S./edit: - A couple of people recommended Vyatta, Linux, etc. Those are not bad solutions (also, the Untangle.com offering looks like it has potential), and I have used them and love them for office endpoint routers... but I did not recommend this type of solution because this is an application hosting scenario; in principle, the idea behind modular software running on generic hardware is to squeeze all of the normally 'expensive' features you can into the most cost-effective and lowest-common-denominator hardware. I think this is fine for the user endpoint (home, office, branch office VPN, etc.), but even for small/basic hosting scenarios I think the 'datacenter' side warrants specifically designed hardware coupled with specifically designed firmware.

Solution 2:

Go take a peek at Vyatta. They have a pretty comprehensive product that uses the Linux kernel, offering such things as VPN, router, NAT, DNS forwarding, DHCP server, and more... www.vyatta.com, or www.vyatta.org for the community versions. You can run it on their appliance, your own hardware, or as a VM. Their model 514 device is full-featured with RIPv2, OSPF, and BGP, OpenVPN, IPSEC VPN, etc. for < $800.00.

This link is pretty impressive: http://www.vyatta.com/products/product_comparison.php

Solution 3:

Linksys has some decent routers which are above a home router, but below a full on kick a** router. Something like the WRV54G. It's small, supports IPSec VPN, is a router, DHCP, etc. Only part it doesn't fit is that it's 100 Meg. But to overload 100 Meg you'll have to push a lot of traffic.

This won't handle load balancing (which wasn't in your requirement list, but with two web servers I assume that's needed, so you'll need to find something to handle that).

Solution 4:

I see two ways:

  1. Buy a Cisco router. It can do everything above and does it very well, but costs $$.
  2. Do it yourself. Buy a 1U server, put in NICs and set up BSD/Linux. It can do everything above + much more (e.g. load balancing).

PS. Do you really need all-in-one? Maybe separating the router and switch is acceptable?

PPS. Added to favorites in case you find cheap 'n cool hardware.
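For the do-it-yourself option in Solution 4 (a 1U Linux box with two NICs acting as firewall, gateway and VPN endpoint), this added example shows what the "set up and forget" part looks like as a default-deny nftables ruleset plus the forwarding sysctls. It is not from the original thread or any answerer; the interface names, the server LAN subnet, the published web VIP and the OpenVPN UDP port are assumed placeholders passed in as arguments.

```shell
#!/bin/sh
# Added example (not from the thread): render and apply a minimal default-deny
# router/firewall ruleset for a two-NIC Linux gateway in front of a small web cluster.
# Arguments: WAN interface, LAN interface, LAN subnet, VPN UDP port, web VIP (all assumed).

render_ruleset() {
    wan="$1"; lan="$2"; lan_net="$3"; vpn_port="$4"; web_vip="$5"
    cat <<EOF
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # management (SSH) and DHCP only from the server LAN side
        iif "$lan" tcp dport 22 accept
        iif "$lan" udp dport 67 accept
        # remote VPN access (OpenVPN on UDP $vpn_port) is the only WAN-facing service on the box
        iif "$wan" udp dport $vpn_port accept
        # rate-limited ping so reachability checks still work
        icmp type echo-request limit rate 10/second accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # servers on the LAN may initiate outbound connections
        iif "$lan" oif "$wan" accept
        # only the published web ports are forwarded in (seen post-DNAT)
        iif "$wan" oif "$lan" tcp dport { 80, 443 } accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # publish the web cluster's internal VIP on the WAN address
        iif "$wan" tcp dport { 80, 443 } dnat to $web_vip
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oif "$wan" ip saddr $lan_net masquerade
    }
}
EOF
}

# Kernel settings that turn the host into a router without relaying ICMP redirects.
render_sysctl() {
    printf 'net.ipv4.ip_forward = 1\n'
    printf 'net.ipv4.conf.all.rp_filter = 1\n'
    printf 'net.ipv4.conf.all.accept_redirects = 0\n'
    printf 'net.ipv4.conf.all.send_redirects = 0\n'
}

# Syntax-check the rendered ruleset with nft -c, then load it atomically. Needs root and nft.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    render_ruleset "$@" > "$tmp"
    nft -c -f "$tmp" && nft -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Example invocation: ./router.sh apply   (interface names and addresses are placeholders)
case "${1:-}" in
    apply)
        render_sysctl > /etc/sysctl.d/90-router.conf && sysctl -q --system
        apply_ruleset eth0 eth1 192.168.10.0/24 1194 192.168.10.10
        ;;
esac
```

Keeping the input chain at `policy drop` with only the VPN port exposed on the WAN side is what gives this box the "basic firewall + VPN access" role from the question: management and DHCP stay on the server LAN, and the forward chain publishes nothing but the web ports to the cluster VIP.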