Slashdot Mirror


8-Port Router/Firewall For 100Mb WAN?

One reader from the Anonymous Coward Horde asks: "I'm looking for a cheap router/firewall to put between my private LAN and DMZ. I already have a Netopia R7100 (DSL modem + router/firewall + 8 port 10Mb hub) so I've been looking at the Netopia R9100 (router/firewall + 8 port 10Mb hub). The issue is that the port on the WAN side of the R9100 is 10Mb though I'll have a 100Mb hub connected to the LAN side via the uplink. This means that communication between my LAN hosts and DMZ hosts will be 10Mb rather than 100Mb. All the products I've found "suffer" from this limitation (okay, in the $200 - $500 bracket, I did find one for ~$2k). I don't want to start building a Linux box for a router! Any pointers?"

2 of 7 comments

  1. Er, for 100Mbps, get a real firewall! by BitMan · Score: 5

    I just checked the Linksys BEFSR81 and it is in the same boat, 10Mbps on the WAN side. And I don't really call those NAT devices "firewalls". I think "firewall" gets overused like "3-D accelerator". So if you are talking about a 100Mbps connection, why not get a real firewall? Or at least add a little protection with a DMZ port on the firewall.

    On the cheap, you could build a headless Linux or OpenBSD box with three (3) 100Mbps NICs for under $500. I've had great success with Linux IPChains for all kinds of configurations (e.g., setting up a "test" server internally and properly routing it for internal systems so it appeared on a public IP), etc... I'm starting to get into OpenBSD (the various BIND 8 hacks make me think that Theo knows what he is talking about when it comes to OpenBSD sticking with BIND 4 ;-).

    Otherwise, the SonicWall PRO is an excellent box that can be found for under $2,500. It features 100Mbps for WAN, DMZ and LAN. Excellent boxes for the price, good feature set (although the logging could be improved a bit, but everything else is great). I've personally used these solutions as well (and identified a few trojans that people had accidentally downloaded and installed on their PC with IE/Outlook). I even had an external server on its DMZ port get hacked (c/o a known BIND 8 exploit that I failed to patch), but the internal systems on the LAN port were left untouched.

    BTW, I just came up with a good analogy yesterday on a LUG list regarding firewalls:

    • Open Door = Nothing
      So passers-by can see in.
    • Closed Door = Private Network Router
      So passers-by can't see in, but they can still get in. And you can easily get out.
    • Closed Door w/doorknob lock = Basic firewalls, non-ICSA certified "black box"
      A bit of difficulty to get in. You can still easily get out.
    • Closed Door w/doorknob & deadbolt lock = SonicWall, ICSA-certified "black boxes"
      Much more difficult to get in. Blocks some things from getting out (and you can add limitations too).
    • Closed Door w/doorknob & dual-keyed deadbolt lock = Linux, OpenBSD and complete custom firewalls
      Hard to get in when properly configured. Doesn't allow poorly designed protocols to get out by default.
      Problem: Like a dual-keyed deadbolt lock, sometimes you leave it unlocked because it is a pain to deal with (or leave the key in the inside lock).

    --
    -- Bryan "TheBS" Smith
    Independent Author, Consultant and Trainer
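A three-zone ruleset of the kind this comment describes (LAN, DMZ and WAN on three NICs, default deny across zones, the DMZ unable to start connections inward) is given below as an added example; it is not from the post and uses iptables rather than the ipchains the post mentions. Interface names, subnets and the published DMZ host are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): three-NIC Linux firewall, iptables rules.
# Interface names, subnets and DMZ_WEB are assumed values for illustration.
# Forwarding itself is enabled separately: sysctl -w net.ipv4.ip_forward=1
IPT="${IPT:-iptables}"
WAN=eth0   # toward the DSL/cable router
LAN=eth1   # private network
DMZ=eth2   # public-facing servers
LAN_NET=192.168.1.0/24
DMZ_NET=192.168.2.0/24
DMZ_WEB=192.168.2.10     # the one host the outside may reach, port 80 only

# Echo every rule; execute it only when DRY_RUN is unset.
rule() {
    printf '%s %s\n' "$IPT" "$*"
    [ -n "${DRY_RUN:-}" ] || "$IPT" "$@"
}

build_rules() {
    rule -P FORWARD DROP          # default deny: nothing crosses zones unless listed
    rule -F FORWARD
    # Replies to conversations already allowed, in either direction.
    rule -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # LAN may open connections to the DMZ and to the Internet.
    rule -A FORWARD -i "$LAN" -s "$LAN_NET" -o "$DMZ" -j ACCEPT
    rule -A FORWARD -i "$LAN" -s "$LAN_NET" -o "$WAN" -j ACCEPT
    # Outside may reach only the published web service in the DMZ.
    rule -A FORWARD -i "$WAN" -o "$DMZ" -d "$DMZ_WEB" -p tcp --dport 80 -j ACCEPT
    # DMZ hosts get out only for DNS and HTTP(S); everything else, including any
    # attempt to reach the LAN, is logged and dropped, so a compromised DMZ box
    # (the hacked BIND server in the post) cannot start a connection inward.
    rule -A FORWARD -i "$DMZ" -s "$DMZ_NET" -o "$WAN" -p udp --dport 53 -j ACCEPT
    rule -A FORWARD -i "$DMZ" -s "$DMZ_NET" -o "$WAN" -p tcp -m multiport --dports 80,443 -j ACCEPT
    rule -A FORWARD -i "$DMZ" -o "$LAN" -j LOG --log-prefix "DMZ->LAN blocked: "
    rule -A FORWARD -i "$DMZ" -o "$LAN" -j DROP
}

# Count the ACCEPT rules that let new traffic from interface $1 reach interface $2.
allowed_paths() {
    DRY_RUN=1 build_rules | grep -c -- "-i $1 .*-o $2 .*-j ACCEPT"
}

case "${1:-}" in
    apply) build_rules ;;                  # run as root: sh fw.sh apply
    *)     DRY_RUN=1 build_rules ;;        # default: only print the ruleset
esac
```

Run without arguments to review the generated rules; `allowed_paths eth2 eth1` returning 0 confirms the DMZ has no path into the LAN.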
  2. 100Mbps for cheap, not right now by anticypher · Score: 5

    Do you really need 100 Mbps between your home network and the one or two machines on the DMZ? Do you regularly pass huge files between the two? Or are you just a bandwidth snob who doesn't understand that it really doesn't matter when your connection looks like 100M-->10M-->512k-->internet?

    The cheapest you can find on the market with 100Mbps is going to run you about US$2k, and the most expensive you can get is a Cisco PIX.

    Even a dual 100Mbps NIC Linux router will not be able to maintain a high packet rate between the two interfaces, even with a 500 MHz Pentium III powering it. There are just some limitations you will have to accept. Just go for the best priced 10Mbps you can get, and accept the slightly longer transfer times when you make a full dump of your website.

    In my place, I've got an outside network consisting of DSL and cable, with two routers and a PIX 515. The outside net is 10BaseT, because the total bandwidth to the internet is only about 4.5 Mbps. My PIX has 6 interfaces: in, out, and 4 DMZ, each with a fully routable subnet. The inside is 100Mbps, because that is what we run in this house. But to the DMZs and outside, it's all 10Mbps because it doesn't buy us anything to the outside world.

    the AC

    --
    Hemos is like... sci-fi fans; he thinks technology is cool, but he hasn't bothered to understand the science it's based on