Linux To Power Super Router

VE3OGG writes "While Cisco might not be shaking in its multi-billion dollar booties, a couple of network experts have decided to see if they can come up with a possible alternative to Cisco. Termed 'Open Linux Router,' and joining such other ambitious projects as the Extensible Open Router Platform (XORP), the Open Linux Router project aims to compete in the realms of Cisco routers and PBX. Some of the features include SSL web interface, serial console, wireless support, VLAN support, and packet filtering."

In other news...

[kongit]

A 14 year old kid put linux on a pentium 2 he bought for 20 dollars and is running it as an open-source router.

Re:In other news...

Check out Sixnet, which makes routers with all those features (minus wireless), and they run linux. (I work there)

Re:In other news...

In additional news... The person who let a 14 year old kid make major equipment decisions at a University was summarily fired. Get a brain!

College kids...

its a laugh. They think of competing with the big boys. Cisco provides KILLER hardware and software. Even if they provide the killer hardware, they're still killing themselves for not using FreeBSD + pf like what is located in PFsense.

Again, a better router solution... PFsense (FreeBSD + PF)

PF is worlds better than Netfilter, and understandable too. Netfilter is the perl of firewalls.

Re:College kids...

When you are looking at filtering, Cisco access lists really aren't cutting it. Even the Linux iptables, which you apparently consider inferior to pf, really shines compared to access lists.

Also, not all applications require killer hardware. The user may want to route over a DSL line, and typical PC performance is more than adequate for that.
In fact, a PC has so much more performance than the central processor of a typical Cisco router, that in case central processor activity is required the PC will always win hands down. Only the hardware-assisted routing on a Cisco can outperform a PC, but that often does not matter.

Try to run a couple of IPsec tunnels and/or datacompression on a Cisco. It will require extra help in the form of a plug-in encryption module. The PC will do that no sweat.

Re:College kids...

On the other hand, those college kids' efforts could improve the code in the areas that are lacking. Without someone actually doing something, how will things ever improve?

Re:College kids...

[jessecurry]

although I do love the effort, it will be a very long time before a group like this could actually compete. Along with the hardware/software that you mentioned there also needs to be some entity that will take the blame when something goes wrong. If that's not there we'll never see a project like this be adopted by any large corporations, even if they were to beat Cisco on the hardware/software front.

Re:College kids...

Err... you might want to reconsider your statement. Try to run one - yes, only one - IPsec tunnel at full gigabit speed on a PC.

Hardware-assist for encryption is needed for anything above fast-ethernet.

Re:College kids...

[Lars+T.]

Also, not all applications require killer hardware. The user may want to route over a DSL line, and typical PC performance is more than adequate for that.
In fact, a PC has so much more performance than the central processor of a typical Cisco router, that in case central processor activity is required the PC will always win hands down. Only the hardware-assisted routing on a Cisco can outperform a PC, but that often does not matter. Sure, but how would this qualify as a "super router"? That's like claiming a PC is a super-computer because most people don't need anything more. Heck, you even admit that a PC will go to its knees when you dare use it for Routing.

Re:College kids...

[mypalmike]

Sure, but how would this qualify as a "super router"?

"SUPER" here stands for "Software-based Unspectacular Performance for Enterprise Routing".

Re:College kids...

[Joe+The+Dragon]

most typical PC don't the pci bus bandwidth that is needed for most routing. You can't even run one gig-e card at full speed on it.
Pci-e can but most systems only have 2-3 pci-e x1 slots.

Re:College kids...

[MightyMartian]

Other than access lists, IOS is horrible. I see no reason why, on good hardware, a Linux-based router can't do just as good a job. Mikrotik is a good example of Linux-based routing software in this regard, though I prefer the roll-your-own method.

Re:College kids...

You need very compressible content to route a gigabit ethernet over a DSL line, or a couple of bundled DSL lines.
My statement is that a PC can very well be used as a router on a (small) business connected to Internet via one or a few DSL lines.
Even when you want to run a couple of IPsec tunnels over that (say, about 10-20).

A cisco router cannot do that without encryption module and will run into limitations that a PC+Linux solution does not.
(like load-balanced NAT over multiple Internet connections)

Re:College kids...

[Noexit]

We've been using MikroTik on our network for about a year and half now. Works great, all the features we need, and the cost is unbeatable. We've been able to build and deploy a truckload of equipment using MikroTik for a fraction of what one Cisco router would have cost. Yeah, we're a small shop, YMMV.

Re:College kids...

[LordWoody]

OK, I call.

1) A PCIx socket carries the same bandwidth as a 1-lane PCIe socket.

2) Using either PCIx or PCIe (1-lane even!) you can run 1G bidirectionally through a Linux system with as little as a single 2.4G P4HT (been there, done that, got the proverbial smoking copper cable to prove it). The CPU will not be stressed.

3) You can buy up to 6 ports on one full height PCIx or PCIe card. If you buy a multi-port PCIe NIC, it will most likely be of the 4-lane variety (and if not, keep shopping).

4) The Linux kernel's ability to route and intellegently bridge are both high performance capable. Throughput loss comes from engaging netfilter and more specifically conntracking. However, perform load testing on a top-end Cisco with and without ACLs and watch what happens to its performance; the results are very interesting. In short running any kind of ACL (Cisco, iptables, etc...) is expensive.

5) If you are building a performance Linux router, you are not using low-end desktop equipment. I hold in my hands a lower-end Intel AspenHill (S3000AH) server mainboard and it has 1 PCIx socket and 2 PCIe sockets (4 and 8 lane). The Intel Alcolu (S5000PAL) server board has a flexible socket layout (depends on the reiser card you buy) of (1) PCIx and either (2) 8-lane or (4) 4-lane. Either way, that is a fair number of potential interfaces to route across. Drop in a nice Core2 Duo on the Aspen Hill or a Dual Core2 Duo (or Dual Core2 Quadros if you decide to load up 16 interfaces) on the Alcolu and you have a ton of CPU horsepower to handle the interupts and make routing decisions. While not cheap per say, the costs are still less than Cisco routing gear with equivelent horsepower.

The larger issue in using x86 equipment to act in routing duties is interrrupt processing. Using NAPI enabled cards such as those produced by Intel and Broadcom lessens the interrupt load (you get multiple packets per interrupt). PCIx/PCIe single-lane as a dual NIC pair or PCIe multi-lane for multiple paths provides enough bus bandwidth to move the packet data. PCIe makes the process even smoother due to the dedicated contollers per lane (think of it as one socket per bus instead of the old all sockets on one bus model). In addition, PCIe supports simultanious reads and writes (which lowers per packet latency in bi-directional communications). All other flavors of PCI are read or write at any one time.

What you do get when you buy Cisco, is (in theory as in practice it seems to vary) a tried and proven user interface and and solid under pinning of which you the admin require little knowledge. You buy the components Cisco tells you to put in it depending on the job you want to do.

With Linux, you are usually on your own in selecting hardware, setting up the software and using the many interfaces required to configure each component of a Linux system used in a routing function. Very few admins have the time or resources to test hardware compatibility and evaluate the performance of various equipment options. If any group can put together a recommended (read: tried and tested and performance evaluated) hardware set and for it produce a ready to run (read: quick install with a single interface for the all router setup (IPs, ACLs, routes, etc...)), then more power to them. It makes it that much more likely that Linux based routers will show up in performance demanding environments.

Food for thought.

Re:College kids...

[the+eric+conspiracy]

Yeah yeah... but who uses 1 GB anymore. Wonce you get to the LER you are dealing with 10 GB/s ports. What I want is a box that will do protocol classification and deep packet inspection at 10 GB/s.

Re:College kids...

[afidel]

Uh, doing ACL's on most Cisco equipment will have no affect on throughput and little affect on latency so long as you know what your are doing and are willing to live within the hardware limitations. So long as you live within the rules that can be compiled to and fit within the ASIC's on a given platform you can run at linespeed with little additional latency. Sure it takes some knowledge, but if you have it you can do things that only the other Tier-1 vendors can touch, no PC based platform is ever going to touch them.

Please fix summary

[MichaelSmith]

SOme fo the features

Re:Please fix summary

[operato]

how is this offtopic? people should fix these things so they don't bug the hell out of the little guys like this one.

Re:Please fix summary

[antoinjapan]

Maybe they are calling anyone who cares a SO fo, which is a little like MO fo , except son instead of mother. I dunno maybe it's a secret code masquerading as bad spelling/grammar. Maybe they all were over the years, who knows what sensitive information slashdot and supposedly random "commenters" have been secretly releasing to the enemy under the guise of bad spelling and grammar while simultaneously employing subterfuge by periodically posting stories about the declining education of the children in U.S schools. Just a sec there's someone at the door

Re:Please fix summary

[operato]

sorry it was just the sound of me whacking my head off the keyboard after reading that.

Re:Please fix summary

[JLester]

I am still trying to parse "aims to compete with the realms Cisco routers and PBX". That phrase makes no sense to me.

Re:Please fix summary

Never mind that it's either 'the features include' or 'some of the features are'.

Re:Please fix summary

[antoinjapan]

Yes it was your banging I heard, there was no one at the door, I swear..and my earlier comment about messages encoded as bad spelling and grammar was just a joke and should not be taken seriously. Hlep HLeP dey Is gone to kLil me.

Re:Please fix summary

[operato]

bum bum in my bum bum... i hope you understand that one.

Re:Please fix summary

[Endo13]

Try parsing "aims to compete with the realm's Cisco routers and PBX".

The original article's writers...

[c0l0]

...obviously don't know what they're talking about all too well.

Other Linux-based projects targeting firewall and network server include ClarkConnect, IPCop, m0n0wall, and Smoothwall. Unless m0n0wall hasn't switched kernels, they're still using FreeBSD as their basis.

"Super" = lots of features?

[Ingolfke]

I was expecting to read about a router that could compete with Cisco's hardware based on performance, not features. It looks like an interesting project for smaller shops or routing applications that aren't business critical... maybe more of a competitor to low end routers and all-in-one appliances, not enterprise routers. It doesn't look like it has any stateful failover capabilities.

Re:"Super" = lots of features?

[lavid]

Yeah, seriously. My DDWRT hacked router runs linux, and it's pretty super, especially along those criteria. The real bottleneck is the hardware it runs on. DDWRT is being ported to run on x86... that's just as relevant as this article, IMHO.

Re:"Super" = lots of features?

[grimwell]

It doesn't look like it has any stateful failover capabilities.

OpenBSD has had stateful failover for a while now.
Failover Firewalls with OpenBSD and CARP
PF: Firewall Redundancy with CARP and pfsync

I agree with you, that it is the hardware of the "big boys" that makes their toys useful. An actual switch that ran linux/bsd would be an interesting item.

Re:"Super" = lots of features?

[lathama]

One Link

http://imagestream.com/

To pwn them all.....

Re:"Super" = lots of features?

Plus PF is _way_ nicer than iptables or whatever the latest fad in Linux is.

Re:"Super" = lots of features?

[Bert64]

Well, running on a PC-based architecture will never be able to compete with high end routing devices, regardless of software.
Perhaps a multi socket opteron system with network interfaces connected via hypertransport, but not much short of that. The way PCI buses are designed makes them very poor for routing large amounts of data around. There's no way that any current system could outperform a catalyst 6500 at the same price point.

solaris

At the first ISP i worked for back in 1996 they were not using cisco at all they were using solaris to route everything, i dont know how they set it all up though, but this isnt a new idea, maybe just newer software for it.

Just my 2 cents worth

Re:solaris

[EveryNickIsTaken]

Did you work in Sales by any chance?

Re:solaris

No i didnt, I was techincal working on the helpdesk but not working closely with the network engineering team, other jobs after this i was configuring cisco routers. So i am familiar with routing to some degree and also more savvy with linux and solaris in the last 11 years !
I assume by the post you think its not possible to route traffic with solaris !

Re:solaris

[EveryNickIsTaken]

No, you just made it clear that you have no idea what you're talking about. The Solaris machine was likely used to monitor the routes, not to do the actual routing.

Re:solaris

Im not talking about 1 machine im talking the whole backbone was using solaris machine(s) to route the internet traffic. I understand how you think 1 machine would have trouble seing as most isp's i have worked for have thousands of routers.

Re:solaris

[Slashcrap]

im talking the whole backbone was using solaris machine(s) to route the internet traffic

Why do I have visions of a whole load of Ultra 5s daisy chained together with short lengths of Coax?

It exists already

[Jagungal]

It's tested, mature .. forked and works well with a number or protocols.

  http://www.quagga.net/

Re:It exists already

[DaMattster]

I do like Quagga very much. But, its performance still doesn't quite match the Enterprise Cisco router. That said, Quagga works very well for small to medium sized businesses and Quagga may even outperform the lower end Cisco routers. The enterprise Cisco router has a slight advantage in that its hardware and architecture are designed for purely routing. I was bummed to find out that there was a performance gap. A Canadian University, University of Toronto, has a routing cluster based on Quagga. The administrator, Russell Sutherland, even said that UoT would be moving to a Cisco or Juniper router config as he said that he would need fewer Cisco units than Quagga servers to achieve the same amount of routing. The cost savings in power alone is not insignificant. It is a neat experiment and I hope that one day Quagga will surpass enterprise Cisco. Here is a PDF detailing what Russell Sutherland has done: Back to the Future: BSD on the Edge of the Enterprise.

Piece of bullsh**

The website of this wonderul "Super Router" is http://www.openlinuxrouter.com/

It's a bullshit news - there is NOTHING DONE YET. The project is IN PLANS and I don't know how it could be better than e.g. m0n0wall [1] or Lintrack [2]

[1] http://m0n0.ch/wall/
[2] http://www.lintrack.org/

Re:Piece of bullsh**

[El+Torico]

Did you notice the line below "Download Now"? It states, "Currently no stable releases". It's a bit premature to put this on your network, but this project does have merit and it lists a useful set of features.

As for the intro - Cisco already has alternatives; Juniper is what the big boys (Tier 1 ISPs) use; Foundry and Extreme are solid alternatives too. I do like the "by your own bootstraps" mindset of this and other open source projects, so hopefully this will compete in the SOHO market.

Re:Piece of bullsh**

Mods on crack again. Troll? WTF?

Other routers

[Toreo+asesino]

For what it's worth, Linux already powers all the NetGear DG routers at least(Wireless, LAN) etc, and I have to say they work very well.

Re:Other routers

What you are describing is a toy router that will route a few megabits at best. Cisco's Catalyst 12000 can route several gigabit links. Nice try.

Glass

Re:Other routers

[notanatheist]

A far more informative AC post than the parent. Linux already runs on a huge variety of 'consumer' hardware. My Linksys WRT54G(v4) runs DD-WRT and I routinely sell the WRT54GL flashed to DD-WRT for clients. Sure it is extensible and open but I'm not expecting to route the data from a render farm or be the backbone of a bank.

SuperRouter

[DeeVeeAnt]

Is it a hub? Is it a switch? No! It's ...

Re:SuperRouter

[true_hacker]

It's a bridge!

Re:SuperRouter

Very small rocks_

Until...

Using Linux to power the control plane of the router is the easy part. Designing the ASICs, programming the FPGAs, and writing the hardware drivers is the hard part. High-end routers don't process packets with software routines; it's done with very fast, specialized hardware. And you want your control plane to be as lightweight as possible, both to control software defects and to improve performance.

Yes

But does it...doh!

SuperRouter? Please rename it.

[HockeyPuck]

When I read the summary I thought they'd be competing with Cisco's service provider grade box http://www.cisco.com/en/US/products/ps5763/index.h tml

Guess they'll need to come up with some pretty fast interfaces b/c I dunno if Frys/CompUSA carries OC-192/768 interfaces for the PC.

Sounds like another LEAF project http://leaf.sourceforge.net/

Re:SuperRouter? Please rename it.

[icoer]

Actually there are a few companies out there doing this. http://www.simplir.com/ has a full Blade appliance center that runs on an embedded linux kernal. Linux is out there and in some major applications, just not always advertised as such. The nice thing about that Simplir products, is that they allow you access to a command prompt via SSH. You can make any custom modifications as needed.

And more to the point

[Sycraft-fu]

Make all the features you do have work well. That's one thing I have to give Cisco gear, whatever features they choose to include on a given system, they all work. Often times their smaller stuff is much less feature complete than OSS equivalents but it all works. I use m0n0wall at home because I want a little, embedded firewall and I'd like features I don't feel like paying for on a Cisco for a home network (though I'm going to have to take a real look at the new ASAs). However I've continually had to fight with m0n0wall over getting stuff it has to work. There's been bugs, and there's a number of features that are called "advanced" and "unsupported" which is apparently code for "We can't figure out how to make it work right so we are going to blame the problem on you and refuse to help."

What makes Ciscos "super" isn't their feature list, it is that they work WELL. Performance, stability, etc, all are great. IOS may make the easy things more difficult than perhaps they need to be but it makes the difficult stuff possible.

Also if you asked me the name is really misleading. The name and description implies that it'd be competing against the high end stuff, spicily IOS XR. However reading a little further it is just something else for making a desktop PC in to a router which competes maybe against their mid-low range gear.

Re:And more to the point

That's one thing I have to give Cisco gear, whatever features they choose to include on a given system, they all work.

I disagree with that. A while ago I had to setup an (in my opinion simple) configuration with a Cisco 3725.
It included two ADSL lines that use PPPoA, and an ISDN BRI module for dial backup. One ethernet would be connected to the LAN and there would be IPsec tunnels to other locations with similar routers, the other to a DMZ with some servers with access to/from Internet.

Seemed to be simple enough, but I hit several critical IOS bugs and limitations.
No loadbalancing/failover on the ADSL lines, no working routing policy for tunnel interfaces, problems with IP CEF in combination with PPPoA, etc.
Getting support from Cisco turned out to be very hard, and after spending a lot of time on providing data to them they stamped the bugs as feature requests and did not implement them.
In the end I got a partially working solution by removing the ADSL WICs and using external modems, but it still is a clumsy solution.

Would this have been a Linux box, I at least could have decided to fix the bugs and recompile. But with Cisco you are dependent on the blackbox IOS they provide to you.
(which has another disadvantage: it is one monolytic block of code. it has happened a few times that installing a newer version fixed some problem but introduced another in a completely unrelated corner. in that case you cannot decide to update one module and leave another alone. you have to swap everything in one go)

Re:And more to the point

[blargh-dot-com]

Make all the features you do have work well. That's one thing I have to give Cisco gear, whatever features they choose to include on a given system, they all work. Very strongly disagree. Examples:
- Kerberos. Cisco claims to support it. Techincally they kind of do if you don't mind 56 bit encryption over telnet and other issues...
- ARP inspection and DHCP snooping took MANY versions to settle into something remotely approaching working, and there are still quite a few issues there (try uploading the binding database via SCP sometime...)
- The 3750 RPS hardware solution sucks. (I'm hoping the 3750-Es are re-engineered) This on top of us getting a bad batch of 3750s with flakey power supplies (we had 5 or 6 blow a couple weeks after install) was not fun. (The RPS will only power 1 device out of 6, and when it does kick over, you have to manually push a button to have it revert back to the (fixed) 3750. When you do, you have a 50/50 shot of it working fine, or rebooting the stack...)
- The Sup720 line still has a few issues - we have multiple instances of one of a "redundant" pair of Sup720s crash, and take the other sup with it, leaving both in rommon...
- Etc. etc. etc.

Re:And more to the point

[afidel]

To me what makes Cisco great is not the hardware, and certainly not the (fairly buggy) software, it's the TAC. Cisco's support organization is the best in the industry bar none. It's why having Cisco hardware without smartnet is a complete non-starter for me, it's fairly overpriced hardware without the support organization behind it.

Cisco has their own Linux Router

If you dig around in Cisco's acquisitions a few years ago, you will notice that they bought a company that was doing a Linux based enterprise router that was the equivalent of their IOS routers. I am NOT referring to Linksys. They have a Linux group that is keeping parity with the IOS offerings just in case they need to compete with someone else's Linux based routers. When I worked at Cisco, it was a topic of rather heated discussion. It's not something Cisco plans on ever releasing unless they need to blow a potential competitor out of the water.

Cisco really has nothing to fear for a long time.

[Xenomorph.NET]

Free / open / alternative systems and routers may come out. Companies, especially larger ones, will still gladly purchase "authentic Cisco" products. When they buy Cisco, it may cost a lot, it may even be a rip off - but its still an established product from and established company. There is plenty of documentation and support for the product.

No they are just using the term Linux

Like so many people are - interchangable with the term/idea 'Open Source'.

2 examples:
Open Source Development Labs - Not open source, just Linux. (And they are changing their name to be something Linux now)
"The Web Server is Linux" - No, the web server is Apache.

The author is being loose with words - just like so many before. If one has a problem, then go yell at the others before who mis-use what "Linux" means.

Re:No they are just using the term Linux

[Schraegstrichpunkt]

"The Web Server is Linux" - No, the web server is Apache.

You've obviously never heard of kHTTPd.

Cisco's stuff isn't that great...

[blargh-dot-com]

We've had a huge number of problems with Cisco's stuff, and unfortuantely are basically locked into Cisco for everything.

Cisco IOS is badly fragmented across Cisco's different product lines. Entire command sets are different for no easily acceptable reason (i.e. commands that do the same thing are named different, or have their parameters in a different order, or a different format). Their SNMP support is absolutely pathetic (no Q-BRIDGE-MIB on anything, they use idiotic community indexing, SNMPv3 has more bugs than I care to think about (contexts (which they use for community indexing in SNMPv3) barely work, and you can't wildcard them).

Their software-only platforms are almost as bad. ACS is notorious for having absolutely no useful diagnostics. (Someone can't authenticate against your LDAP server? Good luck figuring out why...) CallManager isn't quite so bad, except its backup software locks up every week or so and keeps future backups from running until we get in and kill the task. All their Java interfaces require /different/, /conflicting/ versions of Java - one may require 1.4 and nothing else will work, another will require 1.5... and nothing else will work. (Fortuantely they're getting away from Java for their web-based front ends and just going with straight web pages).

Their hardware is OBSCENELY expensive. Our pricing is under NDA, but its still stupid, stupid expensive.

Their technical support is horrid - we groan every time we have to open a TAC case cause we know we're going to waste at least two hours with some idiot before we finally get bumped to someone who actually knows what all the funny little acryonyms in our cases stand for. We have been flat out lied to by TAC on numerous cases, as well.

But, they're Cisco, and the Powers That Be know the word "Cisco", and have seen it around a while, so we go with it.

Re:Cisco's stuff isn't that great...

Why is this "obvious troll" marked informative? All he's doing is ranting.

Re:Cisco's stuff isn't that great...

[crotherm]

We tend to have very very few problems with CISCO. The stuff just works. And as for different command sets, load a new IOS, or even if you can't, the syntax is not that hard.

I will agree that the one major problem we had with setting QoS it took way too long before a new engineer came along and new the answer right away. It was something that all of their engineers should have known.

Re:Cisco's stuff isn't that great...

[blargh-dot-com]

Their QoS stuff is different across every platform they have it seems. Some lines have the very nifty auto qos feature (3750s, for example). Others you need to sit there and calculate out queueing strategies and so on yourself, and its different for every blade. Now, I can understand wanting the ability for that level of detail, but I guess I just like the auto qos better. (We primarily use QoS for the VoIP phones, which is what auto qos was designed for...)

pfsense

Although not done with linux (its bsd) pfsense has most of those listed features. Ive been running it for a while and have zero issues with maintenence or performance. Was previously running a smoothwall but it would occasionally require reboots and also timed out sometimes with over 10k concurrent connections.(think torrent traffic)

Hardware not software

[crotherm]

Repeat after me, it is the hardware that makes CISCO untouchable by software on a PC. The ASICs, the switch fabric on the interfaces, etc etc.

It seems every few months another group gets together and say the same thing... "Surely us uber linux doods can make a better product than CISCO."

Not to say it can't happen, it just will take a bit more capitalization than these guys have.

And since this talk of "SUPER ROUTER", why not compare to Cisco's IOX?

Obligatory (I'm so sorry)

[Bugs42]

Yeah, but does it run --
Oh.
Well then, I guess we're all set here. Someone else wanna take over, maybe throw in an "all your base" or "Beowulf cluster" reference?

Mikrotik

I liked mikrotik from the time i started using it, but what really cinched it for me was this:

after a few months of using at the borders of my office lan ad getting used to its policy based everything, i called up our hoting provider to ask them to make achange to the production PIX

We had people scraping our site and wanted to redirect them to a static site. Outright blocking them would tip them off more quickly (abd obviously) to the change.

I asked our provider to set the NAT on the firewall to forward packets to host B for these particular douchebags, and host A for the rest of the world. My PIX knowledge was so rusty, and this bargain-basement routerOS box did it so readily, that it never crossed my mind that the PIX woulnd't do it.

Sure enough, "uhh... yeah this box won't NAT to different addresses based on the source IP."
me: but..but.. my $40 firewall does it!

*sigh*

the biggest thing missing form RouterOS is decent failover. can't someone port CARP linux already?

Re:Mikrotik

[hjf]

not sure about the PIX, but I'm pretty sure that NAT to different addresses based on the source IP can be accomplished easily with even the 2501's I used back then in the CCNA course. just an ACL for filtering packets and that's it. Never touched a PIX firewall, but AFAIK, it has more firewalling features than the 10 year old 2501, so it *SHOULD* be able to do what you want.

I think your hosting provider was too stupid to configure it. He tried the web config looking for "NAT to different addresses based on the source IP" and didn't find it, so he told you that... j/k

Wouldn't OpenBSD be better suited?

[Graabein]

Wouldn't OpenBSD be better suited than Linux? Not looking to start a flamewar here, but what with PF and OpenBGPD et al...

Just a thought.