firewall/router for SME / SOHO

[pak000]

Our cisco pix 501 died over the weekend and I'm trying to find a replacement, we've been recommended the cisco ASA 5505 50user by our external IT support, but they are quoting an extortionate amount. I'm thinking (a) it does things that I don't need (b) doesn't do other things that I would like (c) overall seems to be a bit expensive for something I'm not happy with

Can anyone here suggest a suitable firewall/router?

I'm not sure on the throughput requirements - which seem to be the most significant factor when it comes to cost, but we have about 15 users in the office who connect to a server, this is all on one subnet and doesn't touch the firewall. I would also like a seperate terminal server (which will have at most 5 external users at any one time) to be on a seperate subnet which is firewalled from the main office network, the terminal server will need to be able to connect to the sql databases on the main network.

The terminal server currently has OpenVPN set up for the external users to connect, our IT support people would like to be able to use a VPN on the firewall, they apparently prefer cisco, but can cope with most things

I'm also thinking that would should go wireless, so incorporating that into the firewall seems like a good idea

I've been looking at the
- zyxel zywall 2wg
- draytek Vigor 2910VG

any thoughts?

Thanks

[edit]I forgot to mention, it will need to do multinat (I don't know the proper term) such that
1 external IP goes to the terminal server which also has its own internal IP
1 external IP maps to the main server which also has its own internal IP
all office / user PC's map to a 3rd ip

I was looking at the zyxel and couldn't decide if this was possible

[peterb]

The Drytek are pretty highly regarded and I have seen them in the sort of situation you describe - and considering the capabilities, not outrageously expensive either - so worth a punt anyway.

[Jay]

we have recently started to replace Drayteks with 800 series routers and ASA 505

[smargh]

http://m0n0.ch/wall/ (lean) or http://www.pfsense.com/ (less lean)
Both have VMWare images you can test things with.

Hardware - completely fanless, small, nifty, useful! I own an old Wrap board and a newer Alix. They are awesome.
http://linitx.com/viewcategory.php?catid=176&pp=176

Perhaps plus a VPN accelerator card (56eur from http://soekris.eu/shop/vpn_boards/vp...ockets_en.html). Googling suggests 25Mbit+ without one.

[Jay]

smargh they are all very good, don't get me wrong, but I just don't think they are the correct way to go this time.

[smargh]

smargh they are all very good, don't get me wrong, but I just don't think they are the correct way to go this time.

The hardware, or pf/m0n0?

[Jay]

the software. I think a solid asa would be the best choice

[pak000]

Thanks for your input.

I'm reluctant to go down the cisco route, I know they are good quality and more than up to the task, I just feel their cost for what we need is a little excessive, I'm also aware that they arn't exactly the most user friendly devices.

smargh - building a router would be fine, but unfortunately I don't have the time at work to be experimenting with set ups I've never come across before - IT isn't my main job, it's just dumped on me like in a lot of small offices

[loki]

Zyxel make pretty decent stuff. It's not quite as configurable as the Cisco and doesn't have some of the high end features. The NAT thing worries me slightly. I don't know if they'll do full NAT like an ASA or other high end firewall would. I think the zywall 35 did but I can't remember if the lower end models did.

What you're talking about with the differently rulled subnets is just a DMZ as far as I can see. Again the zywall 35 did it, not so sure about the lower end models.

You'll struggle to find a new PIX because they're no longer sold.

Also you're just doing NAT. You just need to have enough public IPs to cover your NAT rules or your going to be getting into PAT, and I'd try to stay away from that.

[gss03]

Personally if its for a Business I'd go with the Cisco recommendation - Their your IT company. They wouldn't recommend it if it didn't do the jobs you ask of it.

After that my order of preference would be
- Draytek
- Zyxel
- Sonicwall

[controlfreak]

D-Link has a UTM firewall for SME/SOHO coming out in Q3 sometime. They are usually fairly good at SME/SOHO networking equipment. Model is DFL-160. Perhaps worth having a look. Details can be found by googling the model name.

[scaryjim]

The unit I currently work for uses a Watchguard Firebox X. I won't go into the crazy-mad way we're using it, but I've found it to be incredibly reliable, easy to configure - pretty much issue free. Of course, it may not be entirely suitable for your needs, but they could well have something worth looking at their range: http://www.watchguard.com/