Share your setup for firewall+proxy+antivirus+dns Server

Discussion in 'Business & Enterprise Computing' started by cybermonk, Dec 3, 2012.

  1. cybermonk

    cybermonk Member

    Joined:
    May 15, 2003
    Messages:
    134
    Location:
    australia
    Hi Guys,

    Trying to decide which distro to try for firewall+proxy+anti-virus+DNS server, DHCP server and VPN server.

    Please share your setups and recommendations.

    I need something easy to maintain and real-time reports.

    Around 65 users in the company.

    Free or pay, will see what is the best option.

    Thanks in advance.:thumbup::)
     
  2. 303-Acid

    303-Acid Member

    Joined:
    Jun 29, 2001
    Messages:
    2,565
    Location:
    Beaumaris, Vic
  3. OP
    cybermonk

    cybermonk Member

    Joined:
    May 15, 2003
    Messages:
    134
    Location:
    australia
    Free version or pay version?
    Do you build your own hardware or use VMware?
     
  4. Skitza

    Skitza Member

    Joined:
    Jun 28, 2001
    Messages:
    3,743
    Location:
    In your street
    pfSense for a build your own
    or ClearOS

    Sophos UTMs as an appliance are awesome boxes!
     
  5. 303-Acid

    303-Acid Member

    Joined:
    Jun 29, 2001
    Messages:
    2,565
    Location:
    Beaumaris, Vic
    I use the free Sophos UTM home version on my own hardware. Perfectly fine for my needs of a couple of users. In your case you'd need a paid version for more than 50 IPs. I had it on a VM for testing and moved it to a dedicated box for production.
     
  6. Herballizard

    Herballizard Member

    Joined:
    Oct 9, 2002
    Messages:
    1,533
    Location:
    .
    ClearOS as a connectivity server is fine but not as a UTM, poor reporting, the firewall pisses me off to no end some days. The fact they have dropped IPsec 'cause it's in the too-hard bin. Lack of reporting is fine since you can build your own, but it's lacking all the same.

    pfSense for a UTM every day of the week and twice on Sunday.
     
  7. samus

    samus Member

    Joined:
    Jun 3, 2002
    Messages:
    1,205
    Location:
    Baulkham Hills, Sydney.
    THIS. SO MUCH THIS.

    I've done what you are doing already. Read the whole thread (specifically post #47), but the short of it is ClearOS is good on paper, but sucks for everything else.




    You can see what I have installed, and just a very small portion of what pfSense can do.

    All you need is some solid hardware. Me for 50 odd users, IPsec tunnels, OpenVPN access and transparent proxy, filter, snort, using almost no resources. FOR FREE. It's been in production for over a year, and I've never had an issue with it.

    Install it on something, have a play with all the packages. Don't be tempted to update the packages all the time though; if you find a stable mix, stick to it.
     
  8. kom

    kom Member

    Joined:
    Apr 13, 2012
    Messages:
    101
    I've been thinking of setting up a pfSense box to act as a local gateway/proxy/firewall, but I'm not sure if my approach is a good one. What I was thinking of doing (@home), is:

    192.168.1.1/24 (Router) --- 192.168.1.10/24(pfSense) --- 192.168.1.X/24 (LAN)

    Is this a good idea?
     
  9. evo800v

    evo800v Member

    Joined:
    Jul 26, 2004
    Messages:
    516
    Location:
    Australia, Sydney, NtRyde
    I've heard good things about Smoothwall. Custom build, software, UTM, virtual appliance, it's all downloadable off their website for a 30-day trial.
     
  10. azron

    azron Member

    Joined:
    Feb 27, 2004
    Messages:
    1,076
    Location:
    Melbourne
    http://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx

    I may be biased... but yeah, the Sophos UTM for Home Use is free. The only thing you don't get is the High Availability module...

    But you get full Firewall, IPsec/PPTP/L2TP for remote access support, even the HTML5 portal which essentially publishes RDP/HTTP/SSH services and exposes apps through any HTML5-capable browser, inclusive of Android and iOS devices ;)
     
  11. samus

    samus Member

    Joined:
    Jun 3, 2002
    Messages:
    1,205
    Location:
    Baulkham Hills, Sydney.
    Why would you bother putting a router in front of a pfSense install? pf will route for you fine; if you have an xDSL connection then it will also do the PPPoE/A for you. Cable is a slightly different beast, but you can try and put the modem into half-bridge, and pass the public IP to pf. This is the simplest way to go, then you can play around to your heart's content. PM me if you need any help.

    Wow, Smoothwall has come a long way! I like it because it's Linux based, not FreeBSD based. Makes things (for me anyway) easier to change. However, I still wouldn't pay for it.

    Again, why pay for it? OP can't use this, 50 user cap.

    My VoIP guy uses pf in his core routing/firewall setup on a series of cheap dell pizza boxes, servicing many clients, and it's never gone down. With failover and CARP you can even pull the power out of a box and it still works.

    </pffanboi>

    Seriously though, I haven't found anything that will do what pf will do, with a nice pretty front end, for free.
     
  12. h-90

    h-90 Member

    Joined:
    Aug 19, 2002
    Messages:
    880
    Can you use the home edition for business use though? I had a quick look on their site and I couldn't see, might be something to consider.

    We use Astaro (Sophos UTM) for all of our sites.
     
  13. OP
    cybermonk

    cybermonk Member

    Joined:
    May 15, 2003
    Messages:
    134
    Location:
    australia
    Guys, what about hardware?
    I've been looking at Soekris.

    Any recommendations for something similar in Australia?

    Again thanks for the advice.:thumbup:

    It seems pfSense is the most used.
     
  14. Herballizard

    Herballizard Member

    Joined:
    Oct 9, 2002
    Messages:
    1,533
    Location:
    .
    I used to use Smoothwall then went over to ClarkConnect which turned into ClearOS. There are a few things that they sort of kinda do well and will get there one day: one, it's an SBS replacement; two, it's pretty simple out of the box. As a UTM it's entirely flawed; there is some awesome stuff that works out of the box and even as a dev myself I just can't bring myself to recommend it as a UTM. I would be more than happy to smack pf onto a ClearBox and have it sitting in front of my Clear server.

    I have honestly tried
    monowall
    ipcop
    smoothwall
    astaro
    untangle
    engarde

    And a few others after them all. I would say for a UTM pfSense is awesome. I don't entirely like BSD but hey it works, and if you want HA it supports CARP. Personally I would like to hear from anyone using it in a multi-tenant scenario.

    Ha after bagging out the cos reports PB has finally gotten his arse into gear and released the testing repo
     
    Last edited: Dec 4, 2012
  15. ewok85

    ewok85 Member

    Joined:
    Jul 4, 2002
    Messages:
    8,074
    Location:
    Tokyo, Japan
    pfSense

    It is extremely easy to set up everything you need, then some more (ntop and snort for example).

    For hardware I'd just use a Mini-ITX board with dual Intel NICs, plenty fast. My Supermicro Intel Atom D510-based board will happily allow 180 Mbit transfers over my net connection, and I get about 30 Mbit over IPsec VPN - probably because of the hardware on the other end.

    I wouldn't recommend a Soekris or similar boards unless you had a very simple setup - you'll want at least 512 MB of memory and a largish HDD.
     
    Last edited: Dec 5, 2012
  16. scrantic

    scrantic Member

    Joined:
    Apr 8, 2002
    Messages:
    1,695
    Location:
    3350
    Getting a new branch where pfSense or Sophos UTM might meet our needs; time to run up some VMs.

    One thing I know for sure is when the kids are old enough either pfSense or Sophos will become our home gateway :).
     
  17. OP
    cybermonk

    cybermonk Member

    Joined:
    May 15, 2003
    Messages:
    134
    Location:
    australia
    The Soekris comes up to 1.6 GHz of CPU and 2 GB of RAM.
    I'm thinking that should do the job.
     
  18. ewok85

    ewok85 Member

    Joined:
    Jul 4, 2002
    Messages:
    8,074
    Location:
    Tokyo, Japan
    Soekris have many different models - most people like the low end models, the better Atom boards tend to be expensive compared to just getting something like this.

    But yes, the Atom based Soekris should do it nicely.
     
  19. Daemon

    Daemon Member

    Joined:
    Jun 27, 2001
    Messages:
    5,422
    Location:
    qld.au
    Have a look at Vyatta (http://vyatta.org/), it's more at a Cisco / Juniper level functionality but it's rock solid (and even on modest hardware outperforms Cisco by a large margin).

    The Ubiquiti EdgeMax router (http://www.ubnt.com/edgemax) is looking really interesting too and it's based on the Vyatta open source code. Doesn't look like anti-virus will be included initially but possibly available once they produce the larger versions. It's Debian based too, so I'm sure there will be a number of 3rd party add-ons coming once it's released.

    Last ETA I saw was mid-December for release and it was going to be around $130-140 in Australia.
     
  20. ir0nhide

    ir0nhide Member

    Joined:
    Oct 24, 2003
    Messages:
    4,160
    Location:
    Adelaide
    Holy shitballs those Ubiquitis look awesome. They've just made it onto my 'to evaluate' list.
     
