Firewall and VPN considerations
Cristian KLEIN
cristi at net.utcluj.ro
Sat Sep 22 12:28:26 PDT 2007
Christer Hermansson wrote:
> Hello
>
> I am planning on setting up a FreeBSD Firewall that will be used to
> protect a LAN.
>
> The firewall will also act as a VPN-gateway for external workstations
> running Windows XP Professional; I will use Microsoft's ipsec software
> included in Windows XP.
>
> I will also use the firewall's external side to connect with ipsec to
> another LAN which has Cisco VPN equipment.
>
> The firewall will use IPFW and doing NAT for the internal LAN.
>
> I would like to have some advice/opinions on the following issues:
>
> - To achieve NAT with IPFW I must use ipdivert, no other methods exist,
> wrong or right ?
I personally like to use IPFW with IPNAT or PF. I also heard that starting with
7-CURRENT, IPFW is able to use libalias to do NAT in kernel-space.
>
> - In this thread
> http://lists.freebsd.org/pipermail/freebsd-net/2007-September/015290.html
> they say quad core does not raise the performance compared to duo core
> when building a router. I will have more than packet forwarding and
> userland processes, e.g. NAT and IPSEC so I think more cores will help.
> Should I get a machine with duo core cpu or quad core cpu, does quad
> help the performance ?
>
> - In this thread
> http://lists.freebsd.org/pipermail/freebsd-net/2006-June/010909.html
> they suggest not to use gif together with ipsec to achieve compatibility
> with cisco etc, so I'm planning to skip gif, wrong or right ? What are
> the benefits of using gif ?
>
> - In this mail
> http://lists.freebsd.org/pipermail/freebsd-doc/2007-June/012632.html
> they suggest gif and FAST_IPSEC. On the man page for FAST_IPSEC(4) I
> find the text "is an experimental implementation", maybe the man page
> just needs an update or is FAST_IPSEC not suited for production
> environments ?
>
> In the official FreeBSD handbook
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
> they say not to use FAST_IPSEC, and show the use of gif, however I think
> this needs to be updated/rewritten. (If I get the time I really feel for
> writing an alternative page about IPSEC with FreeBSD and maybe the
> result gets accepted for inclusion in the handbook.)
>
--
+-------------------------------------+
| Cristian KLEIN |
| Network Engineer |
| Communication Center |
| Technical University of Cluj-Napoca |
+-------------------------------------+
| Tel: +40-264-401247, int. 247 |
| WWW: http://www.cc.utcluj.ro |
+-------------------------------------+
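As an added illustration of the in-kernel NAT route mentioned in the reply (example configuration written for this page, not code from either poster or from the FreeBSD project): an IPFW ruleset that uses the libalias-based `ipfw nat` action instead of divert sockets and natd, and accepts the gateway's own IKE, NAT-T and ESP traffic before the nat rule so the translator never touches it. It assumes a 7.x kernel built with `options IPFIREWALL_NAT` and `options LIBALIAS`, WAN interface `em0`, LAN interface `em1`, LAN subnet 192.168.1.0/24, and the helper names `ipfw_nat_rules` and `ipfw_rule_count`, all of which are assumptions; filtering of the cleartext that comes out of the IPsec tunnels is not shown.

```shell
#!/bin/sh
# Added example (not from the original thread): IPFW with in-kernel NAT
# (libalias) on FreeBSD 7.x, kernel built with IPFIREWALL_NAT and LIBALIAS.
# Assumed names: WAN interface em0, LAN interface em1, LAN net 192.168.1.0/24.
WAN_IF=${WAN_IF:-em0}
LAN_IF=${LAN_IF:-em1}
LAN_NET=${LAN_NET:-192.168.1.0/24}

# Emit the ruleset as ipfw(8) commands so it can be reviewed before applying.
ipfw_nat_rules() {
    cat <<EOF
# With one_pass=1 (the default) a packet is accepted right after the nat
# action; set it to 0 so translated packets still reach the filter rules.
sysctl net.inet.ip.fw.one_pass=0
ipfw -q flush
ipfw nat 1 config if $WAN_IF reset same_ports
ipfw add 100 allow ip from any to any via lo0
ipfw add 110 deny ip from any to 127.0.0.0/8
# IKE (UDP 500), NAT-T (UDP 4500) and ESP terminate on the gateway itself:
# accept them before the nat rule so libalias never rewrites them.
ipfw add 200 allow udp from any to me dst-port 500,4500 in via $WAN_IF
ipfw add 210 allow esp from any to me in via $WAN_IF
ipfw add 220 allow udp from me to any dst-port 500,4500 out via $WAN_IF
ipfw add 230 allow esp from me to any out via $WAN_IF
# Everything else crossing the WAN interface is translated in the kernel.
ipfw add 300 nat 1 ip from any to any via $WAN_IF
# After translation, outbound packets carry the WAN address and inbound
# packets that matched a NAT table entry carry a LAN destination.
ipfw add 400 allow ip from $LAN_NET to any in via $LAN_IF
ipfw add 410 allow ip from any to any out via $WAN_IF
ipfw add 420 allow ip from any to $LAN_NET in via $WAN_IF
ipfw add 430 allow ip from any to $LAN_NET out via $LAN_IF
ipfw add 440 allow icmp from any to me in via $WAN_IF icmptypes 3,8,11
ipfw add 65000 deny log ip from any to any
EOF
}

# Number of "ipfw add" commands in the generated set, for a quick sanity check.
ipfw_rule_count() { ipfw_nat_rules | grep -c '^ipfw add'; }

# Apply only when asked explicitly and ipfw(8) is present; otherwise print.
if [ "$1" = "--apply" ] && command -v ipfw >/dev/null 2>&1; then
    ipfw_nat_rules | sh
else
    ipfw_nat_rules
fi
```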