Martín Coco wrote:
Hi misc,
I'm currently looking for hardware alternatives for firewalls that
should have more than four NICs.
Currently we are buying R200s from Dell, but we have the 4 NIC
limitation. We could tell Dell to install a quad port NIC (in addition
to the two-port onboard card), but I haven't read good things about
the way they work.
I've also looked into soekris, but they don't seem to have enough CPU
for what we want (this is pure speculation) as we also have intense
IPSec traffic on some of these firewalls (I've seen that some of them
could have encryption boards added to increase performance, but I
don't know if it works for any kind of protocol, or at what rate).
In any case, what I would like to have is firewalls with multiple NICs
(at least 6 NICs) *and* sufficient CPU to let IPSec work alright at
least at ~50Mbps (internal backbone firewalls). The multiple NICs are
to use trunk, pfsync, real network interfaces, etc.
Thanks,
Martín.

i see that people have already made this pointlessly heated, but i'll
just put in my 2 cents nicely:
unless you're routing ridiculous amounts of traffic, in which case
openbsd might not be able to handle the pps count, it is probably best
to trunk the four interfaces into the switch, put vlans and/or carp on
top of that and not add a slew of extra interfaces. it's not for me to
say that you don't need the extra interfaces but trunking and vlans will
likely (1) save ports on your switches, (2) make your setup more
resilient by having a larger number of interfaces for each link to fail
through, (3) simplify the cabling and (4) minimize the number of
switches required.
btw, commercially available hw encryption accelerators are not very
relevant anymore since there is so much idle cpu power in most modern
machines. it's usually a better idea just to buy a faster machine or one
with a cpu that does its own crypto acceleration, e.g. VIA C7.
cheers,
jake
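The trunk + vlan + carp layout jake suggests, written out as the OpenBSD hostname.if files it takes to replace six physical NICs with four trunked ports (an added example, not from the thread). Interface names, VLAN ids, addresses and the CARP password placeholder are constructed sample values, and the script writes to a directory of your choosing rather than /etc so the result can be inspected first:

```shell
#!/bin/sh
# Four physical ports bonded into trunk0 (LACP), VLANs on top of the trunk,
# CARP on each routed VLAN, pfsync on its own isolated VLAN.
# Sample names/addresses are constructed; copy the files to /etc once checked.
write_hostname_files() {
    dir=$1
    mkdir -p "$dir"
    for port in em0 em1 em2 em3; do
        printf 'up\n' > "$dir/hostname.$port"      # members carry no address
    done
    {
        printf 'trunkproto lacp\n'                  # switch side must be an LACP LAG
        for port in em0 em1 em2 em3; do printf 'trunkport %s\n' "$port"; done
        printf 'up\n'
    } > "$dir/hostname.trunk0"
    # A routed VLAN: the box's own address lives on the vlan, the shared
    # gateway address on the carp interface above it.
    printf 'vlan 10 vlandev trunk0\ninet 192.0.2.2 255.255.255.0\n' \
        > "$dir/hostname.vlan10"
    printf 'vhid 10 carpdev vlan10 pass CHANGE_ME advskew 0\ninet 192.0.2.1 255.255.255.0 192.0.2.255\n' \
        > "$dir/hostname.carp10"
    # pfsync state traffic is unauthenticated: keep it on a VLAN that only
    # the firewall pair can reach.
    printf 'vlan 99 vlandev trunk0\ninet 10.99.0.1 255.255.255.0\n' \
        > "$dir/hostname.vlan99"
    printf 'syncdev vlan99\nup\n' > "$dir/hostname.pfsync0"
}

# Sanity check: list the trunk members so a port left out of the LAG is obvious.
trunk_members() {
    awk '$1 == "trunkport" { print $2 }' "$1/hostname.trunk0" | tr '\n' ' ' | sed 's/ $//'
}

# Sanity check: every vlan must ride on trunk0, not on a bare physical port,
# or that VLAN loses the link redundancy the trunk was built for.
vlans_not_on_trunk() {
    grep -l 'vlandev' "$1"/hostname.vlan* | while read -r f; do
        grep -q 'vlandev trunk0' "$f" || printf '%s\n' "$f"
    done
}
```

Remember that carp and pfsync also need pass rules in pf.conf for the carp and pfsync protocols on the relevant interfaces, or the pair will never see each other.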