EdgeMAX Router as a firewall?
Hello LET,
Recently (5 minutes ago ;P), I've been looking around to see if I could get my hands on a cheap gigabit firewall. I know routers (specifically this one: http://www.ubnt.com/edgemax) aren't supposed to be firewalls by nature, however, looking at this thread: http://forum.ubnt.com/showthread.php?t=60711 I see that it could also be used as a pretty good firewall (I don't need >100MBits of throughput atm). Anyone have experience with this router? I'm looking to stop floods consisting of UDP, SYN, and fragmented IPs.
Also, if such an option is not viable, please make an alternative suggestion.
Comments
Is this for a Home setup? If so, you're tapped.
Otherwise, I'd much rather see you use something 'fit for purpose' and not a 'hacked router' to achieve mediocre effects, especially if you're running a company; don't cut corners.
Use something profound and known, so any issues you hit, there's documentation for it somewhere on the net.
@eastonch
Recommendations? This isn't going to be for home use.
This is what I've started using for the school I work at.
http://www.endian.com/en/community/
I just can't justify buying a firewall when you can build one so cheap. I've got an old, faithful, reliable Dell with 256MB RAM and a Celeron running this. Your needs may vary, but you might consider this kind of path if money is tight.
I have one here for testing. Throw me some things to try and I'll see what I can do.
pfSense
+1 Or m0n0.ch if you don't need all of pfsense's features.
If you're looking for something hardware based you can pick up Cisco ASA5505s pretty cheaply.
I am. Looks good for $150 on eBay.
Can it sustain over 100MBits of spoofed traffic though?
I think the 5505 is rated for 150Mbps, the 5510 does either 300 or 500Mbps and the model above that will do gigabit throughput/inspection.
Mikrotik can do that for you. They have nice appliances. You can use it as an x86 server too.
pfSense can only handle 40K PPS; any higher rated firewalls will run well on a DC or QC machine.
Have you worked with Cisco ASA before?
They are a PITA setting up. Good when running but manage...
I dislike ASA for this cause alone.
How would pfSense work? One ethernet is used for inbound (from EGI's router), the other for outbound (to my switch)?
For example, yes. But of course there are several scenarios for how you could configure it.
Take a look at http://routerboard.com/RB2011UAS-RM for 99€: This mikrotik box can handle 56 kpps @ 1518 bytes with 25 firewall rules.
Just before Christmas I replaced a Cisco ASA with a Mikrotik. I've never looked back. Bang for buck, you can't beat Mikrotik.
Mikrotik is very good at the lower-end, but it's not something I would put in a mission-critical environment.
@Microlinux Lots of people use CloudRouter based on Mikrotik as a core router or firewall in big environments. It supports everything from VRRP and OSPF to BGP, all you need. Install it on an x86 Intel E5 box with 10GE NICs and you have a big router/firewall for a small budget.
Looks well within my budget. I'm probably going to get this. Do you have any pictures of the interface?
Also, what's the difference between routing mode and bridging mode? Which one should I be using if I want the device to act like a firewall?
@fileMEDIA
"Big" and "mission critical" are not necessarily the same thing. I have been using Mikrotik for many, many years in a variety of capacities; there are some places I would not put it.
Bridging is more like a switch, where traffic just passes through. This mode will work for the firewall (make sure you enable the firewall in bridging mode, it is disabled by default), and is probably what you want if you already have a router. This would make the firewall transparent.
It is interesting to point out, the EdgeMax purports to have far, far greater performance (something like 1,000,000 pps @ 64 bytes) than anything else in the price range.
It's based on Vyatta, so in theory, whatever the Vyatta firewall can do, this box should do. I'm not sure what implications that has for packet-offloading. I'm sure you could get a quick answer on the Ubiquiti forum.
I just checked with my local reseller, they're out of stock. Now I definitely need alternatives. I'm planning to put in the firewall on Feb 2.
What country are you in?
Edit: NM, it looks like they are just starting to ship, I thought they already hit the channel.
USA, California.
Got any other Vyatta firewall alternatives? Vyatta looks cool, and seems trustworthy.
Don't look down on the EdgeMax as a simple "router". In the linked thread people replaced dedicated SonicWall boxes with it. $2300 -> $99 box, it must know something.
If I were to buy something I'd only buy Mikrotik or this EdgeMax.
What packet sizes and throughput are you facing?
Wow, looks pretty sweet, I may have to get the lite edition to try it out.
77k PPS UDP
I've decided to just put Vyatta on a server and route traffic through there. It sounds like that would be the best option at the moment, considering EdgeMax isn't out in the US.
@mnpeep 77k pps is not much; any Mikrotik or Vyatta appliance on an x86 box over 200€ can do that.
@Microlinux If you have mission critical use cases like enterprise applications then you must go with the big ones (Cisco, Juniper, Fortigate, ..), but if you don't have any such use cases or high bandwidth >10G, Vyatta, Mikrotik, .. can do the same.
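An added example, not from the thread or any of its posters: a small Python helper that turns the pps and frame-size ratings quoted above (56 kpps @ 1518 bytes, 1,000,000 pps @ 64 bytes, 40K PPS, 77k pps UDP) into wire bandwidth so they can be compared on equal terms. It assumes 20 bytes of Ethernet preamble, SFD and inter-frame gap per frame, that the quoted frame sizes already include the FCS, and 64-byte frames wherever a poster gave no size.

```python
from typing import Optional

# Constructed for this thread: compare vendor pps ratings with line rates.
# Assumption: 20 bytes of wire overhead per frame (7 preamble + 1 SFD + 12 IFG);
# quoted frame sizes (64, 1518) are taken to include the 4-byte FCS.
ETH_WIRE_OVERHEAD = 20


def pps_to_mbps(pps: float, frame_bytes: int) -> float:
    """Wire bandwidth in Mbit/s consumed by `pps` frames of `frame_bytes` each."""
    return pps * (frame_bytes + ETH_WIRE_OVERHEAD) * 8 / 1e6


def line_rate_pps(link_mbps: float, frame_bytes: int) -> float:
    """Maximum frames per second a link can carry at the given frame size."""
    return link_mbps * 1e6 / ((frame_bytes + ETH_WIRE_OVERHEAD) * 8)


def has_headroom(rated_pps: float, rated_frame: int,
                 attack_pps: float, attack_frame: int) -> Optional[bool]:
    """Conservative comparison of a vendor pps rating against an observed flood.

    Per-packet cost dominates at small frames, so a rating measured with
    larger frames than the flood uses is not comparable: return None.
    Otherwise True when the rating covers the flood rate, False if not.
    """
    if rated_frame > attack_frame:
        return None
    return rated_pps >= attack_pps


if __name__ == "__main__":
    # Figures quoted in the thread; the device ratings are the posters' claims,
    # and 64-byte frames are assumed where no size was given.
    print(f"RB2011 56 kpps @1518B   = {pps_to_mbps(56_000, 1518):.1f} Mbit/s")
    print(f"EdgeMax 1 Mpps @64B     = {pps_to_mbps(1_000_000, 64):.1f} Mbit/s")
    print(f"77k pps UDP @64B        = {pps_to_mbps(77_000, 64):.1f} Mbit/s")
    print(f"GigE line rate @64B     = {line_rate_pps(1000, 64):,.0f} pps")
    print("EdgeMax vs 77k pps:     ", has_headroom(1_000_000, 64, 77_000, 64))
    print("pfSense 40k vs 77k pps: ", has_headroom(40_000, 64, 77_000, 64))
    print("RB2011 rating comparable?", has_headroom(56_000, 1518, 77_000, 64))
```

The 77k pps UDP figure at minimum frame size is only about 52 Mbit/s of wire bandwidth, which is why a device's small-frame pps rating, not its headline throughput, is the number to check.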
Oh god no. EGI would put a null route no matter what if the DDoS is >1Gbit.