EdgeMAX Router as a firewall?

mnpeep Member
edited January 2013 in General

Hello LET,

Recently (5 minutes ago ;P), I've been looking around to see if I could get my hands on a cheap gigabit firewall. I know routers (specifically this one: http://www.ubnt.com/edgemax) aren't supposed to be firewalls by nature, however, looking at this thread: http://forum.ubnt.com/showthread.php?t=60711 I see that it could also be used as a pretty good firewall (I don't need >100MBits of throughput atm). Anyone have experience with this router? I'm looking to stop floods consisting of UDP, SYN, and fragmented IPs.

Also, if such an option is not viable, please make an alternative suggestion.


Comments

  • Is this for a Home setup? If so, you're tapped.

    Otherwise, I'd much rather see you use something 'fit for purpose' and not a 'hacked router' to achieve mediocre effects, especially if you're running a company, don't cut corners.

    Use something profound and known, so any issues you hit, there's documentation for it somewhere on the net.

  • @eastonch

    Recommendations? This isn't going to be for home use.

  • jarjar Patron Provider, Top Host, Veteran
    edited January 2013

    This is what I've started using for the school I work at.
    http://www.endian.com/en/community/

    I just can't justify buying a firewall when you can build one so cheap. I've got an old, faithful, reliable Dell with 256mb RAM and a Celeron running this. Your needs may vary, but you might consider this kind of path if money is tight.

  • I have one here for testing. Throw me some things to try and I'll see what I can do.

  • Pfsense

  • prae5 Member
    edited January 2013

    @ShardHost said: Pfsense

    +1 Or m0n0.ch if you don't need all of pfsense's features.

    If you're looking for something hardware based you can pick up cisco ASA5505's pretty cheaply.

  • @prae5 said: If you're looking for something hardware based you can pick up cisco ASA5505's pretty cheaply.

    I am. Looks good for $150 on eBay. :) Can it sustain over 100MBits of spoofed traffic though?

  • @mnpeep said: Can it sustain over 100MBits of spoofed traffic though?

    I think the 5505 is rated for 150Mbs, the 5510 does either 300 or 500Mbs and the model above that will do gigabit throughput/inspection.

  • Mikrotik can do that for you. They have nice appliances. You can use it as x86 server too..

  • Pfsense can only handle 40K PPS, any higher rated firewalls that will run good on a DC or QC machine.

  • mikho Member, Host Rep

    Have you worked with cisco asa before?
    They are a pita setting up. Good when running but manage...
    I dislike asa for this cause alone.

  • How would pfSense work? One ethernet is used for inbound (from EGI's router), the other for outbound (to my switch)?

  • @mnpeep said: How would pfSense work? One ethernet is used for inbound (from EGI's router), the other for outbound (to my switch)?

    For example, yes. But of course there are several scenarios how you could configure it :)

  • Take a look at http://routerboard.com/RB2011UAS-RM for 99€: This mikrotik box can handle 56 kpps @ 1518 bytes with 25 firewall rules.

  • Just before Christmas I replaced a Cisco ASA with a Mikrotik. I've never looked back. Bang for buck, you can't beat Mikrotik.

  • Mikrotik is very good at the lower-end, but it's not something I would put in a mission-critical environment.

  • @Microlinux Lots of people using CloudRouter based on Mikrotik as core router or firewall on big environments. It supports from vrrp, ospf to bgp all what you need. Install it on a X86 Intel E5 Box with 10GE NICs and you have big router/firewall for small budget.

  • mnpeep Member
    edited January 2013

    @fileMEDIA said: Take a look at http://routerboard.com/RB2011UAS-RM for 99€: This mikrotik box can handle 56 kpps @ 1518 bytes with 25 firewall rules.

    Looks well within my budget. I'm probably going to get this. Do you have any pictures of the interface?

    Also, what's the difference between routing mode and bridging mode? Which one should I be using if I want the device to act like a firewall?

  • Microlinux Member
    edited January 2013

    @fileMEDIA

    "Big" and "mission critical" are not necessarily the same thing. I have been using Mikrotik for many, many years in variety of capacities, there are some places I would not put it.

  • Microlinux Member
    edited January 2013

    @mnpeep said: what's the difference between routing mode and bridging mode

    Bridging is more like a switch, where traffic just passes through. This mode will work for the firewall (make sure you enable the firewall in bridging mode, it is disabled by default), and is probably what you want if you already have a router. This would make the firewall transparent.

  • It is interesting to point out, the EdgeMax purports to have far, far greater performance (something like 1,000,000 pps @ 64 bytes) than anything else in the price range.

    It's based on Vyatta, so in theory, whatever the Vyatta firewall can do, this box should do. I'm not sure what implications that has for packet-offloading. I'm sure you could get a quick answer on the Ubiquiti forum.

  • @Microlinux said: It is interesting to point out, the EdgeMax purports to have far, far greater performance (something like 1,000,000 pps @ 64 bytes) than anything else in the price range.

    I just checked with my local reseller, they're out of stock. Now I definitely need alternatives. I'm planning to put in the firewall on Feb 2.

  • Microlinux Member
    edited January 2013

    What country are you in?

    Edit: NM, it looks like they are just starting to ship, I thought they already hit the channel.

  • @Microlinux said: What country are you in?

    USA, California.

    Got any other Vyatta firewall alternatives? Vyatta looks cool, and seems trustworthy.

  • Don't look down on the EdgeMax as a simple "router". In the linked thread people changed dedicated SonicWall boxes to it. $2300 -> $99 box, it must know something.

    If I were to buy something I'd only buy Mikrotik or this EdgeMax.

  • @mnpeep said: Got any other Vyatta firewall alternatives?

    What packet sizes and throughput are you facing?

  • Wow, looks pretty sweet, I may have to get the lite edition to try it out.

  • mnpeep Member
    edited January 2013

    @Microlinux said: What packet sizes and throughput are you facing?

    77k PPS UDP

    I've decided to just put Vyatta on a server and route traffic through there. It sounds like that would be the best option at the moment, considering EdgeMax isn't out in the US.

  • @mnpeep 77k pps are not much, that can do every mikrotik or a vyatta appliances on a x86 box over 200€.

    @Microlinux If you have mission critical use cases like enterprise application then you must go with the big ones (cisco, juniper, fortigate,..), but if you don't have any use cases of them or high bandwidth >10G, vyatta, mikrotik,.. can do the same.

  • @fileMEDIA said: high bandwidth >10G

    Oh god no. EGI would put a null route no matter what if the DDoS is >1Gbit.
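
Added example, not part of any post in this thread: the discussion mixes bandwidth figures (100 Mbit/s, 150 Mb/s) with packet-rate figures quoted at different frame sizes (56 kpps @ 1518 bytes, 1,000,000 pps @ 64 bytes, a 77k pps flood), and this Python sketch converts between the two so they can be compared. It assumes untagged Ethernet framing and treats the posters' figures as claims, not measurements; the function and constant names are made up for the example.

```python
# Added example: relate the packet-rate (pps) and bandwidth figures quoted in the thread.
# Assumption: untagged Ethernet; frame sizes include the 4-byte FCS.
WIRE_OVERHEAD = 20            # bytes per frame: 8 preamble/SFD + 12 inter-frame gap
MIN_FRAME, MAX_FRAME = 64, 1518


def wire_bits(frame_bytes):
    """Bits one frame occupies on the wire, including preamble and gap."""
    if not MIN_FRAME <= frame_bytes <= MAX_FRAME:
        raise ValueError(f"frame size {frame_bytes} outside {MIN_FRAME}-{MAX_FRAME}")
    return (frame_bytes + WIRE_OVERHEAD) * 8


def line_rate_pps(link_bps, frame_bytes):
    """Maximum whole frames per second a link can carry at this frame size."""
    return link_bps // wire_bits(frame_bytes)


def wire_mbps(pps, frame_bytes):
    """Link bandwidth (Mbit/s) consumed by `pps` frames of this size."""
    return pps * wire_bits(frame_bytes) / 1e6


def compare(ratings, flood_pps):
    """For each (name, rated_pps, rated_frame) return the rating as Mbit/s at its
    own frame size and the ratio of rated pps to the flood's pps."""
    return [
        (name, round(wire_mbps(pps, frame), 1), round(pps / flood_pps, 2))
        for name, pps, frame in ratings
    ]


# Figures as quoted by posters in the thread (claims, not measurements).
THREAD_RATINGS = [
    ("RB2011UAS-RM, 25 rules", 56_000, 1518),
    ("EdgeMax (purported)", 1_000_000, 64),
]
FLOOD_PPS = 77_000  # the original poster's UDP flood; packet size was not stated

if __name__ == "__main__":
    for size in (MIN_FRAME, MAX_FRAME):
        print(f"100 Mbit/s of {size}-byte frames = {line_rate_pps(100_000_000, size)} pps")
    print(f"{FLOOD_PPS} pps of 64-byte frames = {wire_mbps(FLOOD_PPS, 64):.1f} Mbit/s")
    for name, mbps, ratio in compare(THREAD_RATINGS, FLOOD_PPS):
        print(f"{name}: {mbps} Mbit/s at rated size, {ratio}x the flood's pps")
```

The same 100 Mbit/s is about 8 thousand or about 149 thousand packets per second depending on frame size, which is why a flood is sized in pps as well as in Mbit/s. A rating quoted at 1518-byte frames says nothing by itself about small-packet performance, so the ratio is only a like-for-like comparison when the rating's frame size matches the flood's.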
