Buying a new Firewall/Router

February 27, 2010 at 10:11 pm Leave a comment

For about a year I’ve been using a CheckPoint Safe@Office for my home Firewall.  It’s a demo unit that my boss actually won at a CheckPoint event as a door prize.  Since he didn’t need it, he gave it to me to “evaluate” for as long as I wanted.  I’m actually generally pretty happy with it, as it is very powerful and easy to use.

Previously, I used a Soekris net4801 single-board computer to run Monowall, Zeroshell, and pfSense.  Monowall 1.2x was well suited to the net4801.  The Zeroshell revisions I ran on it worked great as well, but it wasn’t nearly as easy to use as Monowall.  I liked pfSense a lot, but it ran on the slow side with the older versions.  I recently tried pfSense 2.0 BETA on my net4801 and it was abysmally slow, taking 20-30 seconds between page loads, not to mention being a bit on the buggy side (but, it is just out of ALPHA).

Recently, I’ve been interested in a new Firewall/Router.  I didn’t want a full-fledged machine due to power and price.  After looking around a bit at some alternative options, I ordered a MikroTik RB750G router.  It was under $80 shipped.  It is a fully featured router with 5 Gigabit Ethernet ports and includes a switching chip.  I figured the worst-case scenario (if I didn’t like it) would be that I’d put all 5 of the ports into “switch” mode and have a managed 5-port Gigabit switch.

This switch chip was actually a key feature for me.  It means you can tie any of the 5 ports together to act as a switch, and packets between them will be hardware switched, never hitting the processor.  Speaking of the processor, this router has a 680 MHz ARM at its core.  My experience has been that clock-for-clock, an ARM is faster than an x86 chip, so I imagine this would be at least 3 times faster than my net4801, though proving that may be difficult since they won’t run the same OS.

Anyhow, I’ve had it now since Thursday night.  It has taken a bit of getting used to, but it is awfully powerful if you can figure out how to use it!  There are things you can do with the firewall features of this box that I’ve never seen on the enterprise firewalls I’ve worked on (IBM and, most recently, CheckPoint).  For example, the ability to detect brute-force attacks and then add the attacking source IPs to an address list (to be dropped) is pretty neat, and the ability to detect other types of attacks and “tarpit” them automatically is really nice too.

The way the firewall works takes some getting used to…  You have three chains to add rules to: the “input” chain, the “output” chain, and the “forward” chain.  This doesn’t translate well from the Cisco world.  The “input” chain applies to traffic destined to the router itself, regardless of which interface it arrives on.  The “output” chain applies to traffic generated by the router itself.  Finally, the “forward” chain applies to traffic flowing through the box.  I’ve heard that this is the chain you are most likely to be using.

In practice (in my mind at least), the “input” chain seems to be the main one to be concerned with for a home router.  In this case, any attack would be destined to the public IP of the router itself.  If you want to block traffic from a specific internal host (I have my reasons), the “input” chain would be the spot to block it as well.
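As an added example (not configuration from the original post), here is how the “input” chain described above can be locked down on RouterOS, including the brute-force detection mentioned earlier: repeated new SSH connections from one source walk it through staged address lists, and once it reaches the blacklist its packets are dropped.  It assumes ether1 is the Internet-facing interface; the list names and timeouts are arbitrary choices.

```routeros
# Assumed: ether1 is the WAN port.  Rules are evaluated top to bottom.
/ip firewall filter
# Let replies to connections the router (or hosts behind it) started back in.
add chain=input connection-state=established,related action=accept \
    comment="accept established/related"
add chain=input connection-state=invalid action=drop comment="drop invalid"

# Anything already on the blacklist is dropped before it reaches SSH at all.
add chain=input in-interface=ether1 src-address-list=ssh_blacklist \
    action=drop comment="drop known brute-forcers"

# Staged detection: each new SSH connection within the window promotes the
# source to the next list; the 4th attempt in ~3 minutes lands on the blacklist
# for 1 day.  The address-list entries expire on their own.
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=1d \
    comment="4th attempt -> blacklist"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_stage3 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m comment="1st attempt -> stage1"

# Legitimate SSH (from sources not yet blacklisted) is still allowed.
add chain=input protocol=tcp dst-port=22 action=accept comment="allow ssh"

# Everything else arriving from the Internet at the router itself is dropped;
# traffic from the LAN side (other interfaces) is not matched by this rule.
add chain=input in-interface=ether1 action=drop comment="drop the rest from WAN"
```

Check the result with `/ip firewall address-list print` after a few failed connections from a test host; the source should appear in ssh_stage1 first and only reach ssh_blacklist after the fourth new connection.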

Setting up NAT is very easy with this box.  One rule NATs the internal hosts out to the Internet.  I was able to set up a “Port forward” as a “dstnat” action, though I’ve also seen it listed as a “netmap” action.  Not sure of the advantage of one over the other.

There’s another functionality called “Mangle” on this box.  Personally, I would think you wouldn’t want to “mangle” any packets, but that’s not really what this is about…  It lets you tag packets for later processing.  I’m not really clear on the exact advantage of this, or how it works yet, but I’m going to look into it further, as it sounds very interesting and perhaps very powerful.
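As an added example covering the NAT and mangle paragraphs above (not configuration from the original post), here is the one-rule masquerade for the internal hosts, a port forward done as a “dstnat” action, and one concrete use of mangle: marking connections so a queue can rate-limit them later.  It assumes ether1 is the WAN port, the LAN is 192.168.88.0/24, and 192.168.88.10 is a hypothetical internal web server; the mark and queue names are arbitrary.

```routeros
# Assumed: ether1 = WAN, LAN = 192.168.88.0/24, 192.168.88.10 = internal web host.
/ip firewall nat
# One srcnat rule: everything leaving via ether1 is rewritten to the WAN address.
add chain=srcnat out-interface=ether1 action=masquerade \
    comment="internal hosts out to the Internet"
# Port forward as a dst-nat action: TCP 8080 arriving on the WAN side is
# rewritten to the internal host on port 80 before the forward chain sees it.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=8080 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=80 \
    comment="forward public 8080 -> 192.168.88.10:80"

/ip firewall filter
# dst-nat only rewrites the destination; the forward chain must still allow it.
add chain=forward in-interface=ether1 protocol=tcp dst-address=192.168.88.10 \
    dst-port=80 action=accept comment="allow forwarded web traffic"

/ip firewall mangle
# Mangle tags, it does not block: first mark the connection once (passthrough=yes
# so the next rule still runs), then mark every packet of a marked connection.
add chain=forward protocol=tcp dst-port=80,443 connection-state=new \
    action=mark-connection new-connection-mark=web_conn passthrough=yes \
    comment="tag outbound web connections"
add chain=forward connection-mark=web_conn action=mark-packet \
    new-packet-mark=web_pkt passthrough=no comment="tag their packets"

/queue simple
# The "later processing": only packets carrying the mark are rate-limited
# (max-limit is upload/download in bits per second).
add name=web-limit packet-marks=web_pkt max-limit=2M/8M \
    comment="cap web traffic to 2 Mbit up / 8 Mbit down"
```

`/ip firewall connection print` shows the connection-mark column, which is the quickest way to confirm the mangle rules are actually tagging what you expect.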

I’d love to have the power of this in an easy to use (and comprehend) WebGUI, but the WebGUI that comes with RouterOS is very limited.  Anyhow, I’m really liking the power and speed of this thing…

Oh – I forgot to mention this…  A few days ago, I was testing pfSense on a net4801 with my Comcast Cable Internet.  With Speedtest.net, I was getting just under 15 Mbit/sec.  With this new unit, I’ve seen a peak of 21 Mbit/sec!


Entry filed under: Networking.
