From owner-freebsd-net@FreeBSD.ORG Sat Sep 22 14:43:31 2007
Message-ID: <46F52404.2090903@chdevelopment.se>
Date: Sat, 22 Sep 2007 16:17:40 +0200
From: Christer Hermansson
To: freebsd-net@freebsd.org
Subject: Firewall and VPN considerations
List-Id: Networking and TCP/IP with FreeBSD

Hello

I am planning on setting up a FreeBSD firewall that will be used to protect a LAN. The firewall will also act as a VPN gateway for external workstations running Windows XP Professional; I will use Microsoft's IPsec software included in Windows XP.

I will also use the firewall's external side to connect with IPsec to another LAN which has Cisco VPN equipment. The firewall will use IPFW and do NAT for the internal LAN. I would like to have some advice/opinions on the following issues:

- To achieve NAT with IPFW I must use ipdivert, no other method exists, wrong or right?

- In this thread http://lists.freebsd.org/pipermail/freebsd-net/2007-September/015290.html they say quad core does not raise the performance compared to dual core when building a router. I will have more than packet forwarding and userland processes, e.g. NAT and IPsec, so I think more cores will help. Should I get a machine with a dual core CPU or a quad core CPU; does quad help the performance?

- In this thread http://lists.freebsd.org/pipermail/freebsd-net/2006-June/010909.html they suggest not to use gif together with IPsec to achieve compatibility with Cisco etc., so I'm planning to skip gif, wrong or right? What are the benefits of using gif?

- In this mail http://lists.freebsd.org/pipermail/freebsd-doc/2007-June/012632.html they suggest gif and FAST_IPSEC. On the man page for FAST_IPSEC(4) I find the text "is an experimental implementation"; maybe the man page just needs an update, or is FAST_IPSEC not suited for production environments? In the official FreeBSD handbook http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html they say not to use FAST_IPSEC, and show the use of gif; however I think this needs to be updated/rewritten. (If I get the time I really feel like writing an alternative page about IPsec with FreeBSD, and maybe the result gets accepted for inclusion in the handbook.)

-- 
Christer Hermansson
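An added configuration example, not from the mail above and not the FreeBSD project's own code, showing how the pieces the mail asks about fit together in one IPFW ruleset for the FreeBSD releases of that time (6.x/7.x): divert-socket NAT through natd for the LAN, with the firewall's own IKE and ESP traffic allowed before the divert rule so natd never handles tunnel packets, and the check-state/skipto arrangement so the dynamic rules are created on the pre-NAT LAN addresses. The interface names (em0 outside, em1 inside), the LAN prefix 192.168.10.0/24 and the rule numbers are assumptions. Two caveats a practitioner would want: divert/natd is not the only way, since FreeBSD 7.0 also ships in-kernel NAT via libalias (`options IPFIREWALL_NAT`, `ipfw nat`); and the UDP 4500 rule only matters if NAT-T is in play, which the base FAST_IPSEC stack of 6.x/7.x did not support (IPSEC_NAT_T arrived in 8.0), so Windows XP clients behind a NAT need more than this ruleset. The second function is a sanity check on the ordering invariant.

```shell
#!/bin/sh
# Added example, not the mailing-list author's configuration: an IPFW ruleset
# for a FreeBSD 6.x/7.x gateway that does natd/divert NAT for a LAN and also
# terminates IPsec (IKE + ESP) on its external interface.
# Assumptions (not from the mail): em0 is outside, em1 is inside, the LAN is
# 192.168.10.0/24, and the rule numbers chosen below.

# gen_ipfw_rules EXT_IF INT_IF LAN_NET
# Prints a ruleset in the form rc.firewall feeds to ipfw(8) when firewall_type
# in rc.conf names a file: one ipfw command per line, no "ipfw" prefix.
# rc.firewall flushes the previous ruleset itself, so no flush line here.
gen_ipfw_rules() {
    ext="${1:-em0}"
    int="${2:-em1}"
    lan="${3:-192.168.10.0/24}"
    cat <<EOF
# loopback, and never accept our own LAN prefix from the outside (anti-spoofing)
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any
add 130 deny ip from ${lan} to any in recv ${ext}
# the firewall's own IPsec: IKE (UDP 500), NAT-T (UDP 4500) and ESP (proto 50).
# these sit BEFORE the divert rule so natd never sees tunnel traffic.
add 200 allow udp from any to me 500 in recv ${ext}
add 210 allow udp from me 500 to any out xmit ${ext}
add 220 allow udp from any to me 4500 in recv ${ext}
add 230 allow udp from me 4500 to any out xmit ${ext}
add 240 allow esp from any to me in recv ${ext}
add 250 allow esp from me to any out xmit ${ext}
# inbound NAT: translate replies back to LAN addresses before check-state,
# so they match the dynamic rules created on the pre-NAT addresses below
add 300 divert natd ip from any to any in recv ${ext}
add 400 check-state
# LAN-originated traffic: create the dynamic rule, then jump to outbound NAT
add 410 skipto 1000 tcp from ${lan} to any out xmit ${ext} setup keep-state
add 420 skipto 1000 udp from ${lan} to any out xmit ${ext} keep-state
add 430 skipto 1000 icmp from ${lan} to any out xmit ${ext} keep-state
# LAN side, including traffic that left the IPsec tunnels already decrypted
add 500 allow ip from ${lan} to any via ${int}
add 510 allow ip from any to ${lan} via ${int}
# outbound NAT, reached only via skipto from a stateful rule above
add 1000 divert natd ip from any to any out xmit ${ext}
add 1010 allow ip from any to any out xmit ${ext}
add 65000 deny log ip from any to any
EOF
}

# check_ipsec_before_divert < ruleset
# Sanity check on a ruleset read from stdin: every rule allowing IKE/ESP to
# "me" must be numbered below the first inbound divert rule; otherwise natd
# would be handed the firewall's own tunnel packets. Returns 0 when the
# ordering holds, 1 otherwise.
check_ipsec_before_divert() {
    awk '
        /^add [0-9]+ allow (udp from any to me (500|4500)|esp from any to me)/ {
            if ($2 + 0 > max_ipsec) max_ipsec = $2 + 0
        }
        /^add [0-9]+ divert natd .* in recv/ && !div { div = $2 + 0 }
        END { exit (div > 0 && max_ipsec > 0 && max_ipsec < div) ? 0 : 1 }
    '
}

# Usage: sh gen_ipfw_rules.sh em0 em1 192.168.10.0/24 > /etc/ipfw.rules
# then in rc.conf: firewall_enable="YES", firewall_type="/etc/ipfw.rules",
# natd_enable="YES", natd_interface="em0" (kernel needs IPDIVERT or ipdivert.ko)
if [ $# -gt 0 ]; then
    gen_ipfw_rules "$@"
fi
```

The check can be run against any exported ruleset, not just the generated one: `ipfw list | check_ipsec_before_divert` after the firewall is loaded, which catches the case where someone later inserts a catch-all divert at a low rule number.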