I’m in firewall/router hell.
After a long time of pondering, shuffling and avoiding I had to bite the bullet and put a firewall in between our production web servers and database.
I started with a Linksys RVS4000 that I already had in the office. It seemed like a good option as it offers gigabit ports on both sides. The web-based configuration is easy to work with and it didn’t take very long to get the access rules configured. I put it into place last weekend.
By Monday afternoon I was hearing rumblings that “something is slow” in production. On Tuesday one long running script actually timed out. Well, if the only thing that has changed is the addition of new gear, you know where to look…
The database server has two NICs so I ran back to the data center and configured the second NIC to bypass the firewall. This way we could do some testing and easily measure the impact of the firewall.
Turns out the RVS4000 slows traffic down to what appears to be 20Mbps speeds. Forget gigabit – it is even slower than if I forced the bypass NIC to 100Mbps. *sigh*
Next I grabbed a WatchGuard x55e device. These are aimed at being a small office firewall but I had a spare. Only 100Mb interfaces, but even that would be way faster than the Linksys, right?
Configured it up, set the rules and swapped it out Saturday morning. Tested it and found that it won’t route any traffic. Why? Well, I have it between two private networks (using 10.0.x.x addressing) and it appears to be hard-wired to drop packets on the “WAN” interface from private networks. In fact, there doesn’t appear to be a way around that. Guess I’ll open a support incident tomorrow…
Depending on how that support call goes I might find myself shopping tomorrow. Any ideas on what to look for? A Cisco 2800 series maybe? I just need to do some routing and packet filtering…
What does the rest of the world use for this stuff?
[update]
I’m also sourcing opinions over at ServerFault.com. Feel free to join in there if you so desire.
[updated a week later]
I flashed the WatchGuard to firmware v11.0.1 and, after a bit of tweaking, have it working quite nicely now.
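As an added example (not from the post or its comments), here is a minimal pf ruleset of the kind a pfSense or OpenBSD box could run as the filtering router the post asks for: two private 10.0.x.x networks, with the web tier allowed to reach only the database service port and everything else dropped and logged. The interface names, subnets, database address and port are assumptions.

```pf
# Added example, not the post's own configuration.
# Interface names, subnets, DB address and port are assumed values.
web_if  = "em0"           # interface facing the web servers (assumed)
db_if   = "em1"           # interface facing the database server (assumed)
web_net = "10.0.1.0/24"   # constructed example subnet for the web tier
db_srv  = "10.0.2.10"     # constructed example address for the DB server
db_port = "3306"          # assumed MySQL; use 1433 for SQL Server, etc.

set skip on lo0

# Default deny in both directions, logged, so unexpected flows are visible
# in pflog instead of silently disappearing.
block log all

# Web tier may open TCP connections only to the DB service port.
# keep state with the default floating state policy means the reply
# packets on $db_if are matched by the state table, so no second rule
# is needed for the return path.
pass in quick on $web_if proto tcp from $web_net to $db_srv port $db_port \
    flags S/SA keep state

# Nothing else crosses, including connections the DB host might try to
# open toward the web tier; those hit "block log all" above.
```

Unlike the WatchGuard behaviour described above, pf itself has no built-in rule that drops packets from RFC 1918 sources; pfSense does add a "Block private networks" option on its WAN interface, which must be turned off for a router sitting between two private networks.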
Our company uses Astaro, which you can test for free. It’s the best firewall out there for the price and you can do pretty much anything with it that you could imagine.
A small computer with pfsense is what I’d use in your place…HW firewalls are a PITA, IMNSHO.
Hi Chris,
We caught this due to the first post about Astaro. I swear that I’m not the same Tim from that comment (although people internally thought otherwise). At any rate, if you’re still looking for a great firewall/UTM solution, feel free to contact me. Call 1-888-4-astaro (1-888-427-8276). Ask for Tim (in support) and you’ll be transferred.
I hope you consider us, you’ll be happy that you did.
Hmmm, so many Tims!
I’m sure Astaro is a wonderful tool (and it was when I last looked at it a year or two ago) and I appreciate both Tims taking time to leave comments. However, for what I’m doing right now a UTM would be overkill. Huge overkill, in fact.
But thanks for the comments!
You have to love those support incidents. Almost anything qualifies as a deduction against your entitlement.
Anyways, if they happen to be Windows boxes you can just use packet filters. You won’t even notice any slowdown, especially when one end is a DB server.