Firewall, OpenVPN and Squid question

Paul Hillen PHILLEN at NFM.NET
Wed Jul 21 11:27:57 PDT 2004


I have around 100 users at our site that would require the use of squid. We
house our own webserver, mail server, and public DNS servers in the DMZ and 2
private DNS servers on the internal network, used by both Internal and VPN
users.

Sites connecting Gateway to Gateway are approximately as follows:
Site 1 - 25 users
Site 2 - 5 users
Site 3 - 12 users
Our site VPN users are approximately 25, and about 50% of them are connected
at any given time.

My first thought is to put up a Firewall box that can handle the load of
publishing many internal boxes and "publish" a box with OpenVPN and another
for SQUID and just keep them all separate.

Will this setup put too much strain on the FIREWALL box, or will it have no
problem handling the NAT/ROUTING in this configuration?

Thanks in advance
Paul



-----Original Message-----
From: Steve Bertrand [mailto:iaccounts at ibctech.ca] 
Sent: Wednesday, July 21, 2004 2:10 PM
To: Paul Hillen
Cc: freebsd-questions at freebsd.org
Subject: Re: Firewall, OpenVPN and Squid question

> There are 3 remote sites connecting to our network using GATEWAY to GATEWAY
> VPN and around 25 remote VPN users that must be dealt with also. Last item,
> there is a chance that I will have to connect 3 more remote sites into the
> picture within the next 6 months, so this needs to be scalable to handle the
> load.
>
> My question is, what is the best way to set this up. Here are my thoughts,
> but not sure what is the best way.
>
> *	Setup one FreeBSD box that contains FIREWALL, SQUID and OPENVPN or
> *	Setup 3 separate boxes to break up the work load.
>

What will the load requirements be? (How many users will require the use
of squid?)

I have a FBSD PIII 800 w/256M RAM as a firewall for one of our clients,
with 3 OpenVPN instances running simultaneously (Two are site->site, and
one is an XP-client->site). The box is also performing NAT (ipfw/natd) for
the internal users, which when all are accounted for equal ~120, and I
find it works great. There are about 30 users through the VPNs, though
usually never on all at the same time.

Depending on caching requirements though, you might be better off
splitting that off onto its own box, especially if you have the hardware
readily available as you suggest.

YMMV.

Steve

>
>
> Many thanks in advance for being patient with what I am sure is stupid
> beginner questions to most of you.
>
>
>
> When giving your choice of which setup, please point me in the direction of
> the best resource to put it all together and the hardware requirement you
> would recommend. I have a truck load of PII 300 - 450's due to upgrades, so
> if I can use them great, if not, time to go on a spending spree.
>
>
>
> Thanks again
>
> Paul