Firewall, OpenVPN and Squid question

[Steve Bertrand]

> I have around 100 users at our site that would require the use of squid,
> we
> house are own webserver, mail server, public DNS servers in the DMZ and 2
> private DNS servers on the internal network, used by both Internal and VPN
> users.
>
> Sites connecting Gateway to Gateway, there are apprx as follows;
> Site 1 - 25 users
> Site 2 - 5 users
> Site 3 - 12 users
> Our site VPN users are Apprx 25, and about 50% of them are connected at
> any
> given time.
>
> My first thought is to put up a Firewall box that can the load of
> publishing
> many internal boxes and "publish" a box with OpenVPN and another for SQUID
> and just keep them all separate.
>
> Will this setup put to much strain on the FIREWALL box or will it have no
> problem handling the NAT/ROUTING in this configuration.

I'll go as far as to say that it should have no problem. At the ISP I am
currently working full time for, we recently deployed an ipfw bridge
configured firewall (internally) to protect our core servers from improper
access. There's 8 servers in all (mail, web, mysql, ftp, radius, ssh and
dns).

We have about 6000 users, and the FBSD firewall never ever hiccup'ed. I
could even run tcpdump for hours, and it would rarely ever drop even a
single packet.

Sounds like a good setup you are planning. I would set it up, implement it
(with the old setup on standby), and if you find performance problems,
pull the drive out of the P3 and do as you say, go on a 'spending spree',
and put the drive directly into a p4 with a gig of memory, and drop it
back in place.

Please note that natd is NOT running on the ISP firewall, but on the other
such setup it is, and I"ve never seen any performance problems at all.

Steve

>>
>> _______________________________________________
>> freebsd-questions at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to
>> "freebsd-questions-unsubscribe at freebsd.org"
>>
>
>