Firewall, OpenVPN and Squid question

Steve Bertrand iaccounts at ibctech.ca
Wed Jul 21 12:21:15 PDT 2004


>> We have about 6000 users, and the FBSD firewall never ever hiccup'ed. I
>> could even run tcpdump for hours, and it would rarely ever drop even a
>> single packet.
>
> What size hardware is your firewall running on to handle the potential of
> 6000 users accessing your internal servers for mail, etc... The best I can
> come up with is a P4 1.8Ghz with 768MB memory, other than that I have
> PII's
> with around 384MB memory. I would have to assume the Squid server would be
> the best place for the P4?

This one is a P4 2.0 GHz with 1024M memory. I'd try the P3 as the firewall
and the P4 as the Squid server initially (all things considered so far).

>> Sounds like a good setup you are planning. I would set it up, implement
>> it
>> (with the old setup on standby), and if you find performance problems,
>> pull the drive out of the P3 and do as you say, go on a 'spending
>> spree',
>> and put the drive directly into a p4 with a gig of memory, and drop it
>> back in place.
>
> Okay, the tough question, due you know of any good resources that I can
> use
> to put this together. Any pitfalls that I might want to think about in
> this
> design?

Well, searching "ipfw+natd+howto" on Google is a great place to start. I
did not use one single definitive guide; I used a variety of sources, man
pages, and sample rules, and finally conjured up what works for us.

In planning rules, I placed each OpenVPN connection's rules in its own
ruleset, so as to allow a reload of each connection's rules individually if
they need to be changed.

I would also set up a 'fwd' rule to forward all packets destined to "any
80" from the internal net directly to the Squid box, as then you would have
a transparent proxy. This will save you from having to change browser
settings.

>> Please note that natd is NOT running on the ISP firewall, but on the
>> other
>> such setup it is, and I've never seen any performance problems at all.
>
> I am assuming that I will have to use NATD on the firewall in this
> scenario,
> am I thinking right here?

It appears so, yes. natd(8) is quite flexible, and will allow you to do many
things, including port forwarding, etc. By the sound of it, you are planning
on ridding yourself of a DMZ, which means your mail (etc.) servers will be
behind the NAT router. natd will take care of this; however, another
option is to put a third NIC into the box, connect it to a switch, and plug
the servers into the switch. Give each server its own IP, and route
packets as necessary to the servers.

Effectively, this will still allow you to keep your DMZ, while eliminating
one entire firewall server, and thus one license of MS ISA Server (and
the headaches that come with it :o)

Sounds like you'll want to do some testing in a lab first. Hopefully all
your P3's you have available are still loaded with Windows so you can test
effectively and ensure everything works properly.

Steve

>
> Thanks again
> Paul
>
>




More information about the freebsd-questions mailing list