Last night I finally got around to decommissioning the last of my obsolete power-hungry hardware. For the past three years, a clunky AMD K6 system running OpenBSD and, later in life, SmoothWall Firewall has been chattering along accomplishing the monotonous task of dutifully inspecting, filtering, and redirecting billions of packets across my LAN, VPN, and DSL interfaces. Not that I’m not grateful for its three years of dedicated firewall service, but no tears will be shed as I toss its rotting carcass out into the street in hopes that it will find a new home with a deserving owner before being smashed with cinder blocks by the neighbor kids.
As a replacement, I’ve officially become a consumer and picked up a Linksys BEFSX41 EtherFast Cable/DSL Firewall/VPN Router. It’s small, it’s quiet, it supports SPI, VPN, and DMZ, and it neatly stacks with my existing access point. Sure, it doesn’t have all the functionality of a BSD- or Linux-based firewall, but it’s perfectly adequate for our needs. My only complaint is the fact that it tops out around 2 MBps (16 Mbps) when passing packets across the firewall. Although those speeds are faster than any consumer-priced Internet connection, transferring large files to and from the Web server outside the firewall is much slower than the grumpy old AMD K6. If I end up moving the Web server into the DMZ, I’ll get true 100 Mbps, but I’ll need to research exactly how the DMZ operates and make sure traffic can’t leak from the DMZ back into the LAN.
In addition, I’ve also picked up a Netgear MR814 Wireless Cable/DSL Firewall Router ($20 – $30 rebate available) to set up a secondary public/guest wireless network that sits outside the primary Linksys firewall. Not only will this move all non-trusted traffic to its own isolated honeypot, but the physical location of the antenna will dramatically improve outdoor reception in the backyard, garage, and on the back deck. Right now, the Netgear is set up in the Hedgie Room, but I’ll be looking to extend the range even further with external antennas for both the public and private access points. This should extend the range enough to allow the cool neighbors down the block to jump online.