Good firewall for small office?



Dude, this is NOT an enterprise, nor even an SMB - this is at BEST a mom and pop shop. They have like 20 people.. Merger??

Sorry, but someone already mentioned a SonicWALL product and they stated it was out of the question. So now you're talking an ASA for a mom and pop shop? After you say normal admins don't understand NAT and VPNs?

And now you want them to use Cisco IOS ;)

I want to repeat that part about small office :) Someone suggested a Dell SonicWALL TZ 205 and at 1000's that is WAY over the top.

This is a SMALL office, I think the USG 50 is going to be about as high of a budget as they go ;)


The 210 was retired for the 215 back in October. It is the 205 and the 215 now. I believe you can still buy it but Dell doesn't actually make them anymore.

Dell SonicWALL TZ 205: I'm seeing it for $346 and the 215 for $599. I think I can probably convince them for the 205...

If you don't give them the admin password they will not be able to control it.

Yes, but some members of the office would like to be able to control it as well.

"An issue also with pfSense is that other people in the office mostly know how to control it.... With most common routers, this is possible. With pfSense you have to take 10 minutes."

I don't get it. It's a problem when people know how to control it? It takes a whopping 10 min to look at the GUI to figure it out? To me, it sounds like he doesn't want them to be able to figure it out and it is a problem if they can.

Well, I mind if they mess around and misconfigure something..... but at least 2 in the office will.

I prefer that if nothing helpful is being said, nothing is said at all.... Thanks to all that help :)


> Dell SonicWALL TZ 205: I'm seeing it for $346 and the 215 for $599. I think I can probably convince them for the 205...

Understand that is just for the basic firewall and probably 1 year of product service/warranty. If you want any other service such as content filtering/QoS/VPN/etc., then you need to buy a license for it. That is why it can become pricey very quickly.


Example (I probably did something wrong but).

I booted a LiveUSB of pfSense and did the default config: unplugged all my network cables. When the time came, I chose autodetection and plugged one of my network cards into a switch with internet connectivity. It detected it as WAN. Next, I chose autodetection and plugged my other network card into a standalone switch (only the pfSense was plugged in). The WAN side got a local DHCP IP, the LAN got the standard 192.168.1.1. Next, I plugged my PC into that standalone switch and changed the IP on my PC to 192.168.1.23, subnet /24 and gateway 192.168.1.1.

I could not access it through my web browser or ping 192.168.1.1. If I spent 5 minutes configuring that, I cannot simply take time to troubleshoot where the problem is. I need something that just works :) I know many do not understand that but....


> Example (I probably did something wrong but).
>
> I booted a LiveUSB of pfSense and did the default config: unplugged all my network cables. When the time came, I chose autodetection and plugged one of my network cards into a switch with internet connectivity. It detected it as WAN. Next, I chose autodetection and plugged my other network card into a standalone switch (only the pfSense was plugged in). The WAN side got a local DHCP IP, the LAN got the standard 192.168.1.1. Next, I plugged my PC into that standalone switch and changed the IP on my PC to 192.168.1.23, subnet /24 and gateway 192.168.1.1.
>
> I could not access it through my web browser or ping 192.168.1.1. If I spent 5 minutes configuring that, I cannot simply take time to troubleshoot where the problem is. I need something that just works :) I know many do not understand that but....

IMO at this point you need to turn network operations over to someone who can actually do network and firewall administration. This is basic networking 101 which it seems you don't have the patience for.


My guess, and it is only a guess because I am not there to troubleshoot for you, is that you have your pfSense plugged into the same network as your current network, causing an IP conflict on the pfSense computer. This would cause exactly what you are seeing. The pfSense server will replace your router, so just have the LAN side connected to a switch that is off your network and configure it properly.


I also suggest pfSense. I am a network admin at a library and we use pfSense. We had just got a 100/100 fiber line at the time and any firewall/router that was able to handle the bandwidth with 50+ users and VPNs was very expensive. We took a look at pfSense and we loved it. It's free and does everything you will need. They have paid tech support if needed.

If you can't manage pfSense, a lot of other firewalls will be even worse to configure.


> IMO at this point you need to turn network operations over to someone who can actually do network and firewall administration. This is basic networking 101 which it seems you don't have the patience for.

Only person that can truly do it is me. Also, you offering no help as to why this is happening is very helpful...

> My guess, and it is only a guess because I am not there to troubleshoot for you, is that you have your pfSense plugged into the same network as your current network, causing an IP conflict on the pfSense computer. This would cause exactly what you are seeing. The pfSense server will replace your router, so just have the LAN side connected to a switch that is off your network and configure it properly.

OK. So I'll just disconnect the WAN side, connect the LAN side to a switch, connect my PC to that switch and see if I can access the pfSense router. Thank you.


You should choose 99 to install to the hard drive.

After you have installed to the hard drive and the same screen comes up, you should be able to access the web configurator by pointing the browser on your workstation to http://192.168.1.99 as it says on the screen.

The WAN side and LAN side should not be on the same network, in this case 192.168.1.x. It will create issues.

Once in the web configurator, it should be very simple to set up the rest of the router. You have almost nothing else to do, unless you want to change the IP or enable/disable DHCP, etc. Once you get to the point of getting it installed, everything else can be configured via the GUI. It really isn't that hard to do.
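An added example (not from the thread) that checks the addressing layout the posts above describe: WAN and LAN must be on different subnets, and the PC's static address and gateway must belong to the LAN subnet. The scenario addresses are constructed; the WAN address 192.168.1.50 is an assumption of what the existing office router's DHCP would hand out.

```python
# Added example, not from the thread: sanity-check a pfSense bring-up so the
# "WAN and LAN both on 192.168.1.x" mistake is caught before the web
# configurator is ever opened.
from ipaddress import ip_address, ip_interface


def check_addressing(wan, lan, client, gateway):
    """wan, lan and client are 'address/prefix' strings as configured on each
    interface; gateway is the default gateway set on the client PC.
    Returns a list of human-readable problems; an empty list means the layout
    is consistent with the advice in the thread."""
    wan_if, lan_if, client_if = (ip_interface(x) for x in (wan, lan, client))
    gw = ip_address(gateway)
    problems = []
    # The firewall routes between its two sides, so they cannot share a subnet.
    if wan_if.network.overlaps(lan_if.network):
        problems.append(f"WAN {wan_if.network} overlaps LAN {lan_if.network}; "
                        "move one side to a different subnet")
    # The PC must be in the LAN subnet or it cannot reach the firewall at all.
    if client_if.network != lan_if.network:
        problems.append(f"client {client_if} is not in LAN subnet {lan_if.network}")
    # The client's gateway must be the firewall's own LAN address.
    if gw != lan_if.ip:
        problems.append(f"client gateway {gw} is not the firewall LAN address {lan_if.ip}")
    # Two hosts with the same address on the LAN is another conflict.
    if client_if.ip == lan_if.ip:
        problems.append(f"client address {client_if.ip} collides with the firewall")
    return problems


# Constructed scenarios. BROKEN assumes the WAN port was plugged into the
# existing 192.168.1.0/24 office network (as the thread suspects) while the LAN
# kept the default 192.168.1.1/24; FIXED moves the LAN to its own subnet.
BROKEN = ("192.168.1.50/24", "192.168.1.1/24", "192.168.1.23/24", "192.168.1.1")
FIXED = ("192.168.1.50/24", "10.0.0.1/24", "10.0.0.23/24", "10.0.0.1")

if __name__ == "__main__":
    for name, layout in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_addressing(*layout) or "ok")
```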


Windows firewall /thread

OK, get off the software-based firewalls. That is not what this topic is about.. Whoever named the software firewalls "firewall" should be shot. They are a bit more than a hardware firewall as they integrate at the OS level and really muck up the OS. Perhaps application gateway would be a better name: what is and what isn't allowed to communicate. That way people can easily distinguish the difference between a firewall and the software version.


> OK, get off the software-based firewalls. That is not what this topic is about.. Whoever named the software firewalls "firewall" should be shot. They are a bit more than a hardware firewall as they integrate at the OS level and really muck up the OS. Perhaps application gateway would be a better name: what is and what isn't allowed to communicate. That way people can easily distinguish the difference between a firewall and the software version.

Uhh, what the hell are you talking about? All firewalls are software. What you think are hardware firewalls are actually little computers running the firewall software (aka firmware). And if you don't want to talk about "software firewalls", why the hell are you peddling this pfSense crap?

And if you don't have experience with Windows Firewall, please don't comment. If you have had any problems with it, say it; if not, then you have no right to criticize "software firewalls" *cough*


"up at my home to test it out in a VMWare). My network is 192.168.1.0"

And what interface(s) did you connect that to in VMware? You're not going to be able to ping it from your PC unless you have it bridged to your network card.


Windows Firewall is a firewall that is directly correlated to the OS. Firmware-based firewalls do not operate on the OS layer. Software firewalls operate on the OS layer and hardware firewalls operate on the network layer. You can't tell the hardware firewall to block an executable; you can with a software/OS-based firewall. The only form of application layer that a hardware firewall allows is the allowance and blocking of a TCP or UDP port; this can be masked by calling it an application like Steam, but in reality all it is doing is blocking the ports that that software communicates on. A software firewall not only blocks the port but it can block the application as well; I can tell it to stop the Steam executable from communicating entirely. Understand the difference? We aren't talking about an OS-based firewall.

On another note, software firewalls like the Windows Firewall do not do NAT. NAT allows you to use 1 internet connection and share it among other devices on your network, which is the main goal here. Because of NAT, hardware firewalls also have 2 interfaces, which is an unsecure and a secure side. The unsecure side may be labeled WAN, internet, or outside and the secure side will usually be labeled LAN or inside. The unsecure side will always be internet facing, and the secure side will be where all of your PCs and/or servers sit. It can be done with Internet Connection Sharing in Windows, but that is a mess that no administrator would ever incorporate into anything, even something makeshift... I would rather go out and spend $30 of my own money and get a cheap router than deal with that.


> Windows Firewall is a firewall that is directly correlated to the OS. Firmware-based firewalls do not operate on the OS layer. Software firewalls operate on the OS layer and hardware firewalls operate on the network layer. You can't tell the hardware firewall to block an executable; you can with a software/OS-based firewall. The only form of application layer that a hardware firewall allows is the allowance and blocking of a TCP or UDP port; this can be masked by calling it an application like Steam, but in reality all it is doing is blocking the ports that that software communicates on. A software firewall not only blocks the port but it can block the application as well; I can tell it to stop the Steam executable from communicating entirely. Understand the difference? We aren't talking about an OS-based firewall.

Wait, WHAT? You can't be serious with this statement. This is so wrong on so many levels. First of all, those firmware-based firewalls do run on an OS. Do you know anything about embedded systems? Do you think a firmware-based firewall is written in ASM language that communicates directly with the metal? There are many layers before a firewall can start operating. There are probably 4 or 5 layers. First comes the actual hardware like the NIC, then you go through layers and protocols like MAC, IP or IPsec, TCP, etc... The Windows one and the hardware one both go through the same layers, my friend, and end up at the same place. There is no OS layer vs network layer. The firewalls are basically applications sitting on top of an OS, all firewalls. Just because Windows allows you to run other applications at the same time, connect a display and keyboard doesn't make a difference to how the firewall operates. It might integrate some features from the OS, but it's still filtering the network the same way firmware ones do.


Let's do away with the terminology you don't like. I'm trying to keep things simple so that people can understand.

The Windows Firewall is a piece of software that is embedded into your operating system that allows or disallows communication of applications. This can be controlled per application. This can protect you from other PCs that may be infected on your network.

pfSense or any other true-to-nature firewall is better known as a router (I hate the SOHO marketplace for terming these devices as such, but I digress). These have a secure and an unsecure side; they are usually your gatekeepers between you and the internet. These are your first line of defense prior to traffic reaching your network. They protect you by blocking ports from outside in, in SOHO cases. They can also be configured to only allow certain ports out; you won't be able to do this with a Linksys router. These routers (fine, I will call them that) will allow you to connect multiple PCs to a single internet connection. The other way to provide internet to your computer is to have a directly attached modem on each of your computers.

Routers work on the application layer of the OSI model.

Windows firewall operates on the API and Network layer of the OS model.

All you want to know about the windows firewall

http://technet.microsoft.com/en-us/library/cc755604%28v=ws.10%29.aspx

All you want to know about how a router works

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_overview.html#wp1118157

If you are still confused, I cannot help you with your lack of understanding. I cannot break it down any more simply.


> Let's do away with the terminology you don't like. I'm trying to keep things simple so that people can understand.
>
> The Windows Firewall is a piece of software that is embedded into your operating system that allows or disallows communication of applications. This can be controlled per application. This can protect you from other PCs that may be infected on your network.

That's not all it does. Seriously, have you ever used Windows Firewall?

> pfSense or any other true-to-nature firewall is better known as a router (I hate the SOHO marketplace for terming these devices as such, but I digress). These have a secure and an unsecure side; they are usually your gatekeepers between you and the internet. These are your first line of defense prior to traffic reaching your network. They protect you by blocking ports from outside in, in SOHO cases. They can also be configured to only allow certain ports out; you won't be able to do this with a Linksys router. These routers (fine, I will call them that) will allow you to connect multiple PCs to a single internet connection. The other way to provide internet to your computer is to have a directly attached modem on each of your computers.

Windows Firewall does all this, and you can have the Windows device act as a router as well as a firewall. You can allow and disallow source IPs, destination IPs, ports, and MAC addresses. It also works with incoming and outgoing packets.

> Routers work on the application layer of the OSI model.
>
> Windows firewall operates on the API and Network layer of the OS model.

Oh good god. I'm done, really. This is totally wrong. You don't understand what these layers are or what they mean. The application layer of the OSI model is the layer applications like browsers use; for example, HTTP and FTP are the application layer. Your browser for example uses HTTP to access the internet. Your browser doesn't have to know TCP to serve you a website. HTTP is built on top of TCP. TCP is the lower layer called the transport layer.

When your router wants to filter an IP, it parses the IP datagram and gets its info from the IP header. When it wants to filter a TCP packet, it parses the TCP header of the IP datagram. When it wants to filter a website, it parses the HTTP header. When any of these match your blacklist, it discards all packets that match this information. When Windows filters these, it does the EXACT same thing.

Please stop acting like you know what you're talking about, because you don't. Stop spreading misinformation. Anyone who knows about TCP/IP or low-level networking will laugh at your comments.

> If you are still confused, I cannot help you with your lack of understanding. I cannot break it down any more simply.

hahaha that's gold.
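An added example (not from the thread) of the header-parsing filter the reply above describes: parse the IPv4 header, then the TCP header, and drop packets that match a rule list, with deny-by-default for inbound traffic. The packets, the addresses and the inbound policy are all constructed for the demo.

```python
# Added example, not from the thread: a minimal stateless packet filter that
# parses the IPv4 header, then the TCP header, and applies a rule list.
import struct
from ipaddress import ip_address, ip_network


def parse_ipv4_tcp(pkt):
    """Pull src/dst/protocol from the IPv4 header and, for TCP, the ports."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, proto, src, dst = struct.unpack("!B8xB2x4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4            # header length, options included
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    info = {"src": ip_address(src), "dst": ip_address(dst), "proto": proto}
    if proto == 6:                        # TCP: ports are the first 4 bytes
        if len(pkt) < ihl + 20:
            raise ValueError("truncated TCP header")
        info["sport"], info["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return info


def filter_packet(pkt, rules, default="drop"):
    """First matching rule wins. A rule is (src_net, dst_net, dport, action);
    None is a wildcard. A non-TCP packet never matches a rule with a port,
    and anything unmatched gets the default (deny-by-default for inbound)."""
    info = parse_ipv4_tcp(pkt)
    for src_net, dst_net, dport, action in rules:
        if src_net is not None and info["src"] not in ip_network(src_net):
            continue
        if dst_net is not None and info["dst"] not in ip_network(dst_net):
            continue
        if dport is not None and info.get("dport") != dport:
            continue
        return action
    return default


def build_packet(src, dst, sport=0, dport=0, proto=6):
    """Construct a minimal IPv4 datagram (bare TCP SYN header when proto is 6).
    Checksums stay zero: this is constructed test input, not real traffic."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02,
                      65535, 0, 0) if proto == 6 else b""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64,
                         proto, 0, ip_address(src).packed, ip_address(dst).packed)
    return ip_hdr + tcp


# Constructed inbound policy for the office LAN: only HTTPS to one server.
INBOUND_RULES = [
    ("203.0.113.0/24", None, None, "drop"),     # constructed blocklisted range
    (None, "192.168.1.10/32", 443, "allow"),    # HTTPS to the constructed web server
]

if __name__ == "__main__":
    for pkt in (build_packet("198.51.100.7", "192.168.1.10", 40000, 443),
                build_packet("198.51.100.7", "192.168.1.10", 40000, 22),
                build_packet("198.51.100.7", "192.168.1.10", proto=1)):
        print(parse_ipv4_tcp(pkt), "->", filter_packet(pkt, INBOUND_RULES))
```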


You should really read the links I posted and look up the different models I referenced.

Using and understanding are two completely different things.

You may know how to use it, but you don't seem to understand.

Apparently you are considering ICS as part of Windows Firewall. I do not.

People who do this usually don't do this on a dedicated PC; if the computer that has ICS enabled has issues (blue screens/app freezes/etc.) it requires that the user reboot, or the computer has disrupted service to everyone else. DHCP is an issue that you can't control. From what I remember, ICS only supports 10 concurrent nodes. It does not support one-to-one NAT. It does not support outbound QoS. I don't believe it supports VPN host in this mode (it's been a while).

This is a very expensive machine to have dedicated as an internet gateway, and it is very foolish to have this as someone's workstation. If you would rather have this as your gateway, so be it, but I would rather have more control over my network with more options. I would never recommend ICS at all. Perhaps if it did more, but even still there are things like content monitoring/filtering that are enabled in many of the higher-end routers and can be installed in pfSense that aren't enabled in ICS.


> You should really read the links I posted and look up the different models I referenced.
>
> Using and understanding are two completely different things.
>
> You may know how to use it, but you don't seem to understand.

Dude, these links say exactly what I've been saying. If there is something you want to show me, point me to it. Tell me where to read it on the page.

In the first link, it just explains what NAT is and how it works:

> When a packet enters the adaptive security appliance, both the source and destination IP addresses are checked against the network object NAT rules.

And from the Windows Firewall link:

> The TCP/IP driver (Tcpip.sys) controls the flow of information between a network adapter and a program or system service. As incoming traffic flows through the TCP/IP driver, the traffic is inspected by the NAT driver. The NAT driver processes the traffic based on the entries in the Windows Firewall exceptions list. If the traffic matches an exception, the NAT driver determines that the traffic is allowed; the packets continue through the TCP/IP driver. If the traffic does not match an exception, the NAT driver determines that the traffic is unsolicited; the packets are dropped and do not continue through the TCP/IP stack. Neither the NAT driver nor the TCP/IP driver sends a notification to the sender when packets are dropped (this is sometimes referred to as a silent discard).

Exactly what I said. They work exactly the same way.


I'll try bridging it now (in VMware my WAN card is disconnected, my LAN is NAT which I thought was wrong but I'm not exactly sure why I did not change it..... hmm)


An 800 series would be best suited for your setup, but you're still talking over 300 for any of the models in that line.

And if you can not figure out pfSense -- good luck using Cisco IOS ;)

So did you FIX your DNS problem yet? Telling you that most likely will remove many issues you might be having, since your current router is not going to help your boxes find your AD.. Did you up your DHCP lease from 1 hour?


This topic is now closed to further replies.