Passing the Firewall Torch
I’ve had a Netscreen firewall handling my internet connection at home for almost a full decade now. I first got my hands on a Netscreen 5 back in Feb of 2001, and it was amazing that you could get that much flexibility in such a tiny device for a reasonable price. I quickly set up all sorts of rules and filtering that were light years ahead of anything you could attempt with the broadband routers of the time. At the time, Netscreen was a little-known organization that was trying to compete with the likes of Checkpoint and Cisco.
In mid-2002, as a bonus for several well-executed projects, I was able to procure Netscreen 5XT firewalls for my IT Operations team. The 5XT was even faster than the Netscreen-5, and it supported robust QoS as well as easy IPSec VPN connectivity. It was a breeze to set up tunnels with friends, colleagues and clients.
For the past 2 years, I have had FiOS connectivity at home. This is where the problems began for my poor NS-5XT. Over the years, I have accumulated many internet-capable devices: servers, desktops, laptops, an Android phone, wireless media players, a Wii game system, and even an iPod Touch. The NS-5XT was purchased with the 10-user license, since that was 60% of the cost of the unlimited license. At the time, that was no problem, but 7+ years later, it started to become a limit for me.
The relatively easy solution for this problem was to install a proxy server and configure the servers to use it for their internet access. (For a time, I had all the desktops using it via Group Policy, but that’s a tale for another time…)
The second problem was a little trickier, however. The WAN port on my NS-5XT was only 10Mbit/s. While I was using cable and DSL connectivity for Internet access, this was no issue, because those connections were all in the 2-6Mbit/sec range. My FiOS connectivity, however, is a rather robust 25/5 (25 Mbit/sec DOWN and 5Mbit/sec UP).
This has proven to be more frustrating than one would think for a home network.
So began my search for a replacement device that would give me all of the functionality that I had before, but be up to the task of my current bandwidth. I looked at current Juniper Netscreen devices, and even at the Fortigate firewalls from Fortinet (my new favorite enterprise FW company). The problem was cost. I really didn’t feel like paying $200+ for a good firewall.
Enter DD-WRT. Now, you can take an otherwise standard broadband router that has enough flash and operating memory, and turn it into a much better piece of equipment. After a fair amount of research, I selected the Netgear WNR-3500L and turned it into a beast.
Some of the best features derived from the upgrade include:
- Multiple SSIDs with their own security configuration
- Support for SNMP and 802.1x authentication
- Support for VPN (although only SSL, not IPSec)
- QoS (although, not quite as straightforward as with the Netscreen)
- Support for a NAS (not using today)
- Extremely flexible routing, including the ability to route my WLAN off my LAN
- VLAN support
- Gigabit uplinks
Now, my uploads and downloads are positively screaming. I’m routinely getting 25-30 Mbit/sec down, and 5-8 Mbit/sec up. No more throttled downloads because of a functional, well-featured firewall that was getting long in the tooth.
Overall, I am very happy with my new firewall and its robust feature set by way of DD-WRT. And it only cost me US$80 plus a few hours to get all the configuration completed.
On a side note, Microsoft has completely revamped Windows Live Writer, and while I am very happy that they finally made it easier to change font styles and colors right from the toolbar (what took them so long?), they also made other Word-like changes that I’m not so sure about.