cisco 1811 equivalent out there?

[lordvdr]

I've been looking for an 1811 equivalent.
needs:
1. 2 eth wan ports that support the assignment of /28 subnets
2. 1 eth lan port and at least basic outbound load-balancing
3. NAT, NAPT/PAT
4. Good ACL support (firewall rules) (I'm ok with less than PIX functionality, but it should be complete where I can say no X outbound or inbound except for Y)
wants:
5. 2+ eth lan ports w/ vlan support for segmenting servers from clients
6. inbound dns load balancing
7. vpn (very not important)
The 1811 does all of the beautifully, but at $800. I'm shooting for the $400-500 area.

I've found the xincom twinwan series, but it seems to miss a little on 1 and 4.

Thoughts?

 

[cmetz]

lordvdr, try a WRT54GL with third-party firmware, e.g., OpenWRT.

 

[Goosemaster]

Originally posted by: cmetz
lordvdr, try a WRT54GL with third-party firmware, e.g., OpenWRT.

no way dude...completely different uses.

Maybe try an old 2600 ceries ciscoo?

 

[nweaver]

Originally posted by: cmetz
lordvdr, try a WRT54GL with third-party firmware, e.g., OpenWRT.

please don't compare a soho router with 3rd party F/W to an enterprise grade solution

 

[Goosemaster]

Originally posted by: nweaver

Originally posted by: cmetz
lordvdr, try a WRT54GL with third-party firmware, e.g., OpenWRT.

please don't compare a soho router with 3rd party F/W to an enterprise grade solution

honestly, cmetz usually knows his stuff, and the openwrt firmware can do a LOT, by why he would recommend a consumer router with a consumer MTBF and such is beyond me....


maybe he knows somethign we don't

 

[lordvdr]

I'm running a wart at home and while it may be technically possible (it does support multiple vlans, which is the basic start to a decent router) to make it support two wan and two lan subnets, I doubt it would be with any decent performance and like some of the others said, certainly not enterprise (or even small biz) reliable. It would also require a LOT of custom coding which I'm not capable of doing.

Any other ideas?

 

[Boscoh]

Fortinet and Netscreen both make units similar to what you're looking for (although I don't think they support VLAN's for the price range you're in). They're closer to $600.

The units I'm thinking of would be the Fortigate 60, and the Netscreen 5GT or XT. Can't remember. You're sure you want VLAN's? Remember that if the clients are to communicate with the servers, all the traffic will have to be *processed* by the firewall, not merely L2 forwarded through it's integrated switch or a switch you hang off the back of it. That's a lot of extra processing for a SOHO device to be doing.

[EDIT] Forgot that the 1811 is wireless...which neither of the aforementioned units have. Also, 800 bucks is a pretty fair deal on that unit. The lowest price I'm seeing online is 1000 after 8x5xNBD SmartNet. I'd say go with the Cisco because you aren't going to find a solid reliable unit with everything you want and Cisco's level of support for less than that. The Fortigate 60 model with wifi and 8x5 support will probably cost you around the same as the 1811, and you dont get VLAN support in that unit. I think the Netscreen 5GT Wireless will be about the same, and I'm not sure that it has VLAN support either.

 

[nightowl]

You can also look at the Cisco 870 series. They are like the 1800 series but lower cost.

 

[bluestrobe]

Originally posted by: cmetz
lordvdr, try a WRT54GL with third-party firmware, e.g., OpenWRT.

High use will kill any WRT54G router. Seen it done personally. No firmware can prevent hardware failure of that nature. The WRT series isn't an end-all solution for replacing current enterprise routers.

 

[lordvdr]

Originally posted by: Boscoh
Fortinet and Netscreen both make units similar to what you're looking for (although I don't think they support VLAN's for the price range you're in). They're closer to $600.

The units I'm thinking of would be the Fortigate 60, and the Netscreen 5GT or XT. Can't remember. You're sure you want VLAN's? Remember that if the clients are to communicate with the servers, all the traffic will have to be *processed* by the firewall, not merely L2 forwarded through it's integrated switch or a switch you hang off the back of it. That's a lot of extra processing for a SOHO device to be doing.

[EDIT] Forgot that the 1811 is wireless...which neither of the aforementioned units have. Also, 800 bucks is a pretty fair deal on that unit. The lowest price I'm seeing online is 1000 after 8x5xNBD SmartNet. I'd say go with the Cisco because you aren't going to find a solid reliable unit with everything you want and Cisco's level of support for less than that. The Fortigate 60 model with wifi and 8x5 support will probably cost you around the same as the 1811, and you dont get VLAN support in that unit. I think the Netscreen 5GT Wireless will be about the same, and I'm not sure that it has VLAN support either.

Wireless isn't that important to me. A WAP hidden in a closet doesn't get very far.
VLANs let me DMZ the servers with ports open to the internet secure from my clients and other servers. I've figured ways around that, but it was a nicety. I will definately look at what you guys have suggested. Thanks.

 

[cmetz]

Goosemaster, show me a new 2600 with a firewall feature set for under $500. Heck, show me a used one with a legit software license. Even getting a 2600 with illegitimate software is pushing that cost limit.

nweaver, how a device is marketed does not necessarily say everything about its technical capabilities. The WRT is marketed as a SOHO device, but the hacked firmware gives it the capabilities and performance of an entry-level enterprise device. Is it a M40? No. Is it as good a router/firewall as a PIX 501, NS 5GT, etc.? Nearly. (VPN performance is not there, though. It can do it, but I wouldn't seriously use a WRT for it.)

bluestrobe, I have not seen OpenWRT fall over under reasonable load. If I'm bored sometime, I'll hook one up to traffic generators in my lab and see what it can do. If I'm really bored and/or ambitious, I'll run the same tests on some enterprise gear. My gut is that you will be surprised at how well the WRT compares, and will also be surprised at how badly *all* of them do relative to how well you think they could do. (routers / firewalls that can handle a lot of load are expensive, and that's not just because the vendors want to make a big profit) At least with the WRT, I'm not expecting a carrier-grade device.

The OP's price point is tough, it's an in-between price point. Not quite enough $$ to be able to buy real enterprise gear, but more $$ than SOHO gear. There are many vendors who make glorified SOHO gear that's marketed to enterprises in that cost bracket, but they aren't much better than a hacked WRT and much more expensive.

I've been very happy with the reliability on WRTs I've fielded, and I've put them in places where I'd know if they had any disruptions. That said, from what I've seen on the 'net, the wall wart is the number one reliability problem. If this worries you, you can buy two WRTs, run VRRP, and buy a third for cold spare, within the OP's budget.

The main win the OP has is a need for all-Ethernet. If you needed to bring a T1 or so directly in, you'd be playing in a whole different field.

The main downside of a WRT/OpenWRT is that the UI is *not* easy to use. That is a major downside to consider.

 

[Goosemaster]

Originally posted by: cmetz
Goosemaster, show me a new 2600 with a firewall feature set for under $500. Heck, show me a used one with a legit software license. Even getting a 2600 with illegitimate software is pushing that cost limit.

nweaver, how a device is marketed does not necessarily say everything about its technical capabilities. The WRT is marketed as a SOHO device, but the hacked firmware gives it the capabilities and performance of an entry-level enterprise device. Is it a M40? No. Is it as good a router/firewall as a PIX 501, NS 5GT, etc.? Nearly. (VPN performance is not there, though. It can do it, but I wouldn't seriously use a WRT for it.)

bluestrobe, I have not seen OpenWRT fall over under reasonable load. If I'm bored sometime, I'll hook one up to traffic generators in my lab and see what it can do. If I'm really bored and/or ambitious, I'll run the same tests on some enterprise gear. My gut is that you will be surprised at how well the WRT compares, and will also be surprised at how badly *all* of them do relative to how well you think they could do. (routers / firewalls that can handle a lot of load are expensive, and that's not just because the vendors want to make a big profit) At least with the WRT, I'm not expecting a carrier-grade device.

The OP's price point is tough, it's an in-between price point. Not quite enough $$ to be able to buy real enterprise gear, but more $$ than SOHO gear. There are many vendors who make glorified SOHO gear that's marketed to enterprises in that cost bracket, but they aren't much better than a hacked WRT and much more expensive.

I've been very happy with the reliability on WRTs I've fielded, and I've put them in places where I'd know if they had any disruptions. That said, from what I've seen on the 'net, the wall wart is the number one reliability problem. If this worries you, you can buy two WRTs, run VRRP, and buy a third for cold spare, within the OP's budget.

The main win the OP has is a need for all-Ethernet. If you needed to bring a T1 or so directly in, you'd be playing in a whole different field.

The main downside of a WRT/OpenWRT is that the UI is *not* easy to use. That is a major downside to consider.

I think this is one of those situations where, although your idea is good and all, it is too shocking, too seemingly risky from our perspectives.

I did read what you have been doing with them in other thread and am definitely impressed.

What I would REALLY look foward too is the ability to use routing protocols on my soekris box.. jus imagine, it is even smaller than my wrt54gs and has a 266mhz geode, 128mb ram, 5 interfaces and a 512MB flash card.

Talk about serious power in a VERY small package

 

[cmetz]

Goosemaster, there's certainly no reason why you can't run Linux/Zebra or OpenBSD with its BGPd/OSPFd on your Soekris. I've tended to avoid that platform; I've been told by reliable sources that the Soekris people (er, guy) is hard to do business with. (I think the core of the problem is that it's basically one guy there, he's just gotta be stretched too thin)

I have been looking a lot at the new Via C7 platforms. The C3/C5 platforms were seriously underpowered for what they were, but I have this eternal optimism that they'll either fix their performance or at least improve it enough. A C7 with a few on-board network ports, on-chip AES, and a low-depth 1U rackmount case would make a very interesting network device platform.

Of course, once you're just running a PC, you could just get the Dell/HPaq deal of the day box, and it's all about the software.