Scenario / Questions

I am a developer and haven’t dealt with server admin or networking in years, so “rusty” is very generous. I am setting up a new web server cluster (starting with two 1U web servers and one DB server). As I haven’t done this in a few years, I don’t really know what options are available today.

I would like all in one device:

  • Small, basic gbit switch
  • Small, basic firewall
  • Small, basic router/DHCP/gateway
  • Small, basic VPN access
  • Fits in a 1U space

Something simple with a minimal web interface I can set up and then forget about – 2 steps above a home router device, I suppose.

Edit: the initial reaction from sysadmins is often “no way” because to them, devices that do all this are usually crap. Please realize for my purposes, that’s currently OK. My setup (and budget) are just not big enough to justify dedicated equipment that does this stuff really well. I just need something that does this stuff at all.

Recommendations?


Suggestion: 1

Here’s what I’d recommend:

  1. Stay away from Linksys consumer routers (even with DD-WRT on them, etc.) at all costs for any server scenario; they get flaky under load and in more advanced scenarios (VPN, etc.), and I have a little pile of dead/bricked ones. They were made for home use and you should keep it that way.
  2. Separate the switch from the firewall/gateway. A consumer/prosumer gigabit switch would probably be fine for this (i.e. a Netgear 5-port). In the setup you’re asking for, simple and efficient is better – putting your servers together on a simple fast Layer 2 switch gives you a solid and simple backbone, and some firewalls or all-in-ones will add additional overhead to their built-in switchports and/or Layer 3 functionality that you don’t need here.
  3. For the firewall / DHCP / gateway / VPN – Some of the Cisco all-in-one’s are great, but may have more functionality and enterprisey-ness than you’re looking for. Check out a Juniper SSG-5. These used to be Netscreen NS5-GT until Juniper bought Netscreen. I think the SSG-5’s are about $600 a piece new and if you wanted you could find an eBay Netscreen NS5-GT for under $200 now, and make sure you find the “Unlimited User” version.
  4. VPN – Juniper/Netscreen will do VPN, but you need the Netscreen client software. Alternatively, you could just set up Routing and Remote Access on a Windows server for a simple PPTP VPN to use without any client software. If you wanted to go even more “just make it work”, use Hamachi from LogMeIn, works great.
  5. On Windows Network Load Balancing – This works OK but in some cases does NOT play nicely with Cisco Layer 3 routing (as it relies on doing some magic tricks with ARP caching to ‘share’ an IPv4 address across servers, and Cisco devices view this as an evil force that must be stopped). So if you go the Cisco route make sure you configure the Cisco device correctly for this (there are a bunch of articles on it).

With a Juniper/Netscreen + 5-port gigabit switch you should be able to fit both in 1U and you’ll have a simple, fast, and reliable infrastructure that can do some pretty advanced stuff if you ever need it.

Hope that helps!

P.S./edit: – A couple of people are recommending Vyatta, Linux, etc. Those are not bad solutions (also, the Untangle.com offering looks like it has potential), and I have used them and love them for office endpoint routers… but I did not recommend this type of solution because this is an application hosting scenario; in principle, the idea behind modular software running on generic hardware is to squeeze all of the normally ‘expensive’ features you can into the most cost-effective and lowest common denominator hardware. I think this is fine for the user endpoint (home, office, branch office VPN, etc.), but even for small/basic hosting scenarios I think the ‘datacenter’ side warrants specifically designed hardware coupled with specifically designed firmware.

Suggestion: 2

Go take a peek at Vyatta. They have a pretty comprehensive product that uses the Linux kernel, offering such things as VPN, router, NAT, DNS forwarding, DHCP server, and more… www.vyatta.com or www.vyatta.org for the community versions. You can run it on their appliance, your own hardware, or as a VM. Their model 514 device is full-featured with RIPv2, OSPF, and BGP, OpenVPN, IPSEC VPN, etc. for < $800.00.

This link is pretty impressive: http://www.vyatta.com/products/product_comparison.php

Suggestion: 3

Linksys has some decent routers which are above a home router, but below a full-on kick a** router. Something like the WRV54G. It’s small, supports IPSec VPN, is a router, does DHCP, etc. The only part where it doesn’t fit is that it’s 100 Meg. But to overload 100 Meg you’ll have to push a lot of traffic.

This won’t handle load balancing (which wasn’t in your requirement list, but with two web servers I assume that’s needed, so you’ll need to find something to handle that).

Suggestion: 4

I see two ways:

  1. Buy a Cisco router. It can do everything above and does it very well, but costs $$.
  2. Do it yourself. Buy a 1U server, put in NICs and set up BSD/Linux. It can do everything above + much more (i.e. load balancing).

PS. Do you really need all-in-one? Maybe separating router and switch is acceptable?

PPS. added to favorites in case you will find cheap ‘n cool hardware.

Suggestion: 5

I’d suggest a Sonicwall device in the SMB category. I have managed a few of these devices, and they did not ONCE let me down. The interface is a bit better than the typical Linksys.

I won’t be the first to suggest using this only as the gateway/VPN/firewall device. Of course all the heavy switching needs to be done by the 24-port devices.

Suggestion: 6

To add to the list, my personal preference would be the Juniper SRX line.

But as soon as you need more ports use a real switch, don’t keep adding modules.

Suggestion: 7

I’ve had a lot of luck with my NetGear ProSafe FVS338. NetGear also has a Gb switch – FVS336G. US $200 and $300 respectively.

Pretty much does what you need it to do, and doesn’t break the bank.

p.s. I do run Windows NLB behind this. No big deal at all – I didn’t have to do anything.

Suggestion: 8

OpenBSD is especially nice for setting up a firewall as it is “secure by default”, meaning that there are no holes if you don’t make them.

Also, the configuration itself is very easy, even when you dig deeper into NAT, IPsec VPN, …

Of course you’ll have to know networking with any box (what NAT means, the basics of how IPsec works, what ports and netmasks are, …).
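For readers weighing the do-it-yourself route from Suggestion 4 against the OpenBSD route above, here is an added example of what the “secure by default” configuration looks like in practice. It is not taken from any answer in this thread; it is a minimal OpenBSD `pf.conf` for the poster’s layout (one uplink, one gigabit switch carrying the two web servers and the DB server, IPsec road-warrior access). The interface names `em0`/`em1`, the 192.168.10.0/24 server addresses, the 10.8.0.0/24 VPN pool and the choice of ports 80/443 are all assumptions, not values from the page.

```pf
# Added example for this thread (not the text of any answer above): a minimal
# OpenBSD pf.conf for a 1U do-it-yourself gateway with one uplink and one
# server switch. Interface names, addresses and the VPN pool are assumed.

ext_if = "em0"                       # uplink to the ISP (assumed name)
int_if = "em1"                       # the gigabit server switch (assumed name)
table <web_servers> { 192.168.10.11 192.168.10.12 }   # assumed addresses
vpn_net = "10.8.0.0/24"              # assumed address pool for IPsec clients

set skip on lo
set block-policy drop                # dropped packets get no RST/ICMP reply

# Normalise inbound packets (fragment reassembly, etc.)
match in all scrub (no-df)

# Source NAT for the server LAN going out through the uplink
match out on $ext_if from $int_if:network to any nat-to ($ext_if)

# Default deny inbound, logged to pflog0. Outbound traffic from the box
# itself or from connections already passed in is allowed and tracked.
block in log all
pass out all

# Publish only HTTP/HTTPS and spread new connections over both web servers,
# keeping a given client on the same server while its state lives
pass in on $ext_if proto tcp from any to ($ext_if) port { 80 443 } rdr-to <web_servers> round-robin sticky-address

# IPsec VPN: IKE (500), NAT-T (4500) and ESP to the gateway itself. The
# decrypted traffic shows up on enc0 and may reach the server LAN.
pass in on $ext_if proto udp from any to ($ext_if) port { 500 4500 }
pass in on $ext_if proto esp from any to ($ext_if)
pass in on enc0 from $vpn_net to $int_if:network keep state (if-bound)

# The servers may reach the Internet (updates, DNS); nothing reaches them
# from outside except via the rules above. The DB server has no rdr-to
# rule, so it is never exposed on the uplink.
pass in on $int_if from $int_if:network to any
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `-n` parses without applying, so a typo cannot lock you out. One caveat that follows from Suggestion 1’s advice to put all servers on a single flat Layer 2 switch: traffic between the web servers and the DB server never crosses this firewall, so the web-to-DB boundary (only the web servers may open the database port) has to be enforced on the DB host itself, or by giving the DB server its own firewall interface or VLAN. The example also does not replace a real load balancer: `round-robin` distributes connections but does not notice a dead web server.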

Suggestion: 9

You might be interested in pfSense.

Suggestion: 10

If you really want a single box, doing all that, you could go for a Cisco 3750 (or comparable switch), it can do basic (admittedly VERY basic) firewalling (access-lists, nothing really fancy) and route packets. Don’t know to what extent they provide a “simple” VPN config, but you should be able to configure IPSEC endpoints as needed.

But, to be honest, you are probably better off doing these as separate boxes.