Topic: Monowall VS. PIX/Adtran/Sonicwall  (Read 2782 times)
« on: November 23, 2007, 20:04:12 »
zeusenergy *
Posts: 10

Your network is important to you, as it should be. If you want to ensure that it remains secure and organized, you need a good firewall and router. Combinations of both products have made life easy and seamless for Joe Homeowner over the past 8 years or so. Take the explosion of Linksys, Belkin, Netgear, and other brands of firewall/router products for example. It's great that these companies can provide users with an affordable solution that is simple to configure. But then, the security provided by the products is inherently flawed and not very configurable. Beyond these solutions are SMB products that will get your wallet thin quicker than a Slim-Fast commercial. At the low end you have the Sonicwall and Adtran products, perfectly fine for SMB use with 50 or fewer users. Of course those companies also serve up products for enterprise use, but the only mention I will make here of high-end firewalls is the Cisco PIX discussed in another thread here in the forums. Ridiculously expensive, and doubling the price if you get the required Smartnet support over three years, these devices are almost identical to M0n0wall in architecture and functionality. But what M0n0wall offers that the PIX cannot is a stable web-based GUI that makes the PIX GUI look like a grade-school hack on top of the command line interface (CLI). I haven't tried some of the newer revisions of the PIX interface, but then the reason is that my company has abandoned Cisco as a provider for our customers, all SMB. Granted, we don't get a CLI from the M0n0wall. But then, all of the M0n0wall's features are written in plain English anyway, negating the need for a full CLI. There are other options besides the PIX that make better sense for SMBs, and if we offer a pay-to-play solution it is going to be a Sonicwall or Adtran.

You might ask if M0n0wall can really offer the same security and functionality as a PIX. For that matter, could M0n0wall even compare to the cheaper Sonicwall and Adtran products? To begin we will look at the features of each. All of these products offer VPN functions to remotely access your LAN with secure encryption. Cisco forces you to buy licenses for clients to access VPN. The same applies to Sonicwall. Usually this means buying blocks of five user licenses. Adtran has some product lines with VPN pre-licensed, but you pay extra. This can mean hundreds of dollars in extra fees to use something the product already has implemented, or at least a more expensive initial cost. You could get a Linksys RV0-series, but those are more or less too basic for anything more than a few users. That product does have five client VPN licenses built in, and it's cheap too. But the firewall rules aren't very granular and you can't create bandwidth rules at all, just a QoS page that is basic and may help with VoIP. On the other hand, M0n0wall is free of charge and offers a VPN server with unlimited access or client lists. This is not only a huge relief in cost due to the system requirements of hardware and free cost of the software, but also means you own the device. The other offerings are "owned" by the manufacturer and cannot be used in any other way or on any other hardware (there are exceptions, but after paying top dollar for a firewall it is unlikely that you would transfer the software to another device). Any VPN sessions you want to provide to users depend on what you are willing to pay. And in some cases, you need to subscribe to support on these products, and chances are you will NEED the support on those cryptic systems. That's why companies like Cisco force providers to get certified: to keep the money flowing in and keep regular users out of their products. Cisco pros tend to charge exorbitant hourly fees and block hours to work on your PIX. Keep all of this in mind before plunking down your bucks for a Cisco. Basically, Cisco is selling "partly broken" devices that only they have the fixes for, at a price. Did you ever buy a car, only to find no windows and have the dealer tell you that's an option, even though the windows were rolled down? Now you pay the dealer to install the "optional windows" and he rolls them up. Pretty sketchy scenario. But that's the status quo at Cisco.

For security, the firewall should be blocking any requests from the untrusted interface into your LAN. It should also log those attempts and have fine control over which protocols and devices you want to have access into certain devices and ports on your LAN. All of these products have this ability. So it's pretty much a tie here. But again, M0n0wall does an admirable job, plus it's free to boot.

Captive portal is a great feature and allows you to have control over who gains access to the Internet. It also provides a way to create a WiFi hotspot for public use. I've installed a M0n0wall at a car dealership (hopefully they don't have optional windows in their cars!) and used it to create a hotspot. The WAN port of the M0n0 is attached to a free port on one of their network switches. There are rules to forbid anyone on the M0n0 from accessing the IP subnet the dealership uses for business, but they allow the gateway to function for Internet access. This system has been installed for over a year, and has needed zero reboots. Customers use this free service daily and have never had a problem. The best part is that no existing network devices needed to be configured for any of this to work. Just configure the M0n0, plug it in, and away you go. When wireless clients connect, they open a web browser and are redirected automatically to a login page. The login is given out by employees or displayed on a sign in the lounge. A desktop PC is set up for people who don't have a laptop, and it's connected to a Wireless Access Point/Switch that is attached to M0n0's LAN port. Once users on the M0n0 have logged in, they get redirected once again to the dealership web page. From there they can go anywhere they please. The captive portal interface has limits on bandwidth so that the dealership can still conduct business without someone YouTubing them to death. As far as the other products, I haven't seen an implementation yet or even at all that addresses captive portal in such a simple and complete way.
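The hotspot rule set described above, as an added illustration that is not the poster's configuration: a first-match evaluator over the two rules the hotspot interface needs, using a constructed business LAN of 192.168.10.0/24 (the post names no subnets). It shows that the block rule has to sit above the pass-to-any rule, and includes a small lint that flags rules shadowed by an earlier, broader one.

```python
import ipaddress

# Constructed placeholder addressing; the post does not name the subnet.
BUSINESS_LAN = ipaddress.ip_network("192.168.10.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Rules on the hotspot (captive portal) interface, evaluated top to bottom,
# first match wins, implicit deny if nothing matches.
# Each rule is (action, destination network).
CORRECT_ORDER = [
    ("block", BUSINESS_LAN),  # keep hotspot users off the dealership LAN
    ("pass", ANY),            # everything else goes out to the Internet
]

# The same two rules swapped: "pass any" matches first and the block
# rule never fires, so hotspot users can reach the business LAN.
SHADOWED_ORDER = [
    ("pass", ANY),
    ("block", BUSINESS_LAN),
]


def decide(rules, dst):
    """Return the action the rule set takes for a packet to dst (str)."""
    dst_ip = ipaddress.ip_address(dst)
    for action, net in rules:
        if dst_ip in net:
            return action
    return "block"  # default deny when no rule matches


def shadowed_rules(rules):
    """Indices of rules that can never match because an earlier rule
    already covers their whole destination network."""
    dead = []
    for i, (_, net) in enumerate(rules):
        for _, earlier in rules[:i]:
            if net.subnet_of(earlier):
                dead.append(i)
                break
    return dead


if __name__ == "__main__":
    # 203.0.113.5 is a constructed (TEST-NET-3) Internet destination.
    for name, rules in (("correct", CORRECT_ORDER), ("shadowed", SHADOWED_ORDER)):
        print(name, "business host:", decide(rules, "192.168.10.20"),
              "internet host:", decide(rules, "203.0.113.5"),
              "dead rules:", shadowed_rules(rules))
```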

One other thing that's unique with the M0n0wall is the ability to attach any number of NICs to the system, and each one gets detected and installed as long as FreeBSD supports it. M0n0wall can act as a multiple interface router for the cost of inexpensive network cards. So this means you can have multiple DMZ and LAN ports. The ability to have one trusted LAN and another auxiliary subnet for public use is invaluable, as is using a couple more network cards for DMZs. Having a range of public IPs and hosts on your network is very easy to implement in this fashion. And with M0n0wall, you aren't restricted to specific cards or limitations on how many interfaces you need to support.

One of the only features M0n0wall doesn't support yet is active failover or load balancing multiple WAN ports. In these circumstances it's best to pay the piper and get a Sonicwall or Adtran, or heaven forbid a Cisco. I am hoping that the M0n0wall developer can get this implemented in the next version. Besides, it's very difficult to get the Adtran AOS to do active failover, or at least that was my experience. It needed multiple corrections and calls to support to get it working properly. We also had to use the CLI since the GUI is very buggy. The Sonicwall is much easier to configure for this function.

I'm very happy with the M0n0wall's performance for myself and my customers. Some SMBs may need different features that M0n0wall will not support. But it can be built for short money. And it does protect both remote and local users quite well. One thing I cannot do with my home network M0n0wall is filter protocols or web traffic to forbid certain users (my kids) from accessing certain content. In this case I added another server to do these duties. It's called Untangle Server, and if you haven't heard of it, you should. It does almost everything that M0n0wall does, plus adds the filtering capabilities. I've enabled only the filtering and set up the server as a transparent bridge to pass DHCP and all LAN requests to the M0n0. I could go on and on about Untangle, too, but this is a M0n0wall forum, so for more info go to http://www.untangle.com. It's also a free software solution that runs on an x86 PC.
« Reply #1 on: November 23, 2007, 23:23:56 »
Knudsen *
Posts: 2

Hi,

I use M0n0wall for sharing wireless internet with people on historic boats here in my neighborhood. Love the features and dedicated development, but to a customer I recommend the Cisco ASA5505 firewall with 8 (!) configurable switch interfaces. They have to pay extra for the sec-plus license but you get everything but SSL VPN. The last costs too much indeed. For wireless there are nice n-packages available to complete your ASA setup.

So, nice story, M0n0 can do all of that, but the ASA hardware/software combination is very competitive these days. This customer has an installed base of PIXes, making migration easier of course. Just want to let you know that commercially supporting M0n0wall isn't my choice at this point.

Grt, HT.

EDIT: ASA5505 with full Security Plus License costs around $1000; simple SOHO starts below half of that.

« Last Edit: November 26, 2007, 01:08:10 by Knudsen »
« Reply #2 on: November 24, 2007, 05:48:05 »
zeusenergy *
Posts: 10



> So, nice story, M0n0 can do all of that, but the ASA hardware/software combination is very competitive these days. This customer has an installed base of PIXes, making migration easier of course. Just want to let you know that commercially supporting M0n0wall isn't my choice at this point.
>
> Grt, HT.

The original post was intended for those people who are choosing a solution for a small SMB or residential use. Not for enterprise use at all!
I'll recommend Adtran before Cisco for our larger customers, but when you have a very small company that has 15 users, there is no justification for an expensive router/firewall. And if you deal with tiny businesses, I sure hope you don't upsell them to get spiffs. I used to work for a document imaging company in the late '90s as a specialist in networks, from installing cable up to configuring or dismantling SCSI scanners. Anyway, the sales guys in our company upsold the customers since they had no idea what they needed; they went on what the sales staff recommended. So we had people buying SCSI 100-disk MO drives for a big bank. And that's the point of the story. As an SMB you need to get the product that fits the size of your organization. Honestly, I've seen so much hardware go unused for the most part.

Just a couple months ago I got to know the quality of work in sales and service for Best Buy's Geek Squad. The Sonicwall they bought was configured with g33ksqu4d as the admin password. The Win2003 SBS had no backups showing up. The whole four PCs it serves had no shares from the server. The only reason the server was there is Exchange, which actually only needs four email addresses for the four total users. You can get a web and email server dedicated for $7 a month that will cover their needs and allow for plenty of expansion. Oh yeah, and I forgot to mention the administrator password was the same as the company name. And the wireless access point was... OPEN.
Granted, it's true they did get some nice hardware and probably at a decent price. But it's overkill especially since none of it was secure or really being utilized. Wouldn't you say that a M0n0wall would cover those four users perfectly?
EDIT: How much would one of those 8-interface Ciscos cost, anyway? :0)
« Last Edit: November 24, 2007, 05:57:55 by zeusenergy »
 