Previous 1 2 Next 16 Replies Latest reply: May 1, 2010 11:50 AM by MrHoffman
LewisO Level 1 Level 1 (0 points)
Hi, I'm looking for suggestions for a firewall, gateway, vpn box to place between my cable box and a Mac Mini Snow Leo Server. Looking for easy setup and support, affordable, and decent performance. Site has 3-6 active workers depending on season, would never grow beyond say 10. Maybe 2-3 vpn connections used very sporadically... ie. no one's used a vpn connection on old server in the last 7 months.

Mac Mini Server, Mac OS X (10.6.2)
  • foilpan Level 4 Level 4 (1,385 points)
    i usually spec embedded hardware (soekris or alix boards) running m0n0wall or pfsense if paid support isn't an issue. if clients want paid support, sonicwall has decent hardware, though i don't like their licensing structure or fees.
  • Antonio Rocco Level 6 Level 6 (10,330 points)
    Hi

    In addition you could look at ZyXel (the higher spec models), Cisco (of course); Vigor/Draytek have some nice models (IMO). The easy setup question is harder to answer? If you've never used them before they're not really easy, are they? In my experience support is good from all three manufacturers. Depending on where you are in the world, mileage may vary.

    Tony
  • LewisO Level 1 Level 1 (0 points)
    Thanks for the feedback Tony and foilpan.
    On the suggestion for "higher spec ZyXel" - starting at what models?
    One note on Sonicwall, I tried to contact them with a pre-sales question... a couple of days now - nada! Thanks - Lewis
  • Antonio Rocco Level 6 Level 6 (10,330 points)
    Hi Lewis

    http://www.zyxel.com/web/product_category.php?PC1indexflag=20040908175941

    Any of the USG Models. If they're too complicated any of the standard ZyWall Units.

    http://www.draytek.co.uk/

    I've had a play with this model and thought it OK:

    http://www.draytek.co.uk/products/vigorpro5510.html

    Tony
  • carana Level 1 Level 1 (50 points)
    Lewis,

    I'm a fan of the Astaro line of unified security products. It sounds like you'd be well served with the ASG110.

    If you go to the Astaro website, and contact one of their resellers, you can usually arrange a 30-day demo unit.

    G. Discenza
  • LewisO Level 1 Level 1 (0 points)
    Had almost settled on a Zyxel unit when the office manager's nephew claims an Apple Airport in between the cable box and server will do just as well - then for the infrequent VPN use the built-in VPN in OS X SL Server. I can see Airport doing NAT, but it doesn't seem as full featured as a hardware security box. Office is trying to watch budget as well as do things 'right'.
    Comparisons say between the lower end/more modest Zyxel boxes and using an Airport?
  • Anthony Mellor Level 2 Level 2 (185 points)
    I'm soon to have the same question: the little Snow Leopard book that comes with it says on page 36 (English version) "Protecting your Network with Airport Extreme" and goes on to include Time Capsule; it says "MACOSX Server can automatically manage it to protect your local network while allowing access to selected services from the internet."

    In my book that's offering firewall services, even though I cannot see anything like that (port forwarding etc) in my Time Capsule utility and a friend of mine loudly tells me no such thing is apparent in his Airport Extreme.

    That leaves hidden features becoming apparent when Server and Airport or Time Capsule are connected.

    Maybe you have an AP or TS you can experiment with.
    I have, but have not yet graduated from basic installation of a working system, so can't explore yet.

    Anthony
  • LewisO Level 1 Level 1 (0 points)
    Hi Anthony, an Apple Airport most definitely does NAT (Network Address Translation) and port forwarding! What I'd like to be able to articulate clearly is why a small, budget-conscious office should consider a low cost dedicated security hardware box over using the Airport for protection. - Lewis
  • foilpan Level 4 Level 4 (1,385 points)
    don't listen to your office manager's nephew. that sets bad precedent (unless he's right, of course).

    you'll be better off with a dedicated, more full featured firewall than using consumer gear like an apple airport base.
  • Anthony Mellor Level 2 Level 2 (185 points)
    Hi Lewis, Interestingly the port forwarding tab does not appear until Internet/Share a public ip address are selected, and then Advanced does show port mapping. I have never used that combination before now.

    To answer your question.
    Something like the Zyxel Zywall 2WG (edit: this is NOT a "modem" of any kind, you can't plug adsl into it)

    http://www.zyxel.com/web/productfamilydetail.php?PC1indexflag=20040908175941&CategoryGroupNo=81AD76FF-54E8-484F-A2C5-4B2C83DFD32B

    can accept a 3g cellphone card for access to internet when/if the landline connection goes down. This is also useful if the LAN ever goes walkabout (travelling) like mine does.

    From a security point of view it is my understanding that such devices offer more sophisticated protection represented by these words: "Based on Stateful Packet inspection and Denial of Service (DoS) technology...". When I read up on that (long ago, so now somewhat faded) it seemed to me that this is more than mere port blocking (or opening), it is the testing of incoming packets to decide if they are "attacks". The attack parameters can be configured or left to default.

    Also you can configure (as I recall) the machine to email you with varying levels of report about its status and levels of attack: or even simply port accesses.

    Such a device is massively more sophisticated than an Airport or Time Capsule. edit: in firewall terms at the very least

    Do I think I needed it? No, not really - except the Cellphone WiFi system backup and also (a major point for me) that it runs off 12 volts (which means a car battery, though a regulated source would be a good idea).

    It also offers multiple WiFi networks so you can have your own or put your voip wireless phones or whatever through a separate net.

    Don't think it offers the 5gig network I just found my TC offers.

    I am now playing with the TC setup and Server Firewall, so I'll be using these for the reason of simplicity until I have more confidence - and there's nothing but test data on the whole machine anyway.

    If I had to stick my neck out to answer your question I'd suggest worthy of review is that the dedicated firewall offers "stateful inspection" and denial of service attack defence whereas the Apple items do not.

    Anthony

    Message was edited by: Anthony Mellor
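To make the "stateful inspection" versus "port blocking" distinction in the post above concrete, here is a small added example (not code from this thread, from ZyXEL or from Apple). It runs a handful of constructed packets through a stateless port filter and through a filter that remembers which connections the LAN itself opened, plus a per-source SYN budget that stands in for the "Denial of Service technology" the product text mentions. The server address 10.0.1.2 comes from the thread; the outside addresses, ports and the SYN limit are assumptions.

```python
"""Toy packet filter contrasting plain port blocking with stateful inspection
and a simple SYN-rate limit. Added example for the discussion above; it is
not code from the thread, from ZyXEL or from Apple. All addresses, ports and
packets below are constructed (RFC 5737 documentation ranges for the WAN side).
"""
from collections import Counter
from dataclasses import dataclass

LAN_SERVER = "10.0.1.2"        # the Mac Mini on the LAN (address from the thread)
PUBLIC_WEB = "203.0.113.10"    # constructed: a web site the server talks to
OUTSIDER = "198.51.100.7"      # constructed: an outside host sending unsolicited packets

PUBLISHED = {80, 443}          # services the office deliberately exposes


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = LAN to WAN, "in" = WAN to LAN
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def stateless_filter(pkt, published=PUBLISHED):
    """Port blocking with no memory. Outbound is always allowed. Inbound is
    allowed to published ports, and also to every port >= 1024, because
    replies to the LAN's own outbound connections arrive on such ports and a
    stateless filter cannot tell a reply from an unsolicited packet."""
    if pkt.direction == "out":
        return True
    return pkt.dport in published or pkt.dport >= 1024


class StatefulFilter:
    """Remembers which flows the LAN started and only admits inbound packets
    that belong to one of them or that open a published service. A per-source
    SYN budget stands in for the "DoS" protection the marketing text refers
    to; real products use more elaborate thresholds and time windows."""

    def __init__(self, published=PUBLISHED, syn_limit=3):
        self.published = set(published)
        self.syn_limit = syn_limit
        self.flows = set()          # (lan_ip, lan_port, remote_ip, remote_port)
        self.syns = Counter()       # inbound connection attempts per source

    def check(self, pkt):
        if pkt.direction == "out":
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return True             # reply to a connection the LAN opened
        if not (pkt.syn and not pkt.ack):
            return False            # neither a known flow nor a connection attempt
        self.syns[pkt.src] += 1
        if self.syns[pkt.src] > self.syn_limit:
            return False            # source is hammering us: throttle
        return pkt.dport in self.published


SAMPLE = [
    Packet("out", LAN_SERVER, 51000, PUBLIC_WEB, 443, syn=True),          # server opens HTTPS
    Packet("in", PUBLIC_WEB, 443, LAN_SERVER, 51000, syn=True, ack=True),  # legitimate reply
    Packet("in", OUTSIDER, 443, LAN_SERVER, 51001, ack=True),              # unsolicited packet dressed as a reply
    Packet("in", OUTSIDER, 40000, LAN_SERVER, 80, syn=True),               # visit the web site
    Packet("in", OUTSIDER, 40000, LAN_SERVER, 22, syn=True),               # probe an unpublished port
    Packet("in", OUTSIDER, 40001, LAN_SERVER, 80, syn=True),               # burst of connection attempts begins
    Packet("in", OUTSIDER, 40002, LAN_SERVER, 80, syn=True),
    Packet("in", OUTSIDER, 40003, LAN_SERVER, 80, syn=True),
]


def run_stateless(packets=SAMPLE):
    """Verdict per packet from the stateless filter (True = pass)."""
    return [stateless_filter(p) for p in packets]


def run_stateful(packets=SAMPLE, syn_limit=3):
    """Verdict per packet from a fresh stateful filter (True = pass)."""
    fw = StatefulFilter(syn_limit=syn_limit)
    return [fw.check(p) for p in packets]


if __name__ == "__main__":
    for pkt, a, b in zip(SAMPLE, run_stateless(), run_stateful()):
        print(f"{pkt.direction:3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  "
              f"stateless={'pass' if a else 'drop'}  stateful={'pass' if b else 'drop'}")
```

The third packet is the one to watch: a plain port filter has to let it in (it is addressed to a high port, like every genuine reply), while the stateful filter drops it because no LAN host ever opened that connection. The last two packets show the SYN budget throttling a source that keeps opening connections to the published web port.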
  • Anthony Mellor Level 2 Level 2 (185 points)
    about face. Just peeked into the Server firewall settings. This all looks pretty sophisticated stuff; my point being it may well give balance to my comments above about Apple TC and router not being so clever. The difference here is that the firewall stuff is built in to the server not the hardware - which is a whole other design discussion but clearly Apple have come down on the side of putting it in the software.

    I'd better stop talking: see About Firewall Security in Server Help.

    anthony

    Message was edited by: Anthony Mellor
  • Anthony Mellor Level 2 Level 2 (185 points)
    here's how I just enabled server management of airport/time capsule:

    (1) changed Time capsule Connection sharing to Share a public ip address
    (which makes "advanced" "port mapping" appear.)
    (2) set Time capsule Internet connection to connect to router on 192.168 network
    (3) set Time capsule to offer DHCP in 10.0.1 range
    (4) set Time capsule own address to be 10.0.1.1
    PLUG in ethernet cable to Mac Mini and Time Capsule
    Activate Ethernet and deactivate Airport
    (5) set Mac Mini Server Manual ip address to 10.0.1.2
    (6) set Mac Mini Server DNS addresses to 127.0.0.1, 10.0.1.1
    (7) set Mac Mini Server / Server Admin / DNS / Zones / Machine name / IP Address = 10.0.1.2

    and now I am seeing if anything still works - report back shortly.

    So:

    Server reads its own web pages and surfs the internet
    Client on the 10.0.1 network does not, it has DHCP DNS given as 10.0.1.1 (the Time Capsule "router"). I have added 10.0.1.2 and since that overwrote the DHCP provided entry also 10.0.1.1 and this client laptop now access both the server web pages and surfs the internet. edit: laptop NOT accessing server... it hits the 192.168 networked router (the one whose WAN faces the outside world) and one beyond the Time Capsule.

    Message was edited by: Anthony Mellor
  • MrHoffman Level 6 Level 6 (13,020 points)
    An Apple Airport is a reasonable choice for a home user, and not as good for servers; ask your boss's nephew how to establish a VPN into the LAN when the server is down, for instance. If you use a remote power strip (about US$100) to force a reboot of this box, you need to connect to the power strip.

    A mid-grade firewall will also prevent the riff-raff from hitting and loading up the server itself, too.

    There are also some issues with Airport and L2TP; there are various reports around the forums (here is one: http://discussions.info.apple.com/thread.jspa?threadID=2316810) that the device does not necessarily correctly pass a VPN through to the host.
  • foilpan Level 4 Level 4 (1,385 points)
    i've also had general issues with airport bases not reliably passing ipsec traffic, and there's not much you can do to configure them if they're not doing what you want.

    i generally only tolerate the airport units in situations where consumer/home users have already bought them and have no firewall in place already. otherwise, i only recommend using the airport base stations for wireless access points.