On 1/9/19 7:20 PM, Robin Laing wrote:
> On 08/01/2019 17:52, George N. White III wrote:
>> On Tue, 8 Jan 2019 at 12:10, Alex <mysqlstudent@xxxxxxxxx
>> <mailto:mysqlstudent@xxxxxxxxx>> wrote:
>>
>>     Hi,
>>     I need a gateway for our new office. I'd like it to run Fedora. What
>>     are my options? I'd like to be able to do the following:
>>
>>     - provide VPN back to the main office
>>     - provide basic masquerading of hosts on inside network
>>     - be small enough to fit on a shelf. Preferably fanless
>>     - web-based administration
>>     - ssh access
>>
>>
>> Have a look at https://www.pcengines.ch/apu2.htm These offer 2 or 3
>> ethernet ports, small form factor, and fanless. Fedora is not a good
>> choice for this role unless you are willing to devote time and effort
>> to testing new versions as they appear. In that case you would want a
>> couple systems so each new release could be tested before going into
>> service. Pcengines has centos7 images for apu systems.
>>
>>     We're experienced admins, so a simple interface isn't specifically
>>     necessary, but desired.
>>
>>     It's only for a few remote office workers, so it doesn't have to be
>>     particularly powerful, but should be responsive enough to support
>>     regular ssh and VPN activity.
>>
>>
>> Avoid USB NIC's. Have a look at pfSense
>> <https://www.pfsense.org/getting-started/>
>> --
>> George N. White III
>>
>>
>
> Working on this as well.
>
> I have looked at pfSense and I am also looking at OPNsense
>
> https://opnsense.org/
>
> I have a friend that uses pfsense for a small network at a resort and
> does remote admin when required. For wireless he uses dedicated access
> points. IPFire looks interesting but it looks like it wants to be more
> than a firewall/gateway.
>
> https://www.ipfire.org/
>
> The one point my friend mentions is using separate network ports for the
> various vlans and combine at the firewall. He prefers this method for
> his network.
>
> I would look at a fanless solution as well. We have had some Intel
> based units that have been major problems with heat. Needed to be in
> cool rooms all the time. Cannot remember the name though.
>
> pfSense has a list of recommended hardware for throughput bandwidth.
>
> http://pfsensesetup.com/pfsense-hardware-requirements/
>
> It is interesting to read.
>
> Have fun.

If I may offer my $0.02, Fedora on production systems is not a great
idea. We manage well over 2000 servers each in two data centers. The
vast majority (>85%) are CentOS-based because of its relative stability.
The remainder are generally Ubuntu LTS-based, again because of its
relative stability.

Fedora changes every 6 months--sometimes in major ways that are not
necessarily backwards compatible with existing systems. It is very
cumbersome to update 3000+ servers every 6 months and deal with the
compatibility issues that crop up. We have to deal with those when
CentOS or Ubuntu gets a major upgrade (such as CentOS6 -> CentOS7), but
that happens every couple of years and is far more manageable.

As far as security is concerned, any significant security patches are
generally backported to CentOS and Ubuntu and applied when they come
out. The few cases where a patch can't be applied, well, those are
fairly rare and dealt with as what they are...exceptions to the general
rule.

At the network level, our VPNs and core routers are Cisco, our edge
switches are Foundry. We have two 10Gbps uplinks to the Internet so
smaller hardware is not an option. Fortunately, I'm well versed in
these beasties as Cisco IOS isn't a particularly intuitive system.

For a router/VPN gateway in a SOHO environment (even some medium-sized
cases), I'd go along with those who recommended using OpenWRT on
inexpensive router hardware. It is Linux-based and optimized for use on
such devices. It is relatively easy to manage via its web-based GUI and
does its job quite well. Fedora, or any full-up Linux system, is (IMHO)
overkill in such cases.

Having said all that, do what you wish.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks@xxxxxxxxxxxxxx -
- AIM/Skype: therps2        ICQ: 226437340           Yahoo: origrps2 -
-                                                                    -
-  There are only 10 kinds of people in the world -- those who       -
-  understand binary and those who don't                             -
----------------------------------------------------------------------