Decision for FreeBSD router


bichumo
07-02-2008, 11:04 AM
Hi,

Which would be the best solution for a FreeBSD router with ~800 clients? The requirements are to be able to monitor all the traffic graphically, to do traffic shaping, to disconnect users for illegal content, to block p2p... Also a VPN server is needed (at this time, in the old environment, OpenVPN is used). There is a lot of software; what would most of you recommend in such a situation?

Thanks for any suggestions.

jb_daefo
07-02-2008, 12:50 PM
pfsense or m0n0wall? While researching network routing, I ran across a *HUGE* howto page for one or the other (or a third) of them. Find and check that (unknown) page at least... hint: one page, 20 pages long, with illustrations.

I just tried to find it and couldn't (online). Maybe I saved it as HTM, but too many files to check...

robbak
07-02-2008, 02:15 PM
You are on a loser if you want to block all p2p. p2p systems (with the exception of BitTorrent, which is designed as a legitimate way to transfer legal files) try to act as standard traffic, often using the HTTP ports in normal ways: allow HTTP and you allow p2p too.

Of course, what you require is a check-box solution to convince a PHB that you are doing that, so all you need is some harmless block-out rules on a few common ports. Totally ineffective, of course, but that is a feature, not a bug.

(I am sorry if this came across as an insult to anyone: it was merely a statement of fact (or maybe opinion): blocking all p2p without blocking normal traffic is not possible; encryption and abusing common port numbers (25, 80, 443, 110...) will get you through.)

ai-danno
07-03-2008, 08:33 PM
You are on a looser if you want to block all p2p.

Um, if you are going to insult someone, at least do it with words you know how to spell... wow.

And BTW, with some well-written snort rules, you can block p2p traffic. So maybe it's you who's the 'looser'.

Personally, though, I wouldn't use m0n0wall or pfsense until I had a firm grasp of the underlying technologies they use. Grabbing one of those security platforms is great, but if you don't know what makes them tick you will be the constant support slut on the mailing lists and forums, and your level of expectation will be constantly shot down.

So learn how PF works. Learn how Snort works (and in which cases it's good and not so good). Learn about BASE, MRTG, and Cacti... actually educate yourself on the tools of the trade before you pick one of those open-source platforms.

At a job we picked Astaro as a commercial firewall/IPS solution. It's not free, but its menu/admin system is decent. The problem is, if we didn't know how to operate the underlying open-source apps it strings together behind its glossy front-end, we'd have been up the creek without a paddle a long time ago.

Go figure... actually knowing what you're doing can pay off. Huh.
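As an added example (not code from either poster or from any of the projects named in the thread), the following Python script makes robbak's claim and ai-danno's Snort-rule counterpoint concrete side by side. It runs three blocking strategies over constructed flow samples: a port-based rule, a payload-signature rule of the kind a Snort content rule expresses (keyed on the plaintext BitTorrent handshake prefix), and a "must look like TLS on 443" rule. The sample payloads, the flow names, and the rule functions are all this example's own assumptions; the TLS and OpenVPN byte prefixes are illustrative stand-ins for the real first bytes of those protocols, not captured traffic.

```python
"""Port vs. payload-signature vs. protocol-shape blocking of p2p, over
constructed flow samples. Added example; not the thread's own code."""

from dataclasses import dataclass

# Ports a naive "block p2p" rule set would target (BitTorrent and eDonkey defaults).
P2P_PORTS = set(range(6881, 6890)) | {4662, 4672}

# Plaintext BitTorrent handshake prefix: pstrlen (19) followed by the protocol
# string. A content-matching IDS rule keys on exactly these bytes.
BT_HANDSHAKE = b"\x13BitTorrent protocol"


@dataclass(frozen=True)
class Flow:
    name: str
    dport: int
    payload: bytes  # first bytes the client sends on the connection


def port_rule(flow: Flow) -> bool:
    """Block if the destination port is a known p2p default."""
    return flow.dport in P2P_PORTS


def signature_rule(flow: Flow) -> bool:
    """Block if the payload carries a plaintext BitTorrent handshake."""
    return flow.payload.startswith(BT_HANDSHAKE)


def strict_443_rule(flow: Flow) -> bool:
    """Block anything on 443 that does not start like a TLS handshake record
    (content type 0x16, major version 0x03). This does catch obfuscated p2p on
    443, but it also blocks every other non-TLS use of that port."""
    return flow.dport == 443 and flow.payload[:2] != b"\x16\x03"


# Constructed sample flows (illustrative payloads, not captured traffic).
FLOWS = (
    Flow("bt_default_port", 6881,
         BT_HANDSHAKE + b"\x00" * 8 + b"\x11" * 20 + b"-XX0000-abcdefghijkl"),
    Flow("bt_on_443", 443,
         BT_HANDSHAKE + b"\x00" * 8 + b"\x22" * 20 + b"-XX0000-abcdefghijkl"),
    # Message Stream Encryption: the client's first bytes are a DH public key
    # plus random padding, so nothing recognisable is on the wire.
    Flow("bt_encrypted_on_443", 443, bytes((i * 73 + 11) % 256 for i in range(96))),
    # TLS ClientHello record header (constructed stand-in).
    Flow("https", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    # OpenVPN over TCP: 2-byte length then a control opcode (constructed stand-in).
    Flow("openvpn_tcp_on_443", 443, b"\x00\x2a\x38" + b"\x55" * 41),
    Flow("http", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
)

RULES = {"port": port_rule, "signature": signature_rule, "strict_443": strict_443_rule}


def blocked_by(rule_name: str, flows=FLOWS) -> list:
    """Names of the flows a given rule would block."""
    rule = RULES[rule_name]
    return [f.name for f in flows if rule(f)]


def evaluate(flows=FLOWS) -> dict:
    """For every rule: which p2p flows slip through and which legitimate
    flows are blocked as collateral damage."""
    p2p = {f.name for f in flows if f.name.startswith("bt_")}
    report = {}
    for name in RULES:
        blocked = set(blocked_by(name, flows))
        report[name] = {
            "missed_p2p": sorted(p2p - blocked),
            "collateral": sorted(blocked - p2p),
        }
    return report


if __name__ == "__main__":
    for rule, r in evaluate().items():
        print(f"{rule:10s} missed p2p: {r['missed_p2p']}  collateral: {r['collateral']}")
```

Read against the thread: the port rule catches only the client that stayed on 6881, the signature rule (ai-danno's point) also catches the plaintext handshake on 443, and neither sees the encrypted session. The only rule that stops the encrypted session is the one that refuses non-TLS on 443, which in the same pass takes out OpenVPN over TCP 443, one of the OP's own requirements (robbak's point). Any real deployment would hang the "disconnect a user" action off such a classifier, e.g. by adding the offending source to a PF table that a block rule references, rather than off the port list alone.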