Advice for SOHO firewall gear?

Bradd---

The Soekris unit is very nice; I have used them and they are great. However, you do not need to buy the box for the software: if you have an old PC you can get the source from

formatting link
I actually boot from a CD and save the config on a floppy, using a P-133 with 128MB of RAM.

Reply to
Chad Mahoney

I'm planning to expand my home/hobby network from a small gateway-server setup to a larger, more secure screened-network architecture, and I would like advice on firewall gear. My requirements:

- Minimal space, noise, and power consumption

- Stability and reliability (no lock-ups, no corruption, no hassle)

- Reasonable cost for home/hobby use ($500 is OK, but $5,000 is not)

- Firewalled routing from perimeter network (DMZ) to trusted network

- Support for both full routing and NAT routing

A three-homed router with WAN, LAN, and DMZ ports is OK, so long as it supports filtered routing in both directions between LAN and DMZ. A traditional two-router setup is also OK, so long as the initial cost stays well under $1,000 and the power consumption is very low.

Here's what I've been considering so far, with approximate costs. Please add your own comments, and feel free to recommend other equipment that meets my requirements.

Watchguard Firebox X5 ($300 + $100/year): At first, this three-homed router looked ideal. Unfortunately, its configuration is not flexible enough for my needs. For example, you can choose to permit routing from the DMZ network to the LAN, but you can't just open a single port (e.g., for mail routing) -- the DMZ->LAN firewall is all-or-nothing. That means I'd need two routers, which is pushing my budget limits.

SonicWALL TZ 170 ($350 + $100/year): This is another three-homed router. I think it'll do everything I need, but I couldn't tell from the manuals (which I found confusing, even though I'm good at reading manuals). I've heard a lot of positive comments about SonicWALL, but a few users have complained of poor stability and support in the TZ line. I'd appreciate more data.

SonicWALL TZ 170 Wireless ($550 + $100/year): As above, plus wireless networking. Seems overpriced, unless the wireless features are a lot better than what you can get from a Linksys receiver. Is the combo worthwhile, or should I buy a separate receiver?

Cisco SOHO 91 ($250 + $100/year): If I understood the spec sheets correctly, this is a two-homed router, so I'd need two of them. I know very little about this box.

D-Link DFL-200 ($250): Another three-homed router. I have very little information about it so far, except some rumors that it's OEMed from a reputable high-end firewall maker. I haven't had time to read the manual yet.

Small-form-factor computer ($600): I've also considered building a firewall computer on a Shuttle platform. The higher cost and power consumption would mandate the three-homed approach, since two routers would be too expensive. The major problem here is getting three Ethernet adapters into a Shuttle box, since they only have one built-in port and one PCI slot.

Reconfigured server ($50 + much labor and risk): I'm planning to retire my existing server; with just a couple of extra parts, I could turn it into a dedicated firewall/router instead. Unfortunately, it also means that I can't switch to the new network setup seamlessly. I expect a lot more risk and hassle with this approach.

Reply to
Bradd W. Szonye
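To make concrete what "filtered routing in both directions between LAN and DMZ" means in practice, here is an added example of an OpenBSD pf ruleset for a three-homed box of the kind discussed in this thread. It is not from the original post or from any of the vendors mentioned; interface names, addresses, and the mail hosts are assumptions, and the `nat-to`/`rdr-to` syntax is that of OpenBSD 4.7 and later. The point it demonstrates is the one the Firebox X5 was faulted for lacking: the DMZ is denied access to the LAN as a whole, yet a single port to a single host is opened for mail relaying.

```pf
# Added example, not the thread's or any vendor's configuration.
# Three-homed screened network: WAN, trusted LAN, perimeter DMZ.
# All interface names and addresses below are assumed.
ext_if = "sis0"               # WAN
lan_if = "sis1"               # trusted LAN
dmz_if = "sis2"               # perimeter network (DMZ)

lan_net   = "192.168.1.0/24"
dmz_net   = "192.168.2.0/24"
mail_host = "192.168.1.10"    # internal mail server on the LAN (assumed)
dmz_mta   = "192.168.2.25"    # mail relay in the DMZ (assumed)
dmz_www   = "192.168.2.80"    # public web server in the DMZ (assumed)

set skip on lo0
set block-policy drop

# Drop packets that arrive on the LAN or DMZ side with a source address
# that does not belong to that segment.
antispoof quick for { $lan_if, $dmz_if }

# NAT: LAN and DMZ hosts leave the WAN interface with its address.
match out on $ext_if from { $lan_net, $dmz_net } to any nat-to ($ext_if)

# Default deny; anything not passed below is dropped and logged.
block log all

# Policy is enforced on the interface where traffic enters the firewall;
# once a packet has passed an ingress rule, let it leave on any interface.
pass out all

# Trusted LAN may reach both the DMZ and the Internet.
pass in on $lan_if from $lan_net to any

# DMZ may reach the Internet and nothing on the LAN side.
# (The "all-or-nothing" variant would be: pass in on $dmz_if from $dmz_net)
pass in on $dmz_if from $dmz_net to ! $lan_net

# The single DMZ->LAN hole: the DMZ relay may deliver mail to the internal
# mail host on TCP 25, and only that host, only that port.
pass in on $dmz_if proto tcp from $dmz_mta to $mail_host port 25

# From the Internet, only the published DMZ services, redirected inward.
pass in on $ext_if proto tcp to ($ext_if) port 25 rdr-to $dmz_mta
pass in on $ext_if proto tcp to ($ext_if) port 80 rdr-to $dmz_www
```

The design choice worth noting is the ordering: pf uses last-match-wins, so the broad `pass in on $dmz_if ... to ! $lan_net` rule is followed by the narrow mail exception rather than preceded by it, and the `block log all` at the top means a forgotten rule fails closed and shows up in the pflog. Changing the exception to a different port or host is one line, which is exactly the flexibility the original post was looking for in an appliance.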

You should call them - I've installed about 100 Firebox units in the last two years, none of the X5, so I can't say for sure, but I've always been able to create custom IP:Port to IP:Port rules through the LAN/DMZ on their SOHO units, same with their larger units.

Call and ask them specifically about this.

Also, where did you get the idea that it won't work?

Reply to
Leythos

That sounds like a lot more flexibility than the Firebox Edge units offer. Maybe it's just not obvious how to do it from reading the manual. It explains how to limit LAN->DMZ traffic, and how to disable DMZ->LAN filtering entirely, but there seemed to be no support for tailoring DMZ->LAN traffic.

I may do that, although I'm currently leaning away from the appliance solutions. Somebody pointed me to Soekris systems, which (at first glance) look ideal for my needs: inexpensive, configurable, small, and low power consumption.

I read the manual.

Reply to
Bradd W. Szonye

The problem with using a full-size PC is that I don't have much room or electrical power to spare. The Soekris 4801 is inexpensive, small, and only draws 15 watts, which means I can actually afford to build two routers for a complete screened-network setup.

Reply to
Bradd W. Szonye

Unless you are absolutely sure you know enough to secure the OS and firewall services running on the computer, an appliance is the ideal way to go - they are small, consume less power than a PC, are more reliable than a PC, have fewer moving parts; the only drawback is that they don't always offer the ability to add everything-under-the-sun to the setup/config like a system running on a PC would.

I have yet to install a dedicated PC (other than for Firewall-1) in any location, the appliances have always provided the best cost/performance option for us.

Reply to
Leythos

I do.

The Soekris systems (and the similar WRAP systems) are embedded PCs. They have no moving parts and only draw 5 watts of power, but they're just as flexible as a general-purpose computer, at least for router duty. That's why they look ideal for my needs.

Reply to
Bradd W. Szonye

Hi Bradd,

You may wish to investigate "Security" of the Cisco Solution Designer:

formatting link
Sincerely,

Brad Reese
BradReese.Com Cisco Resource Center
Toll Free: 877-549-2680
International: 828-277-7272
Website:

formatting link

Reply to
BradReeseCom

Sorry, that was not at all helpful. It only produced a network map (which I already have) and a link to Cisco sales. Furthermore, the architecture it suggested is far beyond my needs and my budget.

Reply to
Bradd W. Szonye
