[kwlug-disc] netalyzr/ispgeeks interpreting [was: Re: Reliable Broadband speed test]
unsolicited
unsolicited at swiz.ca
Mon Mar 7 12:32:06 EST 2011
Cedric Puddy wrote, On 03/07/2011 11:59 AM:
> I can't recall what tuning opportunities exist for PIX 501's
> (presumably running 6.3(5) or so, if I remember the "latest"
> version number right).
Correct.
> As an aside, we are selling 10 user ASA-5505 boxes for less than
> $600 these days (and there is always eBay!), and they are a drop in
> replacement for PIX boxes (same config language -- you just load
> your old config on the new box via tftp, it converts it to the new
> format. You do a bit of tidy up, and you're back in the game.).
> As has been remarked before, Tomato can be really cheap n' *very*
> easy when it comes to QoS, generally runs well.
The real motivator for any move is QoS.
And if I'm going to move to a device, I'd likely just use my Netgear
wndr3700. It's got OpenWRT running on it - though I've done nothing
with it beyond loading the (OpenWRT) stock. OTOH - I do see Tomato
here on the list somewhat frequently.
Not entirely comfortable with the wi-fi gateway + other gateways
(wired) on the same edge box, though. Probably mostly due to
problematic experiences in the past with hardware sections within a
box not being entirely segregated, let alone problematic NAT'ting when
you have to NAT both source and destination IPs at the same time.
Seldom, but it does happen.
> Alternatively, a pfsense/IPCop/etc can make really full featured
> replacements.
Yet I keep running into references of myth, lmce, asterisk, and on and
on, wanting to be the master of the universe and edge device. Leading
me towards a box, not a device, nor a black box.
Truth?
I've long thought there is a quick point at which doing too many
things on one box makes everything harder to maintain, especially as
you get into unexpected inter-relationships and 'race' conditions (A <
B here in this section, but B < A in the other, and you need the two
to cooperate. Before processing C, here, but after processing C, there.)
[Easiest to maintain has always seemed a firewall on the edge, VPN box
with some firewall abilities next, then the rest of the internal
network. Seems to cover all eventualities. Can even permit some
redundancies, too.]
However, I keep seeing where these apps want to be the edge devices.
Perhaps analysis paralysis.
> I keep meaning to download and explore Vyatta as a
> possible software firewall, since they make so much noise about
> being a commercial grade alternative to Cisco and friends, and do
> have a freely downloadable Core edition.
Well ... the trial by fire nature and testing of playing with
firewalls does tend to irk the internal network users ... some of whom
are sufficiently close to be able to strike us with rubber baseball
bats ... mentioning no person or gender in particular, you understand.
Despite all their claims to non-violence and passive resistance.
The nature of the beast means such playing can be hazardous to one's
health. And humans seem to have a reasonably well refined sense of
self-preservation.
> (Oh, and I'd just like to say it would really make me happy if an
> industry consortium would make OpenVPN an across-the-board standard
> -- I'm really not happy about this
> proprietary-one-manufacturer-at-a-time thing that's going on with
> SSL VPN offerings these days.)
WHAT? A ONE TRUE WAY? No more re-learning curves? As in, the problem's
been solved, and the mousetrap is sufficiently invented to be able to
move on to other things?
Heathen!
Apparently.
Let alone - even the function set of edge devices seems to be in a
state of flux and expansion these days, a moving target. Leading to
repeated cycles of one-upmanship. And, presumably, putting food on your
table.