Why use a server-grade firewall-gateway for a small network?
Why do I recommend an external firewall-gateway router, and not running a host server as a network gateway?
The following is worded around Mac OS X and Mac OS X Server, but applies to the other host operating systems I've worked with over the years.
Most any general-purpose operating system will be a comparatively slow, expensive and awkward IP router; the hardware and software of a general-purpose OS just aren't built to shove packets through at speed. Use the right tool for the job.
What is a server-grade firewall-gateway?
A server-grade firewall usually has some combination of a VPN server, advanced port-forwarding, dynamic DNS registration, a DMZ, a whitelist and a blacklist, a relay blacklist via Spamhaus or other providers, remote logging, and remote authentication (usually RADIUS) capabilities.
Why use an external gateway firewall?
It's because …
- …it is usually easier to configure a VPN server at the edge of a NAT network than to establish host-based VPN services. Your VPN-connected client works like another host on the target LAN, and you don't have to deal with port-forwarding and protocol support.
- …this avoids trying to run a VPN via NAT, as the usual one and increasingly two NAT traversals and gateways lurking in modern network connections can cause various VPN client connections to fail with obscure symptoms.
- …a gateway VPN server is more likely to be operational than the target server. You're probably (also) using the VPN to remotely manage a server, and if the server is having troubles or is down, then a host-based VPN is also down. With a gateway-firewall VPN server, you can still connect to other clients or to a network-connected UPS or a network power strip, and can also usually send a Wake-on-LAN (WoL, magic packet) to try to resolve the issue with the server.
- …you have to explicitly connect to the gateway to change security, where a host firewall can be (adversely) affected by installing or removing or reconfiguring software and services. Ending up with an unintentionally exposed port because of something you're doing on your LAN is no fun. Server Admin, Server Preferences and the other tools can open ports both onto your LAN and out on the WAN.
- …Apple's WiFi devices (Airport Extreme, Time Capsule) have had some issues with passing through VPN ports and protocols over the years, and L2TP has been the most problematic. (MobileMe can get in the way here, for instance.)
- …Having a directly-connected host getting hammered by an attack is not fun and does consume host resources, but that tends to be rate-limited by your network link. Getting hammered does fill your server logs, and that can be used to obscure something (else) that's going on in parallel.
- …It allows you to test your server more easily on your LAN. With the gateway-firewall in place you can disable any port forwarding, and then drop your server firewall for LAN testing.
- …Mac boxes and most any other general-purpose server operating system make poor (expensive, slow, awkward) IP routers. It's possible to configure this with Mac OS X and Mac OS X Server, but it's not particularly well supported in my experience, and more than a few folks and more than a few operating systems have gotten to where you have to use the command line to manage these configurations.
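The "unintentionally exposed port" problem above is easy to check for: compare what the host is actually listening on against the services you meant to offer. The following is an added example, not code from the original post; it parses BSD/macOS-style `netstat -an` output (the sample text and the allowlist are constructed for the example) and reports any socket bound beyond loopback that isn't on the list.

```python
"""Audit listening sockets against an allowlist of intended services.

Parses BSD/macOS-style `netstat -an` output. SAMPLE_NETSTAT below is
constructed for this example, not captured from a real host.
"""
from __future__ import annotations
from dataclasses import dataclass

SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  192.168.1.10.22        203.0.113.7.51234      ESTABLISHED
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp6       0      0  *.548                  *.*                    LISTEN
tcp4       0      0  *.5900                 *.*                    LISTEN
udp4       0      0  *.5353                 *.*
udp4       0      0  127.0.0.1.49152        *.*
"""

# Services this host is meant to offer on the LAN (constructed allowlist):
# ssh, AFP file sharing, and Bonjour.
ALLOWED = {("tcp", 22), ("tcp", 548), ("udp", 5353)}


@dataclass(frozen=True)
class Listener:
    proto: str   # "tcp" or "udp"
    addr: str    # bound address; "*" means every interface
    port: int


def parse_netstat(text: str) -> list[Listener]:
    """Extract bound sockets from `netstat -an` output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue  # banner, header, or unix-domain sockets
        proto = fields[0][:3]            # tcp4/tcp6/udp4/udp6 -> tcp/udp
        local = fields[3]
        state = fields[5] if len(fields) > 5 else ""
        # Only TCP sockets in LISTEN matter; a bound UDP socket has no state.
        if proto == "tcp" and state != "LISTEN":
            continue
        addr, _, port = local.rpartition(".")  # BSD netstat joins addr.port
        if not port.isdigit():
            continue
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def unexpected_exposures(listeners, allowed=ALLOWED) -> list[Listener]:
    """Listeners reachable from the network that are not on the allowlist."""
    return sorted(
        (l for l in listeners
         if l.addr not in ("127.0.0.1", "::1")
         and (l.proto, l.port) not in allowed),
        key=lambda l: (l.proto, l.port),
    )


if __name__ == "__main__":
    for l in unexpected_exposures(parse_netstat(SAMPLE_NETSTAT)):
        print(f"unexpected {l.proto}/{l.port} bound on {l.addr}")
```

On a live host you would feed the output of `netstat -an` into `parse_netstat` instead of the sample; in the sample, VNC on tcp/5900 bound to every interface is the one exposure that the allowlist doesn't account for, which is exactly the kind of thing a screen-sharing preference pane can switch on without touching the gateway.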
There are other reasons, but I seem to be getting this question fairly regularly.
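The point about a flood of attack traffic filling the logs and hiding something else deserves a concrete illustration. The following is an added example, not code from the original post: it parses sshd-style authentication messages (the sample lines are constructed, not real log data), identifies the sources producing the flood, and pulls out the events that are not just more of the same noise, including the one case you most want to see, a successful login from an address that was brute-forcing.

```python
"""Separate a brute-force flood from the rarer events it can hide in a log.

SAMPLE_LOG is constructed for this example in the style of sshd messages
and is not real log data.
"""
from __future__ import annotations
import re
from collections import Counter

SAMPLE_LOG = """\
Mar  3 02:14:01 server sshd[4021]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Mar  3 02:14:02 server sshd[4023]: Failed password for invalid user oracle from 203.0.113.5 port 51130 ssh2
Mar  3 02:14:03 server sshd[4025]: Failed password for root from 203.0.113.5 port 51141 ssh2
Mar  3 02:14:03 server sshd[4027]: Failed password for invalid user test from 198.51.100.9 port 40010 ssh2
Mar  3 02:14:04 server sshd[4029]: Accepted publickey for deploy from 192.0.2.77 port 61000 ssh2
Mar  3 02:14:05 server sshd[4031]: Failed password for root from 203.0.113.5 port 51160 ssh2
Mar  3 02:14:06 server sshd[4033]: Failed password for invalid user guest from 203.0.113.5 port 51171 ssh2
Mar  3 02:14:07 server sshd[4035]: Accepted password for admin from 203.0.113.5 port 51188 ssh2
"""

# Matches both "Failed password for invalid user X from A.B.C.D port N"
# and "Accepted publickey for X from A.B.C.D port N".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse(text: str) -> list[dict]:
    """Turn raw log lines into dicts; lines that don't match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def flood_sources(events, threshold: int = 3) -> set[str]:
    """Sources with at least `threshold` failed logins are treated as the flood."""
    failures = Counter(e["src"] for e in events if e["outcome"] == "Failed")
    return {src for src, n in failures.items() if n >= threshold}


def buried_events(events, threshold: int = 3) -> list[dict]:
    """Everything that is not just another failure from a flood source.

    This is the short list a reader skimming the raw log is likely to miss."""
    flood = flood_sources(events, threshold)
    return [e for e in events
            if not (e["outcome"] == "Failed" and e["src"] in flood)]


def successes_from_flood_sources(events, threshold: int = 3) -> list[dict]:
    """Worst case: a login that succeeded from an address that was hammering us."""
    flood = flood_sources(events, threshold)
    return [e for e in events
            if e["outcome"] == "Accepted" and e["src"] in flood]


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("flood sources:", sorted(flood_sources(ev)))
    for e in buried_events(ev):
        print(f"{e['ts']} {e['outcome']} {e['method']} {e['user']} from {e['src']}")
    for e in successes_from_flood_sources(ev):
        print(f"ALERT: {e['user']} logged in from flood source {e['src']}")
```

With remote syslog from the gateway feeding a script like this, the five failures from 203.0.113.5 collapse into one line, and the three events that matter (a second probing source, a legitimate key-based login, and the successful password login from the flooding address) are what you actually read.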
Selecting a Firewall-Gateway Product?
No, the vendors don't make this easy. They'll toss all sorts of charts and diagrams and (the worst offenders) giant feature lists. Simplicity and ease of use often get short shrift, too.
I usually make the following general selection recommendations...
- Review the product manuals for clarity and content. If you can't fathom the product manual, you'll probably have difficulty with the product. (This is an amazingly simple, effective and low-cost test for how much the product vendor has spent on the device user interface (UI). If the vendor chooses to short-change the UI or the product testing or capabilities to meet their costs and requirements, one of the first spots that will suffer for the trade-offs is the product documentation.)
- Look for specific features, such as a VPN server, easily-managed port-forwarding, RADIUS, syslog remote logging, a DMZ or whatever particular additional capabilities you might require.
- Also ensure the web-management interface for the firewall-gateway product is supported with a web browser other than the usual Microsoft Internet Explorer, such as Mozilla Firefox, Google Chrome or Apple's Safari, if the product is not specifically supported on Mac OS X, Linux or another platform other than Microsoft Windows. Support for a browser other than Microsoft Internet Explorer means the UI is likely to work with a browser you have available to you; a web interface tailored for MSIE isn't necessarily compatible with other web browsers.
- Look for a product that does not require a vendor-supplied software client as its exclusive means of establishing a VPN. Those tend to go stale, and you're left with a down-revision client or no client, and would then need to replace the firewall. Having a custom client in addition to a standard L2TP or PPTP or IPsec client is fine, but it should not be your only choice.
- Ensure you can acquire enough VPN client licenses for the product to meet your planned needs. Products can be limited in the numbers of VPN clients provided or permitted, or in the numbers of users that can be registered in the firewall-gateway if you're not using RADIUS authentication.
- If you're dealing with a changing user base, then look to a certificate-based authentication scheme, or to RADIUS into your Open Directory (LDAP) directory, for the VPN authentication, as those credentials can be more easily revoked.
- If you need the anti-malware tools and services that many of the mid- and upper-end products offer, have a look at the capabilities and the costs of the subscriptions.
This can narrow your choices down to a few, and you can then see if you can try a few of these products on-site.
As for specific firewall-gateway product selection suggestions, I don't usually make those directly, as the products tend to change. (Some of these products seem to have a product lifetime comparable to a fruit fly, and corporate reorganizations and corporate acquisitions and Go To Market or Agile or Clo[u]d Services or whatever current buzz-phrasery infests corporate management and spew can play havoc with a product or a company in very short order.)
There are other things you can utilize here, too.
And those parental control blacklists? Parking Facebook there is obvious to various folks, but those are also great spots to list the big advertising servers on the Internet.
I'm presently testing pfSense and M0n0wall firewalls, so we'll see how those compare with the various available commercial firewall-gateway offerings I've worked with.
My opinions here, of course.
Interested in more information on these and related topics here at HoffmanLabs? See the Index: Mac OS X Server and Client Networking index page as a starting point.
Comments
I was also surprised how some important nodes were exposed directly to the wild. People mostly get the cheapest router they can find and expect a lot from that little piece of plastic. Some are better, and I assume the linksys wrt54gl is the one to buy, if you have no bucks to get enormous bang. For me, the choice is either dd-wrt or openwrt. Native firmware tends to lock the user into preformed performance. After upgrading, I was able to scale up/down radio power and tweak almost all issues. The very hardware is less than ideal and some newer devices are available, for instance the asus rt n16. Some routers let the user attach a usb drive and torrent, download or control all that could be scriptable.
I have no experience with mac routers. I can just say that they are pretty expensive in my area.