Internet-BGP-Firewall or Internet-FW-BGP

Hello guys, first of all, thank you for all your support.

For the moment I have NO firewall and no BGP router. I have my own /22 IPv4 now, and I'm putting my network in order.

I have an "existential doubt" because I bought 2 CCR1036 for BGP, but I want to use one of those routers as a firewall (IDS with Suricata).

1st: Is that a good idea? My overall outgoing traffic is 600Mbps on average with peaks of 800Mbps. I thought to put one router in front of all my traffic as a pass-through firewall, and then add some rules to block "attacks" or undesirable networks. Is that a good practice? May I do that with the CCR1036?

2nd: Should that firewall be in front of or behind my BGP router? What is the best policy?

Hi

I would suggest the BGP at the edge and the FW CCR as the core.

Provider ↔ BGP CCR ↔ FW CCR ↔ Rest of your network

Thank you p3rad0x. I was thinking about how to connect and configure the firewall; I cannot get the bridge config right.
[INTERNET]----eth1-[CCR BGP]-eth2-----eth1-[CCR FIREWALL]-ETH2-----[LAN SWITCH]

In "CCR Firewall", to let all the traffic in, do I have to bridge eth1 and ETH2, enable IP Firewall and then apply rules? Or is there a more efficient way to manage almost 1Gbps of traffic? With that config, may I filter L7?