SUGGESTIONS Hardware based firewalls... Is a home or small business router with built-in firewall acceptable ?

[Chris Sweeney]

What you expect from a Samsung? See how they work with Galaxy phones. No more Firmware updates for older models.
How much you think invest a producer of a router in security if the end price is just 10 -200 $
Nearly nothing.

LOL comparing cell phones with a 2 year at most lifespan to a router is hardly the same thing. Cell phones stop getting updates because they are obsolete and because newer software for them is often too much to run. Ask anyone with an Apple Product how well updates work on older phones. If you have an iPhone 4 running iOS7 for example you now have a laggy slow horrible phone. The phone has to be able to keep up with the software so that's hardly the same thing.

 

[magna.vis]

I don't know Chris. I see this often enough in the IT industry as well to know it's not limited to phones, and not usually strictly for technical reasons/limitations. They may give you whatever reasons they like, but the fact of the matter is that obsolescence is built into the lifecycle of these devices. The proof is in the simple evaluation of the question, "When does Samsung make money?" I don't intend to say that there isn't consideration of brand image when supporting devices, but the question then becomes, "How long must we to support this to look like we're doing our job to the average consumer, and what lies about supporting it are they most likely to buy- because question 1."

Not every version of a release has to be the same either. When the new iOS with Siri was released, that update was pushed to some older phones sans Siri. There's several companies like Linksys, Cisco, Belkin, etc, that all but abandon previous hardware generations when new lines come out. Go and find the firmware for the E3000 on the Linksys website. Pro-tip, don't waste your time. It's not there. Are you going to tell me that a simultaneous dual-band router with a Broadcom BCM4718 480 MHz processor, 64 MB of RAM, full gigabit (including WAN port), and USB support is too old to run Linksys' latest release? I have several friends running Tomato and DD-WRT (and 2 of these myself with Tomato on them), who would all disagree. These are highly capable devices with great performance. And the RT-N16 is still being sold new, it came out around the same time (middle 2010), and there are thousands of people happily running those. Heck, I still break out my old WRT54GS for testing sometimes. Good luck finding an updated Linksys firmware for that.

Don't get me started on the mobile phone market. That one gets me all kinds of bent out of shape.

http://en.wikipedia.org/wiki/Planned_obsolescence

 

[kmcdaniel]

PJBrown, as others have mentioned, your QoS plan isn't going to work. Additionally, you may run into another problem - buffer bloat (http://en.wikipedia.org/wiki/Bufferbloat).

How can you tell if you have buffer bloat? Easy - Start an upload of a video to YouTube. Browse the web. Do web pages start taking forever to load? If yes, then you likely have buffer bloat.

In your router, you need to be able to do two things:
1. Throttle your outbound traffic so that you can make absolutely sure your router is doing the queueing instead of anything upstream.
2. Provide prioritization of your data in the queue.

Pfsense does both of these things and is fairly easy to set up. It even has a wizard to set up traffic shaping for you. Keep in mind that in order for traffic shaping to work, you absolutely MUST tell the wizard a bandwidth value that is a little below your ACTUAL bandwidth (measure it).

That said, I've been fighting what I think is a bug in pfsense where it gets confused about the NAT states used by asterisk registrations to the VoIP provider.

Gomez, are you periodically losing trunk registration due to.the pfsense?

 

[GomezAddams]

Gomez, are you periodically losing trunk registration due to.the pfsense?

Well, I was. I ended up re-installing pfsense 2.1 from scratch, and the losing registration problem has not popped up since. One thing I did different this time around was to not turn any of the upnp stuff on.