Current Status (2008-03) Now Using pfSense Open Source Router
(if you're not interested in this, skip to the "LinkSys BEFSX41 Overview" section, below)
In January of 2008, one after another, both our BEFSX41s developed hardware problems. We found that the current model won't run any of the "known good" firmware versions ... and I wasn't about to go through the pain of trying to find another firmware version that does work, given the complete flakiness of LinkSys' firmware releases.
In anticipation of having to replace one or more of these units, I'd previously purchased and tested a LinkSys RVS-4000 and found that none of the firmware releases available up to January of 2008 were reliable (this is confirmed by hundreds of web/forum postings). Seeing a pattern here (du-oh!) I'll not purchase any more LinkSys router appliances (I believe in "voting with my $" and recommend the same, for others).
After extensive investigation, we purchased a pair of NetGear FVS336G units, with the understanding that they could be returned if they didn't work as spec'd. While these units are not cheap (>$250 each), they support dual-WANs and have a built-in gigabit switch. It also appears that NetGear has their act together when it comes to the firmware.
I was very enthusiastic about these NetGear units and, after a few days of bench-testing, we put them into production. Unfortunately, a problem developed a day later. While I believe that the problem was a hardware failure, the place where we purchased the units was not willing to support any further troubleshooting and, since previously trying to get an answer to a simple question from NetGear had proven fruitless, we didn't proceed. Too bad, given the week's worth of time spent and the fact that I think these units would actually have proven to be quite good, assuming there wasn't some fundamental hardware problem.
Having had my fill of wasted time on inexpensive units, I investigated buying a proper Cisco router but gave that up because the general consensus is that their web-based interface doesn't work properly and, unless you hire a consultant or take their expensive training, you'll likely never get it configured properly without a huge investment in time. Cisco is also reported to be very abusive with their licensing, supposedly not allowing their licenses to be transferred (so buying a used unit is not advisable).
My next strategy was to investigate open source network appliances, since we had a couple of ol' PCs lying around, doing nothing. I spent a week and came up with the following results:
- LinkSys open source versions: no good because they require older versions of the WRT54 that are no longer in production (killing the open source stuff seems to be another foolish LinkSys approach ... maybe they were scared of cutting into the lower-end Cisco business)
- Vyatta vc3: looked promising but you'd better be a networking expert to use their web-based interface and the web-based configuration was very buggy
- IPcop 1.4.18: limited to single WAN and the use of the "red/green" abstraction for networks just left me cold (don't try to subvert industry standard terminology!)
- Untangle Gateway: initially, I didn't like the UI and the fact that they're trying to "do everything" instead of being focused but, in the end, I never got it to work with any of the 4 different kinds of NICs I had (all very common ones and supported by the other products)
- m0n0wall 1.232: looked good, well focused and worked well but no dual-WAN support ... the first one to appear as a candidate for use! (but I'd need to use 2 of them)
- ClarkConnect Community 4.2: requires yearly payments to support dual WANs and seemed to be a serious resource pig (i.e., ran quite slowly)
- Endian Firewall 2.2Beta2: seemed to be just an updated version of IPcop
- pfSense 1.2RC4 (now updated to 1.2 release): easily the "hands down" winner!
Open Source pfSense Really Works!
At the time I was doing the evaluations, the pfSense website had left me with little confidence so I actually put them last in my evaluation priority. They've since updated the web site for the 1.2 release and it's much better now. Although that caused me to waste more time testing all the other products, it did give me a much better appreciation of pfSense's quality (rationalizing?).
pfSense development started with m0n0wall but, whereas m0n0wall's focus is primarily minimal embedded hardware, pfSense's focus is on heftier embedded hardware and general purpose PCs. For the normal home and/or small business user, an ol' 300 MHz+ PC with 128 MB+ of memory will work very well. E.g., we're using an ol' Gateway 2000 300 MHz Pentium II with 192 MB and 2 mid-1990s 10/100 NICs and a "not so old" eMachines 1.8 GHz with a GB of memory and 3 NICs plus the built-in NIC. The eMachines system handles all our server traffic and hardly ever uses 10% of the CPU, and the Gateway machine hardly ever gets above 30% of the CPU. Both can easily outperform our 2.5 and 3.5 Mbit network connections.
There's also a well-used inter-office IPsec VPN tunnel always running between these two routers. The VPN has performed flawlessly. We're also using pfSense's traffic-shaping capabilities to prioritize VPN and VoIP traffic. In particular, the VoIP signal has been audibly more clear since moving from a different LinkSys/D-Link based solution to the pfSense solution for VoIP-traffic prioritization. At the time I wrote this, we've been using pfSense in production at both offices for about 1.5 months and have updated from 1.2 RC4 to 1.2RC5 to 1.2 release, all via the web-based interface and all without problems.
Although pfSense's web-based interface requires a little more knowledge about networking than, say, a LinkSys' web-based interface, it's not really that bad. More importantly, it uses standard networking terminology (so you can look up terms and figure things out) and the web-based interface really works! I can't emphasize this enough ... pfSense has sort o' been like a Mac ... it just works.
The community support is also quite good (I subscribe to the mailing list, but there are also forums). I'm a 30-year+ software type so I know high-quality software when I use it ... and pfSense definitely fits that bill. Very impressive. pfSense also scales to enterprise-level performance and features, supporting such capabilities as multiple WANs with failover, and has commercial/paid support available. For small businesses, it's a shoo-in. If you're looking for a solid gateway/firewall/router/VPN/etc. appliance, look no further.
LinkSys BEFSX41 Overview
These instructions are designed to help you create a Virtual Private Network (VPN) connection, often called a tunnel, using Mac OS X 10.3.x and a LinkSys model BEFSX41 network appliance (it's a Router/Firewall/VPN). These instructions have been developed using OS X version 10.3.2 through 10.3.4 and LinkSys BEFSX41 firmware version 1.4.4.7 dated Jan 09, 2003. Other versions may or may not work (version 1.41.1 is reported to work, also). Version 1.45.3 did not work (no VPN) for me and I have not been brave enough to try Version 1.50.18, yet (but reports are that 1.50.18 works well). If you discover that other versions do/don't work, let me know the LinkSys and Mac OS X versions and I'll update this information, as appropriate. Readers confirmed that the "Instructions and IPSecuritas software works with OS X version 10.3.4 and a LinkSys BEFVP41 [using] firmware version 1.4.0.4 and 1.41.0 dated May 08, 2003." (thanks Justin and Mike!).
The key to accomplishing this task without requiring an extraordinary amount of effort and time is a fine piece of software called IPSecuritas. Furthermore, IPSecuritas is freeware! These instructions refer to version 2.0.5 of IPSecuritas. I also feel that we all owe Lobotomo Software at least a debt of gratitude (or, better yet, donations) for IPSecuritas. Christoph (of Lobotomo Software) has also been gracious enough to review these web pages and provide his feedback.
I have been successful at setting up and using, within certain limitations, both a host-to-network and a network-to-network VPN connection. In addition, I have been able to do this both via an ethernet-based/broadband connection and via a dial-up/PPP connection. These efforts were initially driven by the desire to be able to create a VPN connection from a laptop to the subnet(s) at our office(s) when travelling. We have successfully met this objective.
I should mention that this is meant to be a limited and somewhat prescriptive setup guide, only. There are undoubtedly additional ways to accomplish even my objectives, let alone others' objectives. It is my hope that the time I spent in preparing this material will help many others save considerable time. However, I will also state that my IPSec knowledge is about enough to make me quite dangerous so the explanatory information is, rightfully, limited. I also had no intent of supplanting or repeating the IPSecuritas or LinkSys documentation.
Update (2005-01): I updated our BEFSX41s to firmware version 1.51.00 and have seen no ill effects using the equivalent configuration documented herein. In fact, there seems to be increased VPN performance, but I've not done any formal testing so that could be due to increased bandwidth from our ISP (though I doubt it). I've also not tested any of the items identified as being problems with the previous firmware release we were using. While the user interface is significantly different with 1.51.00, it does have about the same features as the 1.4.x version documented via the screenshots herein. You'll need to figure out the mapping ... sorry, but I don't have the (considerable) time it takes to revamp these pages right now. The one difference I found was that VPN passthrough needed to be enabled even though I'm using the router-to-router/network-to-network/endpoint-to-endpoint VPN settings. The other difference I found is that the improved NAT capabilities now allow me to use our external web-server/WAN address on our internal network/LAN. Previously this was not possible and was quite inconvenient in many instances (those of you who have dealt with this, and the corresponding internal-versus-external DNS setups, will understand and appreciate). As a final comment, I strongly recommend reading the forums supplied via the 1.51.00 link above.