Features

From securityrouter.org, an OpenBSD-based firewall

This is a continuously updated list of what the security router software currently supports. There is also a comparison with other relevant vendors.

  • General
    • Combines a router, firewall, VPN and load balancer in the same product
    • Available as both software/virtual and hardware
    • Open source; OpenBSD with available patches, with web, LCD and other interfaces being open scripts (except for the backend process)
    • Revision-managed single configuration file with soft reconfiguration
    • Open SOAP and REST API that controls the entire system
  • VPN
    • Manual key IPsec
    • IKE (ISAKMP) for automatic keying IPsec
    • IKEv2 with mobile support (MOBIKE)
    • L2TP and PPTP VPN server
      • DNS suffix (search domain) and explicit routes support via DHCP inform
      • RADIUS support with groups using filter-ID
    • GRE, IPIP (RFC 1933) and Ethernet (RFC 3378) tunnels
    • High availability using SA synchronization
  • Routing
    • BGP with support for IPv6, TCP-MD5 and VPNs using extended communities
    • OSPF and OSPFv3 (IPv6)
    • Equal-cost multi-path routing
    • VRFs using routing domains
    • Policy-based routing
    • IPv6 SLAAC and DHCPv6
    • LDP for MPLS (provider edge)
    • Multicast and DVMRP
  • Ethernet
    • PPPoE client
    • Bridges with RSTP
    • VLANs (802.1q)
    • QinQ VLANs (802.1ad)
    • Trunking and link aggregation with LACP
  • Other
    • DHCP server, client and relay
    • DHCPv6 server, client, prefix delegation and relay
    • IPv6 router advertisement and solicitation
  • Management
    • Hierarchical human-readable configuration file format
    • Atomic commits (soft reconfiguration, no reboot requirement, ever) thanks to backend
    • Full SOAP API
    • Test configurations for a specified time (always reverts perfectly)
    • Revision-based configuration, with message, user, timestamp and diffing
    • Full IPv6 support, even for online software updating
    • Root access option
    • The usual features, such as
      • NetFlow export
      • Much more...
  • Clustering
    • Optional zero-config clustering using dedicated cluster port
    • Active/passive and active/active high availability
    • CARP (address redundancy)
    • Configuration, firewall, IPsec and DHCP synchronization
  • Firewalling
    • Stateful packet filtering
    • Full IPv6 support (dual stack, without rule duplication)
    • Policy-based rulesets with packet tagging
    • Quality of service with hierarchical queueing
    • Alterations such as NAT, redirects and policy routing in-line with rules
    • PPTP and FTP proxies
  • Load balancing
    • Layer 3 forwarding with many probe conditions
    • Layer 7 proxy with SSL acceleration support
    • Route alternation
    • Internet failover