Our firewall is close to dead. My boss wants to buy an expensive one. I think it's better to build. We had problems extending the old firewall, plus it would give us a chance to actually have OpenVPN on the firewall box itself. The trouble is figuring out how to get to a working solution that's flexible and affordable. Should we go with a trihomed solution? Should OpenVPN then listen on all interfaces, or just the external one? How does this all fit in with our Active Directory and DNS server? Can OpenVPN easily deal with Active Directory? How should packets be routed from the VPN connection to the internal network and to the DMZ? Should we go with a powerful little box that has iptables on the hardware and something like Virtualbox + PHPVirtualbox for everything else? By the way, we were using a Secure Computing box before.<div>
<br></div><div>The AD box can then be virtualized and consolidated inside the one physical box. Our web box (virtualized) and file server box would still stay separate. Then, how do we tie the virtualized AD service back into the LAN? Through the internal network interface via virtual switch? What are the chances of the firewall box failing? Of course, we were thinking of a Mini-ITX board with Intel Atom (no fans) and RAID 1 SSD drives. Are there any good books dealing with issues like these? I can understand buying to save time, but how many headaches do you have to put up with down the road</div>