Of course you can find firewalls that are crappy routers and you can find
routers that are crappy firewalls, but generally, the two are not mutually
I completely disagree w/ such or similar statements.
On the vendor datasheet it says different. On books it says different.
And on real life it's different.
Firewalls are firewalls. Routers are routers. Routers should do some very
basic filtering (stateles, ACLs, data plane protection...) and firewalls
should do basic static routing. And things should not go far beyond that.
If you keep thinking like that you will soon believe an L3 switch is a
Firewalls and routers belong to different places in a serious topology.
Only small networks should have both functions in the same box. It raises
risks, makes different kernel tasks competing to each other for the same
resources. You may run out of states, memory and CPU specially if mixing
NAT & tunneling beyond firewalling and routing. A router nowadays has many
tasks to accomplish, from 6to4, dual stacking, to multiple routing services
(bgp, ospf, bfd). Don't add extra duties to the box.
Multiple purpose systems that can act like both things (say, a Linux box),
but it's just not right to have more than one critical service in the same
box. They should be distributed along your network. A firewall in front of
the router, a firewall after the router in front of the servers.
I just had a huge problem with an engineer who decided that a router should
be his CGN, and when the number of translated sessions run above the
expected and planned capacity, the box just sit down unresponsive. All of
this company (and it's a banking company, not an ISP who just pays some SLA
debit and it's good to go) connectivity was offline due to this confusion
of service profiles on the same box, and all, means servers and hosts with
registered IP addresses, not only RFC1918 addresses that needed to be
We just split the functions, distributed firewall and CGN to different
boxes and topologies in a much more logical way and the "auto DoS feature"
just went away.
So, please, don't insist. A firewall is a firewall. A router is a router. A
translation box is another alien. Unless you are SMB or willing to pay over
dimensioned boxes to mix all duties up together, which will be more
expensive than distributing the services alongside the network.