Of course you can find firewalls that are crappy routers and you can find
routers that are crappy firewalls, but generally, the two are not mutually
I completely disagree w/ such or similar statements.
On the vendor datasheet it says different. On books it says different.
And on real life it's different.
No, really it does not.
Firewalls are firewalls. Routers are routers. Routers should do some very
basic filtering (stateles, ACLs, data plane protection...) and firewalls
should do basic static routing. And things should not go far beyond that.
We can agree to disagree.
If you keep thinking like that you will soon believe an L3 switch is a
An L3 switch is just another kind of router and if it’s got the ability for its
switching matrix to include a packet classifier that can be preprogrammed for
the appropriate firewall functions at line rate in hardware, then, yes, it’s a
perfectly fine firewall, and, probably about the only solution that’s really going
to work in a high line-rate scenario, actually.
Firewalls and routers belong to different places in a serious topology.
You and I apparently have very different ideas of serous topologies.
Only small networks should have both functions in the same box. It raises
risks, makes different kernel tasks competing to each other for the same
resources. You may run out of states, memory and CPU specially if mixing
NAT & tunneling beyond firewalling and routing. A router nowadays has many
tasks to accomplish, from 6to4, dual stacking, to multiple routing services
(bgp, ospf, bfd). Don't add extra duties to the box.
If you are firewalling so far away from the edge that any of this matters, you have
already lost and your topology is very hard to consider “serious” in my opinion.
Multiple purpose systems that can act like both things (say, a Linux box),
but it's just not right to have more than one critical service in the same
box. They should be distributed along your network. A firewall in front of
the router, a firewall after the router in front of the servers.
I’m thinking more like a large Juniper with an ESPIC or other services
interface hardware solution.
I just had a huge problem with an engineer who decided that a router should
be his CGN, and when the number of translated sessions run above the
expected and planned capacity, the box just sit down unresponsive. All of
this company (and it's a banking company, not an ISP who just pays some SLA
debit and it's good to go) connectivity was offline due to this confusion
of service profiles on the same box, and all, means servers and hosts with
registered IP addresses, not only RFC1918 addresses that needed to be
You can always choose the wrong box for the job. I bet I can point to plenty of
routers that could have handled his CGN needs just fine and had plenty of memory
to hold all of his translated sessions.
This is no different than if he chose an incorrect CGN box that was purpose-built.
Your example is like saying “The 2514 was not adequate as a 100Mbps firewall,
so all routers are inadequate as firewalls”.
The 2514 was not adequate or even capable of being a 100Mbps router.
We just split the functions, distributed firewall and CGN to different
boxes and topologies in a much more logical way and the "auto DoS feature"
just went away.
That’s certainly one viable solution. Maybe even the right one for that particular
space. However, it does not change anything I said.
So, please, don't insist. A firewall is a firewall. A router is a router. A
translation box is another alien. Unless you are SMB or willing to pay over
dimensioned boxes to mix all duties up together, which will be more
expensive than distributing the services alongside the network.
Technically, a router is any device which takes an IP datagram on one interface
and delivers it to an interface with a different network number (whether the same
(hairpin) or another interface) after decrementing the TTL or Hop Count (depending
on whether IPv4 or IPv6).
Other than the (rather silly in virtually all circumstances) Layer 2 firewalls mentioned
earlier, every firewall is technically a router. Not every router is a firewall, though there
are plenty of routers that are also very capable firewalls.
I will grant you that there are virtually no purpose-built firewalls that make good routers,
but that’s yet another issue truly unrelated to what I said.
As to translation devices, well, those also have no place in a serious topology other
than dealing with limitations of an aging and hopefully soon to be deprecated protocol
that should have been obsoleted years ago.