I am searching for a firewall product (appliance or software) for a hosting/housing environment. The biggest problem is that the rules get very complex as more customers are behind the firewall. Some have only one server, others have a whole subnet. Some need NAT, some a VPN endpoint. Some customers want to only allow port http, others ssh as well. So the device needs to be able to support VLANs and it should be possible to group the rules per customer.
Speed is another important point. And being able to manage redundant devices easily.
I am searching for something that doesn't have all the extras like spam filter etc. I was searching a lot on the net but either they had all those extras as well (and with it an overloaded configuration interface) or they missed some of the features I need (e.g. VLAN).
The VPN endpoint is not an important criterion. We were thinking about a separate machine for it.
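An added example (not from the question or any of the answers) of the per-customer grouping the question asks for, written as an nftables ruleset generator: each customer gets one VLAN sub-interface on a trunk and one chain of their own, the forward chain only dispatches, and NAT is emitted only for customers that request it. The customer data, interface names and chain names are constructed assumptions.

```python
"""Added example, not from the question or answers: group firewall rules per
customer as nftables chains, one VLAN sub-interface and one chain each.
Customer data and interface names below are constructed assumptions."""
from dataclasses import dataclass

SERVICE_PORTS = {"http": 80, "https": 443, "ssh": 22}

@dataclass
class Customer:
    name: str          # chain name
    vlan: int          # 802.1Q VLAN id on the trunk
    subnet: str        # one host ("192.0.2.10") or a whole block ("10.20.0.0/24")
    services: tuple    # inbound services to allow, e.g. ("http", "ssh")
    snat_to: str = ""  # public address for outbound NAT; "" means routed, no NAT

def customer_chain(c, trunk):
    """One chain per customer: replies, the customer's own outbound, requested services, else drop."""
    rules = [f"    chain {c.name} {{", "        ct state established,related accept",
             f'        iifname "{trunk}.{c.vlan}" ip saddr {c.subnet} accept']
    for svc in c.services:
        if svc not in SERVICE_PORTS:
            raise ValueError(f"{c.name}: unknown service {svc!r}")
        rules.append(f"        ip daddr {c.subnet} tcp dport {SERVICE_PORTS[svc]} ct state new accept")
    rules += ["        drop", "    }"]
    return "\n".join(rules)

def render_ruleset(customers, trunk="eth0", wan="eth1"):
    """Whole nft ruleset: the forward chain only dispatches, so customers never share rules."""
    if len({c.vlan for c in customers}) != len(customers):
        raise ValueError("two customers share a VLAN id")
    out = ["table inet hosting {", "    chain forward {",
           "        type filter hook forward priority 0; policy drop;"]
    for c in customers:  # dispatch by VLAN sub-interface in both directions
        out += [f'        iifname "{trunk}.{c.vlan}" jump {c.name}',
                f'        oifname "{trunk}.{c.vlan}" jump {c.name}']
    out += ["    }"] + [customer_chain(c, trunk) for c in customers] + ["}"]
    nat = [c for c in customers if c.snat_to]
    if nat:  # only customers that asked for NAT get a postrouting rule
        out += ["table ip hosting_nat {", "    chain postrouting {",
                "        type nat hook postrouting priority 100;"]
        out += [f'        ip saddr {c.subnet} oifname "{wan}" snat to {c.snat_to}' for c in nat]
        out += ["    }", "}"]
    return "\n".join(out)

CUSTOMERS = (  # constructed sample customers, RFC 5737 / RFC 1918 addresses
    Customer("cust_web", 10, "192.0.2.10", ("http", "https")),
    Customer("cust_shop", 20, "10.20.0.0/24", ("http", "https", "ssh"), snat_to="203.0.113.20"),
)
```

Adding a customer means adding one Customer entry; the generated text can be loaded with `nft -f` on a Linux host acting as the firewall, or reviewed as the policy a vendor appliance should reproduce.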
I think you would have several options, your requirements aren't that high. What serious firewall doesn't support VLAN?
We use a HA-setup of Clavister SG32xx. They support grouping of rules, VPN, VLAN and come in different versions depending on licensing (which defines the throughput). The performance ranges from 350Mbit to 1.5Gbit I think.
Their lower range also offers HA but doesn't sync connection-tracking IIRC. It's the SG5x series, with throughput up to 200Mbit. The feature support is technically the same.
You also have products from Checkpoint, Cisco (ASA-series) that might be of interest to you, however we chose Clavister mainly because of the ease of administration as well as the impression we got from the company that demonstrated the product to us (and supplies us with support).
Have a look at pfsense. It supports all the features you just listed, is free, open source, well documented, and commercial support is available if you need that. It also supports clustering for seamless failover including all active sessions. And runs on any x86 hardware so you can size the hardware to your needs easily.
I recommend the Fortigate series by Fortinet. We had good experiences with them. They support firewalling with grouping, VPN (SSL and IPsec), VLAN, HA. You can do some weighted load-balancing on your hosts, and they also support VDOM, allowing you to offer virtual appliance and control to your guests and clients.
The licensing model is simple: each model of Fortigate has the same software features, only the hardware capabilities and options change. And you don't have to pay an arm and a leg to be able to use VPN, it just works, with any number of clients you need.