Security, performance, and flexibility are all important aspects of any business network. It's amazing how many companies either take a one-size-fits-all approach (deploying the most expensive firewall option in both large and small networks) or simply don't recognize the appropriate device for the application.
HYPERION WORKS has several firewall setups that we tend to deploy given the application.
We're huge fans of the long-lived OpenWRT project. It lets us use firewalls from many manufacturers (giving us a wide variety of hardware choices), so we're not reliant on any one manufacturer. It also gives us software features typically found in firewalls costing thousands of dollars, but for a fraction of the cost. These firewalls are good for small businesses, usually up to about 5-10 users.
pfSense gives us functionality similar to OpenWRT, but can run on much more powerful hardware, and is suitable for businesses beyond 5-10 users. Because the hardware these firewalls use is more powerful, they tend to be more expensive than the OpenWRT option, but considerably less expensive than their proprietary counterparts (like Cisco, WatchGuard, Fortinet, or Juniper), and with much more flexibility.
For environments with more specific needs, we build custom firewalls from scratch based on Linux.
For instance, almost every network has a single firewall. And while firewalls are normally solid-state devices that rarely fail completely, it does happen, and this makes the firewall a Single Point Of Failure (SPOF). When the firewall fails, connectivity between the local network and the internet is gone. In networks where uptime is a must, we've created custom dual-firewall setups with two firewalls that duplicate each other's functionality in real time. If one firewall fails, the other kicks in and begins functioning in about one second.