Site to Site VPN for POS system, no budget

The Spyder

Wanted some opinions on this. I have a client/family friend who owns a Plant Nursery and has a custom POS system. I just found out they are opening a new location and want me to setup a new terminal at this new location.

First thing that came to mind was a site-to-site VPN using pfSense. However, I have quite a few problems that I think will cause this to be problematic. The first, there is no budget. I am using existing equipment or used equipment for the pfSense boxes. The second, the only internet offered at their main location is a problematic, slow 1.5 Mb DSL that goes down for hours for no reason. The third, the POS maker is a horrible company and anything I set up that goes down in the future will be blamed on my incompetence. (Long story, I have had to fix EVERYTHING this company set up for them. They ran Cat5e over 400 ft... Set up an unsecured AP for the hand CC scanners. Ran everything through a Linksys WRT54G, no firewall, no admin password, server open to the world via Remote Desktop. Showed up at their headquarters and chewed the owner out...)

The POS is terminal-server based. A thin client connects to the server and runs the POS software. The DSL at the main location is maybe 1.5 Mb/768k. Will this be enough to run the daily goings-on of the nursery staff and a link to the other thin client? I think it will. No idea what the new site will run.

Best part- I have to get it going by Saturday. :)
 
I run Untangle for several clients now. Great software. I might end up using it.
 
If money isn't too big of a deal (we're talking having to buy 2 units, one for each site) I would suggest entry level Cisco ASA 5505 10 user bundle, using their site to site VPN ability. This would run around $800 for both units.
 
With good passwords, having Remote Desktop open is not that big of a deal. RDP is pretty secure. If anything, maybe take the old router, flash it with DD-WRT and use port forwarding to open a port to let RDP in. That way you can have it use a terminal session like the others.

Another option is to open 1723 on the router and set up the terminal server as a VPN server as well (custom setup, just as VPN without the routing). Set up the desktop at the other location to connect to the VPN at startup and have it establish a VPN session to the server. Then use RDP to get in.

Both of the above ways give you options without using new hardware. Terminal Services makes it easy since they are already using it. The big issue then is just getting the DSL fixed or replaced.

Next option would be 2 Cisco 871s/ASA5000s or 2 SonicWalls. If you really wanted to go cheap, the Cisco small business routers (Linksys business line) would also work. The RVS4000 is like 110 bucks and does VPN if I'm not mistaken. Under 250 bucks you have 2 of them.
 
Any VPN product will work, but with that problematic DSL any VPN doesn't sound good.

No other form of internet?
 
If money isn't too big of a deal (we're talking having to buy 2 units, one for each site) I would suggest entry level Cisco ASA 5505 10 user bundle, using their site to site VPN ability. This would run around $800 for both units.

I would not recommend a Cisco ASA to somebody who has not used the product before, let alone needing to get it working flawlessly by Saturday.

If you are familiar with pfSense, run it. It works well. No license limit either, as I'm sure you know.
 
If money isn't too big of a deal (we're talking having to buy 2 units, one for each site) I would suggest entry level Cisco ASA 5505 10 user bundle, using their site to site VPN ability. This would run around $800 for both units.

That's where the no-budget part comes in. I have to spend as little as possible. Hence why 2 Compaq Evos or Dells for $99 off Craigslist with a UTM/firewall installed will work. I used the ASA 5505 at another client's; worked well. Wish I had the budget.
 
Any VPN product will work, but with that problematic DSL any VPN doesn't sound good.

No other form of internet?

None. Only provider in the area. Considering putting the server at the location since I can get Fios there.
 
Grabbing 2 Dell OptiPlex 745s for $250 each with 17" LCDs, keyboards, and mice. I needed the monitors anyway. I had $1k to get 1 workstation and 2 Untangle/pfSense boxes; I think this will work great. Looks like it's going to be right under $800.
 
RDP can be quite secure. Good passwords, esp. on the Admin account, and set it to stop answering for a while after X number of failed login attempts.

Dunno if you pulled the trigger yet on those Optis....but some other decent budget options..
Pick up a pair of old IBM ThinkPad T22 series (P3s), some PCMCIA cards, and use pfSense. This is what I've run at home for a while. Small 14" screen models, built-in keyboard and monitor and battery backup, lower power consumption. pfSense is solid for VPN tunnels.

Another dirt cheap option: pick up a pair of WRT54GL units, flash with DD-WRT or Tomato firmware.
 
What if you move the server to a centralized position and have both nurseries VPN into the system location?

Your flaky DSL at the main facility is going to be a big problem IMO. No matter how well set up or how good your equipment is, if you lose communications you will be screwed.
 
I would go with something other than Untangle. You didn't mention anything else other than VPN. Do you need anything that Untangle can offer other than VPN?

But good pick on machines. Dell Outlet?

Put the server at the main location (is that the one with FiOS)?

Thought since you said no budget.

What about an AT&T/Verizon broadband card as a redundant connection at the shitty DSL side? If you do Verizon or 3G you may have enough for RDP.

What ya think?
 
What about an AT&T/Verizon broadband card as a redundant connection at the shitty DSL side? If you do Verizon or 3G you may have enough for RDP.

What ya think?

Whhaaa?? :confused:

Verizon has not offered unlimited broadband plans for awhile now. For $60/month, you get a 5GB limit, and outrageous charges if you go over.
 
RDP can be quite secure.

But not as secure as I like. It's not foolproof. VPN can be had for free, and without much hassle for setup, so this is why I prefer it in conjunction with RDP... and feel a lot better about it.
 
But not as secure as I like. It's not foolproof.

Outside of the documented "in the labs" exploit about it..what have you found in the wild?
(and that exploit was for the old version, not current version)
 
Whhaaa?? :confused:

Verizon has not offered unlimited broadband plans for awhile now. For $60/month, you get a 5GB limit, and outrageous charges if you go over.

And? This is a business. If your DSL drops out it generally will be fixed that day, hopefully (our cable ISP has a 2-4 hour repair time unless the problem is on the pole, then it's done at night).

So if you think an RDP session uses something like 30k, that's a pretty good amount of data used before you reach that 5GB limit. And in the end, who cares? If your internet drops out at that location, then location 1 and location 2 are offline and not making any business. So if you go over and end up paying an extra 100 bucks, you're still in business making sales compared to dead in the water.

What do you think matters more?
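The broadband-card-as-backup idea in the posts above only pays off if the firewall decides promptly, and without flapping, when to route over the cellular link and when to come back to the DSL. The script below is an added example, not code from this thread or from any product: it models the gateway monitor that a dual-WAN firewall such as pfSense runs (a periodic probe to each upstream, loss measured over a sliding window), with the "down" and "up" thresholds deliberately different so that a line with patchy loss, rather than a clean outage, does not bounce POS traffic between links every probe interval. Falling back to DSL as soon as it is reliably healthy also keeps traffic off the metered 3G plan mentioned above. The probe sequences, window size, thresholds and link names are constructed for the example; the simulation compares the hysteresis monitor with one whose up and down thresholds are equal.

```python
"""Dual-WAN failover decision with hysteresis.

Added example, not from the original thread.  Models the gateway
monitor of a dual-WAN firewall: each upstream is probed once per
interval, loss is computed over the last `window` probes, and a link is
marked down when loss reaches `down_loss` but only marked up again once
loss has fallen to `up_loss`.  All probe data below is constructed.
"""
from collections import deque


class GatewayMonitor:
    def __init__(self, name, window=10, down_loss=0.5, up_loss=0.1):
        self.name = name
        self.window = window
        self.down_loss = down_loss      # loss fraction that takes the link down
        self.up_loss = up_loss          # loss fraction needed to bring it back
        self.results = deque(maxlen=window)
        self.up = True

    def probe(self, reply_received):
        """Record one probe result (True = reply) and return link state."""
        self.results.append(1 if reply_received else 0)
        if len(self.results) < self.window:
            return self.up              # not enough samples to judge yet
        loss = 1 - sum(self.results) / len(self.results)
        if self.up and loss >= self.down_loss:
            self.up = False
        elif not self.up and loss <= self.up_loss:
            self.up = True
        return self.up


def choose_wan(primary, backup):
    """Prefer the primary link; use the backup only while the primary is
    down, which keeps metered cellular usage to a minimum."""
    if primary.up:
        return primary.name
    if backup.up:
        return backup.name
    return None                         # both down: nothing to route over


def simulate(primary_probes, backup_probes, window=10,
             down_loss=0.5, up_loss=0.1):
    """Feed both probe sequences tick by tick; return the chosen WAN per tick."""
    dsl = GatewayMonitor("DSL", window, down_loss, up_loss)
    cell = GatewayMonitor("3G", window, down_loss, up_loss)
    timeline = []
    for p, b in zip(primary_probes, backup_probes):
        dsl.probe(bool(p))
        cell.probe(bool(b))
        timeline.append(choose_wan(dsl, cell))
    return timeline


def count_transitions(timeline):
    """Number of times the selected WAN changed."""
    return sum(1 for a, b in zip(timeline, timeline[1:]) if a != b)


# Constructed probe results (1 = reply, 0 = lost), one per tick.
# DSL: clean, then every other probe lost for 20 ticks, then clean again.
DSL_PROBES = [1] * 10 + [0, 1] * 5 + [1, 0] * 5 + [1] * 10
CELL_PROBES = [1] * 40                  # the 3G card answers throughout

if __name__ == "__main__":
    hyst = simulate(DSL_PROBES, CELL_PROBES)
    naive = simulate(DSL_PROBES, CELL_PROBES, up_loss=0.5)
    print("with hysteresis:   ", count_transitions(hyst), "WAN switches")
    print("without hysteresis:", count_transitions(naive), "WAN switches")
```

With the constructed sequence the hysteresis monitor switches to 3G once when DSL loss hits 50% and back once after the DSL has been clean for most of a window, two changes in total; the equal-threshold monitor toggles on nearly every probe during the lossy stretch, which on a real firewall means state tables and the VPN tunnel being torn down and rebuilt each time.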
 
What do you think matters more?

The fact that the OP has repeatedly said it needs to be cheap. That seems to be factor numero uno. It seems many people are ignoring that in this thread.

If you want it reliable, perhaps they should just install and pay for a T1?
 
Outside of the documented "in the labs" exploit about it..what have you found in the wild?
(and that exploit was for the old version, not current version)

Yea really. Nothing is foolproof. The big issue with RDP is weak user passwords. Rename the administrator account and limit the user accounts that can access it. Use a strong password. Past that you should be good to go.
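The lockout and strong-password advice in the two posts above (stop answering after X failed logins; rename the administrator account) is easier to trust when someone is actually looking at the failures on an RDP server exposed to the internet. The script below is an added example, not code from this thread: it runs the check over a constructed excerpt of Windows Security log events in a simplified one-line-per-event form (event 4625 = failed logon, 4624 = success, logon type 10 = RemoteInteractive, i.e. RDP) and flags any source address that accumulates five or more RDP failures within five minutes. The line format, thresholds and sample addresses are assumptions for the example. Unlike the built-in account lockout policy, which counts per account, this keys on the source address, so a guesser rotating through account names (the "Administrator", "admin", "pos" run in the sample) still shows up.

```python
"""Flag RDP brute-force sources in a Windows Security log excerpt.

Added example, not from the original thread.  Input format is assumed:
one event per line as "<ISO time> <event id> <account> <source ip> <logon type>".
Event 4625 = failed logon, 4624 = successful logon; logon type 10 is
RemoteInteractive, i.e. an RDP session.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, not real log data.  One source hammers several
# account names within seconds; the cashiers merely mistype a password.
SAMPLE_LOG = """\
2009-05-02T03:10:01 4625 Administrator 203.0.113.7 10
2009-05-02T03:10:03 4625 Administrator 203.0.113.7 10
2009-05-02T03:10:05 4625 admin 203.0.113.7 10
2009-05-02T03:10:07 4625 Administrator 203.0.113.7 10
2009-05-02T03:10:09 4625 pos 203.0.113.7 10
2009-05-02T03:10:11 4625 Administrator 203.0.113.7 10
2009-05-02T09:15:00 4625 cashier1 192.0.2.20 10
2009-05-02T09:15:30 4624 cashier1 192.0.2.20 10
2009-05-02T10:00:00 4625 cashier2 192.0.2.21 10
2009-05-02T14:00:00 4625 cashier2 192.0.2.21 10
"""

RDP_LOGON_TYPE = 10
LOGON_FAILURE = 4625


def parse_events(text):
    """Turn the one-line-per-event text into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, src_ip, logon_type = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "account": account,
            "src_ip": src_ip,
            "logon_type": int(logon_type),
        })
    return events


def find_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: summary} for sources with >= threshold RDP logon
    failures inside any `window`-long span.

    Keyed on the source address rather than the account, so a guesser
    rotating through account names (which per-account lockout misses)
    is still caught.  The summary holds the failure count in the window
    when it was last updated, first/last failure times and the account
    names tried.
    """
    recent = defaultdict(deque)   # src_ip -> deque of (time, account)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != LOGON_FAILURE or ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        q = recent[ev["src_ip"]]
        q.append((ev["time"], ev["account"]))
        # Slide the window: drop failures older than `window`.
        while q and ev["time"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(ev["src_ip"],
                                  {"first": q[0][0], "accounts": set()})
            a["failures"] = len(q)
            a["last"] = ev["time"]
            a["accounts"].update(acct for _, acct in q)
    for a in alerts.values():
        a["accounts"] = sorted(a["accounts"])
    return alerts


if __name__ == "__main__":
    for ip, a in find_brute_force(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {a['failures']} RDP failures between {a['first']} "
              f"and {a['last']}, accounts tried: {', '.join(a['accounts'])}")
```

Feed it a real export by writing the events in the same five-field form; the two cashier entries show why the window matters: two failures four hours apart from one address never reach the threshold, so lowering it to 2 still only flags the scanning source.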
 
He said the VPN had little budget, not the internet connection...

Throwing the idea out there; I could care less what he wants to do. Clients that have no budget have to live with these things, but I think if he explains that if the DSL drops, both locations are sitting dead, they may want to think differently.
 
He said the VPN had little budget, not the internet connection...

Throwing the idea out there; I could care less what he wants to do. Clients that have no budget have to live with these things, but I think if he explains that if the DSL drops, both locations are sitting dead, they may want to think differently.

I have a similar point of view; mine is: a customer with no budget doesn't have budget to pay me, so no work for them.

Also, customers with no budget don't value IT in the slightest, everyone wants the best bang for their buck, but bang is never free.
 
If you want an inexpensive site to site VPN solution for a minimal budget then I'd suggest a couple of Linksys RV042 Routers. Newegg has them for around $137 a piece.
 
If you want an inexpensive site to site VPN solution for a minimal budget then I'd suggest a couple of Linksys RV042 Routers. Newegg has them for around $137 a piece.

+1

Ideally I'd tell them to get a T1 at both locations and pick up a pair of ASA 5505s, but you could try to find a pair of PIX 501s or something too?
 
Outside of the documented "in the labs" exploit about it..what have you found in the wild?
(and that exploit was for the old version, not current version)

Nothing... but then I haven't used RDP without VPN. I am of the opinion to err on the side of caution.
 
I have a similar point of view; mine is: a customer with no budget doesn't have budget to pay me, so no work for them.

Also, customers with no budget don't value IT in the slightest, everyone wants the best bang for their buck, but bang is never free.

This is the most insightful comment in this thread.

To the OP, you're only hurting yourself by putting yourself in this situation. You said yourself that you will get blamed when (not if) this goes down. You're ruining your reputation by trying to do a favor. You need to learn to set better expectations with the client.
 
+1

Ideally I'd tell them to get a T1 at both locations and pick up a pair of ASA 5505s, but you could try to find a pair of PIX 501s or something too?

Can't get a T1, or anything other than DSL, at their main location. It's a plant nursery, in the middle of nowhere.
 
This is the most insightful comment in this thread.

To the OP, you're only hurting yourself by putting yourself in this situation. You said yourself that you will get blamed when (not if) this goes down. You're ruining your reputation by trying to do a favor. You need to learn to set better expectations with the client.

I should clarify a few things.
1) There is no budget, but I am allowed to spend whatever it takes to get the job done in a timely manner.
2) There is no question I will be paid; these are one of the few people who have always paid me on time.
3) There is no chance for a T1, fiber, or even 3G data at their main location. The only provider who gets more than 2 bars of service is Verizon.
4) The first thing I spec'd out were 2 ASA 5505s; it ended up being around $700 just in hardware.
5) Even if I go to a commercial product, I can still use the 745s. They are excellent workstations for either location, and being a nursery, the conditions kill equipment every 2 years it seems.

I have had no problems running Untangle or pfSense on cheap hardware. It does its job, is stable, and most importantly it's freeware. Linksys routers that support VPN have let me down time after time.

These clients are family friends; I have worked with them since I was 15. I could give a damn what the 3rd-party vendor blames my work for; I have held them accountable for all of theirs. It's only 2 people at that company that dislike me and I would never worry about them bad-mouthing me, they live in another state. I can come back 10x fold on them. I stopped my client from suing them over the atrocity of a system they charged $46k for.

I realized today I cannot move the server, maybe in the future, but the label printer is tied to the server and must be at the central site. They do want another printer for this new location and I will have to figure that out. It seems whenever I call, they want $60/h for phone support just to answer basic questions. Oakie, I like the idea of centrally locating it; I think that is a great idea for the future.

I am calling the central location's telecom provider to see what we can do about getting a more reliable line. They have mentioned in the past that it's the last 1000 ft of cable on the poles that has not been replaced that causes 99% of their issues. A worker lives right where the new cable ends; her internet is perfect. I think I can finally convince them to replace it, even if my client has to pay for it.

I can go into way too much detail, but the point is this client is doing this in the WORST economic situation and with help from family and friends. There is limited money to open this second location, but the land owners gave her free rent, suppliers donated plants, and friends are painting the building right now. I have $15k to install this system, $12k being hardware costs from the POS company and a new workstation/printer/VPN hardware. The only upside is this new location is in the downtown of one of the richest cities here in Oregon. People are coming in with no sign-up/etc., buying plants and welcoming them. If it's done in time (May is huge in the nursery business), this will be amazing for this business and literally save it.

My last question is:
Will 1.5 Mb DSL lines be enough to support 2 active RDP sessions?
 
DSL should be fine, I have tons of clients on broadband...and when done correctly...it's as reliable as Ts. Honestly most of my broadband clients have more reliable connections than some of the crappy Ts we service...IMO T is over-priced and over-rated....they can wipe my butt with that useless SLA. We're finishing up flipping a restaurant chain in NYC "off of" their existing crummy Ts with Verizon that go down all the time, flipping them over to NYC RR which I have many clients on that's rock solid.


For whatever they have now, DSL or cable, have them invest the little bit of money to have brand new lines run in from the street...clean all the way to where the modem is.
 
DSL should be fine, I have tons of clients on broadband...and when done correctly...it's as reliable as Ts. Honestly most of my broadband clients have more reliable connections than some of the crappy Ts we service...IMO T is over-priced and over-rated....they can wipe my butt with that useless SLA.

That is the dumbest statement I have ever heard. You get so much more with T lines than you do with standard-issue DSL or cable: QoS, CoS, point-to-point connections resulting in less latency, a better SLA. And when/if a transition of locations is done they can echo data to both locations so that you can correctly and meticulously move your hardware with as little downtime as possible. I'm thinking you are not one of the most experienced network people I've ever spoken with. And show me a DSL line that can do what AT&T's MPLS T1s can. There's a reason T1s, T3s, etc. are still around: because they're for people who need ENTERPRISE-level systems, not cheap shit unreliable connections.
 
My last question is:
Will 1.5mb DSL lines be enough to support 2 active RDP sessions?

Yes, but will your POS equipment support being run on RDP? Hand scanners and printers and such may not capture correctly through RDP.
 
Good news today!

New lines from the street are being installed at the new location. The old location had new lines run 3 years ago when they got DSL.
DSL at both locations has static IPs now; the main location upgraded to a 3/3.
The new site won't have DSL till the 14th, giving me time.
New site has a 7/1.5 line.

I purchased both OptiPlex 745s today. Excellent little boxes. Can't wait to use them.

A friend asked this: any reason why a Linksys router flashed with DD-WRT at each site won't work?
 
A friend asked this: any reason why a Linksys router flashed with DD-WRT at each site won't work?

Yes and no. I personally wouldn't feel comfortable supporting it. It's one thing to flash your router's firmware at home and screw with things, but not if money is involved. It would be a bitch to have your POS terminals go down because of cheap consumer SOHO routers flashed with an unsupported firmware.

That being said, I've got nothing against DD-WRT; it's awesome, and I've used it at home for a long time, but I'd just never use it in a business setting.

For your budget (if Cisco gear is still out of the question, but if it's $15k as you stated, why not?) go with the Linksys RV042s. I've got a ton of them out there, and with few exceptions, they have been rock solid.
 
That is the dumbest statement I have ever heard. You get so much more with T lines than you do with standard-issue DSL or cable: QoS, CoS, point-to-point connections resulting in less latency, a better SLA. And when/if a transition of locations is done they can echo data to both locations so that you can correctly and meticulously move your hardware with as little downtime as possible. I'm thinking you are not one of the most experienced network people I've ever spoken with. And show me a DSL line that can do what AT&T's MPLS T1s can. There's a reason T1s, T3s, etc. are still around: because they're for people who need ENTERPRISE-level systems, not cheap shit unreliable connections.

I have quite a few clients on Ts, as does my colleague, and I've seen the SLAs let them down. I have craploads of small business clients on business-grade broadband, and I see how reliable those can be when done right. Maybe "when done right" is why you don't see the reliability. I've been doing this for a long time; business-grade broadband can do the job just fine.

Anyone ever stop to think about the budget for a "nursery"? A nursery isn't exactly ENTERPRISE-level in requirements. You know, they're not high-money-making businesses; often things are done rather shoestring. Business is often seasonal too. 2x locations, paying $600+/month for a T, maybe less if they can get by with a point-to-point frame or something... but still, that's a crazy cost for a small business. Versus $69-89/month or so for business-grade broadband.
 