Best dual WAN load balancing + failover site to site VPN firewall?

minc3d

Hey everyone,

I have a customer with two offices, one in Chicago and the other in New York, and each one has dual WAN connections currently. Their current firewalls in use can only do site to site VPN with dual WANs in failover mode, not load balancing.

We are looking to implement a new firewall VPN router at each site to be able to aggregate these dual WAN lines (about 50Mbps and 70Mbps connections on each end) to combine the bandwidth into one massive site to site VPN link. If one WAN goes down, the line just downsizes seamlessly onto one WAN link with no interference.

The only product on the market we have been able to find so far at a decent price is made by a company called Peplink, specifically their 710 model firewall:

http://www.peplink.com/products/balance/model-comparison/

We spoke to their reps and found that they have tech that can do everything we are looking for. We had a chat with Barracuda support too and they seem to think that a combo of BWB230a1 with a BFWX300a1 would get this done, but we would not have uplink failover on the WAN connections which is a real bummer. Plus the fact that they say we need two boxes really knocks their solution below the nice single box option from Peplink.

Question is: Does anyone have any other suggestions on hardware? We DON'T want to go the ASA route from Cisco as both our staff and the IT staff at the customer do not have the knowledge of Cisco command line for administration - the solution has to have a GUI.

Any recommendations are welcome!
 
Stay far away from Barracuda Link Balancers. They are a pile of junk. We had 12meg Bonded T1, and 100Meg Comcast Business Class. If the Comcast ever went out for whatever reason, the T1 should have picked up, but their tech support could never figure out why it wasn't working. The Comcast, when it did work, was only putting out 25Mbps through them, but when direct to modem, would give 50Mbps+. They also eat up a static IP just for themselves.

If you want site to site VPN + firewall in one, I have had great luck with the Cisco Meraki MX90. Dual WAN is super easy to set up, and VPN is even easier, with included support for VPN with non-Meraki devices. It has support for link aggregation, though I don't know if it supports LAG over VPN. You could call their number and ask a few questions to find out though.
 
FWIW you can manage ASAs with ASDM. I rarely touch CLI on ASAs unless it's for basic routing and switching. Any VPN stuff I do in ASDM.
 
We considered pfsense but they want any solution to be rack mountable in a 1 or 2u form factor, with warranty support. Otherwise I think that would have been a good route.

And I appreciate the advice on Barracuda. Anyone with experience with Peplink products? They come off high recommendation from a few colleagues and other online posts. Supposedly the holy grail of doing all the items I'm looking for in a single appliance package.

 
Routerboard RB1100AHx2

Hands down the best option for you.

PCC Multi-WAN Load Balancing & Failover with RouterOS howto.

Also has hardware accelerated AES encryption, perfect for IPSec encoded site-to-site VPNs. You can even bond your VPNs together between sites too, also with automatic link failure detection. Nothing like full speed encrypted VPN.

Absolute best part $309.

Honestly, anyone with a good networking background will be able to set up both routers and configure them after playing with them in a lab for a day or two.

Support is pretty good through MikroTik, but you also have the option of hiring a MikroTik expert like Greg Sowell. If you have someone that can set up the routers at both ends as well as enable a VPN dial in he could set up the whole thing in a matter of hours for you.
 
You could buy a warrantied box(es) from a primary vendor for the hardware, and put pfsense on it with a support contract with them for the software. Still come out way cheaper than other tier-1 vendors.
 
I think you'll find that most devices don't really combine two WANs into one "super WAN" because it's not reliable.

Anyway ASAs only support failover (one active WAN interface) unless they've changed it since I last looked.
 
You could buy a warrantied box(es) from a primary vendor for the hardware, and put pfsense on it with a support contract with them for the software. Still come out way cheaper than other tier-1 vendors.

yup...
 