Best router with on board IPSec VPN server.

HalfJawElite

I'm currently in the market for a new router that supports remote IPSec VPN access to my home network. The router must support wireless (latest "n" standard is a plus) and must have gigabit links for LAN at least. I have been considering the following two routers but neither has an IPSec VPN server built in to the router OS:
ASUS RT-N66U
MikroTik RB2011UAS-2HnD-IN
As far as I can tell they both have PPTP server functionality and only IPSec pass-through. I would like a router that has the server ability built in to the OS so I won't have to run an additional system behind my network edge. I can also look into any small to medium size business routers if anyone suggests those instead, just as long as it supports a majority of the same features of the two routers I have listed for comparison.
 
Mikrotiks are great if you have networking knowledge. If you don't have much they can be a bit daunting. Personally, I use quite a few Mikrotiks on various networks.
 
I do have quite a bit of experience in networking and working with some managed switches and routers. Would you be able to tell me if the RB2011UAS-2HnD-IN has any built in IPSec VPN servers? I've only found comparable devices for home use that have pass-through and not directly on the border device. I'd rather not have to pass-through my IPSec authentication to another internal server, mostly because of the ports left open. The only other solution I can think of for routers with an IPSec authentication server built in to them would be to move to small business or integrated services routers which cost more.
 
They support router to router IPSec. Not sure if they support an IPSec connection with a computer or phone, but router to router works great.

Mikrotiks support PPTP server, STP server, IPSec, and OpenVPN (doesn't work well or at all ATM though if I remember correctly.)
 
So if I try to set up a VPN connection with IPSec for my devices to have remote access it won't work?
 
Not sure. I've never tried it. I use a Cisco ASA for my VPN needs. Maybe google it a bit and check the Mikrotik forums.
 
I think some of you guys are getting a little off topic or are misunderstanding my original question. I'm looking for a router with a BUILT-IN IPSec VPN server to handle authentication of devices or users attempting to gain remote access to my home network.

As I listed above the ASUS RT-N66U has a built-in PPTP server but NOT IPSec. I require IPSec for security and authentication reasons otherwise I would not have asked this question.
 
Ok now my problem here is I need a device to install it to. From my knowledge pfSense is run as an OS behind the border device. Doesn't really solve my original question.
 
Did you look into Mikrotik and IPsec on PCs and mobile devices?

I believe I have solved my problem completely by not going with IPSec. I have located some pre-packaged virtual server appliances from OpenVPN to run on both my ESXi and Hyper-V servers. It seems IPSec has some issues with routing certain UDP streams and therefore is rather flawed. For my Android devices I'll just have to install the client from the app store.
 
I'd love to use a Mikrotik for routing, but the VPN on my ASA is very slick. I could put it behind the router but then I'd have to do a bunch of internal routing because the VPN features only work in routed mode, not just transparent mode.
 
I am curious why you are so set on having it all-in-one (Router-AP-VPN)? By doing it that way you might get it in one box and for a low cost, but you usually have to seriously compromise one or more of the functions you are combining. You also make it hard to change one part without having to muck around with all of it (e.g., when the next great WiFi standard comes out you have to replace the whole thing instead of just replacing the AP).

Personally, I think you'd be better served decomposing it.
- MikroTik Router
- Your favorite AP
- pfSense (pfSense might be a router - but MikroTik is a much better one).

If you are concerned about platforms, get the smallest/cheapest/lowest power box you can support ESXi or Hyper-V on and run pfSense and the software version of MikroTik (RouterOS) in VMs. Or - since you already run Hyper-V - run them as VMs in the box you already have.
 
If it's around 10 mbit or so I'm quite sure a TP-Link WDR4300 or similar hw would produce good enough results under OpenWRT.
//Danne
 
I am curious why you are so set on having it all-in-one (Router-AP-VPN)? By doing it that way you might get it in one box and for a low cost, but you usually have to seriously compromise one or more of the functions you are combining. You also make it hard to change one part without having to muck around with all of it (e.g., when the next great WiFi standard comes out you have to replace the whole thing instead of just replacing the AP).

Personally, I think you'd be better served decomposing it.
- MikroTik Router
- Your favorite AP
- pfSense (pfSense might be a router - but MikroTik is a much better one).

If you are concerned about platforms, get the smallest/cheapest/lowest power box you can support ESXi or Hyper-V on and run pfSense and the software version of MikroTik (RouterOS) in VMs. Or - since you already run Hyper-V - run them as VMs in the box you already have.

You make a very valid point!

Currently as it stands I'm a little confused as to how I'm going to go about doing this setup. I really need a SECURE VPN tunnel between my home network and various laptops and Android tablets for file download/upload and remote access.

As I stated I have BOTH ESXi and Hyper-V hypervisors in my house. Both are entry level specs running on Intel Xeon E3 1230V2's with 32 gigs of RAM, so running a VPN in the VM is possible. My only predicament here is that I have a Bell Canada 2Wire 2701HG-G Gateway and setting up a box (either VM or physical router) behind it will be a little confusing for me.

I'm guessing the setup I need is really like this:
2701HG-G Gateway (routing, wireless, and IP address allocation) >> VPN solution (either VM or physical) >> LAN

I'd like to have to purchase as little hardware as possible and possibly test out the VM route since I have the horsepower.

Any other ideas on how to do this with as little costs as possible?
 
You'll want to bridge the 2wire or in newer firmwares you put the router's ip in the DMZ plus mode on the 2wire.
 
I believe there's a way to run the VPN solution from behind the router's firewall without placing it into a DMZ. I would rather not have to replace the router with another one. What I'd like to do in the ideal case is keep the 2Wire and just run a VPN of some sort behind it. I think this would involve port forwarding if I am correct but I am unsure of the exact specifics.
 
The 2wires aren't that great if you plan on doing more than basic stuff on it. For mom and Dad they are great but you want to look into maybe a PfSense box or VM or a Mikrotik or even an ASA. ASAs make awesome VPN devices.
 
I'm unfamiliar with ASA. Are they just VPN devices or routers too?
 
pfSense on some old hardware will be better than any consumer level embedded device.
 
I don't have any old hardware lying around, but possibly running it in a VM would be useful. I would just have to work out how to get it running behind an existing router. I only need a VPN solution not firewall as my 2Wire is doing a fine job already.
 
For OpenVPN it is as simple as a port forward. However I highly suggest letting pfSense service all of your routing needs.
 
I have multiple wireless devices on my network, not just wired. By placing my 2Wire in bridge mode I no longer have wireless access for devices in a pfSense setup.
 
The 2Wire is also your wifi AP? Well, you would need to get a different device to service your wifi if you went with a pf-router config. However, you will probably like it better that way.

You CAN put the VPN server behind the firewall, you need a port forward from the outside, and then routes added to the actual router for each IP range on the VPN, and matching routes to your LAN on the VPN clients.
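
The layout described in the post above (a port forward, a route on the router for the VPN range, and a LAN route on the clients), worked through as an added example that is not part of the original post. The addresses, the port and the function names are assumptions chosen for illustration; the server lines use OpenVPN directive syntax.

```python
import ipaddress

def plan_vpn_behind_router(lan, vpn_pool, vpn_server_ip, port=1194, proto="udp"):
    """Derive the three pieces needed for a VPN server on the LAN side."""
    lan_net = ipaddress.ip_network(lan)
    pool = ipaddress.ip_network(vpn_pool)
    server = ipaddress.ip_address(vpn_server_ip)
    if server not in lan_net:
        raise ValueError(f"{server} is not inside the LAN {lan_net}")
    # A pool that overlaps the LAN makes the router's static route ambiguous.
    if pool.overlaps(lan_net):
        raise ValueError(f"VPN pool {pool} overlaps the LAN {lan_net}")
    return {
        # 1. Edge router: forward only the VPN port to the server.
        "port_forward": f"WAN {proto}/{port} -> {server}:{port}",
        # 2. Edge router: replies to VPN clients must go back via the server
        #    (the server itself needs IP forwarding enabled).
        "router_static_route": f"{pool.network_address} {pool.netmask} via {server}",
        # 3. VPN server config: client address pool, plus the LAN route
        #    pushed to every client on connect.
        "openvpn_server": [
            f"port {port}",
            f"proto {proto}",
            "dev tun",
            f"server {pool.network_address} {pool.netmask}",
            f'push "route {lan_net.network_address} {lan_net.netmask}"',
        ],
    }

def client_lan_conflicts(home_lan, client_lan):
    """True if the network a remote client sits on collides with the pushed
    LAN route, in which case the client cannot reach the home LAN."""
    return ipaddress.ip_network(home_lan).overlaps(ipaddress.ip_network(client_lan))

if __name__ == "__main__":
    # Constructed addressing plan: home LAN, VPN pool, VPN VM's LAN address.
    plan = plan_vpn_behind_router("192.168.1.0/24", "10.8.0.0/24", "192.168.1.10")
    print(plan["port_forward"])
    print(plan["router_static_route"])
    print("\n".join(plan["openvpn_server"]))
    # A hotel or cafe network that also uses 192.168.1.0/24 would conflict.
    print(client_lan_conflicts("192.168.1.0/24", "192.168.1.0/24"))
```

The conflict check is why a home LAN on a less common range than 192.168.1.0/24 is easier to reach from networks you do not control.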
 
ASAs are primarily firewalls, but they can route as well. I use mine as router/firewall and it also terminates any VPN connections. They have apps for iOS and OS X, Windows, and Linux. Not sure about Android. I then have a Unifi AP hanging off my switch for wifi. Works very well.
 
So the VPN server will sit between the LAN and the router. Would you happen to know of any tutorials that pertain to this exact sort of setup? I have found various ones that cover the router and VPN on one device but not as the setup I require.
 