Firewall Recommendation

UncleDavid218

2[H]4U
Joined
Jan 16, 2006
Messages
2,734
Hi,

We currently run a PepLink Balance 210 router/firewall combo. It has been absolutely fantastic, but is limited in features for VPN (PPTP only) and that is becoming a problem as we grow. Also, the firewall features leave a lot to be desired.

Budget is $2k.

50-60 on site users.

15 remote users (though not full time remote).

I would like something with AD integration for VPN and content filtering. Right now that's about all I need, but perhaps later as we grow that will expand.

I have looked at SonicWall, Fortigate, Meraki, Cisco, and all of the others. I currently run an entirely Meraki MR16 network so something like the MX80 looks extremely appealing to me, but has received mixed reviews in the community.

I do currently run 2 WAN connections: 1 100x100 fiber line and backup 30x5 cable line. The PepLink can be put in "drop in mode" in front of the firewall so dual WAN capability is not absolutely necessary, but I'm also not opposed to selling the PepLink either. The principles of KISS tell me to get rid of the PepLink altogether.

Guide me....

Thanks,

David

MysticRyuujin

Limp Gawd
Joined
Oct 1, 2013
Messages
507
This guy looks promising:
Cisco RV320

It does support Active Directory and it has dual WAN.

It's the #2 ranked wired only router at smallnetbuilder.com
 

Mackintire

2[H]4U
Joined
Jun 28, 2004
Messages
2,931
> This guy looks promising:
> Cisco RV320
>
> It does support Active Directory and it has dual WAN.
>
> It's the #2 ranked wired only router at smallnetbuilder.com

Good GOD no!

The RV series are 100% pieces of crap.


A Zyxel USG 300 would work. Disable all the subscriptions except the content filtering and it'll fly. If you enable AV and IDP you'll only see 80Mbps. Otherwise your fiber line will run at full speed. The VPN is crazy good and the support team will assist you with setting it up for the first 90 days. The Zyxel USGs run a custom BSD OS and are known to run for years without a restart. It also has no problems load balancing (2) WAN lines and has AD integration.

http://www.zyxel.com/us/en/products_services/usg_2000_1000_300.shtml?t=p
 

Liger88

2[H]4U
Joined
Feb 14, 2012
Messages
2,657
Second the ZyXel line, although quite underpowered compared to the competition these days for the price. Anything other than firewalling takes a huge performance hit due to the sub-par processor. Like mentioned above, it'll do everything you need and comes loaded with features you may find useful later down the road. The key with the USG series is to go as big as you can; you'll need it to make up for the outdated hardware.

Sad thing is they are due to update the USG line any day now, so you're in the wait game if you don't want to kick yourself. The new line (110, 310, and 1100 [firewall only]) is showing what will be in store for just about the same price you'd pay now for an inferior unit.

As a Cisco guy myself I don't take the RV line that seriously, and not many others do. Much like what they did with Linksys and their own half-assed attempts to get into the lower-end market, Cisco just doesn't do it well at all. Performance numbers aside, there are so many more factors to consider. GUIs should be easy; with Cisco they are a disaster.
 

Nate7311

2[H]4U
Joined
Jan 11, 2001
Messages
3,320
It's the content filtering on the Zyxel that kills it for me. It's been VERY problematic and finicky when I've utilized it. Otherwise great units. I'd look close at the Fortinet units also. Maybe a 60D/90D. Easy to use, a metric ton of public config examples and the easiest end user VPN setup I've seen yet.
 

Berg0

[H]ard|Gawd
Joined
May 16, 2005
Messages
1,038
For the $2k mark you could get a Juniper SRX210; so long as you don't have OS X remote clients, the dynamic IPsec VPN would work for you.
 

firedrow

Limp Gawd
Joined
Oct 11, 2013
Messages
161
I'd suggest a Watchguard XTM330 or Fortinet Fortigate 80C; either will connect to Active Directory and both have dual WAN capabilities (Watchguard will need the XTM Pro license upgrade, but then every interface [there are 7] can be configured for WAN or LAN or DMZ).

The Fortinet is a little harder to configure, but is super powerful. I love the vDom setup (think of it as Firewall Hypervisor).

But Watchguard's ease of configuration (both Web and client) as well as real-time traffic logging is hard to beat.
 

Mackintire

2[H]4U
Joined
Jun 28, 2004
Messages
2,931
> It's the content filtering on the Zyxel that kills it for me. It's been VERY problematic and finicky when I've utilized it. Otherwise great units. I'd look close at the Fortinet units also. Maybe a 60D/90D. Easy to use, a metric ton of public config examples and the easiest end user VPN setup I've seen yet.

Did you update your firmware to 3.3?
 

UncleDavid218

2[H]4U
Joined
Jan 16, 2006
Messages
2,734
Just to update this, I am demoing the following:

WatchGuard XTM 515
SonicWall NSA 2400
Meraki MX80

We'll see how it goes... I'm going to put them in production for 2 weeks at a time without alerting users, except those who require VPN access. I know these are a bit oversized, but we expect (and are experiencing) rapid growth.
 

firedrow

Limp Gawd
Joined
Oct 11, 2013
Messages
161
Make sure you test the Watchguard's WebUI and the System Manager. The WebUI is handy for quick jobs, but if you need to do something complicated or you want to look at the real-time traffic & bandwidth monitoring, then you need the System Manager.

The XTM 515 is a great unit; if you're experiencing rapid growth it should cover you for quite some time.

Their support is mostly by online ticketing, but you can ask that they call you. By phone, email, or ticketing they take care of any issue very quickly. If you can buy from someone who has a distributor like Ingram Micro or CPU Distributing, that'd help too. They generally have their own knowledgeable support groups and back door numbers to the support departments.