SB Router/FW Recommendations

All, I have a small network which I am currently running an Asus RT-N16 with DD-WRT in front of. The network is split into 2 subnets behind the router with each firewalled from the other by the Asus.
Code:
                      |---> LAN1
Internet ---> Asus ---|
                      |---> LAN2

LAN1 and LAN2 cannot talk to each other. Additionally, I have OpenVPN set up on the Asus to allow VPN access to LAN1. I am about to start trying to configure a second OpenVPN instance which will allow access to LAN2, and the 2 VPNs should be completely separate with different users, etc.

I have had a lot of success hacking through DD-WRT to get this non-standard config working well even though most of it is done not through the GUI. However, as I go forward with adding the second VPN endpoint I realize that this is becoming more and more unsupportable. There is no set of DD-WRT FAQs I can rely on to get this back up and running the way I have it easily unless I create a whole set of config documentation just for this device. It is based on a conglomeration of FAQs, DD-WRT forum postings, and a lot of personal troubleshooting and testing. Also, this is for a small business so I can't have some unsupportable setup no matter how much mileage I've gotten out of DD-WRT thus far.

I am currently looking at something like a Cisco 800 series or whatever the equivalent Juniper device would be. I have no real experience with either the Cisco or Juniper CLI, but am not afraid of a CLI (most of the time I find them easier than trying to screw around with some idiotically designed GUI). These are my key features:
  • MUST support routing between multiple LANs behind the device
  • MUST support multiple VPNs which connect users in to different LANs as I described above (I only need support for < 20 concurrent users/tunnels between both VPNs)
  • The VPN MUST give users full access to LAN1/LAN2, not an SSL VPN which allows publishing of a folder or application; the users need to be ON my local network, accessing a virtual environment full of Windows and Linux machines using RDP, running security scans, administering boxes to test out defensive strategies, and general testing
  • PREFER to have support for certificate-based VPNs as I've already gotten certs generated and distributed as part of the OpenVPN setup I have now
  • MUST support at least my current connection which consistently tests at 30/25 down/up
  • SHOULD support some standard logging config such as to a remote syslog server
  • IDS is a nice to have, but not a requirement
  • Wireless is a nice to have, but not a requirement

I'm open to recommendations, but anything along the lines of what I am currently running will get ignored. I need a standard config that can easily be backed up and restored, NOT a hacked-to-pieces DD-WRT router where I have to actually document every single nvram config item.

TIA,
bdfs
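The setup the original post describes (two LANs that must not see each other, one VPN endpoint per LAN, separate certificate users for each) can be expressed on any Linux router with two OpenVPN server instances and a FORWARD policy. The script below is an added example, not code from the thread or from DD-WRT: it generates the two server configs and the iptables rules. Interface names (eth0/eth1/eth2), subnets, tunnel pools, UDP ports and the /etc/openvpn/<name>/ PKI directories are assumptions for illustration.

```shell
#!/bin/sh
# Two independent OpenVPN server instances on one Linux router (added
# example; interface names, subnets and paths are assumptions).
# Each instance has its OWN CA, so a client certificate issued for the
# LAN1 VPN is rejected outright by the LAN2 instance, and the forwarding
# policy lets each tunnel reach only "its" LAN.
set -eu

WAN_IF=eth0                                   # assumed
LAN1_IF=eth1; LAN1_NET=192.168.10.0           # assumed
LAN2_IF=eth2; LAN2_NET=192.168.20.0           # assumed
LAN_MASK=255.255.255.0

# Print an OpenVPN server config.
# $1 instance name  $2 UDP port  $3 tun device  $4 tunnel pool  $5 LAN net  $6 LAN mask
ovpn_server_conf() {
  name=$1; port=$2; dev=$3; pool=$4; lan=$5; mask=$6
  cat <<EOF
port $port
proto udp
dev $dev
topology subnet
server $pool 255.255.255.0
# Separate PKI per instance (directory layout is an assumption).
ca /etc/openvpn/$name/ca.crt
cert /etc/openvpn/$name/server.crt
key /etc/openvpn/$name/server.key
dh /etc/openvpn/$name/dh.pem
tls-crypt /etc/openvpn/$name/tc.key
remote-cert-tls client
# Only this instance's LAN is pushed to clients.
push "route $lan $mask"
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
log-append /var/log/openvpn-$name.log
verb 3
EOF
}

# Print the FORWARD policy: default drop, each tunnel only to its own LAN,
# LANs only to the WAN (so LAN1 and LAN2 cannot reach each other).
forward_rules() {
  cat <<EOF
#!/bin/sh
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i tun0 -o $LAN1_IF -d $LAN1_NET/24 -j ACCEPT
iptables -A FORWARD -i tun1 -o $LAN2_IF -d $LAN2_NET/24 -j ACCEPT
iptables -A FORWARD -i $LAN1_IF -o $WAN_IF -j ACCEPT
iptables -A FORWARD -i $LAN2_IF -o $WAN_IF -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# Write lan1.conf, lan2.conf and forward.sh into the directory given as $1.
write_all() {
  out=$1
  mkdir -p "$out"
  ovpn_server_conf lan1 1194 tun0 10.8.1.0 "$LAN1_NET" "$LAN_MASK" > "$out/lan1.conf"
  ovpn_server_conf lan2 1195 tun1 10.8.2.0 "$LAN2_NET" "$LAN_MASK" > "$out/lan2.conf"
  forward_rules > "$out/forward.sh"
}

# Sanity check: neither instance's config may mention the other LAN.
check_isolation() {
  ! grep -q "$LAN2_NET" "$1/lan1.conf" && ! grep -q "$LAN1_NET" "$1/lan2.conf"
}

if [ $# -gt 0 ]; then
  write_all "$1"
fi
```

Run as `sh two-vpn-router.sh /etc/openvpn`, then start `openvpn --config /etc/openvpn/lan1.conf` and `.../lan2.conf` and apply `forward.sh` at boot. The design choice is two CAs rather than one CA with per-client routing: with one CA, isolation depends on a client-config-dir entry being right for every user, whereas with two CAs a LAN1 certificate cannot complete the TLS handshake with the LAN2 instance at all, and the FORWARD rules enforce the same split at the packet level even if a client ignores the pushed routes.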
 
Have a look at the DrayTek devices. I think the 2820 will do what you ask.
 

Any specific model?

BTW, in terms of a budget, anything up to $1000 would be fine. From what I've looked at I don't think I should have to pay more than that, but if necessary anything up to $2000 would probably be considered.
 

I wouldn't look into a model first. I would install it on spare hardware with a couple of NICs and put it through its paces to ensure that it works for you. IMO, it looks like it fits everything you were looking for.
 

So it is capable of having 2 unique VPN setups or of being able to implement different routing rules based on the user? All these devices (I mean any vendor: Cisco, DrayTek, etc.) say is that they support X number of tunnels. But if there is only one VPN config I can use and all the X number of remote endpoints are connected via the same config, it doesn't do me any good.
 
Zyxel USG 100 can easily do all of that. Zyxel USG 200 would be a better idea as it would give you room for expansion.

I would strongly recommend the Zyxel USG 200 over the DrayTek or Cisco 800.

You can get a Zyxel USG 200 + an HP ProCurve 1810-24G and a 3-pack of Ubiquiti UniFis for under $1000.

If you can build your own and have the skills to run it, I would suggest building a pfSense unit.
 
Having the skills and having the time are 2 different problems. I've run OpenBSD with nothing but pf and CLI before as a core network device, but I'm looking for something I can set up, run a routine backup of the config, and then never think about it again. Actually, pfSense or OpenBSD would come closer to that than what I have now, but I'd still prefer something I do not have to build.

Thanks for the Zyxel recommendation. That looks promising.
 
Other than the object-oriented interface, which is a bit different, the Zyxel models 100-300 are better than the SonicWall TZ series but still below the NSA series. The 1000 model, which is over your price range, competes with the SonicWall NSA series. My experience is that they are a better VPN device overall, with a lower TCO.

Keep in mind the USG series is NOT a complete UTM and that performance will drop as you turn features on. The USG 100 with everything turned on has a WAN to LAN throughput of 34Mbps. Using only the spam filtering, the WAN to LAN throughput is near 180Mbps. The unit does have a hardware VPN accelerator processor, so running 50 AES encrypted tunnels isn't even going to push the CPU past 10 percent.
Just make sure you use the latest firmware and CALL them if you need support.
 
Great info. Thanks. So for the two-route scenario I described, how would I accomplish that with the Zyxel? Would I be configuring per-user routing so that some users get to both LAN1 and LAN2, or am I setting up essentially 2 different endpoints? Also, it looks like the only difference with the UTM device line is that it adds web content filtering. Is that right?
 
Since the Zyxel supports multiple VLANs and multiple DHCP servers internally, it should be as easy as making sure that each user is assigned an IP in either a scope covering one LAN or the other, or one scope subnetted across two VLANs, in which case that user would be auto-placed in one VLAN or another via subnetting. OR you could assign (2) groups of VPNs with different settings and different routing.

Finally, you definitely could use IPsec for one group and route that group to LAN1 and L2TP for a second group and route them somewhere else. The device can perform static routes and supports VLAN tagging... which brings up a 5th possibility... Just use the VLAN tagging on the clients to route them to the correct location.

There are many possibilities, but if you are hesitant, purchase the unit from a reputable vendor and work with Zyxel's support; you shouldn't have any worries.
 