Small/Medium Business VPN Router

USMCGrunt (2[H]4U, joined Mar 19, 2010, 3,103 messages)
Looking for recommendations for a VPN router for a small to medium sized business. Need to be able to handle 50 IPsec client VPN tunnels with good throughput. I've got Cisco RV320 routers in place right now and while site-to-site VPNs go up and work great, I'm having a hell of a time getting client-to-gateway to even connect. I can't use Cisco's Easy VPN because it requires the Windows Firewall to be enabled and we use Symantec Endpoint Protection which disables Windows Firewall....not to mention that software is a giant pain in the ass to use as well. Windows' built-in VPN software just doesn't seem to want to cooperate otherwise I'd love to be able to use it.

I have a Cisco ASA 5505 that was donated to us that I'm toying with, but it's pretty far above my knowledge level, it's only licensed for 5 concurrent IPsec tunnels, and it seems to need Cisco's AnyConnect client, which I can't get hold of because of Cisco's strange hold on getting software without a contract.

I was looking at the Fortinet Fortiwifi 30D, unfortunately I can't find what licensing is needed for VPN use or if/what the annual licensing costs will be.
 
I hate Zyxel....I got a USG20W on recommendation for one of my sites and it's the biggest pain in the ass to setup simple things like port forwarding.
 
I'd look into ubiquiti, mikrotik or pfsense on the hardware of your choice (they have good options on the pfsense site or netgate.com) All of these can easily handle your requirements.
 
I'd say that UBNT and pfsense doesn't really fit under these requirements but oh well...

I would have to disagree, the pfSense SG-2440 for $499 includes support (4 incidents) and would handle those requirements with ease. You could even use LDAP authentication if you wanted to.

Heck, buy 2 and set up carp for a full HA setup.

I've found that a lot of SMBs love the licensing model pfSense uses. None, lol. Pay for the support, that's it. pfSense will also support virtualized installations. They don't support the hypervisor side but will support the software side. I have several clients that had pfSense installed on hardware with support contracts move to virtualized setups because of the additional hardware consolidation while still maintaining redundancy.

I even have one client that has a CARP setup with one physical and one virtual router. I'll be the first to tell you the performance is so good on both you can't tell which one is active.
 
Have fun running 50 tunnels on your Atom box...

Client-to-server tunnels are typically low bandwidth. We aren't talking 50 100mbit site-to-site connections here. Besides, we are talking IPSEC here, not OpenVPN. The key is that AES-NI actually works well on ipsec as long as you run AES-GCM which pfsense ipsec and windows ipsec support...

I mean come on, an atom n280 can do 65mbit throughput on ipsec...

Not to mention I would assume that we aren't dealing with a connection speed above 100mbit here since the RV320 is good for no more than 100mbit.
 
Have fun running 50 tunnels on your Atom box...

Those netgate boxes I linked aren't your grandpas atoms. With aes-ni/gcm supported in pfsense you can push quite a bit of traffic! With netmap-fwd inbound this hardware is about to get substantially faster at routing tasks as well. The C2758 can forward 1.683Mpps with netmap-fwd on pfsense! Check this post for details: https://blog.pfsense.org/?p=1866
 
"Need to be able to handle 50 IPsec client VPN tunnels with good throughput"
No idea what this actually means but I would guess that good means ~5mbit / connection or so.

Let's get some facts straight here....
1. Netgate hardware is no different to any other hardware
2. What you're mentioning just got added to -CURRENT (HEAD) and isn't going into pfSense anytime soon, so that's going to be a long wait unless you're going to switch to FreeBSD.
3. IPsec (or any other type of connection for that matter) doesn't scale 1:1 (more connections, more overhead)
4. Don't overestimate stuff that gets "pfsense"-branding
https://github.com/ocochard/netbenc..._i350/fastforwarding-pf-ipfw/results/fbsd10.2

As much as I like the FreeBSD project it wont magically do wonders...
 
Is there any reason you couldn't run a software VPN server? I like to use SoftEther for client to site VPNs, then you have a large selection of protocols and authentication.
 
It's not very small and portable (yet) so very few are adapting it for embedded systems. I would love to try it myself but some things turn me off, like bundling OpenSSL in their own repo. That seems to be fixed nowadays however...
 
This is for a smallish nonprofit whose desire is to move towards mobile computing. They've started buying laptops and have recently felt the pinch of a 100/4Mb internet connection. We'll be moving to a 100Mb symmetrical fiber connection in the near future with an immediate need for a dozen VPN clients and a maximum right around 50, though that number could float as high as about 65. When I said good throughput, I meant the ability to open files relatively quickly and use in-house, low-bandwidth applications that spit out mostly text reports. Under the current network connection, it takes upwards of 30 seconds to open a file and those in-house applications basically don't work....or the user is sitting there waiting 15-20 seconds between each mouse click, taking 5 minutes to do something remotely that takes about 30 seconds to do onsite.

A software VPN could be considered, I should have some NICs laying around and I'm retiring a few machines that have a Core2Duo inside, not sure the kind of throughput that can provide.
 
Since you have road warriors forget about IPsec, it's going to be a nightmare since it rarely works behind NAT. You want an SSL-based VPN, which leaves you with OpenVPN and/or SoftEther if you're going the Open Source route. With that many clients you probably want to look at SoftEther, which offers both OpenVPN compatibility, SSTP and its own protocol and supposedly is faster than OpenVPN in all aspects. That said, going this route you'll need a C2D or better, not some dinky little Atom box, especially since all is going to be handled off one core.

If you want to go this route you're most likely better off running a vanilla version of FreeBSD and/or OpenBSD.
 
That said, going this route you'll need a C2D or better, not some dinky little Atom box especially since all is going to be handled off one core.

What is your deal with Atom? Haven't used Rangeley before, have you? It's a proven low power routing powerhouse. Now you are referring him to a Core2Duo? I understand it's for a non-profit so cost is an issue, but so is warranty at that point. You don't go putting in a power sucking, used, high maintenance setup at a non-profit unless you want to be there every other week. I don't know what your deal with pfSense or Atom boxes is, but you need to get over it.

For 50 soft tunnels a c2558 or c2758 (if it is in the budget) will work just fine on a 100/100 connection. Don't believe me? Start looking around for some benchmarks and real world performance numbers, you will be surprised at what you find.
 
Since you have roadwarriors forget about IPsec, it's going to be a nightmare since it rarely works behind NAT.

I'm past the IPsec working behind NAT issues, I've gotten it up and running through a couple different home routers.
 
I'll probably utilize that Core2Duo machine to cut my teeth on the interface and make sure I can get it running smoothly and then move towards a mITX platform. I played around on Newegg last night and managed to price one out for $357. Haswell Celeron Dual Core, thin mITX with dual LAN (x1 Intel, x1 Realtek), 2GB RAM (Cheaper than a 1GB module), and a dual band wireless NIC. Probably beefier than it needs to be though.
 
I'm a big fan of Fortinet and Checkpoint boxes in general. When client vpn is thrown in I usually go Fortinet due to their client. That said, I'm not sure I'd come in with a 30D. I'd go with at least a 60D. I've had to clean up too many messes caused by someone who undersold a solution. Remember your client is likely going to keep this a long time and it always better to sell more capacity up front than come back next year and tell your client they have to buy a new device. I can't help you with costs though. I would think your reseller should be able to provide those costs easily.

Also please be aware some applications just aren't VPN friendly. It will not matter what sort of VPN termination device you have. The underlying issue there is almost always latency.
 
I hate Zyxel....I got a USG20W on recommendation for one of my sites and it's the biggest pain in the ass to setup simple things like port forwarding.

Interesting. I have been slowly migrating my SMB clients to the USG series. Sure, they aren't as intuitive and simple as a consumer-level router, but that also makes them significantly more powerful once you know what you're doing. I'm generally not one to use support unless I really need to, but Zyxel's has been really quick and helpful the couple of times that I have contacted them to explain something. They certainly do take a little getting used to, though. I see it as a nice trade off between consumer crap and cisco cli.
 
Personally I would opt for a real router. The ASA 5505 is not a router. It is a dedicated firewall that can do ethernet routing.

However, if budget does not allow a new hardware solution, I like running OpenVPN Appliance. It's a prebuilt operating system you install in a virtual machine and is more than enough power for your VPN needs. I use it every day for my cell phones and computers, and my wife uses it too. I have used it with customers on their sites and since it uses the native hardware of your host it is as fast as the hardware you run it on. Mine is on a Xeon E5-1620 so it's very very fast.

And free but you will have to buy a few licenses since only 2 are included for free but much cheaper than a new hardware device.
 
ITX are neat and all, but are you actually limited for space? Throw a regular box in a closet wherever the WAN and switches are, you gain a lot more configuration choices.

Best bang/$: grab a lenovo T140 server or similar on sale, these kinds of SMB servers often ~$300 with an e3 xeon. Toss in an intel server nic or two, fleabay has duals/quads yanked from servers that are so cheap you can afford spares.

Gives you a lot more room to scale and is actually fairly power efficient. A real haswell core @ >3Ghz will be able to push plenty of packets, depending on modules etc you would already be set for anything up to gigabit internet.

Use separate dedicated APs for wifi, pfSense is only up to N and lacks a lot of features. (FreeBSD will always be years behind on wifi drivers, it's just how things are.)
For a nonprofit on a tight budget that might grow, the new UBNT UniFi models are ideal IMO.
 
haha, oh man...you guys would have a shit fit if you saw how the network was physically positioned. Let's just say on my first walk through I had them shut a window because water from an AC unit was splashing down from the outside directly on top of the switch that runs half of one floor and all of another and connected to the switch that took care of the third. There are no wiring closets, there is next to no physical security, there is next to no disaster preparedness. When they were getting money (State hasn't passed a budget for this fiscal year), it was an 8-10 mil dollar operating budget that threw a shit fit about our 65k annual IT contract.

I'll look into a used T140 as well Aluminum, I haven't really dug into the used server equipment market for stuff, probably would be a great place to find some diamonds. I actually just retired the old e-mail server, Xeon 3220 in it...though its a monster with what looks like a one off Intel mobo design that I couldn't throw into a smaller case with a more efficient power supply.
 
So, once I get this set up, what's a good way to measure maximum throughput of the hardware? Set up a separate physical network, create a tunnel and transfer a large file? Though then I'd need two identical pieces of hardware acting as the routers...or one that was guaranteed not to be a bottleneck...
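One way to answer the measurement question above, added here as an example rather than anything posted in the thread: run iperf3 between a host on each side of the tunnel with its JSON output flag, parse the reported receive rate, and divide it by whatever per-client budget you have decided on (the ~5 Mbit/s per connection figure floated earlier in the thread is used below only as an input; it is not a measurement). The iperf3 report embedded in the script is constructed, not captured, and the script assumes `iperf3 -c <server> -J` is what was run across the tunnel.

```python
"""Added example (not from the original thread): turn an ``iperf3 -J`` report
into Mbit/s and check it against a per-client bandwidth budget.

Assumptions (not from the thread): the report comes from ``iperf3 -c <server> -J``
run between two hosts on opposite ends of the VPN tunnel; the per-client
budget is a planning figure chosen by the operator.
"""
import json
import subprocess
from typing import Optional

MBIT = 1_000_000.0


def iperf3_mbps(report_json: str) -> float:
    """Return the received throughput in Mbit/s from an iperf3 -J report.

    TCP reports summarise under end.sum_received; UDP reports under end.sum.
    """
    report = json.loads(report_json)
    end = report["end"]
    summary = end.get("sum_received") or end.get("sum")
    if summary is None:
        raise ValueError("no throughput summary in iperf3 report")
    return summary["bits_per_second"] / MBIT


def clients_supported(tunnel_mbps: float, per_client_mbps: float) -> int:
    """How many simultaneously active clients fit at per_client_mbps each."""
    if per_client_mbps <= 0:
        raise ValueError("per-client budget must be positive")
    return int(tunnel_mbps // per_client_mbps)


def headroom_ok(tunnel_mbps: float, clients: int, per_client_mbps: float) -> bool:
    """True if the measured tunnel rate covers `clients` all active at once."""
    return tunnel_mbps >= clients * per_client_mbps


def run_iperf3(server: str, seconds: int = 10) -> Optional[float]:
    """Run iperf3 against a server on the far side of the tunnel.

    Returns None if iperf3 is not installed or the run fails, so the
    caller can fall back to a saved report.
    """
    try:
        out = subprocess.run(
            ["iperf3", "-c", server, "-J", "-t", str(seconds)],
            capture_output=True, text=True, check=True,
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return iperf3_mbps(out)


# Constructed sample report (not a real capture), trimmed to the fields used above.
SAMPLE_TCP_REPORT = json.dumps({
    "end": {
        "sum_sent": {"bits_per_second": 93_500_000.0},
        "sum_received": {"bits_per_second": 91_200_000.0},
    }
})

if __name__ == "__main__":
    mbps = run_iperf3("10.0.0.2")          # hypothetical far-side host
    if mbps is None:
        mbps = iperf3_mbps(SAMPLE_TCP_REPORT)
    print(f"tunnel throughput: {mbps:.1f} Mbit/s")
    print(f"clients at 5 Mbit/s each: {clients_supported(mbps, 5.0)}")
    print(f"50 clients at 5 Mbit/s all at once: {headroom_ok(mbps, 50, 5.0)}")
```

Because the client-side iperf3 endpoint sits behind the tunnel, the number you get is bounded by whichever of the two routers, the WAN link and the iperf3 hosts is slowest; run it once with the tunnel and once without to see how much of the gap is the VPN itself.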
 
stolen from slickdeals, $280 + whatever fleabay nics for a 3.2ghz quad haswell router

Screw those tiny/custom boxes unless you literally have nowhere to put a midtower.

http://slickdeals.net/f/8192191-del...b-ddr3-1tb-hdd-dvdrw-279-w-free-s-h-dell-back

"Dell Small Business has their Dell PowerEdge T20 Tower Server System for $638 - $239 discount in cart - $120 w/ coupon code 279T20ADVANTAGE = $279. Shipping is Free. Thanks RevOne

Specs

Intel Xeon E3-1225 v3 3.2GHz Quad Core CPU
4GB DDR3 Memory
1TB 7200RPM Hard Drive
DVDRW Drive"
 
Damn, just got around to checking the forums and saw this but the deal has already expired. I'd have jumped on it for my own box, lol. Thanks for the share though.
 
Since you have roadwarriors forget about IPsec, it's going to be a nightmare since it rarely works behind NAT.
I'm curious--what have you run into that typically breaks it? Port blocking? IP conflicts?

Routers that don't support NAT traversal cause havoc on tunnels....but I haven't found one that causes issues, just read about it. Though it might be a high end 'security' feature, I've got a client with a WatchGuard XTM 515 and it only supports hair-pin NAT to a single endpoint from my understanding.
 
Gotcha, that makes sense. Yeah ipsec site-to-site definitely needs either nat-t or a dmz for the endpoint.
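For checking the NAT-T point from the outside rather than guessing, here is an added example (not code from the thread) that parses an IKEv2 IKE_SA_INIT message and uses its NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP payloads (RFC 7296, section 2.23) to decide whether the peer is behind NAT. Each of those payloads carries SHA-1(SPIi || SPIr || IP || port) as the sender saw its own address; recomputing the hash over the address the packet actually arrived from and comparing tells you whether something rewrote it in transit. The packet bytes below are constructed with a small builder, not captured, and a real IKE_SA_INIT would also carry SA, KE and Nonce payloads that this minimal sample omits.

```python
"""Added example (not from the original thread): detect NAT between IKEv2 peers
from the NAT_DETECTION_* notify payloads in IKE_SA_INIT (RFC 7296 s.2.23).

The sample packets are constructed by build_ike_sa_init(), not captured.
"""
import hashlib
import ipaddress
import struct

IKE_SA_INIT = 34
PAYLOAD_NOTIFY = 41
NAT_DETECTION_SOURCE_IP = 16388
NAT_DETECTION_DESTINATION_IP = 16389
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefix on IKE carried over UDP 4500 (RFC 3948)
HEADER_FMT = "!8s8sBBBBII"              # SPIi, SPIr, next payload, version, exch, flags, msg id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """SHA-1 over SPIs (header order), packed IP address and UDP port."""
    return hashlib.sha1(spi_i + spi_r + ipaddress.ip_address(ip).packed
                        + struct.pack("!H", port)).digest()


def parse_ike(packet: bytes) -> dict:
    """Parse the IKEv2 header and walk the payload chain, collecting notifies."""
    if packet.startswith(NON_ESP_MARKER):     # UDP-encapsulated on port 4500
        packet = packet[4:]
    if len(packet) < HEADER_LEN:
        raise ValueError("short IKE header")
    spi_i, spi_r, next_pl, version, exch, _flags, _msg_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    if version >> 4 != 2:
        raise ValueError("not IKEv2")
    if length != len(packet):
        raise ValueError("IKE length field does not match datagram")
    notifies, offset, ptype = [], HEADER_LEN, next_pl
    while ptype != 0:                          # 0 = no next payload
        if offset + 4 > len(packet):
            raise ValueError("truncated payload header")
        nxt, _crit, plen = struct.unpack("!BBH", packet[offset:offset + 4])
        if plen < 4 or offset + plen > len(packet):
            raise ValueError("bad payload length")
        body = packet[offset + 4:offset + plen]
        if ptype == PAYLOAD_NOTIFY:
            _proto, spi_size, ntype = struct.unpack("!BBH", body[:4])
            notifies.append((ntype, body[4 + spi_size:]))   # skip optional SPI
        offset, ptype = offset + plen, nxt
    return {"spi_i": spi_i, "spi_r": spi_r, "exchange": exch, "notifies": notifies}


def peer_behind_nat(packet: bytes, observed_src_ip: str, observed_src_port: int) -> bool:
    """True if no NAT_DETECTION_SOURCE_IP matches where the packet actually came from.

    A multihomed peer may send several; any match means no NAT on its side.
    """
    ike = parse_ike(packet)
    expected = nat_detection_hash(ike["spi_i"], ike["spi_r"], observed_src_ip, observed_src_port)
    sent = [data for ntype, data in ike["notifies"] if ntype == NAT_DETECTION_SOURCE_IP]
    if not sent:
        raise ValueError("peer sent no NAT_DETECTION_SOURCE_IP (no NAT-T support?)")
    return expected not in sent


def build_ike_sa_init(spi_i, spi_r, claimed_ip, claimed_port, dst_ip, dst_port, udp4500=False):
    """Constructed minimal IKE_SA_INIT carrying only the two NAT_DETECTION notifies."""
    def notify(ntype, data, nxt):
        body = struct.pack("!BBH", 0, 0, ntype) + data         # proto 0, SPI size 0
        return struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    payloads = (notify(NAT_DETECTION_SOURCE_IP,
                       nat_detection_hash(spi_i, spi_r, claimed_ip, claimed_port), PAYLOAD_NOTIFY)
                + notify(NAT_DETECTION_DESTINATION_IP,
                         nat_detection_hash(spi_i, spi_r, dst_ip, dst_port), 0))
    hdr = struct.pack(HEADER_FMT, spi_i, spi_r, PAYLOAD_NOTIFY, 0x20, IKE_SA_INIT,
                      0x08, 0, HEADER_LEN + len(payloads))   # 0x08 = Initiator flag
    pkt = hdr + payloads
    return NON_ESP_MARKER + pkt if udp4500 else pkt


if __name__ == "__main__":
    spi_i, spi_r = bytes.fromhex("0123456789abcdef"), bytes(8)   # SPIr is zero in the first message
    # Road warrior on 192.168.1.10 behind a home router; gateway sees 203.0.113.5.
    pkt = build_ike_sa_init(spi_i, spi_r, "192.168.1.10", 500, "198.51.100.1", 500)
    print("client behind NAT:", peer_behind_nat(pkt, "203.0.113.5", 500))       # True
    # Same client with a public address, after switching to UDP 4500.
    pkt = build_ike_sa_init(spi_i, spi_r, "198.51.100.7", 500, "198.51.100.1", 500, udp4500=True)
    print("client behind NAT:", peer_behind_nat(pkt, "198.51.100.7", 500))      # False
```

When a peer never sends the NAT_DETECTION payloads at all, that is the case the WatchGuard/hair-pin discussion above is really about: no NAT-T negotiation happens, so ESP goes out unencapsulated and the first NAT in the path breaks it.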
 
if i had 50 road warriors i wouldn't be having them connect to my edge device...

i'd set up a dedicated road warrior VPN... something like a softether or windows access server...

load it up on a VM, forward the appropriate ports, or put it in a DMZ, and done...

I've actually got enough resources available on a server to setup a 2012R2 VM...I guess I could use Windows' RRAS as a VM server...I've never worked with that role so I'd have to do some poking around either way.

that's what i'd do... if i had that many users i wouldn't use the edge device... for site-to-sites, i think it makes sense... maybe it was just untangle's implementation of openvpn that got me thinking this way... whenever i wanted to add a road warrior it would take all of my site-to-sites down for a solid 30seconds to a minute... what a pain in the butt

with voip going over the VPN in some places, it got to the point where i couldn't add new clients during business hours...
But you do realize that not all VPN concentrators work this way, right? In fact, I'd hedge a bet to say that most don't work this way.

yea... this is why i said "maybe it was just untangle's implementation..."

separating your site-to-site and your road warrior infrastructure has other strengths as well...
 