VPN Router for small Business

Operandi

I'm looking for some recommendations for a router for a small business environment. The router doesn't have to do much in terms of workload, just serve as the internet connection and support remote VPN access to an IP security system.

At any given time there isn't likely to be more than one VPN connection at a time, and all the clients will be Windows 7 Professional.
 

Emulex

A simple single-WAN solution would be a DD-WRT router (like the Buffalo AirStation WZR-HP300GN), which comes with a licensed copy of DD-WRT.

It is super easy to set up a PPTP server. Essentially, if the router is 192.168.1.1 you set the PPTP server to 192.168.1.2 and set a range, say 192.168.1.3 through 192.168.1.10, for VPN clients. DHCP would run from .100 to .254, but PPTP doesn't use DHCP for IP allocation. There's a great walk-through on how to set it up on the DD-WRT website. I'd say it took me about 5 minutes to set up 5 accounts.


Or you can get pfSense and throw it on a box with two network ports and rock out (I'm doing this, except I'm with ESXi). pfSense has a really great commercial support system; they can design, implement, cloud-backup (your config), and help operate the pfSense firewall(s). You can run two pfSense in CARP mode so in the event of a failure the other takes over - cost for ALL features enabled - $0.00 (plus hardware).

Lastly - I know this isn't terribly popular as far as security - you could just change the RDP ports on each PC behind the firewall and punch a NAT hole through - and let folks RDP in (yourgateway.com:3390,3391,3392 etc). This is the least secure, but it works if you have a Windows business-class (Professional and higher) machine.

If you use the model router -> SWITCH -> access point - you will find many low-end consumer routers will function very reliably as long as they have stable firmware and a decent amount of RAM and you aren't running BitTorrent at work lol
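The address plan from the post above (router .1, PPTP server address .2, VPN clients .3 to .10, DHCP .100 to .254) can be sanity-checked before it is typed into the router. This is an added example, not part of the original post or of DD-WRT; the function names and the constructed "bad" variant are assumptions for illustration.

```python
import ipaddress

def span(first, last):
    """Inclusive IPv4 range as a pair of integers."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    if lo > hi:
        raise ValueError(f"range {first}-{last} is reversed")
    return lo, hi

def check_plan(lan, router, pptp_server, vpn_pool, dhcp_pool):
    """Return a list of problems with the address plan (empty list = consistent)."""
    net = ipaddress.ip_network(lan)
    blocks = {
        "router": span(router, router),
        "pptp server": span(pptp_server, pptp_server),
        "vpn pool": span(*vpn_pool),
        "dhcp pool": span(*dhcp_pool),
    }
    problems = []
    # Host addresses exclude the network and broadcast addresses.
    usable_lo = int(net.network_address) + 1
    usable_hi = int(net.broadcast_address) - 1
    for name, (lo, hi) in blocks.items():
        if lo < usable_lo or hi > usable_hi:
            problems.append(f"{name} leaves the usable range of {net}")
    # Two inclusive ranges collide when each starts before the other ends.
    names = list(blocks)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if blocks[a][0] <= blocks[b][1] and blocks[b][0] <= blocks[a][1]:
                problems.append(f"{a} overlaps {b}")
    return problems

def vpn_capacity(vpn_pool):
    """Number of simultaneous VPN clients the pool can address."""
    lo, hi = span(*vpn_pool)
    return hi - lo + 1

# Values taken from the post above.
POST_PLAN = dict(lan="192.168.1.0/24", router="192.168.1.1",
                 pptp_server="192.168.1.2",
                 vpn_pool=("192.168.1.3", "192.168.1.10"),
                 dhcp_pool=("192.168.1.100", "192.168.1.254"))
# Constructed bad variant: VPN pool widened into the DHCP scope.
BAD_PLAN = dict(POST_PLAN, vpn_pool=("192.168.1.3", "192.168.1.120"))

if __name__ == "__main__":
    print(check_plan(**POST_PLAN), vpn_capacity(POST_PLAN["vpn_pool"]))
    print(check_plan(**BAD_PLAN))
```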
 

Operandi

I suppose a simple DD-WRT router could work. I plan on having three separate VLANs (computers, IP cameras, and phones) but there won't really be much traffic between them so the router should have a pretty light work load.

Also can I use the router's wireless along with a few Wi-Fi access points or am I best disabling the on board Wi-Fi and relying on access points?
 

drebo

As always, I like the Juniper SRX100.

However, if your small business has a Windows Server, you can configure Routing and Remote Access and it'll give you an L2TP or PPTP VPN.
 

Operandi

The Juniper is for sure overkill.

Right now the IP camera server is running Windows 7, which is the machine we need VPN access to, but I could switch it over to Windows Server as we are still evaluating software packages for the cameras. Perhaps that’s the best way to go?
 

drebo

> The Juniper is for sure overkill.
>
> Right now the IP camera server is running Windows 7, which is the machine we need VPN access to, but I could switch it over to Windows Server as we are still evaluating software packages for the cameras. Perhaps that’s the best way to go?

Well, I wouldn't necessarily do that. You don't have another Windows Server system on premises?

Have you considered something more simple, such as RDP or Logmein?

Also, the Juniper is less overkill than an ASA5505. It's cheaper :)
 

Operandi

> Well, I wouldn't necessarily do that. You don't have another Windows Server system on premises?
>
> Have you considered something more simple, such as RDP or Logmein?
>
> Also, the Juniper is less overkill than an ASA5505. It's cheaper :)

We do, but they are part of the corporate network and pretty much completely locked down and not even part of the same network.

What I'm working on is a standalone network for IP cameras, phones, and a few PCs. This network will be purchased and maintained in house. Is there something wrong with running a VPN server on the same machine as the IP camera server?
 

Zargon

> Well, I wouldn't necessarily do that. You don't have another Windows Server system on premises?
>
> Have you considered something more simple, such as RDP or Logmein?
>
> Also, the Juniper is less overkill than an ASA5505. It's cheaper :)

Not really, just about the same price :p
 

LokutusofBorg

I am also looking into a device for a branch office to provide VPN access for home users, and a VPN tunnel to corp HQ. Is there anything in the general range of the Cisco there that's a bit more user-friendly? I'm not excited by the prospect of delving into learning how to configure a Cisco. Should that not scare me off?
 

Zargon

The ASAs have a Java (ugh) based software client called ASDM that's more user friendly than using the CLI in IOS.

The 5505 should do the trick; you might want the Security Plus package that unlocks more VPN connections.

Or look at the Juniper, or the FortiGate 60C.
 

theevilsharpie

I've had bad experiences with the ASDM. Specifically, I've seen it fail due to Java updates, seen it crash a firewall several times just by browsing around the ASDM interface, and I've encountered a known issue with ASDM (I'm not sure if it was ever fixed) where the configuration in ASDM didn't actually match the configuration on the ASA. Yes, I'm serious about the last one.

The ASA is an absolutely horrible firewall that is completely uncompetitive with UTMs like FortiGate, SonicWALL, etc. on functionality (and hasn't been for years), and is completely uncompetitive with packet filters like pfSense, Netgear ProSafe, etc. on price. They aren't competitive with anyone on ease of use. I have no idea why people still buy them.
 

Zargon

> I've had bad experiences with the ASDM. Specifically, I've seen it fail due to Java updates, seen it crash a firewall several times just by browsing around the ASDM interface, and I've encountered a known issue with ASDM (I'm not sure if it was ever fixed) where the configuration in ASDM didn't actually match the configuration on the ASA. Yes, I'm serious about the last one.
>
> The ASA is an absolutely horrible firewall that is completely uncompetitive with UTMs like FortiGate, SonicWALL, etc. on functionality (and hasn't been for years), and is completely uncompetitive with packet filters like pfSense, Netgear ProSafe, etc. on price. They aren't competitive with anyone on ease of use. I have no idea why people still buy them.

Did you miss the part where they say Cisco on them? :p

I will echo the Java issues, been there, done that. I am happy with the 5505 I have in use, but I have never asked it to do much more than a DD-WRT can do. It's just been more reliable.

I am trying out the FortiGate next, here in a week or two.
 

Operandi

What about Netgear ProSafe stuff? In particular, I was looking at this one; the latest firmware seems to fix the VPN issues some users had under Windows 7.
http://www.amazon.com/NETGEAR-Prosaf...695605&sr=1-19

I would like to keep costs down so I can put it into cameras, and other gear if possible. There won't be a ton of users on the router and I don't need a ton of throughput.