Pawel_Kowalski


Best router for site-to-site VPN

Hello,

We have a couple remote offices that I would like to connect to our central office. For a remote office in town I had bought a Zyxel VFG6005N router as a cheap solution that works okay. However, I have had random problems with this router such as the settings getting wiped for no reason. So for this next installation which will be 300 miles out of town I would like something much more reliable as having to drive 300 miles if something goes wrong is not ideal.

Does anyone have a recommendation for a good router that will allow me to connect to our Windows SBS 2011 VPN server (SSL VPN would be preferred but IPSec will also work) and allow users at the remote location to use local resources without having to do anything additional on their end?

Our budget for this is a bit more than the $100 we paid for the Zyxel but we would like to stay under $500 ($300 would be ideal) if at all possible. Wifi does not have to be built in as I could just buy an access point but it would be nice to have if it doesn't compromise the quality of the router itself.

Thank you in advance for any suggestions, hopefully I offered enough information but if I didn't please let me know.
Nicolus

Look to these guys for a life-saving solution.

www.Untangle.com

Buy two Dell XE computers, load Untangle basic product on it, and your life will change!

I've used old PCs more than a few times with great success.  Like was mentioned you could use Untangle.  I use pfSense.  If you have some old PCs the only cost is the $20 or so for a 2nd network adapter in each of them.

I would recommend a sturdy Cisco 871 router. This router can handle the load and is reliable. You can find one at around $250 and if you want to add support & warranty (Smartnet) it should be around $75.

The 871 definitely supports IPSec. Not 100% sure about SSL, but I think it does too. If interested in this solution, I can do some more digging.

I guess this one would be around your ballpark.

Hope this helps!
David Atkin

Before buying anything it would be worth double checking the bandwidth at those sites to make sure that it would work ok.  If the download/upload is poor at either end then there will be little point in doing it.

I've used Draytek 2820s in the past for VPNs.  They seem to be ok and work fine.

Another one I've configured is a SonicWall TZ210 - This is currently set up between the UK and AU.  Works a treat but we have to restart the VPN on occasion.  I would recommend the SonicWall.

I wouldn't recommend getting one with Wi-Fi built in anyway.  The last thing you want is users turning the router off and on because they are having wireless issues.

Also bear in mind that IP ranges will need to be different at both sites.

Site-to-Site VPN will be better than doing it through the SBS if you have lots of users on the same site.

Just to add to the previous comment as well.  Ciscos do tend to be rock solid but you need more knowledge to be able to configure them.

Hope that helps a little.
For a six-hundred mile round trip, I would also recommend getting an external modem and hooking it up to the console port.
Pawel_Kowalski

ASKER

I would really prefer a hardware solution as opposed to software since software adds another layer which could be a problem to troubleshoot from 300 miles away. For Untangle they have appliances on their site but they are fairly pricey, would I need 2 of these?

http://www.untangle.com/appliances/

The Cisco 871 looks interesting but it is no longer sold or supported, is there a replacement for this?

The SonicWall TZ210 looks good but from what I could find it sells for around $750 and has a lot of features we don't really need. Is there a lower cost version of this? Also, when you said you have to reset the VPN from time to time is that as simple as unplugging it and plugging it back in?

As far as hooking a modem up to the console port. We will have one Ethernet cable coming in which I will plug the router into (we are at the mercy of someone else's network at this remote location). Can I connect a console to that and which router would that be?

Thank you all for your suggestions so far.

Edit: Forgot to mention bandwidth will not be a problem at this location. It was at my other one and the way I got around that was using terminal services.
Two for SITE-to-SITE...  One will act as the server, the other as the client.  The appliance is for those people who don't want to go through the (non-existent and imaginary) trouble of installing the software themselves.  The product is not a software that installs on Windows like an AV installation, but rather a whole suite of products, that are free, and updated automatically (and as often as a threat publicly posts itself)

You can go to dell.com/outlet and get a THREE-year fully warrantied refurb Optiplex XE that will give you so many security features on top of an SSL based VPN solution.

Of course the product also has full-featured GUI based remote management capabilities built on a solid Linux platform.  Again, FULLY GUI BASED.
My only concern with using a computer is that if something happens I need to be able to tell the people that are on site (who have little technical expertise) to power cycle the hardware. With a computer this isn't as simple as unplugging/plugging back in.

If I did go the computer route can I install the software on my existing SBS 2011 or would I get another computer to replace the current router in the main office? How would that affect my existing user VPN accounts from active directory? Will those still work? Finally, what is the cost of the software and do I need a license for each location?

Thanks again.
An 881 or 891 should be able to handle that.
I would second the pfSense route ---

pfSense - http://www.pfsense.org/

Soekris - http://soekris.com/products.html (I am currently using the 5501-60 in the 1RU case; 4 Ethernet, expandable to 8)
http://soekris.com/products/net5501/net5501-60-board-rm-case.html
http://soekris.com/products/lan1741-1.html

Also, have some friends using this off-the-shelf version and they have good luck as well.

NetGate - http://store.netgate.com/Netgate-FW-7535-1U-P1695C84.aspx (6 Ethernet)
I would be another advocate of the Cisco Router.

The Cisco 891 would be fine for creating a Lan2Lan/Site-to-site connection and also supports the SSL VPN or Client VPN.
Heck, you could buy an older consumer-grade router, and install DD-WRT with OpenVPN server....

...if what you want is a customized setup that nobody else will ever be able to administer.
When you load software like pfSense or Untangle or stuff like that you're basically creating the same thing as the appliance, just in a not-so-sexy chassis.  I've used old PCs, old Watchguard Fireboxes, new SuperMicro 1U servers, Dell PowerEdge servers, etc. to run pfSense.  But if you're not comfortable doing that then certainly buy an appliance with it pre-loaded.  I was only suggesting you do it yourself to help you keep in budget.

For a site-to-site VPN I'd recommend connecting the LANs at each office instead of just connecting in to your SBS server.  But if your SBS server is the only network resource you need to reach then that will work fine.
ASKER CERTIFIED SOLUTION
xperttech
SonicWall do a TZ105 which will be cheaper and has fewer features.  With regards to restarting the VPN, there is a little tick box on the VPN page, a power cycle of the device would do the same thing.  We believe it drops because of a wireless ISP going up and down constantly.

I would go against the software option.  As you said before it will add additional troubleshooting steps. A hardware option would just be a power cycle in most situations.

I also wouldn't use a consumer router.  There is a reason why businesses use business grade routers.

What router do you have at your main office?
Just so you have an idea...

The SonicWall TZ105 is priced at $495 MSRP, but I found it in PriceGrabber as low as $266.00 today.

The Cisco 861 is priced at $450 MSRP but I found it in PriceGrabber as low as $267.73 today.

My understanding is that both routers support Wireless and can connect up to 5 VPN tunnels. Wireless here is the value-added feature.

My preference would be to go with Cisco any day of the week. Both devices are solid but Technical Support from Cisco is easier and faster to reach. This would come down just to your pure preference.

Ciscos are usually configured via command line (IOS) but they also have a graphics interface. SonicWalls are the opposite, you usually configure them through a browser but can be configured via their command line too.

Trying to save a few bucks going with a software solution, or a SOHO (non-commercial grade) solution will cost you several bucks and a few late nights cracking your head. Save yourself some frustration making the right choice!

Cheers!

-XT
"My only concern with using a computer is that if something happens I need to be able to tell the people that are on site (who have little technical expertise) to power cycle the hardware. With a computer this isn't as simple as unplugging/plugging back in.

If I did go the computer route can I install the software on my existing SBS 2011 or would I get another computer to replace the current router in the main office? How would that affect my existing user VPN accounts from active directory? Will those still work? Finally, what is the cost of the software and do I need a license for each location?"

To respond to your concern of "unplugging/plugging back in" you can easily do this because, as it is still a PC, simply tell them to hold down the power button for 5 seconds and the PC is killed.  Second, as this is built on a Linux core I have system running for over 3 years WITHOUT a reboot - and the system has updated itself over 50-60 times and in tradition to Linux build all updates have been automatically applied without the need for a reboot.  But anyway, "unplugging/plugging back in" is as easy as a button.

You cannot install it on an SBS because this is not software... It is an independent OS + Operational modules.  So when you install it on the DELL XE, or any of the other Small Form Factor, it wipes the drive, partitions it, loads stable drivers and makes your life sweet.

As far as licensing, the open source edition (which includes OpenVPN) is FREE FREE FREE.
And with the open source solution you get Spam control, AV, Intrusion Prevention, and a BUTT-LOAD of other awesome things.
Nicolus:

This all sounds sweeeeeeeet but, are you sure there is no risk of data corruption or even drive damage if the computer (running Linux) is power-cycled while writes may be occurring?

And, what about Technical Support for the Open Source software and OS? In a moment of crisis I don't believe Pawel_Kowalski will not have the luxury of time to wait at Experts-Exchange forums to take their sweeeeeet time to respond while he eats his nails... even if there is professional Technical Support for these products, I'm sure they will be as low as $100 an hour or per incident. With a couple of incidents, he might have paid for a commercial-grade and certified solution that includes professional Technical Support.

I would only use this solution, and believe me I'm going to try this; AT HOME.

-XT