Spec me a small business VPN router

[Beerbaron]

Hi,

I am looking for a new router for one of our small offices. The features I'm after are:

• 10/100/1000 WAN

• VPN (for remote users). VPN access must support MAC OS if it requires software

• Needs to support ~30 users for remote user VPN

• If possible can be rack mounted but its not too important

• Ideally something small business in cost/configuration

Any recommendations?

Thanks.

- - - Updated - - -

I've just come across these. Generally not a huge fan of D-Link stuff by these seem to tick most boxes:

D-Link UK | DSR-1000N Wireless N Dual Band Unified Service Router

D-Link | DSR-500 Unified Services Router w/ WAN Failover

[BraderzTheDog]

Depends what you want you want in terms of features but here are a few.

High end: Checkpoint - either hardware appliance or can be installed on a virtual machine if you have spare blade servers lieing around.
Positives - easy to administer, very good gui, smartview tracker is fantastic tool for debugging, software blades, application awareness, can be distributed (manager & fw)
Negatives: - Licenses expensive, can be a pain to debug if you don't know linux

Mid range - Juniper SSG's or SRX - Hardware only based appliance, alot cheaper than checkpoint - huge range from SSG5 to SSG550 to suit all business needs.
Positives - good web based gui, cheap solution (can pick up an ssg20 for about £200), very solid platform, scalable & great vendor support
Negatives - Doesn't do much in the way of layer 7, cli language is VERY bispoke at least on SSG (SRX platform is more like cisco).

Low end - Cisco ASA 505 or Fortinet - Cheap solution can pick these up for about £300 - £400 new from vendor. Does what it says on the tin.
Positives - Cheap, well known and easy to deploy, alot of documentation especially Cisco (if you have a problem someone else somewhere will have had the same).
Negatives - Not much functionality other than a basic Firewall and VPN solution, this does mean less stuff to go wrong but still... Not a massively great product.

All of the above are firewalls, all can route packets will do the major routing protocols OSPF / RIP / EIGRP / BGP. All will give the ability to setup site to site and remote access VPN. Good solid products, I wouldn't use a router from personal experience.

Hope this helps.

[GSteer]

I don't classify D-Link as something I'd want running at any of my clients.

We're a reseller and use them pretty much exclusively over here, they work well, no silly VPN licensing & an OSX client is available.

You can do a unit comparison with their Product Matrix here: http://www.fortinet.com/sites/defaul...ductMatrix.pdf

We're currently testing a Cyberoam unit we've been approached about which is also the SMB segment, better reporting and individual user blocking features but I'm still cautious as they are relatively unheard of or proven to us.

[Beerbaron]

Thanks for the info.

Its not a client but one of our offices. Only really 3-4 users there plus a few servers so quite small. We are looking for something quick and easy to setup.

- - - Updated - - -

I don't classify D-Link as something I'd want running at any of my clients.

We're a reseller and use them pretty much exclusively over here, they work well, no silly VPN licensing & an OSX client is available.

You can do a unit comparison with their Product Matrix here: http://www.fortinet.com/sites/defaul...ductMatrix.pdf

We're currently testing a Cyberoam unit we've been approached about which is also the SMB segment, better reporting and individual user blocking features but I'm still cautious as they are relatively unheard of or proven to us.

What would you recommend from that product matrix?

[GSteer]

Just to clarify:

The sites only got 3-4 users and a couple of servers, but needs 30-40 VPN users that will connect ?

[Sparky]

• Needs to support ~30 users for remote user VPN

How many are going to be connected at the same time mate?

[Beerbaron]

there are only a few staff that work at the office. there are a couple of servers that people connect to when they are out and about working at clients/other offices. the current router has the option to add 32 VPN users which is full, although i doubt they are all used. all 32 wont connect at the same. there isnt the option to add more 32 users with it limited to 32 at the same time.

[GSteer]

Ahh.

Well with the Fortigates (and most other brands of similar level) you can do LDAP passthrough to your AD, so no need for different credentials and no limits.

So would 5-10 be connecting concurrently then ?

[Beerbaron]

no ad as its all mac with local accounts

[GSteer]

Looks like you could get away with a Fortigate 40C, but I'd suggest a 60. This is mainly as I've not had experience with the 40's as we don't use lower than the 60's ourselves.

You do get faster throughputs on the VPNs with the 60's/80's. Also depends on the cost of them in the UK. There are wifi varients of those models too if that

As an example we generally spec 60's for offices of around 10-25 people then move up to the 80's.

User Maximums:

Ok, so as per the latest firmware OS 5 it looks like all the desktop models with model numbers < 100 can have up to 500 local users.

Source: http://docs.fortinet.com/fgt/handboo...-values-50.pdf

More specific values for pre OS 5 can be seen at this link, which indicates anything greater than the 50 models have up to 100 local users available.

Source: http://docs.fortinet.com/fgt/handboo...ues-40-mr3.pdf

[Sparky]

If you want the correct product you need to work out how many remote workers are going to be connected at the same time (roughly).

What Firewall products do you use at other sites?

[Beerbaron]

I would guess at about 10 users. the current firewall used is the one on the Draytek router.

[Sparky]

I would guess at about 10 users. the current firewall used is the one on the Draytek router.

A couple of options mate.

TZ 210 Network Security Appliance Series - Dell SonicWALL, Inc.

NSA 220 Network Security Appliance Series - Dell SonicWALL, Inc.

10 connections at one time is high - are the people connecting always remote workers?

[GSteer]

Sonicwalls...nooo, run.

Personal preference but I really dislike their interfaces and charging a license per VPN client.

[Sparky]

Sonicwalls...nooo, run.

Personal preference but I really dislike their interfaces and charging a license per VPN client.

Eh? You mad?

Interface is easy and the VPN licensing depends on whether its SSL or the standard Global VPN client.

Much cheaper than Cisco etc. and you get enterprise features. Granted its more expensive that Drayteks etc. but you don’t get the security with Drayteks.