4

I work at a small company that has two offices, each with its own Business DSL connection to the Internet. In order to create a LAN between the two offices, my predecessor purchased and installed two Linksys WRV54G Wireless VPN Broadband Routers to provide a hardware solution to make the computers at both locations see each other and think they are on the same LAN.

Despite keeping up with every firmware update, I still find myself driving to one office or the other (it's almost always the office I am not at) about once or twice a week to power-cycle its router to either get the wireless part working again for somebody's laptop, or to get the Internet gateway part working again. The VPN tunnel always seems to stay up, however.

I am looking to replace these WRV54Gs with something (perhaps multiple pieces of hardware) that can perform all the functions of the WRV54Gs, but that doesn't misbehave so much. It will be easy to just pick up a wireless access point off the shelf. It will be similarly easy to pick up a couple of 8-port switches off the shelf. The real trouble is that I can't seem to find any hardware to do the VPN part. I want this to be completely hands-off the workstations, so it has to be a hardware solution.

What type of router can I use to work as an Internet gateway for our Business DSL connections, as well as be the endpoint of a VPN tunnel that, for lack of better terms, fools Windows into thinking that the remote LAN is actually local?

eleven81
  • Do you have a budget limit? – Joseph Jun 24 '09 at 19:31
  • I'm not sure. I haven't even considered the cost yet. I just want to gain some direction. After I have all of the alternatives, I can then make my decision. Cost will be a factor, but only after functionality. – eleven81 Jun 24 '09 at 20:51

15 Answers

13

You could use pfSense; it has many features:

  • Firewall
  • Network Address Translation (NAT)
  • Redundancy
  • Load Balancing
  • Reporting and Monitoring
  • RRD Graphs

    The RRD graphs in pfSense maintain historical information on the following.

    • CPU utilization
    • Total throughput
    • Firewall states
    • Individual throughput for all interfaces
    • Packets per second rates for all interfaces
    • WAN interface gateway(s) ping response times
    • Traffic shaper queues on systems with traffic shaping enabled
  • VPN
    • IPsec
    • PPTP
    • OpenVPN
  • Dynamic DNS

    Through:

    • DynDNS
    • DHS
    • DyNS
    • easyDNS
    • No-IP
    • ODS.org
    • ZoneEdit
  • Captive Portal
  • DHCP Server and Relay

It has a nice, easy to use web-based configuration, just look at the screen-shots.

Best of all you can build it yourself with commodity hardware, and it's Open Source.

Brad Gilbert
  • 1
    I also recommend pfSense, so far the best firewall/router I have used on both small and medium businesses. Also easy to use and capable as mentioned above. – Luis Ventura Jun 25 '09 at 01:54
  • 2
    Pfsense rocks so much you can't even imagine how much until you test it :-) – Antoine Benkemoun Jun 25 '09 at 09:45
  • VPN was a confusing setup but I got it working at home on a low-powered AMD machine with 256 megs of RAM - it has never crashed or caused problems on its own. It's about 10,000 times better than my Linksys routers which crashed all the time. – reconbot Jun 25 '09 at 18:21
  • 1
    +1 for pfSense. Depending on the requirements I typically recommend either pfSense or IPCop. – KPWINC Jun 26 '09 at 01:38
  • Another +1 for pfSense. Unlike a lot of VPN devices, it lets you choose between multiple types of VPN technologies. – David Jun 28 '09 at 01:58
11

If you aren't ready to purchase business grade routers (I am guessing they might be too expensive based on the previous usage of the WRV54G), I'd recommend a router that runs dd-wrt.

http://www.newegg.com/Product/ProductList.aspx?Submit=ENE&DEPA=0&Order=BESTMATCH&Description=dd-wrt&x=0&y=0

dd-wrt is a custom firmware which supports a lot of great features including VPN. I use them at home with a Linksys WRT54GL which currently has an uptime of 60 days. dd-wrt uses OpenVPN which supports linking two offices. This solution is a little more manual and involved, but it is cheap and has been rock steady for me.

Bob
  • I've been using DD-WRT at home for a few years now, it's brilliant. – Mark Henderson Jun 26 '09 at 00:55
  • I use DD-WRT myself and haven't had any problems with it at all. I had more problems with my DSL line until I got them to replace my modem and Optical Network Card servicing my line. – Jeremy Bouse Jun 30 '09 at 12:46
5

I would highly recommend you utilize Sonicwall TZ210 appliances to replace your Linksys WRV54Gs. The Sonicwall TZ210 has built-in Wireless N and 7 Ethernet Interfaces, and can easily support the Site-to-Site VPN configuration required between your two locations. I have personally used these units as well as the older TZ170 & TZ180 appliances to execute your exact same requirements. The TZ210 also has the capability of handling Client VPN Termination for Work@Home users, Reporting on Bandwidth Abuse, and UTM (Unified Threat Management).

jeffp711
  • I would also recommend the Sonicwall. Rock solid and great set of features for the price. – Kevin Kuphal Jun 04 '09 at 18:02
  • 1
    +1 for Sonicwall. Excellent product. – Taras Chuhay Jun 25 '09 at 21:44
  • 1
    Only complaint I've had with Sonicwall is don't try to use the VPN for remote clients unless they run Windows. Mac and Linux are poorly supported if you even get someone to attempt to help you out. I ended up having to upgrade to a higher level firmware version at the suggestion that it would work better for Linux clients but it didn't so we dropped the Sonicwall completely. – Jeremy Bouse Jun 30 '09 at 12:45
  • We have many users on Mac that connect to our SonicWall VPN (4060 Pro). While Sonicwall does support a Windows client, our Mac users are very happy (happier than their Windows counterparts) with VPN Tracker by Equinox. – Joshua Hunter Aug 01 '09 at 12:50
2

If you are willing to shell out the cash, a lot of Cisco routers can do this with a site-to-site VPN IPSEC tunnel. I know my 2800s do.

Kyle Brandt
  • Better still get them second hand on eBay! – Jon Rhoades Jun 25 '09 at 12:29
  • Unfortunately Jon seems to be suggesting breaching the licensing terms of the IOS which runs upon them. Software licenses from Cisco are not legally transferable so you have to go through a relicensing process which often costs as much as buying the thing new :) Please also note you cannot get hardware/software support contracts on devices bought from the 'grey' market. – nixgeek Jun 28 '09 at 11:40
2

If you enable web access (on the router), maybe you could power-cycle by connecting via web browser.

Also, I believe you can install DDWRT on the WRV54G.

cop1152
2

There are several options with different capabilities.

(In order of my preference.)

  • Cisco 1800 router. This is all good, just a few things to set up and you are ready to go. It is stable, but not the cheapest. (You can buy more devices instead of one, as someone suggested earlier.)
  • Mikrotik. Not as good as the first one, but it is easy to set up and quite stable. It is cheaper than Cisco, a bit slower, and does not have as many features.
  • Linksys anything. I do not recommend this. It is a bit better if you can use some OpenSource firmware, but even then it sucks. Not reliable, unstable. Other vendors like D-Link, SMC .... are the same if not worse (they can be OK for home use, but as the load increases on the devices they will hang).
  • PC with some software. You can try this, but in this case you have to set up and maintain everything (all software); if you are not familiar with this then you should not try. You can try some appliance-like software, then it can be easier.
cstamas
  • I think the 1800 is huge overkill for this solution, though they will go forever. It sounds like the OP might need a pro to set this up... – andymoe Jun 30 '09 at 03:39
  • You are right, that's why I suggested Mikrotik, which is cheaper and I use it myself at some places. But having Cisco is a good win, if the OP has budget for it. – cstamas Jun 30 '09 at 14:39
2

I like the Secure Computing SnapGear 300/310s (now owned by McAfee) for this scale of point-to-point VPN. You can find them online for under $300 each. They will handle your VPN and firewall needs perfectly and are easy to configure with a nice web interface. They are Linux-based and you have access to the IP Tables if you really want.

Also, if you are looking for wireless access points to go with the firewall, I would check out the Netgear WG104 for about $130. You could always get a combo "ProSafe" brand device from Netgear that can do the VPN and wireless but I really like the SnapGear and separate WAP a lot better. We have a dozen or so setups out in the field.

I also like this setup way better than any firewall from the SonicWall TZ Series - less restrictive licensing, less costly and much more intuitive interface.

andymoe
1

Get some real security first off on your edge and have an inbound and outbound policy in place. For a small business with less than 10 hosts, a Cisco ASA 5505 or, for cheaper, something that's EOS and coming near to EOL but great: a Cisco Pix 501.

These devices can limit what is also going over your Lan2Lan VPN tunnels and also the internet when applying policies to the interfaces.

For excellent wireless reception and a dedicated device for that, a Cisco Aironet 1200 for indoor reception. You won't get anything better with a wireless AP/Root/Bridge than those Aironets. These APs also have features like SPF so wireless hosts can't talk to other wireless hosts. In addition, you can VLAN the wireless interface! Which means you can broadcast multiple SSIDs with different security settings and segment your networks just like a switch. A great device and not terribly expensive if you look.

A Cisco Router would not be feasible because you are not doing heavy routing. The firewalls can do all the work since they are robust enough.

Jason B Shrout
1

Maybe you can afford an SSG20 (or at least the SSG5 without wifi) from Juniper Networks with the Wireless option; Juniper makes very good and secure products with high perfs. This would certainly be my choice having in the past worked with Juniper Netscreen products and now with SSG series.

Maxwell
1

Maybe it's just that model of router that is the issue.

I use the Linksys RV042 routers. I can't remember the last time I had to power cycle them (6 months plus at least). I have 3 sites that connect back to a primary site all using RV042s.

The only time the VPN between the routers goes down is when one of the remote site's IP addresses changes. This is because the ISP for those sites does not offer static IPs for a decent price.

Part two of this is I have Logmein installed on all the computers on the remote sites. (There are desktops there.) So when the router's IP address changes at the remote site, the internet still works. This means Logmein can still connect and I can still login to a desktop at the remote site, remotely. I then from this desktop login to the router since the internal IP is still the same, and reset the VPN. This happens maybe 2x a year to me.

Also with using Logmein I can remotely work on anyone's computer as long as it's connected to the internet, even if it's not connected to the servers correctly or if the user is at home.

SpaceManSpiff
1

I agree that Sonicwall is a great solution, but you can still have a look at other options like Fortinet FortiGate 60B or Vyatta 514.

You may also find this question useful.

Taras Chuhay
1

I recommend the Snapgear SG300/SG310. They are a bit cheaper than the SonicWall units and they do IPSEC site to site very well. They also support PPTP VPNs so you don't have to install anything special on client PCs that need to remote in (SonicWall requires you have the SonicWall VPN client). The SG310 has more memory than the SG300 so it can run the newer 4.0 software.

That being said, the SonicWall units are also very good, especially if you need an anti-virus solution. The enforce antivirus and gateway antivirus work very well and are much less of a pain than most other corporate antivirus software.

TonyB
0

As recommended, Sonicwall has some very nice appliances out there. But they tend to be on the high side of pricing.

But staying in the low end on the price range, Linksys makes some very nice business class devices. I've used the WRV200 in a few locations and it's worked flawlessly. I had one at my home for a while and I only ever needed to restart it once in 6 months for an ISP change.

This gives you your wireless, and also gives you VPN support and VLAN support. There is also a newer model that has gigabit support with wired connections.

Tim Meers
0

I have always found that the Netgear products seem to be more stable than the Linksys. They have a small business class that may be what you are looking for: Wireless VPN Firewalls

Joshua
0

I've used the NETGEAR WGR614L router with dd-wrt installed. Although I haven't used the VPN features of it, I've found it to be much more stable than any other router running the default firmware.

Jared