11

So let's say I have a network of less than 20 computers including a server that needs to be accessed externally. What router/firewall solutions would you recommend? It can be either hardware or software and would need to be able to do

  • NAT
  • Firewall
  • DMZ
  • Native VPN if possible
  • Some form of network bandwidth monitoring

Update: I've accepted the answer I liked but this question probably doesn't have a definitive answer, it would depend on your requirements. Please leave more suggestions with an explanation as to why it works well in your situation.

Peter Mortensen
Glenn Slaven

13 Answers

8

It sounds like a router/firewall Linux distribution would serve you just fine. http://en.wikipedia.org/wiki/List_of_Linux_router_or_firewall_distributions

Jordan S. Jones
8

We've been using pfSense running on WRAP/ALIX boards from pcengines for quite a while. I like the pcengines boards because they are small and low power, but you can use any old PC. Cheap, and it's been trouble-free.

John McC
  • I second this. I've been running pfSense/monowall for over 3 years and find them to be way better than most commercial or free offerings. Whereas m0n0wall is for embedded systems, pfSense is fully featured – jdiaz May 01 '09 at 04:07
7

I would highly recommend the Cisco 5505 ASA firewall. WebVPN, DMZ, POE port and it's even got Intrusion Prevention with an SSC card. The ASDM interface is super simple to set up. You no longer have to understand CLI completely to set up a Cisco product. A 50 user ASA from CDW is around $600.

I also believe that with the latest release of the ASA software, they will support NetFlow which will give you bandwidth stats.

GregD
4

I am a big fan of the Netgear ProSafe series.

These devices are so inexpensive that you can literally buy two and just keep one lying around just in case.

The VPN configuration is the easiest I've seen. I can ship out an FVS114 to a non-technical remote employee and they can be up and running with a hardware VPN in minutes.

If you have the money for it, a Cisco ASA is the way to go, but if you're on a budget, these little puppies do the trick.

Portman
3

If you don't want to spend much money, take a look at DD-WRT or OpenWRT. Both are Linux-based operating systems that, if installed on a commercial router, can make it perform like one worth ten times as much.

Both offer features or plugins that can do NAT, Firewall, DMZ, Native (open) VPN, Network Monitoring, and much more.

But they do not support all routers, so be sure to look at their list of supported devices along with the notes on how to install it on your device.

lanrat
2

Software-wise, a small Linux box with 3 network cards (internal, external, DMZ) is all you need. I'd recommend smoothwall if you don't have much experience with Linux.

If you want a hardware solution, then I'd recommend Linksys, which will be more than capable of 20-30 PCs (depending on your net connection you may need a separate modem). If you're moving into the 50+ range or need rock-solid stability, then a low-end Cisco router is your best bet. There are a number of entry-level units available for under $500.

saschabeaumont
  • Can the 3 cards be replaced with a single card and a small switch? – Joe Phillips May 01 '09 at 02:42
  • Well... you're playing with fire then. You want to isolate the networks, otherwise savvy or incompetent users could screw things up. Plus smoothwall is designed to work with three interfaces, you can't do any proper bandwidth monitoring otherwise. – saschabeaumont May 01 '09 at 02:51
  • If you want to use one card, you'd really want to run VLAN trunking on it. At which point you're using a managed switch, and it would have been cheaper and easier to just get three cards (or possibly even a dual- or quad-port card...) – derobert May 01 '09 at 03:38
  • @derobert good point, I didn't think about a managed switch. I still maintain it's cheaper/easier/safer to isolate the networks physically; VLAN trunking is overkill for 20 PCs ;) – saschabeaumont May 01 '09 at 04:47
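One way to wire up the three-interface design from this answer (and the comment thread's point that LAN and DMZ must stay isolated), as an added example that is not code from the answer or from smoothwall: interface names, addresses and the single published port are assumptions, and setting IPT=echo previews the rules instead of applying them.

```shell
#!/bin/sh
# Three-interface firewall skeleton: WAN (external), LAN (internal), DMZ.
# All names and addresses below are assumptions for illustration only.
WAN=eth0; LAN=eth1; DMZ=eth2
LAN_NET=192.168.1.0/24
DMZ_NET=192.168.2.0/24
DMZ_SERVER=192.168.2.10      # the server that must be reachable from outside
PUB_PORT=443                 # the only service published to the internet
IPT=${IPT:-iptables}         # IPT=echo ./fw.sh --apply prints rules, applies nothing

apply_rules() {
    # Default deny for traffic to the box and through the box; flush old rules.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -F
    $IPT -t nat -F
    # Loopback, plus replies to connections that were allowed when they started.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Manage the firewall itself only from the internal network.
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    # LAN may initiate to the internet and to the DMZ.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$DMZ" -s "$LAN_NET" -d "$DMZ_NET" -j ACCEPT
    # DMZ may fetch updates from the internet but may never initiate into the LAN:
    # a compromised public server stays confined to its own segment.
    $IPT -A FORWARD -i "$DMZ" -o "$WAN" -s "$DMZ_NET" -j ACCEPT
    $IPT -A FORWARD -i "$DMZ" -o "$LAN" -j DROP
    # Publish exactly one port of the DMZ server; nothing else from WAN is forwarded.
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$PUB_PORT" \
        -j DNAT --to-destination "$DMZ_SERVER:$PUB_PORT"
    $IPT -A FORWARD -i "$WAN" -o "$DMZ" -d "$DMZ_SERVER" -p tcp --dport "$PUB_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
    # Hide both internal networks behind the WAN address.
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    # Rate-limited log of whatever reaches the default drop, for monitoring.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```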
1

The Cisco 871w is a phenomenal SOHO router that does everything you've required and more.

Jim March
1

Been running m0n0wall for over a year now and it has proven to be quite a good solution. Lightweight, live monitoring chart for bandwidth and QoS management, things which IPCop (which I was using previously) was missing.

sheepbrew
0

If you only need Ethernet interfaces on the router, a Snapgear firewall (I use the SG560) would do the job. I know it can do points 1-4 on your list.

If you put a DSL modem in bridged mode on the WAN side, it can also initiate PPPoE sessions.

At its core it is a Linux box with a nice web GUI. There is a telnet and SSH interface, but that is completely undocumented. One gotcha with the Snapgear is that all changes are live and automatically saved. So you can't use a "reboot in 10" like you can on a Cisco to get you out of trouble if you lock yourself out when working on the firewall rulesets.

Haakon
0

The Linux solutions mentioned here can certainly work fine if you are comfortable with them and with maintaining them. If you like out-of-the-box solutions that are fairly affordable, I would go with SonicWall. They are easy to manage, fairly cost-effective, and meet all of your needs. At about the same level is Zywall. It offers some more functionality, but the interface isn't as easy as SonicWall's. Support-wise I would say both companies are on the same level, about average. For Linux-based solutions, support can be had from numerous places. I would caution against the low-end (Linksys) side for business applications for the size of network you mention; in my experience their hardware is cheap, but you get what you pay for. Good luck!

John Virgolino
0

I've come to love Mikrotik routers for small-scale office work - they are basically an embedded Linux device with up to 9 network cards and the full power of iptables.

This is only a good choice if you are familiar with the basics of iptables; the GUI interface is a frontend to the Linux features instead of being something designed for ease of use over functionality.

DrStalker
0

Juniper Netscreen SSG5. Comes in wired and wireless flavours.

If you need ADSL, T1, E1 cards, the SSG20 has you covered. Also has a wireless option.

0

For hardware solutions I rely on Netopia. Their enterprise-class routers are highly configurable, and are almost as easy to manage as Linksys (albeit via Telnet) and yet powerful enough to offer site-to-site connectors, multiple public IPs, filter rules, etc.

They offer wired and wireless, with DSL modem and without. Check out the 3000 series...

Raintree