[geeks] Router / Firewall / Endpoint Thoughts & Ideas

Clem Cole clemc at ccc.com
Wed Aug 18 09:02:21 CDT 2021


On Wed, Aug 18, 2021 at 6:39 AM Mark Benson <md.benson at gmail.com> wrote:

> Anyone recommend a robust SMB-class router with a comprehensive Firewall,
> the
> chops to handle our needs for 3-way WAN routing, (VoIP, Internet, and SaaS
> provider site-to-site VPN - I know - it's a shit-show), VPN (Dial-In and
> Site-to-Site), onto 2 subnets internally (one for VoIP and one for general
> traffic) and all the usual features. Bonus points if it is available with a
> VDSL/Annex A modem.
>

YMMV ....

I would not try to find a single device.   I have found that separates and
even things like OpenWRT/DD-WRT just could not hack it for my needs.   I
researched this about a year ago (start of CV-19 lockdown).  WiFi dead
spots were a big issue for me [MESH just does not work IMO].   Hence I
ended up using Ubiquiti Networks gear to do something similar to you and
am extremely happy [they call their scheme 'UniFi'].   I have a
friend in the computer security community who turned me on to this stuff.
In fact, I put an almost identical setup into my Church earlier this
summer, and I just helped a good friend of mine, a CS college prof, get it
set up in his new place in Sweden.  As he said last night [commenting on
the controller SW], this is really pretty slick.

Simply, I would put a secure GW between you and the Internet and then split
the other functions up from there.   I use a Cisco 48-port 1G PoE
switch downstream that I picked up for about $150.   I use a USG-3P, which
supports 1 or 2 WANs and either 1 or 2 LANs, as the gateway.  While the GW
will work without the controller, a key reason to go with this system is
their controller SW.  I know one guy who just runs his GW using the
Cisco-like commands.   But it is a PITA to configure, and it's clear that
Ubiquiti is steering people away from that.

You can download and run the controller SW for free (it's a Java
application that runs as a Web Server) and execute it on a PC or an RPi if
you want.  Either way, you communicate with it through Chrome or the like.   I
started that way [running the controller SW on an RPi], but the guy who
recommended the system to me mentioned the Key was just a bit less
seamless and better integrated.  So I ended up spending the extra $100 and
getting one [the Cloud Key is a custom Linux box with an LCD screen that
hosts their SW].  I have to agree it just works.

FWIW: I have a number of VLANs defined and then use the Cisco to control
what traffic goes where.   I also have 4 APs [3 UAP-AC-Pros in the building
and an external UAP-AC-M-Pro] and one of their 8-port switches with 4 ports of
PoE [US-8-60W]  -- this you can probably do without if you have another PoE
system [I bought it before I got the used Cisco].

In my case, I did all that because I tried to run the Ubiquiti network in
parallel to my previous system, which used DD-WRT and OpenWRT on different
routers and two different attempts at MESH hardware [which just really
never worked].

Besides the ease of operation of this new system, one of the issues with
OpenWRT/DD-WRT was keeping firmware updated.  So one of the other
things I love about the 'UniFi' scheme is that the Key is constantly
monitoring everything and lets me know.  In fact, you can set it up to
automatically update the FW on the devices for you.   From a security
standpoint, this is great, as I really don't have the time to be an IT guy
and am too small to be able to hire someone.

FWIW: we use OpenVPN into the site and use some other remote services.  We
have NFS and SMB on an internal NAS, but have never tried to export it.  So
you should investigate that before you jump in.  I suspect others have
tried, and their community forum seems to be helpful.

Oh yeah, I have a 1G fiber [FiOS] connection and I have been pleased that I
can get full speed out of it.  My CS Prof friend was amazed when he ran a
test and saw the same thing, which he had never seen before.  My piecemeal
system was never that good.  The best I got with it was about 750M.  To be
fair, the Ubiquiti gear is newer than the older system, so I'm sure the
processors inside of the GW are much better than the processor in the older
DD-WRT box.

Hope this is helpful, and good luck.
