[geeks] Router / Firewall / Endpoint Thoughts & Ideas
Clem Cole
clemc at ccc.com
Wed Aug 18 09:05:58 CDT 2021
dyslexia-R-me
s/ less / more / -- sigh
On Wed, Aug 18, 2021 at 10:02 AM Clem Cole <clemc at ccc.com> wrote:
>
>
> On Wed, Aug 18, 2021 at 6:39 AM Mark Benson <md.benson at gmail.com> wrote:
>
>> Anyone recommend a robust SMB-class router with a comprehensive Firewall,
>> the
>> chops to handle our needs for 3-way WAN routing, (VoIP, Internet, and SaaS
>> provider site-to-site VPN - I know - itb s a shit-show), VPN (Dial-In and
>> Site-to-Site), onto 2 subnets internally (one for VoIP and one for general
>> traffic) and all the usual features. Bonus points if it is available with
>> a
>> VSDL/Annex A modem.
>>
>
> YMMV ....
>
> I would not try to find a single device. I have found that separates and
> even things like OpenWRT/DD-WRT just could not hack it for my needs. I
> researched this about a year ago (start of CV-19 lockdown). WiFi dead
> spots were a big issue for me [MESH just does not work IMO]. Hence I
> ended using Ubiquiti Network gear to do something similar to you and
> have and am extremely happy [they call their scheme 'Unify']. I have a
> friend in the computer security community that turned me on to this stuff.
> In fact, I have put an almost identical setup into my Church earlier this
> summer, and a good friend of mine who is a CS College prof, I just helped
> to get it set up in his new place in Sweden. As he said, last night
> [comment on the controller SW] this is really pretty slick.
>
> Simply, I would put a secure GW between you and the Internet and then
> split the other functions up from there. I have used Cisco 48 port 1G POE
> switch downstream that I picked up for about $150. I use a USG-3P which
> supports 1 or 2 WAN and either 1 or 2 LANs as the gateway. While the GW
> will work without the controller, a key reason to go with this system is
> their controller SW. I know one guy that just runs his GW using the
> Cisco-like commands. But it is a PITA to configure and its clear, the
> Ubiquiti is steering people away from that.
>
> You can download and run the controller SW for free (it's a Java
> application that runs as a Web Server) and executing it on a PC or a RPi if
> you want. Either way you will communicate with Chrome or the like. I
> started that way [running the controller SW on a RPi] but the guy that
> recommended the system to me, mentioned the Key just was a bit more
seamless
> and better integrated. So I ended up spending the extra $100 and getting
> one [the Cloud key is a custom Linux box with an LCD screen that have that
> hosts their SW -- either way ]. I have to agree it just works.
>
> FWIW: I have a number of VLANs defined and then use the Cisco to control
> what traffic goes were. I also have 4 APs [3 UAP-AC-Pros in the building
> and external UAP-AC-M-Pro] and one of their 8 port switches with 4 ports of
> POE [US-8-60W] -- this you probably can do without if you have another POE
> system [I bought it before I got the used Cisco].
>
> In my case, I did all that because I tried to run the Ubiquti network in
> parallel to my previous system which used DD-WRT and OpenWRT on different
> routers and two different attempts at MESH hardware [which just really
> never worked]
>
> Besides, the ease of operation of this new system; one of the issues with
> the OpenWRT/DD-WRT was keeping firmware updated. So one of the other
> things I love about the 'Unify' scheme is that the Key is constantly
> monitoring everything and lets me know. In fact you can set it up
> automatically update the FW on the devices for you. From a security
> standpoint,m this is great, as I really don't have the time to be an IT guy
> and am too small to be able to hire someone.
>
> FWIW: we use OpenVPN into the site and use some other remote services. We
> have NFS and SMB on an internal NAS, but have never tried to export it. So
> you should investigate that before you jump in. I suspect others have
> tried and their community forum seem to be helpful.
>
> Oh yeah, I have a 1G fiber [FiOS] connection and I have been pleased that
> I can get full speed out of it. My CS Prof friend was amazed when he ran a
> test and saw the same thing, which he had never seen before. My piecemeal
> system was never that good. The best I got with it was about 750M. To be
> fair, the Ubiquiti gear is newer than the older system, so I'm sure the
> processors inside of the GW are much better than the processor in the older
> DD-WRT box.
>
> Hope this is helpful, and good luck.
> a�'
>
a�'
More information about the geeks
mailing list