[SOLVED] Need a recommendation: business router

DocGreen

Can anyone recommend a small-business level router that can handle site-to-site VPN well? WIFI is preferable, but not necessary.

Client is a car dealer with multiple lots. I would like to have site-to-site VPNs from the remote lots back to the main office for access to the domain controller (for user authentication) and for access to the app server. Can anyone recommend a router that would handle this well without being too expensive? (They'll need 3 of them, after all)

Also, while we're here and since I've never set anyone up like this before... with a site-to-site VPN like this, computers at site B will be able to connect to the DC at site A and join the domain, correct?
 
We use PFSense on Netgates (rock solid), we also use (for out of the box simple ones) the Linksys LRT224 models do fine.
I use Untangle a lot and it does very well with VPN tunnels.

Yes computers at the remote sites will be able to sign into the domain...as long as you set things up correctly.
Example...

HQ. 192.168.10.0/24
DC at 192.168.10.10

Branch A 192.168.11.0/24
DHCP set to give 192.168.10.10 as the primary DNS

Branch B 192.168.12.0/24
DHCP set to give 192.168.10.10 as the primary DNS
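As an added illustration of the addressing plan above (not from the post or any of the products mentioned), this script checks the three LANs for the classic site-to-site mistake of overlapping subnets, confirms the DC handed out as DNS actually sits in the HQ LAN the tunnel carries, and lists the local/remote subnet pair each branch tunnel needs. The site names, ranges and DC address are the ones in the post; the hub-and-spoke layout is an assumption.

```python
import ipaddress

# Addressing taken from the post: HQ holds the DC, each branch's DHCP scope
# hands out the DC as primary DNS and reaches it over the tunnel.
SITES = {
    "HQ": "192.168.10.0/24",
    "Branch A": "192.168.11.0/24",
    "Branch B": "192.168.12.0/24",
}
DC = "192.168.10.10"
HUB = "HQ"  # assumption: hub-and-spoke, branches only talk to HQ


def _nets(sites):
    return {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}


def overlapping_sites(sites):
    """Pairs of sites whose LANs overlap. Overlap breaks the tunnel: hosts
    treat the remote range as local and never send it to the router."""
    nets = _nets(sites)
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def dns_reachable(sites, dc, hub):
    """Branch DHCP may hand out the DC as DNS only if the DC is inside the
    hub LAN that the tunnel's phase 2 carries."""
    return ipaddress.ip_address(dc) in _nets(sites)[hub]


def phase2_pairs(sites, hub):
    """(branch LAN, hub LAN) pair each branch tunnel must carry."""
    return {name: (cidr, sites[hub]) for name, cidr in sites.items()
            if name != hub}


def plan(sites=SITES, dc=DC, hub=HUB):
    """Return detected problems plus the tunnel subnet pairs to configure."""
    problems = [f"overlap: {a} / {b}" for a, b in overlapping_sites(sites)]
    if not dns_reachable(sites, dc, hub):
        problems.append(f"DC {dc} not inside {hub} LAN {sites[hub]}")
    return {"problems": problems, "tunnels": phase2_pairs(sites, hub)}


if __name__ == "__main__":
    print(plan())
    # Constructed mistake: a new lot reuses the HQ range.
    print(plan(dict(SITES, **{"Branch C": "192.168.10.0/24"}))["problems"])
```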
 
Would need more info on number of users, type of network use, etc to suggest exact products. However, I normally recommend Mikrotik routers for this type of application. Hard to beat for the price and very fast/reliable. I also never recommend putting wireless on the edge router. Using actual APs for wifi access is almost always best.

Yes as stonecat mentioned if setup correctly the other offices could be made to seem as if they are sitting in the same building as the DC.
 
I also never recommend putting wireless on the edge router.

Totally agree. For a number of different reasons.
*Better performance...separates the wireless processing. Many wireless routers share the CPU..routing, wireless, perhaps add VPN. I want that CPU left focusing on just routing, and VPN. Or...some better VPN routers have a separate CPU to process the VPN.
 
The Mikrotik routers seem to do a decent job, though I haven't tested hard on throughput over VPNs. With an SSTP client VPN I've had some complaints from users that it was much slower than IPSEC (with ShrewSoft) to their old RV042, but for site-to-site you're likely to be using IPSEC anyways.

It's hard to beat the flexibility they give you as well - we just set up two offices each with dual Internet (Comcast & AT&T DSL/Uverse) plus a dedicated (Comcast Metro Ethernet) link between them, plus VLAN in the smaller office for the VOIP phones. There's still some work to do there to see about making failover automatic (right now it's "If Comcast goes down, disconnect the yellow cord") but that's something for downtime.

The drawback of the Mikrotiks is that they're complex. They do amazing things, but sometimes they do them by making changes here, here, there, over there and also down in that area down there. They're also not UTM devices - no web filtering, spam filtering, virus monitoring, etc.

But the price on the hardware is sure right.
 
Thanks for the input guys!

@Nerm the client has 3 PCs, 3 printers, and 1 server at the main office, and 2 PCs, 1 printer at each of the branches.

@YeOldeStonecat, thanks for the subnetting primer! :D
At this point I'm leaning towards a LRT214 and Ubiquiti AP at each location.
 
Tossing in another piece of advice. If you have not already done this, make sure to discuss the situation with the app vendor. Talk to their tech support people, not sales.
 
The Mikrotik routers seem to do a decent job, though I haven't tested hard on throughput over VPNs. With an SSTP client VPN I've had some complaints from users that it was much slower than IPSEC (with ShrewSoft) to their old RV042, but for site-to-site you're likely to be using IPSEC anyways.

It's hard to beat the flexibility they give you as well - we just set up two offices each with dual Internet (Comcast & AT&T DSL/Uverse) plus a dedicated (Comcast Metro Ethernet) link between them, plus VLAN in the smaller office for the VOIP phones. There's still some work to do there to see about making failover automatic (right now it's "If Comcast goes down, disconnect the yellow cord") but that's something for downtime.

The drawback of the Mikrotiks is that they're complex. They do amazing things, but sometimes they do them by making changes here, here, there, over there and also down in that area down there. They're also not UTM devices - no web filtering, spam filtering, virus monitoring, etc.

But the price on the hardware is sure right.

Dynamic link failover is actually quite easy on Mikrotiks.

Thanks for the input guys!
@Nerm the client has 3 PCs, 3 printers, and 1 server at the main office, and 2 PCs, 1 printer at each of the branches

Something like a $50 RB750GL would be able to handle that without even breaking a sweat.

EDIT: markverhyden made a good point. You want to make sure the WAN links this VPN is going across will be adequate for their needs.
 
Tossing in another piece of advice. If you have not already done this, make sure to discuss the situation with the app vendor. Talk to their tech support people, not sales.

That was the first thing I did. Their software works best hosted on an app server and served via RDP over VPN.
 
Dynamic link failover is actually quite easy on Mikrotiks.

I was pretty sure it was, one of the guys I work with actually went through one of the 4-5 day courses on RouterOS. I just haven't set up the scripts, etc. for it yet, and I need to determine where the endpoint should be for monitoring the connections. The recent downtime they had was because "Oh, I cancelled that service" for the new 5 static IPs Comcast line that was linked to the Metro Ethernet account rather than cancelling the older dynamic service.

Fortunately I was remote so there was no chance of actually smacking someone upside the head.
 
Update: I went with a couple Linksys LRT214's, and after an ordeal with Comcast, was able to get the VPN working flawlessly. I'd definitely recommend these routers for similar applications. Thanks to everyone for the tips!
 
Let me guess, their stupid gateway devices that don't have a real bridge mode were the problem, right?
They do have real bridge mode... Comcast just doesn't like using it because they lose their ability to remote admin the device. Their "half-bridge" worked fine once they actually got it set right... first guy I got was a complete idiot and did something so wrong that it took 18 hours for them to fix.
 
They do have real bridge mode... Comcast just doesn't like using it because they lose their ability to remote admin the device. Their "half-bridge" worked fine once they actually got it set right... first guy I got was a complete idiot and did something so wrong that it took 18 hours for them to fix.

They are horrible with this stuff. Sometimes I'll have to call back several times or request an escalation to get someone that knows what they are doing.
 
They do have real bridge mode... Comcast just doesn't like using it because they lose their ability to remote admin the device. Their "half-bridge" worked fine once they actually got it set right... first guy I got was a complete idiot and did something so wrong that it took 18 hours for them to fix.
Typical!
 
What model Comcast gateway? The ones they use in my area, I always setup the "public IP passthrough" mode myself to put on the WAN interface of my firewall. Never have to involve Comcast support for that.
 
What model Comcast gateway? The ones they use in my area, I always setup the "public IP passthrough" mode myself to put on the WAN interface of my firewall. Never have to involve Comcast support for that.

I don't have the info in front of me, but they're SMC networks (or something) 4-port gateways. Their GUI didn't have the option to set the bridge mode myself.
 
I don't have the info in front of me, but they're SMC networks (or something) 4-port gateways. Their GUI didn't have the option to set the bridge mode myself.

It's not called bridged mode....they used to be SMC here...most of mine are, but recently they started using Netgear gateways but the web admin looks the same.

You log in, 10.1.10.1,
cusadmin
highspeed

Click on the Firewall button on the left...
Click on Firewall Options tab towards the right...
Put a check in the box for "Disable Firewall for True Static IP Subnet Only"
And there's usually already a check in "Disable gateway smart packet inspection"...but if not...I put one there. Not related to the public IPs..it's just a filtering service that causes more problems than it prevents.
Click Apply button...done!

Now, go to "whatismyip.com"....jot down the IP it tells you you have. That should be the first IP address in the block of statics they gave you. Let's say that is 74.75.84.85. You can also confirm this by going to the gateway's "status" section and looking at the WAN Internet IP Address. (which will be different from the WAN DHCP IP Address...that is the service address Comcast support uses).
You take the second IP of that block (or whatever order you want..the whole block is yours..you have something like 74.75.84.85-90)...and that is your router's primary public IP. So for your router, you'd assign the WAN port an IP such as 74.75.84.86...and you would make the gateway 74.75.84.85. The IP that the gateway has...will be the default/remote gateway that you use on your router's WAN connection.
And take the next IP..74.75.85.87, and if you use that..the gateway is still 74.75.84.85. So on and so forth for the whole block.

Leave DHCP on, on the gateway. You can still use things plugged into it...VPN server, or phone system, or whatever...I often put Guest wireless networks directly onto the gateway, so they're on the 10.1.10.xxx range. And my own router does NAT and the main network is 10.0.0.x or 192.168.xxx.xxx.
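An added helper for the static-block walkthrough above (my example, not from the post or Comcast): it expands a block written the way the post writes it ("74.75.84.85-90"), derives the gateway/router-WAN assignment the post describes, and validates a hand-typed WAN address against the block, so an address that drifts outside the allocation or collides with the gateway is caught before the tunnel fails to come up. The block spec and addresses are the post's; the "first address is the gateway" rule is the one the post states.

```python
import ipaddress

# Block as written in the post: first address is the gateway, rest are yours.
BLOCK = "74.75.84.85-90"


def expand_block(spec):
    """'74.75.84.85-90' -> [74.75.84.85, ..., 74.75.84.90] (same /24 only)."""
    base, last = spec.rsplit("-", 1)
    first = ipaddress.ip_address(base)
    count = int(last) - int(base.rsplit(".", 1)[1])
    if count < 0:
        raise ValueError(f"bad block spec {spec!r}")
    return [first + i for i in range(count + 1)]


def assignments(spec):
    """Gateway takes the first address, the router WAN the second, the
    remainder stay spare for other hosts hung off the gateway."""
    addrs = expand_block(spec)
    return {
        "gateway": str(addrs[0]),
        "router_wan": str(addrs[1]),
        "spare": [str(a) for a in addrs[2:]],
    }


def check_wan(spec, wan_ip, gateway):
    """Validate a proposed router WAN address/gateway against the block.
    Returns a list of problems; an empty list means the pair is consistent."""
    addrs = expand_block(spec)
    ip, gw = ipaddress.ip_address(wan_ip), ipaddress.ip_address(gateway)
    problems = []
    if ip not in addrs:
        problems.append(f"{ip} is outside block {spec}")
    if ip == gw:
        problems.append(f"{ip} collides with the gateway address")
    if gw != addrs[0]:
        problems.append(f"gateway {gw} is not the first address {addrs[0]}")
    return problems


if __name__ == "__main__":
    print(assignments(BLOCK))
    # Constructed typo: one octet off, lands outside the allocation.
    print(check_wan(BLOCK, "74.75.85.87", "74.75.84.85"))
```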
 