Looking for Recommendations for 4 port, Gigabit Router with IPSEC VPN

[xendrome]

Hey Guys,

 

Having a problem finding a router with the following specs, int his price range.

 

Gigabit LAN/WAN ports - throughput for LAN to WAN to support 200Mbit.

IPSEC/IKE VPN capable 

Only need 4 ports, just uplinking to a Adtran 24port POE Gigabit L3 switch

Price max $150, and prefer something Amazon Prime.

 

Any suggestions? The ones I am finding all seem to have pretty bad reviews.

[sc302 Veteran]

try these:

 

https://www.amazon.com/Cisco-Systems-Gigabit-Router-RV320K9NA/dp/B00DGH08OC/ref=sr_1_1?ie=UTF8&qid=1473179540&sr=8-1&keywords=rv-320

https://www.amazon.com/Cisco-Dual-Gigabit-Router-RV042G-NA/dp/B008CWW6VY/ref=sr_1_2?ie=UTF8&qid=1473179612&sr=8-2&keywords=rv042

 

 

 

this is a bit more expensive but:

https://www.pfsense.org/products/

 

 

[xendrome]

1 minute ago, sc302 said:

try these:

 

https://www.amazon.com/Cisco-Systems-Gigabit-Router-RV320K9NA/dp/B00DGH08OC/ref=sr_1_1?ie=UTF8&qid=1473179540&sr=8-1&keywords=rv-320

https://www.amazon.com/Cisco-Dual-Gigabit-Router-RV042G-NA/dp/B008CWW6VY/ref=sr_1_2?ie=UTF8&qid=1473179612&sr=8-2&keywords=rv042

 

 

 

this is a bit more expensive but:

https://www.pfsense.org/products/

 

 

Yeah I was looking at those, but a bunch of reviews say the VPN is unstable. This one https://amzn.com/B008021NSI says it has 750Mbit Throughput for the Firewall and 50Mbit on the VPN, might try it. Any other ideas?

[+BudMan MVC]

VPN unstable how so?  I am on the pfsense forums like every single day, I have seen no such complaints..

 

If your looking for a low budget router.. How about the unifi edge router lite, or even the edgerouter -x which can get for like $49.. Pretty sure it should be able to do 200mbps without any issues.  Since they state 1mps even for the -x, the lite goes for like $99

 

I don't personally use ipsec vpn, but can tell you the openvpn on pfsense is rock freaking solid.  On it every single day like all day from my work network to my home network.

[sc302 Veteran]

build a pfsense box.

 

buy a used cisco asa (5506-x...5516 if you want 200 or more throughput), sonicwall, or watchdog...if you want quality that won't drop.

 

 

 

[+BudMan MVC]

^ yeah there are lots of people putting pfsense on older firewall hardware they pick up on ebay for a song, etc.

[xendrome]

3 hours ago, BudMan said:

VPN unstable how so?  I am on the pfsense forums like every single day, I have seen no such complaints..

 

If your looking for a low budget router.. How about the unifi edge router lite, or even the edgerouter -x which can get for like $49.. Pretty sure it should be able to do 200mbps without any issues.  Since they state 1mps even for the -x, the lite goes for like $99

 

I don't personally use ipsec vpn, but can tell you the openvpn on pfsense is rock freaking solid.  On it every single day like all day from my work network to my home network.

VPN unstable on those Cisco boxes above.

 

I'd like to stick with a regular over the counter box that requires about 3 minutes of config to setup and I'll keep a couple of spare on-site to drop in if one goes down. I will be using these at 3 different sites. I'm using ipsec because the other end-point is a Sonicwall TZ-600 and they are IPSEC site-to-site VPNs.

 

Will take a look at the unifi edge router lite, or even the edgerouter -x, what are the lan to wan throughputs on those?

[sc302 Veteran]

Do yourself a really big favor, stick with the same brand equipment.  Mixing brands often leads to frustration when it comes to vpn, esp when it comes to cisco and someone else.  If you have sonicwall on one end already, you should be looking at a sonicwall on the other side.  Support will be easier if you ever have to call, one can't point to the other if there is a failure in the chain.

[xendrome]

12 minutes ago, sc302 said:

Do yourself a really big favor, stick with the same brand equipment.  Mixing brands often leads to frustration when it comes to vpn, esp when it comes to cisco and someone else.  If you have sonicwall on one end already, you should be looking at a sonicwall on the other side.  Support will be easier if you ever have to call, one can't point to the other if there is a failure in the chain.

I've actually had good luck with - https://amzn.com/B00DBX9HPC but the throughput on LAN-to-WAN is limited to about 140Mbit, confirmed this at two different sites and via online reviews. Might try that EdgeRouter Lite and maybe this one also. https://amzn.com/B008021NSI I just don't need all of the GAV, CFS, IPS, etc that the Sonicwall offers at those sites.

[+BudMan MVC]

While agree with sc302 on brand from a support model, they can not point fingers when its all them   And while you think that ipsec is standard and anyone that says they are ipsec should be able to connect to any other device that is ipsec, have seen issues with how 1 company implements vs another, etc.  So using same brand at both ends would/should make your life easier.

 

I would look to the little er-x its designed to be just that remote location router.  Shoot you can even power the thing via poe and passthru do say your AP.. Very small footprint with little power draw and decent basic router/firewall functionality.  Pretty sure it would exactly fit the bill to what your looking for at a great price point and ability to have a couple on hand for spares, etc.

[sc302 Veteran]

You may not need all of the bells and whistles, but paying for a solution that you know works is usually cheaper in the long run vs trying different solutions that are initially cheaper.  time is money after all.  So you put ~100 into a solution that doesn't work for your needs, now you are looking at putting in another 100-150 that may not match your needs or cause other issues.  I don't know, a $600 sonicwall is looking pretty good to me.

[+BudMan MVC]

^ you speak the truth

[Scott Hellewell]

I have had very good luck with Mikrotik devices.  Depending on your exact requirements, there is probably one in your price range. I haven't used the first two I am linking below, but have used several of their devices.

 

https://www.amazon.com/Mikrotik-Routerboard-RB2011UiAS-2HnD--Port-Ethernet/dp/B00BGIXOHQ/ref=sr_1_1?ie=UTF8&qid=1473193521&sr=8-1&keywords=mikrotik+router

 

https://www.amazon.com/Mikrotik-CRS125-24G-1S-2HnD--Gigabit-manageable-Wireless/dp/B00HX3KNWC/ref=sr_1_10?s=pc&ie=UTF8&qid=1473193707&sr=1-10&keywords=mikrotik

 

This is the device I currently utilize, but it is a bit out of your price range. It has worked extremely well along with others I have used from them in the past.

 

https://www.amazon.com/MikroTik-Cloud-Core-Router-1016-12S-1S/dp/B00KVFQCOC/ref=sr_1_1?ie=UTF8&qid=1473195045&sr=8-1&keywords=CCR1016-12S-1S%2B

 

 

 

[DaveLegg Developer]

I would second Mikrotik, and was about the post the same link as Scott did in his post above.

 

Great devices, really reliable, easy to configure, and can handle IPSec really well. We have the RB3011UiAS in each of our datacenter cabs for linking the private network between the servers back to the office network for management, and the performance is really great.

 

The RB2011UiAS is essentially the same device, but with 5 gig, and 5 100mb ports, in place of the 3011's 10 gig ports, but if you only need 4 gig ports, sounds like it would be perfect for you.

[+John Teacake MVC]

Dreytek? Not sure on prices though

 

 

[xendrome]

On 9/6/2016 at 0:40 PM, BudMan said:

VPN unstable how so?  I am on the pfsense forums like every single day, I have seen no such complaints..

 

If your looking for a low budget router.. How about the unifi edge router lite, or even the edgerouter -x which can get for like $49.. Pretty sure it should be able to do 200mbps without any issues.  Since they state 1mps even for the -x, the lite goes for like $99

 

I don't personally use ipsec vpn, but can tell you the openvpn on pfsense is rock freaking solid.  On it every single day like all day from my work network to my home network.

Looks like the EdgeRouter Lite is working great for this situation, I've put 3 at different locations since this original post and the site-to-site IPSEC VPN is working great and they are giving full speed on the WAN.

[+BudMan MVC]

nice and can not beat that price

[StrikedOut]

I have been really impressed with the Unifi hardware. At the moment we are only using the AP AC Pro but the flexibility, performance ease of set up and range is superb.

 

Need to install at a new site? discover, change IP and a couple of clicks later and its updated, configured and picking up users.

 

Big thanks for Budman and SC302 for that one!

[+BudMan MVC]

Oh they are not perfect that is for sure..  But for the price point it is pretty slick stuff.  They are currently doing some stuff not a fan of with the firmware updates.  Seems the controller phones home and checks if new version.  If you have this set to auto update you could find yourself in trouble.

 

I also can not see anywhere what version it will be upgraded too, they did add ability to force a check vs having to restart the controller.  But how about simple version when I rollover the upgrade button   And I do believe each AP goes out to the internet to grab that version.  Seems wasteful for bandwidth, and what if my AP don't have internet access?

 

When they rolled out the chat feature.. That really I didn't like.. When they first rolled it out there wasn't even a way to disable it, etc.

 

But then again I am running alpha so stuff like this sure going to happen, when you see it you can ask about it, make suggestions, etc.  And they do seem to take them to heart.  They allowed for disable of chat like in next release.  And the manual check for update, was added next release after people found out it phoning home with no real easy way to force it other than wait or restart the cntrl, etc..

 

And they can seem to stay with a version numbering/beta/alpha/naming - now it seems they are going to the debian method of stable/testing/unstable.

 

And the gui dashboard is not very useful if your not using all their stuff.  If you just have their AP then the dashboard is just a bunch of errors really and a green circle for how many AP you have if they are all connected

 

The camera's are next on my list, if they work as good as the AP I will be very happy..

[StrikedOut]

Here in the UK they are ~£200 inc VAT, just bought 6 of them and will be buying another when I get the keys to our new site. Aesthetically, they are far better than some box with antennae and I have told oneor two people that they also have cameras integrated, just to see if they would believe me (they did!).

 

I think with any GUI, choice is key, like you said, what if there was a known bug? Sure they would work to fix it ASAP but in the mean time.......

 

Not seen the chat, will take a look at that not, to use as we use Skype but its something I shouldn't have missed!!!

 

Fortunately, the only reason I use the GUI for is to rename the device once it has been adopted and then to make sure all are connected every now and then or if I hear of issues and that I do from the mobile.

 

Because of some of our contracts, I may suggest the cameras too.

[+BudMan MVC]

what version of the controller are you using the current alpha is 5.3.3  I can not remember if the chat was introduced in 5.2 or 5.3?

[Circaflex]

chat was introduced in the 4 series, I had the chat feature on 4.8.20. I really like the new dash on 5.2.7, I might check out some of the beta and alpha FW's. Budman, is there an easier way to upgrade the firmware when it comes out? Currently, I backup my settings, uninstall the controller software and install the newest version which updates the AP. EDIT: looks like they introduced check for firmware update in the newest release, nice!

[sc302 Veteran]

you can backup and install on top of.  Never had an issue installing on top of provided it is in the default location. If you change location it is a bear and you are better off uninstalling and reinstalling. 

[Circaflex]

51 minutes ago, sc302 said:

you can backup and install on top of.  Never had an issue installing on top of provided it is in the default location. If you change location it is a bear and you are better off uninstalling and reinstalling. 

Good to know, thanks.

[+BudMan MVC]

Yeah I just upgrade right over with dpkg -i, never an issue.  My controller is VM so just take a snapshot before I do the upgrade.  Let it run for a while if all looks good then I delete the snapshot.  This is the one of the best things about running such things in VM.  You can always rollback to before you do something as long as you just take a snapshot before.  Which only takes seconds to do.

 

I don't ever having to rollback, but its a nice safety net just incase.

 

As to firmwares themselves, they have taken to rolling them out without update of the controller sometimes.  I know they went to from 3.7.10 to like 14, then real quick to .15 and now on 3.7.17 and .17 came out before they released 5.3.3