TIPS Best smb firewall/router?

edisoninfo

Guru
Joined
Nov 19, 2007
Messages
505
Reaction score
4
I know this is probably a loaded question, but it appears Cisco is moving out of the smb market and more into the mid-size and enterprise markets. What is a good router/firewall unit to use in the say $300 - $500 range? My immediate need is for around 60+ users and at least 2 IPSec vpn tunnels.

Random thoughts.....
Cisco is pushing the ASA5505 but that ends up being pricey when you add in the user counts. I prefer to stay away from the residential end of the spectrum such as Netgear or Belkin or whatever.

I know pfSense is very popular but I don't have time to build one of those and I need IPSec vpn tunnels.

Some are pushing Sonicwall, now owned by Dell, but I have read on here that they do not play well with SIP trunks.

How about Fortigate from Fortinet?
 

atsak

Guru
Joined
Sep 7, 2009
Messages
2,384
Reaction score
438
Fortigate is good and cheap in the limited feedback I've received from a couple clients, but I have never used them with SIP. I use Juniper SSG 5's and 20's (and 140 and 550M's when needed). They are so far perfect but a bit tricky to set up if you have a dynamic IP. If you are using static it's rock solid as they say around here. I have about 20 SSG 5's out there which never need a "reboot" to fix things and are passing SIP traffic all day long. Juniper JTAC is as good as Cisco, though the language barrier can be a bit higher as most of the techs are very, very offshore.

Sonicwall have had trouble with SIP trunks but hbonath on this forum says he has them working well. I had the most problems with the low end devices over the years. I did actually have one of their higher end ones working fine at one point.
 

islandtech

Wassamassaw
Joined
Jan 11, 2009
Messages
679
Reaction score
137
Ubiquiti Edgerouter Lite - 3 gigabit ethernet ports (configurable). I'm using it for a medical practice with 1 WAN, 1 Data LAN, 1 PBX LAN.
The data LAN has a site to site IPSEC VPN. The PBX LAN has 2 remote yealink phones at separate locations using openvpn.
Remote access to both LANs through l2tp/ipsec. Only in service for 2 months with no issues.
 
Joined
Mar 25, 2009
Messages
105
Reaction score
2
pfsense, I use it all of the time. I have multiple clients with multiple IPSec tunnels at each location, all with IAX trunks over the VPN to dial their PIAF boxes by extension. pfsense has a very easy learning curve.
 

edisoninfo

Guru
Joined
Nov 19, 2007
Messages
505
Reaction score
4
OK. I'm going to give pfsense a try. I just ordered the unit suggested by phonebuff. My only concern is the throughput on the Netgates seems pretty low. Only 19mbs for the ipsec tunnels? I realize most of the cable services are 30x1 or 15x756k or something so I guess that might not matter? Comparing to the ASA5505 which lists something like 100mbs or whatever.

This particular install is a medical practice with a remote office. There are 5 computers there that all RDP into the main office all day. Does this Netgate have the guts to handle that?
 

atsak

Guru
Joined
Sep 7, 2009
Messages
2,384
Reaction score
438
RDP uses very little bandwidth. I don't think you need to be concerned.
 

jehowe

Guru
Joined
Nov 14, 2007
Messages
288
Reaction score
4
I've centered on Mikrotik lately and have been very happy. Learning curve for sure and not perfect, but its feature set is outstanding and offers really fine grain QoS and packet control which has proven to work very well managing voice on a data network.

For SMB's I haven't found anything that works better or is more convenient in a package this small- http://routerboard.com/RB2011UAS-2HnD-IN
 

rjaiswal

Active Member
Joined
May 24, 2013
Messages
438
Reaction score
58
I have installed 2 edge router lite routers. One at my house, and one at client. Both have been up for 3 months. No hiccups.

Mine, at home, has openvpn on it, and is currently hosting a couple of yealink remote phones connected via openvpn. I also have another openvpn instance configured for just username and password auth.

Great little router. Very happy with it. And for the price, can't be beat.
 

drmurdoch

Member
Joined
May 26, 2008
Messages
576
Reaction score
11
I'm looking for a Router/Firewall for my small office.
We have 7 wired and 5 wireless desktops.
And 6 Cellphones / Tablets using Wifi.

I'd like something that is good for VOIP (That being said we use MABELL lines).
My server doesn't have a rack, so it doesn't have to be
Believe it or not, I'm using a Linksys WRT54G ... but it's dying and needs to be unplugged frequently now :(
 

rossiv

Guru
Joined
Oct 26, 2008
Messages
2,624
Reaction score
139
I personally like the Ubiquiti EdgeRouter Lite + Unifi access points combo. I use the ERL as my primary router and it can push 1GB/s without even thinking about it. Also use the Unifi access points with the controller software. LOVE them. I don't have any of the Pro models, just one standard Unifi AP and a Unifi Dual-Band Outdoor AP.
Also using the ERL just fine with a few SIP phones behind it to a PIAF instance in the cloud.
 

BeerCan

Guru
Joined
Nov 25, 2008
Messages
175
Reaction score
30
I think that Alix board is a little too weak for crypto stuff (ipsec vpn etc). I would use it for soho or home use but keep it under 5 users but that's IMO.
I do a bit of openvpn stuff on my sites so I like a little more beef. The supermicro like this would be better http://www.amazon.com/Supermicro-Su...qid=undefined&sr=8-1&keywords=supermicro+atom
The new Atoms are really beefy and have aes-ni support in the cpu http://www.amazon.com/Supermicro-Ra...id=1409409908&sr=8-3&keywords=supermicro+atom
 

paulnye

Guru
Joined
Apr 17, 2011
Messages
208
Reaction score
2
I have been using the crazy inexpensive tplink dual wan routers on my PBXs for a couple of years now. Never had to reboot, never had SIP issues, very easy to work with and didn't want to use a whole computer to run pfsense.
 

MacNix

Guru
Joined
Jun 21, 2011
Messages
198
Reaction score
31
If you can get away from IPSec and look at OpenVPN, you might try Untangle.. (You can also do IPSec on Untangle but it's an add-on feature, whereas OpenVPN is free)...

Personally, I've been using Untangle's free stuff on low-end atom boxes for a few years... Have put them on lower end Pentiums without issue, and up to new stuff this year.. Total hardware cost is about $150-175, plus about 45-90 min of install & setup (including creating credentials and VPN client keys).

OpenVPN, numerous add-ons available (at a price), pretty good community support (in my opinion, far faster response, and usually more helpful/in-depth than support on this site - and I say that with respect and thankfulness for the support found here - just comparing).... Most importantly.. well......it just works.

We have them on 2 continents currently, and have had little/no issues with them, aside from the occasional lightning blowout or other user-induced calamity. They have had a great backup/restore utility, so swap out is faster than even a cisco router (and at 1/8 the price!)... I've never yet had one do an OS 'crash' or require a reinstallation, which is not something I can say of Cisco..

Go to Newegg, buy the lowest end box that'll take a second NIC (you'll want 1 or 2 extra NICs), give it a couple GB of RAM, slap the smallest SSD you can find (or boot it off a USB stick), go here and download the ISO and you're off to the races.. If you're in over $200, you've overspent... They have upgrades you can buy as well to do branding, restrictive access & bandwidth control, etc.

Oh, and they are GREAT with SIP. There's a couple tweaks in the Config>Networks>Bypass area, which allow you to fully pass SIP info quickly... As long as your router can get a static IP to the world, you'll have little/no issue getting SIP happy on the inside. The only issues I've experienced with them is when I can't get static IP on the outside AND I can't get the "outside world" router to pass SIP traffic or NAT properly... other than that, it's pretty painless..

Speed issues? none that I know of. I've got cable feed in one location where I did a test yesterday - had a 38ms latency to my SIP server site (rentpbx) from a client box inside the network. That site runs 3-5 sip calls concurrently ALL DAY LONG, in addition to large packet data drops - have never had quality issues other than what we've attributed to TimeWarner's pathetic data service (they refuse to set their cable amps to auto-adjust, so the signal quality fluctuates with the weather - and no, I'm not exaggerating)..
 
