Author Topic: Need to replace Small Office VPN Firewall, recommendations for ease of use?


Jon_S (topic starter)

  • Contributor
  • Posts: 37
  • Country: gb
We have a Small Office security appliance that is now out of support (Zyxel USG60). This provided basic firewall features, IDS, 2 WAN connections, and an L2TP/IPSEC VPN for about 15 users (max simultaneous remote VPN users was usually 1).

The automatic failover for the two WANs always worked perfectly, but the VPN setup was a perpetual nightmare.

It eventually sort of worked, but frequently with an iOS or Android update the handshaking would need tweaking. Only limited selections of encryption/hashes were supported. The usual upshot was that some people's phones would work and some not, then a laptop wouldn't establish a tunnel, etc...

I'm familiar with enterprise Cisco kit from a previous job, and that was mostly reliable and easy to configure/troubleshoot from the console.

Cisco would be out of budget, but is there an option anyone would recommend that would support two WAN connections, basic firewall capabilities, and a VPN for iOS, Android, and Windows clients that won't cause me to lose hair?


 

Psi

  • Super Contributor
  • Posts: 10414
  • Country: nz
If I was going to try to set that up I would look into all the web GUI based Linux router/VPN options.
(Where you throw a custom Linux distro on some spare PC with two network cards and it acts as a router with a full web GUI to set things up.)

Like pfSense/Shorewall/Smoothwall etc..

But I've not looked into this stuff in 10 years so I'm probably not the one to listen to.

The key thing for you is finding something that supports all the oddball VPN standards that exist across iOS, Android, and Windows clients. Getting VPN to work with Windows tends to be easy, but getting the same VPN to work across a lot of different devices running different OSes can be quite annoying. Or it was when I last tried to do this.
« Last Edit: January 14, 2025, 10:13:53 am by Psi »
Greek letter 'Psi' (not Pounds per Square Inch)

Jon_S (topic starter)

  • Contributor
  • Posts: 37
  • Country: gb
Thank you very much for the comments. I have used IPCop and pfSense many years ago on my home network. I had discounted a DIY solution because of the lack of commercial support, but it looks like you can buy some devices with support now:

https://shop.netgate.com/collections/security-gateways/products/8200-max-pfsense
 

nfmax

  • Super Contributor
  • Posts: 1627
  • Country: gb
How about a FireBrick 2900? https://www.firebrick.co.uk/fb2900/

Does everything you mentioned and more, including a full firewall. Excellent support, can automatically update its firmware if you choose. It's what I use here, and I have recommended it to friends. Not cheap, but you get what you pay for.

Jon_S (topic starter)

  • Contributor
  • Posts: 37
  • Country: gb
How about a FireBrick 2900? https://www.firebrick.co.uk/fb2900/

Does everything you mentioned and more, including a full firewall. Excellent support, can automatically update its firmware if you choose. It's what I use here, and I have recommended it to friends. Not cheap, but you get what you pay for.

Looks like a very interesting device for a good price (and 5 year support!), and it would be nice to support a UK company. It doesn't look like they do CVSS scores for security-related updates; I have asked the auditors if another control is possible for that.