EEVblog Electronics Community Forum
Products => Computers => Networking & Wireless => Topic started by: nctnico on October 01, 2021, 07:42:11 pm
-
I inherited some more tasks and one of them is getting VPN links up & running. I hope to offload this task ASAP but for now :'(
Anyway, the system is setup using a central VPN server running OpenVPN. What I would like to know is what is the absolute simplest router to add client networks. Currently routers from Mikrotik are being used and while these look great, they have way too many settings and way too many ways to shoot yourself in the foot. For example: I examined one of the configured routers and it turns out that some ports allow to get onto the network at the side which connects to internet.
What I'm looking for is a router which has 1 'WAN' port and 1 (or more; if it has an internal switch) VPN client ports but all client ports must adhere to the same security settings so connecting something to the other ports makes no difference. Any suggestions?
-
In my opinion Mikrotik is simplest and cheapest equipment that isn't toy.
But my network knowledge is quite advanced so I understand it can be a bit much if you're not ready or interested to spend some time learning it to some level.
Mikrotik has Quick Set page in Winbox. There you can basically set up all of the stuff you need.
Start by reseting router to factory settings (if it is not a new one).
On that page you can set one port (by default Eth1) ot be wan port and it's ip config (for Internet).
Then you set local network subnet and if needed DHCP.
Enable NAT (now you have all internal traffic to WAN nated and firewalled)
And enable VPN acces.
That will enable basic username/password based VPN (for more advanced security you need to go deeper) and also give you DynamicDNS host name to connect to.
And that is it.
You can go now and take a look in details what it have set up and to get a feeling what is needed.
-
In my opinion Mikrotik is simplest and cheapest equipment that isn't toy.
(..)
1+ Mikrotik.
That is TRUE and being a customized Linux all networking goodies are ready to deploy.
Their console interface is easy to adapt and hardware very affordable.
Best option besides very expensive CISCO stuff
Paul
-
In my opinion Mikrotik is simplest and cheapest equipment that isn't toy.
But my network knowledge is quite advanced so I understand it can be a bit much if you're not ready or interested to spend some time learning it to some level.
Well, I used to setup this kind of networking gear but lost interest in doing this sort of work a long time ago. Nowadays I want something that just works quickly & easy. I guess I have to dig a bit deeper into the Mikrotik then and see if there is a guided way to get it to do what I want (keys, routes, physical ports, firewall, etc). BTW: I don't need to setup a VPN server, I need to setup a VPN client in the form of a router which uses keys to access a (fixed IP) VPN server.
-
Check their site for demos or trials of new firmware kernels..
They used to have very good demos that can be tested inside any decent vm like qemu
I may be outdated on these but that used to be quite a good test before deploy new stuff
Paul
-
Another one to consider is draytek (https://www.draytek.co.uk/products/routers/business-routers), pretty good reputation, web interface is sane.
-
Also the Firebrick 2900 https://www.firebrick.co.uk/fb2900/ (https://www.firebrick.co.uk/fb2900/) - most probably wildly over-specified for your needs but provides full firewall facilities and top-notch support from the manufacturer
-
If they already have Mikrotik hardware that does what you need then fixing the open port/service problem and expanding with the same hardware is the right way to go. Purchase extra units and power supplies for redundancy as well. If you can't secure them or pin point and resolve vulnerabilities then you need someone with more expertise to help out.
Edit:
Most network guys will dump the config, if it has no plain text you can do it in the cli then compare to another router, also an open or routed port may be like that for a reason or even legacy. This is why documentation is important.
-
If they already have Mikrotik hardware that does what you need then fixing the open port/service problem and expanding with the same hardware is the right way to go. Purchase extra units and power supplies for redundancy as well. If you can't secure them or pin point and resolve vulnerabilities then you need someone with more expertise to help out.
I'm looking at it from a different angle: the configuration I need is not something very special so I shouldn't need to go through a lot of steps or have a lot of options to get the configuration going. In the end more steps & more options means more chances for things to go wrong. Also, using a standard configuration (either through a wizzard or by having limited options) means that all the hard work has been done already. No need to re-invent the wheel / waste time & money.
So all in all I'm going to look at the Mikrotik configuration tool to see if it can make the router do what I want without needing to dive deep into the configuration and have a look at the Drytek routers as well.
-
I understand your reasoning. It's just bad practice from a technical standpoint, experienced network engineers would not change standardized infrastructure if a config change or firmware update could resolve the problem. Does depend on the scale of the business and circumstances of course, if the hardware is outdated and eol it's justified but you would still typically also stay with the same vendor if proven reliable.
-
Microtik has some scary history with winbox, they were already popular at the time ... and their coding was trash at the time.
-
If you leave a public side service open, people will test it for you :D.
-
Simple & good VPN router? Never seen one. If you want a simple VPN solution have a look at wireguard.
-
If you leave a public side service open, people will test it for you :D.
If you create your own public side service protocol and do it poorly you have no one to blame but yourself, they should have just tunneled through SSH.