Good Router/Firewall for MultiWAN-VPN-Setup


Stril

Hi!

I am just looking for a new VPN setup, but I cannot find any product that really fits what I need:

- High Stability on VPN if there is one "working" ISP on every Site with failover.
- Dual-WAN on "both sides" of the VPN
- HQ: Static IPs
- Branch Office: Dynamic IPs
- Centralized/Remote Management of the firewall rules (scripted or via software)
- Flexibility in Configuration, Scripts if possible

What I have tested:

- Bintec (Current Setup). Working fine, but no centralized management, nasty firewall, great routing.
- FortiGate: VPN tunnel must always be assigned to a WAN interface. So at least 4 tunnels must be configured on every site. No scripting
- pfSense/OPNsense: No remote management, no scripting
- MikroTik: Crazy hard to configure with dynamic IPs (L2TP+EoIP+IPsec), great in everything else, no central management, but remote-manageable

Can you give me a hint on what you would use?

Thank you!
Stril
 

Stril

One additional thing:

If possible in any way: I would prefer a device that distinguishes between "running-config" and "boot-config" and has a nice CLI.
 

Mishka

Looked into a DrayTek and then using ACS for remote management?

You can configure a DrayTek that is on a dynamic IP to dial out the VPN to the other site; you could also configure it with a DynDNS-style system so the main router can dial the branch offices.

They can handle multi-WAN and multi-VPN without issue, the multi-WAN supporting failover and load balancing kind of thing too.

The DrayTek 3xxx range is probably best for the main office, then the 28xx range for the branch office; the 3xxx range has 4 WAN ports, whereas the 28xx will have ADSL/Fibre or WAN via network cable.
 

Stril

Hi!

FortiGates are nice, but they do not really fit my demands:
- VPN must be assigned to Interface
- No "startup-config"

I hope to find something else.

@VyOS: I will give it a try. Is it right that there is NO GUI?
 
> Hi!
>
> I am just looking for a new VPN setup, but I cannot find any product that really fits what I need:
>
> - High Stability on VPN if there is one "working" ISP on every Site with failover.
> - Dual-WAN on "both sides" of the VPN
> - HQ: Static IPs
> - Branch Office: Dynamic IPs
> - Centralized/Remote Management of the firewall rules (scripted or via software)
> - Flexibility in Configuration, Scripts if possible
>
> What I have tested:
>
> - Bintec (Current Setup). Working fine, but no centralized management, nasty firewall, great routing.
> - FortiGate: VPN tunnel must always be assigned to a WAN interface. So at least 4 tunnels must be configured on every site. No scripting
> - pfSense/OPNsense: No remote management, no scripting
> - MikroTik: Crazy hard to configure with dynamic IPs (L2TP+EoIP+IPsec), great in everything else, no central management, but remote-manageable
>
> Can you give me a hint on what you would use?
>
> Thank you!
> Stril

Why not use route-based tunnels, a loopback interface and BGP/OSPF?
Worked perfectly for me.

Sent from a mobile device, so typos are to be expected
 
> Hi!
>
> FortiGates are nice, but they do not really fit my demands:
> - VPN must be assigned to Interface
> - No "startup-config"
>
> I hope to find something else.
>
> @VyOS: I will give it a try. Is it right that there is NO GUI?

Correct, you'll find that Juniper/FortiGate and VyOS share a similar command structure and config structure.

 

Stril

Hi!

I never understood how this works with route-based tunnels and OSPF. How are phase-2 entries generated for every "pair" of subnets?