Good Router/Firewall for MultiWAN-VPN-Setup

Discussion in 'Networking' started by Stril, May 16, 2018.

  1. Stril

    Stril Member

    Joined:
    Sep 26, 2017
    Messages:
    54
    Likes Received:
    3
    Hi!

    I am looking for a new VPN setup, but I cannot find any product that really fits what I need:

    - High VPN stability as long as there is one "working" ISP at every site, with failover.
    - Dual-WAN on "both sides" of the VPN
    - HQ: Static IPs
    - Branch Office: Dynamic IPs
    - Centralized/Remote Management of the firewall rules (scripted or via software)
    - Flexibility in Configuration, Scripts if possible

    What I have tested:

    - Bintec (Current Setup). Working fine, but no centralized management, nasty firewall, great routing.
    - Fortigate: VPN tunnel must always be assigned to a WAN interface. So at least 4 tunnels must be configured on every site. No scripting
    - PFSense/OPNSense: No remote management, no scripting
    - Mikrotik: Crazy hard to configure with dynamic IPs (L2TP+EoIP+IPSEC), great in everything else, no central management, but remote-manageable

    Can you give me a hint on what you would use?

    Thank you!
    Stril
     
    #1
  2. Stril

    Stril Member

    Joined:
    Sep 26, 2017
    Messages:
    54
    Likes Received:
    3
    One additional thing:

    If possible in any way: I would prefer a device that distinguishes between "running-config" and "boot-config" and has a nice CLI.
     
    #2
  3. Zack Hehmann

    Zack Hehmann Member

    Joined:
    Feb 6, 2016
    Messages:
    52
    Likes Received:
    5
    Take a look at VyOS – an open source Linux-based OS for routers and firewalls.

    Let me know what you think?

    I think you can run this in GNS3 pretty easily as an appliance that you import. You could do a proof of concept and report your findings. I would love to see your results. It has a Cisco CLI feel and is supposed to be efficient.

    Sent from my Pixel XL using Tapatalk
     
    #3
  4. Mishka

    Mishka Member

    Joined:
    Apr 30, 2017
    Messages:
    55
    Likes Received:
    6
    Have you looked into a Draytek and then using ACS for remote management?

    You can configure a Draytek that is on a dynamic IP to dial out the VPN to the other site; you could also configure it with a DynDNS-style system so the main router can dial the branch offices.

    They can handle multi-WAN and multi-VPN without issue, with the multi-WAN supporting failover and load balancing too.

    The Draytek 3xxx range is probably best for the main office and the 28xx range for the branch offices; the 3xxx range has 4 WAN ports, whereas the 28xx will have ADSL/Fibre or WAN via network cable.
     
    #4
    Last edited: May 17, 2018
  5. melk

    melk Meet me in the wired

    Joined:
    Nov 16, 2017
    Messages:
    31
    Likes Received:
    1
    I have 2x Fortigate 60D boxes available for sale, if you are interested.
     
    #5
  6. Stril

    Stril Member

    Joined:
    Sep 26, 2017
    Messages:
    54
    Likes Received:
    3
    Hi!

    Fortigates are nice, but they do not really fit my demands:
    - VPN must be assigned to an interface
    - No "startup-config"

    I hope to find something else.

    @VyOS: I will give it a try. Is it right that there is NO GUI?
     
    #6
  7. audio catalyst

    Joined:
    Jan 4, 2014
    Messages:
    76
    Likes Received:
    11
    Why not use route-based tunnels, a loopback interface and BGP/OSPF?
    Worked perfectly for me.

    Sent from a mobile device, so typos are to be expected
     
    #7
  8. audio catalyst

    Joined:
    Jan 4, 2014
    Messages:
    76
    Likes Received:
    11
    Correct, you'll find that Juniper/Fortigate and VyOS share a similar command structure and config structure.

    Sent from a mobile device, so typos are to be expected
     
    #8
  9. Stril

    Stril Member

    Joined:
    Sep 26, 2017
    Messages:
    54
    Likes Received:
    3
    Hi!

    I never understood how this works with route-based tunnels and OSPF. How are phase-2 entries generated for every "pair" of subnets?
     
    #9
  10. audio catalyst

    Joined:
    Jan 4, 2014
    Messages:
    76
    Likes Received:
    11
    Here's a pretty good write-up for Cisco, but the same applies to other vendors:

    Comparing Cisco VPN Technologies – Policy Based vs Route Based VPNs

    Sent from a mobile device, so typos are to be expected
     
    #10
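The question in post #9 (how phase-2 entries get generated for every pair of subnets) has a short answer that the linked write-up spells out: with a route-based tunnel they are not. The tunnel is bound to a virtual tunnel interface (VTI), the single phase-2 SA carries 0.0.0.0/0 to 0.0.0.0/0 selectors, and the routing protocol running over the VTI decides which subnets are reachable through it. Adding a subnet at either site then means adding an OSPF network statement, not touching IPsec at all. The following is an added illustration in the style of VyOS (which was suggested in post #3), not configuration posted by anyone in this thread or taken from the VyOS project. All addresses, the peer name branch1 and the group names IKE-BRANCH/ESP-BRANCH are constructed; the `set` command syntax follows the VyOS 1.2/1.3 command tree and should be checked against the documentation of the installed version, since the IPsec tree was reorganised in later releases.

```text
# ---- HQ router (static WAN IP 198.51.100.1; all addresses are constructed) ----
# Phase 1 / phase 2 parameters shared by all branch tunnels
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec ike-group IKE-BRANCH key-exchange ikev2
set vpn ipsec ike-group IKE-BRANCH proposal 1 encryption aes256
set vpn ipsec ike-group IKE-BRANCH proposal 1 hash sha256
set vpn ipsec ike-group IKE-BRANCH proposal 1 dh-group 14
# Dead peer detection tears the tunnel down quickly when a branch WAN drops,
# so OSPF can converge on the surviving path
set vpn ipsec ike-group IKE-BRANCH dead-peer-detection action restart
set vpn ipsec ike-group IKE-BRANCH dead-peer-detection interval 15
set vpn ipsec ike-group IKE-BRANCH dead-peer-detection timeout 45
set vpn ipsec esp-group ESP-BRANCH proposal 1 encryption aes256
set vpn ipsec esp-group ESP-BRANCH proposal 1 hash sha256
set vpn ipsec esp-group ESP-BRANCH pfs dh-group14

# The branch has a dynamic address, so HQ identifies it by its IKE ID
# (the leading '@' marks an ID-based peer) and only responds.
set vpn ipsec site-to-site peer @branch1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer @branch1 authentication pre-shared-secret 'REPLACE-WITH-A-LONG-RANDOM-SECRET'
set vpn ipsec site-to-site peer @branch1 authentication remote-id branch1
set vpn ipsec site-to-site peer @branch1 connection-type respond
set vpn ipsec site-to-site peer @branch1 ike-group IKE-BRANCH
set vpn ipsec site-to-site peer @branch1 local-address 198.51.100.1
# Binding the peer to a VTI is what makes the tunnel route-based: there is
# exactly one phase 2 with 0.0.0.0/0 <-> 0.0.0.0/0 selectors, and the
# routing table decides what is sent through it. No per-subnet entries.
set vpn ipsec site-to-site peer @branch1 vti bind vti0
set vpn ipsec site-to-site peer @branch1 vti esp-group ESP-BRANCH

# Point-to-point transfer net inside the tunnel; OSPF runs on it and
# advertises the HQ LAN (192.168.10.0/24, constructed)
set interfaces vti vti0 address 10.255.0.1/30
set protocols ospf parameters router-id 10.255.0.1
set protocols ospf area 0 network 10.255.0.0/30
set protocols ospf area 0 network 192.168.10.0/24

# ---- Branch router (dynamic WAN IP) ----
set vpn ipsec ipsec-interfaces interface eth0
# ike-group IKE-BRANCH and esp-group ESP-BRANCH are identical to HQ and omitted here
set vpn ipsec site-to-site peer 198.51.100.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 198.51.100.1 authentication pre-shared-secret 'REPLACE-WITH-A-LONG-RANDOM-SECRET'
# Our own IKE ID; this is what HQ matches with "remote-id branch1"
set vpn ipsec site-to-site peer 198.51.100.1 authentication id branch1
set vpn ipsec site-to-site peer 198.51.100.1 connection-type initiate
set vpn ipsec site-to-site peer 198.51.100.1 ike-group IKE-BRANCH
# "any" because the WAN address changes with every ISP lease
set vpn ipsec site-to-site peer 198.51.100.1 local-address any
set vpn ipsec site-to-site peer 198.51.100.1 vti bind vti0
set vpn ipsec site-to-site peer 198.51.100.1 vti esp-group ESP-BRANCH

set interfaces vti vti0 address 10.255.0.2/30
set protocols ospf parameters router-id 10.255.0.2
set protocols ospf area 0 network 10.255.0.0/30
set protocols ospf area 0 network 192.168.20.0/24
```

For the dual-WAN requirement from post #1, the same pattern scales: each WAN pair gets its own VTI (vti1 bound to the second HQ address, and so on), OSPF runs on all of them, and the interface cost decides which tunnel carries traffic while the others sit as hot standbys. When a tunnel drops, DPD clears the SA, the VTI goes down, OSPF withdraws the routes learned over it, and traffic moves to the remaining tunnel with no change to any phase-2 definition. Operationally, the points to monitor are the OSPF neighbour state and the number of established SAs per peer; a peer with an established SA but no OSPF adjacency usually indicates a VTI addressing or MTU problem rather than an IPsec one.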