SOHO network upgrade (dynamic VLANs, VPN), seeking advice (especially for router selection)

pavel20

Hello experts,
I have spent the last few days on the Internet trying to find out what the best setup and equipment for my needs would be. I went through many discussions and reviews, studied manuals, ... and in the end I'm absolutely unsure, especially about the router.

I have attached a diagram reflecting the broader view. The main points are:
- both home and office devices must have access to shared printers and servers
- home and office devices must be isolated but remain in the same segment (broadcast traffic is not an issue, and there are handy services that do not work across LAN segments which I want to preserve)
- secure access from WAN is needed (both client-to-gateway and later gateway-to-gateway)
- separate WiFi for authorized users (?MAC based AP access) and guests
- a firewall is a must, with at least +/-50 access rules (some office devices have limited Internet access)
- security and reliability are important
- reasonable budget
- 4 active users at a time can be expected
- not more than 3-5 concurrent VPN connections

Regarding switches, I was thinking of the SG200-8 but finally chose the SG300-10, which allows dynamic VLANs based on MAC so office and home equipment can be kept in the proper VLAN wherever it is plugged in. (I also found a few complaints that the SG200-8 resets from time to time and loads the default configuration with all ports "open" - this is not acceptable.) I have already ordered one SG300-10 for the office room.

Regarding the AP, I plan to use separate device(s), as WiFi can be switched off most of the time and it is easy to switch a standalone AP on just when needed (compared to logging in to a WiFi router and changing the configuration). I own a TP-Link TL-WA801ND which could be reused.

My first idea was to buy Cisco equipment because of the brand (I thought Cisco = reliability), but I read some criticism of their SOHO products (including the RV130 router, which allows a USB modem as a backup Internet connection). I also found notes here in snbforums that VPN routers are not stable... So regarding the router I am confused.

I would very much appreciate any help regarding router selection as well as comments about general setup.

Thank you for your time.

Pavel

Attachments

  • SOHOnet.pdf (29 KB)

I have a SG200-8 switch. This switch has been running solid for almost a year with no resets other than to upgrade the firmware a couple of times. It is being fed from a SG300-28 switch in layer 3 mode. I think the layer 3 SG300-10 switch will be a better switch than the SG200-8 switch. I like using layer 3 in a switch. I have not done dynamic VLANs by MAC, but I am interested in how well it works when you finish. I am not sure I want to track all the MAC addresses in my house, but it sounds interesting. I run conventional tagged VLANs with three Cisco WAPs using 2 SSIDs, one for guests. It works very well without any outages other than firmware updates. I have a basic configuration under switches for a guest network using a Cisco SG300-28 switch, doing it my way. I would think the configuration would work for the Cisco SG300-10 switch in layer 3 mode.

I am like you when it comes to routers. I need access lists or I won't even consider the router for use in my home network. I too am not impressed with the new Cisco router offerings. Running a layer 3 switch allows you to run any router, since the layer 3 switch is handling all the VLAN traffic anyway. I am looking for a new toy to play with also. I hope you post what you find. I still run an old Cisco RV180 router. It may not be the best, but it has access list support.

I am off to go fishing this weekend. I will catch up on Monday.

PS
I am not sure there is a fast enough router to buy right now. Most fast routers use hardware acceleration, and if you use access lists I think you lose hardware acceleration, so what we need is the next generation of routers with much faster processors.
 
For a router that can do what you want, you have a choice of either x86 hardware or a Mikrotik PPC/TILE based RouterBoard. For x86 there's pfSense and a bunch of UTMs that you can use. All three choices have firewalls, and which one to get depends on your budget and the throughput you want.

The Mikrotik RB1100AHx2 does up to 500Mb/s of PPTP VPN per core and 2Gb/s of software NAT in total, and has IPsec acceleration.
The CCR series does up to 2Gb/s of software NAT per core and 300Mb/s of PPTP VPN per core, and has encryption acceleration. It has weird load balancing across cores, since traffic in a single connection cannot use more than 1 core (this prevents 1 user from flooding the router). If you use PPPoE you can expect less throughput from both routers.

In terms of the AP, instead of using MAC and access lists consider using RADIUS, since even TP-Link WiFi routers support RADIUS using WPA2 Enterprise. Mikrotik can act as a RADIUS server, and I'm sure pfSense and the other options have it as well.

All the options I listed are reliable, and reusing an AP is totally fine. You won't get extra reliability from using a non-consumer AP, but you can get extra security and features you don't normally get; it depends whether you really need those extra features. The router choices I listed are all reliable and secure. Mikrotik RouterOS sometimes has bugs, but always in minor areas that you can do without. When going with x86, make sure you do not have a Realtek NIC, as they require a lot more CPU. You've got the switches and you are reusing APs, so that just leaves the router in your budget.
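As an added example that is not from this thread or from any of the posters: a FreeRADIUS `users`-file fragment (`mods-config/files/authorize` in FreeRADIUS 3) showing how a RADIUS server hands the switch or AP the VLAN for a known MAC, which is the dynamic-VLAN-by-MAC setup being discussed. The MAC addresses and VLAN IDs are constructed placeholders, and it assumes the authenticator sends the MAC as both username and password, the usual MAC-authentication convention.

```text
# Constructed example: FreeRADIUS "users" entries that return the VLAN for a
# known MAC via the RFC 3580 tunnel attributes. MACs and VLAN IDs
# (10 = office, 20 = home) are placeholders, not values from the thread.
# Assumes the switch/AP sends the MAC as both username and password.

# Office workstation: lands in the office VLAN wherever it is plugged in
001122334455    Cleartext-Password := "001122334455"
                Tunnel-Type = VLAN,
                Tunnel-Medium-Type = IEEE-802,
                Tunnel-Private-Group-Id = "10"

# Home laptop: lands in the home VLAN
66778899aabb    Cleartext-Password := "66778899aabb"
                Tunnel-Type = VLAN,
                Tunnel-Medium-Type = IEEE-802,
                Tunnel-Private-Group-Id = "20"

# Any MAC not listed above is rejected, so an unknown device gets no VLAN
# from RADIUS (the switch's own guest/unauthenticated VLAN applies, if set).
DEFAULT         Auth-Type := Reject
```

A MAC address is not a secret, so these entries place a device in a VLAN but do not authenticate it; for the authorized-user WiFi, the WPA2 Enterprise (802.1X/EAP) path mentioned above returns the same tunnel attributes against a real credential.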
 
Thank you for your replies. I read them shortly after posting.

During the weekend I did my homework to learn the SG300 in more detail. The switch has (from my perspective) a large set of security features and is able to assign VLANs dynamically based on MAC as well as RADIUS, so I've started to test various configurations (in layer 2 mode, as one subnet only for all the devices is convenient).

Mikrotik RB prices are higher than those of the other routers I was considering, i.e. I'd pay the price if I can make use of it. My Internet connection is really slow (ADSL2+, possibly 4G LTE), so router throughput would not be a limit. What matters the most is security and VPN capabilities. I will need some time to see what the SG300 can take care of and what would be left for the new router.
 
Remember, with the SG300 switch in layer 2 mode, all will be lost when you switch to layer 3 mode.
 
If your internet is ADSL2 then you can use a MIPS based RouterBoard. They have one for $60 that uses 4W and has 5 gigabit Ethernet ports.

There are lots of MIPS based RouterBoards; some have integrated WiFi, USB, mini PCIe and SFP. A lot of people asking for a router don't mention the throughput they want, so I assume it's around 100Mb/s or a lot more, especially if they mention they want multiple WANs. Usually you find people wanting to combine 2 or 3 gigabit ISPs.