
What router for a small business


rodmcban

I am helping a friend upgrade his IT gear.
He's operating a small HVAC business with 6 client PCs, 1 fileserver (QNAP, soon to morph into a Windows file server) and 2 network printers. Add to this 5 or 6 VOIP Cisco phones that use the network (don't ask me how they work, all that I know is that they get an IP address from the router and somehow do their job).
Everything is wired, their activity is email, calendar (Gmail for business) and Office docs on the file server (editing and printing).
He has a 5Mb internet connection (VDSL) which is plenty for his actual needs.
The current router is 5+ years old, and has shown signs of fatigue lately (all config lost once or twice) so the time has come to change it.
Any recommendations? VPN would be nice so I can connect from home and look at his stuff (theoretically I am in charge of his gear, in a friendly/casual manner), otherwise I am open to all suggestions.
Thanks in advance,
RMcB
 
RT-AC68U

 
Don't listen to those single recommendations or consumer ones. For a business you need the right equipment or risk problems.
From what it seems you want VPN as well.
Firstly I need to know what your internet speed is. Do you want VPN at your internet speed? Do you need QoS?
If the answer is yes to any of the above 2 questions and you have a very fast internet speed then avoid consumer routers. If your internet speed is less than 100Mb/s then go for a prosumer router which is a higher end consumer router. Avoid so called VPN routers because they are unstable, even the Cisco RV series.

If your internet speed is less than 100Mb/s but you want to save money and don't need wifi you can reuse a PC for pfSense or get Ubiquiti or MikroTik. These routers give you enterprise router functionality and reliability but without the cost. The drawback is that they are harder to use or slower than their enterprise equivalents in certain areas. You will need at least 600MHz of MIPS for software based NAT at 100Mb/s and a lot lot faster to do VPN at that speed. MIPS will only do VPN at a few Mb/s, ARM A9 does a lot more but still less than 50Mb/s of VPN. Some have dual core MIPS/ARM that can double the VPN throughput. ARM A9 will do software NAT up to 500Mb/s at 1.4GHz dual core. Any faster especially for VPN and you're looking at PPC, TILE, or x86 CPU based routers.

For any business or even home for that matter it's very important to design your network properly. Homes usually have very low requirements so it's not an issue but a business or higher must have a well designed network to avoid constant problems. One of the things not many here know is that you can get a non consumer wired router like MikroTik/Ubiquiti and an AC wifi AP for less than an AC wifi router though the CPU in the router will not be as fast as the ARM A9 ones for the price. For example for a small business you could get a Ubiquiti EdgeRouter 5 POE with a UniFi AP and it can be powered and connected to the router with just 1 ethernet cable and 1 plug for the both of them. If the router has SFP and you have fibre optic internet you can get rid of your modem and use the SFP module instead.

As always make sure all your computer, electronic and networking equipment are plugged into a surge protector. Some surge protectors come with a warranty that covers equipment fried behind it up to a certain amount and some have RJ11 protected ports for DSL and phones.

UTMs are also something that you can use for their antivirus and other protective capabilities too. For a multi non techie user network I think that a network firewall and antivirus is a must.
 
'Friend', 'theoretically', 'casual'?

The RT-AC68U is a solid choice.

Set it and forget it.

5Mbps ISP connection sounds like a 5Mbps (down) and possibly 250Kbps (up). Not even worth spending for a 'real' setup. Even if the 5Mbps was up and down.

The RT-AC68U will be an enormous upgrade from the 5 year old router (even when it was working properly).

I would not waste your time or your friend's money on anything else.


Edit: Got the up and down speeds backwards. Fixed. :)
 
...interesting... apparently you give a lot of explanations without any example... reminds me of some priest that speaks 2 hours without saying anything... me... I just wanted to help him with his low needs, which were explained in the first post.

Anyway... if you want a little bit more, use a MikroTik CCR1009 + Ubiquiti UniFi AP, but even this configuration will be far more than your actual needs...


Mikrotik(for routing) + AC87U(for 5Ghz) + AC68U(for 2.4Ghz) + Cisco switch(for NAS link aggregation and VLans)
 
Easy there, killers... lol. First of all, I'd want to know how intentional are you and/or the owner in purchasing "business" gear for a business? It's not necessarily needed in many cases and I'd presume he/you would just be fine with throwing a consumer box in there and calling it a day. If so, fine. Grab an AC68U or R7000. If their software falls short, load AdvancedTomato, turn on fq_codel for QoS, set up OpenVPN for your remote needs, and you're done. You should never have to touch it again, albeit for config changes or the equipment burns out, whichever comes first. ;)

If your intent is on actual business-class gear, that's an entirely separate discussion, with a different set of solutions. Level and type of support and software capability largely determines which solution(s) you go with in that space. Too many options to just throw out there, and I sense it's probably unnecessary in this case.
 
First, thanks to all of you who took the time to reply.
Just so I can explain the terms "casual", "friendly" and "theoretical", I have been compensated for years with beer, sushi and other restaurant food, the freedom to use his tools and vehicles at anytime, and friendship.
I am his only IT guy at the moment, he never said no to whatever I recommended him to buy as long as the price remained reasonable. E.g. "thousands" for a router is not acceptable, but anything below 4 digits should be ok.

Let me also explain what I aim for when I mean "business":

1. Stability. The dang thing must be able to get the job done without quirks, dropped calls or other exotic fantasies. One reset a week and one total config loss a year are not acceptable. Expected lifetime is about 5 years.

2. I should be able to set it up myself. I administer databases for a living, I have a reasonable understanding of networks, eons ago I had an MCSE. I never set up a VPN but I have access to people who know what they are talking about and who I can ask for help if I'm in trouble. Still, as the main resource for this task is yours truly, if it goes beyond my understanding, it will be a no go. Therefore, anything that I should put up from scratch myself becomes a thank you but no thank you.

3. Improved security and VPN. After reading a bit it seems like SSL VPN is the way to go as the main user of this feature (the owner himself) will be using it to connect from home or from his vacation home abroad and do some work on his Word and XLS files. Security wise, we never had a break-in (that I know of) but as the threat appears to be growing I want to be safe for the next 5 years.

The 2 linked UTMs looked good and might just be the kind of device I am looking for. The NetGear one is quite old but I imagine there must be a successor to it. The Zyxel scared me by the limit of 2 SSL VPN connections and also, call it subjective paranoia but the actual brand of the router is Zyxel and we had such bad experiences with it that I'm not sure I want to go that route again. In other words the Zyxel brand may be banned from that business for a few generations at least.

One more time, thanks to all who have answered.

RMcB
 
One more thing, the psychology here is as follows:
I do understand that the Linksys/Asus/Something and other "consumer" routers are OK, probably perfect for what I need, but I want to move away from the plasticky looking gizmos. The "client" will be much happier and more impressed if I get him something more substantial, read metal casing, something inspiring trust (the guys work with hardware and know the difference). I tried to explain to him that the software is as if not more important than the box, but I can see it in his eyes that my words really have no echo.
One more thing I'm trying to do is stop him from buying "toys" that the knowledgeable guy at BestBuy/Walmart/whatever told him are going to work great with his network and are going to be very useful.
It may be dumb but it is my reality...
 
Great additional feedback, rod. Very helpful in moving forward with relevant suggestions.

On your latest thoughts, not dumb at all. I wish more people would realize as much as you have. And yes, many times it's more the software than anything, but ironically enough I've noticed that the better-built gear usually comes with better-designed and more quality-controlled software to boot. Your mileage may vary, but that's just what I've noticed more often than not...

Considering your updated frame of mind, it might pay off very well to look into UTM options. It sucks that you had such an iffy experience with Zyxel, but there are still plenty of other options. Sites like CorporateArmor carry a bulk of them. Sophos's stuff seems to be a killer value. Something like an SG105, or 105w for wireless, coupled with the Red 10 remote gateway for your boss's residence(s). The office unit will be about $400-500 and the remote gateways about $200-300, plus recurring support/security licenses at $100-200 per year, but I think you'll find the real-world execution and support to be leagues beyond the consumer standalone stuff. Cisco Meraki is very similar in its approach, only a fair bit more pricey for roughly the same outcome.

If you can't sell that type of spend/approach to the owner, then you might be able to get away with more standalone type gear, like Peplink. A bit less automated and not as UTM-focused, but they have solid support and some interesting stuff going on with their "PepVPN" product.

I know I may get blasted by others for recommending "pricey" or "overkill" stuff, but it's pretty apparent that your needs may warrant that kind of gear. Hopefully some of that helps. :)
 
One more time I appreciate the effort of sharing all this information.
Quite a few words that I don't understand and/or names I never heard before.
It is clear that there is quite a bit of learning in my near future, I'll spend the next few days/weeks trying to come up with a viable solution.
 
In that case I would suggest you use a brand like MikroTik, Ubiquiti, proper Cisco, Juniper, UTMs, pfSense.
For UTMs I suggest getting an x86 box and installing one on it for fewer licencing issues. Technically you could install both pfSense and a UTM onto the same x86 box using virtualisation and even add FreeNAS. When it comes to reliability these options will do well. x86 stability mainly depends on the hardware you choose (be careful of the RAM you choose). For MikroTik I've noticed that if it crashes it will restart itself but that only happened when I overclocked it.

You still haven't mentioned the internet speed. For encrypted VPNs there's OpenVPN, L2TP/IPSEC and SSTP. L2TP/IPSEC acceleration is available in a large number of hardware (this will be mentioned on the hardware datasheet). OpenVPN is a fast and secure choice while SSTP is the slowest. A number of x86 CPUs do have acceleration for encryption but you must check on the CPU page. You can build an x86 box yourself or just buy one already built with antennas already on it and just needing a miniPCIe/PCIe wifi card. The number of clients isn't a problem except for licensed ones but both MikroTik and Ubiquiti don't have any licence restrictions in how many VPN tunnels or how many clients but they don't have support when you use them for something that makes them great as they'd want you to either hire a consultant or that no one on their forums is knowledgeable enough.

Peplink license depends on what you buy. Some of them only have some features and their speeds aren't that great unless you pay for more expensive equipment.

So to not seem like a priest I will give you an example setup. You could set up an x86 box using a recent dual core i3 for running a UTM such as Untangle and/or pfSense. You can build the PC yourself and use a small case and perhaps cost you $300-$500 depending on what you use. You would obviously need multiple NICs. You can then either add a wireless NIC and an unmanaged/semi managed switch with 8 or 16 ports or get a wifi router/AP. The total cost I expect is going to be less than $1000 for a reliable system that will do gigabit NAT and really fast VPN speeds. pfSense can be used to cache web traffic to further speed things up and maybe even cache commonly used things such as OS updates if you hijack the traffic smartly and cache what you can.

Another example that would be much faster in VPN and NAT than a consumer router would be using an RB1100AHx2 from MikroTik or a CCR1009. They would cost between $300-$500 and have enough ports that you do not need a switch. They feature managed layer 2 CPU and managed layer 2 switch and some CCRs feature SFP+ and SFP so you might not need a modem if you use something with an SFP module for internet. You will then need an AP for wireless and while this solution may be a bit cheaper it is missing out cache and antivirus. MikroTik does have a web proxy capable of caching but in my experience it is not as good as pfSense's. Support would be lacking and skill needed to set it up. The hardware does seem fancy so don't worry about letting down your client.

For the choice of AP you can go with good consumer ones like netgear R7000, Linksys wrt1900AC, ASUS AC56U/68U/3200U or you can go with ones like ubiquiti unifi indoor AC AP, mikrotik RB911xxx series (meant for indoor), cisco wireless.

When using a managed switch or layer 2 firewall capability from MikroTik you can protect your network from the famous pineapple and similar hacks. For saving costs you can get 2nd hand HP, Juniper and Cisco switches that feature such protection (they have a minimum model for that sort of security). These switches will usually be more robust than non enterprise ones and if they do not have fans, getting a 2nd hand one is one way to know that the hardware already works without issues.

Whichever choice you use make sure to go with stable firmware or 3rd party firmware if you have to for stability. I think a network antivirus is something every network should have if they have multiple users but it depends on the budget. If you don't like Zyxel the ASUS AC3200 has if you use it as a router. Other choices simply involve using an x86 based UTM or even installing the antivirus (may need a subscribed or professional one for this) to filter the network on the router.

In terms of my experiences I have not had any restarts with any equipment that I use other than to update firmware. If I don't update the firmware they will keep running fine for years. I use a combination of different networks and different brands and models such as an old TP-Link coupled with a MikroTik RB450G at one house, CCR1036 with a CRS226 in my room with an ASUS AC3200 and AC68U. I've used a smart Netgear switch before that didn't break down but I've upgraded to the CRS. Consumer routers that are supposed to be good work well when used only as APs.

If you go with certain routers you will be able to hijack any traffic you like and redirect it. This is useful if you want your own internal domains and want Google Chrome to follow or if you want devices to sync time locally and not with some faraway server. Things like a transparent proxy cache are done this way too.
 
Yes, NETGEAR has been improving its UTM series. Worth a look

They also have VPN/SSL routers w/o packet/application scanning like the FVS336G-300 we just reviewed.
http://www.smallnetbuilder.com/lanw...00-prosafe-dual-wan-gigabit-firewall-reviewed

Linksys also has a few VPN routers
http://www.smallnetbuilder.com/lanw...49-linksys-lrt214-gigabit-vpn-router-reviewed
http://www.smallnetbuilder.com/lanw...s-lrt224-dual-wan-gigabit-vpn-router-reviewed

The LRTs will remind you of the Cisco RVs, since some of the same team developed them.

I would stay away from the Cisco RVs. Cisco seems to have lost interest in the Small Biz market.

I don't see the need to go for the "big iron" stuff, or rolling your own. Lots of $ for the big iron, plus service contracts. Rolling your own is fine, but you'll have a steep learning curve.

Make sure you put everything on a UPS. And if the router you end up with doesn't support VLANs, get a small smart/managed switch so that you can put the VoIP phones on their own VLAN.

If YeOldeStoneCat chimes in, definitely listen to him. He does this stuff for a living.
 
Having implemented a few Ubiquiti EdgeRouters and Security Gateways lately I must say that Ubiquiti would be my choice for a network edge device at this time. I am also liking the new versions of their wireless controller software, and new AC WiFi access points coming shortly with killer prices. Jeez I sound like a Ubiquiti rep... You would not go wrong with using MikroTik either. The above posted Netgear would not be a bad choice but I think you could beat the price-point to features ratio by using the previously mentioned vendors. Skip the consumer grade plastic junk...
 
Interested to see what the OP decided to do, and select for gear...

On the UBNT front, I've been a bit leery of the ER-L and PoE "Achilles heel" flash storage. I wish they'd just suck it up and issue "v.2" of the hardware with either a better USB module or a just a damn soldered-on chip... For now I put spares on-site with configs loaded and ready to go. As a substitute for now, I've actually been thrilled with the ER-X; $60 for a couple hundred Mb/s of easily-configured codel-based QoS is a SWEET solution for SOHO clients. Might even work in this case, too.
 
Add to this 5 or 6 VOIP Cisco phones that use the network (don't ask me how they work, all that I know is that they get an IP address from the router and somehow do their job)

Before you change stuff you need to figure out the phones and what network programming was done. You don't want to change a device and lose some necessary phone support. Just my 2 cents.

I don't think anybody connects phones to a network and hopes they work. There probably is support in some of the equipment like switches and routers for phones.
 
Consider Peplink.
Great products, rock solid, great UI and easy to manage remotely.
Might not win on "specs" but does in technical support and customer service when needed.
By now I have over 40 installed without a single issue.
Even if you don't need the Dual WAN feature that every Peplink router has, it's still a great choice!
 
Interested to see what direction the OP has gone on this project. If still undecided, I'd second Peplink again. They get beat on specs-per-dollar for sure, but their stuff is very user-friendly and reliable, and their support is substantially better than most SMB vendors.

If VPN is of high interest, I've done a few of the Sophos setups I mentioned earlier, with an SG series at the business and RED device(s) for remote locations -- makes for a pretty easily-deployed VPN with no configuring necessary at the remote site.
 
First question is what is the required or PRUDENT user access security method? LDAP? 802.1X?
Not just wifi password.
 
Since this is a small business, you might consider a Unified Threat Management (UTM) appliance. You get not only VPN, but also real-time packet inspection for malware and threats.

More $, but can be worth it for the additional security.

I strongly recommend a UTM firewall also...not just a plain NAT router.
I'm an IT guy for SMBs... been doing it for 20 years, and for almost 10 years now I've been a strong promoter of UTM firewalls instead of just plain NAT routers. Every day I see the benefit of them... every_day! Yes a little bit more money up front, but these days... with current malware, most of them being web based threats, and various crypto-ware... every layer of additional protection a business network has... helps. Having additional layers of antivirus, http inspectors, deep SPI, adware/malware blockers, to complement the desktop/server antivirus... it all helps.

OP, if all you're doing is remote support... with today's vast selection of RMM tools... why a VPN? RMM tools allow easy peasy remote access and reporting and security AV and patch management and remote desktop support and all that stuff without the need for a VPN.

More expensive..yes. Yearly subscription usually...yes. BUT...I've seen the damage ...AND COST...when a business loses data. Or even downtime from a computer that gets a malware infection. The cost of "cleanup"...for just 1 computer...is usually more than the added cost of a UTM over a plain NAT router...so they quickly pay for themselves.
 
