Router with dual wan failover-failback and policy-based VPN routing


Toka
Hello guys,

I've been redirected here from my Reddit thread to ask for your advice. I need a wi-fi router for my home. My primary internet connection is via EuroDOCSIS cable, projected speed is 300MBit/s with the ability to upgrade to 500MBit/s (which I probably won't do). I have a smart home with a lot of IoT devices managed by cloud, so I really need to sort out internet backup connection (via LTE sim card). That's the first requirement, seamless failover-failback internet connection.

I use VPN in most of my devices (ExpressVPN). Not just for privacy, but also for Netflix library. My TV is unable to set VPN, so I want a router with that capability. But I do not want to use VPN for every device. For example for my Playstation, which would increase latency. And on top of that, I want multiple VPN profiles, TV to use USA location, my phone and PC to use a different one, let's say UK.

Guys on Reddit recommended me the Synology RT2600ac. I found another wi-fi router with that capability, and that's the ASUS BRT-AC828. I also get the impression from that thread that I can buy a different ASUS router (recommended was the RT-AC86U) and install the custom Merlin firmware. Oh, and I also found that I could probably achieve this with the Turris Omnia wi-fi router and OpenWRT. I don't know how well known Turris Omnia is outside of my country, though.

I'm completely new to networking even though I'm quite tech-savvy, so I'd take any additional advice based on your experiences. Thanks!
 
If you want reliable and self-manageable, definitely check out Peplink. They are pricier for sure and I'm not sure of their strength in the European market, but they are rock-solid for failover/failback. If you intend on connecting to cellular via USB modem, look at the Balance One Core (non-wifi model); if you want to use a SIM directly then perhaps a MAX BR1. Just make sure to clear your chosen provider and hardware on their list of networks and modems.

I would then wire a separate all-in-one into the Peplink to handle wifi (running in AP mode only), or do a whole-house or business mesh wifi system if you need more range.
 
Cannot get a Peplink, they only support WAN load balancing and failover, though it is very accessible and appears seamless!

The problem is that you have a nasty fusion of high bandwidth, business-like WAN requirement and consumer VPN.

Since there are likely no business VPN routers that have accessible interfaces and strong and continuing support for OpenVPN, you may as well forget about them.

That leaves open source and consumer firmware. They can do strong to very strong OpenVPN support, but are almost always lacking in seamless WAN failover.

I do not believe either stock Asus or Asus Merlin have seamless WAN failover, though their OpenVPN support is very good.

So, whoever recommended you the Synology RT2600AC did you a massive favor, since it is accessible, supports WAN failover, USB modems, and OpenVPN client and server. It has one of the most powerful CPUs for a consumer router and excellent 4x4 WiFi. So, apart from possible corner issues, you will not get better from a consumer router for this feature set.

If neither user interface nor wireless router matters to you, Ubiquiti wired routers are a good option since they are relatively open (meaning OpenVPN support should always be available) and Ubiquiti is well-known for their separate WiFi products.

If you go down the custom router software option, do not bother with options that limit you. They basically need to be equivalent to directly running a PC with your own operating system, otherwise you'll just end up being limited or encounter issues because you want advanced features and high bandwidth. So, no less than a custom *nix or pfSense box makes sense long term with this option.

Try the Synology for now.
 
Peplink is impossible to get in my country. And it looks like a business router. Actually, interface and wireless router matter to me. I got another suggestion to buy Mikrotik with RouterOS, but that's some command line bs. I really like the Synology, but I think that Asus has more experience in wireless routers. On the other hand, the NAS server and other plugins for the Synology router look like a great addition to my household, so I'm gonna follow your advice and try it.
 
Aha, sorry Toka, and yes @umarmung was correct, I didn't read thoroughly enough to process that you also wanted OpenVPN *and* wifi included on the same box. Ouch. That narrows things down quite a bit!

Last I researched, indeed multi-WAN feature set and stability wasn't very mature on the Asus products. Synology may have done better in coming up with smoother support in their firmware. But I have neither experience nor observation enough to confirm...

As far as Ubiquiti, MikroTik or any DIY OpenWRT boxes go... UBNT lacks an all-in-one platform completely, so if that's an absolute must, then they're out. For MikroTik, I don't think they have an all-in-one form factor with enough CPU power to hit the OpenVPN numbers you're looking for. That leaves a DIY OpenWRT build on an x86 box with the right wireless card(s) installed, then all setup per your needs -- most likely *not* a super friendly endeavor, and perhaps a fair bit pricier than expected (hardware depending, of course).

So yes, I'd probably give the Synology model a shot as well. Definitely report back and let us know how it goes...
 
That's ok :) I don't care about the price that much to be honest. Building my own server is way more work and trouble than I'm willing to put in. Anyway, I know my needs are super specific, that's why I asked here. I also read that ASUS dual WAN is wonky. Synology it is! I'll get it next week and I'll report back.
 
If it was me and I had a lot of smart home devices I would want a separate VLAN to segment off the smart devices so they only have access to the manufacturer's site. No local access or internet access except for management and the registering site.
 
Strong VLAN support in consumer routers is almost unheard of. Combined with all his other feature requests that would leave only Ubiquiti (likely without USB modem support) or a custom router, and you can forget about consumer accessibility. ;)
 
Also the Cisco small business switches and routers. The Cisco SG300 switches do nice VLAN support. Don't know how adept he is. He would also need a wireless AP.

I just would not want my smart home devices exposed on my network and wireless.
 
You'd still need a router that can support VLANs. Do any Cisco small business routers even support an OpenVPN client (they definitely support OpenVPN server, but I can find no mention of OpenVPN client/tunnel)?
 
Not sure as I don't run VPN. The SG300 switch in layer 3 mode will support the VLANs without router support. You can use any router and let the switch handle all the local routing for VLANs using layer 3 mode.

PS
Any router which will pass multiple networks.
 
The majority of my IoT devices are connected to a SmartThings hub, the rest are connected to a Philips Hue hub, and the few exceptions are Wi-Fi voice assistants and a vacuum cleaner. I hope that wi-fi + VPN is enough to protect smart devices. I don't want to deal with VLANs for now.
 
I am not sure how you are using VPN for smart devices?

Not a problem with VLAN. I just would not run without it. I would set up a VLAN and SSID for the smart devices so regular connections would not be in the same network nor would they have access.
 
You don't absolutely need VLANs to segment a consumer network. You can do it with just a good IP firewall on the router or even a good managed switch with ACLs, and even more tricks if you don't actually want the IoT to talk out but only be talked to.

Still, that Cisco SG300, especially the SG300-10MPP, looks amazing, if you can afford it. Wirespeed Gigabit even at 64-byte packets, fanless, SFP, enterprise VLAN, hardware ACLs, port + VLAN mirroring, aggregation, QoS, rate limiting, insane MTBF, easy web config (big deal for a Cisco), huge standard PoE+ budget etc... It's a prosumer or small business person's wet dream. I'm not surprised you like it. :)
 
Price is not a problem, but that Cisco router looks like it's for business; I still think this is overkill for my household.

Anyway, why would I need to have a separate network for IoT devices? Genuine question, I do not know what the advantages are.
 
IoT devices are notorious for:
  • phoning home with device data, customer metadata or actual data about you
  • being very badly secured. If you think many consumer routers are badly secured, IoT devices put them to shame
  • almost never receiving updates, including badly needed security updates. Set it and forget it mentality by design convention
  • being badly behaved, e.g. sending unexpected multicast traffic
  • when Internet accessible, they can be used to spy on you directly, often without you knowing. Hello burglars! (*)
  • when Internet accessible, they can be compromised and used in various ways by bad agents, including as part of a botnet to mount attacks or proxy criminal traffic. This can sometimes be done in such a way an ISP may not be able to tell without in-depth checks that it is not YOU that is sending this traffic ... Hello ransomware! (*)
  • they can be abused for crypto-currency mining or sending spam email (note carefully I did not put "when Internet accessible")
  • one bad IoT can infect others of the same type, related type or manufacturer, or on the same network
  • can affect any connected systems that may not have anything whatsoever to do with that IoT device
  • any changes can introduce more vulnerabilities or new traffic (when you last checked everything was fine, but did you check again? Are you relying on manual checking? How would you know what changed?)
  • sending data in the clear, making it trivial to intercept
  • etc.
(*) There are entire IoT search engines dedicated to the task of finding exploitable Internet addresses and devices. Shodan is a famous one that has been frequently in the news. You can even find real examples on YouTube of people being spied upon by random strangers!

Regardless of the best of intentions of a manufacturer, data sent to cloud systems can be hacked anywhere along the chain, including wherever they are stored in the manufacturer's databases. How would you know? People who work at that manufacturer or cloud provider may not even know or care. This is why some people keep away from cloud systems that cannot be run independently of the cloud.

It is another magnitude worse in industrial contexts or as IoT is used increasingly in our lives because they start to control physical systems. Any bad sensor data, data corruption, affected safety controls, or even devices kept too busy with something else, can lead to serious problems and physical accidents.

So, when we little guys occasionally mention we should probably at least try to think about what IoT we have in our networks, and isolate where we can, it is not like the usual hobby frills, and it will become much worse in future ... :eek:
 
Some of the IoT devices need to go outside on the internet. Figure out the IP addresses they need to use. Create an ACL to lock your IoT device to only those outside IP addresses.
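As an added illustration of the segmentation the posts above describe (an IoT VLAN that the LAN may talk to, that never initiates traffic into the LAN, and that only reaches its vendor's addresses), here is a small Python policy model that also renders the equivalent nftables forward chain. This is example code, not from any poster; every address and vendor range is a constructed placeholder.

```python
import ipaddress

# Constructed placeholder addressing (assumptions, not from the thread)
IOT_VLAN = ipaddress.ip_network("192.168.20.0/24")   # IoT SSID/VLAN
LAN = ipaddress.ip_network("192.168.10.0/24")        # PCs, phones, console
# Per-device allow-list: the only outside addresses each IoT device may reach
VENDOR_ALLOW = {
    "192.168.20.11": ["203.0.113.0/24"],    # e.g. a hub's cloud/registration range
    "192.168.20.12": ["198.51.100.7/32"],   # e.g. a voice assistant's service IP
}


def iot_policy(src, dst, state="new"):
    """Return 'accept' or 'drop' for a forwarded flow, mirroring nft_rules().
    state is 'new' for a fresh connection or 'established' for replies
    (the conntrack rule lets replies to already-accepted flows through)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if state == "established":
        return "accept"
    if s in LAN and d in IOT_VLAN:
        return "accept"            # LAN may manage / talk to IoT
    if s in IOT_VLAN and d in LAN:
        return "drop"              # IoT never initiates towards the LAN
    if s in IOT_VLAN:
        for net in VENDOR_ALLOW.get(str(s), []):
            if d in ipaddress.ip_network(net):
                return "accept"    # only that device's vendor addresses
        return "drop"              # everything else, including the open Internet
    return "accept"                # LAN-originated traffic is not restricted here


def nft_rules():
    """Render the same policy as an nftables ruleset for the forward hook."""
    lines = [
        "table inet iot {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        "    ct state established,related accept",
        f"    ip saddr {LAN} ip daddr {IOT_VLAN} accept",
        f"    ip saddr {IOT_VLAN} ip daddr {LAN} drop",
    ]
    for dev, nets in VENDOR_ALLOW.items():
        for net in nets:
            lines.append(f"    ip saddr {dev} ip daddr {net} accept")
    lines += [f"    ip saddr {IOT_VLAN} drop", "  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(nft_rules())
```

The rendered ruleset only covers forwarded traffic; DHCP and DNS from the IoT VLAN to the router itself would need matching input-chain rules.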
 
Sorry but I do not follow. How would a VLAN protect IoT devices? It's just a separate network from my PC and other stuff. So if my lights are hacked, it doesn't actually matter if they are on the same network or not. They could send data and act as a botnet anyway. Btw, as I said, almost all of my IoT are connected to hubs and those hubs to a router. Philips rolls out updates quite often, Z-Wave and Zigbee are open source, so there is a high incentive to patch out bugs. Besides, all IoT devices are behind my wireless router; I honestly do not know how someone outside could take over my IoT devices. The only way I can think of is to get a virus into my PC and spoof my network. The last time I had a virus was in 2006.

And if I use OpenVPN directly in a router, all my traffic outside is encrypted even when IoT communication isn't, right?
 
And if I use OpenVPN directly in a router, all my traffic outside is encrypted even when IoT communication isn't, right?

Not unless you are running an end-to-end VPN and control both ends. If you are using a commercial VPN and running a client on your router, your traffic is only encrypted from your router to the VPN provider's server, where it is then dumped on the WWW unencrypted, or at least the encryption your VPN client put on the traffic is gone. It still may have some protection if the site you are connecting to requires SSL.
 