ML
    jrc (profile): Following 0, Followers 1, Topics 28, Posts 243, Groups 0

    Posts
    • RE: Suggestions on a VPN Solution

      @scottalanmiller said in Suggestions on a VPN Solution:

      @Dashrender said in Suggestions on a VPN Solution:

      @coliver said in Suggestions on a VPN Solution:

      But I think the big one is that you don't want your firewall to handle switching. You should have an independent dedicated switch for that task.

      What's the concern here? The ER-X specifically has a switch chip in it, where the ERL and ER8 don't. Granted I probably wouldn't use the ER-X in a 15+ user environment (though even then that's completely arbitrary and I should only care about bandwidth throughput, not number of users).

      It's just not good practice to mash everything into an "all in one" device. You'd never want an AP in your router, and an AP is just a wireless switch. Keep your devices lean and purposeful.

      Agreed!

      I plan to go with the ERL at both sites, the main site already has a separate switch from the Netgear router, so it'll be a drop in replacement there. At the remote site, I will use the ERL with an 8 port gigabit switch and add in a ubiquiti AP for wireless. Keeps it simple and modular.

      posted in IT Discussion by jrc
    • RE: Suggestions on a VPN Solution

      @scottalanmiller said in Suggestions on a VPN Solution:

      @jrc said in Suggestions on a VPN Solution:

      I had planned on it being used as a switch, the ER-8 was chosen mostly because it seems to be a higher-performing device than the ERL, and as such would possibly allow for more expansion and flexibility in the future for the main store.

      This doesn't make sense like you think that it does.

      • The ERL does a million pps, that's equivalent to a $3,000 Cisco enterprise router. You don't need more than that, your little shop can't even think of being able to use that. Paying for more is 100% wasted. There is just no way that you need anywhere near what this can provide. The ERL will handle so many branches, so many users.... you'll be building new buildings all over the place before you need to think of replacing that for speed reasons.
      • The ER-X has the switch, not the ER8.
      • The ER8 is an eight port router, this is "real gear", don't think of it in Netgear terms. Those are not switch ports.
      • Wanting to use the router as a switch conflicts with your goal to overbuy and have so much power. Good practice is to have them be separate. There is a reason that only the entry level ERX includes a switch and the serious router options do not.

      Perfect! That is the explanation I needed. ERL it is, and I had always planned on pairing the ERL with an 8 port gigabit dumb switch at the satellite location.

      posted in IT Discussion by jrc
    • RE: Suggestions on a VPN Solution

      @JaredBusch said in Suggestions on a VPN Solution:

      @jrc Seriously, you only want to look at an ERL. Your router should not be your switch also.

      So buy a pair of ERL, upgrade the firmware to 1.9.1, run the first run wizard, create VPN tunnel.

      I had planned on it being used as a switch, the ER-8 was chosen mostly because it seems to be a higher-performing device than the ERL, and as such would possibly allow for more expansion and flexibility in the future for the main store. Plus the price on them is not bad, $280 or so.

      But I can see your point about just using the ERL and be done with it. So that may be the way we go when it comes down to it.

      posted in IT Discussion by jrc
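      Added example, not from the thread or from Ubiquiti: the site-to-site IPsec configuration that the "create VPN tunnel" step above produces on an EdgeRouter Lite, written out in EdgeOS CLI so the cipher choices and the firewall/NAT exclusion are visible rather than hidden in the wizard. The WAN addresses (203.0.113.10, 198.51.100.20), the LAN subnets (192.168.1.0/24 main, 192.168.2.0/24 satellite), the group names and the secret are all placeholders; the two LANs must be different subnets or routed traffic will never enter the tunnel.

```vyatta
# Main-site ERL, EdgeOS configure mode (added example; all addresses are placeholders)
#   main WAN      203.0.113.10 on eth0, LAN 192.168.1.0/24
#   satellite WAN 198.51.100.20,        LAN 192.168.2.0/24  (must differ from main LAN)
configure

# Let EdgeOS add the NAT exclusion and the WAN_LOCAL rules for ESP and UDP 500/4500
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec ipsec-interfaces interface eth0

# Phase 1 (IKE): AES-256, SHA-256, DH group 14, 8 h lifetime
set vpn ipsec ike-group IKE-SITE lifetime 28800
set vpn ipsec ike-group IKE-SITE proposal 1 dh-group 14
set vpn ipsec ike-group IKE-SITE proposal 1 encryption aes256
set vpn ipsec ike-group IKE-SITE proposal 1 hash sha256

# Phase 2 (ESP): tunnel mode, PFS on, 1 h lifetime
set vpn ipsec esp-group ESP-SITE lifetime 3600
set vpn ipsec esp-group ESP-SITE mode tunnel
set vpn ipsec esp-group ESP-SITE pfs enable
set vpn ipsec esp-group ESP-SITE proposal 1 encryption aes256
set vpn ipsec esp-group ESP-SITE proposal 1 hash sha256

# Peer is the satellite ERL; the pre-shared secret must be long, random and identical on both ends
set vpn ipsec site-to-site peer 198.51.100.20 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 198.51.100.20 authentication pre-shared-secret REPLACE-WITH-A-LONG-RANDOM-SECRET
set vpn ipsec site-to-site peer 198.51.100.20 description satellite-store
set vpn ipsec site-to-site peer 198.51.100.20 local-address 203.0.113.10
set vpn ipsec site-to-site peer 198.51.100.20 ike-group IKE-SITE
set vpn ipsec site-to-site peer 198.51.100.20 tunnel 1 esp-group ESP-SITE
set vpn ipsec site-to-site peer 198.51.100.20 tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer 198.51.100.20 tunnel 1 remote prefix 192.168.2.0/24

commit
save
exit

# Operational mode, once both routers are configured: the SA should show as up
show vpn ipsec sa
```

      The satellite ERL gets the mirror image (its own WAN address as local-address, 203.0.113.10 as the peer, the two prefixes swapped) with the same groups and secret. Because the tunnel is policy based, only traffic between the two LAN prefixes is encrypted; anything else at the satellite still leaves through its own Comcast connection, which is what you want for a store whose only cross-site traffic is the quoting database and a handful of photos.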
    • RE: Suggestions on a VPN Solution

      @JaredBusch said in Suggestions on a VPN Solution:

      @scottalanmiller said in Suggestions on a VPN Solution:

      VPN makes sense then, as awful as it is. Those kinds of applications are terrible over a VPN, not meant to talk to databases that way, normally.

      That is an over broad assumption, but is generally a solid assumption.

      If it is a locally installed application that just connects to the database at the main site, it will work great.

      If it is an application launched from a shared drive, it will likely run like shit.

      It is a locally installed application that connects to a DB at the main site (running on the SBS server).

      Is there a comprehensive list of the differences between an ER8, ERL and ERLX somewhere? Ubiquiti's site is not too clear on this.

      posted in IT Discussion by jrc
    • RE: Suggestions on a VPN Solution

      @scottalanmiller said in Suggestions on a VPN Solution:

      @jrc said in Suggestions on a VPN Solution:

      @scottalanmiller said in Suggestions on a VPN Solution:

      @jrc said in Suggestions on a VPN Solution:

      That's what I mean, though. No one makes a router that doesn't do that stuff. Not on the high end and not on the low end. I mean there literally might not be any product on the market that doesn't do that.

      Sounds like their "custom application" was written long, long ago in a pre-Internet style? It's not a web front end?

      It was, and poorly at that. And believe it or not it was actually "updated" recently, but still no web front end at all. Plus it's mandatory for all franchises to use it.

      Oh, this is not your customer's custom app, this is an app that they are forced to use from elsewhere.

      Ahh, yes. Sorry when I said custom I meant for the franchise in general and not for the specific branch.

      posted in IT Discussion by jrc
    • RE: Suggestions on a VPN Solution

      @scottalanmiller said in Suggestions on a VPN Solution:

      @jrc said in Suggestions on a VPN Solution:

      That's what I mean, though. No one makes a router that doesn't do that stuff. Not on the high end and not on the low end. I mean there literally might not be any product on the market that doesn't do that.

      Sounds like their "custom application" was written long, long ago in a pre-Internet style? It's not a web front end?

      It was, and poorly at that. And believe it or not it was actually "updated" recently, but still no web front end at all. Plus it's mandatory for all franchises to use it.

      posted in IT Discussion by jrc
    • RE: Suggestions on a VPN Solution

      @scottalanmiller said in Suggestions on a VPN Solution:

      Given the number of workstations and the single server, why not use ZeroTier and go to something more advanced and flexible? Why deal with the complication of the site to site VPN when you could easily go to a full mesh?

      That looks like something you set up on each client, which I think they would not be happy about. They do not take kindly to new ways of doing things, hell they'd still be running Windows XP and Server 2000 if I had not pushed very hard to get them moved to Windows 7.

      The other issue is the corporate franchise entity's IT department is staffed and run by people who actually know very little about IT. So the tech mandates that come from there are a joke at best. So having the VPN as transparent as possible will help me stave off the "we don't support that" mentality they have, which to them really means "we won't help you with anything we don't understand, even if it's not a factor in the issue you are having".

      posted in IT Discussion by jrc
    • RE: Suggestions on a VPN Solution

      @scottalanmiller said in Suggestions on a VPN Solution:

      @jrc said in Suggestions on a VPN Solution:

      But they also need the ability to upload high resolution photos to the server. These are catalogued and used as a sort of before and after thing, which they archive for about 6 months after the job is done.

      That would be a bad use case for a VPN. Moving to something like NextCloud would seem like a better system, even for the main office users.

      Well we are not talking gigabytes of data here. I'm talking maybe two dozen or so images over the day, in the 3 or 4 MB size range each.

      The bigger need here is the ability for the clients at the satellite store to be able to communicate with the quoting software. Which is why VPN was my first thought.

      posted in IT Discussion by jrc
    • RE: Suggestions on a VPN Solution

      @scottalanmiller said in Suggestions on a VPN Solution:

      @jrc said in Suggestions on a VPN Solution:

      Does the ERL do NAT/firewalling and what not? Or would it be a device that I would need to put behind a more robust NAT/Firewall solution?

      Yes, everything does. You literally can't buy anything that doesn't do that.

      Yes, good point, but I meant are the edge routers appropriate to use as the sole internet gateway, but given the name (Edge router) I am guessing this may be a silly question...

      posted in IT Discussion by jrc
    • RE: Suggestions on a VPN Solution

      @scottalanmiller said in Suggestions on a VPN Solution:

      What kind of data and traffic will go between the sites? What will the satellite be accessing from the main office?

      They use a custom quoting software, near as I can tell it's more or less a standard database back end with a custom front end. But they also need the ability to upload high resolution photos to the server. These are catalogued and used as a sort of before and after thing, which they archive for about 6 months after the job is done.

      posted in IT Discussion by jrc
    • RE: Suggestions on a VPN Solution

      Looking at the Edge routers I think this is the way to go. I am going to suggest we get an ERL for the satellite store and an ER-8 for the main store to replace the Netgear that is currently there and quite old.

      Looks like the total cost for the two is under $400, which I think I can justify pretty easily.

      posted in IT Discussion by jrc
    • RE: Suggestions on a VPN Solution

      @gjacobse said in Suggestions on a VPN Solution:

      If you have nice LOS - Line of sight - you could also go with a Point to Point Bridge using the UBNT Bridge

      Not a bad idea, but I think it is unlikely we will have a line of sight between the two.

      posted in IT Discussion by jrc
    • RE: Suggestions on a VPN Solution

      Does the ERL do NAT/firewalling and what not? Or would it be a device that I would need to put behind a more robust NAT/Firewall solution?

      posted in IT Discussion by jrc
    • Suggestions on a VPN Solution

      Hi Guys,

      I have a client who is in the process of opening a satellite store for his Maaco. The store will be just a few miles from his current shop. The plan is that this small store will be in a far more visible area and that they can evaluate and quote repairs and paint jobs for any cars that come in, and as such we need to connect it up, via a VPN to his current network.

      Currently he has 5 workstations and a SBS2011 server, connected via a Comcast Business connection that has a static IP. The router he has currently is a Netgear something or the other (SOHO class, not off the shelf). The satellite store will also have a Comcast business network connection and hopefully a static IP. There will most likely be an additional 2 or 3 workstations there.

      So here is my question, what would be the current recommended solution for this? I want to do edge to edge on the VPN, so I am wondering what hardware I would need to do this, are there some go-to routers/firewalls that people recommend?

      And as usual the budget for this is the typical "as cheap as possible," which is always so much fun to work with.

      posted in IT Discussion by jrc
    • RE: Google accounts being signed out

      @DustinB3403 said in Google accounts being signed out:

      None of my devices have been affected by this.

      I should mention that this affected my personal Google account, no issue with my work Google account (G Suite).

      posted in News by jrc
    • RE: Google accounts being signed out

      I had this issue happen to me on Friday evening, all my Chrome browsers on the machines I use (3 of them) were needing to be signed back in and my phone complained about it as well.

      I logged in and noticed no major changes in my account, still I went through and enabled 2FA (push notification and Google Authenticator) and then used LastPass to change my password to something VERY complex.

      Hopefully this is enough to protect me from whatever the heck is going on.

      posted in News by jrc
    • RE: Virtualizing Smoothwall (edge firewall and content filtering)

      Yeah, this will be a dedicated piece of hardware with the hypervisor on it and just a single VM, the Smoothwall install. Nothing else, and it will not be tied into my existing pool, it will be, for the most part stand alone.

      As to the point of no access if things go down, I don't see that as a major issue, because if things go down like that, then I will need to be on site, in which case I would have physical access to the server and will then be able to fix it from there if needed.

      This device is how my network is connected to the internet, so if it goes down I have zero remote access, with or without it being virtualized.

      posted in IT Discussion by jrc
    • RE: Virtualizing Smoothwall (edge firewall and content filtering)

      @stacksofplates said in Virtualizing Smoothwall (edge firewall and content filtering):

      It's usually better to keep it on hardware. The host has outside access before the firewall/UTM has any control over the network.

      Even if I have multiple interfaces, one that will be dedicated to public/internet and one for internal/management? This seems to boil down to how well the host handles isolation of the traffic, which is probably pretty good I think.

      posted in IT Discussion by jrc
    • RE: Virtualizing Smoothwall (edge firewall and content filtering)

      This box is our firewall, heuristic content filtering, internet traffic logging (by user and by client) and UTM for around 3500 devices, so yeah I need the power and RAM for what it does. https://us.smoothwall.com/web-filtering/ for more info on all it does.

      We rely on quite a few internet based services, and if this box goes down it is extremely disruptive. And the benefits I'd get from virtualizing are immense for this purpose. Being able to minimize my downtime via snapshots and/or migration between hosts of different hardware profiles are not things that I can easily dismiss. And then there is the fringe benefit of being able to export a snapshot, throw it onto a test server and then be able to thoroughly test updates and config changes, which is a pretty big one too.

      So I guess what I am trying to work out is are the tradeoffs worth it.

      posted in IT Discussion by jrc
    • Virtualizing Smoothwall (edge firewall and content filtering)

      So I've had more than a few issues with Smoothwall and updates as well as reboots taking me nearly an hour to complete. So I am contemplating virtualizing Smoothwall on its current hardware with XenServer, it would be the only guest OS on the hardware, and would have 80%+ of the resources.

      The idea here is that this would get me the ability to take a snapshot before an update, and if it goes belly up I could easily restore the snapshot in minutes as opposed to the hour+ it takes to do a new install and restore settings etc. On top of that I get the ability to clone the Smoothwall, move it off to a non-production server and test updates and other things when they come up. And it would also allow me to make periodic backups of the server and in the case of a complete hardware meltdown I could have a stand in up and running in minutes on any available hardware I had on hand.

      My Smoothwall is on the edge of my network right now, the internet plugs right into one of its interfaces, not sure if that makes a difference. Also, for the curious the hardware in question is a HP DL385 Gen8 server, with a single processor (8 cores) and 16 GB of RAM. If I go the virtualized route I'd double the RAM at minimum, and would consider adding another 8 core processor (so 16 cores in total).

      So I am wondering:

      1. Anyone else done something like this with their edge router?
      2. What are some reasons NOT to do this?
      3. Any idea on how hardened XenServer is? Would it be possible for someone or something to compromise the host since one of its interfaces would be plugged directly onto the internet?
      4. What do you guys think of this idea in general?

      posted in IT Discussion by jrc