Help setting up a small business network

erikvianna
Hello, I'm new to these forums but hopefully I'll get some help.

I think I've failed badly all these years as an IT administrator designing the network for our small business company.

First we had one WAN link with a Cisco VPN router and a high-power wireless router for the workstations at the selling stations, which was enough. This scheme failed badly: the Cisco router hardware started to fail, and it was hard to diagnose because it was an intermittent LAN vs. WAN problem.

Secondly, I thought I'd get rid of our switches, routers and APs and centralize everything on one machine. This was it: the Cisco WRVS4400N router, gigabit ports, great 300 Mbps WiFi performance, VPN with Kerberos authentication, a lot of manageability, and after six months A HUGE HEADACHE: hard locks with the latest firmware, and finally it became a paperweight.

Last one was the TP-Link TL-ER604W for load balancing and dual WAN. This one lacks a LOT of features; even the VPN functionality is highly limited, and it offers no way to individually control bandwidth per protocol or QoS. It also gets slow over time and needs a hard reboot. The only good thing about this router is the WiFi, which works well. The load balancing is very weak; it only works well as a fail-over. I've tried to stress our two 120 Mbps/150 Mbps links and most of the traffic was stuck on the first link. Trust me, I set it up properly and I've played around with all the settings of this router. TP-Link also offers some app-blocking features, which are highly outdated and simply do not work.

So moving on.

I need:

- Load balancing
- Fail over
- Layer 7 Control
- Bandwidth control (like capping ports 80/443 at 2048 kbps max per IP for the X IP range)
- QoS for prioritizing database traffic such as port 1433
- OpenVPN support
- Stability
- Headache free solution

I thought about going for a Ubiquiti EdgeRouter Max, leaving this TP-Link as an access point (we need the Wi-Fi for our selling workstations at the storefront and for the barcode readers).

I already have a couple of Ubiquiti NanoStations connecting two other local stores about 4 miles away.

Our network equipment is all plugged into a 2.5 kVA stabilized sine-wave output power backup.

Thanks very much for any heads-up, I really appreciate it. We lack professionals in this area, and while my work is mostly with databases and administering other stuff, I have to take care of this part as well.
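As an added worked example (not part of the thread, and not the poster's own configuration), here is how three items on the list above look in plain FreeBSD pf syntax, which is what pfSense compiles its Gateway Groups, Traffic Shaper queues and Limiters down to: dual-WAN load balancing with per-client sticky sessions, a high-priority queue for MSSQL (TCP 1433), and a 2048 kbit/s per-client cap on HTTP/HTTPS for one LAN range. Interface names, the gateway and database server addresses, and the 10.10.20.0/24 storefront range are all assumed. Layer 7 control is not covered because pf itself does no payload inspection.

```pf
# Added example, not from the thread: pf rules for dual-WAN balancing, a
# priority queue for TCP 1433 and a per-client HTTP/HTTPS cap.
# Interface names, addresses and the 10.10.20.0/24 range are assumptions.
# pfSense regenerates its ruleset from the GUI on every reload, so on
# pfSense these are entered as Gateway Group / Shaper / Limiter settings,
# not typed into pf.conf by hand.

lan  = "em0"
wan1 = "em1"             # 120 Mbit/s link
wan2 = "em2"             # 150 Mbit/s link
gw1  = "198.51.100.1"    # assumed upstream gateway on wan1
gw2  = "203.0.113.1"     # assumed upstream gateway on wan2
sales     = "10.10.20.0/24"   # storefront workstations to be capped
db_server = "192.0.2.10"      # hosted MSSQL server (assumed address)

set skip on lo0

# Per-client limiter: dummynet pipes, created outside pf at boot with
#   ipfw pipe 1 config bw 2048Kbit/s mask src-ip 0xffffffff   # LAN -> Internet
#   ipfw pipe 2 config bw 2048Kbit/s mask dst-ip 0xffffffff   # Internet -> LAN
# The /32 mask gives every client address its own 2048 kbit/s pipe instead
# of one shared 2048 kbit/s bucket for the whole range.

# Priority queueing on each WAN. Root bandwidth is set a little under the
# real link rate (about 95%) so pf, not the ISP modem's buffer, decides
# which packet waits. Queue names repeat per interface, as pfSense does.
altq on $wan1 priq bandwidth 114Mb queue { qDB, qDefault }
queue qDB      on $wan1 priority 7
queue qDefault on $wan1 priority 1 priq(default)
altq on $wan2 priq bandwidth 142Mb queue { qDB, qDefault }
queue qDB      on $wan2 priority 7
queue qDefault on $wan2 priority 1 priq(default)

# Outbound NAT on whichever WAN the packet is routed out of.
nat on $wan1 from $lan:network to any -> ($wan1)
nat on $wan2 from $lan:network to any -> ($wan2)

block in log all
pass out quick keep state

# Database sessions: balanced across both WANs, stuck to one gateway per
# client address so a TCP session never flips links mid-stream, and placed
# in the high-priority queue on whichever WAN it leaves by.
pass in quick on $lan \
    route-to { ($wan1 $gw1), ($wan2 $gw2) } round-robin sticky-address \
    inet proto tcp from $lan:network to $db_server port 1433 \
    queue qDB keep state

# Web traffic from the storefront range: same balancing, plus the per-IP
# cap (pipe 1 for the request direction, pipe 2 for the reply direction).
pass in quick on $lan \
    route-to { ($wan1 $gw1), ($wan2 $gw2) } round-robin sticky-address \
    inet proto tcp from $sales to any port { 80 443 } \
    dnpipe (1, 2) keep state

# Everything else from the LAN: balanced, default queue, no cap.
pass in quick on $lan \
    route-to { ($wan1 $gw1), ($wan2 $gw2) } round-robin sticky-address \
    inet from $lan:network to any keep state
```

Two caveats a practitioner would check: a `route-to` pool has no health check of its own, so the fail-over requirement is met only if something removes a dead gateway from the pool and reloads the rules (pfSense's gateway monitoring does this; bare pf needs an external script or ifstated), and the `sticky-address` option is what keeps a client's existing database session on one WAN while the round-robin still spreads new clients across both links.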
 
One thing that would be helpful is the coverage footprint size (square feet/square meters), how many walls (or even if it's open space), and how many clients are attached to this LAN/WLAN...

If you can add the info, I think folks might be better able to make some suggestions..
 
Hello SFX2000, thanks, and sorry for the lack of crucial information! I tried editing my main post but it didn't let me, so here we go:

The main WiFi AP/router, the TP-Link TL-ER604W, is responsible for an area of about 360 sq. m, mostly open space, think Walmart or something like that; it's a huge pet shop and our headquarters are located there, so we have offices, the market department and so on. There are also other APs connected to the network, but most of the office computers are wired and the channel frequencies are carefully set up. It does a good enough job; the most distant workstation/thin client gets a pretty decent signal at a 300 Mbps rate.

Overall we've got about 80 to 120 users on a daily basis depending on the day.

I run a Windows Server 2012 R2 Active Directory server, and all our sales and commercial systems go through an online dedicated MSSQL server hosted elsewhere, so having the Internet under control is essential. We have 7 other stores connected to the same database, all sharing connectivity through VPN.

Most of our workstations are Windows 7 Enterprise.

The TP-Link TL-ER604W is no longer our main router; I've had a pfSense box set up temporarily for our NAT needs since the end of last year, but it's kind of a temporary solution. It's an i5 desktop with 3 gigabit Ethernet cards and an HP 24-port gigabit switch connected to it.

Funny enough, I'm on a budget. I'm from Brazil and our country is a disaster, or has always been, I don't know.

Honestly my job *was* designing databases for our POS systems, that's all.

I had to fire the last four professionals working with me because they had no clue what they were doing. And I'm alone, from sending workstations back to Dell to managing the network and cleaning up the trash.
 
A couple of rules of thumb to consider...

802.11b/g/n: 1500 sq ft and 25 devices per AP/channel/radio. More than that and you'll run into either range (open space) or congestion issues... While not a hard limit, it's a very good place to start...

Back of the napkin: since 360 square meters is about 3800 sq ft, and you have 80/120 users on a daily basis, along with some assumptions, you'll probably need 2 or 3 APs in 2.4 GHz, which is likely good enough... You don't need to go "high end" on the APs; as long as they support b/g/n, you'll be fine, and many low-cost router/APs can be repurposed as APs only (see the main site, there are a couple of articles there on how to do that).

Consider keeping the pfSense box and 24-port switch online, and not replacing them, as pfSense is more scalable and probably more secure than any consumer-based router.

Backhaul: you're OK with CAT5e, and if you need to pull more, find a telco guy and pay him after hours...

Good luck!
 
A Ubiquiti ERL-3 is nowhere near powerful enough to load balance a 120 Mbps and 150 Mbps pair of links with QoS enabled.
An ER8-Pro can probably handle the load.
Layer 7 control... This has only just been implemented in the EdgeMAX firmware and may or may not work as well as you'd like.
Avoid MikroTik, as OpenVPN support is being dropped.

The only thing I know that will work for sure with OpenVPN and QoS at the speeds you require is an x86 box.
As @sfx2000 recommended, try keeping pfSense.
Alternative distros are IPFire and Untangle.

As a tertiary option, look into splitting OpenVPN and routing/firewall into two dedicated devices.
 
You guys have helped me a great deal, and that has been kind of rare nowadays. It's hard to think alone.

I'll keep the pfSense box. I'm also moving our servers/hub to a small rack; currently they are kind of spread out in messy desktop cases.

Here is my pfSense box:

Intel Core i5 4440
8 GB DDR3-2400 G.Skill RAM (low latency, dual channel 4x2, also salvaged from another desktop in the company)
Gigabyte H97N (dual on-board gigabit LAN)
Intel PRO/1000 dual gigabit PCI-Express LAN card (salvaged from a Dell server I purchased at an auction)
Intel 60 GB SSD (more salvaged parts, this one was brand new)
Some tiny and ugly ITX case; it's just as big as a router.

Still on the hardware side, 90% of our network is CAT6, shielded and grounded because I'm afraid of EMI from some high-power equipment sitting above us; it's bad enough to flicker lights, and it's on a completely different power line.

I am purchasing some TP-Link TL-WR1043ND v3 units to set up as APs. I'll probably run DD-WRT, or stick with the original firmware if it's good enough; so far my experience with this router has been good, as in stable and reliable, and as cheap as it gets.

I'm also considering dropping OpenVPN altogether if I find a solution to connect to MSSQL over the Internet securely.

Thanks a lot!

Erik
 
The specs look a bit like overkill for the job... but it will work, and quite fast to boot.
As for the shielded and grounded runs, make sure the ground is an isolated source. The only reason is that you want it to be noise-free; otherwise you are just throwing EMI into your cables, probably worse than if they were not shielded at all.

As for the APs, think long and hard before skipping out on 5 GHz support.

Personally I prefer WAPs that meet the following criteria:
- Centralized management, either from a controller, a website, or a master/slave setup.
- PoE powered. Always better to avoid outlets and centralize management at the MDF/IDF.
- Dual-band operation. 2 GHz has the range, but 5 GHz helps avoid congestion along with spreading the load.
 