
Wired VPN Router Suggestion


J. Patrick Moran

I am hoping to get a little help from the forum selecting a VPN router for my office.

I have a wired gigabit network with a Qnap TS-559-Pro II that I use as a file server. I want to be able to access the qnap from my home and on the road.

Special Considerations.
  • Prefer a standalone appliance
  • Under $500
  • I need to be able to remotely mount QNAP Volumes as a drive on both Mac and PC.
  • Speed. I have Xfinity 150/40 and want to maximize.
  • Prefer to use L2TP/IPsec unless there is a better way
Notes:
  • I work with Adobe Creative Suite; I need to mount the drive to keep all the file relationships from breaking
  • I don't want to use the QNAP as a VPN server
  • Tried to use my Airport Extreme, but could never get the necessary ports to open
 

Your speed is going to be limited to your 40 Mbps upload speed.

Using Merlin's firmware on an AC1900P running at 1.4 GHz should handle that with no problems and there are plenty of discussion lines on this forum to help you set it up if you run into any problems.

The only requirement that it doesn't meet is that you will be restricted to running either a PPTP or OpenVPN server.
 
I am hoping to get a little help from the forum selecting a VPN router for my office.

I have a wired gigabit network with a Qnap TS-559-Pro II that I use as a file server. I want to be able to access the qnap from my home and on the road.

Special Considerations.
  • Prefer a standalone appliance
  • Under $500
  • I need to be able to remotely mount QNAP Volumes as a drive on both Mac and PC.
  • Speed. I have Xfinity 150/40 and want to maximize.
  • Prefer to use L2TP/IPsec unless there is a better way

You might be a good candidate for a pfSense SG-2220....

https://store.pfsense.org/SG-2220/

Notes:
  • I work with Adobe Creative Suite; I need to mount the drive to keep all the file relationships from breaking
  • I don't want to use the QNAP as a VPN server
  • Tried to use my Airport Extreme, but could never get the necessary ports to open

Agreed - while the VPN services on the NAS are nice, it's a lot of stuff inside a complicated house of software there...

Opening ports on Airports - quite easy, but you need to understand the lingo/approach...
 
I have a wired gigabit network with a Qnap TS-559-Pro II that I use as a file server. I want to be able to access the qnap from my home and on the road.

FWIW - QNAP has several options for remote access - including their cloud stuff... there is a cut-off with different versions of QTS, but worth checking out...

Just checked - if you're not on QTS 4.2.5, you probably should be...
 
Your use case basically calls for any standard ipsec capable vpn router. Most will have l2tp capability as well if you don't want to have an ipsec tunnel nailed up between two endpoints 24x7.

You'll need to consider what type of realistic bandwidth you'll get across the link though. File transfers even across solid ipsec tunnels can still be iffy (I have 3 sites with ipsec tunnels between them and while file transfers work, I do try to avoid them due to the speed and potential issues).

But what I have found that works really well--especially if for some reason your connection does break--is remote desktop. I can vpn in and then connect to my desktop--all file transfers and whatnot are local at local speeds and the only data being transmitted across the link is the rdp screen updates. I've found that with the screen colors set to 16-bit, a 10Mbps link feels almost like it's local. For what you're doing, I think you should have enough bandwidth for 32-bit to feel like it's local. Something to consider...
 
You should avoid vpn routers under all circumstances.
With your speeds there are a few routers here that would help
ubiquiti routers (ERPRO or newer)
mikrotik routers (non MIPS based)
pfsense
linux/unix based server.
openwrt (make sure the hardware is fast enough)
There are some other x86 based routers that could help too.
 
Why would you say that? There's no way anyone is going to lug around a homebrew router or one that will need tinkering to get working each time they travel. There are dedicated products for these applications that do support vpn tunnels.
 
There isn't much to lug around. For example the newer dual/quad MIPS based routers that both mikrotik and ubiquiti have. Ubiquiti have the ERL and ERPRO that use the same platform as vpn routers, only much much faster and without the same bugs/instabilities. So there are many compact choices to choose from.
Routers called vpn routers are terrible. As the OP said, his current one is too slow, you wouldn't want to suggest him another slow router capable of vpn.

Besides some pfsense capable routers are also inexpensive and compact.
 
But these are again things that require tinkering. What the OP has worked out of the box from day one. There's a huge gap to cover between these two types of platforms if you're going from one to the other.
 
But there isn't any decent router that calls itself a vpn router. If there was I'd have suggested it. The best to user friendly is pfsense and there are those small x86 boxes that can run pfsense and have around 4 ports. There are some in NUC size that have multiple ethernet ports and wifi as well. It's user friendly though not plug and play (though which ipsec/l2tp vpn is?) and pfsense is a lot more reliable than any of the firmwares on those vpn routers except for ubiquiti and has a lot faster hardware.
 
Pfsense is a very powerful package but "easy", "user friendly" compared to what? I recently purchased a mini PC to run Pfsense to increase the throughput of my VPN client connection.

While you can purchase a SOHO router, take it out of the box, change the admin passwords and set up the WiFi and be surfing the WWW in minutes it is a much more involved setup for setting up Pfsense. For example after you download and install Pfsense you first need to run a console session to identify and configure all your WAN/LAN/OPT ports before you can connect it to your network and start a GUI session to finish the setup and only then after you have enabled the firewall's default rules can you connect to the WWW.

While getting the WAN & LAN port working wasn't too difficult, trying to get the OPT1 & OPT2 ports to function as normal LAN ports took considerable time. The set up functionality of various versions of Pfsense has evolved so searching the WEB, printed manuals will give you a general idea of how to accomplish certain things but the exact steps/settings may not be the same as for the version of Pfsense you are running.

For anyone that is considering using Pfsense be sure that you have plenty of patience and time to get it working. The payoff is there if you need the extreme flexibility, firewall rules and network control that Pfsense offers but for most people Merlin's firmware is going to be more than enough. For anyone considering Pfsense buy a manual first and see if you are willing to spend the time to set it up and when you get done will your network be any more secure than what a good SOHO router provides.
 
same security for default rules, can have much better security. mikrotik is easy to set up but vpn is difficult to use.

RMerlin's firmware doesn't have ipsec/l2tp vpn server
 
Thanks for the feedback. I know there is a performance limitation on my upstream data, but it beats syncing multiple storage devices with the NAS. I may be able to purchase better upstream speed from xfinity.

Any thoughts on building my own?
If so, suggested parts list?
 
You might be a good candidate for a pfSense SG-2220...

I've spent weeks off and on trying to figure out a parts list to build myself a cheap box that would run pfSense. With the announcement of them requiring the device's processor to handle AES-NI within the year I had to reconsider what direction I was going to take. I came to the conclusion that after pulling the required components in from different websites and paying the various shipping costs thereof (not to mention the time in weeks I was going to wait to have all the parts in hand) I was going to save myself around $25 +- not very much. And if I shopped through places like NewEgg and the like where I could get my components in a more reasonable time frame I was going to spend slightly more than buying a Netgate appliance. But then again I don't have access to business account pricing, I'm just an average Joe playing with pricey network toys :cool:

I've been looking at the units at Netgate and was considering the suggestion sfx2000 mentioned, the SG-2220. I called Netgate today to ask a few questions before pulling the trigger. During that discussion I found that the SG-2220 is being replaced by the SG-2340. I was getting ready to spend the same amount of money on the 2220 to upgrade it to a 60G SSD that I ended up spending for the 2340 and I didn't need to upgrade any of the components, besides a 60G SSD is serious overkill for storage for a pfSense box. A 32G SSD is overkill from what I've been finding unless you want to keep some serious log files and even then there are other better options to keeping log files than storing them locally on the router.

I could have built my own, bought a micro-computer to put pfSense on, bought a 32G ssd and an 8G Ram stick and saved $25 +-, but I figured that buying a Netgate unit for a little more got me a device that is built specifically with the running of pfSense in mind AND it supported those who upkeep the OS.

https://www.netgate.com/products/sg-2340.html

Just my .02
 
AES-NI can be found with the revised 1st gen iseries and amd bulldozer architecture or newer. Basically 32nm intel lga1366 at minimum. However newer architectures have newer instruction sets that accelerate SSH and SSL which can be useful for openVPN other than the AES-NI.

At the speeds you want even a low end x86 will support those vpn speeds. The limiting factor is upload so there's a lot of options from intel atoms to AMD equivalents. Intel NICs however are suggested for pfsense in terms of both driver quality and performance. Realtek NICs aren't recommended for the same reason not that they won't work, just would need more CPU and cannot support virtualisation (if you run pfsense virtually).

The SG seems to be recommended a lot and it's decent for your speeds. You don't need an SSD for storage but it would significantly help boot times, you can do a SSD with hard drive combo storing the OS on SSD, logs, cache and things that change on the hard drive as you can use caching with transparent proxy config, it's not necessary but if you have a lot of users it helps.

4GB of ram would be a start, 8GB if you plan to use caching and other UTM like features it provides. Just make sure what you choose even if it is in NUC format has at least 2 NICs (more if you have more layer 3 networks).

Not only do you need to setup vpn but also igmp proxy if you wish to forward layer 2. Some features that are made to only work on LAN mostly rely on layer 2 but if you want to map a drive then scanning won't work through vpn but ip addresses will. Don't port forward, just use vpn instead as port forwarding will expose your NAS. You will also need to understand routing a little bit, it's easier to use a different subnet as the gateway for VPN rather than the same as devices will assume you're on LAN and use layer 2 rather than layer 3.
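
The subnet advice in the post above, as an added example that is not part of the original thread: a standard-library Python check of whether a VPN client would treat the NAS as on-link (layer 2) or routed (layer 3), and whether an addressing plan contains overlapping subnets. All addresses and function names are constructed for illustration.

```python
import ipaddress


def delivery_mode(client_ip, prefix_len, dest_ip):
    """Return how a host configured as client_ip/prefix_len reaches dest_ip.

    'on-link' means the host ARPs for the destination directly (layer 2);
    'routed' means it hands the packet to a gateway (layer 3).
    """
    iface = ipaddress.ip_interface(f"{client_ip}/{prefix_len}")
    dest = ipaddress.ip_address(dest_ip)
    return "on-link" if dest in iface.network else "routed"


def plan_conflicts(office_lan, vpn_pool, remote_lan):
    """Return the pairs of subnets that overlap in a VPN addressing plan."""
    nets = {
        "office_lan": ipaddress.ip_network(office_lan),
        "vpn_pool": ipaddress.ip_network(vpn_pool),
        "remote_lan": ipaddress.ip_network(remote_lan),
    }
    names = list(nets)
    conflicts = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                conflicts.append((a, b))
    return conflicts


if __name__ == "__main__":
    # Constructed plan 1: VPN clients get addresses carved out of the office
    # LAN, and the home network also uses 192.168.1.0/24. Every pair collides,
    # and the client tries to ARP for the NAS instead of routing to it.
    print(plan_conflicts("192.168.1.0/24", "192.168.1.192/26", "192.168.1.0/24"))
    print(delivery_mode("192.168.1.200", 24, "192.168.1.20"))

    # Constructed plan 2: office LAN, VPN pool and home LAN are all distinct,
    # so traffic to the NAS is routed through the tunnel by IP address.
    print(plan_conflicts("10.20.30.0/24", "10.20.31.0/24", "192.168.1.0/24"))
    print(delivery_mode("10.20.31.10", 24, "10.20.30.20"))
```

An empty conflict list together with a `routed` result for the NAS address is the layout the post recommends: the share is mapped by IP address over layer 3 rather than found by LAN browsing.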
 
For approximately the same price delivered I purchased a mini PC from Qotom. It has an Intel I7 4500 processor 1.8/3.0 GHz, 8 Gigs of Ram and 4 Intel Gig ports, HDMI, 2 USB 2 and 2 USB 3 ports. Came with Pfsense installed on SSD.

Running a VPN client on it I get download speeds of 150 Mbps. When I stress tested the processor by running 1 4K Netflix stream, 2 HD Netflix Streams, 1 Amazon Stream and 2 YouTube streams that in total were pulling 51 Mbps of data the processor never went over 26%. At idle the PC pulls 5 watts.

Just be sure the device you are buying has the processor speed to handle the applications you want to run on it.
 
I've been looking at the units at Netgate and was considering the suggestion sfx2000 mentioned, the SG-2220. I called Netgate today to ask a few questions before pulling the trigger. During that discussion I found that the SG-2220 is being replaced by the SG-2340. I was getting ready to spend the same amount of money on the 2220 to upgrade it to a 60G SSD that I ended up spending for the 2340

The SG-2340 should be a good unit - ADI/Netgate does nice HW, but sometimes at a premium over the Shenzhen guys on Alibaba and Taobao - but when you get the unit, you'll see the quality...

Performance should be similar to the 2220, in some cases better...
 
Fellow I talked to said better with all that I want to do with it. The 2340's processor is an upgrade from the 2220, and the ssd is standard, unlike the 2220 which has 4GB eMMC with the option to add a 60GB ssd for an upgrade cost. Basically I got a better device, slightly smaller SSD, for the same money.

I'm really looking forward to digging into it, I even paid for 2nd day shipping hoping to have it by this weekend when I'll have the time to dedicate to checking it out.
 
The SG seems to be recommended a lot and it's decent for your speeds. You don't need an SSD for storage but it would significantly help boot times, you can do a SSD with hard drive combo storing the OS on SSD, logs, cache and things that change on the hard drive as you can use caching with transparent proxy config, it's not necessary but if you have a lot of users it helps.

4GB of ram would be a start, 8GB if you plan to use caching and other UTM like features it provides. Just make sure what you choose even if it is in NUC format has at least 2 NICs (more if you have more layer 3 networks).

My 2440 has 4GB RAM, and I do run a small mSATA drive, as the 2440 I have was an early model where the eMMC was only 4GB - and Samsung was pushing pricing really low on their 850Evo mSATA parts (like $45USD). I went with the mSATA SSD as I didn't want to eventually burn holes in the eMMC, thus extending the life of the unit.

If one is not running things like Snort, then the eMMC is fine, and pfSense does have options where /var and /tmp can be kept in RAM instead of writing to disk... warning here though is that this might impact some ipv6 stuff... (known bug, might be fixed these days)

Boot time between the mSATA and eMMC isn't that much different, and pfSense is pretty stable - basically the only time I reboot the router is when doing major updates...

Performance on these should be good enough for a 500Mbps symmetric connection without any problems - and that with some QoS treatment on top of things.

VPN performance is pretty consistent with 100Mbps observed on both L2TP/IPsec and OpenVPN - might be a bit faster, but last time I tested VPN was when I had a 100Mbps account profile with my ISP ;)

With the Netgate/pfSense box - it's a firewall/GW router - for switching, you'll need an external switch - doesn't have to be too exotic here, even most modern 1Gbe dumb-switches honor VLAN tags these days from the GW - but if one is looking for a decent 8 port Gbe switch, consider Netgear's GS108T series here - they're managed, with some layer 3 support, and good layer 2 management capabilities....
 
consider Netgear's GS108T series here

God help you if you ever need customer support. Worst CS experience of my life and I'm no young pup ;) I had an 8 port managed switch that I was having issues with and I called their CS :mad: NEVER again. They lost a customer for life, and I used to swear by their products.

You want a good product, with great CS support go with Linksys and don't look back :cool:
 
