Barracuda NG Firewalls - Can They Replace My Barracuda 410 Web Filter?

scottalanmiller

@NetworkNerd said:

How easy are the Ubiquiti firewalls for someone who isn't a CLI guru with Cisco and the like?

I'd say mediocre. They have a graphical interface but it isn't exactly a walk in the park. But it is easier than a Cisco CLI. The CLI on the VyOS on Ubiquiti is very similar to Cisco CLI, so the knowledge carries over. The GUI is always improving but is a bit confusing and not every single feature is exposed there.

travisdh1

@NetworkNerd said:

@scottalanmiller said:

One consideration is doing web filtering behind the firewall. I am of the opinion that router and firewall functions go in the outward facing appliance, filtering and proxying go behind that at a different layer for security, performance and flexibility reasons.

I would look at Ubiquiti as a replacement for the Cisco and using something else, maybe continuing to use a Barracuda web filter, for the web filtering. Using a Barracuda in a position where it is secured by something more serious like the Ubiquiti would mean that it was protected from being blatantly opened to the outside world.

How easy are the Ubiquiti firewalls for someone who isn't a CLI guru with Cisco and the like?

Go download the management app and look for yourself, Ubiquity provides all the management software for free. EdgeMAX download page

scottalanmiller

A huge upside to Ubiquit is that you could get one for home and work with the same features and interface in your home environment so that you can mess around and test things without needing to do it on the product system. @anonymous has the baby Ubiquiti at home which is around $50. I have the older smallest one which is around $90 and we travel with it to use wherever we go.

stacksofplates

Another feature with Ubiquiti is the VPN connections are a breeze. If you have an ER on both ends you really only need to put in address, username, password, and type of connection and it figures it all out. Much easier than between Cisco and something else.

scottalanmiller

@johnhooks said:

Another feature with Ubiquiti is ...Much easier than ... Cisco....

FTFY

Alex Sage

Love Ubiquity!

JaredBusch

@NetworkNerd said:

@scottalanmiller said:

One consideration is doing web filtering behind the firewall. I am of the opinion that router and firewall functions go in the outward facing appliance, filtering and proxying go behind that at a different layer for security, performance and flexibility reasons.

I would look at Ubiquiti as a replacement for the Cisco and using something else, maybe continuing to use a Barracuda web filter, for the web filtering. Using a Barracuda in a position where it is secured by something more serious like the Ubiquiti would mean that it was protected from being blatantly opened to the outside world.

How easy are the Ubiquiti firewalls for someone who isn't a CLI guru with Cisco and the like?

For the ER-X and ERL, you simply

1. pre-download the latest firmware
2. plug in power
3. plug in your laptop configured with 192.168.1.2 to eth0
4. pop the web browser to 192.168.1.1.
5. load the updated firmware
6. reboot
7. run the WAN+2LAN2 wizard to setup the router
8. plug your internet into eth0
   a. Reboot your cable modem if you have one of those because they lock to MAC address
9. plug your local switch into eth1
10. win

JaredBusch

@scottalanmiller said:

A huge upside to Ubiquit is that you could get one for home and work with the same features and interface in your home environment so that you can mess around and test things without needing to do it on the product system. @anonymous has the baby Ubiquiti at home which is around $50. I have the older smallest one which is around $90 and we travel with it to use wherever we go.

The ERX is the much better unit for a SOHO environment because of the built in switching chip.

The ERL is a 100% router. None of the ports have an onboard switch so if you bridge eth1 and eth2, you will lose performance there.

NetworkNerd

What do you use for client VPN connections to the EdgeRouters?

stacksofplates

@NetworkNerd said:

What do you use for client VPN connections to the EdgeRouters?

The Windows clients work fine, L2TP.

NetworkNerd

@johnhooks said:

@NetworkNerd said:

What do you use for client VPN connections to the EdgeRouters?

The Windows clients work fine, L2TP.

Is the authentication using RADIUS, or are you setting up user accounts for client VPN access inside the EdgeRouter itself? I know Cisco works either way, but I was not sure about Ubiquiti.

scottalanmiller

You can use OpenVPN, too. For client connections.

JaredBusch

@NetworkNerd said:

What do you use for client VPN connections to the EdgeRouters?

All my site to site links are currently OpenVPN but IPSEC can be offloaded and thus can get higher throughput than OpenVPN.

OpenVPN is limited to ~10mbps simply due to processing power of the ERL.

I have seen people post results of IPSEC tunnels properly offloaded getting more than 100mbps.

stacksofplates

@NetworkNerd said:

@johnhooks said:

@NetworkNerd said:

What do you use for client VPN connections to the EdgeRouters?

The Windows clients work fine, L2TP.

Is the authentication using RADIUS, or are you setting up user accounts for client VPN access inside the EdgeRouter itself? I know Cisco works either way, but I was not sure about Ubiquiti.

I just set up accounts in the ER. We only have a couple people using the VPN, so it was less work.

JaredBusch

@scottalanmiller said:

You can use OpenVPN, too. For client connections.

Not easily on either Windows or the ERL.

In the ERL L2TP is available in the GUI and is natively available to Windows.

OpenVPN requires third party software on Windows as well as requiring advanced command line setup on the ERL.

Once someone has experience with the ERL it is not very hard, but it is not basic.

Alex Sage

@JaredBusch said:

The ERX is the much better unit for a SOHO environment because of the built in switching chip.

Love my Edge Router X

NetworkNerd

There's no limit on VPN clients or VPN peers that I could see from the datasheets. Can someone confirm that for me, please? Would you put one of these at the hub of a hub and spoke like my setup (getting close to 10 remote peers) and expect it to perform well?

JaredBusch

@NetworkNerd said:

There's no limit on VPN clients or VPN peers that I could see from the datasheets. Can someone confirm that for me, please? Would you put one of these at the hub of a hub and spoke like my setup (getting close to 10 remote peers) and expect it to perform well?

Of course there are no artificial limits because there is no licensing.

There may well be limits due to hardware, but I have about 15 OpenVPN tunnels connecting from my house to various client routers and colo routers, etc. So no idea what real world limits might exist.

scottalanmiller

@NetworkNerd said:

There's no limit on VPN clients or VPN peers that I could see from the datasheets. Can someone confirm that for me, please? Would you put one of these at the hub of a hub and spoke like my setup (getting close to 10 remote peers) and expect it to perform well?

No limits. Welcome to the glorious world of quality, enterprise, open source goodness. A vendor who works by making good products instead of slick marketing ads to management.

Not only will it work well, it will kick the crap out of the Cisco. If the Cisco can do it, the Ubiquiti can do much more. This is much more robust hardware.

scottalanmiller

@JaredBusch said:

There may well be limits due to hardware, but I have about 15 OpenVPN tunnels connecting from my house to various client routers and colo routers, etc. So no idea what real world limits might exist.

And I believe you have an ERL, the little unit, not the Pro which has a bit more memory and CPU, right? The horsepower on the ERP is a lot more, and it rackmounts.

Plus OpenVPN uses a lot more overhead than IPSec. So moving to IPSec and/or the ERP would do a lot for the potential VPN connection ceiling.