Barracuda NG Firewalls - Can They Replace My Barracuda 410 Web Filter?

NetworkNerd

@johnhooks said:

@NetworkNerd said:

What do you use for client VPN connections to the EdgeRouters?

The Windows clients work fine, L2TP.

Is the authentication using RADIUS, or are you setting up user accounts for client VPN access inside the EdgeRouter itself? I know Cisco works either way, but I was not sure about Ubiquiti.

scottalanmiller

You can use OpenVPN, too. For client connections.

JaredBusch

@NetworkNerd said:

What do you use for client VPN connections to the EdgeRouters?

All my site to site links are currently OpenVPN but IPSEC can be offloaded and thus can get higher throughput than OpenVPN.

OpenVPN is limited to ~10mbps simply due to processing power of the ERL.

I have seen people post results of IPSEC tunnels properly offloaded getting more than 100mbps.

stacksofplates

@NetworkNerd said:

@johnhooks said:

@NetworkNerd said:

What do you use for client VPN connections to the EdgeRouters?

The Windows clients work fine, L2TP.

Is the authentication using RADIUS, or are you setting up user accounts for client VPN access inside the EdgeRouter itself? I know Cisco works either way, but I was not sure about Ubiquiti.

I just set up accounts in the ER. We only have a couple people using the VPN, so it was less work.

JaredBusch

@scottalanmiller said:

You can use OpenVPN, too. For client connections.

Not easily on either Windows or the ERL.

In the ERL L2TP is available in the GUI and is natively available to Windows.

OpenVPN requires third party software on Windows as well as requiring advanced command line setup on the ERL.

Once someone has experience with the ERL it is not very hard, but it is not basic.

Alex Sage

@JaredBusch said:

The ERX is the much better unit for a SOHO environment because of the built in switching chip.

Love my Edge Router X

NetworkNerd

There's no limit on VPN clients or VPN peers that I could see from the datasheets. Can someone confirm that for me, please? Would you put one of these at the hub of a hub and spoke like my setup (getting close to 10 remote peers) and expect it to perform well?

JaredBusch

@NetworkNerd said:

There's no limit on VPN clients or VPN peers that I could see from the datasheets. Can someone confirm that for me, please? Would you put one of these at the hub of a hub and spoke like my setup (getting close to 10 remote peers) and expect it to perform well?

Of course there are no artificial limits because there is no licensing.

There may well be limits due to hardware, but I have about 15 OpenVPN tunnels connecting from my house to various client routers and colo routers, etc. So no idea what real world limits might exist.

scottalanmiller

@NetworkNerd said:

There's no limit on VPN clients or VPN peers that I could see from the datasheets. Can someone confirm that for me, please? Would you put one of these at the hub of a hub and spoke like my setup (getting close to 10 remote peers) and expect it to perform well?

No limits. Welcome to the glorious world of quality, enterprise, open source goodness. A vendor who works by making good products instead of slick marketing ads to management.

Not only will it work well, it will kick the crap out of the Cisco. If the Cisco can do it, the Ubiquiti can do much more. This is much more robust hardware.

scottalanmiller

@JaredBusch said:

There may well be limits due to hardware, but I have about 15 OpenVPN tunnels connecting from my house to various client routers and colo routers, etc. So no idea what real world limits might exist.

And I believe you have an ERL, the little unit, not the Pro which has a bit more memory and CPU, right? The horsepower on the ERP is a lot more, and it rackmounts.

Plus OpenVPN uses a lot more overhead than IPSec. So moving to IPSec and/or the ERP would do a lot for the potential VPN connection ceiling.

JaredBusch

@scottalanmiller said:

Plus OpenVPN uses a lot more overhead than IPSec. So moving to IPSec and/or the ERP would do a lot for the potential VPN connection ceiling.

OpenVPN cannot be offloaded to a dedicated chip like IPSEC can. If you do not offload IPSEC the performance is similar.

JaredBusch

@scottalanmiller said:

@JaredBusch said:

There may well be limits due to hardware, but I have about 15 OpenVPN tunnels connecting from my house to various client routers and colo routers, etc. So no idea what real world limits might exist.

And I believe you have an ERL, the little unit, not the Pro which has a bit more memory and CPU, right? The horsepower on the ERP is a lot more, and it rackmounts.

Plus OpenVPN uses a lot more overhead than IPSec. So moving to IPSec and/or the ERP would do a lot for the potential VPN connection ceiling.

I would never buy the ER Pro for any SMB. I just do not see the need. I am sure there is a special case out there, but it will certainly not be normal.

I generally recommend the ER-PoE for SMB offices so that they can have their UAP powered by the router without needed to buy an entire PoE switch. Also is the fact that the basic UAP and UAP-AC-LITE are passive PoE and many PoE switches do not support that.

NetworkNerd

In addition to the Barracuda NG series, I am looking at one of the Sophos UTMs that include web application control. There's a newer model Cisco ASA that has this as well.

Each of those solutions is not cheap as we all know, so the ERL is certainly a contender here for a small office we're about to light up in the coming weeks. Does anyone here think an ERL would have trouble connecting back to by ASA 5510 at HQ using an IPSec tunnel? I believe we're using IKEv1 on the ASA 5510 and its ASA 5505 peers right now. For about $100 or a little less, I'd be willing to at least do some R and D and try it but wanted to know if anyone here had connected the ERL to a different OEM's device successfully.

scottalanmiller

I feel like someone has tested the Ubiquiti to Cisco ASA functionality but I can't remember who.

JaredBusch

Even Cisco has not screwed up IPSEC stands. It will work just fine.

If you want a test, I can do a screen share and we can connect up to one of mine to proof it.

NetworkNerd

Barracuda actually ended up being the most expensive option in the bunch. For potential UTM options, we have a Sophos XG Series firewall or a Meraki MX series. Both seemed to have an easy way to do content filtering that would cover our use case with Barracuda. The ERL is not off the table, of course.

Has anyone here had experience with the Meraki MX devices? I heard a rave review of them at a SpiceCorps the other day. The models we would need are not terribly expensive. I like the fact that there's no separate AD agent for Meraki AD integration (content filtering based on AD user and groups) and no separate VPN client software to install (can just use Windows).

scottalanmiller

@NetworkNerd said:

Has anyone here had experience with the Meraki MX devices?

Yeah... we've managed some. They are insanely expensive and, like most Cisco's that we've dealt with, lack a lot in terms of performance. Good usability but literally would never consider one. The cost is, quite literally, insane. They were reasonable once upon a time, but they aren't really reasonable devices to look at today. Seriously price one out, they are nuts. And if you stop paying, they turn off completely. Just bricks.

Dashrender

So if the OP wants to do web filtering and firewall services - what stuff should he buy?

scottalanmiller

@Dashrender said:

So if the OP wants to do web filtering and firewall services - what stuff should he buy?

Same thing that I keep saying... ERL and Squid.

Dashrender

@scottalanmiller said:

@Dashrender said:

So if the OP wants to do web filtering and firewall services - what stuff should he buy?

Same thing that I keep saying... ERL and Squid.

I just wanted you to post it again