    Barracuda NG Firewalls - Can They Replace My Barracuda 410 Web Filter?

      NetworkNerd @stacksofplates

      @johnhooks said:

      @NetworkNerd said:

      What do you use for client VPN connections to the EdgeRouters?

      The Windows clients work fine, L2TP.

      Is the authentication using RADIUS, or are you setting up user accounts for client VPN access inside the EdgeRouter itself? I know Cisco works either way, but I was not sure about Ubiquiti.

        scottalanmiller

        You can use OpenVPN, too. For client connections.

          JaredBusch @NetworkNerd

          @NetworkNerd said:

          What do you use for client VPN connections to the EdgeRouters?

          All my site to site links are currently OpenVPN but IPSEC can be offloaded and thus can get higher throughput than OpenVPN.

          OpenVPN is limited to ~10mbps simply due to processing power of the ERL.

          I have seen people post results of IPSEC tunnels properly offloaded getting more than 100mbps.

            stacksofplates @NetworkNerd

            @NetworkNerd said:

            @johnhooks said:

            @NetworkNerd said:

            What do you use for client VPN connections to the EdgeRouters?

            The Windows clients work fine, L2TP.

            Is the authentication using RADIUS, or are you setting up user accounts for client VPN access inside the EdgeRouter itself? I know Cisco works either way, but I was not sure about Ubiquiti.

            I just set up accounts in the ER. We only have a couple people using the VPN, so it was less work.

              JaredBusch @scottalanmiller

              @scottalanmiller said:

              You can use OpenVPN, too. For client connections.

              Not easily on either Windows or the ERL.

              In the ERL L2TP is available in the GUI and is natively available to Windows.

              OpenVPN requires third party software on Windows as well as requiring advanced command line setup on the ERL.

              Once someone has experience with the ERL it is not very hard, but it is not basic.

                Alex Sage @JaredBusch

                @JaredBusch said:

                The ERX is the much better unit for a SOHO environment because of the built in switching chip.

                Love my Edge Router X 😄

                  NetworkNerd

                  There's no limit on VPN clients or VPN peers that I could see from the datasheets. Can someone confirm that for me, please? Would you put one of these at the hub of a hub and spoke like my setup (getting close to 10 remote peers) and expect it to perform well?

                    JaredBusch @NetworkNerd

                    @NetworkNerd said:

                    There's no limit on VPN clients or VPN peers that I could see from the datasheets. Can someone confirm that for me, please? Would you put one of these at the hub of a hub and spoke like my setup (getting close to 10 remote peers) and expect it to perform well?

                    Of course there are no artificial limits because there is no licensing.

                    There may well be limits due to hardware, but I have about 15 OpenVPN tunnels connecting from my house to various client routers and colo routers, etc. So no idea what real world limits might exist.

                      scottalanmiller @NetworkNerd

                      @NetworkNerd said:

                      There's no limit on VPN clients or VPN peers that I could see from the datasheets. Can someone confirm that for me, please? Would you put one of these at the hub of a hub and spoke like my setup (getting close to 10 remote peers) and expect it to perform well?

                      No limits. Welcome to the glorious world of quality, enterprise, open source goodness. A vendor who works by making good products instead of slick marketing ads to management.

                      Not only will it work well, it will kick the crap out of the Cisco. If the Cisco can do it, the Ubiquiti can do much more. This is much more robust hardware.

                        scottalanmiller @JaredBusch

                        @JaredBusch said:

                        There may well be limits due to hardware, but I have about 15 OpenVPN tunnels connecting from my house to various client routers and colo routers, etc. So no idea what real world limits might exist.

                        And I believe you have an ERL, the little unit, not the Pro which has a bit more memory and CPU, right? The horsepower on the ERP is a lot more, and it rackmounts.

                        Plus OpenVPN uses a lot more overhead than IPSec. So moving to IPSec and/or the ERP would do a lot for the potential VPN connection ceiling.

                          JaredBusch @scottalanmiller

                          @scottalanmiller said:

                          Plus OpenVPN uses a lot more overhead than IPSec. So moving to IPSec and/or the ERP would do a lot for the potential VPN connection ceiling.

                          OpenVPN cannot be offloaded to a dedicated chip like IPSEC can. If you do not offload IPSEC the performance is similar.

                            JaredBusch @scottalanmiller

                            @scottalanmiller said:

                            @JaredBusch said:

                            There may well be limits due to hardware, but I have about 15 OpenVPN tunnels connecting from my house to various client routers and colo routers, etc. So no idea what real world limits might exist.

                            And I believe you have an ERL, the little unit, not the Pro which has a bit more memory and CPU, right? The horsepower on the ERP is a lot more, and it rackmounts.

                            Plus OpenVPN uses a lot more overhead than IPSec. So moving to IPSec and/or the ERP would do a lot for the potential VPN connection ceiling.

                            I would never buy the ER Pro for any SMB. I just do not see the need. I am sure there is a special case out there, but it will certainly not be normal.

                            I generally recommend the ER-PoE for SMB offices so that they can have their UAP powered by the router without needing to buy an entire PoE switch. Also is the fact that the basic UAP and UAP-AC-LITE are passive PoE and many PoE switches do not support that.

                              NetworkNerd

                              In addition to the Barracuda NG series, I am looking at one of the Sophos UTMs that include web application control. There's a newer model Cisco ASA that has this as well.

                              Each of those solutions is not cheap as we all know, so the ERL is certainly a contender here for a small office we're about to light up in the coming weeks. Does anyone here think an ERL would have trouble connecting back to my ASA 5510 at HQ using an IPSec tunnel? I believe we're using IKEv1 on the ASA 5510 and its ASA 5505 peers right now. For about $100 or a little less, I'd be willing to at least do some R and D and try it but wanted to know if anyone here had connected the ERL to a different OEM's device successfully.

                                scottalanmiller

                                I feel like someone has tested the Ubiquiti to Cisco ASA functionality but I can't remember who.

                                  JaredBusch

                                  Even Cisco has not screwed up IPSEC standards. It will work just fine.

                                  If you want a test, I can do a screen share and we can connect up to one of mine to prove it.

                                    NetworkNerd

                                    Barracuda actually ended up being the most expensive option in the bunch. For potential UTM options, we have a Sophos XG Series firewall or a Meraki MX series. Both seemed to have an easy way to do content filtering that would cover our use case with Barracuda. The ERL is not off the table, of course.

                                    Has anyone here had experience with the Meraki MX devices? I heard a rave review of them at a SpiceCorps the other day. The models we would need are not terribly expensive. I like the fact that there's no separate AD agent for Meraki AD integration (content filtering based on AD user and groups) and no separate VPN client software to install (can just use Windows).

                                      scottalanmiller @NetworkNerd

                                      @NetworkNerd said:

                                      Has anyone here had experience with the Meraki MX devices?

                                      Yeah... we've managed some. They are insanely expensive and, like most Ciscos that we've dealt with, lack a lot in terms of performance. Good usability but literally would never consider one. The cost is, quite literally, insane. They were reasonable once upon a time, but they aren't really reasonable devices to look at today. Seriously price one out, they are nuts. And if you stop paying, they turn off completely. Just bricks.

                                        Dashrender

                                        So if the OP wants to do web filtering and firewall services - what stuff should he buy?

                                          scottalanmiller @Dashrender

                                          @Dashrender said:

                                          So if the OP wants to do web filtering and firewall services - what stuff should he buy?

                                          Same thing that I keep saying... ERL and Squid.

                                            Dashrender @scottalanmiller

                                            @scottalanmiller said:

                                            @Dashrender said:

                                            So if the OP wants to do web filtering and firewall services - what stuff should he buy?

                                            Same thing that I keep saying... ERL and Squid.

                                            I just wanted you to post it again 🙂
