Router/firewall recommendations for small branch office
-
@travisdh1 so I figured out he is working for an out-of-town MSP. I don't see which product line they support, but I assume it's Sophos. Like I said before, if I'm going to deal with a local MSP, I already have one in place aligned with the goals not only I but my director would have in mind, since they actually come talk to you and plan before telling you they want to rip out everything for a project that doesn't make any sense.
For those unaware, I work at a small non-profit. Our SaaS app and, basically, our finance app (QuickBooks) pretty much run the entire workload. Zero need for a VPN outside of goals that would align with IT directly. If we're going to do a VPN, what sense would it make to do that without using our current new equipment before plunking down on another set of hardware? We are one cough away from another outbreak of COVID. We would be spending money on a project no one in house would need, since all our work has already been successfully deployed remotely for students and staff.
-
@krisleslie said in Router/firewall recommendations for small branch office:
@scottalanmiller there is supposed to be a new USG being made, since I think they are switching the CPU/chipset over for the entire product line. But honestly, until reviews are back and tested, I'm holding funds. Just turning on the traffic analysis makes me cringe, since it's not able to handle it without losing too much speed.
Any idea when that is supposed to release?
We just use the Pro4 these days to address that. But a new chipset would be great.
-
@beta said in Router/firewall recommendations for small branch office:
We have PA subscriptions for antivirus/IPS/URL filtering etc. and since we plan to have a VPN between the 2 sites, I'm not sure if it would make sense to get those subscriptions again if we bought a 220 instead of just routing all the traffic to HQ.
You'll put a lot more traffic over the HQ WAN by routing branch office traffic destined for the internet that way.
Ideally you'd just want traffic over the VPN that is destined for some resource on the HQ LAN. It will give you superior bandwidth utilization. We have a customer who runs PA-820s, and they removed all their L3 routing in switches and routers and now route all their VLANs through the PA. You'll have more control over security that way. Doing the same at your branch office makes sense.
Since you have Palo Alto at HQ I would get the same brand for the branch office. Not because you absolutely have to, but because it's easier to manage and easier if you have a problem and need Palo Alto support to figure out the problem.
When it comes to URL filtering at the branch office there are other options, for instance Cloudflare Gateway.
Regarding VoIP, I think it's better to just run the phones directly to the HQ PBX. 10 people is not enough to bother with a local PBX.
So in summary:
- A PA-220 at the branch office with whatever VLANs you need set up in it.
- Internet traffic goes to the internet.
- Traffic to HQ goes over the VPN link.
- IP phones connect directly to HQ over the VPN link.
-
I forgot to ask, who do you guys like for Wireless Access Points? We'll probably need to add a few of those too. Currently our main facility is covered with Cisco APs and a 5508 controller. I don't think we're going to need that many APs for this location obviously.
-
@beta said in Router/firewall recommendations for small branch office:
I forgot to ask, who do you guys like for Wireless Access Points? We'll probably need to add a few of those too. Currently our main facility is covered with Cisco APs and a 5508 controller. I don't think we're going to need that many APs for this location obviously.
We had a Cisco 20K solution here originally. I dumped that and replaced it with a Ubiquiti Unifi AP solution.
The controller is free software that runs on my VM host, but could just as easily run in a VPS like Vultr for $5/m. APs were $90 or so each, 15 of them, $1350 plus my time to install them (the previous 20K included their installation). I'm pretty sure Unifi APs weren't around when the Ciscos went in in 2007, but damn did we save a bundle this upgrade time around.
-
@beta said in Router/firewall recommendations for small branch office:
I forgot to ask, who do you guys like for Wireless Access Points? We'll probably need to add a few of those too. Currently our main facility is covered with Cisco APs and a 5508 controller. I don't think we're going to need that many APs for this location obviously.
Ubiquiti Unifi. Blows the Ciscos out of the water at a fraction of the cost. They are so much better, and so much cheaper, that we generally replace existing Cisco units with them, because the cost of configuring Ciscos alone is enough higher that it covers the cost of the upgrade on its own.
-
@scottalanmiller said in Router/firewall recommendations for small branch office:
@beta said in Router/firewall recommendations for small branch office:
I forgot to ask, who do you guys like for Wireless Access Points? We'll probably need to add a few of those too. Currently our main facility is covered with Cisco APs and a 5508 controller. I don't think we're going to need that many APs for this location obviously.
Ubiquiti Unifi. Blows the Ciscos out of the water at a fraction of the cost. They are so much better, and so much cheaper, that we generally replace existing Cisco units with them, because the cost of configuring Ciscos alone is enough higher that it covers the cost of the upgrade on its own.
What do you think of Palo Alto?
-
@IRJ said in Router/firewall recommendations for small branch office:
@scottalanmiller said in Router/firewall recommendations for small branch office:
@beta said in Router/firewall recommendations for small branch office:
I forgot to ask, who do you guys like for Wireless Access Points? We'll probably need to add a few of those too. Currently our main facility is covered with Cisco APs and a 5508 controller. I don't think we're going to need that many APs for this location obviously.
Ubiquiti Unifi. Blows the Ciscos out of the water at a fraction of the cost. They are so much better, and so much cheaper, that we generally replace existing Cisco units with them, because the cost of configuring Ciscos alone is enough higher that it covers the cost of the upgrade on its own.
What do you think of Palo Alto?
For ACCESS POINTS? Zero experience. They are generally good products, and generally very expensive. But I never deal with them in a WiFi context, so they might be amazing or terrible. I didn't even know that they made WiFi gear, so that's my level of knowledge on it.
-
@scottalanmiller said in Router/firewall recommendations for small branch office:
@IRJ said in Router/firewall recommendations for small branch office:
@scottalanmiller said in Router/firewall recommendations for small branch office:
@beta said in Router/firewall recommendations for small branch office:
I forgot to ask, who do you guys like for Wireless Access Points? We'll probably need to add a few of those too. Currently our main facility is covered with Cisco APs and a 5508 controller. I don't think we're going to need that many APs for this location obviously.
Ubiquiti Unifi. Blows the Ciscos out of the water at a fraction of the cost. They are so much better, and so much cheaper, that we generally replace existing Cisco units with them, because the cost of configuring Ciscos alone is enough higher that it covers the cost of the upgrade on its own.
What do you think of Palo Alto?
For ACCESS POINTS? Zero experience. They are generally good products, and generally very expensive. But I never deal with them in a WiFi context, so they might be amazing or terrible. I didn't even know that they made WiFi gear, so that's my level of knowledge on it.
I believe they use Aruba for their APs
-
@krisleslie said in Router/firewall recommendations for small branch office:
@scottalanmiller there is supposed to be a new USG being made, since I think they are switching the CPU/chipset over for the entire product line. But honestly, until reviews are back and tested, I'm holding funds. Just turning on the traffic analysis makes me cringe, since it's not able to handle it without losing too much speed.
Are you talking about the dream machine?
Edit: I just saw a reddit post about an update to the USG line so I'm guessing not.
-
@stacksofplates said in Router/firewall recommendations for small branch office:
Are you talking about the dream machine?
I sure hope not, that thing seems so dumb.
-
@stacksofplates said in Router/firewall recommendations for small branch office:
Edit: I just saw a reddit post about an update to the USG line so I'm guessing not.
I've been looking for some inside info on that, got a link?
-
I disagree with EdgeRouters. I think Mikrotik has better routing and switching performance.
Just my experience.
-
@bholler said in Router/firewall recommendations for small branch office:
I disagree with EdgeRouters. I think Mikrotik has better routing and switching performance.
Just my experience.
I like both, for sure. No issue with Mikrotik. But overall I'm generally preferring EdgeRouter for customers, I like the monitoring better and the hardware.
-
@Romo said in Router/firewall recommendations for small branch office:
@scottalanmiller https://community.ui.com/questions/Introducing-the-UniFi-Next-Gen-Gateway-Product-Line-Starting-with-UXG-Pro-/732dd4dd-10bf-463c-8622-382d77702872
Available in Early Access for $499, not bad. This is the replacement for the Pro; no announced USG replacement yet. But this is a good start.
Moving from EdgeOS to UnifiOS and from MIPS to ARM.
-
@scottalanmiller said in Router/firewall recommendations for small branch office:
Moving from EdgeOS to UnifiOS
Having it be customized EdgeOS made the original USG a total piece of trash.
-
@JaredBusch said in Router/firewall recommendations for small branch office:
If your network is down due to outside factors, you don't get in trouble for 911 calls not completing. That has never been a thing. POTS goes down all the time.
In theory POTS is more reliable for 911 address lookup. In reality if I'm calling 911 in an office it's likely going to be from my cell phone assuming service.
Nothing stops you from getting a SIM card modem backup for the PBX, or for IP using a SD-WAN solution that bridges in cellular networks to cover normal circuit outages.
-
@StorageNinja said in Router/firewall recommendations for small branch office:
In theory POTS is more reliable for 911 address lookup.
Completely not true. POTS is not any different, except the carrier does not let you specify the address for a phone number in a convenient portal. Instead, it is your billing address unless you go outside of the default.
But the carrier is simply updating the PSAP database, no different from what happens when you certify an address to a DID with your SIP provider.
-
@StorageNinja said in Router/firewall recommendations for small branch office:
Nothing stops you from getting a SIM card modem backup for the PBX, or for IP using a SD-WAN solution that bridges in cellular networks to cover normal circuit outages.
There are lots of mitigations that one can do. But they are not required by law.