Advice on firewall hardware

Dear Community,
as some of you may already know, I try to take care of the IT infrastructure of my brother's small landscaping company. I was tasked to set up a "good" network, so I went full-on Unifi. (There is a TL;DR at the end.)

The setup was:
Site A (main office):
LTE Modem (150/20 Mbit/s - static IP) -> USG -> Unifi 24 Switch

Site B (remote site):
LTE Modem (40/10 Mbit/s - static IP) -> USG -> Unifi 8 Switch

I configured IPsec VPN access for my brother and me. I also made a tunnel between the sites. On the remote site we have only one workstation and one printer.

I was not very happy with the connection time, and neither was my brother. Additionally, I didn't like the installation routine for IPsec in Windows 10. Therefore I switched the VPN access to the Synology OpenVPN.

Additionally, I had some problems on the remote site. I had to change the LTE modem to a Mikrotik LTE6 modem to get the full bandwidth. Managing the USG and switch without the controller (main site) was not the best experience. (I still have an issue, but that will be another thread.)

After all these changes I thought I would be finished. My brother still complained about problems opening a small Excel file from home. Then I saw a video on "how to test VPN encryption types with iperf". I did the same and found out that when I connect to the Synology VPN the speed drops down to 0,2 Mbit/s.

That was the point where I took my testing workstation, set up pfSense and installed it at the main site. OpenVPN now runs as expected.

But I would like to have my test workstation back. Therefore I would like to buy hardware for pfSense (even though I just saw the Untangle video 🙂).

TL;DR: I am thinking of buying the following hardware for the different sites:

  • Main site - LTE 150/20 Mbit/s - Services: Road Warrior VPN, Site-to-Site tunnel -> SG-2100
  • Remote site - LTE 40/10 Mbit/s - Services: Site-to-site tunnel -> SG-1100
  • For my home: SG-2100 (because of 4 LAN ports)

Do you think they are sized correctly? I am in Europe, so I have shipping costs. Are there resellers in Europe?
Or should I go for other hardware?

Thank you.
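The "test with iperf" step the post describes (measure throughput over the plain link, then again inside the tunnel, and compare) can be scripted so the result is not read by eye. The following is an added example, not code from the post or from Netgate or Synology: it parses the JSON that `iperf3 -J` emits, reports the receiver-side throughput in Mbit/s, and classifies the result against the WAN link speed and the appliance's published VPN rating. The two iperf3 reports embedded below are constructed samples trimmed to the fields used here; the link and rating values are the ones quoted in the thread.

```python
import json

# Constructed samples of `iperf3 -J` output (trimmed to the fields read below).
# A TCP run reports end.sum_received / end.sum_sent; a UDP run reports end.sum
# with a lost_percent field. Both shapes are handled by throughput_mbps().
BASELINE_JSON = """{"end": {"sum_sent": {"bits_per_second": 19500000.0},
                            "sum_received": {"bits_per_second": 19300000.0}}}"""
VPN_JSON = """{"end": {"sum_sent": {"bits_per_second": 210000.0},
                       "sum_received": {"bits_per_second": 200000.0}}}"""
UDP_JSON = """{"end": {"sum": {"bits_per_second": 18900000.0, "lost_percent": 0.4}}}"""


def throughput_mbps(report_json):
    """Receiver-side throughput in Mbit/s from an iperf3 -J report (TCP or UDP)."""
    end = json.loads(report_json)["end"]
    block = end["sum_received"] if "sum_received" in end else end["sum"]
    return block["bits_per_second"] / 1_000_000


def udp_loss_percent(report_json):
    """Packet loss reported by a UDP run; None for a TCP run (no such field)."""
    end = json.loads(report_json)["end"]
    return end["sum"].get("lost_percent") if "sum" in end else None


def vpn_overhead(baseline_mbps, vpn_mbps):
    """Fraction of the plain-link throughput lost once traffic goes through the tunnel."""
    return 1.0 - vpn_mbps / baseline_mbps


def classify(baseline_mbps, vpn_mbps, link_mbps, rated_vpn_mbps):
    """Say where the bottleneck most likely is.

    The tunnel can never exceed the slower of the WAN link and the appliance's
    rated VPN throughput; if the measured tunnel speed is far below both, the
    VPN endpoint (not the line or the appliance rating) is the limiting factor.
    The 0.5 threshold is an assumption chosen for this example.
    """
    ceiling = min(link_mbps, rated_vpn_mbps)
    if vpn_mbps >= 0.5 * ceiling:
        return "tunnel close to link/appliance ceiling"
    if baseline_mbps >= 0.5 * link_mbps:
        return "vpn endpoint is the bottleneck"
    return "wan link underperforming even without vpn"


if __name__ == "__main__":
    base = throughput_mbps(BASELINE_JSON)
    vpn = throughput_mbps(VPN_JSON)
    # Main-site upload is 20 Mbit/s; SG-2100 IPsec figure quoted in the thread is 118 Mbit/s.
    print(f"plain link: {base:.2f} Mbit/s, inside tunnel: {vpn:.2f} Mbit/s, "
          f"overhead {vpn_overhead(base, vpn):.0%} -> {classify(base, vpn, 20, 118)}")
```

Run the real measurement with `iperf3 -s` on the far side and `iperf3 -c <server> -J > baseline.json` once over the public address and once through the tunnel, then feed the two files to `throughput_mbps()`. A tunnel speed that sits near the line speed means the firewall is sized correctly for that link; a result like the 0,2 Mbit/s in the post points at the VPN endpoint itself.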

Hi,

I think it looks good, but you might want to consider the SG-3100 to be ready for a speed upgrade to 1 Gbps some time in the future.

Regarding getting the hw in Europe you can look at the partner locator: https://www.netgate.com/partners/locator.html


If you look on the Netgate site they have the specs and expected speeds over VPN.

Of course speeds will vary depending on the encryption you use; there are so many settings on the server that you would have to test them. I can say that with OpenVPN on pfSense I get 90-95% of the line speed between sites and also from AirVPN.

Found a reseller in Europe, thanks.

So you suggest
SG-3100 for main, SG-2100 for me and SG-1100 for remote site, right?

I was looking at the speeds on the Netgate website; that is how I came up with my suggestions. I think the upload speed of the main line will be used more. So with an SG-2100 (iperf3 IPsec VPN: 118 Mbps, IMIX IPsec VPN: 68 Mbps) I should be fine, because it can handle 20 Mbps. But I am also happy to go with an SG-3100 (main site) if that is more appropriate.

Just reading this topic. I'm not sure if this is relevant; you probably went ahead with the purchase. But the main site's 150/20 may get a fiber upgrade at some point. As time goes by and the business grows, the upload speed of the main site (which determines the download speed at the other end) may become more relevant for downloading stuff.
Fiber typically has equal up/down speeds, so a 200/200 is not at all exotic, and you may opt for the SG-3100 to be ready for the future.

Best, Pete

Actually, I bought 3 Qotom Mini PC Q710G4 (Intel Celeron J3455) and I am very happy with them.