Looking for good, SOHO router that doesn’t break the bank (<$200)

I have a friend who has a business grade connection from his ISP. He has a Hybrid-Fibre connection from his Cable provider. It is a 100 Mbps Symmetrical connection with no cap ~$175/month.

His current router (Cisco E1200) is failing constantly and that is not an option as he runs a gaming community. He hosts the game server hence the business connection.

He requires a DMZ for the game server and the ability to use a VPN for his personal server. The rest of his machines on the network run as normal.

I am looking for Routers that would fit the bill without breaking the bank (as I am buying it). It should be as simple to manage as possible as he has become accustomed to the one-click setups that are common in consumer routers these days.

Here is a basic diagram I made of his basic network layout. If this is possible, please recommend a router and how it would be done in the Unifi WebUI. He needs Wifi as well.

Currently I am trying to decide between Ubiquiti (love their APs) and Mikrotik.

What is the expected Packets per Second of performance I should expect to look for?
Ubiquiti says their ER-4 EdgeRouter does 3.4 Million pps.
The ER-X does not say anything about PPS.
The ERLite‑3 says 1Million PPS.

Mikrotik has their routers as well but I can not find any clear guides/documentation on setting up a DMZ let alone the port forwarding.
Ideally, assuming the Router does not have an AP built in, I would for a <$200 price get a router and WAP as my friend already has a Cisco 2960 Switch. The WAP would connect to the Cisco switch.

I’ve been pretty happy with my ASUS RTN66U. It’s been very capable even though I’ve relegated it to AP only duty these days. We use one here at work on a 50Mb symmetrical line without issue. We used to have 145 down, 7 up and it worked great then too.


This is its bigger brother. It has a pretty straight forward interface. It has options for custom firmwares if you’re into that kind of thing.



I use this guy at home and find it to be nice since it can be managed from anywhere. I can open up a port from work. Some might not like that idea, but I do.


It might be better to use something from ubiquiti since its mesh AP is pretty good. I’m not an expert though, I can only speak to what I have experience with.

Best bang for your buck is a T-mobile branded Asus RT-AC68u, which can be flashed over to stock Asus and then Merlin firmware.

Or if those flashing instructions seem scary, just blow the extra fifty bucks on a real RT-AC68u. It’s a great router and very well-supported.

https://asuswrt.lostrealm.ca/

I’d go Mikrotik + Ubiquiti, but that would probably break your $200 budget.

After speaking with my friend, I am willing to go a bit above assuming I can get the hardware on Newegg.

I have been eyeing the Edgerouter 4 (ER4) combined with a Unifi AC WAP. Mikrotik is nice but their interface is a bit OP. Plus if you ask about DMZ, they tell you DMZ is not in their vocab. And then leave you to your own devices.

Check the edge router specs, VPN, ups etc kill some of the transfer speed, I think they list the specs on this unlike some other routers listed.

will do the job for 200Mbps even with traffic shaping, and you get wifi as a bonus.

It’s just 2 firewall rules, first to do any nat of traffic to any port to a destination ip (dnat/dstnat), second to accept forward packets on any port, same as with iptables. In the web interface you can set these under IP > Firewall .

If you meant actual DMZ / separate VLAN firewalled off the rest of the network, you can do that too.

VPN should be quick on it too, as long as you stick to ipsec, fast openvpn needs a lot of cpu which you’re unlikely to get with a cheap device.
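The two rules described in the post above, written out as RouterOS commands next to a port-scoped variant that also keeps the DMZ segment from reaching the LAN. This is an added example, not part of the original post; the interface name, subnets, server address and UDP port are constructed placeholders.

```routeros
# Constructed values (assumptions, not from the thread):
#   ether1           = WAN interface
#   192.168.88.0/24  = LAN
#   192.168.99.0/24  = DMZ segment/VLAN
#   192.168.99.10    = game server
#   UDP 27015        = placeholder game port

# --- Weak: consumer-style "DMZ host" -------------------------------
# Every new inbound connection on the WAN, on any port, is sent to the
# server. This also redirects traffic addressed to the router itself.
/ip firewall nat add chain=dstnat in-interface=ether1 \
    action=dst-nat to-addresses=192.168.99.10 comment="DMZ host: all ports"
/ip firewall filter add chain=forward connection-nat-state=dstnat \
    action=accept comment="accept anything that was dst-nat'd"

# --- Scoped: forward only the service port, isolate the segment ----
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=udp \
    dst-port=27015 action=dst-nat to-addresses=192.168.99.10 \
    to-ports=27015 comment="game port only"

# Filter rules are evaluated top to bottom.
/ip firewall filter add chain=forward \
    connection-state=established,related action=accept \
    comment="replies to connections already allowed"
/ip firewall filter add chain=forward in-interface=ether1 \
    connection-nat-state=dstnat action=accept \
    comment="inbound traffic matching a dst-nat rule"
/ip firewall filter add chain=forward src-address=192.168.88.0/24 \
    dst-address=192.168.99.0/24 action=accept \
    comment="LAN may reach the DMZ server"
/ip firewall filter add chain=forward src-address=192.168.99.0/24 \
    dst-address=192.168.88.0/24 action=drop \
    comment="DMZ may not open connections into the LAN"
/ip firewall filter add chain=forward in-interface=ether1 \
    connection-nat-state=!dstnat action=drop \
    comment="drop WAN traffic that matched no forward"
```

With the scoped set, a compromised game server can still answer LAN-initiated sessions (the established,related rule) but cannot start new connections toward the LAN.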

FYI this page has all the PPS specs

ER-X has 1.4mil PPS

how does the ER-X compare to the Cisco RV340W in terms of PPS?

I believe that, while good routers, the Mikrotiks have a steeper learning curve than the EdgeMax routers, and definitely steeper than Unifi.

That’s the newest model. All other models (including the ER-Pro) have lower pps. Still over a million though, so probably good enough unless there’s some complex firewall config involved.

Edit: there’s a 10GbE EdgeMax router that the above does not apply to.

In that case, I would stay away from EdgeMax and get a Unifi USG and a UAP‑AC‑LITE (that should be right on your budget).

There is an option to use the VOIP port on the USG as a second LAN (or you can just use a VLAN for the DMZ which is what appears to be happening in your diagram).

I can confirm that the USG site-to-site VPN via OpenVPN works, as well as L2TP via ipsec. I can help out with those configs if needed.

Unifi has a much friendlier management UX compared to Mikrotik or EdgeMax, and the router/wireless management is integrated. Unifi definitely has some limitations by comparison, but your config doesn’t look complex enough for them to be an issue.

hmm. ok. He uses Safejumper for a VPN. It is a gaming community server setup. The server in the DMZ is the game server. The Server behind the VPN is the file backup server for admins. Apparently, his ISP told him that his business connection accounts for 92% of the traffic on the node for 30% of his city.


Is he connecting to the VPN on the individual machine, or does he want it to be handled in the router?

Safejumper mentions OpenVPN, which is definitely doable, but it also mentioned some Tor stuff that is beyond the scope of what you can do in Unifi.

If he’s just using the Safejumper app on that computer(s), then that should be no problem.

I’m thinking he wants to have it on the router but only run traffic from the one server through it. So a VPN that is limited to a VLAN. Most likely segment the network into VLANs while still allowing the personal computers on the network to communicate with both servers.

If it’s OpenVPN and it can authenticate with a key or password (not certificate), then Unifi can handle that. If it’s OpenVPN with a cert or it needs to tap into the Tor functionality listed on the SafeJumper site, then you can probably make it work on EdgeMax hardware by installing some Debian packages, but your best bet is probably pfsense.

That said, some questions about the server on the VPN.

What OS is it running? If it’s running Windows and he’s currently using the Safejumper application to do the VPN stuff and that’s working fine, then it will be a lot easier to just continue doing that instead of trying to configure it on the router.

Is he actually hosting services through the VPN? That gets more complicated, especially if Tor is involved…

Yeah, he hosts services over SFTP and several other protocols on VPN on that server. I’m not entirely sure what all protocols he runs over it currently. But he runs Windows server 2016. He has 2 2U Servers. I think one is a Dell and one is an HP DL380.

He has been using the safejumper software but he was lamenting earlier about how he wanted to run it through the router. His main thing he wants though is DMZ and port forwarding. He is fine with the Safejumper app. His community has people from all over the globe connecting to his network so he runs the VPN for security. The Game server sits in a DMZ for the same reason. I’ve tried to get him to run VLANs but his complaint was "it’s too complicated". For someone who supposedly completed Cisco Academy, it should be a walk in the park.


That is 100% possible in Unifi, no problem.

Well if that’s the case, then he should definitely be able to deal with EdgeMax stuff. I was thinking he’s an amateur, but sounds like he’s maybe just a little lazy.

If he has another switch, he could split the dmz off on a different port on the router. Otherwise, VLANs are really his only option…

Yeah, I can’t tell from the Safejumper site exactly what’s going on there, so I have no idea how it could be configured on a router. You would need to reach out to them to get some documentation. I really don’t have experience manually configuring things to use Tor, and I don’t know how that would be used in conjunction with OpenVPN. It sounds like a huge headache to me. If he wants to be hands off about it, then I’d steer him towards just using the Safejumper software as he has been.

The one thing to keep in mind is that EdgeMax router functionality can be expanded because it’s just Debian. You can install packages and do whatever you like. Unifi is the same, but it reads its config out of a json file every time it boots. Any changes you make will be overwritten. You can make some changes by manually editing the json file, but it’s kind of hacky and can get messed up by updates.

So Unifi will give you a better management UX and EdgeMax will give you more functionality. Up to you which is more appropriate…

Also, is pfsense off the table? I initially thought it wasn’t being considered because it would be too complicated for the client, but if he has a CCNA or whatever, it should be a viable option.

As long as you can recommend a piece of hardware that would fit the bill and not break the bank, it is on the table. Newegg is preferred.

The UAP-Lite is definitely the AP you want since you already like the Ubiquiti AP’s.

The USG is the Unifi option for the router. It is what I use for my home network.

The ER-X would be your EdgeMax option (considerable savings over the Unifi there).

Again, the only advantage of the Unifi router is the pretty management interface. You also need to run the Unifi Controller on something, but I assume you’re aware of that from using the Ubiquiti AP’s.


I can really only speak to the Ubiquiti side of things since I’ve spent next to no time on Cisco’s site.

I will, however, second @oO.o’s recommendations. Unifi is dead simple to set up (assuming you have a basic knowledge of networking concepts). Before last Fall, I’d never set up VLANs in Unifi prior to that and had it fully installed, set up and working within an hour with separate VLANs (and associated SSIDs) for: smart TVs/IoT, guests, and trusted devices (as well as appropriate port forwarding).

I installed 2 UAP-AC-Lites in my parents’ house last spring. Admittedly, one well-placed UAP-AC-Lite probably could have covered the entire house, but my mom has a thing for large, decorative mirrors (there’s at least one in almost every room) that create a number of dead spots. Then in the Fall, I replaced the existing router and put in a USG and their 60W Unifi switch. My dad just bought the devices as they each went on sale, and I installed them as he got them. If I remember correctly, it was about ~$60 for each of the APs and ~$90 for the switch and the router (so ~$300 total).

:metal: