Office networking brand mess / recommendations?

So, I look after the networking (and everything else) for 7 offices, most are small, with a larger central office, and one office wanting as high VPN bandwidth as possible back to central for NAS access. Each office has access to at least a 900/450Mbps WAN connection.

Currently using Meraki kit (MX64’s mostly), and an MX100 for the central office. Meraki’s SD-WAN secret sauce seems to have worked pretty well so far, single pane of glass etc is nice.

One office (the one wanting high throughput back to central) is using all Unifi gear (with a UDM-Pro), and it’s working alright so far. This was recently migrated from an MX64 to trial Unifi equipment.

I’m keen to move to a licence-less setup, or something that can handle future growth, without costing the earth e.g. 4Gb internet (without costing NZ$ 15k+ per router).

I’m partial to the Unifi line, which might be the closest thing to Meraki’s admin interface, though there are some horror stories, and they don’t seem to be able to handle some medium/advanced things like multiple WAN IPs etc, which is a shame.

Can anyone recommend anything for an overall network brand/model setup + one lone office wanting high speed access back to central?

Dark fibre is an option, but it’s prohibitively expensive in New Zealand. Otherwise a beefy site-to-site VPN setup perhaps?

Goals are:

  • mid level cost, ideally no ongoing licensing.
  • single pane of glass admin interface (or as close as possible)
  • reliable hardware/software.

Netgate (pfSense) routing & VPN + Unifi switching & WiFi perhaps?

Unifi at all the branch offices. Look into their wireless backhaul options too, instead of dark fiber. Cheap and effective, fairly easy to install.

Hi, you can deploy pfSense in failover pairs (or you can do the same with e.g. Alpine Linux, if you want to ditch the web UI and are OK with investing a bit more to get slightly more out of whatever hardware you choose).

Either way you’ll be spending time troubleshooting IPsec - PITA (but link-saturating VPN is possible).

Hardware-wise - there’s nothing special about Netgate, you might as well run pfSense or whatever in VMs on your regular high speed fancy ECC servers you may have on site. Otherwise, just buy regular server gear to run reliably.


Yeah, that’s what I’d end up doing. You don’t have the single pane of glass for your WAN edge, but it’s the best option really.

A full Unifi setup would probably work, but all sites would need to have public addresses or else the “Auto VPN” feature won’t work. You also can’t enable OSPF on manual IPsec tunnels for some silly reason.

If you bought Cisco gear on the gray market, you could do a DMVPN deployment with, like, ISR 900s at most sites, then with an ASR1001-X at the hub and where you need the 1Gbps throughput. Probably overkill and over your budget, but DMVPN is fantastic at WAN edge transport.
