Seeking advice on the best router to buy for a small business


Some background first: I work for a small firm, and in addition to my main job (operations manager) I have now become the de facto IT person because I'm the only one who understands computers and networking.

I'm pretty good with PC/laptop troubleshooting and have an OK understanding of the basics of networking, as I used to work as tech support in the computer labs during my university years and also completed the Cisco CCNA v1.0 course at that time.

So now to the problem: we had been having problems with the internet dropping out randomly for some weeks, and I managed to pinpoint the problem to the ISP-provided router. My manager got hold of a new DrayTek Vigor2865Lac (given to him by a friend); it worked OK for a couple of months and then decided to play games by randomly dropping all Ethernet connections while Wi-Fi connections were unaffected. It would act up for 1 day and be OK for 2 weeks, then rinse and repeat. A firmware update didn't correct the issue but gave me a brick/unbrick headache for 3 days. Now we are on a backup router (an older DrayTek 2860 borrowed from the same person). Not impressed by this brand.

So my plan is to do a proper upgrade of our network hardware; so much troubleshooting is eating time away from my main job.

Current Setup:

35 Ethernet connections going to two 24-port switches, both switches connected to a DrayTek Vigor router handling VLANs and WAN (Ethernet connection coming from the fiber ONT).

Our current needs:

  • Connections:
    • Production: 12 that need to access the internet and a local server.
    • Admin area: 7 that need to access the internet, the local server and cloud services.
    • Machinery: 10 CNC machines that only require access to the local server.
  • Need the ability to have at least 3 separate VLANs:
    • VLAN1 for CNC machines (security risk, as they are running old OSes like Win XP).
    • VLAN2 for the production team and its management.
    • VLAN3 for the rest of the admin personnel, who run a separate business line.
  • 5 network printers across our building: 1 in each VLAN plus 2 that need to be accessed from VLAN2 and VLAN3 (large printers for drawings).
  • 2 servers: VLAN1 and VLAN2 need to access them as they host the files for production.
  • I'm to be the admin and will have to read, learn and Google how to make everything work.

Future needs:

  • Ability to have remote VPN access to our local server or servers (access to: software license manager, custom web app running on our server) to accommodate work from home and access for some representatives we have in other countries.
  • Add a CCTV system with IP cameras.
  • Scalability as needs change.

After reading and going through some material on the internet I have come down to the two options below, with my impressions (and I could be very wrong):

1: Ubiquiti setup

  • UniFi UDM-SE Dream Machine SE
  • 2x Ubiquiti U6 Lite AP

Pros

  • Seems easy to manage and escalate.
  • Looks like it is easy to add cameras to implement the CCTV.

Cons

  • Some tech reviewers say their VPN implementation is really poor and not recommended.
  • Closed environment (Apple style)?

2: PFSense setup

  • Netgate 2100 or 4100 (pfSense+ based)
  • 2x Ubiquiti U6 Lite AP

Pros

  • From what I have read they are secure, and there is plenty of documentation and support on the web.

Cons

  • Steep learning curve.
  • Will need additional hardware to implement a CCTV solution.

Now I would love to hear from you:

  • What recommendations you have.
  • Personal experiences you have with setups like these.
  • Is going with Ubiquiti cameras / UniFi Protect for CCTV a good idea? Can you integrate 3rd-party cameras?

Get a pfSense box, it'll do just fine.


I would vote for Ubiquiti. It works well and is easy to manage.

Even if you go the pfSense-type route, I would avoid pfSense completely and use something like Untangle/Arista, or set up your own OPNsense computer. PF/Netgate is a really shady company, and I have seen a dozen other people, myself included, who randomly post their opinions of it and all have had problems updating pfSense and it completely bricking, requiring a full re-install from scratch. Add to that all their other issues and they are not a dependable solution. I personally used pfSense for 2 years before I finally got so mad with it that I switched to OPNsense, which I ran for a couple of years as well, and OPN was FAR more stable. I also used pfSense at my work for about 3 years, and it got to the point where I just stopped updating it after a year because I was too afraid to, so we ran with an insecure router for a couple of years due to that.

You could also look at Synology routers. They are pretty nice and would integrate well with a security camera and NVR system, as well as with their NAS systems for your company's data needs. Look up videos or reviews of their RT6600AX router to see the interface.

It is too bad Netgear doesn't have a router line for their new business/prosumer cloud-controller-based systems. They have pretty nice switches and APs, and a controller as well; it's just missing any router integration with that line of products. Obviously they make plenty of consumer routers, so you could just use one of those, but it would be nice to have one integrated into the new product line in the way Ubiquiti has their products.

This seems very biased; there are tons of posts out there where people are upset by how Ubiquiti handles releases, and using some homegrown solution isn't really an option unless you have time to handle any issues that pop up.

Synology and Netgear are not in the same league; if you want cloud and whatnot you're much better off with Zyxel's range, unless you want to go for enterprise gear.

No vendor of that brand in New Zealand; the closest is Australia, and it looks like they don't have availability.

No representative for Zyxel in New Zealand, and I couldn't find any prices for the ones in Australia.

pfSense on Netgate hardware with UniFi switches and Wi-Fi is the easy/lazy choice.

I like Tailscale, if you’re cheap or paranoid try headscale.

For CCTV, buy your own cameras (eventually), and hook them up through Frigate to just record onto whatever file storage you have.

Thanks, yeah the easy/lazy choice is really calling me heheheh.

Never heard of Tailscale or headscale before, will check them out.

Don't get the 2100 if you do pfSense, it's kinda slow: laggy UI, OpenVPN takes like 6 seconds to connect... it's meh at best.

It will route at ~500Mbps, but configuring it sucks ass.
And I just got 3 on (sucker) discount :facepalm:

I'll try the other ones tomorrow, maybe there is something wrong with this one...


Noted, will stay away from the 2100.

Can you not feasibly put the CNC machines and the local server on an airgapped network instead of using VLANs?

How about something like the MikroTik CCR2004-1G-12S+2XS? :thinking:
That's a box which is dedicated to all the routing needs you might have and is loaded with SFP+ ports, so you can just connect a couple of extra switches to it if you need to expand later on.

While you'll have some learning to do, as with the pfSense box, you can easily put your CNC machines and such in a different VLAN.
And set up a WireGuard VPN for that outside access you need.
Or just connect another couple of PoE switches for those cameras down the line.

And MikroTik has consultants and distributors in both New Zealand and Australia, as that seems to be something you want as well.

I like MikroTik for having a ready-made solution, as opposed to having to build your own pfSense box. But they do give you all the options to tweak to your heart's content.
Yes, it'll require some learning. But it seems that you'll have to do that regardless of which option you pick :sweat_smile:

My vote, given the use case and the need of the OP (need something to handle my use case, but my main job is another one...) to get going with as little fuss as possible,
goes to Ubiquiti APs and switches (I am not sure your problem is entirely on the router side; did you check for loops between switches? Do they have Spanning Tree support?) and either a pfSense/OPNsense box (steeper learning curve) or a Ubiquiti one (less configurability / more difficult to achieve a setup if it is not one the Ubiquiti UI is able to manage... e.g. dual WAN).

As for pfSense/OPNsense, the pfSense guys are trying to bank on 15 years spent providing the only real open source firewall option to about everyone and their cousins, and getting a whole lot of hate for that... and they are a small company trying to play in the big league of firewall appliances, so some roughness is expected (not accepted, expected).
I am digressing; it will be on the OP to evaluate ease of use vs feature set, and whether he wants to risk going with a custom OPNsense when supporting a production environment.

Same thing with the others: 2-3 s for the dashboard, ~2 seconds to get to firewall rules, and even enabling SafeXcel crypto did nothing for OpenVPN; it takes 6-8 seconds to connect vs instant on my DIY Ryzen 2200G box.

I did run into trouble upgrading the firmware to a new major version as well, but to be fair the support request for a recovery image was fulfilled within a few minutes. I'll see how it goes.

I’m curious, what’s shady about them?


I'm not sure, maybe it is an option. I will need to get more in-depth knowledge of how the production workflow works.
I know the operators create/review/update their machining code on their PCs and also access the internet for personal use. Then the code is either sent to the CNC machines (to a network shared folder) to start manufacturing, or saved to the server in client project folders. The same server has a licensing key service running for the coding software, and when the design engineer worked from home he needed access to the license server and the coding files.

So I will need a way for the operators' PCs to be able to dump the files into those shared folders (one for each CNC machine).

Thanks, I hadn't thought about MikroTik, I will take a look into their products and solutions.

I don't have knowledge of WireGuard VPN config or more complicated stuff, so whatever solution I go with, I will have to learn.


Hi @MadMatt, no I haven't checked for loops; actually I don't know what they mean, along with Spanning Tree (my networking knowledge is basic).
The network infrastructure here is a common nightmare scenario like you see in IT meme Facebook groups. They started running assembled cables left and right, and if they were not long enough they put a small switch in and ran the next cable from there; I have found these little switches and even really old "hubs" all around.

How can I check for loops? I have the logs from the Router.

How did you determine that the router was the issue?
When you had dropouts, were you able to ping the router but the WAN side was down?
Or did you lose connectivity to the LAN side of the router (and DHCP and DNS)?

If you have daisy chains of unmanaged switches you are not going to be able to troubleshoot loops (when you have more than one cable connecting your set of switches)...
Spanning tree is a feature of managed switches that allows them to detect when a loop is formed between switches and prevent the whole network from going belly up by disabling the ports that are causing the loop.
That is a nice feature to have, until the switch drops the port that connects your network to your router...

The symptom was that all Ethernet connections were dropped; you couldn't ping the router via a wired connection, but Wi-Fi connections were working fine.
Thinking it was a device causing havoc, I started Wireshark, disconnected all cables from both switches and started adding them back one by one, trying to see if any one device would kill the network. This didn't give me any result, and by the end of the troubleshooting the issue seemed fixed. All worked for a month and then the issue repeated itself; with Wireshark I was able to see that devices would keep doing requests: "Who has 192.168.x.x (router gateway)? Tell x.x.x.x".
And you couldn't ping the router, but via Wi-Fi all worked fine: ping, accessing the web UI. I changed to a borrowed router and so far so good.
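An added example (not from any poster in this thread) that turns the Wireshark observation above into a repeatable check: it parses ARP lines in the format of Wireshark's Info column, counts the requests for the gateway per host, and flags a gateway that hosts keep asking for but which never answers. The gateway address 192.168.1.1 and the log lines are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample, not a real capture: ARP lines as Wireshark's Info
# column shows them, prefixed with a capture timestamp. Gateway assumed
# to be 192.168.1.1; hosts .23 and .40 are asking for it, nobody answers.
GATEWAY = "192.168.1.1"
SAMPLE_ARP_LOG = """\
1.001 Who has 192.168.1.1? Tell 192.168.1.23
1.002 Who has 192.168.1.1? Tell 192.168.1.23
2.005 Who has 192.168.1.1? Tell 192.168.1.40
2.010 Who has 192.168.1.1? Tell 192.168.1.23
3.000 Who has 192.168.1.55? Tell 192.168.1.40
3.001 192.168.1.55 is at aa:bb:cc:dd:ee:55
4.000 Who has 192.168.1.1? Tell 192.168.1.40
4.100 Who has 192.168.1.1? Tell 192.168.1.23
"""

REQ = re.compile(r"^(?P<t>[\d.]+)\s+Who has (?P<target>[\d.]+)\?\s+Tell (?P<src>[\d.]+)$")
REPLY = re.compile(r"^(?P<t>[\d.]+)\s+(?P<ip>[\d.]+) is at (?P<mac>[0-9a-fA-F:]+)$")


def analyze_arp(lines, gateway):
    """Count ARP requests for the gateway per source host and record
    which addresses ever sent an ARP reply."""
    requests = Counter()
    answered = set()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = REQ.match(line)
        if m:
            if m["target"] == gateway:
                requests[m["src"]] += 1
            continue
        m = REPLY.match(line)
        if m:
            answered.add(m["ip"])
    return {"requests_for_gateway": dict(requests),
            "gateway_replied": gateway in answered}


def diagnose(lines, gateway, threshold=3):
    """Repeated 'Who has <gateway>?' with no 'is at' reply means wired hosts
    cannot resolve the router's MAC: the router (or the path to it) is down."""
    result = analyze_arp(lines, gateway)
    total = sum(result["requests_for_gateway"].values())
    if total >= threshold and not result["gateway_replied"]:
        return "gateway-unreachable"
    return "ok"
```

Feed it real lines by exporting the ARP filter view from Wireshark (or `tshark -Y arp` output) and comparing a wired capture against one taken on Wi-Fi, where the gateway should answer.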