KillerBob71

Prominent
Feb 13, 2022
4
0
510
So, I am looking for advice on a new network setup I am contemplating:

I have relatively fast internet (1000/100) and right now I use my ISP modem as the router. I have connected a Linksys Velop WiFi mesh system to it (in bridge mode), as well as a few LAN switches, to connect my QNAP NAS, my ReadyNAS, two Mac Pros, printers, two Time Capsules, a HUE Bridge, and the home security system. It's a very flat network; everything is on the same subnet.

For security I am using the built-in firewall in the ISP modem, and I have it locked down, with no WAN-to-LAN, and only a few LAN-to-WAN openings.

I would like to clean this up; put the ISP Modem into Bridge, get a Router with built-in VPN and Firewall, perhaps eliminating a switch in my current setup. The biggest reason is that I would like to VPN into my NAS, as well as have some more control over the DHCP settings (my ISP is Shaw and the Blue Curve is pretty restrictive).

The options I am looking at are:
  • MikroTik RB3011UIAS-RM
  • Ubiquiti ER-6P EdgeRouter 6P
But I am very open to suggestions... My requirements are:
  • 6+ Gigabit ports
  • Built-in VPN (for accessing my NAS from outside - I do not want to run the crap QVPN service on my NAS)
  • High VPN throughput
  • High firewall throughput
Can someone give me some suggestions on how to achieve this, and perhaps suggest a router or two I could use?

Thanks!
Both those vendors are a good choice, but they can be complex to configure. Be sure to read the fine print for the VPN performance. Unlike a consumer router, these actually tell you the encryption rates. Consumer routers are lucky to get 30 Mbps of VPN.

Incoming VPN is a little more flexible. If you are doing outbound VPN, be sure the VPN and the router both support a common encryption. I am not sure if those use OpenVPN, which is very common for VPN providers.

You will need to keep your Velop and use them as APs for your WiFi needs.
 

KillerBob71

Prominent
Feb 13, 2022
4
0
510
Thanks!

I am only going to be using VPN for my incoming traffic, i.e. when I am out'n'about I want to VPN into my router to access my NAS. In that instance though, I want it to be as fast as the 100Mbps I have in ISP upload speed... I am a photographer and most of my RAW files are 50-75MB.

In that I "only" want to set up DHCP with a bunch of reservations, a firewall so it is as safe as possible, and VPN for external access, both routers should be fairly easy to set up.
 
Fairly easy is a relative thing. Both those devices are massively more complex than a consumer router. They are not actually hard; you just have to read the instructions, which many people don't want to do.

If it is for remote access then you can use whatever you like. If you can use IPsec rather than OpenVPN it is much faster. OpenVPN runs a form of HTTPS, but because it runs over TCP in most cases it has far fewer issues getting past a NAT. In your case the router running the VPN will have the public IP directly, so it should be easy to make IPsec work... well, you still have the client side to set up, but it is simpler than the server.

I would not do it with DHCP; I would whitelist the MAC addresses. That would prevent someone from manually setting an IP address. When a device that is not whitelisted asks for an IP, the request will be dropped before it even gets to the DHCP function.

In general you have a huge issue if you can not trust that unknown devices get hooked up on your LAN. The way this is done commercially is to use 802.1X on Ethernet as well as using enterprise mode on WiFi. Both then use a RADIUS server login to get access to the network.
Solution
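As an added illustration (not from the thread or either router vendor), here is a small Python model of the MAC allow-list behaviour the solution post describes: a frame from an unlisted source MAC is dropped at layer 2 before any DHCP or IP processing happens, which is why manually setting a static IP does not get an unlisted device onto the LAN either. The MAC addresses and the DHCP DISCOVER frames are constructed for the demo.

```python
import struct
from typing import Optional

# Constructed allow-list of known devices (assumption for the demo).
ALLOWED_MACS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(frame: bytes) -> dict:
    """Extract the Ethernet source MAC and, if the frame is an IPv4/UDP
    packet to the DHCP server port (67), the BOOTP client MAC (chaddr)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    src = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"src_mac": mac_str(src), "dhcp": False, "chaddr": None}
    if ethertype != 0x0800:                 # not IPv4
        return info
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length
    if frame[14 + 9] != 17:                 # protocol field: 17 = UDP
        return info
    udp = 14 + ihl
    if struct.unpack("!H", frame[udp + 2:udp + 4])[0] != 67:
        return info
    bootp = udp + 8                         # BOOTP header follows the UDP header
    hlen = frame[bootp + 2]                 # hardware address length (6 for Ethernet)
    info["dhcp"] = True
    info["chaddr"] = mac_str(frame[bootp + 28:bootp + 28 + hlen])  # chaddr at offset 28
    return info

def filter_frame(frame: bytes, allowed=ALLOWED_MACS):
    """Layer-2 allow-list: returns ('drop'|'accept', parsed info)."""
    info = parse_frame(frame)
    if info["src_mac"] not in allowed:
        return "drop", info                 # never reaches DHCP or IP forwarding
    if info["dhcp"] and info["chaddr"] != info["src_mac"]:
        return "drop", info                 # chaddr disagrees with the frame source
    return "accept", info

def build_dhcp_discover(src_mac: bytes, chaddr: Optional[bytes] = None) -> bytes:
    """Constructed minimal Ethernet/IPv4/UDP/BOOTP DISCOVER (no checksums)."""
    chaddr = chaddr or src_mac
    bootp = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0x12345678, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    bootp += chaddr.ljust(16, b"\0") + b"\0" * 192        # chaddr, sname, file
    bootp += b"\x63\x82\x53\x63" + b"\x35\x01\x01\xff"    # magic cookie, DHCPDISCOVER, end
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\0" * 4, b"\xff" * 4) + udp
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip
```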

KillerBob71

Prominent
Feb 13, 2022
4
0
510
I have not had a Mikrotik at home myself, but I have several friends who are network technicians working with Mikrotik gear, and having watched the Mikrotik videos I feel OK about setting one up.