linux
Andrewww, 2013-05-17 19:22:29

Organization of a secure gateway in the office, selection of equipment

There is a small but very proud company. It has several remote branches in Russia and Ukraine. The goal is to create a secure gateway with Internet access, which over time will gain a VPN server for data exchange between branches. The network at the head office currently has ~15 PCs and can grow to ~50. The branches will have a maximum of ~20 workstations, now ~10.
So far, in the head office (and in the rest too), Internet access is handled by a regular SOHO router, which, of course, is not a great solution. I want to make a proper gateway + proxy + OpenVPN server. So the question is: how do I calculate the load in order to choose the hardware?
In terms of solution options, either install a piece of hardware from Mikrotik (I'm considering the RB711GA-5HnD), or use a Linux machine running squid + iptables / ipfw + openvpn (again, from a security point of view, is it worth doing all this on one physical machine?). I have experience with Linux and Mikrotik; I also have experience with proxies and iptables, but less. So far I like the Mikrotik option because of its compactness and power consumption, and because I find it more convenient to manage.
Tell me, what do you see as the pros and cons of these solutions, or maybe you have your own vision of how to solve the problem? And also, what hardware should I choose?

6 answer(s)
BAV_Lug, 2013-05-17
@BAV_Lug

I had just started reading your question and Mikrotik immediately came to mind. So it is definitely the one. But will all of your clients be on Wi-Fi? The model you have chosen has only one LAN port. I would look at another model, for example the RB751U-2HnD.

nochkin, 2013-05-17
@nochkin

This Mikrotik RB711GA-5HnD is rather weak for VPN, and a VPN will run very sluggishly on it. For VPN, either specialized hardware or something more powerful is better.
You can, of course, keep this Mikrotik and run the VPN on a separate server, but I'm not sure that the Mikrotik will handle that many PCs under full load.
If something very small, close to the size of the MikroTik, is critical, then you can try something on Intel Atom or even VIA C7 (the C7 has PadLock, which will help with OpenVPN).
If there is a little freedom in size, then I would build something on an i5 on Mini-ITX.
If, after all, the VPN is not critical, and the clients do not download heavy torrents or the like, then those Mikrotiks will do.

rinx, 2013-05-17
@rinx

Take a normal server and install a gateway based on pfSense. You can build amazing things on it. All the necessary functionality is there. You can configure an IPsec VPN, install Squid as a package, and set up channel balancing or failover to a backup channel. There is a lot of information on the net. But the solution is amazing!

2zaits, 2013-05-18
@2zaits

My experience is with pfSense.
Right now the setup runs on a PIII :)
It is an office of about 100 users.
IPsec VPN tunnels to the branches; OpenVPN for remote employees.
For Wi-Fi, a captive portal.
Moreover, pfSense can do LDAP or RADIUS if you suddenly need it.
Before this setup, we lived on MS ISA Server.

Diam0n, 2013-05-19
@Diam0n

Installed FreeBSD + ipfw + OpenVPN in the office (20+ machines).

sim-dev, 2016-02-17
@sim-dev

Of course, I'm not sure, but maybe my device will suit you: APKSh "Continent", what is it and what are the prospects for using it for peaceful purposes?
