Advice on commercial-grade ADSL wireless router?

itm

My company has about 50 employees, and is currently served by a consumer-grade Netgear DG834 ADSL modem/router. I'm looking for a more robust replacement, and specifically one which offers the following:
- Wireless with very good range (particularly where walls and windows need to be passed through - we're divided over 2 floors of the building)
- Port redirection (e.g. forwarding incoming traffic on port 8080 to port 80 on specific LAN-side server)
- WPA2 Enterprise
- ADSL support
- (Optional) 3G support

Can anyone make any recommendations? Ideally something under £500
 
I'd go down a different route for that budget and number of users.

An ADSL Modem eg Vigor 120 for around £50, then a business class firewall appliance like a SonicWall TZ 200W. Wireless built-in, USB 3G dongle supported etc etc.
 
I'd go down a different route for that budget and number of users.

An ADSL Modem eg Vigor 120 for around £50, then a business class firewall appliance like a SonicWall TZ 200W. Wireless built-in, USB 3G dongle supported etc etc.

The TZ200W looks good but a little pricey. Not all of the security features would be of relevance to us either, as we're planning to put a Smoothwall VM behind it. I'm looking for something robust, excellent wireless range and with the port redirection feature.
 
Fair enough.

Drayteks are good but I dislike parts of the UI. Perhaps look at dropping a stand-alone WAP in upstairs to provide better coverage.
 
If you're planning on using a Smoothwall VM (as your firewall), why not keep the current Netgear (turn the wireless off on the unit) and invest in a good quality Wireless N router and appropriate dongles/cards?
 
If you're planning on using a Smoothwall VM (as your firewall), why not keep the current Netgear (turn the wireless off on the unit) and invest in a good quality Wireless N router and appropriate dongles/cards?

The Netgear hasn't been very robust - a lot of glitches and dropped packets. It also doesn't support port redirection - that's why I want to replace it. I was looking to replace it with something more appropriate for corporate use.
Maybe I should be looking for 2 devices - a new ADSL modem/router and a separate WAP? Draytek keeps getting mentioned as a good modem/router supplier - any particular model? What about a recommendation for a Wireless N device (i.e. one with really good range?)
 
I was looking to replace it with something more appropriate for corporate use.

But you're going to put a Smoothwall behind it - right.

In any event Cisco, there are various boxes which will do the job in their range, choose the features you need. Or a Juniper SSG if they still make the ADSL mini PIMs, should be around your budget and a seriously good box which does security properly and has reliable ADSL.
 
Take a look at the Check Point Safe@Office range.

No, no, no, just no! They are very overpriced for what you get.

The whole "edge" box thing only really makes sense as part of a distributed Firewall-1 install with a management server.

If you need a small cheap('ish) firewall from a big manufacturer buy a Cisco ASA5505, or a Juniper SSG box (with the useful ADSL mini-PIM if you need connectivity in the same box).
Or even go for a low end Checkpoint UTM-1 box, but please don't buy a Safe@Office. And btw, yes I do support Checkpoint products (FW1 & edge devices, alongside Cisco Firewalls) for a living, and I love the "proper" Firewall1 products, by far the best FW product on the market today (IMHO, YMMV).

But back to the point, I would in all honesty split the WiFi away from the router and Firewall.

I would also try and seek out a /29 IP allocation as it makes it easier to run your router and FW on separate public IP addresses, and allows room for expansion of services such as incoming Citrix or RDP sessions, multiple web or mail servers. Makes it simpler to set up guest WiFi access (going out via a separate public IP, with its own set of FW rules, allow outbound http/https, DNS requests, but block outbound smtp, inbound P2P protocols etc.)

It becomes easier to upgrade parts of your network infrastructure if the components are separate (same as upgrading HiFi equipment). And ultimately makes for a better solution.

Cost however is as always likely to be a limiting factor. A decent SOHO router is going to cost anywhere between £50 (DrayTek, ZyXEL) to £300+ (Cisco 857/ 887). A similar price range for wireless N router/AP and dongles/cards.

In the short term, contact your ISP and ask for a /29 static IP allocation, tell them you intend to deploy a separate hardware firewall and intend to run mail/web/Citrix from your site (that should be enough to justify a /29). Get your router and FW set up with the new addresses. Then start looking for a replacement ADSL router and a separate WiFi router/AP (look for a N router/AP preferably one capable of 300Mbps) and the cards/dongles you are going to need. And finally start seriously assessing your needs to see if you need/can justify a dedicated hardware FW with appropriate manufacturer or third party support contract.
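The /29 layout and guest WiFi rule set suggested in the post above, sketched as an added example that is not part of the original post. The address block is a constructed documentation range, the role names are hypothetical, and the default-deny fallback is an assumption the post does not state.

```python
import ipaddress

# Constructed sample: 203.0.113.0/29 is an RFC 5737 documentation range,
# standing in for whatever block the ISP actually allocates.
ALLOCATION = "203.0.113.0/29"

# Hypothetical role names. The post only asks for separate public addresses
# for the router and the firewall, a separate one for guest WiFi, and room
# for services such as mail and web.
ROLES = ["adsl-router", "firewall-wan", "guest-wifi-nat", "mail", "web"]


def plan_block(cidr, roles=ROLES):
    """Assign one usable address per role; return (plan, spare addresses)."""
    net = ipaddress.ip_network(cidr)
    hosts = list(net.hosts())  # excludes network and broadcast: 6 in a /29
    if len(roles) > len(hosts):
        raise ValueError(f"{cidr} has {len(hosts)} usable addresses, "
                         f"{len(roles)} roles requested")
    plan = {role: str(ip) for role, ip in zip(roles, hosts)}
    spare = [str(ip) for ip in hosts[len(roles):]]
    return plan, spare


# Guest rule set from the post: allow outbound http/https and DNS, block
# outbound SMTP. First match wins.
GUEST_RULES = [
    ("out", "tcp", 25, "deny"),    # outbound SMTP blocked
    ("out", "tcp", 80, "allow"),   # http
    ("out", "tcp", 443, "allow"),  # https
    ("out", "udp", 53, "allow"),   # DNS
    ("out", "tcp", 53, "allow"),   # DNS over TCP
]


def guest_verdict(direction, proto, port):
    """Return 'allow' or 'deny' for a guest-network flow."""
    for rule_dir, rule_proto, rule_port, action in GUEST_RULES:
        if (rule_dir, rule_proto, rule_port) == (direction, proto, port):
            return action
    # Assumption: anything unlisted is dropped, which also covers the
    # inbound P2P traffic the post wants blocked.
    return "deny"


if __name__ == "__main__":
    plan, spare = plan_block(ALLOCATION)
    for role, ip in plan.items():
        print(f"{ip:<15} {role}")
    print("spare:", spare)
    print("guest tcp/25 out:", guest_verdict("out", "tcp", 25))
```
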
 
I would recommend the Cisco small business range, for a small network like that, on a fairly small budget.

You will get their proper IOS on (most of?) them, opening up a proper enterprise level of features, facilities and most importantly, security.
I don't know how familiar you are with Cisco, but generally speaking, they have a business model of supplying a suitable hardware device, possibly through add-in cards too, and then you'd purchase a specific version of their IOS to run on it, supplying the correct features required. Often, the IOS can be "upgraded" to "open up" extra subsets or features, as required.
Some models do not have expansion capabilities, so be careful about future needs.

I have used a couple of 877W routers for a number of years now, as my main ADSL gateways. They are robust and do the job required.

Having said that, I would strongly support the suggestion already made about splitting the wifi in a business environment.
Whilst mine has never been a problem for my specific needs, it makes for better security sense to have wifi split from the LAN. Especially if you're going to have any guest access.

A lot of the SOHO range used to support a web based GUI too. I don't know about a lot of the current models.
This, whilst nowhere near as versatile as command line, does make for a much easier setup and maintenance option. This may be a consideration if you're planning on maintaining the devices yourselves, without an intimate knowledge of their IOS?

You'd probably benefit hugely by being a lot more specific;)

50 users - concurrent? How many mobile/wifi, how many tethered workstations?
VPN access required?
What type of traffic?
How many servers?
What existing switches do you have?

TBH, if you're squeezing 50 users through a DG834DG, anything would be better ;)
If you want a similar "drop-in" replacement, easy to set up and manage, yet with powerful capabilities for its range/model I can certainly recommend the 877w models :)
Only downside is that they don't have expansion capabilities, but you have the option of having a hardware encryption VPN chip added inside, to take it away from software/cpu. Also, get the higher memory model, so fully featured versions of its IOS can run happily.

Hope this is of some help at least :)
 
If you're going for the 800 series, then an 887VA (or 887VA-M if you want Annex M ADSL2+) with discrete wireless APs would be good.
That should be closer to the £500 budget than what I originally suggested.

Edit: I don't know of any 3G solutions on the 887 series though.
 
I'd go the ethernet ADSL modem + dedicated firewall appliance route.
Thinking inside the box getting a modular Cisco and doing everything on that might make sense, but it assumes your infrastructure is going to remain that way.
Thinking outside the box with return on investment in mind, separating your 'CSU' type kit from your routing/NAT/security kit makes more sense as you can change the WAN technology used whenever you like (say VDSL becomes appealing for example) and you would be replacing a £50-70 modem rather than an expensive piece of networking hardware, thus keeping long term costs down by reducing the ongoing investment needed. Even a Cisco WIC card can cost a few hundred squids.
Presenting the WAN on Ethernet gives you better flexibility.
 
Thinking outside the box with return on investment in mind, separating your 'CSU' type kit from your routing/NAT/security kit makes more sense as you can change the WAN technology used whenever you like (say VDSL becomes appealing for example) and you would be replacing a £50-70 modem rather than an expensive piece of networking hardware, thus keeping long term costs down by reducing the ongoing investment needed. Even a Cisco WIC card can cost a few hundred squids.
The 887VA supports VDSL2 as well as Annex A (or M).
 
Thanks for the input. To give more background:

- We have 50 concurrent users, of whom probably no more than 5-10 would use mobile/wifi concurrently
- There would be no tethered workstations
- We use Windows RAS for our VPN so have no VPN requirements of the router
- Our business-critical traffic is:
  - Windows Terminal Services access to a hosted application
  - VPN Printing service (printing from the remote application to a local printer)
  - Remote MS Exchange mail server
- Other internet traffic is:
  - RDP access to remote servers/databases by development/support staff
  - Reporting access to remote database servers (about 250 report requests per day)
  - General internet access
- We have about 12 servers - 2 Windows domain controllers, 3 file servers, CTI and Call Recording application servers, 2 database servers, plus a range of development and test servers
- Our existing switches are:
  - 2 HP Procurves (one on each floor)
  - 1 Netgear gigabit switch
  - The Netgear WGR614 ADSL router.

While I have my reservations about the WGR614 as being suitable for business use, I'd be keen to know how/why an enterprise-class router would improve on it. Could anyone offer any insight into this?

To re-iterate - our main objective is to provide more robust (ADSL) internet access to our user base, as well as to provide secure wireless access to selected users.
 