Firewall recommendations (possibly) for RDP

I have a need to set up a site-to-site VPN, mainly for RDP sessions.
I am after an off-the-shelf solution, so OPNsense, pfSense etc. are out.
I have just had a quick look and was quite surprised at the price of a basic firewall being ~£300.

Do I even need dedicated firewalls for this?
I have in the past set up a site-to-site VPN using a Draytek router at one end and an Asus router at the other, but it wasn't for any serious use and I didn't ever really consider performance etc.

At present there are 2 users at the 2nd site with a need to either RDP into the main site or just connect their machines directly to the onsite server (network performance will dictate which).
Network speed at the 2nd site is not great; I need to run a speed test, but I think it's 20/1 Mbps.

Main site is still being set up so we don't know the speed yet, but I'm hoping for at least 50/10.
 
Is this for work use? Do you need any support agreements in place with the vendor at all?

TBH for 2 users, just have them set up WireGuard to a server hosted behind the main site's existing router behind NAT. You can run it on a Pi if you want.
 
Yes, it's for work use.
Will WireGuard run on Windows Server?
They have a Windows server but it's installed directly on bare metal.

What kind of support would I need from the vendor of the firewalls? I'm wanting this to be a set-and-forget setup.
Although I am going to have to manage some expectations due to the Internet speed. That being said, whenever I have remoted in with TeamViewer during the day it was a stable connection.
 
You can't really have set and forget with things that run software; who is responsible for keeping the firewalls up-to-date?
 
Do you know Linux/Ubuntu at all?

You could just install an OpenVPN server and then forward the VPN port; then, instead of a site-to-site VPN, just get them to connect to the remote site VPN.

I've had mine running over 2 years now and it's never been down.
 
Not well enough to start learning it now, hence the reason for stating this needs to be an off-the-shelf solution.

What is the difference between a dedicated firewall and a router with VPN/firewall capabilities built in?
I am familiar with Draytek routers, so I am leaning towards those at the minute.
Obviously I realise that the dedicated firewall will have better firewall capabilities and the router is able to perform routing, but having looked at a dedicated firewall recently for the first time it seems the firewall doesn't really do anything that a decent router can do.
 
They both will do the job of a firewall to stop outside getting in, but the difference is:
Some dedicated firewalls have a lot more feature sets and more things you can do.

I do site-to-site VPN configs using Drayteks if the customer wants that solution and we haven't had any issues whatsoever with site-to-site. If you use Draytek you could use their built-in VPN and then on Site 2 just install the client on the devices that need to connect to the other site to RDP etc.

What's the bandwidth up/down on both sites?

You might be overthinking requirements here. If it's 2 users, a Draytek router at "Primary-Site" will be perfectly fine.
 
Main site is soon to become secondary site - speed is 10/1.
2nd site soon to become main - I am hoping will get 50/10 based on where it is and knowing roughly what that area normally achieves.
Requirement is purely for 2 desktop machines. Does the Draytek VPN client need manually connecting every time the computer is booted?
If so, a Draytek router at both sites would be preferable to keep the connection alive without user intervention.
 