9 votes

Looking for tips/advice for a hardware firewall/VPN for a small to medium size nonprofit

Edit: Decided to go with the Ubiquiti Dream Machine Pro. Thank you for all the suggestions and advice!

Hey Tildenauts,

I'm planning to help a local nonprofit replace their aging hardware firewall pro bono. I have a fair amount of experience with networking and security, especially where web servers are concerned, but I haven't set up a hardware firewall recently enough to know off the top of my head which are the best options here.

The organization is fairly small but on its way to medium sized, around 30 employees at the moment but will likely expand to 50+ in coming years. So I'm looking for a solution that will comfortably scale up to 100 employees. There is remote work, accessing their local server via VPN, so something that comes bundled with a user friendly VPN client would be ideal. I haven't seen their physical setup yet but I know their server gets a lot of use. Not all employees use it remotely on a regular basis but many do.

From past experience I know that Cisco, Sophos and SonicWall are potential options. Cisco seems to be pushing their Meraki platform pretty hard but I don't think this organization needs a subscription based solution.

Anyone have recommendations for hardware firewalls I should consider? Any potential footguns I should know about?

Thanks in advance!

14 comments

  1. krellor

    I ran networking teams and projects for years, from small 5 person sites to campus plants with 50,000 users. I need to go to bed, so I'm just going to drop quick thoughts on things to look at and why:

    • Meraki: deployed Meraki to probably 30 remote sites. The nice thing is you can get all your needs met and managed on one platform from firewall to WAP, to portable home VPN, with VLAN tagging and WAN balancing and all that good stuff. And it's slick and solid and can grow with you. It does have a subscription, but you are basically paying for a network engineer in a box, and this will make it easy for you or others to help them, which is worth something. Also, try and haggle if you are buying through a channel partner. I got up to 56% off MSRP hardware and 72% off subscription for nonprofits. Larger, so volume was helping me.

    • Ubiquiti gateway products. Used these a lot at set-it-and-forget-it sites, but am not familiar with the latest hardware. They aren't quite as Fisher-Price easy as Meraki, but not hard, and solid and cheap enough to just keep spare parts on hand. Not a bad option.

    • Protectli hardware with your choice of software. I run a bunch of these now for extended family, with a mix of Arista firewall (formerly Untangle) but have been shifting to OPNsense. This would be the most work, and I'm not sure there is much upside for you over Ubiquiti gateways. I use these paired with Ubiquiti WAPs and a UniFi controller hosted in AWS, dynamic DNS with a Lambda function that updates security group rules to ensure the sites can access the wireless controller.

    Everything else I have experience with is not relevant, e.g. Palo Alto firewalls, Junipers, etc.

    Best of luck, happy to answer questions in the morning with coffee. ☕

    Edit: just confirming all of these have sizes that support the 100 user mark and can support WireGuard or OpenVPN. Have used both with all, and they work great and easy with proper config.

    12 votes
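    The dynamic-DNS-to-security-group mechanism krellor mentions (a Lambda that keeps a cloud-hosted UniFi controller reachable only from the sites' current addresses), as an added example that is neither krellor's code nor Ubiquiti's: it resolves each site's DDNS name, diffs the resulting /32s against the rules it tagged on an earlier run, and only then calls the EC2 API, so hand-added rules in the same group are never revoked. The controller ports, the tag name and the sample hostnames and addresses are assumptions.

```python
import socket

# Assumed, not from the thread: UniFi controller ports each site must reach (8080/tcp device
# inform, 3478/udp STUN), and a tag marking rules this job owns so hand-added rules are never touched.
CONTROLLER_PORTS = (("tcp", 8080), ("udp", 3478))
TAG = "site-ddns"
def resolve_sites(hostnames, resolver=socket.gethostbyname):
    """Map each site's dynamic-DNS name to a /32; a name that fails to resolve is
    skipped so one stale record cannot abort the whole run."""
    cidrs = {}
    for name in hostnames:
        try:
            cidrs[name] = resolver(name) + "/32"
        except (OSError, KeyError):  # gaierror from real DNS, KeyError from the sample table
            pass
    return cidrs

def plan_changes(desired, current):
    """desired: {site: cidr}; current: {(proto, port, cidr, description)} now in the
    group. Returns (to_authorize, to_revoke) as sets of (proto, port, cidr)."""
    wanted = {(p, port, c) for p, port in CONTROLLER_PORTS for c in desired.values()}
    managed = {(p, port, c) for p, port, c, desc in current if desc == TAG}
    return wanted - managed, managed - wanted
def to_permissions(rules):
    return [{"IpProtocol": p, "FromPort": port, "ToPort": port,
             "IpRanges": [{"CidrIp": c, "Description": TAG}]} for p, port, c in sorted(rules)]

def apply_plan(ec2, group_id, to_authorize, to_revoke):
    """ec2: a boto3 EC2 client, or anything with these two methods. Authorize first so
    a crash between the calls never leaves a site locked out of the controller."""
    if to_authorize:
        ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=to_permissions(to_authorize))
    if to_revoke:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=to_permissions(to_revoke))
    return len(to_authorize), len(to_revoke)

# Constructed sample data (not real sites or addresses) so the module runs offline.
SAMPLE_DNS = {"site-a.ddns.example": "203.0.113.10", "site-b.ddns.example": "198.51.100.7"}
class RecordingClient:  # stand-in for the boto3 client: records calls, makes none
    def __init__(self): self.calls = []
    def authorize_security_group_ingress(self, **kw): self.calls.append(("authorize", kw))
    def revoke_security_group_ingress(self, **kw): self.calls.append(("revoke", kw))
def demo():
    # In the group now: live site-a (x2), a stale address of a site that moved, an untagged admin rule.
    current = {("tcp", 8080, "203.0.113.10/32", TAG), ("udp", 3478, "203.0.113.10/32", TAG),
               ("tcp", 8080, "192.0.2.99/32", TAG), ("tcp", 8443, "192.0.2.50/32", "admin-static")}
    add, drop = plan_changes(resolve_sites([*SAMPLE_DNS, "gone.ddns.example"], SAMPLE_DNS.__getitem__), current)
    client = RecordingClient()
    apply_plan(client, "sg-EXAMPLE", add, drop)
    return add, drop, client.calls
```

    In a real Lambda the client is `boto3.client("ec2")` and the function's IAM role should be allowed to modify only that one security group.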
    1. post_below

      Sounds like Ubiquiti is worth checking out, thanks

      4 votes
      1. Landhund

        I've set up a few Ubiquiti products and while they have a small number of odd idiosyncrasies, overall they should be very well suited to your use case. All the basics are easily configured and they support both OpenVPN and WireGuard natively, which makes setting up remote work a breeze.

        I can recommend them.

        2 votes
        1. post_below

          Do you have a particular Ubiquiti appliance you'd recommend for this case?

          2 votes
          1. krellor

            Not @Landhund who has excellent suggestions, but I'm back with coffee and took a look at the latest Ubiquiti hardware. I would definitely recommend the Dream Machine Pro. For the cost of the Dream Wall, you could buy two Pros running with shadow mode for redundancy, and a PoE switch.

            I know non-profits don't like spending money, but if their Internet goes down and they rely on it for on site and remote work, that effectively stops their entire workforce. For the cost of a high end laptop, they can have a resilient Ubiquiti border/core/WiFi deployment that will just work for years to come, no subscription, and solid performance.

            So my suggested bare bones would be

            • 1 Dream Machine Pro
            • Their standard 16 port PoE switch
            • A couple U7 Pros to give good WiFi coverage

            That would come to probably $1,200 taxes, plus some cables.

            From there you can add in high availability etc, based on budget, needs, growth.

            No one ever thinks they need HA until they are down for 7 hours at a critical time...

            3 votes
            1. post_below

              As it happens they already have a UniFi switch/WiFi, the Dream Machine Pro looks ideal, I'm leaning in that direction. Pro Max is overkill I'm thinking?

              Thanks to both you and @Landhund

              1 vote
              1. krellor

                Max is overkill. For the money, 2 Pros in high availability would be better than one Max.

                1 vote
          2. Landhund

            If they have a standard server rack you probably won't go wrong with a basic Dream Machine Pro. It does basically everything you want and should have more than enough performance. You could also have a look at the Dream Wall, we used one of them for a small off-site office since it combines a firewall and WiFi access point and we could skip the small server rack.

            2 votes
    2. ShroudedScribe

      try and haggle if you are buying through a channel partner. I got up to 56% off MSRP hardware and 72% off subscription for nonprofits. Larger, so volume was helping me.

      This reminded me that the sysadmin subreddit has a recurring thread that they call "Am I getting fucked Friday" where you can ask others about pricing. This appears to be the latest thread, from last week.

      Not sure if these are as active anymore, I haven't been on Reddit regularly in a long time.

      3 votes
  2. arrza

    Have a look at MikroTik. Their router software doesn't have any ridiculous perpetual licensing subscriptions and comes fully featured with everything unlocked. I have one and have been very happy with it.

    5 votes
  3. Weldawadyathink

    For the VPN side, have you considered Tailscale? It does require a small mental shift for how they treat their VPN, but it gives some huge advantages. They will never need to upgrade their router to support more VPN users. Even adding a new office location becomes trivial. The software is way more user friendly than any VPN I have had the displeasure of using. The only con is that, for businesses, there is a subscription fee.

    3 votes
  4. DVNO42

    Fortinet may be another option comparable to Palo Alto in quality with less of a learning curve (IMO). They sell switches and other devices that can be managed through the firewall for relatively low cost (relative to Palo). Their VPN client is fine for business users (TLS or IPsec tunnels but no WireGuard). Fairly predictable and easy to maintain equipment. These days, IMO, they are a big step up from the SonicWalls of yesteryear in regards to stability and administrative stress levels. Their switching products (FortiSwitch) have no place in a datacenter but are fine for top of rack or user access switches. Edit: Cisco pushes everything hard when it comes to sales... Not sure about Meraki but their normal TAC has become borderline unusable and account managers seem to have a high churn rate. I.e., I'm trying to say their support is lacking.

    1 vote
    1. post_below

      Thanks, I'll take a look at Fortinet. Not surprising support isn't great at Cisco's size and age, thanks for the tip.

      1. bitwyze

        Just as a data point: we have a Fortinet setup at our work and we have had nothing but issues. We constantly have to power cycle the hardware because the network connectivity drops (VPN can be accessed, but no connection to the other devices on the network; not sure if this is a problem with our VPN access point or the Fortinet switch).

        The client is very buggy on Linux. I usually connect first thing in the morning and the connection gets made, some packets get sent to the corporate network, but no packets are received back. The client freezes and crashes and the only way to fix it is to reboot the machine. The CLI is annoying to use (it doesn't seem to respect the flags that it says it accepts), but I haven't had any bad connections with it yet. They also have their own app for 2FA and it's not great. Slow to get push notifications and my VPN connection usually times out before I even get the approval notification. I can't say I've been very happy with it lol

        2 votes