Need a solid business-class router [Archive] - Glock Talk



Drjones
10-28-2010, 17:59
As titled, need a good, solid, dead-reliable router for a small business. They run WinServer 2008, MS Exchange 2007 and need VPN capability.

1 server, 5 users.

Internet connection is Surewest fiber; no modem.

Help!!!

IndyGunFreak
10-28-2010, 18:26
Surely CISCO has something?

kc8ykd
10-28-2010, 18:44
is it just an ethernet drop they give the client? is there a router provided by southwest currently?

also, what kind of budget do you have to work with?

cisco and juniper provide some nice solutions for small businesses. also, junos is quite a bit nicer than cisco's ios, in my opinion, but i'm not sure if they use it in their real small routers.

one last thing, are you looking for the router to also provide vpn termination, or is your windows 2008 server going to handle that ?

Drjones
10-29-2010, 11:59
Yep, just an ethernet drop from Surewest - no modem or router provided by them.

I did find & buy a Cisco WRVS4400N from Fry's .....any thoughts on that one?

Budget, would obviously like to keep it as low as possible (several hundred bucks?) but just need to get something RELIABLE.

As for VPN termination - what's most common and reliable; to have the server handle it, or the router? Currently, we're just having the server do it.

srhoades
10-29-2010, 13:41
I would go with a Sonicwall. Similar features as a Cisco, cheaper, and not as hard to configure.

kc8ykd
10-29-2010, 13:49
that router gets some pretty iffy reviews on newegg and amazon.

i don't have much experience with smaller routers like that, but i'd be concerned about overloading the cpu on it.

the cpu on smaller routers like that can be overwhelmed by trying to get them to do too much at the same time, like trying to handle lots and lots of nat connections, too many packets across the backplane, trying to inspect lots and lots of packets, and a few other things.

it looks like that router will also terminate vpn connections, but i'd be concerned about how fast those vpn connections would be. without a cpu that will do some real math, there can be a fairly low limit to what kind of bandwidth it will deliver for the vpn. in your scenario, i'd probably leave it to the win2008 server to terminate and be very specific about the traffic that's allowed to that machine through the firewall, probably restricting incoming connections down to the /24's the clients would be coming from (assuming they'd be using it from home and not on the road).

i come from the isp side, engineering specifically, so i don't know what's more common in the lower-end consumer market as far as what people use to terminate their vpn connections.

we used a linux box, with nice hardware, to terminate ~100 simultaneous connections and just punched a hole through the firewall it was closest to.


when i said cisco earlier, i really meant cisco proper and not linksys (i should start making that distinction i guess).

personally i'd probably use one of the 800 series or maybe the 1900 series depending on specific customer requirements, but those seem to be a bit above what the client's budget is. but, those are what i'd consider 'business class' routers for small business (well, even the 2900 and 3600, depending on the circumstances).

the vpn capabilities in those model lines generally have hardware acceleration, basically a daughter card that does floating point math just to handle the vpn stuff. this would be useful in instances where the router was going to be terminating the vpn connections.

Drjones
10-29-2010, 16:54
kc8ykd:

I'm a huge Amazonian (?) and saw those, but I also noticed that all the bad reviews were also several years old....the newer ones are more positive.

Let me be more specific about the problem we are having:

The VPN connection is sporadic. Sometimes it will work, sometimes it will throw out an "Error 800."

For example: Just now, I tried connecting to the clients' VPN and it gave me Error 800....tried 60 seconds later and it worked like a charm.

Any ideas what could be causing a sporadic VPN like that?

kc8ykd
10-30-2010, 00:46
well, the most i can determine is that error 800 means that the client couldn't establish a connection to the vpn server for some reason.

there's lots and lots of things that could cause that, but unfortunately, i can't rule any of them out without having intimate knowledge of how the network, server and vpn client are set up.

i can however, point you to some possibilities.

unable to establish a connection could mean that the vpn client was unable to talk to the vpn server for some reason.

this could be the result of:
an intermittent fault in the internet connection of the server.
an intermittent fault in the switch the server is connected to.
an intermittent fault in the cabling between the server and the switch.
a router that is intermittently overloaded and unable to process packets.
a router that is intermittently failing.

or, the vpn session was unable to be established due to a problem with the vpn server, which could be a result of:
a server that's intermittently running out of client licenses.
a dhcp server that's intermittently running out of assignable ip addresses.

those are the ones i can think of off the top of my head, but i'm sure there are more.

the last 2 should be fairly easy to investigate by inspecting the event log on the server for any error message.

the rest will take some work.

first, when you get that error 800 message, you should immediately confirm that your computer can talk to the server by trying to telnet to the server on port 1723, if you get a response then that means the problem most likely lies on the server itself. (this assumes that the server is not pingable from the internet due to firewall rules)

if you cannot telnet to that port, you should start looking at the router and its connection to the internet. that ethernet drop to the customer isn't magic, there's a router or bridge on their premises somewhere that converts that fiberoptic connection to ethernet. that equipment needs to be checked to ensure that the connection to the internet isn't having problems of some sort, from a flapping connection to crc and framing errors and the like. (this may require the isp's involvement to check the stats on the gear if you don't have access to it)

then, the connection between that bridge/router and the ethernet drop needs to be checked to ensure that connection isn't experiencing errors on it.

also, you should check to see what, if any nat or firewall rules exist on the isp's side of that ethernet connection. i hate to think those computers and server were all just hanging out on the internets without any firewall, or even NAT in between them and the rest of the world until you added the linksys router. if that's the case, i would start checking them for worms and rootkits and hacks, especially that win2k8 server.

you should also make sure that they aren't maxing out that internet connection at the office. something somewhere should keep statistical data on the percentage of the link being used. you may be able to correlate high bandwidth usage times to failures of the remote vpn clients to connect. the isp may have to set up monitoring of the link to generate this data. or, if the linksys has any kind of snmp facilities, you could monitor it using the windows 2008 server with something like MRTG (http://oss.oetiker.ch/mrtg/) or Cacti (http://www.cacti.net/).


if the intermittent connection problems started after introducing the linksys router, then i would check to ensure the router isn't being overloaded due to an excessive amount of traffic or packets going across it or that it can't handle the amount of NAT translations being requested of it. if either of these conditions exist, i would say an upgrade in router hardware is required.

Drjones
10-30-2010, 12:37
Wow, thanks for the great suggestions, kc8ykd

I've passed those on to my tech....just got a response that he's tried most of the stuff on that list.

Ok, just got an email also from the offc. manager....apparently everything was working fine on their old server; the VPN went to hell after the switch to the new one.

A little background on that: this client had a different IT guy they were using and they recently let him go because they got tired of his BS. The last straw was how poorly he handled the transition to a new server; he got them to buy a new Dell Server running Server 2008 - previously they had a Dell box running Server 2003. Anyhow, the transition took him around a week, and the office was down for much of that time.

They got fed up with him and called us.

Hope that helps....

kc8ykd
10-31-2010, 10:45
if the problems started after moving to the new server, then that would point to the software on the server, or the server itself as being the source of the problems.

i'd double check those event logs to see if they're reporting any errors.

also, double check the speed and duplex settings of the nic on the server to make sure they match whatever it's connecting to.

Drjones
11-01-2010, 14:57
Well, we solved it. The problem is that nothing had been configured properly from the start. The other guy was a total moron.

My technician spent a little time today reconfiguring all the VPN/remote access settings from scratch and now it works like a charm. Something relating to GRE had not been set right, so that was contributing to it...

Thank you so very much for all your help!!!

kc8ykd
11-01-2010, 15:58
ya, i guess i assumed the original guy set up the firewalling right, to allow GRE (protocol 47) through. GRE is the 'guts' of VPN.

glad you guys got it working :cool:
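
[Added example, not part of any poster's message: a scripted version of the "telnet to port 1723" check suggested earlier in the thread, which also sends a PPTP Start-Control-Connection-Request (RFC 2637) and logs each attempt with a timestamp so intermittent failures can be lined up against Error 800 reports. It assumes the VPN is PPTP, as the port 1723 and GRE references suggest; the host argument and the probe names are placeholders. It exercises only the TCP 1723 control channel, not the GRE (protocol 47) path.]

```python
import socket
import struct
import sys
import time

PPTP_PORT = 1723
MAGIC = 0x1A2B3C4D   # PPTP magic cookie (RFC 2637)
HDR = ">HHIHH"       # length, message type, cookie, control type, reserved0

def build_sccrq(hostname=b"probe", vendor=b"example"):
    """Start-Control-Connection-Request: 156 bytes, control type 1."""
    # version 1.0, reserved1, framing caps, bearer caps, max channels,
    # firmware revision, then 64-byte host name and vendor strings
    body = struct.pack(">HHIIHH64s64s", 0x0100, 0, 1, 1, 0, 0, hostname, vendor)
    return struct.pack(HDR, 156, 1, MAGIC, 1, 0) + body

def parse_sccrp(data):
    """Return (result_code, error_code) from a Start-Control-Connection-Reply."""
    if len(data) < 16:
        raise ValueError("short reply")
    _length, mtype, cookie, ctype, _ = struct.unpack(HDR, data[:12])
    if cookie != MAGIC or mtype != 1 or ctype != 2:
        raise ValueError("not a PPTP Start-Control-Connection-Reply")
    _version, result, error = struct.unpack(">HBB", data[12:16])
    return result, error

def probe(host, timeout=5.0):
    """One attempt: 'timeout', 'refused', 'no-pptp-reply',
    'pptp-rejected' or 'pptp-ok'."""
    try:
        with socket.create_connection((host, PPTP_PORT), timeout=timeout) as s:
            s.sendall(build_sccrq())
            result, _ = parse_sccrp(s.recv(156))
            return "pptp-ok" if result == 1 else "pptp-rejected"
    except socket.timeout:
        return "timeout"          # packets dropped somewhere on the path
    except ConnectionRefusedError:
        return "refused"          # host reachable, nothing listening on 1723
    except (OSError, ValueError):
        return "no-pptp-reply"    # connected, but no valid PPTP answer

if __name__ == "__main__":
    host = sys.argv[1]            # placeholder: the VPN server's public address
    while True:
        print(time.strftime("%H:%M:%S"), probe(host), flush=True)
        time.sleep(30)
```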

Drjones
11-02-2010, 14:10
Yes, going forward, whatever the next problem is that arises, we'll just assume it's because it wasn't set up correctly in the first place rather than try to troubleshoot it, assuming it is otherwise OK. :upeyes:

It just sucks that they paid this other guy so much before finally showing him the door....

kc8ykd
11-02-2010, 14:38
when coming into a scenario like that, gotta check all the basics first, is it plugged in, is the wiring right, is the software configured correctly, etc, etc... assume nothing was installed properly and go from there.

in my experience working with 'consultants' working for customers of mine, i basically had to treat them like they didn't know anything and walk them through the entire process.

in the beginning, i made the mistake of assuming that people with CCNA and MCSE behind their names actually knew what they were talking about. i found out that most didn't, but there were a special few that actually did, and they were a real pleasure to work with. (we didn't do referrals to consultants officially, but when i found someone that was good, they went into my special book of 'good guys' and i might happen to mention their name and contact info if a customer asked for help finding a consultant...)