big daddy fatsacks
2[H]4U
- Joined
- Aug 10, 2001
- Messages
- 2,312
All, I have a small network which I am currently running an Asus RT-N16 with DD-WRT in front of. The network is split into 2 subnets behind the router with each firewalled from the other by the Asus.
Code:
                      |---> LAN1
Internet ---> Asus ---|
                      |---> LAN2
LAN1 and LAN2 cannot talk to each other. Additionally, I have OpenVPN set up on the Asus to allow VPN access to LAN1. I am about to start trying to configure a second OpenVPN instance which will allow access to LAN2, and the 2 VPNs should be completely separate with different users, etc.
I have had a lot of success hacking through DD-WRT to get this non-standard config working well even though most of it is done not through the GUI. However, as I go forward with adding the second VPN endpoint I realize that this is becoming more and more unsupportable. There is no set of DD-WRT FAQs I can rely on to get this back and running the way I have it easily unless I create a whole set of config documentation just for this device. It is based on a conglomeration of FAQs, DD-WRT forum postings, and a lot of personal troubleshooting and testing. Also, this is for a small business so I can't have some unsupportable setup no matter how much mileage I've gotten out of DD-WRT thus far.
I am currently looking at something like a Cisco 800 series or whatever the equivalent Juniper device would be. I have no real experience with either the Cisco or Juniper CLI, but am not afraid of a CLI (most of the time I find them easier than trying to screw around with some idiotically designed GUI). These are my key features:
- MUST support routing between multiple LANs behind the device
- MUST support multiple VPNs which connect users in to different LANs as I described above (I only need support for < 20 concurrent users/tunnels between both VPNs)
- The VPN MUST give users full access to LAN1/LAN2, not an SSL VPN which allows publishing of a folder or application; the users need to be ON my local network, accessing a virtual environment full of Windows and Linux machines using RDP, running security scans, administering boxes to test out defensive strategies, and general testing
- PREFER to have support for certificate-based VPNs as I've already gotten certs generated and distributed as part of the OpenVPN setup I have now
- MUST support at least my current connection which consistently tests at 30/25 down/up
- SHOULD support some standard logging config such as to a remote syslog server
- IDS is a nice to have, but not a requirement
- Wireless is a nice to have, but not a requirement
I'm open to recommendations, but anything along the lines of what I am currently running will get ignored. I need a standard config that can easily be backed up and restored, NOT a hacked-to-pieces DD-WRT router where I have to actually document every single nvram config item.
TIA,
bdfs
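The design the post describes (two LANs that cannot reach each other, and two completely separate OpenVPN endpoints, each landing users on exactly one LAN) can be expressed as a small, text-based configuration that is easy to back up and diff, regardless of which box eventually runs it. The script below is an added example, not the poster's configuration and not DD-WRT's own defaults: it writes two OpenVPN server configs that use separate CAs (so a certificate issued for VPN1 is rejected by VPN2) and emits a default-deny forwarding policy that lets each tunnel reach only its own LAN. The interface names, subnets, UDP ports and `/etc/openvpn/<name>/` key paths are assumptions chosen for illustration.

```shell
# Added example: two independent OpenVPN instances plus a LAN1/LAN2
# segmentation policy for a Linux-based router. Interface names, subnets,
# ports and paths are assumptions, not values from the original post.
set -eu

WAN_IF="${WAN_IF:-eth0}"
LAN1_IF="${LAN1_IF:-br0}";  LAN1_NET="192.168.10.0/24"
LAN2_IF="${LAN2_IF:-br1}";  LAN2_NET="192.168.20.0/24"
VPN1_IF="tun0"; VPN1_NET="10.8.1.0/24"; VPN1_PORT=1194
VPN2_IF="tun1"; VPN2_NET="10.8.2.0/24"; VPN2_PORT=1195
CONF_DIR="${CONF_DIR:-${TMPDIR:-/tmp}/openvpn-demo}"

# Write one OpenVPN server config and print its path.
# Each instance references its own CA, server cert and tls-crypt key under
# /etc/openvpn/<name>/, so the two user populations share no trust root.
write_server_conf() {
    name=$1; port=$2; dev=$3; tun_net=$4; lan_net=$5
    mkdir -p "$CONF_DIR"
    cat > "$CONF_DIR/$name.conf" <<EOF
# $name: tunnel $tun_net, serves $lan_net only
port $port
proto udp
dev $dev
topology subnet
server ${tun_net%/24} 255.255.255.0
ca   /etc/openvpn/$name/ca.crt
cert /etc/openvpn/$name/server.crt
key  /etc/openvpn/$name/server.key
dh   /etc/openvpn/$name/dh.pem
tls-crypt /etc/openvpn/$name/tc.key
remote-cert-tls client
push "route ${lan_net%/24} 255.255.255.0"
keepalive 10 60
persist-key
persist-tun
verb 3
EOF
    echo "$CONF_DIR/$name.conf"
}

# Emit the forwarding policy as iptables commands (one per line).
# FORWARD defaults to DROP; the explicit LAN1<->LAN2 drops are redundant
# with that default but document the intent and survive a later broad ACCEPT.
# VPN1 may only reach LAN1, VPN2 only LAN2; tunnel-to-tunnel traffic is never
# allowed, and only reply traffic flows back to the tunnels.
segmentation_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN1_IF -o $LAN2_IF -j DROP
iptables -A FORWARD -i $LAN2_IF -o $LAN1_IF -j DROP
iptables -A FORWARD -i $VPN1_IF -o $LAN1_IF -s $VPN1_NET -d $LAN1_NET -j ACCEPT
iptables -A FORWARD -i $VPN2_IF -o $LAN2_IF -s $VPN2_NET -d $LAN2_NET -j ACCEPT
iptables -A FORWARD -i $LAN1_IF -o $WAN_IF -j ACCEPT
iptables -A FORWARD -i $LAN2_IF -o $WAN_IF -j ACCEPT
iptables -A INPUT -i $WAN_IF -p udp --dport $VPN1_PORT -j ACCEPT
iptables -A INPUT -i $WAN_IF -p udp --dport $VPN2_PORT -j ACCEPT
EOF
}

# Apply the policy when running as root on a box with iptables;
# otherwise just print it (dry run) so it can be reviewed or stored.
apply_rules() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
        segmentation_rules | sh -e
    else
        segmentation_rules
    fi
}

# Dry run: generate both configs and show the policy that would be applied.
write_server_conf vpn1 "$VPN1_PORT" "$VPN1_IF" "$VPN1_NET" "$LAN1_NET"
write_server_conf vpn2 "$VPN2_PORT" "$VPN2_IF" "$VPN2_NET" "$LAN2_NET"
segmentation_rules
```

Each instance is started separately (`openvpn --config vpn1.conf`, `openvpn --config vpn2.conf`), and `apply_rules` installs the policy only when it actually runs as root with iptables present. Keeping the two CAs distinct is what makes the "different users" requirement enforceable: revoking or issuing a client cert for one VPN can never affect the other, and the forwarding rules make the LAN boundary independent of whatever the VPN pushes to clients.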