Router/firewall recommendations for small branch office



  • Hello all!

    We currently have a 100 person central office with a Cisco 2901 router to do our core routing functions between VLANs and a Palo Alto PA820 sitting in front of that to do firewall duties.

    We now need to open a small branch office to move some of our staff that work here (I'm thinking it is going to be only around 10 people or so).

    I'm wondering what are your current recommendations for small branch office setups?

    I'm also wondering if I should stick to the separate router/firewall setup or have 1 appliance do it all.

    I know Palo Alto makes a smaller unit, the 220, that looks interesting.

    We have PA subscriptions for antivirus/IPS/URL filtering etc. and since we plan to have a VPN between the 2 sites, I'm not sure if it would make sense to get those subscriptions again if we bought a 220 instead of just routing all the traffic to HQ.

    We are also looking at putting a Shoretel voice switch at this branch to connect back to our Shoretel HQ server for phones, so I'm looking for something that plays nice with VOIP.

    Any recommendations? Thanks!



  • @beta said in Router/firewall recommendations for small branch office:

    I'm also wondering if I should stick to the separate router/firewall setup or have 1 appliance do it all.

    Router/FW are synonymous today. You can't effectively buy them separately, especially in the SMB range. Every device sold is both.



  • PA is good, but it's expensive and you really have to need its features for it to make sense.

    We use Unifi and EdgeRouters and they've been the best.



  • Scott, the 3rd party guy now wants to talk about doing site to site VPN on Sophos hardware. We're still at 3 offices. Any point or benefit to even doing this? Keep in mind only 5-7 people in the entire company need to remote into anything, which they effectively can do now. Honestly this "3rd party" is becoming more of a sales guy for untested solutions to line his pockets.

    LOL my first thought was, dummy we already have edge routers in place, we can use that to do site to site but there is almost no benefit at our size unless its just to have the sites talking to each other. I can do that with Zero Tier (just not pretty with AD).



  • @krisleslie said in Router/firewall recommendations for small branch office:

    Scott, the 3rd party guy now wants to talk about doing site to site VPN on Sophos hardware. We're still at 3 offices. Any point or benefit to even doing this?

    Zero. Just a huge waste of money. Dollars to donuts that guy also, coincidentally, sells Sophos 😉



  • @krisleslie said in Router/firewall recommendations for small branch office:

    LOL my first thought was, dummy we already have edge routers in place, we can use that to do site to site but there is almost no benefit at our size unless its just to have the sites talking to each other.

    Site to site is fine, but use what you have for it and avoid Sophos, and it can be beneficial for AD or management. Nothing wrong with that.



  • @krisleslie said in Router/firewall recommendations for small branch office:

    Keep in mind only 5-7 people in the entire company need to remote into anything which they effectively can do now.

    Could be worth it for just two people, if they really used it heavily.



  • @beta said in Router/firewall recommendations for small branch office:

    We are also looking at putting a Shoretel voice switch at this branch to connect back to our Shoretel HQ server for phones, so I'm looking for something that plays nice with VOIP.

    Man, your Shoretel guy wants to get rich off you - If your phones are IP, you should be able to fairly easily set up 10 phones in a remote location and connect to the phone system over site to site VPN. No need to have the onsite Shoretel switch (now, you do need to consider 911 for that new location).



  • @Dashrender I actually haven't talked to my Shoretel guy yet ha. I just figured this would be best because then I could get some trunks for the branch office and they could have phone service/911 if the VPN was ever down.

    If I run everything over VPN, how would you suggest handling 911?



  • @beta said in Router/firewall recommendations for small branch office:

    If I run everything over VPN, how would you suggest handling 911?

    Well, if the VPN is down, that almost certainly means that the Internet is down or the phone system is down... if those are down, you still don't have 911 service. At some point, infrastructure has to fail and 911 goes down with it. That's always the case, no matter what you do. Don't look at it as a "what if" but as a total picture.

    Of course, as a total picture, this is why we don't normally 1) use VPNs or 2) run our phone systems in house because of these kinds of complications, costs, and risks. It's a generally bad phone system design, and it's designed that way to create risks, to increase costs, to sell otherwise unneeded equipment where more modern and more enterprise systems simply avoid the complications and are less likely to fail with none of the extra cost.



  • @beta said in Router/firewall recommendations for small branch office:

    @Dashrender I actually haven't talked to my Shoretel guy yet ha. I just figured this would be best because then I could get some trunks for the branch office and they could have phone service/911 if the VPN was ever down.

    If I run everything over VPN, how would you suggest handling 911?

    If your network is down due to outside factors you don't get in trouble for 911 calls not completing. That has never been a thing. POTS goes down all the time.



  • @JaredBusch said in Router/firewall recommendations for small branch office:

    @beta said in Router/firewall recommendations for small branch office:

    @Dashrender I actually haven't talked to my Shoretel guy yet ha. I just figured this would be best because then I could get some trunks for the branch office and they could have phone service/911 if the VPN was ever down.

    If I run everything over VPN, how would you suggest handling 911?

    If your network is down due to outside factors you don't get in trouble for 911 calls not completing. That has never been a thing. POTS goes down all the time.

    Interesting - while I definitely understand what you're saying - I'm surprised there aren't stupid laws that wouldn't allow this kind of outage to be acceptable - kinda like how faxes were given a pass.



  • @krisleslie said in Router/firewall recommendations for small branch office:

    Scott, the 3rd party guy now wants to talk about doing site to site VPN on Sophos hardware. We're still at 3 offices. Any point or benefit to even doing this? Keep in mind only 5-7 people in the entire company need to remote into anything, which they effectively can do now. Honestly this "3rd party" is becoming more of a sales guy for untested solutions to line his pockets.

    LOL my first thought was, dummy we already have edge routers in place, we can use that to do site to site but there is almost no benefit at our size unless its just to have the sites talking to each other. I can do that with Zero Tier (just not pretty with AD).

    I guarantee that 3rd party guy is getting a kickback for selling Sophos gear. It's how every single shop I've worked at has operated. Every single one of the big name vendors operate this way.

    Just stick with Ubiquiti where you're not paying the backsheesh.



  • I've deployed Sophos UTM and XG in a few places and it works as advertised. Nothing spectacular. Firewall is "weird" IMO on how the rules get set up. The main reason was for the web filtering. If I could replace that functionality with FOSS I definitely would. I usually install Ubiquiti ERL (residential and business) where no filtering is required and have had excellent results. I have not used a USG or equivalent.



  • @brandon220 said in Router/firewall recommendations for small branch office:

    I've deployed Sophos UTM and XG in a few places and it works as advertised. Nothing spectacular. Firewall is "weird" IMO on how the rules get set up. The main reason was for the web filtering. If I could replace that functionality with FOSS I definitely would. I usually install Ubiquiti ERL (residential and business) where no filtering is required and have had excellent results. I have not used a USG or equivalent.

    USG just added filtering. But that's all I know. Is it good? Does it work? No idea.



  • @travisdh1 see here is the thing, I actually have a relationship with a local MSP. "IF" I were to take on projects I don't want to deal with, I would rather deal with them. This contractor is not of my suggestion, he is just a guy that happened to be the son of one of our managers, who is no longer employed here. Case in point, if I say let's do a,b,c, if I blink and go to sleep, I come into an office where x,y,z is done with no sign-off or explanation or feedback. It's largely a leadership and an internal political problem I'm dealing with. One month things are good or relatively good and next time you look some outlandish project comes with no one knowing where it started from.

    Just for an idea of my trust level for him, it's only in the direction of him installing cabling and hardware and basic administration. He has botched every installation of AD and didn't know what virtualization was. However, after he botched a site to site VPN setup 3 times prior, which he never reported to me nor my management, it let me know we're dealing with someone who worries about getting hours and checks, not getting work done, and also not being accountable. I'm not a network engineer (yet). But I can pretty much handle what has been thrown our way or find someone (read MSP) that can. So for him to not even start by using what we have in place showed me these marketing tactics (thanks @scottalanmiller for teaching me their ways years ago lol) are being used to force his way into something that we pay for, and then he will roll around with a fat check.

    The only logical benefit I see would be connecting our servers and for AD, but keep in mind, in the proposal his "goof-ups" for AD aren't mentioned. I'm not an AD god, but even I know if you put the wrong dns settings in, you break AD. For the most part, 95% of our staff and students use SaaS apps or services to accomplish work and training. That 5% is like really just for the people in IT and finance and 1 small team for a project. We use Intuit Quickbooks. Honestly because I hate QB, I'm considering just moving to a hosted plan and take it off-prem. File servers are really only being used by IT for software distribution and backup. We do run a few servers for RDP usage but the people that need to use it, are IN office and can remote in.



  • @travisdh1 said in Router/firewall recommendations for small branch office:

    stick with Ubiquiti where you're not paying the backshe

    The problem is he either was fired or let go from his previous job. So he eventually got a new job. I don't "know" if he works for Sophos because honestly in Alabama they really don't have a huge presence since any small to medium businesses I know don't even touch their stuff. I know Sophos well. I also got a taste of them about 10 years ago and decided to never go back also!



  • @scottalanmiller there is supposed to be a new USG being made since I think they are switching the CPU/chipset over for the entire product line. But honestly, until reviews are back and tested I'm holding funds. Just turning on the traffic analysis makes me cringe since it's not able to handle it without losing too much speed.



  • @travisdh1 so I figured out he is working for an out of town MSP. I don't see their product line they support but I assume it's SOPHOS. Like I said before, if I'm going to deal with a local MSP I already have one in place aligned with the goals not only I but my director would have in mind since they actually come talk to you and plan before telling you they wanna rip out everything for a project that doesn't make any sense.

    For those unaware, I work at a small non-profit. Our SaaS app and basically our finance app (Quickbooks) pretty much run the entire workload. 0 need for a VPN outside of goals that would align with IT directly. If we're gonna do a VPN, what sense would it make to do that without using our current NEW equipment before plunking down on another set of hardware? We are one cough away from another outbreak of COVID. We would be spending $ on a project no one in house would need since all our work already has been successfully deployed remotely for students and staff.



  • @krisleslie said in Router/firewall recommendations for small branch office:

    @scottalanmiller there is supposed to be a new USG being made since I think they are switching the CPU/chipset over for the entire product line. But honestly, until reviews are back and tested I'm holding funds. Just turning on the traffic analysis makes me cringe since it's not able to handle it without losing too much speed.

    Any idea when that is supposed to release?

    We just use the Pro4 these days to address that. But a new chipset would be great.



  • @beta said in Router/firewall recommendations for small branch office:

    We have PA subscriptions for antivirus/IPS/URL filtering etc. and since we plan to have a VPN between the 2 sites, I'm not sure if it would make sense to get those subscriptions again if we bought a 220 instead of just routing all the traffic to HQ.

    You'll put a lot more traffic over the HQ WAN by routing branch office traffic destined for the internet that way.
    Ideally you'd just want traffic over the VPN that is destined for some resource on the HQ LAN. It will give you superior bandwidth utilization.

    We have a customer who runs PA820s and they removed all their L3 routing in switches and routers and now route all their VLANs through the PA. You'll have more control over security that way. Doing the same at your branch office makes sense.

    Since you have Palo Alto at HQ I would get the same brand for the branch office. Not because you absolutely have to, but because it's easier to manage and easier if you have a problem and need Palo Alto support to figure out the problem.

    When it comes to URL filtering at the branch office there are other options, for instance Cloudflare Gateway.

    Regarding VOIP I think it's better to just run the phones directly to the HQ PBX. 10 people is not enough to bother with a local PBX.

    So in summary:

    • A PA-220 at the branch office with whatever VLANs you need set up in it.
    • Internet traffic goes to the internet.
    • Traffic to HQ goes over the VPN link.
    • IP phones connect directly to HQ over the VPN link.
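To make the split-tunnel part of this summary concrete, here is an added illustration that is not from the thread or any vendor's configuration: a small longest-prefix-match route decision in Python. All prefixes and hosts are constructed assumptions (HQ LAN 10.10.0.0/16 behind the site-to-site tunnel, branch LAN 10.20.0.0/16 local, an HQ PBX at 10.10.5.10), and it goes one step beyond the summary by dropping private-range destinations that would otherwise fall through to the default route, since forwarding RFC 1918 traffic to the ISP leaks internal addressing and can never succeed.

```python
"""Split-tunnel route decision for a branch office (constructed example).

Not from the forum thread. Every prefix and host below is an assumption:
HQ LAN 10.10.0.0/16 reachable only over the site-to-site VPN, branch LAN
10.20.0.0/16 local, HQ PBX at 10.10.5.10; everything else exits the
branch's own internet uplink.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPNet = ipaddress.IPv4Network

# Routing table; the longest matching prefix wins, as in a real FIB.
ROUTES: List[Tuple[IPNet, str]] = [
    (ipaddress.ip_network("0.0.0.0/0"), "branch-internet"),  # default route
    (ipaddress.ip_network("10.20.0.0/16"), "branch-lan"),    # local VLANs
    (ipaddress.ip_network("10.10.0.0/16"), "vpn-to-hq"),     # over the tunnel
]


def next_hop(dst: str, routes: List[Tuple[IPNet, str]] = ROUTES) -> str:
    """Return the next-hop label for dst using longest-prefix match.

    A private (RFC 1918 etc.) destination that matches only the default
    route is returned as "drop": the ISP cannot deliver it, and letting it
    out leaks internal addressing.
    """
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[IPNet, str]] = None
    for net, hop in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    assert best is not None  # the default route always matches
    net, hop = best
    if net.prefixlen == 0 and addr.is_private:
        return "drop"
    return hop


def classify_flows(flows: List[Tuple[str, str, int]]) -> Dict[str, List[str]]:
    """Group (src, dst, dport) flows by the path they take.

    Phone signalling to the HQ PBX is just another tunnel flow; the point of
    the design is that nothing else from the branch is hairpinned via HQ.
    """
    out: Dict[str, List[str]] = {}
    for src, dst, dport in flows:
        hop = next_hop(dst)
        out.setdefault(hop, []).append(f"{src}->{dst}:{dport}")
    return out


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    ("10.20.1.50", "1.1.1.1", 443),       # web browsing: straight out
    ("10.20.1.50", "10.10.2.20", 445),    # file share at HQ: tunnel
    ("10.20.7.11", "10.10.5.10", 5060),   # IP phone to HQ PBX: tunnel
    ("10.20.1.50", "10.20.1.60", 22),     # branch-local
    ("10.20.1.50", "192.168.1.1", 80),    # unknown private net: drop
]

if __name__ == "__main__":
    for hop, labels in classify_flows(SAMPLE_FLOWS).items():
        print(hop, labels)
```

On a real appliance the same decision is expressed as a static or BGP route for the HQ prefixes pointing at the tunnel interface plus a default route out the WAN; the "drop" branch corresponds to a deny rule for private destinations on the outbound policy.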


  • I forgot to ask, who do you guys like for Wireless Access Points? We'll probably need to add a few of those too. Currently our main facility is covered with Cisco APs and a 5508 controller. I don't think we're going to need that many APs for this location obviously.



  • @beta said in Router/firewall recommendations for small branch office:

    I forgot to ask, who do you guys like for Wireless Access Points? We'll probably need to add a few of those too. Currently our main facility is covered with Cisco APs and a 5508 controller. I don't think we're going to need that many APs for this location obviously.

    We had a Cisco 20K solution here originally. I dumped that and replaced it with a Ubiquiti Unifi AP solution.
    The controller is free software that runs on my VM host, but could just as easily run in a VPS like Vultr for $5/m. APs were $90 or so each, 15 of them, $1350 plus my time to install them (the previous 20K included their installation).

    I'm pretty sure Unifi APs weren't around when the Ciscos went in in 2007, but damn did we save a bundle this upgrade time around.



  • @beta said in Router/firewall recommendations for small branch office:

    I forgot to ask, who do you guys like for Wireless Access Points? We'll probably need to add a few of those too. Currently our main facility is covered with Cisco APs and a 5508 controller. I don't think we're going to need that many APs for this location obviously.

    Ubiquiti Unifi. Blows the Ciscos out of the water at a fraction of the cost. They are so much better, and so much cheaper, that we generally replace existing Cisco units with them because the cost of configuring Ciscos alone is enough higher to on its own cover the cost of the upgrade.



  • @scottalanmiller said in Router/firewall recommendations for small branch office:

    @beta said in Router/firewall recommendations for small branch office:

    I forgot to ask, who do you guys like for Wireless Access Points? We'll probably need to add a few of those too. Currently our main facility is covered with Cisco APs and a 5508 controller. I don't think we're going to need that many APs for this location obviously.

    Ubiquiti Unifi. Blows the Ciscos out of the water at a fraction of the cost. They are so much better, and so much cheaper, that we generally replace existing Cisco units with them because the cost of configuring Ciscos alone is enough higher to on its own cover the cost of the upgrade.

    What do you think of Palo Alto?



  • @IRJ said in Router/firewall recommendations for small branch office:

    @scottalanmiller said in Router/firewall recommendations for small branch office:

    @beta said in Router/firewall recommendations for small branch office:

    I forgot to ask, who do you guys like for Wireless Access Points? We'll probably need to add a few of those too. Currently our main facility is covered with Cisco APs and a 5508 controller. I don't think we're going to need that many APs for this location obviously.

    Ubiquiti Unifi. Blows the Ciscos out of the water at a fraction of the cost. They are so much better, and so much cheaper, that we generally replace existing Cisco units with them because the cost of configuring Ciscos alone is enough higher to on its own cover the cost of the upgrade.

    What do you think of Palo Alto?

    For ACCESS POINTS? Zero experience. They are generally good products, and generally very expensive. But I never deal with them in a wifi context so they might be amazing or terrible. I didn't even know that they made wifi gear so that's my level of knowledge on it 😉



  • @scottalanmiller said in Router/firewall recommendations for small branch office:

    @IRJ said in Router/firewall recommendations for small branch office:

    @scottalanmiller said in Router/firewall recommendations for small branch office:

    @beta said in Router/firewall recommendations for small branch office:

    I forgot to ask, who do you guys like for Wireless Access Points? We'll probably need to add a few of those too. Currently our main facility is covered with Cisco APs and a 5508 controller. I don't think we're going to need that many APs for this location obviously.

    Ubiquiti Unifi. Blows the Ciscos out of the water at a fraction of the cost. They are so much better, and so much cheaper, that we generally replace existing Cisco units with them because the cost of configuring Ciscos alone is enough higher to on its own cover the cost of the upgrade.

    What do you think of Palo Alto?

    For ACCESS POINTS? Zero experience. They are generally good products, and generally very expensive. But I never deal with them in a wifi context so they might be amazing or terrible. I didn't even know that they made wifi gear so that's my level of knowledge on it 😉

    I believe they use Aruba for their APs



  • @krisleslie said in Router/firewall recommendations for small branch office:

    @scottalanmiller there is supposed to be a new USG being made since I think they are switching the CPU/chipset over for the entire product line. But honestly, until reviews are back and tested I'm holding funds. Just turning on the traffic analysis makes me cringe since it's not able to handle it without losing too much speed.

    Are you talking about the dream machine?

    Edit: I just saw a reddit post about an update to the USG line so I'm guessing not.



  • @stacksofplates said in Router/firewall recommendations for small branch office:

    Are you talking about the dream machine?

    I sure hope not, that thing seems so dumb.



  • @stacksofplates said in Router/firewall recommendations for small branch office:

    Edit: I just saw a reddit post about an update to the USG line so I'm guessing not.

    I've been looking for some inside info on that, got a link?

