Firewall for small Windows network



  • Got a site coming online, only 3 Windows devices consisting of 1 Windows 2012R2 RDS server, 1 2012R2 Windows server purely for storage and 1 W10 PC.

    Need a firewall of some description.

    Is Untangle any good? Don't know anything about it, but have read it's not too bad.

    I was thinking of running it as a guest on Hyper-V on one of the servers. Anyone done this, will it work as a guest on a 2012R2 Hyper-V server?

    I'm open to any suggestions.

    Thanks for any help.



  • I would recommend an Edgerouter X - Only £50 in the UK and it works brilliant:
    https://www.ui.com/edgemax/edgerouter-x/



  • Agreed - the Edgerouter is perfect for this.



  • I think it's easier using a dedicated firewall than a VM. Otherwise it's easy to lock yourself out since the VM is hosted on the machine you are doing admin work on.

    For instance when upgrading the hypervisor, something goes wrong. Now you have no way to access anything anymore.



  • @siringo said in Firewall for small Windows network:

    Is Untangle any good? Don't know anything about it, but have read it's not too bad.

    In absolute terms, it's fine. In market terms, I can't think of any situation where you'd realistically even consider it.

    Software firewalls rarely make sense, and when they do, you want one built for that, not a general purpose OS being set up in a firewall role.



  • I agree with everyone, I never deploy software firewalls. Hardware is so cheap, so well maintained, so easy to deal with, and so much more secure.



  • If you are looking to deploy APs for wireless as well, I'd just go with a USG from Unifi and a UAP Lite. You'll need to set up a controller for it, two options - set up a $5/m vultr instance that you have to maintain, or just buy a cloud key and publish it through Ubiquiti's system for anywhere access. It's about $100 but it's a one time fee.



  • @Dashrender said in Firewall for small Windows network:

    If you are looking to deploy APs for wireless as well, I'd just go with a USG from Unifi and a UAP Lite. You'll need to set up a controller for it, two options - set up a $5/m vultr instance that you have to maintain, or just buy a cloud key and publish it through Ubiquiti's system for anywhere access. It's about $100 but it's a one time fee.

    But it's also a physical device on the network, so you have to power it, maintain it, protect it, it only handles one site, and they only maintain the hardware for so long.

    I'd argue that anyone in a situation where a cloud key seems reasonable, it's not reasonable to be managing a network that size on its own.



  • I totally missed the question on Untangle,...

    Having set up, managed, and left two different locations with them running,... and having more than fifteen years to learn more I’ll say this...

    Go with the Edgerouter.



  • @scottalanmiller said in Firewall for small Windows network:

    @Dashrender said in Firewall for small Windows network:

    If you are looking to deploy APs for wireless as well, I'd just go with a USG from Unifi and a UAP Lite. You'll need to set up a controller for it, two options - set up a $5/m vultr instance that you have to maintain, or just buy a cloud key and publish it through Ubiquiti's system for anywhere access. It's about $100 but it's a one time fee.

    But it's also a physical device on the network, so you have to power it, maintain it, protect it, it only handles one site, and they only maintain the hardware for so long.

    I'd argue that anyone in a situation where a cloud key seems reasonable, it's not reasonable to be managing a network that size on its own.

    It sounds like the OP is an MSP or MSP-like for this client, so perhaps they already have a controller (though the question about Untangle tells me it's unlikely)...

    I guess you're telling that company that they need to hire IT to do this, and suck it up and pay... because it's simply the cost of doing business.



  • @Dashrender said in Firewall for small Windows network:

    I guess you're telling that company that they need to hire IT to do this, and suck it up and pay... because it's simply the cost of doing business.

    One way or another, someone doing IT work is managing things. Doing it in house means that IT is going to be more costly if they are so small that the controller would be desired. So I'm saying to spend IT dollars wisely, rather than buying hardware that requires someone coming in local to manage.



  • @scottalanmiller said in Firewall for small Windows network:

    @Dashrender said in Firewall for small Windows network:

    I guess you're telling that company that they need to hire IT to do this, and suck it up and pay... because it's simply the cost of doing business.

    One way or another, someone doing IT work is managing things. Doing it in house means that IT is going to be more costly if they are so small that the controller would be desired. So I'm saying to spend IT dollars wisely, rather than buying hardware that requires someone coming in local to manage.

    If Unifi had an auto update feature, buying a cloud key would be (at least to me money wise) a no brainer... but because it doesn't.. it means someone must manage/update it. If you have no person who can fit this into their monthly tasks, then sure I understand outsourcing it completely, but this is pretty expensive outsourcing... $60 hosting vultr, plus an assumed 15 min billable (smallest likely increment allowed) monthly at what $100/hr, so $25/m. So min annual cost is $360 assuming no issues of course... maybe you can't get this accomplished by an internal person for that?



  • @Dashrender said in Firewall for small Windows network:

    If you have no person who can fit this into their monthly tasks, then sure I understand outsourcing it completely, but this is pretty expensive outsourcing.

    That's a FREEBIE item for our customers. Literally free. Why do you see that as expensive? I'm confused.



  • @Dashrender said in Firewall for small Windows network:

    $60 hosting vultr, plus an assumed 15 min billable (smallest likely increment allowed) monthly at what $100/hr, so $25/m. So min annual cost is $360 assuming no issues of course... maybe you can't get this accomplished by an internal person for that?

    No, the min cost is zero. You are right on the cost, if you were dealing with someone in house doing a one off. But why would you do that? My entire point is that when you are this small, having any infrastructure all for yourself is too costly to do.



  • @gjacobse said in Firewall for small Windows network:

    I totally missed the question on Untangle,...

    Having set up, managed, and left two different locations with them running,... and having more than fifteen years to learn more I’ll say this...

    Go with the Edgerouter.

    Thanks everyone for the help, it's greatly appreciated. Looks like a hardware solution is the go here. I'll ditch the untangle idea, I must say I'm pleased about that.



  • @siringo said in Firewall for small Windows network:

    @gjacobse said in Firewall for small Windows network:

    I totally missed the question on Untangle,...

    Having set up, managed, and left two different locations with them running,... and having more than fifteen years to learn more I’ll say this...

    Go with the Edgerouter.

    Thanks everyone for the help, it's greatly appreciated. Looks like a hardware solution is the go here. I'll ditch the untangle idea, I must say I'm pleased about that.

    If going software, I like VyOS. Mostly just for labs, though. Totally hardware is the way to go when you have the option.



  • @scottalanmiller said in Firewall for small Windows network:

    @Dashrender said in Firewall for small Windows network:

    $60 hosting vultr, plus an assumed 15 min billable (smallest likely increment allowed) monthly at what $100/hr, so $25/m. So min annual cost is $360 assuming no issues of course... maybe you can't get this accomplished by an internal person for that?

    No, the min cost is zero. You are right on the cost, if you were dealing with someone in house doing a one off. But why would you do that? My entire point is that when you are this small, having any infrastructure all for yourself is too costly to do.

    I guess I'm confused - So this client contacts you NTG for this - you charge them what? Just the cost of hardware (or they buy themselves), you charge them an install fee and that's all? From there on out it's free? I.e. you pay the hosting cost (sure ok, no problem, you already have a controller, adding more sites/devices to it is likely no big deal), but what about the monthly updates? You don't charge for those? And by updates I mean pushing the button that pushed out the update to the devices, not the controller, you've already absorbed that. I mean, maybe you do, in the hopes/expectation that you will have other business from them and that clicking the button takes such a small amount of time that you don't worry about billing it specifically??



  • @Dashrender said in Firewall for small Windows network:

    I guess I'm confused - So this client contacts you NTG for this - you charge them what? Just the cost of hardware (or they buy themselves), you charge them an install fee and that's all? From there on out it's free?

    We don't sell anything, so we don't charge them for hardware. We charge them for work that we do. We do not charge for the use of the Unifi platform since it is a pre-existing cost that is already covered and their portion of it would be less than the cost of the overhead to charge them.

    So any NTG customer just gets it for free. We even have residential customers who take advantage of this. It would be completely absurd to charge more than, say $.25 a month for that service, and pretty absurd to make a line item so small.



  • @Dashrender said in Firewall for small Windows network:

    I.e. you pay the hosting cost (sure ok, no problem, you already have a controller, adding more sites/devices to it is likely no big deal), but what about the monthly updates? You don't charge for those? And by updates I mean pushing the button that pushed out the update to the devices, not the controller, you've already absorbed that. I mean, maybe you do, in the hopes/expectation that you will have other business from them and that clicking the button takes such a small amount of time that you don't worry about billing it specifically??

    We would charge for work being done if they want us doing manual work, of course. This is very straightforward... we bill for our time, we don't bill for the Unifi controller. And since updates are automated from the controller, there's no need for us to be pushing buttons.



  • @scottalanmiller said in Firewall for small Windows network:

    And since updates are automated from the controller, there's no need for us to be pushing buttons.

    You enable automatic firmware updates in the UniFi controller? Yeah, no thanks.

    I'll hit the rolling update button manually after I test the latest firmware.



  • @JaredBusch said in Firewall for small Windows network:

    @scottalanmiller said in Firewall for small Windows network:

    And since updates are automated from the controller, there's no need for us to be pushing buttons.

    You enable automatic firmware updates in the UniFi controller? Yeah, no thanks.

    I'll hit the rolling update button manually after I test the latest firmware.

    We do too, but for customers who want US to do that for them, we charge. But of course, they are free to do it themselves as well.

    It's just that we host the controller for free.



  • But, for a customer so small that they have no IT, and they don't want to pay for us to do updates, they can choose to enable automatic updates, for free, and it updates like any auto updating device would. Better than skipping it.



  • @scottalanmiller said in Firewall for small Windows network:

    But, for a customer so small that they have no IT, and they don't want to pay for us to do updates, they can choose to enable automatic updates, for free, and it updates like any auto updating device would. Better than skipping it.

    It has been a long time since I looked at the setting, but I thought that was a controller level setting and not a site level setting.

    If it is site level, that does make it simple.



  • @JaredBusch said in Firewall for small Windows network:

    @scottalanmiller said in Firewall for small Windows network:

    But, for a customer so small that they have no IT, and they don't want to pay for us to do updates, they can choose to enable automatic updates, for free, and it updates like any auto updating device would. Better than skipping it.

    It has been a long time since I looked at the setting, but I thought that was a controller level setting and not a site level setting.

    If it is site level, that does make it simple.

    You made me panic. But just checked and verified, it's per site now. Pheww.

    LOL



  • @scottalanmiller said in Firewall for small Windows network:

    @JaredBusch said in Firewall for small Windows network:

    @scottalanmiller said in Firewall for small Windows network:

    But, for a customer so small that they have no IT, and they don't want to pay for us to do updates, they can choose to enable automatic updates, for free, and it updates like any auto updating device would. Better than skipping it.

    It has been a long time since I looked at the setting, but I thought that was a controller level setting and not a site level setting.

    If it is site level, that does make it simple.

    You made me panic. But just checked and verified, it's per site now. Pheww.

    LOL

    I've been running a controller as long as you, and can remember when there were few site specific settings.



  • @JaredBusch said in Firewall for small Windows network:

    @scottalanmiller said in Firewall for small Windows network:

    @JaredBusch said in Firewall for small Windows network:

    @scottalanmiller said in Firewall for small Windows network:

    But, for a customer so small that they have no IT, and they don't want to pay for us to do updates, they can choose to enable automatic updates, for free, and it updates like any auto updating device would. Better than skipping it.

    It has been a long time since I looked at the setting, but I thought that was a controller level setting and not a site level setting.

    If it is site level, that does make it simple.

    You made me panic. But just checked and verified, it's per site now. Pheww.

    LOL

    I've been running a controller as long as you, and can remember when there were few site specific settings.

    Me too. But thankfully almost everything is site specific now.



  • @scottalanmiller said in Firewall for small Windows network:

    We do too, but for customers who want US to do that for them, we charge. But of course, they are free to do it themselves as well.

    It's just that we host the controller for free.

    But just above you stated that your customers get Unifi for free?

    We do not charge for the use of the Unifi platform since it is a pre-existing cost that is already covered and their portion of it would be less than the cost of the overhead to charge them.



  • @hobbit666 said in Firewall for small Windows network:

    But just above you stated that your customers get Unifi for free?

    Right, and I repeated it below. So I said it more than once, LOL.




  • @hobbit666 said in Firewall for small Windows network:

    @scottalanmiller said in Firewall for small Windows network:

    We do too, but for customers who want US to do that for them, we charge. But of course, they are free to do it themselves as well.

    It's just that we host the controller for free.

    But just above you stated that your customers get Unifi for free?

    We do not charge for the use of the Unifi platform since it is a pre-existing cost that is already covered and their portion of it would be less than the cost of the overhead to charge them.

    Right, he said they don't charge just to have the equipment in their Unifi Controller. After that the customer has to decide between 3 options, manage themselves, enable auto updates or pay NTG to do updates after testing new firmware.

