VPN Router Recommendations - Synology RT2600ac

Discussion in 'Mac OS X Server, Xserve, and Networking' started by techwarrior, Apr 20, 2018.

  1. techwarrior macrumors 65816
    Joined:
    Jul 30, 2009
    Location:
    Colorado
    #1
    Hey MacRumors community, need a little help choosing a VPN Router.

    Use Case: I live 60 miles from my employer's office where I maintain several VoIP labs. One of the labs that I will be using more in the future is on a network that is accessible via VPN. I have an account on the office VPN for both remote access using OpenVPN client on my Mac, as well as an account for a Site-to-Site. I would like to be able to work from home more, so searching for a viable VPN Router solution. Improving home WiFi would be a secondary goal.

    My home network is Airport based, with Comcast ISP. I get one IP address to share.

    I am searching for a solution that will allow me to:
    • Route general network traffic through the Comcast network (bypass the VPN Tunnel).
    • Route lab traffic through the VPN Tunnel.
    I was looking at Synology RT2600ac, which I think might be able to do the trick, but I am not fully up to speed on VPN concepts, so hoping to get input from some experts.

    If I set up a Site-to-Site tunnel, how can I route traffic from the VoIP phones (and my Mac when doing lab testing) over the tunnel, but allow all other traffic to bypass the tunnel?

    In the Site-to-Site setup screens, the Local and Remote site Private Subnets are defined. Does this in effect create a policy in which only traffic from my local subnet that is destined for the remote private subnet will use the tunnel? If so, then it seems easy-peasy to accomplish my goals with this router.
     
  2. belvdr macrumors 603

    Joined:
    Aug 15, 2005
    Location:
    No longer logging into MR
    #2
    While it may require CLI configuration, I would recommend an Ubiquiti EdgeRouter. After their latest firmware on my EdgeRouter Lite, the device is fast and rock solid. It can also route different traffic via different routes. The ERL is $100.
     
  3. DJLC macrumors 6502a
    Joined:
    Jul 17, 2005
    Location:
    Mooresville, NC
    #3
    I've been using pfSense lately on an old desktop w/ dual Ethernet ports. Works very well for what I need — putting most of my network traffic thru a VPN for privacy without sacrificing speed.

    It would be relatively trivial to set up pfSense NAT rules that direct your lab network traffic over the VPN and other traffic over the regular WAN (provided the lab network subnet doesn't overlap w/ your home network subnet). Alternatively, you could give the phones static internal IPs and set up rules to direct ALL traffic from those devices over the VPN. I suspect the same would be true on the Ubiquiti EdgeRouter and the Synology both; however, I have no direct experience with either of those products.
     
  4. campyguy, Apr 23, 2018
    Last edited: Apr 23, 2018

    campyguy macrumors 68040

    Joined:
    Mar 21, 2014
    Location:
    Portland / Seattle
    #4
    RT2600ac and Fortinet FortiGate owner chiming in (I'm the company owner, too... - offering this bit as I'm not an "IT guy"), using site-to-site VPN pretty much daily without the need for an IT person. QED, rather, easy peasy in Bruce Campbell-speak. Synology lists dozens of VPN help files that IMO are easy to follow and their tech support has been very helpful as well - the setup config for the FortiGate 50E I use is published here, FYI. Zero issues with my RT2600ac units (3 of them...).

    I use Comcast BCI at 3 of my field offices, Comcast residential at my home office, and an ATT Netgear Nighthawk on the road (Ethernet out, plug it into an RT2600ac while out in the field). I pay for a second IP address at my home office location - $10 per month - and use an Arris SB8200 modem with its second Ethernet/IP port dedicated to my business-related matters.
     
  5. techwarrior thread starter macrumors 65816
    Joined:
    Jul 30, 2009
    Location:
    Colorado
    #5
    That may be an option (2nd IP), but the detail I am trying to determine is how the RT2600ac will handle traffic. Will all traffic use the tunnel, or only traffic destined for the Remote Site private network? I got a response from Synology, but it was still not clear.

    I assume that if my home LAN IP address range is 192.168.0.0/24 and the Remote Site private LAN is 10.64.0.0/16, my router's route table would look like:

    Destination   NetMask        Gateway       Interface
    0.0.0.0       0.0.0.0        192.168.0.1   wan
    10.64.0.0     255.255.0.0    192.168.0.1   tun1

    Meaning, all traffic with a destination of 10.64.0.0/16 would use the VPN tunnel, all other traffic would go through the Comcast default route. Is that how the RT2600 would handle my traffic?

    I really don't want to put all my personal traffic through the work network, it would presumably slow my general traffic as the VPN device on the company side limits throughput somewhat.
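The route table sketched above, and the subnet-overlap caveat from post #3, worked through as an added example (not code from the thread or from Synology): a longest-prefix-match lookup over a constructed table with the thread's two prefixes, plus an overlap check between the home and remote subnets. Interface names and sample addresses are constructed for illustration.

```python
import ipaddress

# Constructed route table mirroring the one proposed in the thread:
# a default route out the ISP WAN and a more specific route for the
# remote lab subnet via the site-to-site tunnel interface.
ROUTES = [
    ("0.0.0.0/0",    "wan"),   # everything not matched elsewhere
    ("10.64.0.0/16", "tun1"),  # remote site private subnet
]


def lookup(dst, routes=ROUTES):
    """Pick the matching route with the longest prefix (most specific wins).

    Returns (prefix, interface). The /0 default only wins when no more
    specific prefix contains the destination.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return (str(best[0]), best[1])


def subnets_overlap(a, b):
    """True if two prefixes share any address; overlapping local and remote
    subnets make the lookup above ambiguous and break the split design."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def classify_flows(destinations, routes=ROUTES):
    """Map each destination to the interface it would leave on."""
    return {dst: lookup(dst, routes)[1] for dst in destinations}


if __name__ == "__main__":
    # Constructed sample destinations: one lab host, one public host,
    # and one address just outside the /16 that must fall to the default.
    for dst, iface in classify_flows(["10.64.3.7", "8.8.8.8", "10.65.0.1"]).items():
        print(f"{dst:>12} -> {iface}")
    print("home/remote overlap:", subnets_overlap("192.168.0.0/24", "10.64.0.0/16"))
```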
     
  6. campyguy macrumors 68040

    Joined:
    Mar 21, 2014
    Location:
    Portland / Seattle
    #6
    Regarding separating traffic, Synology's routers ship with an OS - SRM for Synology Router Management. One of the packages that can be installed is a free VPN Plus (it needs a license, but one is included for up to 20 client access); the VPN package offers an IAP @$10 per perpetual Site-to-Site VPN client/license - that's what I have installed on my router at my home office and at my main office. On my router, I set up a wired static route for the two Macs I use to connect to the office, and simply disconnect the Ethernet cable when it's time for personal usage - I don't even think about it. The boss can't yell at me since I'm the boss... SRM isn't the easiest router OS to manage but it suits my needs perfectly, OTOH...

    A "simpler" means to get to what you're seeking, assuming you're using one computer for personal and business usage, is to use the solution I use for some of my employees who may need to work from home on occasion. I purchased several routers and had them preconfigured for one reason - to connect to a personal/home router via a wired connection; these "work" routers are configured to provide an encrypted channel (VPN) to our workstations and/or servers. Simply connect the VPN Router's WAN interface to the home/personal router. All of the "work" traffic should be encrypted by the VPN tunnel, no home traffic would have access to work traffic. The encrypted packets are routed through your home router. Your employer may be more comfortable with this type of arrangement. The units I purchased are Netgear units flashed with the Sabai OS (Netgear WNR3500L - they're inexpensive); my employees simply check them out and in. Sabai offers several units - link - with no affiliation on my end, all pretty much PnP. I disabled the wireless feature to make sure that only the wired connection is used, but that's just me. My GF (who runs her own business) uses a Netgear from FlashRouters; she totes it around when she's on the road. Basically, it's Work Computer --> VPN Router --> Home Router --> Internet - QED! I think I spent about $150 each on the Sabai Netgear routers, zero issues since Day 1.
     
  7. hobowankenobi, Apr 23, 2018
    Last edited: Apr 23, 2018

    hobowankenobi macrumors 6502a

    Joined:
    Aug 27, 2015
    Location:
    on the land line mr. smith.
    #7

    I set one up for an SMB, and it has been rock solid and everybody has been happy with it. No VPN in use though, so I can't speak to that.

    Have you looked at the package download page for VPN Plus Server?
     