My office network uses 2 ISPs, each 200 Mbps. One of the ISPs uses BGP for our public IPs. Currently I use 2 CCRs, 1 for each ISP. The BGP-CCR is connected to the DMZ. The non-BGP-CCR has NAT and firewall configured and is connected directly to one of the ISPs, to the BGP-CCR and to the local network (around 2k wireless and wired clients). Well, the theme here is "as cheap as possible". Before using the CCRs, we had been using a pfSense box as the router/gateway until we added BGP to the mix and the hardware could not handle it (I think it was around 80% CPU usage and a slow network).
I've been trying to add a site-to-site VPN to the mix and maximize the firewall. When I tried it on the CCR, somehow the network felt a bit sluggish. I tried an L7 filter on the CCR, and the whole network slowed down. I've been looking for alternatives that can be used with the existing spare hardware.
I tried VyOS on spare hardware and combined those 2 CCR roles into one box in a test network with 4 network interfaces (WAN, BGP, LAN, DMZ). I haven't tried replacing the CCRs directly on the main network, though, so I have no idea if it will be able to handle the load. These are the setups I have been considering:
- BGP, NAT, routing, firewall, VPN in VyOS
- BGP, NAT, routing, VPN in VyOS then add OPNSense for firewall
- BGP, NAT, routing in VyOS, OPNSense for firewall and VPN
- Other Idea?
What do you think is the best sane option?