Need hardware for a Site to Site VPN
-
Have a business mission critical app that is currently running on 15 year old Cisco routers with T1s.
I’m going to switch them over to a VPN site-to-site tunnel using pfSense. The main site, where the servers are, will have two 1G Internet circuits for redundancy. The two branch sites will eventually have two Internet circuits as well. Each branch will connect to the main site. The branches currently have single 100M circuits. I plan to use IPSec; any issues with that? Network traffic is mainly applications connecting to an Oracle DB.
Any recommendations on which Netgate hardware I should go with? It needs to have dual-WAN capabilities. Once running, I’ll import the config into a backup device that sits on a shelf in case of hardware failure. These devices will only run IPSec with wide-open firewalls on LAN/VPN. There are other firewalls doing filtering.
-
@munchie A 6100 or maybe 8200:
https://forum.netgate.com/topic/177442/netgate-6100-with-2gb-symmetric-connection
If you’re going to have a backup, realize pfSense can do high availability with seamless cutover. Well, except maybe not IPSec: https://docs.netgate.com/pfsense/en/latest/highavailability/ipsec.html
But it will sync config and states in real time. Plus you can update the backup, then fail over, update the primary, and fail back, without dropping connections.
-
@steveits The HA function is nifty. But in my experience, a lightning strike or surge takes out my equipment, so I'd rather have one on a shelf as an emergency. An employee can easily swap it out.
-
@munchie said in Need hardware for a Site to Site VPN:
@steveits The HA function is nifty. But in my experience, a lightning strike or surge takes out my equipment, so I'd rather have one on a shelf as an emergency. An employee can easily swap it out.
All true. :) If someone's on site, I suppose...we have HA in our data center but always have some sort of spare for us/our clients. Just have to save config files religiously. We do after every change.
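Since the advice here is to keep a config backup after every change, a small script that fingerprints each saved config, diffs two copies, and flags weak IPsec phase 1 parameters is a practical companion. This is an added example and not from the thread or from Netgate; the two XML documents are constructed samples, and the element layout (`<pfsense><ipsec><phase1>` with `<encryption><item>` entries) is assumed for the example rather than taken from the thread.

```python
"""Fingerprint, diff and sanity-check pfSense-style config.xml backups.

Added example (not from the forum thread). The XML below is constructed;
the element names are an assumption about the exported config layout.
"""
import hashlib
import xml.etree.ElementTree as ET

# Constructed "before" backup: one IKEv2 phase 1 to the main site.
OLD_CONFIG = """<pfsense>
  <system><hostname>branch1-fw</hostname></system>
  <ipsec>
    <phase1>
      <ikeid>1</ikeid>
      <iketype>ikev2</iketype>
      <interface>wan</interface>
      <remote-gateway>203.0.113.10</remote-gateway>
      <encryption>
        <item>
          <encryption-algorithm><name>aes</name><keylen>256</keylen></encryption-algorithm>
          <hash-algorithm>sha256</hash-algorithm>
          <dhgroup>14</dhgroup>
        </item>
      </encryption>
    </phase1>
  </ipsec>
</pfsense>
"""

# Constructed "after" backup: someone downgraded the DH group.
NEW_CONFIG = OLD_CONFIG.replace("<dhgroup>14</dhgroup>", "<dhgroup>2</dhgroup>")

# Parameter sets a reviewer would flag in an IKE proposal (assumed policy).
WEAK_DH = {"1", "2", "5"}
WEAK_HASH = {"md5", "sha1"}
WEAK_ENC = {"des", "3des"}


def fingerprint(xml_text: str) -> str:
    """SHA-256 of the canonicalized document, so whitespace-only edits match."""
    canonical = ET.canonicalize(xml_text, strip_text=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def _walk(elem: ET.Element, path: str, out: dict) -> None:
    """Record every leaf as path -> text, numbering repeated siblings."""
    counts: dict = {}
    for child in elem:
        counts[child.tag] = counts.get(child.tag, 0) + 1
        child_path = f"{path}/{child.tag}[{counts[child.tag]}]"
        if len(child) == 0:
            out[child_path] = (child.text or "").strip()
        else:
            _walk(child, child_path, out)


def flatten(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    out: dict = {}
    _walk(root, root.tag, out)
    return out


def diff_configs(old_xml: str, new_xml: str) -> dict:
    """Return which leaf settings were added, removed or changed."""
    old, new = flatten(old_xml), flatten(new_xml)
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": sorted(k for k in old if k in new and old[k] != new[k]),
    }


def weak_phase1_settings(xml_text: str) -> list:
    """List phase 1 proposals that use a weak DH group, hash or cipher."""
    root = ET.fromstring(xml_text)
    findings = []
    for p1 in root.iter("phase1"):
        ikeid = p1.findtext("ikeid", "?")
        for item in p1.iter("item"):
            dh = item.findtext("dhgroup", "")
            hash_alg = item.findtext("hash-algorithm", "").lower()
            enc = item.findtext("encryption-algorithm/name", "").lower()
            if dh in WEAK_DH:
                findings.append(f"phase1 ikeid={ikeid}: DH group {dh} is weak")
            if hash_alg in WEAK_HASH:
                findings.append(f"phase1 ikeid={ikeid}: hash {hash_alg} is weak")
            if enc in WEAK_ENC:
                findings.append(f"phase1 ikeid={ikeid}: cipher {enc} is weak")
    return findings


if __name__ == "__main__":
    print("old:", fingerprint(OLD_CONFIG)[:16], "new:", fingerprint(NEW_CONFIG)[:16])
    print("diff:", diff_configs(OLD_CONFIG, NEW_CONFIG))
    print("weak settings in new backup:", weak_phase1_settings(NEW_CONFIG))
```

Run it against two consecutive backups of the same box: a fingerprint change with an empty diff means only formatting moved, while a populated `changed` list tells you exactly which setting to review before the backup is trusted as the restore image for the shelf spare.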
-
If availability is more important to you than throughput, you might consider having something like a pair of always-up OpenVPN tunnels with one server on each WAN.
Depending on how the connections are used, you could fail over/load-balance the gateways or use some dynamic routing across them. You could do the same with route-based IPSec (VTI). Or WireGuard, for that matter.