[aklug] Re: OT(?): Remote Access VPN

From: Royce Williams <royce@tycho.org>
Date: Tue Oct 20 2015 - 22:37:36 AKDT

The more I thought about it, the more I realized that it's time to upgrade.

Since I will be paying the ~$40 for shipment from Europe, if anyone wants to
combine shipping with me, speak up in the next 48 hours or so and I'll add
your order to mine.

I'm buying direct from PC Engines. Net hardware cost is $177.40 (plus
$26.10 if you want the Atheros-based a/b/g/n wireless stuff = $203.50).
You would pay your actual hardware cost plus (1/n)% of the shipping, based
on n people on the order.

Ignoring the shipping+handling below, this is what we'd be getting:

Qty  Description                               Price      Total      HTS code   Origin  Weight
1    APU.1D4 system board 4GB                  USD145.00  USD145.00  8471.5000  TW      235g
1    Enclosure 3 LAN, black, USB               USD10.00   USD10.00   8473.3000  CN      241g
1    AC adapter 12V US plug for IT equipment   USD4.40    USD4.40    8504.4040  CN      150g
1    SSD M-Sata 16GB MLC Phison                USD18.00   USD18.00   8523.5100  TW      10g
1    Compex WLE200NX miniPCI express card      USD19.00   USD19.00   8517.7000  CN      10g
2    Cable I-PEX -> reverse SMA                USD1.50    USD3.00    8544.2020  TW      10g
2    Antenna reverse SMA dual band             USD2.05    USD4.10    8517.7000  TW      56g

     Shipping + handling                                  USD40.80
     Total                                                USD244.30                     712g

I tried a 10-box order and a 30-box order, and the shipping went up $2, but
whatever the actual shipping is, I'll pass that along at the 1/n rate as
well.

The assembly and software install is easy -- I'm basically doing this:

https://mateh.id.au/2014/09/build-awesome-apu-based-pfsense-router/

To address some of JP's valid points, I'll explore using inexpensive USB
drives to handle write-heavy activity.

I'm not too concerned about using specialized hardware. If you back up your
config, you can swap in a refurbished PC temporarily. pfSense knows when
its hardware has changed, and will guide you through picking which of the
new NICs are LAN vs WAN. It's very easy to restore your production setup
quickly on just about any hardware. And the power draw is much lower than
on a refurbished PC. The only real drawback is the Realtek NICs. I'd
prefer Intel or Chelsio. From my reading, as long as you're not pushing
close to the max (600 or 700Mb/s), things should be just fine.

I'm also not concerned about it being FOSS -- it's well integrated by some
people who have been doing it for a long time, and designed to work well
with a wide range of gear.

Let me know off list if you want to combine shipping with me -- say, by
midnight Thursday night.

And if we all go to lunch when the order gets here, you can each buy 1/n of
my lunch. ;)

Royce

On Tue, Oct 20, 2015 at 1:57 PM, JP <jp@jptechnical.com> wrote:

> Where do you sleep Damien? :-D
>
> A commercial solution is perfectly viable as an option, whatever you need
> for the application. Just don't drink the Cisco koolaid.
>
> *JP (Jesse Perry)*
> voice/txt: 907-748-2200
> email: jp@jptechnical.com
> web: http://jptechnical.com
> support: helpdesk@jptechnical.com
>
>
> On Tue, Oct 20, 2015 at 1:40 PM, Damien Hull <dhull@section9.us> wrote:
>
>> I'll jump in here and add my 2 cents. Which is about all I have left.
>>
>> 1. Don't use the Windows server as the VPN end point
>> 2. In a small office situation you should use the gateway/firewall for
>> this.
>> 3. You can authenticate through RADIUS which ties into AD. This is a role
>> in Server 2008
>> 4. I would recommend an off the shelf solution rather than rolling your
>> own.
>>
>> I'm in the middle of deploying Meraki MX80's. May not be the right
>> solution for you but they seem to be working well for us. Dropping in
>> Firewall number 2 this Friday. I'm deploying a total of 4. Might be adding
>> number 5 if we get another office.
>>
>> And I know someone will kill me in my sleep for recommending something
>> other than an opensource solution. I do have opensource solutions on my
>> network. Just not the firewall.
>>
>> That's my 2 cents.
>>
>>
>> On Tue, Oct 20, 2015 at 11:18 AM, Christopher Howard <
>> christopher.howard.asi@gmail.com> wrote:
>>
>>> Hey guys... so I took up a job at a small business which is basically a
>>> Windows shop (hey, gotta eat...) and I wanted to set up a simple Remote
>>> Access VPN so the boss could access the network files while abroad. They've
>>> got a WS2008 running their AD and DHCP on the intranet (but it isn't the
>>> gateway). So, my first thought was to see if it had built in VPN
>>> functionality. It does, but I ran into some trouble -- apparently in WS2008
>>> the remote access VPN functionality is tied into the IP routing
>>> functionality (which we aren't using). So, when I activated the RRAS,
>>> there was some strange conflict with DHCP and it instantly disconnected
>>> everyone's access to the network storage shares! Fortunately, I was able to
>>> reverse things before causing too much pandemonium, but obviously now I'm a
>>> bit nervous...
>>>
>>> So, now I am trying to figure out if it is worth monkeying around with
>>> this some more to get it working, or if I should look at some other
>>> approach. Maybe just put a small Linux box on the network and run a FOSS
>>> VPN server from it? (I'm imagining complications down the road trying to
>>> get user authentication tied into the AD system if we eventually get
>>> multiple users.) I looked on our gateway router but didn't see any kind of
>>> VPN functionality.
>>>
>>> Any sage advice from the seasoned admins?
>>>

---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Tue Oct 20 22:38:28 2015

This archive was generated by hypermail 2.1.8 : Tue Oct 20 2015 - 22:38:28 AKDT