Best router for a small hosting?

[pandacraft]

Hey i m new to networking but i run a small hosting in the netherlands. And i need advice because we are planning on getting a small core router for out network.

It needs to be able to make vlans, route multiple ip blocks / allow them to be used inside the network, and 10gbe networking so 2 sfp+ ports.

[pandacraft]

I was personally thingking to go with the udem pro from unify to begin with and get something else when we get bigger.

[LAwLz]

It depends on what your requirements are and what it will be used for.

I assume you mean you are thinking of the UDM-Pro? That's not really a router so it might not be what you're after. 

 

The UDP-Pro is not really a pro offering, it's more of a hobby/enthusiast/SMB thing. But it might be enough.

[Dujith]

52 minutes ago, pandacraft said:

I was personally thingking to go with the udem pro from unify to begin with and get something else when we get bigger.

The dream machine is pretty limited, you can do alot from ssh but it will be wiped if you ever use the web interface.

Better get an edgerouter or a mikrotik for that matter. It will however require you know what you are doing.

[pandacraft]

it will be used as the main gateway to our hosting network so it needs to be able to handle 10gbit if needed we have right now a switch with our 10gbit uplink but we need a router or a device that is rackmountable and can do some firewall rules but also vlans and hcp etc

[Dujith]

2 minutes ago, LAwLz said:

I assume you mean you are thinking of the UDM-Pro? That's not really a router so it might not be what you're after. 

In all fairness it is a router, just very limited when you want to do per ip routing or anything other then basic loadbalancing / switchover

[pandacraft]

the udm pro lookeds great for what i need but the udm pro isnt really a datacenter router thats kinda the problem

[pandacraft]

and we need to be able to isolate dedicated customers and eventually aswell colocation cumstomers so they cant enter our main network / talk to our main servers

[LAwLz]

27 minutes ago, Dujith said:

In all fairness it is a router, just very limited when you want to do per ip routing or anything other then basic loadbalancing / switchover

Well it can do routing in the same sense as for example Cisco's L2 switches can do routing. Pretty sure it doesn't even have routed ports.

But like I said, I am not sure OP even needs a router. Something like the UDM might be fine.

 

 

25 minutes ago, pandacraft said:

the udm pro lookeds great for what i need but the udm pro isnt really a datacenter router thats kinda the problem

Since you're looking at the UDM to begin with I assume it's a small business and a limited budget. Chances are "proper" datacenter devices are far out of your budget, unless you're buying second hand but at that point you got the same issues as with Ubiquiti, for example a lack of proper enterprise support.

 

What does the network look like, what will be it be used for, how big needs do you have on reliability, etc. Those are some of the questions that needs to be answered before I feel comfortable recommending specific products.

 

 

  

23 minutes ago, pandacraft said:

and we need to be able to isolate dedicated customers and eventually aswell colocation cumstomers so they cant enter our main network / talk to our main servers

Is this for an MSP type of business? If you want a firewall with some limited routing capabilities then I think a Fortigate would probably be a safer bet than the Ubiquiti. They aren't terribly expensive, supports HA even on the lower end models and on the higher end models you get support for VDOMs as well, which are virtual firewalls, which are great if you want further isolation between customers. Plus you can get support. They aren't as user friendly as Ubiquiti though, but "plug-n-play" and "enterprise secuirty" generally don't go hand in hand.

 

 

[pandacraft]

15 minutes ago, LAwLz said:

What does the network look like, what will be it be used for, how big needs do you have on reliability, etc. Those are some of the questions that needs to be answered before I feel comfortable recommending specific products.

now we have 2 main servers (nodes) and 2 dedicated servers rented to poeple and a simple hp switch with a few sfp+ ports so its small

[pandacraft]

and another reqiurement is it needs to be a 1 u unit

[LAwLz]

21 minutes ago, pandacraft said:

now we have 2 main servers (nodes) and 2 dedicated servers rented to poeple and a simple hp switch with a few sfp+ ports so its small

Not sure what kind of servers the "2 main servers" are but it sounds like it's a very small network. In that case you probably don't need much. Maybe the UDM is enough.

But I would still recommend looking into a small Fortigate instead.

 

[pandacraft]

i looked at some fortigate and they are all over 1k that support 10gbe and more then 1 unit

[pandacraft]

1 hour ago, LAwLz said:

Not sure what kind of servers the "2 main servers" are but it sounds like it's a very small network

we have 2 main nodes for the hosting for shared hosting etc and then 3 dedicated serversthat poeple can rent.

[LAwLz]

5 hours ago, pandacraft said:

i looked at some fortigate and they are all over 1k that support 10gbe and more then 1 unit

If that's outside your price range then yeah, the Ubiquiti is probably your best bet.

Please bear in mind that list prices are usually not what you want to look at for enterprise stuff. For example the company I work for is a platinum partner with Fortigate (as well as several others like Cisco) and we typically get about 50% off when ordering products from them. Then we add a bit to make a profit for ourselves and the price to the customer is something like 70% of the list price. So that 1K firewall might end up costing like 700 if you go through a reseller. 

 

But it is probably overkill for your needs. 

 

I am not sure how the Dream machine works but it might only have one 10Gbps port that you can use. It says on the data sheet that it has one 10Gbps LAN port and one 10Gbps WAN port. So that's something to keep in mind.

I also can't find any performance numbers for things like stateful firewall throughput so I am not sure how well it will perform. Typically, you don't want your heavy traffic (in this case the 10Gbps links) going through the firewall at all. 

 

Also, something else I would like to add is that if you got needs for 10Gbps then you probably don't want to be running that through a firewall like the Fortigate or Dream Machine. 

[pandacraft]

we already have a 10gbit switch there so the ports wont be a problem but our budget for a router is 400 euros atm but the dream machine is the only router that can handle 10gbe that i could find in that price range.

[pandacraft]

but how would i allow in the udm pro the public ips we have for our services?

[LAwLz]

17 hours ago, pandacraft said:

we already have a 10gbit switch there so the ports wont be a problem but our budget for a router is 400 euros atm but the dream machine is the only router that can handle 10gbe that i could find in that price range.

I am not sure the Dream Machine can handle 10Gbps. It depends on what you are going to do with it. For example if you enable IPS then it tops out at 850Mbps.

 

I can't find any numbers on what it will do with a mix of NAT and regular stateful firewalling though so who knows what it will perform like.

 

 

16 hours ago, pandacraft said:

but how would i allow in the udm pro the public ips we have for our services?

Depends on what the network looks like, but you will most likely have to NAT the servers out on the Internet, and then make firewall rules that allows traffic in to those addresses.

Like I've said several times, it highly depends on what the network looks like, what your traffic patterns look like, what features you are going to use or not use, and so on. There are a million factors and without having a clear understanding of your needs and your network, it is pretty much impossible to help you.

We just don't have enough information to answer your questions accurate.

[pandacraft]

the udm pro can handle 8gbit without problems with ips or ids on idk what its called so wont be a problem

[LAwLz]

5 hours ago, pandacraft said:

the udm pro can handle 8gbit without problems with ips or ids on idk what its called so wont be a problem

It can't handle 8Gbps with IPS on.

Ubiquiti themselves claim 3.5Gbps, but that's probably in idea scenarios and real world performance will be lower. Some people on their community forum are posting ~700Mbps figures with it on.

 

Again, I can't find any stateful firewalling numbers but judging by the UI it feels like it is not really designed to be used as an enterprise firewall with lots of different rules. 

[pandacraft]

i was thinking about a server with 2 sfp+ ports and then pfsense or opnsense would that work good?

[LAwLz]

On 3/10/2021 at 6:35 PM, pandacraft said:

i was thinking about a server with 2 sfp+ ports and then pfsense or opnsense would that work good?

If you're comfortable with that then sure. It's not as user friendly as the Dream Machine, and it will probably cost quite a bit, but it should have most if not all features you want and perform well, depending on what hardware you got.

[pandacraft]

i went with a dell r620 for pfsense but now i have a small problem how do i allow my servers to have their public ips configured as static and the pfsense allows it? rn i have no internet assoon i set the static public ips on the servers

[LAwLz]

10 minutes ago, pandacraft said:

i went with a dell r620 for pfsense but now i have a small problem how do i allow my servers to have their public ips configured as static and the pfsense allows it? rn i have no internet assoon i set the static public ips on the servers

What do you mean exactly?

A network diagram would be helpful.

 

Usually you put the servers on an inside network and then use NAT.

So for example your servers might have the IP 10.1.1.100, and then NAT them to let's say 30.1.1.100 (if that's an IP you own).

[pandacraft]

i do not have a network diagram yet

but on server1 i have the public ip 185.117.**.*** rn

but when i hang the server behind pfsense i cant use that ip anymore becouse then i dont get internet acces but i need that to work again