My current network setup consists of the ISP supplied Gateway/Wi-Fi/Router combo and a Netgear JGS524PE 24 port Gigabit PoE switch. I like this minimal setup but I don't believe it is secure enough. I'm looking for a VPN router that has the ability to block all WAN traffic to my cameras. I am leaning towards a Ubiquiti EdgeRouter (X or Lite?) but it seems like it might be difficult to configure. Also, I think I would need to get an AP since I probably wont be able to use the ISP Gateway's Wi-Fi. Any easier to configure alternatives or suggestions?
Need Router Recommendation
- Thread starter zeoclang
- Start date
hmjgriffon
Known around here
looks like the edge lite would be more than enough, didn't see what is has for vpn but it does say it has it.
Edgerouter lite does not come with native OpenVPN. And it's a PITA to set up for a novice. Check out the Ubiquiti forum on what is required using CLI.
Pfsense and OpenVPN. Ubiquiti Networks Unifi 802.11ac Dual-Radio PRO Access Point (UAP-AC-PRO-US) for your Wireless. NETGEAR ProSAFE GS728TPP 24-Port Gigabit PoE+ Smart Managed Switch 384w (GS728TPP) for 24 port PoE+ switch.
I have rules in pfsense firewall to block all outbound packets from my ip cams.
Sent from my iPhone using Tapatalk Pro
I have rules in pfsense firewall to block all outbound packets from my ip cams.
Sent from my iPhone using Tapatalk Pro
If you decide to go with the edgerouter lite i have one for sale in the classifieds 
WTS - Ubiquiti Edgerouter Lite ERLITE-3
WTS - Ubiquiti Edgerouter Lite ERLITE-3
hmjgriffon
Known around here
almost went with pfsense myself but ended up doing openBSD lol which is basically the same thing but no web interface to admin it.
What made you switch from the ERLITE-3 to the USG?If you decide to go with the edgerouter lite i have one for sale in the classifieds
WTS - Ubiquiti Edgerouter Lite ERLITE-3
Most decent home routers can have DD-WRT or Tomato firmware flashed on them and either of those provide an OpenVPN server and client. Myself, I use an Asus RT-AC68U with Tomato and it can actually run two OpenVPN servers, two OpenVPN clients, a PPTP server and client, and a third option called Tinc. The one thing I don't like about Tomato firmware is it doesn't grant low level access to firewall rules. To block cameras and stuff from accessing the internet, I have to add each of their IP addresses individually to a list in the Access Restriction page. I can't add an IP range.
...
...
Last edited:
hmjgriffon
Known around here
Most decent home routers can have DD-WRT or Tomato firmware flashed on them and either of those provide an OpenVPN server and client. Myself, I use an Asus RT-AC68U with Tomato and it can actually run two OpenVPN servers, two OpenVPN clients, a PPTP server and client, and a third option called Tinc. The one thing I don't like about Tomato firmware is it doesn't grant low level access to firewall rules. To block cameras and stuff from accessing the internet, I have to add each of their IP addresses individually to a list in the Access Restriction page. I can't add an IP range.
...
so you have openvpn working on there? I bailed and built my own firewall because openvpn on tomato stopped working with the android app. tomato and dd-wrt also were not getting updated for shit and were full of holes, at least on the hardware I have, they now run as wireless AP's only.
Main reason is because it integrates with my unifi switch and AP. All of the traffic data and configuration you can do with the unifi controller does not work with the edgerouter. The USG gives me everything I needed that i couldn't do with my airport. From what I've read the hardware may be identical but the software is different between the two.
I spent the last hour or so reading up on the USG. This forum is going to cost me so much money... lol
I had been wanting the ERLite-3 because I saw a cli config where it could do WAN failover (and you could restrict which devices get out to the Internet when it's failed over). My home alarm system reports over Internet only, so I eventually want to get a cellular backup device to fail over to. FreedomPOP offers 200mb/month cellular data for free, so if the router could restrict everything but the alarm when the main Internet fails, that'd be perfect.
Didn't think the USG could do a config like that (when I first looked at them). But it looks like you can take a cli config that works on the ERLite-3 to run on the USG with some finagling. That's kind of awesome!
Last edited:
wantafastz28
Getting comfortable
Thanks for the great suggestions. I researched every one thoroughly and they all seem like great devices once setup correctly. Here are my thoughts on them:
EdgeRouter - Hardest to configure due to needing to use the CLI, would need to purchase an AP
pfSense - Medium difficulty, the SG-1000 is somewhat expensive, would still have to purchase an AP
Asus Router - Easy, installing Tomato doesn't seem too difficult
I think I will get the Asus RT-AC56U. It supports Tomato by Shibby and AdvancedTomato. Asus has a $20 rebate available right now which brings the price of it down to $75. Since I don't need the faster wireless speeds in the higher end models, the RT-AC56U seems like the economical choice.
EdgeRouter - Hardest to configure due to needing to use the CLI, would need to purchase an AP
pfSense - Medium difficulty, the SG-1000 is somewhat expensive, would still have to purchase an AP
Asus Router - Easy, installing Tomato doesn't seem too difficult
I think I will get the Asus RT-AC56U. It supports Tomato by Shibby and AdvancedTomato. Asus has a $20 rebate available right now which brings the price of it down to $75. Since I don't need the faster wireless speeds in the higher end models, the RT-AC56U seems like the economical choice.
hmjgriffon
Known around here
I suggest verifying with someone who has one with tomato that OpenVPN actually works with the mobile apps right now, because it damn sure broke for me and that's when I ended up building my own damn firewall. Also I haven't kept up with those projects, make sure they are getting security patches and updates, if you care about that because I was running it for a long time knowing it was full of holes but when my VPN broke that was the last straw, just hate to see you come in here pissed off because VPN isn't working.
I have an ERX, with a linksys router in ap mode. the vpn server is on the blue iris pc and the cameras are connected to the router through a PoE switch. ERX setup wasn't as easy as setting up a typical home router but there is a wizard and it's not like I had to to everything manually. DDNS was a breeze though.
I probably should put the cams on a vlan and bridge the pc to it instead of leaving the cams on the same network as everything else.
Configuring an OpenVPN server manually is cumbersome on a PC. A CLI can make it even more cumbersome if depending your level of comfort. Never had any trouble once it was setup though. Certificate based connections (no user/pass) are relatively easy to work with.
I probably should put the cams on a vlan and bridge the pc to it instead of leaving the cams on the same network as everything else.
Configuring an OpenVPN server manually is cumbersome on a PC. A CLI can make it even more cumbersome if depending your level of comfort. Never had any trouble once it was setup though. Certificate based connections (no user/pass) are relatively easy to work with.
hmjgriffon
Known around here
Yep, I've got all the certs in the .ovpn file, alls I have to do is import it into any openvpn client and off to the races!
If you want a slightly better AC1900 router, get the TM-AC1900 from Amazon.com for $79.99 and hack it to Merlin or DD-WRT or Asus-WRT firmware. It's the exact same hardware as the top-rated RT-AC68U router, and once you tweak the firmware, it's a fantastic consumer-grade router.
As an Amazon Associate IPCamTalk earns from qualifying purchases.
cainrand
Getting the hang of it
I use Untangle Firewall - it is an Open Source based operating system. They have a free version but for a full function home use version it is like $50 per year.
It lets you use just about any computer tower as your Router/Firewall/VPN Server, etc.
You will have to install a PCI Network Interface Controller.
I have two 4 port NICs installed giving me capability of 8 separate networks. I keep my security cams on their own network, my personal computers, printers on their own network, etc.
Screenshot of what the installed App panel looks like. Lot of great features here. For WiFi I just added an old Cisco E3000 to the switch.
It lets you use just about any computer tower as your Router/Firewall/VPN Server, etc.
You will have to install a PCI Network Interface Controller.
I have two 4 port NICs installed giving me capability of 8 separate networks. I keep my security cams on their own network, my personal computers, printers on their own network, etc.
Screenshot of what the installed App panel looks like. Lot of great features here. For WiFi I just added an old Cisco E3000 to the switch.
