Small, cool PoE router options

Discussion in 'Networking, Telephony & Internet' started by blankpaper, Jul 29, 2019.

  1. blankpaper

    blankpaper Member

    Joined:
    Feb 1, 2013
    Messages:
    1,010
    My internet terminates in a little cupboard, and the current router is a bit warm for that area, I'm a bit concerned.

    Needs to have 1 ethernet WAN, 4-5 PoE LAN. Bonus points if it can serve as VPN server as well but not strictly required. Needs to be passive cooled and not get too hot. Internet connection is 500mbps and I plan to use every bit of it at times so needs to be capable of this. OK if it gets a bit warmer when I'm smashing the internet but otherwise would be good if it wasn't too hot at all other times.

    Besides Ubiquiti and Mikrotik, what are my options? Any recommendations?

    TIA
     
  2. evilasdeath

    evilasdeath Member

    Joined:
    Jul 24, 2004
    Messages:
    4,855
    I think there are very few routers that have PoE ports, I don't know of any really. You will need a separate switch. PoE switches are a dime a dozen these days, just pick one. That leaves a few router options around, take your pick. At 500mbit be careful of performance readings as it's with everything switched off. And if you want VPN to run at 500mbit then you need something beefy indeed with hardware encryption support.
     
  3. Quadbox

    Quadbox Member

    Joined:
    Jun 27, 2001
    Messages:
    6,218
    Location:
    Brisbane
    ubiquiti and mikrotik are the only ones I can think of, and neither do proper 802.3af or .3at anyway. Many of ubiquiti's switches do, but the edgeos routers are all just 24volt passive pass through for their lower grade APs, not proper PoE. Mikrotik's stuff's same deal, except only on one port, as far as I've seen. If it's not 802.3af or at it's not really worth having, it's just pumping amps down your twisted pair and hoping the thing at the other end can hack them
     
  4. Doc-of-FC

    Doc-of-FC Member

    Joined:
    Aug 30, 2001
    Messages:
    3,336
    Location:
    Canberra
    I'd split the capabilities to their respective devices, it then removes a lot of restrictions.

    500mbps throughput is quite a lot for routing which is why the smaller end of town consumer devices do as much offloading as possible, Ubiquiti, Asus the list goes on.

    The trouble with offloading is that it removes the traffic from the path of any ancillary services. Ubiquiti's USG will do routing for a 400/400 service without breaking a sweat; as soon as you want to turn on any of the intrusion prevention services, that throughput will drop to 80mbps. For example, a 2005 Cisco ASA 5520 with an AIM-SSP40 by comparison will deliver 450mbps of IPS capabilities.

    If you don't care for IPS, and just want to route as fast as possible, throw in a cheap USG and get a separate 8 port POE capable switch. Bonus points for doing a unifi whole of design.

    VPN ciphers are a little bit interesting on the Ubiquiti gear, from memory you can't define your own order and whilst it supports some NG encryption flavours it doesn't always play well with friends.

    If VPN is a priority feature, look to something like pfsense on a dual port Intel NUC type device.
     
  5. bcann

    bcann Member

    Joined:
    Feb 26, 2006
    Messages:
    5,666
    Location:
    NSW
    Watchguard firewalls, most of the smaller models (The T Line) have 1 POE Port, VPN, and depending on the model will do 500Mbps... Not exactly cheap but ticks some/most of the boxes.

    Why do you need 4-5 POE Ports?
     
  6. OP
    blankpaper

    blankpaper Member

    Joined:
    Feb 1, 2013
    Messages:
    1,010
    Sorry, I should have been a bit clearer. I'd like internet routing to use as much of the 500mbps as it can, for browsing/downloading/general use. VPN isn't critical but it's acceptable if VPN throughput is significantly less, if VPN server capabilities are there. Don't need any extra services like IPS, not hosting any services/servers on my network either.

    The PoE is for CCTV, and given the size of the cupboard having a single device is preferable, hence the router/switch/PoE all in one being the ideal outcome.

    Switching throughput requirement is low, most of the traffic on the LAN is just CCTV to the NVR.

    Currently looking at the Cisco 1111-4P and 8P as an option, which theoretically fits the bill I think... just gotta check the thermal side of things and double check the real world performance on its WAN port. I work for a reseller so wouldn't be paying RRP, thankfully.


    Edit: for a similar price, the Draytek Vigor2952P also appears to meet the requirements. If they were similar price and features I'd go Cisco only because I'm way more comfortable with their support process, and know my way around their CLI so no biggie for configuration
     
    Last edited: Jul 30, 2019
  7. gdjacobs

    gdjacobs Member

    Joined:
    Apr 3, 2007
    Messages:
    1,446
    Location:
    MB, Canada
    Mikrotik claims to have 802.3af/at support as well as support for passive POE on their hEX PoE.
    https://mikrotik.com/product/RB960PGS
     
  8. ir0nhide

    ir0nhide Member

    Joined:
    Oct 24, 2003
    Messages:
    4,230
    Location:
    Adelaide
    Almost choked on my coffee, thanks for the laugh re: 500Mbps 'firewalled' throughput on a 1111-4P. The 1100 series isn't really a firewall and can't push much encrypted throughput even with the $$$$ licenses. Perhaps a mid range Fortigate?
    How many CCTV cameras? why not just get some injectors?
     
  9. OP
    blankpaper

    blankpaper Member

    Joined:
    Feb 1, 2013
    Messages:
    1,010
    As mentioned above, I don't need VPN throughput to be great, 10-20mbps is fine just for remote access bits and pieces not anything large like file transfers or backup sync.
     
  10. scips

    scips Member

    Joined:
    Apr 10, 2004
    Messages:
    424
    Get an ABN and do a meraki webinar or 3 and get a MX+MS setup with 3year license for free?
     
  11. wintermute000

    wintermute000 Member

    Joined:
    Jan 23, 2011
    Messages:
    1,936
    Do you want a router or do you want a firewall? Then buy appropriate unit

    Firewall and VPN is mediocre at best and horrific at worst on IOS/IOS-XE, will get spanked by any serious FW vendor (Forti etc.) in addition to having no GUI or reporting or any real app-ID / NGFW type functions. Good luck doing URL filtering or SSL decryption or threat prevention or identifying spoofed traffic. Cert based SSL VPN etc. whilst configurable is tricky in IOS CLI, the list goes on. OFC you can always pony up for Umbrella etc.

    OTOH it's a router, it does POE, built-in wifi/4G options, and if you're familiar with IOS then yeah nice and safe and easy in that respect. I've done my fair share of DMVPN or routing over GRE over IPSEC or VTI based black magic in the past so yeah if I was doing some kind of routed VPN I'd love to do it on a nice familiar reliable platform. HOWEVER

    My personal recommendation from what you've listed is the appropriately specced Fortigate. It will do everything FW you can ever want in your scenario, and it's actually more or less a real router, right down to most of the BGP nerd knobs and VRFs. And if you want to do real firewalling you can. It's pretty much the best swiss army knife out there IMO and they also have all-in-one models with Wifi and POE and USB 4G as well. The Wifi is actually not terrible as it's acquired from Meru so it's literally the old Meru stuff rebranded (not sure how far it's developed under the covers but the acquisition wasn't that long ago).
     
    Last edited: Jul 31, 2019
  12. ir0nhide

    ir0nhide Member

    Joined:
    Oct 24, 2003
    Messages:
    4,230
    Location:
    Adelaide
    I'm seeing fortigates used more and more as a cheap router as their dynamic routing is solid and wayyyy cheaper than Cisco for the same job. The 60E-DSL is a great all-rounder too; throw it at a site with whatever connectivity at 100Mbps or below and you're golden.
     
  13. dimension11

    dimension11 Member

    Joined:
    Mar 16, 2016
    Messages:
    47
    From the routing point of view, I would go with pfSense hands down, it can handle everything and the kitchen sink. The entry level one (SG3100) would cap out around 500mbits, so you may need the SG 5100. It'll support all manner of VPNs, Guest networking etc etc. You can even try it out (the software part is free) in a VM or on an old box before committing. Some of their larger devices have PoE, but because they're built for ruggedness and reliability they may not fit depending on the size of your cupboard.
     
