Namely that they deliberately under-produced them so they'd be out of stock and thus seen as more desirable, and then suddenly just discontinued their production for no apparent reason.
Thanks. I like the look of those a lot. It's a good deal cheaper than a similar Netgate device (my go-to since they own pfSense). The only real area where it looks like it would have notably worse performance would be VPN, since it lacks AES acceleration. But so long as that isn't being used it should be around the same speed as the 4-core Atoms Netgate uses.
I may think about one for home. I'll probably stick with my EdgeRouter Lite since those Cavium chips just get lower latency than you can get in pure software at this point, but I am a bigger fan of pfSense than EdgeOS for sure.
You have any companies that make a setup you like for it? I'm always shopping for new places to get low power/embedded type network devices.
Moving to a better router? DD-WRT isn't as updated as it should be these days and has slow performance. Modern consumer routers are fast because they use packet acceleration tech built into their chips. DD-WRT doesn't know how to do that (at least not that I've ever seen).
So what I recommend for geek types is go to three devices: Modem -> router -> wireless. You can repurpose your existing router as a WAP, or get a purpose built WAP. Either way, you don't do routing on it. Then get a purpose built router.
My top recommendation is a Ubiquiti EdgeRouter Lite. About $100 for a little wired 3-port device that'll pass a gig of traffic with low latency since it has packet acceleration and knows how to use it. It's a bit on the complex side and you can't do all setup through the GUI (IPv6 requires command-line work) but it is powerful, and they are pretty good at updating it. Runs a customized version of VyOS and provides you with access to all the low-level stuff. You can compile your own shit for it if you like (it is MIPS64 though).
If that isn't to your taste my second choice is pfSense. You can run that on anything x86, but the devices they sell on their site, made by Netgate, are great choices. It's more expensive to hit gigabit speed because it runs all in software, and that also means its latency is higher. That said, I like the interface better and it is an exceedingly powerful and flexible firewall. It's updated regularly, you can buy professional support, and since it is software you can run it on anything, including a VM. Runs BSD underneath and you can get access to the low level if you want to mess with it.
Third choice would be something like a Cisco RV340 or maybe RV320. It's the same general hardware as the EdgeRouter Lite, a Cavium Octeon processor which is MIPS64 + packet processing, but with Cisco's OS whacked on. Easier to use overall, though not as flexible. Cisco tends to be OK with security updates. They use a slower CPU and less RAM so you aren't going to get a full gig, but they are pretty fast and are nice and low latency. Not too bad price-wise either, like $150 for the RV320.
Oh OK, gotcha. In that case, I'd go for Private Internet Access. Their privacy rules are very good (in all cases we have to take the company's own statement on it), the price is good, performance seems to be good, and it uses open standards for VPN connections. It also isn't like some where they are located in some minor island nation you've never heard of; they are in the US.
It's what I use and what my instructor at SANS recommended to someone else this week who asked the same question.
If you wanted to filter all systems through it you'd just need a router/firewall that did it; again pfSense would do. It uses OpenVPN by default (can do IPsec as well) and pfSense supports that. Your internal systems talk to pfSense, have pfSense VPN to PIA and then set your routing to do 0.0.0.0 over the VPN. Make sure outbound rules are properly configured so traffic is only allowed over the VPN interface and you've got an automatic, transparent system where all systems will communicate via the VPN. You can always change rules if needed to permit direct communication.
If you don't want a network box you can set up your OSes to auto-dial PIA on start. For Windows this is best accomplished with the built-in IPsec VPN client; on Linux OpenVPN works nicely (though either can do both). Again, you set local firewall/routing rules to prohibit traffic over the local net and require the VPN to be up. Then just treat it like dial-up from the old days.
So give PIA a look, they seem to do well.
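For the Linux host variant above (OpenVPN up at boot, local firewall refusing anything that is not the tunnel), here is an added example of what those "require the VPN to be up" rules look like as an nftables ruleset. It is not from the original posts or from PIA; the interface names (tun0, eth0), the VPN endpoint address and port are assumed placeholders you must replace.

```shell
#!/bin/sh
# Added example: an nftables "kill switch" for a Linux host that dials a VPN
# provider with OpenVPN. Assumed names (replace for your setup):
VPN_IF="${VPN_IF:-tun0}"                   # OpenVPN tunnel interface
LAN_IF="${LAN_IF:-eth0}"                   # physical NIC
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"   # placeholder endpoint (TEST-NET-3)
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"

# Render the ruleset as text so it can be reviewed and diffed before loading.
render_killswitch() {
cat <<EOF
flush ruleset
table inet killswitch {
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        # Only the OpenVPN handshake itself may leave via the physical NIC
        oif $LAN_IF ip daddr $VPN_SERVER $VPN_PROTO dport $VPN_PORT accept
        # DHCP keeps the LAN address alive while the tunnel is down
        oif $LAN_IF udp dport 67 accept
        # Everything else must go through the tunnel or is dropped
        oif $VPN_IF accept
        counter drop
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        counter drop
    }
}
EOF
}

# Check helper: returns 0 when the supplied `ip route show` text has its
# default route on the tunnel interface, i.e. 0.0.0.0/0 is going over the VPN.
default_route_is_vpn() {
    printf '%s\n' "$1" | grep -q "^default .*dev $VPN_IF"
}

# Usage: ./killswitch.sh apply   (loads the rules; needs root and nftables)
if [ "${1:-}" = "apply" ]; then
    render_killswitch | nft -f -
fi
```

Run `render_killswitch` alone first to eyeball the rules; `default_route_is_vpn "$(ip route show)"` is a quick post-connect check that the 0.0.0.0 route really moved to the tunnel.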
It is getting hard to work in the world with no 'net access. The governments want to use it themselves for many reasons, including just entertainment for the party elite. So, cut that off and they are brought down to the level of their citizens, and that they don't like.
Sanctions can work when they can actually affect the powerful. If you can do something that makes their life worse, that has an effect on them, then they care. This is something that has the potential to do that.
No silver bullet, but nothing is.
With IPsec you can set up all kinds of policies as to what can communicate with what and you can, if you wish, encrypt all traffic, even over the local LAN. Be warned: it can get complex and you are going to need PKI set up if you want to have any realistic hope of managing it in an enterprise. However, you can set things up so that all traffic is encrypted on the wires for all communications, and so that devices can only communicate with other devices of your choosing.
So for a simple setup you could have a firewall (pfSense if you want a cheap one) that talks to whatever your VPN/proxy is. Then set IPsec policies so that all your computers talk only to it. All traffic will pass only through the pfSense (even internal traffic) and it'll all be encrypted (if you specify that). You set the firewall/routing rules on the pfSense and you can force all outbound traffic over the VPN, and decide what can talk to what inside.
That's a simplistic setup, and the firewall will be a bottleneck, but it's a simple start. You then can do things like have system-to-system IPsec communication, more firewalls, additional routing controls (on systems or the network), etc.
I don't want to be young again, I just don't want to get any older.