Shared line connection - firewall and VPN setup

#342049

Postby gbaps » September 22nd, 2020, 9:40 pm

Evening All

Can anyone please advise on the below for best setup for a secure connection?

We have a small office, 6 permanent office staff with 2-3 extra occasional users when near the office.

When moving to new premises, the broadband provider made an error informing us they could provide fibre broadband for our internet and VOIP phone service. It turned out that the available phone lines could not even give us light web browsing let alone access for cloud based Microsoft365 access with DropBox and VOIP services etc.

Long story short, with poor mobile signal we settled for 2 x 4G routers, 1 for VOIP phones and 1 for 6+ staff internet (100GB per month, which we normally reach a day or 2 before end of month). We struggle with large file downloads and Windows 10 updates drain our data even when limiting which machines do updates.

On our estate a neighbour has invested in 500Meg up/down service and will share with a couple of the other businesses. We should hopefully receive 100Meg up/down. Yesterday we had the link (CAT5/6) fitted and it's ready for us to connect.

We have an IP address, subnet mask & gateway issued and I have ordered a Draytek 2862vac router/firewall for us to combine our internet & VOIP phone service needs.

Questions: How can I set the Draytek so that our traffic is secured for our office link, with firewall settings?
Could I set the Draytek to be always on VPN so no snooping can occur and all our users' traffic to the outside world/browsing is through VPN - is this possible?

Notes: We have no onsite servers to connect to from home workers, just the need to keep our traffic from being intercepted. All our mail is M365 exchange based, DropBox and apps are cloud based services.
I know the throughput of this router via VPN is 60Meg.

Thanks in advance

Gary

#342146

Postby Infrasonic » September 23rd, 2020, 9:52 am

I'd suggest you log onto the user forums and see what they think.
Drayteks have a lot of settings options beyond that of most ISP supplied modem/routers, you'll need model specific advice from experienced network sysadmin types.

As a general point I'd be looking at having split VPN / non VPN traffic options available, not everything likes VPNs and not all traffic needs it (unless you work for GCHQ/MI5/6 ;) ). Also bear in mind the VPN bandwidth limit is best case (theoretical not real world) and being split amongst multiple users.

#342205

Postby gbaps » September 23rd, 2020, 12:02 pm

Infrasonic wrote: I'd suggest you log onto the user forums and see what they think.
Drayteks have a lot of settings options beyond that of most ISP supplied modem/routers, you'll need model specific advice from experienced network sysadmin types.

As a general point I'd be looking at having split VPN / non VPN traffic options available, not everything likes VPNs and not all traffic needs it (unless you work for GCHQ/MI5/6 ;) ). Also bear in mind the VPN bandwidth limit is best case (theoretical not real world) and being split amongst multiple users.


Thanks Infrasonic, I'll check the Draytek forums. The concern was not knowing how the shared link coming to us is handled and what (in theory) the neighbour could 'see' of our traffic passing through his connection.

Good point on split VPN/non VPN, hadn't thought of the things that might be affected and not GCHQ etc. :lol:

I will post an update for the thread if I get an answer from the forums, cheers.

#342211

Postby Infrasonic » September 23rd, 2020, 12:12 pm


#342217

Postby Infrasonic » September 23rd, 2020, 12:30 pm

If you can't do everything you want just with the Draytek (unlikely), have a look at using multiple routers (a good use for old ones as long as the advanced settings are accessible via admin and they do DMZ/Bridging et al).
Loads of tutorials on YouTube.
https://www.youtube.com/watch?v=uVBP30nd6_Q
Steve Gibson's guide to using multiple routers for a secure network.
Java is finally leaving the browser, Google's February Nexus Android update, the ongoing encryption debate, and Steve talks about how to set up a secure network for all your devices with no less than three dumb routers.
Cont.

#346795

Postby gbaps » October 10th, 2020, 6:53 pm

Hi All

Just to close off the thread, I posted on the Draytek forum but although there were a few views, there were no thoughts on setup.
My guess is there are probably too many variables for our setup for giving newbie users a starting point.

I did speak to the independent IT company who set up the neighbour's kit and provided the cabling between buildings and it seems they are 'in charge' of provisioning. I have asked them to quote for some endpoint security as below.

It seems the neighbour and us have our own segments of the shared line, each in our own VLANs - so no ability to see each other's networks. The IT company said that as long as passwords are changed on the Draytek, they are pretty good out of the box with regards to firewall. They said the use of a decent endpoint security software was another recommendation - i.e. AV/firewall protection etc. on each PC.

Although we don't have the internet line terminating directly in our premises, unless I can understand intrusion detection/firewall configuration as a professional user, I think the IT company's help and AV/firewall software is the best we can do to the incoming connection.

Thanks to Infrasonic for the links, I need to listen and read a lot more to understand at a deeper level.

BTW speed is consistently over 200Mb download so all PCs and VOIP phones now happy on the one connection.

Cheers

Gary
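
An added example, not part of the thread or anyone's post: one way a tenant could check the "each in our own VLAN" claim from its own side is to capture ARP broadcasts on the router's WAN-facing port and flag any sender that is neither the office router nor the issued gateway. The addresses are documentation-range placeholders (the thread does not give the real ones) and the capture lines are constructed in the style of `tcpdump -n -e arp` output.

```python
import ipaddress
import re

# Assumed placeholders, not from the thread: the WAN address, gateway and
# subnet issued for the office's segment of the shared line.
OFFICE_WAN_IP = "192.0.2.10"
GATEWAY_IP = "192.0.2.1"
OFFICE_SUBNET = ipaddress.ip_network("192.0.2.0/28")

# ARP request lines as printed by `tcpdump -n -e arp`.
ARP_RE = re.compile(
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > \S+ ethertype ARP .*?"
    r"Request who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+)"
)

# Constructed sample capture (not real traffic).
SAMPLE = """\
21:40:01.100000 00:1d:aa:00:00:10 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.1 tell 192.0.2.10, length 46
21:40:02.200000 00:1d:aa:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.10 tell 192.0.2.1, length 46
21:40:03.300000 3c:52:82:00:00:77 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.1 tell 192.0.2.12, length 46
21:40:04.400000 3c:52:82:00:00:88 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.20.0.1 tell 10.20.0.45, length 46
21:40:05.500000 3c:52:82:00:00:88 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.20.0.1 tell 10.20.0.45, length 46
"""


def foreign_arp_senders(capture_text, known_ips, subnet):
    """List ARP senders seen on the segment that are not in known_ips.

    Any entry means the broadcast domain is shared with another host;
    in_office_subnet=False means another network's broadcasts reach the port.
    """
    seen = {}
    for line in capture_text.splitlines():
        m = ARP_RE.search(line)
        if not m or m["sender"] in known_ips:
            continue
        key = (m["sender"], m["mac"])
        seen[key] = seen.get(key, 0) + 1
    return [
        {"ip": ip, "mac": mac, "frames": n,
         "in_office_subnet": ipaddress.ip_address(ip) in subnet}
        for (ip, mac), n in sorted(seen.items())
    ]


if __name__ == "__main__":
    known = {OFFICE_WAN_IP, GATEWAY_IP}
    for hit in foreign_arp_senders(SAMPLE, known, OFFICE_SUBNET):
        print(hit)
```

An empty result over a long capture is consistent with the segment being isolated; any unexpected sender is something to raise with whoever provisions the shared line.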

