Our Recommendations for SOHO, Branch, and Campus Router-Firewalls, 2023-2024
Somewhere between the crappy router that Comcast rents to you for $15 per month and a full-blown enterprise stack of Cisco/Palo Alto/Juniper appliances lies the Small Office/Home Office (SOHO), “branch” and “campus” market sector. If your organization is small to medium sized and has some specific security and network policy requirements (the occasional VPN or NAT, for example), check out our current recommendations below.
We have always been big Ubiquiti fans here, and it is our recommended entry point. For organizations that are exploring upgrading their firewalls, we also tend to focus on vendors that scale up well, hence Meraki and FortiGate making an appearance on this list. The following are not listed in order of preference, but from least to most expensive, with an honorable mention at the end.
A Note on Service Contracts – Most higher-end network vendors will require some sort of paid service contract. This can be a good and a bad thing. It generally includes support directly from the vendor for setup and configuration questions, as well as troubleshooting support when things don’t go as planned. It also usually includes support in the case of hardware failure, oftentimes with next-day replacement included. For a smaller organization, this may not be a requirement, but for a larger organization, it may factor heavily into disaster recovery (MTO and MTTR) planning.
#1 – Ubiquiti Dream Machine Pro/SE
Ubiquiti has some great offerings for the SOHO market. We’ve been recommending and using their APs for years now and have generally had good experiences. Released in early 2020, the UDM-Pro model has the UniFi and Network Controller App built in, offering an all-in-one appliance for the UniFi ecosystem (previously you needed to set up the APs and other features with the network app installed on a laptop or cloud key). A couple years later in 2022, the UDM-SE was released, adding in PoE and bright white link lights!
All in all, it’s a great product for those looking for some additional network/security functionality for less than $500 out the door. Still in the “prosumer” realm, we would only recommend this appliance to a smaller organization with relatively few network needs and client counts under a couple hundred.
Standout Features
- Network Controller Application Built in (and Full Integration with Ubiquiti Wireless APs)
- Cloud/Remote Access
- Decent Network Granularity (Segmentation via VLANs, Firewall and Application Policing) and Features (Including a workable VPN Server)
- Easy Guest Network Setup and Features (Guest WiFi, Captive Portals, etc.)
- Inexpensive and no Licensing Fees
Downsides
- No Hardware Redundancy/High Availability, as of yet
- Software Releases can be Disruptive and/or Buggy
- Threat Protection Relies on Open Source Technology
- Lacks Full Enterprise Security, Functionality, and Scale
Cost
- UDM-Pro MSRP $379, UDM-SE MSRP $499. Under $500.
Learn more about UniFi Cloud Gateways here.
#2 – Fortinet FortiGate Series
Fortinet has come on the market offering some great firewall appliances and services with a real emphasis on security. Their highly scalable FortiGate series appliances are a good fit for small branch/SOHO environments as well as for a larger enterprise looking for robust and granular networking and security features. If your organization is looking for end-to-end network security at a relatively good price point, check out Fortinet.
Unlike Ubiquiti, but similar to Meraki and other enterprise vendors, Fortinet does not sell directly to the public, and you will need to go through a partner for sales inquiries.
Standout Features
- Full Scale Granularity and Advanced Network Features (SD-WAN, High Availability, Routing)
- Emphasis on Advanced Security and Threat Protection
- High Performance
Downsides
- Must Purchase Through Vendors and Maintain Service Contract
- May not Integrate with Existing Infrastructure Easily (Switching, Wireless)
Entry Level Cost
- FortiGate 40F with 1 Year of Basic Support can be found for about $500-600. Ongoing Support can run $100 or more per year based on Subscribed Features. All in all, you are looking at about $500 to $1000 for the appliance and first few years of service.
Read more about Fortinet FortiGate Firewalls here.
#3 – Cisco Meraki MX Series
Cisco Meraki has an intuitive, cloud-based dashboard that makes it easy to configure, manage, and get insight into your network. For robustness, reliability, and ease of use, it’s probably the best in its class. It’s also the most expensive. A favorite in small branch and campus environments, it has robust and easy-to-use features like site-to-site VPN, SD-WAN, and NGFW security. While these appliances are feature rich and have most everything you might need in a SOHO environment, one downside is that they are locked down at the local level. Think of the Apple design model: everything is easy to use and works well, but when a feature or insight is missing, there is generally no recourse, even with support.
We know firsthand that a number of big-name organizations and retailers rely on Cisco Meraki for their branch and campus needs.
Standout Features
- Cloud Based Control Plane
- Ease of Use
- Good Interoperability with other Cisco Products, Including Meraki Switches and Wireless APs
- Scalability
Downsides
- Cost
- Some Features Missing and Somewhat Locked Down at the Local Level
- Licensing Required for any Type of Access or Configuration Changes
Entry Level Cost
- MX67 Appliance Plus 1 Year of Basic Support will come in just under $1000, with licensing continuing at around $200 or more per year depending on subscribed services. Expect to pay about $1000 to $1500 for the appliance and the first few years of service.
Learn more about Cisco Meraki Appliances here.
#4 – pfSense, Honorable Mention
pfSense is open source software with a ton of network and security features. In partnership with Netgate, they also produce hardware appliances with pfSense software pre-installed, and offer service and support as well. While technically pfSense is probably the most feature rich and least expensive (i.e., open source = free), it’s not the easiest to set up, use, and manage. Unless you have a real enthusiast in the ranks, we generally find that it’s easier for an organization to use an off-the-shelf vendor with full support than it is to stand up a pfSense box.
Learn more about pfSense here.
Way cool! Some very valid points! I appreciate you writing this article and also the rest of the site is very good.