Recommendations for router with decent firewall - maybe DrayTek?

LinuxPhil

New Around Here
Hi all,

First question, so I'll try to give plenty of background.

I've recently upgraded to a FTTC broadband (VDSL) connection at home, with nominal speeds of 80/20Mbps. The ISP provides a Huawei HG635 DSL modem router which works well enough but is limited in terms of flexibility of the firewall options.

I've come from using an old Netgear DG834PN on ADSL which had the ability to add iptables-style rules to both inbound and outbound traffic, and it is this type of flexibility I am seeking.

My priorities above all else are:

1. Stability of the product - a stable connection is essential

2. A flexible firewall that allows the addition of inbound and outbound iptables style rules - I don't need anything super complicated here, just the basic ability to add both inbound and outbound rules (my old netgear product did this fine). Logging of firewall rule matches is also useful/desirable.

3. Firewall throughput, must not limit my 74Mbps connection speeds

4. Price - budget is not unlimited here and I do like value for money

What's not overly important:

1. Wireless - 802.11b/g would be fine, n would be nice, AC an unnecessary luxury, but none is ultimately needed as I have wireless APs available I can easily plug in. Wireless seems to be the main selling point / feature of the current range of consumer products.

2. VPN, content filtering, QoS and other more esoteric security features.

So my initial thoughts were that I'd just pick up any old Netgear ProSafe firewall router on eBay for very little money and plug that into the ISP modem - then I discovered these old devices are all bandwidth limited and would cripple my 74Mbps download speeds. Even more recent products with Gigabit ports seem incapable of handling more than around 25Mbps firewall throughput.

Would I be correct to assume that if a SME Firewall router is incapable of handling modern fibre speeds, then the cheap consumer router products presumably are not doing any SPI firewalling in order to be able to achieve the throughputs they do at that price point (my ISP provided Huawei HG635 as a case in point)?

Researching newer products that fitted the bill led me to the Netgear ProSafe FVS813G, of which the latest model does have a specified firewall throughput of 300Mbps. However, the reviews for this product are not good in terms of stability and that concerns me so it's off the list.

So most of my previous experience is with Netgear products and the product that seems to fit the bill is off the shortlist, so time to look elsewhere?

Next up I come across the DrayTek Vigor 2860 range (quoted firewall throughput of 300Mbps), a business orientated range of VDSL routers known for their stability and security features, so seems to fit the bill perfectly, allowing simple plugin replacement of my ISP provided modem router. I have no experience of this range of products - the reviews seem good, any personal recommendations or thoughts on their reputation?

At this point I'd welcome other recommendations for products to consider as I'm simply not familiar with the latest range of Asus, D-Link, TP-Link, Linksys, Netgear modem/router products.

My final option is the possibility of a home build (e.g., mini-ITX with dual LAN and Celeron N3150) running Linux and/or a firewall distro. I've been a Linux user for over 20 years and am completely comfortable using iptables. A self build project could come in at a similar price point to the DrayTek router whilst offering significantly better performance and flexibility albeit at the price of being a more complicated and somewhat less practical solution. This solution scores high on value for money but the simplicity of a plugin replacement of my modem/router device also has some appeal.

So at the moment I have many options to consider - an integrated modem/router as a direct replacement for my ISP provided device, a dedicated firewall router device to use alongside the ISP modem, or a self build project.
 
The best firewalls are the configurable ones, this means going with x86. Both MikroTik and Ubiquiti cannot help you here as they lack the signature detection capability of UTMs and firewalls despite their configurability. pfSense isn't the only one, you can just go with a Linux server like Ubuntu or even openSUSE and install the needed programs but you will have a lot of configuration from securing the OS to configuring the problems which has the benefit of having the performance and features you want. There are a few Linux based distributions geared towards firewalls that are meant for x86 so you may want to take a look, don't be shy of the ones that require a subscription if they are effective as long as they are software based rather than an entire product of both hardware and software which would limit performance.

This means going through effort and pain but is worth it if you want a really good firewall unlike the turn-key ones.
 
You may want to consider a Peplink Surf SOHO. Flexible firewall rules, very stable. I get over 74Mbps on mine. Cost is roughly $200. Does three types of VPN: PPTP, L2TP/IPsec and their own proprietary VPN for site to site connections. Head and shoulders over a consumer router. For a long writeup with pros/cons see
http://routersecurity.org/pepwavesurfsofo.php
 
There are a few Linux based distributions geared towards firewalls that are meant for x86 so you may want to take a look, don't be shy of the ones that require a subscription if they are effective as long as they are software based rather than an entire product of both hardware and software which would limit performance.

@RMerlin mentioned one for linux - Shorewall if I recall correctly...

SophosUTM is also kind of interesting...
 
Peplinks are both software and hardware based so while they may have a throughput of 74Mb/s or more they do not perform VPN at that speed. Peplink's strength is when you have multiple WANs/links that you want to combine them easily. I don't think even DrayTek supports the VPN speeds you want at your pricepoint. I would take DrayTek over Peplink if it is VDSL as DrayTek have modems too with good firewall but like Peplink they are turn-key or not very configurable as other options.

Netgear hardware is good but their firmware sucks which is why you tend to see negative reviews.

The best option really is x86 and you can find some networking orientated OS that would not be difficult or painful to configure so it's more of searching for an OS you want to use which has the features you want. Performance just comes down to CPU and what NICs you have (Intel server NICs are preferred even older 2nd hand ones). When you're browsing for the hardware you can reuse older ones or if you're buying a new one look for the datasheet of the CPU. The naming schemes can be confusing so the datasheet says which CPU it has. Avoid the Celerons (see datasheet if it's a Celeron or not, not the model) as they have a lot of features removed that they can be worse than Atoms as they would lack many hardware acceleration features that even Intel Atoms now have including hardware AES encryption, cache sizes and other optional features. Intel Atoms are great if you don't need to run a real time GUI based OS. Even AMD has comparable CPUs so as long as you disable the hardware you don't need and use Intel NICs you can use AMD just avoid the Celeron equivalent of AMD.

Using a x86 based firewall would be the fastest and most flexible solution as not only are there firewall geared OS but depending on the OS you pick you can configure even more security yourself like what I do with MikroTik but MikroTik and other similes lack UTM capabilities such as network antivirus, signature detections and other features which you can easily install on x86.
 
Shorewall is great and highly flexible, but it's very technical as well, since everything is configured through config files. Some prior knowledge of iptables is highly recommended.

Otherwise, one of the various firewall distros might work better, as they offer web interfaces.
 
You guys are where I'm at
Cost v benefit

My current thinking is
1) Dell OptiPlex with Intel dual/quad gigabit LAN, 2GHz min processor
2) fit PC 5 year warranty and Linux router os
3) my server is a HP media smart ex490 with linux & home brew vga cable- new server and virtual machine the router.

My server is 60w max according to spec, I looked at old enterprise server and pfsense compatible enterprise routers- conclusion new hardware more reliable and less energy use.

Currently mulling Fitpc cost v build my own as Gigabyte do dual LAN boards for 24/7 use- but don't support Linux.

Jetway motherboards are too expensive for mediocre spec and 1 year warranty.


Fitpc RMA to Israel doesn't appeal, maybe 3 year component warranty with easy local swap out better.

I'm not sure if Intel consumer grade gigabit NIC can team in single per PCIe slot as dual cards are expensive- maybe ATX board and 4 Intel gigabit NIC way forward if teaming an option.

Your thoughts appreciated as consumer SOHO routers don't cut it, isp spec ones choke on large internal file transfers and the more expensive soho routers last 12 to 18 months on average- I'm spending £150 a year on gear.

I don't mind time to build, config and test hardware, I'm however not interested in unknown Chinese mini PC with dubious bios, warranty etc.
 
I thought I'd update the community on the product I settled on - a Ubiquiti EdgeRouter Lite. To say I'm really pleased and impressed with my purchase would be an understatement.

In the end I narrowed my search to the following:

1. Cheap Chinese dual nic Celeron-based mini-pc with a linux install
2. Various router firewall boxes such as Cisco RV320, Linksys LRT224, Netgear FVS318G or FVS336G, ZyXel ZyWall 110.

The cheap Chinese DIY box was probably my first choice, although at around £150 it wasn't that cheap and rather difficult to return under warranty if needed.

Many of the various router firewall boxes above either had bad reviews that put me off or were just too expensive for home use.

Then I discovered the Ubiquiti EdgeRouter Lite, which claims near gigabit performance and costs under $100, although pricing in the UK is nearer £100. Reviews were generally very good (there is a vibrant community), performance looked excellent and the price was better than anything else out there. So it ticked all my boxes and I went ahead with a purchase.

SNB reviewed it here: http://www.smallnetbuilder.com/lanwan/lanwan-reviews/32012-first-look-ubiquiti-edgerouter-lite

For those not familiar with the product (I certainly wasn't), I'll outline some of the pros and cons below:

Pros

Performance - this box has a Cavium CN5020 dual core processor running at 500MHz with hardware offloading of packet routing. It runs EdgeOS, based on Vyatta which in turn is a fork of Debian Linux. Performance is quoted at near gigabit and my 80/20Mbit fibre connection certainly doesn't stretch its capabilities.

Stability - early days yet, but 1 week in and it just works.

Cost - cheaper than anything else on the market with comparable levels of performance, if you can live with the cons.

Active development / Vibrant community - despite being released 4 years ago, the developers continue to develop and enhance the product through real software development updates and are in turn supported by a vibrant community.

Configurability - 3 gigabit ports, can be configured in 1xWAN, 2xLAN, or 2xWAN, 1xLAN for balanced WAN or failover.

Cons

Not a switch. This product only has 3 ports and will need to be paired with a separate switch. These are cheap and plug'n'play so I don't see this as a huge issue.

No wireless, so maybe pairing with a wireless access point with 4 port switch would be ideal for many users.

CLI - This could have been an issue for some users in the past, but certainly isn't any more. When originally released, most things had to be configured through the command line interface (CLI). However, as mentioned in the Pros, continual software development means that it is possible to configure most typical setups in the GUI on the latest 1.8.5 firmware release. There are tabs for Dashboard with stats for each interface, a Traffic Analysis tab with DPI packet inspection breaking down usage for individual hosts into application classes/categories, Routing for setting up static routes etc, Firewall/NAT for setting up various SPI firewall, port-forwarding and NAT rules for the various interfaces, Services to configure DHCP, DNS and PPPoE servers, VPN (PPTP and IPSec), QoS where one can easily limit upload/download bandwidth for any given interface. I have yet to find a task I have not been able to set up / accomplish through the GUI.


I have mine configured as 1xWAN and 2xLAN. I have separate LANs for my Son's gaming Windows PC and the rest of the house (all Linux boxes and/or wireless android phones/tablets). Others might like to segregate their home network from wireless guest access, for example.

Having my Son on a separate LAN interface allows me to use the QoS Smart Queue feature (new to version 1.7.0) to set a limit on the bandwidth available to that interface. The numbers are slightly arbitrary, but I set 10/5Mbit, went to speedtest.net which then showed 9Mbit and 4.5Mbit throughput giving him sufficient bandwidth to watch online videos and for online gaming whilst leaving plenty of bandwidth available for everyone else. Couldn't have been easier :)

The main purpose of this box was for its firewall capabilities, and being based on Linux, this is all achieved through iptables. Port forwarding was easily configured in the Firewall/NAT tab of the GUI. By default the GUI automatically adds the necessary destination-NAT and firewall rules and just works for most users, but for those wanting more fine grained control they can manually set destination-NAT and firewall rules themselves. Firewall rules can be set for inbound, outbound or local (destined for the router itself) traffic on each individual interface. Most common iptables features are available in the GUI, such as being able to match on interface, IP address, MAC address, port, protocol state (new, established, related, invalid), and date/time.

Being able to match on time allowed me to set up time restrictions on the Eth2 interface my Son uses so the Internet magically stops working at bedtime and doesn't come back on before 7am. I set up similar rules for his tablet based on its IP address. Similar features might be found under Parental Controls on consumer products.

The firewall also uses IPSet to create hashed sets of large numbers of IP addresses or netblock ranges. This allows huge numbers of entries from block lists etc to be processed very efficiently by the firewall without having to cycle through 1000's of individual rules matching an IP address, all using hardware offloading and thus maintaining excellent throughput performance.

I haven't used the VPN features as these are of no importance to me.

Overall this is a proper fully configurable firewall that is easily configured by end users through the GUI. If you are familiar with Linux/iptables you will feel immediately at home. If you want even more control you can use the CLI and script things to your heart's content (or use a script that some community member has already developed). The product is well built with great software that is still being actively developed. The price-performance beats anything else available, and if you can live with the fact it's not a consumer product and will likely need pairing with a WAP / switch then it comes very highly recommended.
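
The blocklist-in-an-IP-set and time-matched rules described in the post above, as an added example that is not part of the original post and uses plain Linux ipset/iptables commands rather than EdgeOS configuration syntax. The set name, the eth0 WAN interface, the 21:00 bedtime and the sample blocklist are assumptions (the post names only Eth2 and 7am).

```shell
#!/bin/sh
# Added example: builds an `ipset restore` script from a blocklist and prints
# the iptables rules that use it. Nothing here touches the live firewall.

SET_NAME="blocklist_v4"   # hypothetical set name

# Constructed sample input (documentation address ranges, some bad lines).
sample_blocklist() {
    cat <<'EOF'
# constructed sample blocklist
192.0.2.0/24
198.51.100.7     # single host
192.0.2.0/24
0.0.0.0/0
203.0.113.300
203.0.113.0/33
not-an-ip
EOF
}

# Read a blocklist on stdin (one IPv4 address or CIDR per line, '#' or ';'
# comments allowed) and print an `ipset restore` script on stdout.
# Invalid entries are skipped and duplicates dropped. A /0 prefix is refused:
# hash:net cannot store it, and it would match every source address.
# Entries go into a temporary set that is swapped in at the end, so the live
# set is never empty during a reload.
# Load with: ipset -exist restore < file
blocklist_to_restore() {
    awk -v set="$SET_NAME" '
    function valid(entry,    parts, n, oct, i) {
        n = split(entry, parts, "/")
        if (n > 2) return 0
        if (n == 2) {
            if (parts[2] !~ /^[0-9]+$/ || length(parts[2]) > 2) return 0
            if (parts[2] + 0 < 1 || parts[2] + 0 > 32) return 0
        }
        if (split(parts[1], oct, ".") != 4) return 0
        for (i = 1; i <= 4; i++) {
            if (oct[i] !~ /^[0-9]+$/ || length(oct[i]) > 3) return 0
            if (oct[i] + 0 > 255) return 0
        }
        return 1
    }
    BEGIN {
        print "create " set " hash:net family inet"
        print "create " set "_new hash:net family inet"
        print "flush " set "_new"
    }
    {
        sub(/[#;].*$/, "")       # strip trailing comments
        gsub(/[ \t\r]/, "")      # strip whitespace and CRs
        if ($0 == "") next
        if (!valid($0)) { skipped++; next }
        if (seen[$0]++) next
        print "add " set "_new " $0
    }
    END {
        print "swap " set "_new " set
        print "destroy " set "_new"
        printf "%d invalid entries skipped\n", skipped > "/dev/stderr"
    }'
}

# Print (not execute) rules for review: log and drop forwarded traffic from
# blocklisted sources arriving on the WAN side, and reject forwarding from
# one LAN interface overnight. --kerneltz makes the time match use the
# router's local time zone instead of UTC. Where these sit relative to the
# existing FORWARD rules is left to the operator.
print_rules() {
    wan_if="$1"
    lan_if="$2"
    printf '%s\n' \
        "iptables -A FORWARD -i $wan_if -m set --match-set $SET_NAME src -m limit --limit 6/min -j LOG --log-prefix 'blocklist: '" \
        "iptables -A FORWARD -i $wan_if -m set --match-set $SET_NAME src -j DROP" \
        "iptables -A FORWARD -i $lan_if -m time --timestart 21:00 --timestop 07:00 --kerneltz -j REJECT"
}

sample_blocklist | blocklist_to_restore
print_rules eth0 eth2
```

A single set lookup replaces one rule per address, which is why a list with thousands of entries does not lengthen the rule chain.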
 
It's a good thing you didn't go with (2) because those VPN boxes are terrible nowadays. They use the same CPU as the ERL but clocked much lower and some in single core configs. I've seen some recent ones with much better clocks but they still run the single or dual core configs so are very outdated especially if price is taken into consideration (still slower than my relatively useless ERPRO). I say mine as useless because I couldn't get the UTM features I needed installed or even working on it which makes it pointless because it then loses much of its advantage over MikroTik.

The speed claims of ubiquiti are highly inaccurate. The ERL is capable of up to 1.3Gb/s of NAT with hardware acceleration if run in the leanest of configs (no PPPOE, etc). For your speeds of 80/20 the ERL will do fine if you need QoS and firewall and other things on it.

Please refer to my example configs for MikroTik relating to security, I even posted a config concept in the Ubiquiti forums which I formed from months of experience and superior logic (superior because people still think that my configs aren't entirely correct but you are all welcome to go through the logic flow). http://community.ubnt.com/t5/EdgeMAX/Emerging-Threats-Blacklist/m-p/1600545#M115534 . Sure there are much more improvements you could make to the ruleset but you have to consider your uses and what you run.

The ERL has hardware acceleration for VPN but only for PPTP and IPsec so expect terrible OpenVPN performance.

DrayTek is great if you want to load balance multiple DSL ISPs.

Just so you know speed claims by Ubiquiti are only relevant if you plan to use it as a layer 3 switch. MikroTik has much better speed claims so I use the lowest one as expected throughput with software NAT which is much closer to what you really get. A lot of wirespeed tests you see on YouTube are also of the same config where they use it as a layer 3 switch with nothing else configured but many consumers don't have a clue what really is going on. Sometimes I think Ubiquiti is using the misinformation as marketing for people to think their products are fast and cheap and other manufacturers not having the quality and speed.
 
Sounds like you made a good choice... and thanks for the added comments...

EdgeRouters don't get much appreciation from the general community (tends to be focused on all-in-one consumer Router/AP's, and that's ok) - as SEM suggests, there are different options - MikroTik is one (remember, RouterOS is not just one platform) and then the pfSense boxes... along with VyOS, ShoreWall, SophosUTM, and others...

It's a different tier - and welcome to it...
 
It's a good thing you didn't go with (2) because those VPN boxes are terrible nowadays. They use the same CPU as the ERL but clocked much lower and some in single core configs. I've seen some recent ones with much better clocks but they still run the single or dual core configs so are very outdated especially if price is taken into consideration (still slower than my relatively useless ERPRO). I say mine as useless because I couldn't get the UTM features I needed installed or even working on it which makes it pointless because it then loses much of its advantage over MikroTik.

I'm wondering where the next generation of products are that will support gigabit speeds, but I suppose until gigabit speeds are commonplace there will not be much call for the products. But still, when I buy a piece of hardware I like to think there is at least a little bit of future-proofing built in rather than it only just meets my needs for today.

The speed claims of ubiquiti are highly inaccurate. The ERL is capable of up to 1.3Gb/s of NAT with hardware acceleration if run in the leanest of configs (no PPPOE, etc). For your speeds of 80/20 the ERL will do fine if you need QoS and firewall and other things on it.

Well, I'm hoping to be able to test those claims for myself shortly. By the way, connections using PPPoE client is hardware offloaded now so shouldn't suffer much of a performance hit, and if you were referring to PPPoE server, then this is an end point so would never be eligible for hardware offloading as this traffic is not routed but is destined for the PPPoE server end point.

The fastest I'm able to transfer data across my internal network at present is around 800Mb/s (~100MB/s), so anything above that and the EdgeRouter isn't going to be the limiting factor. I only need NAT and a relatively simple set of firewall rules, all things which are offloaded to hardware for acceleration. It will be interesting to see if the EdgeRouter can approach and/or exceed the limits of my testing capacity. It would be nice to know if the device will be capable of handling the 300-500Mb/s speeds BT are talking about for their next generation fibre, or even the 900Mb/s speeds of TalkTalk's Ultra Fast Optic trial in York.
 
If there is 1Gb/s fibre optic symmetrical you will need 2Gb/s to max it out. The throughput you need for internet is download + upload so for BT Infinity 2 you need 100Mb/s of forwarding. So if TalkTalk's fibre optics are 900Mb/s symmetrical then the ERL won't keep up for maxing it out as the ERL has been tested up to 1.3Gb/s using NAT with hardware offload and no other configs.

When you add configs, things that cannot be hardware accelerated, your throughput will be around 200Mb/s.
 
I've no idea if these residential services are symmetrical, I highly doubt it, but it's a fair point. However, I simply don't use my bandwidth in that way. The only time I tend to max out my bandwidth is when uploading/downloading a single large file such as an iso, and I'm very unlikely to be uploading and downloading something very large at the same time. All other (of my) use cases at the moment don't come close to stressing an 80Mb/s connection, let alone 800Mb/s, but who would have thought 10 years ago that we would be streaming high def content to numerous devices throughout the house.
 
I've now had a chance to perform some simple benchmarks on the performance of the EdgeRouter Lite. I was able to find some performance tests for various VPN setups, but nothing for a simple SOHO routing/firewall setup.

I started by benchmarking my network to get a baseline performance figure. Two quad core Linux systems on the same subnet connected via a Netgear ProSafe gigabit switch gave speeds of ~940Mbit/sec as tested with iperf:

Code:
[phil@rhel7 ~]$ iperf -i 1 -c 192.168.0.1
------------------------------------------------------------
Client connecting to 192.168.0.1, TCP port 5001
TCP window size: 85.0 KByte (default)
------------------------------------------------------------
[  3] local 192.168.0.7 port 54566 connected with 192.168.0.1 port 5001
[ ID] Interval  Transfer  Bandwidth
[  3]  0.0- 1.0 sec  113 MBytes  949 Mbits/sec
[  3]  1.0- 2.0 sec  112 MBytes  942 Mbits/sec
[  3]  2.0- 3.0 sec  112 MBytes  941 Mbits/sec
[  3]  3.0- 4.0 sec  112 MBytes  943 Mbits/sec
[  3]  4.0- 5.0 sec  112 MBytes  942 Mbits/sec
[  3]  5.0- 6.0 sec  112 MBytes  942 Mbits/sec
[  3]  6.0- 7.0 sec  112 MBytes  942 Mbits/sec
[  3]  7.0- 8.0 sec  112 MBytes  943 Mbits/sec
[  3]  8.0- 9.0 sec  112 MBytes  942 Mbits/sec
[  3]  9.0-10.0 sec  113 MBytes  945 Mbits/sec
[  3]  0.0-10.0 sec  1.10 GBytes  942 Mbits/sec

I then used iperf to test performance for traffic passing through the router using my standard configs for daily use which consist of NAT, some port forwarding and a small number of firewall rules. Firewall rules included some time based rules and SPI rules. Hardware offloading was enabled. Including the firewall rules for forwarded ports, I have around 25 rules in total for both inbound and outbound traffic. This could represent a typical setup for many SOHO users for day to day internet usage excluding VPN.

Code:
# iperf -s
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 85.3 KByte (default)
------------------------------------------------------------
[  4] local 192.168.0.1 port 5001 connected with 192.168.1.5 port 53374
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-10.0 sec  1.09 GBytes    937 Mbits/sec
[  5] local 192.168.0.1 port 5001 connected with 192.168.1.5 port 53378
[ ID] Interval       Transfer     Bandwidth
[  5]  0.0-10.0 sec  1.09 GBytes    937 Mbits/sec
[  4] local 192.168.0.1 port 5001 connected with 192.168.1.5 port 53380
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-60.0 sec  6.52 GBytes    933 Mbits/sec
[  5] local 192.168.0.1 port 5001 connected with 192.168.1.5 port 53382
[ ID] Interval       Transfer     Bandwidth
[  5]  0.0-120.0 sec  13.1 GBytes    938 Mbits/sec

As shown above, the EdgeRouter Lite handled the load with minimal drop in performance compared to my baseline gigabit network speeds. Thus I conclude I'm not able to fully test the performance of the device as my gigabit network is most likely the limiting factor, so plenty of headroom there for future fibre broadband speed upgrades. This is in agreement with your statement that previous tests showed 1.3Gb/s performance for a simple NAT configuration. I can now conclude that gigabit speeds are retained with the addition of simple firewall rule sets.

The EdgeRouter Lite is a dual core device and when maxed out above, one of the cores was running at ~70-80% with the second core running idle. I didn't think to run any tests in parallel to see if I could load the second core, nor to test with hardware offloading disabled.

Overall I'm extremely pleased with the performance.
 
Symmetrical meaning upload and download. Try performing a symmetrical upload and download test (limit to 900Mb/s per direction) and you will find that it maxes out at 1.3Gb/s not because of CPU. Hardware offload doesn't use the CPU much and is limited by other factors.
 
Thanks, that's a good idea for testing purposes.

Interestingly, a quick test of my network performance shows I can only achieve 1.6Gb/s symmetrically between two quad core servers through a gigabit network switch so 1.3Gb/s would still be an impressive result in my book.

In the real world, 1.3Gb/s would be fantastic, even with a 1Gb/s symmetrical service. I'd be highly unlikely to ever be uploading and downloading huge amounts at the same time, so even if the downloads were maxing out at 1Gb/s, there would still be 300Mb/s upload bandwidth available which, put in context, is nearly 4 times my current download bandwidth!
 
That's what they all say. For some like myself I consider upload just as important. It means I can have local VPN server and local stuff. For businesses they need upload.

The issue here is that Ubiquiti claims wirespeed but their wirespeed claims don't apply to their main customer base. For wirespeed NAT the ERL would have to forward 3Gb/s in total. The ERL is also an over glorified router as you can do the same with a consumer router.

For something like the mikrotik CCR, wirespeed NAT is possible without any sort of acceleration.

When you start using the other features that the ERL has or other things it can do you might end up changing your tone such as if you want to use the UTM capabilities you can install on it.

As soon as you add overheads like PPPOE speeds will drop significantly.
 
