Router Virtualization

[paraplu]

Hi there,

I am currently consolidating many of my server -services in a single VMware ESXi box with underlying Intel 7300T (Kaby Lake 3.5GHz, 35W TDP), 32GB memory, and M2 fast SSD. Including router function..

Main requirement is to have to best possible external VPN speed within a single VPN session. Preferable with 10+ Gbps speed between the VM's using the same hypervisor.

I have already tried the following in a prioritized VM, on ESXi 6.5:

1. plain Linux (Ubuntu): gave up as it becomes to messy to maintain VPN, VLANS, PPPOE, Multicast etc through CLI.
2. Mikrotik RouterOS: gave up as it seems not stable not giving me 500/500 mbps throughput rather 100mbps. AND have to pay extra for a license.
3. Pfsense: tried, seems to work, but eventually skipped, as this is not based on Linux. I want Linux only.
4. VYOS. Currently running. Seems to work fine so far but a bit dated.

Anyone with experience on VM-based routers for 500+ Mbps routing, please share your experience.

 

[sfx2000]

Maybe Sophos UTM?

There is some consensus that virtualizing a router might not be a good idea - which flies in the face of various cloud providers using OpenStack and the like..

 

[paraplu]

Maybe Sophos UTM?

There is some consensus that virtualizing a router might not be a good idea - which flies in the face of various cloud providers using OpenStack and the like..

Sophos is limited to 50 IP addresses only, not an option for me.

So far I do not see a disadvantage for virtualizing a router. I still can access the router if its down, and latency/throughput impact seems to have no effect with latest ESXi and modern hardware.

Getting 14gbps speed between VM's, according to iperf.

 

[sfx2000]

So far I do not see a disadvantage for virtualizing a router. I still can access the router if its down, and latency/throughput impact seems to have no effect with latest ESXi and modern hardware.

For a router specifically on the intranet - I would agree...

Most of the arguments are against the gateway aspects, not internal routers...

The gateway is the first line of defense - and they're not perfect, so if the GW is compromised, the hypervisor along with other guests could be compromised as a result.

This is likely why not to go down the path of virtualizing the GW router...

 

[RacerRon]

Sophos UTM home free has a 50 ip limit. The newer Sophos XG home free edition is unlimited ip but limits hardware to 2 compute cores and 6 gig ram.

Sent from my Pixel using Tapatalk

 

[System Error Message]

if you are doing multiple VMs on a single machine and running iperf, very likely the performance will be limited by ram performance and cpu cache speeds. The layer 2 and 3 cache speeds for both intel iseries and amd arent really as fast though. If you run memtest it will tell you the cache and ram speeds.

 

[paraplu]

if you are doing multiple VMs on a single machine and running iperf, very likely the performance will be limited by ram performance and cpu cache speeds. The layer 2 and 3 cache speeds for both intel iseries and amd arent really as fast though. If you run memtest it will tell you the cache and ram speeds.

Hmm. My current throughput of 14Gbps between VM's is not bad, not bad at all. Are you implying that this can be improved?

 

[paraplu]

Sophos UTM home free has a 50 ip limit. The newer Sophos XG home free edition is unlimited ip but limits hardware to 2 compute cores and 6 gig ram.

Sent from my Pixel using Tapatalk

Thanks for that hint as I was not aware. Sophos XG is on my list for trying.

 

[System Error Message]

Hmm. My current throughput of 14Gbps between VM's is not bad, not bad at all. Are you implying that this can be improved?

it can be improved. 14Gb/s is almost 2GB/s. virtualisation has a lot of overhead in ram throughput so if you get your ram to run much faster that can help improve performance. CPU usage can be pegged at 100% but cpu usage includes waiting as well.

Even in network, network throughput is also dependent on ram throughput too. Some very fast systems are limited by routing performance because of the memory speed rather than CPU, such as the mikrotik 1072 which has 72 cores or a specialised architecture used in firewalls and designed to take the burden off the CPU. Faster ram improves the performance as long as there is CPU to spare.