Edgerouter 4 performance


Top critical review


2.0 out of 5 stars: LOSES its marbles if I make tiny configuration changes to VPN, via GUI

Reviewed in the United States on April 1, 2019

Updated Dec 20, 2019.
I'm throwing in the towel, after nine months of use as an IPSec VPN endpoint. The problem is I've wasted too much time repairing configurations that EVAPORATE, if I make a slight change via GUI. This lack of quality control is infuriating, and has persisted despite firmware updates. I use Cisco routers (SOHO) and never had THIS problem, with them.

UPDATE OCT 20, 2019
Ever since upgrading the firmware to v2.0.1, months ago, the "lost marbles" problem disappeared. Yes, we've had power outages and this router comes back up OK. In fact, I've had to crowbar it occasionally, for losing its VPN (IPSec) marbles, and RE-POWERING IT ("cold boot") made the VPNs come back up. Woopie doo. It does what it's supposed to do, keep its "marbles."
But it's driving me nuts, just because the user interface is so different from all the other routers I've ever used, including Cisco, Netgear, DLink, TPLink. This router has a face only an egghead could love. I waste so much time, I'm thinking of going back to the Devil I Know Better, a Cisco RV340. Which is exactly full circle; I returned an RV340 for its own diabolical quirks... e.g., licenses that are impossible to get, beyond 2 IPSec VPNs. And all that Cisco arrogance.

Updated April 7: I have installed firmware 2.0.1, dated 29 March, and after that I also took the system down softly, using the "shut down" button on the "system" GUI page. The ER-4 went down. A while later, I cycled power to the box and it all came up with "all its marbles," to my delight. THEN I crowbarred the box, cycling power without going through the soft shutdown procedure. The system again came up with all its marbles intact. Hooray! Hooray 2.0.1 ???

April 1 observation, of ER-4, using firmware version 1.10.9: This router performs well, as an IPSec VPN endpoint. But it goes into never never land if the power goes out and back on. That is intolerable, and what's worse is that I can't figure out how to fix that: the manual is silent, and the peer forums dance around this. Can anyone at Ubiquiti tell us all what to do? Indeed, I can use the Command Line Interface and that's a nice feature, in a reasonably-priced small business router VPN endpoint.

Source: https://www.amazon.com/gp/aw/reviews/B078PGCGN2

Since ~2012, UBNT has had their series of gigabit-capable routers, known as the EdgeRouter line.  There have been a few generations of these over the years, focusing on either price or performance points.  It can be confusing when trying to find the best one to suit your needs, so let’s do an overview of the different models and what they each bring to the table.

All of the ERs have pretty much the same software features, so we won’t go into too much detail on software unless it’s an important distinction.

First Generation (Cavium)
EdgeRouter Lite

This is the original EdgeRouter model – inexpensive (sub-$120 USD), capable of near wirespeed routing with its hardware offloading and accelerated IPSec VPN.  Has three gigabit ethernet ports, and can do various routing protocols such as BGP, OSPF, RIP, etc.

There are two versions of these – the original plastic ones and the newer metal case ones.  The original plastic ones have known issues with the DRAM and flash drives.

Old, but if you can find one cheap (either metal case, or a plastic one with the USB flash drive replaced), they make a great inexpensive CPE – however their CPU is pretty slow and anemic making for poor performance with OpenVPN, QoS, and other CPU bound uses.

EdgeRouter 5 POE

Basically an ERL with an integrated switch and passive 24v and 48v POE support (not 802.11af/at).  These can power an older Unifi AP that supports 24v passive, or some AirMax type devices.

Has same performance limitations as the ERL.

EdgeRouter 8

Rack mounted ER, faster CPU, and 8 gigabit copper ethernet ports.  Better performance with CPU bound applications/services such as OpenVPN and QoS.  Has all of the same software and offload capabilities as the ERL.

EdgeRouter Pro 8

Another rack mounted ER with a step up in performance from the ER8.  Has two SFP ports and six copper ethernet ports (two are shared).  Was top of the line performer for routing until EdgeRouter Infinity was released.

Although a solid performer, the ER8 and ERP8 are both outclassed by the newer ER4/6/12/Infinity models.  If you can find them inexpensively, they make a good router for sub-gigabit connections.

“1.5” Generation (MediaTek)
EdgeRouter X

This little router has a great price/performance ratio – for under $60 USD you get a 5 port router (built in switch) that is able to be powered over 24v passive poe, and is capable of outputting 24v passive for some Unifi APs.  Performance is almost equal to the ERL in many cases, with it performing better for some tasks like OpenVPN.

It does however have some limitations – offloading can be hit or miss performance wise, especially with the 2.0 firmware.  There is a single gigabit link between the internal switch and the CPU, which limits the theoretical max routing performance.  It also lacks a serial port, making it a pain to recover if you lock yourself out.

These units tend to be my ‘go-to’ for customers needing an inexpensive router while leaving room for future growth.

EdgeRouter X SFP

An ERX with an added SFP port and 24v passive POE on all five copper gigabit ports.

EdgeRouter 10X (new!)

An ERX with double the RAM, double the flash storage, and double the ports!  The 10 port integrated switch make this router a nice router/switch combo, perfect for small offices and home users.

This device somewhat straddles the older ERX and the newer ER4/6/12/Infinity line – not as good performance as the 2nd generation of ERs, but an improvement over the original ERX.

The serial port has been readded, and this device can only run the new EdgeOS 2.x software.

2nd Generation (Cavium)
EdgeRouter Infinity (AKA ER-8-XG)

UBNT’s first 10G router – 8 SFP+ ports and one gigabit copper.  16 CPU cores, 16GB of DDR4 RAM, and up to 80Gbps throughput.  This beast of a router was the first in the newest generation of routers, and packs quite a bit of performance in 1U.  It has dual PSUs.

The internal SFP+ banks can be quirky – they are split into two banks of 4.  If you want to run 1G SFP modules in some, you have to switch one bank (either 1-4 or 4-8) to being for 1G only.

For ~ $1850 USD, it’s not a bad price if you need > 1G performance.

EdgeRouter 4/6P/12/12P

UBNT’s newest line of routers – these are in the same CPU family as the Infinity, but are focused on 1G performance and price point.  Since they all have the same general performance, we’ll just point out the differences in what each offers hardware wise:

  • ER4 – Base model, 3 gigabit copper ports, 1 SFP port
  • ER6P – 5 gigabit copper ports, 1 SFP port.  24v passive POE on copper ports
  • ER12 – 10 gigabit copper ports (integrated switch), 2 SFP ports, 24v passive POE pass-through
  • ER12P – 10 gigabit copper ports (integrated switch), 2 SFP ports, 24v passive POE on copper ports

These units are optional rack mount, with a bracket kit available.  They are passively cooled, small form factor, in a durable metal case.


Source: https://boisetech.org/2019/10/15/overview-of-the-ubiquiti-edgerouter-products/

Ubiquiti Unifi Security Gateway (USG) Vs Edgerouter 4/Lite

Ubiquiti manufactures networking products (routers, switches, wireless etc) that can serve in a broad range of implementation cases, from Home networks up to large Enterprise environments.


The USG (UniFi Security Gateway) and EdgeRouter devices are two product lines that target a similar market – I would say the SOHO and SMB enterprise market (although there are higher-end models that can be used in larger corporate networks) – so these two product series are very often the subject of comparison among professionals and users.

In this article I will describe and compare three “entry-level” models namely the USG-3 Security Gateway, the new EdgeRouter 4 and finally the EdgeRouter Lite.

These 3 models are at the lower-end of the spectrum in the product series but they include some networking/security features and hardware specs that are usually found in enterprise-grade networking equipment.

Before diving deeper into the details of each device, let’s first see a high-level side-by-side comparison of the three routers.


Comparison Table

| | Ubiquiti Unifi Security Gateway (USG) | Ubiquiti EdgeRouter 4 | Ubiquiti Networks EdgeRouter Lite 3-Port Router |
|---|---|---|---|
| Highlight | Most User Friendly | Most Powerful | |
| Layer 3 performance | 1 Million pps (packets per second) | 3.4 Million pps (packets per second) | 1 Million pps (packets per second) |
| Ports | 3 Gigabit (1 or 2 WAN, 1 or 2 LAN) | 3 Gigabit + 1 SFP (for fiber) | |
| Management | UniFi Controller, Command Line Interface (CLI) | Web GUI, Graphical GUI (UNMS), Command Line Interface (CLI) | Web GUI, Graphical GUI (UNMS), Command Line Interface (CLI) |
| Routing Protocols Supported | Static, BGP/OSPF (only through CLI) | Static, OSPF/OSPF3, RIP, BGP (with IPv6), MPLS | Static, OSPF/OSPF3, RIP, BGP (with IPv6), MPLS |
| VPN | IPSec, OpenVPN, PPTP, L2TP. Both Site-to-Site and Remote Access VPNs supported. | IPSec, OpenVPN, PPTP, L2TP. Both Site-to-Site and Remote Access VPNs supported. | IPSec, OpenVPN, PPTP, L2TP. Both Site-to-Site and Remote Access VPNs supported. |
| Firewall | Stateful Firewall, ACL-based, Zone-based, Deep Packet Inspection (DPI) for Application inspection. | Stateful Firewall, ACL-based, Zone-based, Deep Packet Inspection (DPI) for Application inspection. | Stateful Firewall, ACL-based, Zone-based, Deep Packet Inspection (DPI) for Application inspection. |
| IDS/IPS | Supported with degradation in throughput * | | |

Last update on 2021-10-19 at 15:37 / Affiliate links / Images from Amazon Product Advertising API

* NOTE about IDS/IPS:

  • If you enable IDS/IPS on USG device, the maximum throughput will drop to 85 Mbps according to Ubiquiti. People in forums mention speeds up to 100-110 Mbps with the IPS/IDS enabled.
  • Also, because of limited RAM on the USG, only a limited selection of IDS/IPS categories can be enabled (11 out of 41).

My Quick Recommendations

If you don’t have the time to read the whole article and want to get a quick recommendation and summary of each Ubiquiti model, here is what I think about each device:

USG

The USG is most suitable in the following cases:
  • If you have other UniFi devices in your network (or are planning to buy products in the UniFi series) such as Unifi wireless Access Points, switches etc, then the USG is a great choice to integrate with the rest of the network and manage everything centrally with the UniFi Controller software.
  • If you are replacing a consumer router in your home network or small office, generally I would say the USG model is a better replacement compared to an EdgeRouter. It’s easier to manage and configure and provides much more speed and throughput compared to regular consumer routers.


EdgeRouter 4

The EdgeRouter-4 is most suitable in the following cases:
  • Being the most powerful router gateway in this article, it can easily handle a lot of traffic and WAN links of 1 Gigabit (being Fiber, PPPoE etc) without any problem.
  • Great for Medium to Large Enterprise networks or even Home networks with Gigabit ISP speed.
  • If you are experienced in networking and firewall/security concepts, the ER-4 is an excellent choice because it provides flexibility in configuration of advanced features on the management UI.
  • Granularity of control since everything can be configured with the Web UI and CLI.


EdgeRouter Lite

The EdgeRouter Lite is most suitable in the following cases:
  • The ER-Lite is exactly the same hardware as USG.
  • It does not integrate with UniFi Controller for management but it offers its own Web GUI for management which is more powerful and full-fledged compared to Unifi controller.
  • If you want the control and advanced features of EdgeRouters but have a limited budget, ER-Lite is a good choice.


Unifi Security Gateway (USG) Brief Review

Ubiquiti Unifi Security Gateway (USG)
  • 3 Gigabit Ethernet ports, CLI management for advanced users
  • 1 million packets per second for 64-byte packets
  • 3 Gbps total line rate for packets 512 bytes or larger


The “UniFi” group of products fall into the SDN (Software Defined Networking) philosophy whereby the whole network and devices are centrally controlled, configured and monitored by a software management application.

USG is the entry level router/firewall product in this series. The other options include USG Pro 4 and USG XG-8 which are much more powerful in terms of hardware performance.

Hardware Specs

As you can see from the processing specs of the USG (CPU, RAM), these numbers are quite good for such a small device; however, when you start enabling some “heavy” software features (such as Deep Packet Inspection, IPS/IDS etc) the performance will drop significantly, as we will see later on.

With 1 Million pps (on 64 Bytes packets) and approaching the line rate of 3 Gbps with larger packets, its speed throughput is quite impressive and can easily handle traffic demands of small to medium networks (or even enterprise level environments).

The physical interfaces of the device include the following ports:

  • 1 Dedicated Gigabit WAN port (10/100/1000 Mbps).
  • 1 Dedicated Gigabit LAN port (10/100/1000 Mbps).
  • 1 Gigabit port that can be configured as either a second LAN or WAN.

Don’t let the number of LAN ports fool you because you can always split a single LAN port into multiple VLANs thus creating many Layer 3 subnets. This is useful if you want to segment the internal LAN into different networks (e.g server subnet, user subnet etc).

Important Note about Hardware Specs

As far as hardware is concerned, the Ubiquiti USG (square box device) is the same as the EdgeRouter Lite. This shows also in the comparison table above. If you look at CPU, RAM, Layer 3 Performance and ports you will quickly see that USG and EdgeRouter Lite use exactly the same hardware.

Management

All of the “UniFi” models (including the USG we are discussing here) are managed and configured using the UniFi Controller management software which provides a centralized management platform.

The Management aspect is probably the biggest difference between UniFi USG and the EdgeRouter models, not only the ones we are comparing in this article but also all EdgeRouter devices.  

Here are the Management options for USG:

  1. On-site Management Station with Unifi Controller
  2. Off-site (cloud) Management with Unifi Cloud Controller
  3. UniFi Cloud Key

The first option above is free. You can download the Unifi Network Controller software, install it on your local computer (Windows etc), connect the local computer on the same Layer 2 network as USG and that’s it.

The second management option (Cloud Controller) is a paid service and you can manage your Unifi devices from the cloud.

The Third option above is the best in my opinion. The Unifi Cloud Key is actually a Linux PC on a stick which runs a local instance of the UniFi Controller software and also provides you with access to the cloud management platform. So essentially it offers a hybrid management approach of both local and cloud access.

NOTE: You can configure some advanced settings of USG using the Command Line Interface (CLI) although this is not recommended by the vendor.

Software

USG is running on EdgeOS software which is a fork of Vyatta’s OS (now owned by Brocade). The same operating system is powering the EdgeRouter devices as well.

Although you can connect with SSH to a USG device and start configuring things with the CLI, the changes will not be permanent because they will be overwritten by the UniFi Controller management software.

In order to make persistent changes to the configuration of USG (e.g advanced routing configuration, advanced QoS, policy routing etc) you must make the changes in a json file (config.gateway.json) which sits in the controller filesystem and allows custom changes to the configuration that are not available in the GUI interface.

Regarding software features, the USG has the same networking and security capabilities as the EdgeRouter and even more. It supports for example IPS/IDS (Intrusion Prevention/Detection System) which is a security mechanism to inspect the content of the traffic for identifying attacks.

With IPS/IDS you can enable certain attack categories (which are basically known signatures of attacks). The USG3 supports a subset of IPS categories and if you enable them the maximum throughput will drop to around 85 Mbps according to the vendor.

Another advantage mentioned in forums about USG, is that Site-to-Site VPN on USG is much easier to configure in the GUI (if you have another site with a USG) compared to Edgerouter.

To summarize, the USG supports all the software capabilities of the EdgeRouter but you have to configure it via the GUI unless you want to mess with CLI. 

However, the GUI via the Unifi Controller allows basic settings to be configured (a subset of all the possible settings) which is great for people who are not networking gurus. For more advanced configuration you must SSH to the device and configure the advanced settings with CLI by changing the custom json file (hard to do).


EdgeRouter (ER 4 / Lite) Brief Review

Ubiquiti EdgeRouter 4
  • (3) 10/100/1000 Mbps Ethernet ports, (1) RJ45 Serial and (1) SFP port
  • Max power consumption: 13 Watts
  • Desk, wall and rack mount options


In this section I will discuss the EdgeRouter (both version 4 and Lite) and see how they compare with USG.

Unlike the UniFi gateway line which includes only 3 models, there are several models in the EdgeRouter product series. Some of these models (at the time of this writing) are:

  • ER-X
  • ER-X SFP
  • ER Lite
  • ER 4
  • ER-8 XG
  • ER 6P
  • Etc

Hardware Specs

As we have mentioned in the USG review section, the ER-Lite is exactly the same hardware as the USG, so in this paragraph I will discuss the ER-4 only.

Looking at the specs, it’s obviously a more powerful device with double the CPU and RAM performance compared to USG. Moreover, packet performance (Layer 3 throughput) is 3x better with 3.4 Million pps (on 64-byte packets).

The physical interfaces of EdgeRouter 4 include the following ports:

  • 3x Gigabit ports (10/100/1000 Mbps).
  • 1x Gigabit SFP port (for connecting to optical fiber cable)

The physical interfaces can be connected anywhere you like, i.e WAN, LAN, dual-WAN etc.

Moreover, each physical interface can be split into VLANs, thus supporting multiple Layer3 subnet networks (useful when segmenting an internal LAN into different firewall zones, creating a DMZ firewall zone to connect public servers etc).

If you don’t enable DPI or QoS, the EdgeRouter 4 can easily handle a Gigabit WAN link at full 1Gbps speed without dropping a bit. If you enable QoS the speed throughput drops to about 500 Mbps according to a user who actually tested this on his own network.

The above speed (500 Mbps with QoS enabled) is still impressive and certainly much bigger than regular consumer grade routers. 

Obviously, the EdgeRouter 4 can be easily used in larger offices or enterprise networks and can handle the traffic sent to it at a fraction of the cost of buying a router from another brand (plus, it also works as a firewall).

Management

All EdgeRouter devices are mainly managed by individually connecting to them via a Web GUI interface. However, there are other options as well as shown below:

  • Web GUI (manage each device with your web browser)
  • Management Software GUI (UNMS – Ubiquiti Network Management System)
  • Command Line Interface (CLI)

As I have said before, the Management is one of the main differences between USG and EdgeRouter. For the latter, there is no central management software (like the Unifi Controller) that can configure and monitor all of the devices in the network.

However, the Web GUI of EdgeRouter can configure almost ALL settings and features of ER, even the advanced settings (unlike the Unifi controller which supports configuration of mostly the basic features of USG but not all advanced settings).

Software

Running on EdgeOS, the EdgeRouter supports all of the networking and security features you can find in higher-end enterprise devices. This is actually like getting both an enterprise class router and stateful firewall on the same box.

Compared to USG, the only difference in features is that ER models do not support IPS/IDS like the USG. If you really need to have such a functionality in your network, you can always use an open source IDS software (like snort for example) and just send traffic to it for inspection (with a mirroring port/VLAN).

Although you can use CLI access (with SSH) to configure anything you want, almost all features (both basic and advanced) can be configured with the Web UI. Users that are advanced in networking and security love this capability. On the other hand, people that are not networking gurus will find the Web UI overwhelming.


USG Vs EdgeRouter 4 / Lite

I’m sure that from the reviews above someone can extract the main similarities and differences between these products from Ubiquiti. Let me summarize them below:

  • What sets the USG device apart is its ability to be integrated with the UniFi Controller and the whole UniFi ecosystem. If you have other UniFi devices in your network (or are planning to purchase such devices) like UniFi WiFi Access Points, Switches etc, then the USG is a better choice because it will be managed centrally from the same controller software.
  • If you are not a power-networking user and want a more user-friendly and easier way to configure your device, then USG is easier to manage and configure compared to EdgeRouter. However, keep in mind that the controller management software of USG offers only a subset of all the features actually supported by the device.
  • If you want more flexibility and control in setting up your device and you know what you are doing in terms of networking and security, then EdgeRouters are a better choice and offer all configuration options (both basic and advanced) in the same Web GUI.
  • If you want sheer power and performance, then EdgeRouter 4 is the way to go compared to USG.
  • If you just want to install one router in a SOHO or SMB network with firewall features and advanced networking and you don’t want central management etc, then EdgeRouter Lite is a great choice.


Source: https://www.networkstraining.com/ubiquiti-usg-vs-edgerouter/

Ubiquiti EdgeRouter IPsec performance

I’ve been working on setting up a lab environment for myself and decided to pick up a couple of Ubiquiti’s EdgeRouter 4 routers to act as my core routing devices, along with an EdgeRouter X to act as my out-of-band router. These new devices, along with an EdgeRouter Lite loaned to me for this article by Dom at LoveServers, put me in a reasonably good position to do some performance testing between these different models of EdgeMAX routers. I thought a good place to start would be to compare how well these different models perform in terms of IPsec throughput and overall CPU usage at the same time.

Part of my lab setup will involve provisioning a couple of IPsec tunnels between the lab and my home network. So whilst this article will mainly focus on IPsec, I will be including some general observations/comparisons between the devices too which may be informative to some people.

Methodology

According to Ubiquiti’s data sheets, the EdgeRouter 4 should be the beefier device, so it seemed logical to use the pair I have to establish a base number which I can compare the other two models against. The physical layout I’ve used for the testing is pretty straightforward in that it’s two Dell R210ii servers directly attached to a router each, with another link between the two routers, as illustrated below.

[Figure: physical layout]

The routers themselves are initially at the factory default settings other than rudimentary interface configs, some static routes, hardware offloading (more on that later) and the configuration components needed to establish an encrypted GRE tunnel using IPsec. Unfortunately, as I am limited by the overall performance of just one of the EdgeRouter 4s, I won’t really know if the throughput is capped by encryption or decryption performance, so for the purposes of this test, I will assume the value I establish will be the same each way for the EdgeRouter 4. I may explore this in the future once I have something that can push more data than these devices are capable of, which should allow me to measure them independently.

However, as these devices should, in theory, out-perform the other models, I should be able to discern encryption and decryption throughput separately for the EdgeRouter Lite and EdgeRouter X.

I referenced this article from Ubiquiti’s support center which, at the time of writing, details both the encryption and hashing algorithms that are supported by the different offload engines contained within my test devices – specifically for firmware v1.10.5.

I thus settled on these settings for the bulk of my testing, which are supported by both the Cavium (ER4 and ERL) and MediaTek (ERX) offload engines. Each device was rebooted when any change to its hardware offload settings was made, just to ensure it loaded correctly.

Phase 1 – Internet Key Exchange

  • Key Exchange: IKEv2
  • Encryption Algo: AES256
  • Hash Algo: SHA1
  • Diffie-Hellman Group: 14 (2048 bit)
  • Lifetime: 86400

Phase 2 – Encapsulating Security Payload

  • Mode: Tunnel
  • Encryption Algo: AES128
  • Hash Algo: SHA1
  • Perfect Forward Secrecy: Enabled
  • Lifetime: 3600

Establishing a Baseline

For each of the tests, regardless of router configuration, I will be using iperf to measure throughput between servers and will keep the settings at basically default – run via TCP, for 30s and display output every 1s (in CSV format so I can compile the results).
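An added example, not part of the original article: a shell/awk helper that compiles per-second iperf CSV output like the runs described above and lists the seconds where throughput dipped. It assumes iperf 2's `-y C` field order; the sample rows, addresses and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise iperf 2 CSV output (iperf -c HOST -t 30 -i 1 -y C).
# Assumed field order of a TCP report line:
#   timestamp,src_ip,src_port,dst_ip,dst_port,id,interval,bytes,bits_per_second

# Constructed sample: four 1-second intervals plus the end-of-run summary row.
sample_csv() {
cat <<'EOF'
20190101120001,10.0.1.2,40000,10.0.2.2,5001,3,0.0-1.0,56250000,450000000
20190101120002,10.0.1.2,40000,10.0.2.2,5001,3,1.0-2.0,55000000,440000000
20190101120003,10.0.1.2,40000,10.0.2.2,5001,3,2.0-3.0,43750000,350000000
20190101120004,10.0.1.2,40000,10.0.2.2,5001,3,3.0-4.0,56250000,450000000
20190101120004,10.0.1.2,40000,10.0.2.2,5001,3,0.0-4.0,211250000,422500000
EOF
}

# Print "samples mean min max" in Mbit/s over the per-interval rows only.
# The summary row spans the whole run, so it is skipped rather than being
# averaged in as one more sample.
iperf_summary() {
    awk -F, '
        NF >= 9 {
            split($7, iv, "-")
            len = iv[2] - iv[1]
            if (step == "") step = len       # first row defines the interval
            if (len > step + 0.001) next     # end-of-run summary row
            mbps = $9 / 1000000
            sum += mbps; n++
            if (n == 1 || mbps < min) min = mbps
            if (n == 1 || mbps > max) max = mbps
        }
        END {
            if (n == 0) { print "0 0 0 0"; exit }
            printf "%d %.1f %.1f %.1f\n", n, sum / n, min, max
        }'
}

# Print "timestamp Mbit/s" for every interval below the given threshold, so
# dips can be lined up against a timestamped CPU log taken on the router
# (the clocks of the iperf host and the router must be in sync for that).
iperf_dips() {
    awk -F, -v limit="$1" '
        NF >= 9 {
            split($7, iv, "-")
            len = iv[2] - iv[1]
            if (step == "") step = len
            if (len > step + 0.001) next
            if ($9 / 1000000 < limit) printf "%s %.1f\n", $1, $9 / 1000000
        }'
}

# Demo on the constructed sample.
sample_csv | iperf_summary
sample_csv | iperf_dips 400
```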

[Figure: EdgeRouter raw throughput graph]

As for measuring CPU usage, I popped a script in /tmp on both routers being tested that would calculate CPU usage based on  and output to console with a timestamp so I could correlate between tests.
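An added example, not the author's script: one way to log timestamped CPU usage on a Linux-based router, split into total busy time and the soft-interrupt share. Reading `/proc/stat`, the function names and the sample counter lines are assumptions of this example.

```shell
#!/bin/sh
# Added example: timestamped CPU utilisation from two /proc/stat samples.
# Using /proc/stat is this example's assumption; the article does not say
# what its own script read.

# Constructed sample "cpu" lines, 500 ticks apart.
# Columns: user nice system idle iowait irq softirq steal guest guest_nice
SAMPLE_BEFORE='cpu  1000 0 500 8000 100 0 400 0 0 0'
SAMPLE_AFTER='cpu  1020 0 530 8250 100 0 600 0 0 0'

# cpu_usage "<earlier cpu line>" "<later cpu line>"
# Prints "<busy %> <softirq %>" for the interval between the two samples.
cpu_usage() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        {
            # Sum user..steal (fields 2..9); guest time is already in user.
            total = 0
            for (i = 2; i <= 9 && i <= NF; i++) total += $i
            idle = $5 + $6                     # idle + iowait
            soft = $8                          # softirq
            if (NR == 1) { t0 = total; i0 = idle; s0 = soft; next }
            dt = total - t0
            if (dt <= 0) { print "0.0 0.0"; exit }   # no ticks elapsed
            printf "%.1f %.1f\n", 100 * (dt - (idle - i0)) / dt, 100 * (soft - s0) / dt
        }'
}

# cpu_log [interval_seconds] [count]
# Prints "<YYYYMMDDHHMMSS> <busy %> <softirq %>" once per interval. The
# timestamp layout matches iperf 2 CSV output so the two logs can be compared.
cpu_log() {
    interval=${1:-1}
    count=${2:-30}
    prev=$(grep '^cpu ' /proc/stat)
    while [ "$count" -gt 0 ]; do
        sleep "$interval"
        cur=$(grep '^cpu ' /proc/stat)
        echo "$(date +%Y%m%d%H%M%S) $(cpu_usage "$prev" "$cur")"
        prev=$cur
        count=$((count - 1))
    done
}

# Demo on the constructed samples.
cpu_usage "$SAMPLE_BEFORE" "$SAMPLE_AFTER"

# Live logging only when asked for: sh cpu.sh log [interval] [count]
if [ "${1:-}" = "log" ]; then
    cpu_log "${2:-1}" "${3:-30}"
fi
```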

Once I had the initial test plan sorted out, I made sure that all relevant hardware offloading was enabled and started by measuring if the devices can actually forward traffic at 1 Gbps. This was a simple test using iperf from Server 1 over to Server 2 via the routers, without any IPsec or GRE configuration in place. Just pure packet forwarding via static routes.

The routers are ordered from left to right, most expensive to least expensive: EdgeRouter 4, EdgeRouter Lite and EdgeRouter X respectively. Thankfully, it seems that all routers are more than capable of forwarding packets at basically line rate (see image to the left).

 

[Figure: EdgeRouter raw throughput CPU graph]

Whilst I expected nothing less, I wanted to make sure that they were capable of actually forwarding packets at gigabit speeds – I’ve seen some routers that do a lot worse! What is more interesting about this first test seems to lie with the CPU usage of the devices whilst pushing packets.

Both the EdgeRouter 4 and EdgeRouter Lite use SoCs from Cavium and use a “not insignificant” amount of CPU when just routing, whereas the EdgeRouter X uses a MediaTek based SoC which hardly makes a dent.

From observing what’s going on from the PoV of the device, most of the usage on the Cavium based devices appears to come from soft interrupts, so I’d expect this is simply down to the different manufacturers’ hardware offloading methods, which probably explains the surprisingly low CPU usage for the EdgeRouter X.

Whilst this is certainly an interesting point to see this early on, I would be curious as to how the CPU in the X performs with other tasks that can’t really be offloaded as easily. I may test this in more detail based on a more traditional home/office type test with QoS and ACLs etc or even some dynamic routing enabled to try to tax the CPU a bit more.

For now however, that’s out of scope of this article.

Initial Testing

At the time of writing this, there wasn’t really much in the way of documented figures for IPsec performance on the EdgeRouter 4 that I could find, so I figured – I have the kit, let’s test it!

[Figure: EdgeRouter 4 Phase 2 AES performance]

The initial test was to measure throughput between two EdgeRouter 4s, and use that as a base to compare with the older models as they’re also quite popular. As mentioned previously, I am testing between just these two devices and I can’t tell if the performance I see in my results is due to hitting a ceiling on encryption or decryption, so for the remainder of this article I will assume both figures are the same for the ER4.

Whilst the testing was done using the IPsec configuration outlined earlier, I did also test using AES256 for both Phase 1 and 2. As you might expect, throughput was a little less when using AES256 due to the increase in computation required. I decided to stick with AES128 as the primary choice for the remainder of the tests.

AES256 is a better choice, generally speaking, for encryption; however, the added compute required didn’t seem worth it to me in conjunction with the relatively short key lifetimes. AES128 should be secure enough for my purposes.

I did also dabble with MD5 as the hashing algorithm, but in all of my tests it performed worse than SHA1 – I simply chalk this up to the offload engine being optimised for SHA1 vs MD5.

If you’re looking for guidance on what configuration to use for IPsec, a good read is the NCSC guidelines for IPsec along with this page which explains why you might choose one type over the other.

As you can see, the EdgeRouter 4 performs pretty well in this test. CPU usage for both tests was around the 50% mark.

Initial Observations

Something I did note during my tests but couldn’t quite explain is that sometimes, throughput between the EdgeRouter 4s would drop by about 100 Mbps along with a CPU usage drop from 50% utilization, down to 35-40%. I haven’t been able to figure this one out definitively; however, I am guessing it’s a side effect of the interaction between the CPU and its co-processor for offloading – possibly something to do with power states. It would only manifest every 1 in 10 tests or so and apply consistently for that flow.

Because I was consistently getting around 440-450 Mbps however, I went with an average of those results as the value for the ER4.

[Figure: EdgeRouter 4 throughput with different offload settings]

Another curious observation came about when playing around with the different hardware offload modes. For all of the tests I compiled results with all hardware offloading enabled – but out of interest, I decided to disable ALL hardware offloading EXCEPT for the IPsec module and in all cases I got better throughput (about 5% more) out of the EdgeRouter 4 with a consistent 50% CPU usage, like before.

To me, this result is somewhat unexpected. I would have thought that offloading as much as possible to the offload engine would give better results but that does not appear to be the case.

I am only speculating but I think this may be to do with packets going back and forth from the co-processor unit in the Cavium chip. For example, a packet may come into the device for forwarding – get offloaded and then need to come back out of the offload engine to be processed further before being GRE encapsulated (and offloaded) and then ultimately encrypted (again, IPsec offloaded)?

I am curious to see how this behaviour would affect overall performance of the device when it’s doing other CPU related tasks and not just IPsec encryption. However, that’s out of scope for this article.

Testing the EdgeRouter Lite

Now that we have some figures for the EdgeRouter 4, I can move on to testing one of the other models. The logic here is that the EdgeRouter 4 is the more capable device by far, so by putting one of the (in theory) less powerful devices in place of one of the EdgeRouter 4s, the result I get would be capped by the performance of that device, and thus we measure its performance.

Using this logic, I can push traffic through the EdgeRouter Lite as the first hop, thus testing its encryption performance, and vice versa, having the EdgeRouter Lite as the last hop, testing its decryption performance.

[Figure: EdgeRouter Lite IPsec performance]

The EdgeRouter Lite clearly suffers with its weaker CPU here – it was pretty much maxed out through the testing. This would probably perform OK if you don’t have a lot of bandwidth to play with, but doesn’t seem to do well much past 100 Mbit.

As observed with the ER4, curiously I see higher throughput through the EdgeRouter Lite with all but IPsec offloading disabled (about 10-12% improvement) whilst CPU usage is about the same.

Testing the EdgeRouter X

Given the result observed earlier for the raw throughput test of the EdgeRouter X, I was very interested to see how this one would turn out. This particular model of EdgeRouter is based on a different SoC manufacturer than the other two devices (MediaTek, vs Cavium respectively) so has a different hardware offload engine. This is even more apparent in the configuration of the router and how you enable hardware offloading.

For the Cavium devices, we have a choice to enable specific features as/where needed (Forwarding has to be offloaded for any of the others to work, except for IPsec)

Whereas for the EdgeRouter X’s MediaTek system, we simply have the choice of

So, using the same IPsec configuration settings for the EdgeRouter 4 and EdgeRouter Lite tests (detailed above), this router performed surprisingly well – better than I had initially expected.

[Figure: EdgeRouter X IPsec performance]

There’s a noticeable improvement in throughput and CPU usage on the ERX over the ERL which is quite surprising given the price point of the two models.

Interestingly however, unlike the two Cavium devices, the EdgeRouter X loses encryption performance with all other offloading disabled but gains some on decryption. Whilst the other two devices’ CPU usage remained pretty consistent, there is a noticeable change on the ERX for all offload vs IPsec only offloading.

[Figure: EdgeRouter X performance with different offload settings]

This just reinforces the fact that not all offload engines are equal – even within devices under the same brand. That being said, however, the EdgeRouter X seems to be a very capable device and I do look forward to a time when I can compare it to the EdgeRouter Lite in a more “real-world” scenario.

Bandwidth-capped Test

The above tests do well to illustrate how well each model of router performs when unrestricted and allowed to try to push as much as it possibly can. I opted to do one final test and limit bandwidth to 100Mbit. I decided to do this on each server by forcing their NICs to 100M FDX. The aim of this test is to illustrate how the routers compare to each other when given the same workload.

[Figure: EdgeRouter 100 Mbit capped performance]

All of the routers managed line rate (100M) and, as the above shows, this really reinforces how much better the EdgeRouter X is at handling IPsec than the EdgeRouter Lite. Interestingly in the capped test, the ERL used more CPU on decryption, which is the opposite of earlier when it was pushing as much as it possibly could.

Conclusion

I originally set out to determine what throughput I could expect from these various devices at each end of an IPsec tunnel to allow for a more informed decision as to how to structure my network. The EdgeRouter 4 is pretty much what I expected it to be – in that it’s a very capable device and looks like it will be more than capable as a core router for my use case.

Despite the image this article paints for the EdgeRouter Lite, it is still a very capable device. It’s a router that’s aimed at home or small office users and the likelihood they have an internet connection that requires higher IPsec throughput is pretty low. Whilst the device itself isn’t the cheapest around, the features it comes with certainly make it an attractive prospect for more advanced users who want to get more out of their router than something like a BT Home Hub.

The EdgeRouter X on the other hand is a truly intriguing device! On the face of things it looks like it should perform better than the Lite at most things – however I will likely be comparing these in a more direct fashion in the future. Whilst the EdgeRouter X does indeed perform well, it will not be suitable as a drop-in replacement for the Lite for all situations – namely where dealing with high packet counts is required. The EdgeRouter Lite is rated at 1 million Packets-Per-Second (PPS) at 64 bytes in size whereas the EdgeRouter X is only rated for 260,000.

With that being said though, the EdgeRouter X is still a very good candidate for enthusiast users or light deployments – especially given its PoE passthrough feature.
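The packet-count caveat above, worked through for the AES128/SHA1 ESP settings used in the tests, as an added example that is not part of the original article: it computes how much each packet grows under ESP and what packet rate a given tunnel throughput implies at different packet sizes. The pps ratings are the ones quoted above and 450 Mbit/s is the ER4 figure from the tests; header sizes without options, the basic 4-byte GRE header and transport-mode ESP around GRE as the default are assumptions.

```python
# Added example: ESP packet expansion and packet-rate arithmetic.
# Assumptions (not from the page): IPv4 without options, basic 4-byte GRE
# header, AES-CBC with HMAC-SHA1-96, GRE protected by transport-mode ESP.
OUTER_IPV4 = 20    # IPv4 header
GRE_HDR = 4        # GRE header without key/checksum/sequence fields
ESP_HDR = 8        # SPI + sequence number
AES_BLOCK = 16     # CBC block and IV size, identical for AES-128 and AES-256
ESP_TRAILER = 2    # pad-length + next-header bytes
ICV_SHA1_96 = 12   # HMAC-SHA1 truncated to 96 bits

# Forwarding ratings quoted on the page (64-byte packets, not IPsec figures).
RATED_PPS = {"EdgeRouter Lite": 1_000_000, "EdgeRouter X": 260_000}


def esp_packet_size(inner_len, gre=True, tunnel_mode=False):
    """IP-layer bytes on the wire for one inner IPv4 packet of inner_len bytes."""
    protected = inner_len
    if gre:
        protected += GRE_HDR             # GRE header is encrypted
        if tunnel_mode:
            protected += OUTER_IPV4      # GRE delivery header is encrypted too
    elif not tunnel_mode:
        protected -= OUTER_IPV4          # transport mode reuses the IP header
    # CBC: payload + padding + trailer must fill whole 16-byte blocks.
    blocks = -(-(protected + ESP_TRAILER) // AES_BLOCK)
    return OUTER_IPV4 + ESP_HDR + AES_BLOCK + blocks * AES_BLOCK + ICV_SHA1_96


def required_pps(inner_mbps, inner_len):
    """Packets per second needed to carry inner_mbps in inner_len-byte packets."""
    return round(inner_mbps * 1_000_000 / (inner_len * 8))


def pps_bound_mbps(rated_pps, inner_len):
    """Inner throughput ceiling (Mbit/s) imposed by a packet-rate rating alone."""
    return rated_pps * inner_len * 8 / 1_000_000


def summarize(inner_mbps=450, sizes=(64, 512, 1400)):
    """Rows of (inner bytes, ESP bytes, payload efficiency, pps for inner_mbps)."""
    return [(n, esp_packet_size(n), round(n / esp_packet_size(n), 3),
             required_pps(inner_mbps, n)) for n in sizes]


if __name__ == "__main__":
    for row in summarize():
        print("inner=%4d B  esp=%4d B  efficiency=%.3f  pps@450Mbit=%d" % row)
    for model, pps in RATED_PPS.items():
        print(f"{model}: {pps_bound_mbps(pps, 64):.1f} Mbit/s ceiling at 64 B")
```

With 64-byte packets the packet-rate rating, not the crypto engine, sets the ceiling: 260,000 pps is only about 133 Mbit/s of inner traffic, and each such packet more than doubles in size once ESP is applied.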

I will leave you with a final graph that shows each router’s IPsec throughput side-by-side to highlight the differences between them. It’ll be interesting to see if Ubiquiti can improve on these numbers in the future through software updates, or if the limitations are purely with the offloading hardware.

Source: https://www.simonmott.co.uk/2018/08/ubiquiti-edgerouter-ipsec-performance/
