getting gig symmetrical WAN connection and need to upgrade router.
superjet

Regular Contributor
Right now my DHCP/NAT/gateway is an older Asus N66U. Judging by the router chart, that might not be the best router going forward once my gig connection is set up. Looking at the throughput charts, all the highest WAN-to-LAN and LAN-to-WAN routers are fairly expensive wireless routers. I have AC wireless with an Apple Time Capsule (and understand that's far from the fastest AC device at this point), but was wondering if there was a somewhat affordable wired router that outperformed the wireless big dogs when it comes to wired WAN-to-LAN and the reverse using hardware NAT. I'm also okay with getting a >$200 wireless router if those are the absolute best for throughput. I'm looking for something to do DHCP for the few devices without static IPs on my network, hardware-based NAT (or, if someone convinces me there's a software option that does >940 Mbps NAT, that), and be the gateway to my home network.

EDIT: The majority of my devices are connected via a wired gig connection right now, but I do have a few devices that have AC wireless that aren't always connected via a cable.
 
There are multiple routers that can do that, but you actually need 2 Gb/s of throughput, and no consumer router can give you that even with hardware NAT. See the LAN-WAN simultaneous figures, because you have 1 Gb/s download and 1 Gb/s upload, which means 2 Gb/s total throughput.

You can use pfSense on a mini PC using an Intel Atom, or on a full one. Make sure it doesn't use Realtek NICs, because of CPU usage.
You can use a MikroTik RouterBoard such as the RB850Gx2, RB1100AHx2 or CCR1009. They require skill to configure, but have gigabit software NAT throughput and hardware acceleration for IPsec, and will outperform even the Cisco RV with VPN. Each PPC core at 1 GHz does 500 Mb/s of PPTP and each Tile core does 300 Mb/s, but IPsec may be faster with hardware acceleration.
There's also Cisco, but they are very expensive for that sort of throughput.

If you don't need the features, you can go with hardware NAT, in which case there is even the ASUS AC56U, TP-Links and so on. Look at the features and throughput you need and select the best router you can afford from the charts.

MikroTik RouterBoards do have hardware NAT now, but I only quote their software NAT speeds.
 
Thank you for the reply. I realized that after I posted and was looking at the simultaneous throughput. It looks like 1500-1600 is the highest on any current consumer router. I've always wanted to do the pfSense thing, but the MikroTik stuff caught my eye last night. I've got a week or three before the install, so a while to get something figured out. Thank you for the input; I'll look more into pricing a pfSense setup with a nice Intel NIC.
 
Also perhaps worth taking a look is UBNT's EdgeRouter series -- most notably the Lite and PoE-5 models in your case. They both list 3 Gb/s line-rate Layer 3, so I presume they'd be capable of 2 Gb/s aggregate on the WAN link. $99 and $175, respectively, are relative to MikroTik in terms of value. I find the product overall a bit more approachable/polished for the "prosumer" than RouterOS (not better, just different). Version 1.7 of the firmware is finally at the point where most everything is accessible from the GUI, with everything else available via command line, of course.

I know @System Error Message doesn't quite favor UBNT as he does 'Tik, but they're nevertheless a worthwhile consideration, in the right use case.

Otherwise, I'd second pfSense in a Mini-ITX with a few Intel NICs. Solid DIY way to go.
 
On the contrary, I do like UBNT; however, their hardware just can't keep up with MikroTik performance in software NAT. I just don't like the EdgeRouter Lite. The EdgeRouter PoE-5 uses the same hardware as the EdgeRouter Lite but is less buggy.

The issue with the Ubiquiti EdgeRouters is that their "line rate" is hardware NAT, and it doesn't always work. It's the same with MikroTik's hardware NAT; it doesn't always work either, which is why I look at the software NAT performance instead. I have hardware NAT enabled on my MikroTik router, but statistics-wise no traffic was considered for hardware NAT.

All these brands (UBNT and MikroTik) list their routing performance, not NAT performance. Both are different. Layer 3 routing is just like a layer 2 switch but using layer 3, so layer 2 features aren't passed over. The internet uses layer 3 routing and many of their customers are small ISPs, so to them layer 3 routing is important.

Between MikroTik and pfSense, take a look at MikroTik's demo at demo.mt.lv, which lets you see how easy or hard it is to configure first. pfSense gives you some interesting features like deep inspection, which you must tick, whereas in MikroTik deep inspection must be manually configured via rules. MikroTik may be harder but has better QoS.
 
@System Error Message
The OP never stated that software routing was a requirement.
Nothing they stated would require the power of a CCR1009 or better.

As long as something does DHCP, DNS, Firewall rules, and the Hardware NAT offload is not disabled from those things . . . it is perfectly fine for a SOHO gigabit link.

If you are dead set on pfSense, then read up heavily on the benefits of clock speed vs. cores if you don't want to get overkill for no good reason.
 
This would be interesting: pfSense SG-4860. They are a bit spendy, but it's fully supported...
 
The OP didn't state software routing, but I stated it because the routers that can do full 2 Gb/s forwarding or more, which aren't consumer ones, don't do hardware NAT under many conditions, such as when using PPPoE. This applies to both Ubiquiti and MikroTik. pfSense doesn't have hardware NAT; it only depends on NIC and CPU. It is quite difficult to get hardware NAT working properly on both brands.
 
I would not say it is difficult at all to get hardware NAT working with Ubiquiti.
As of v1.6.0 EdgeOS now supports hw offload for:
  • IPv4 forwarding
  • IPv4 vlan
  • IPv4 PPPoE
  • IPv6 forwarding
  • IPv6 vlan
  • IPv6 PPPoE
As for mikrotik, I have not used their routers in situations where I could enable offload. Thus I cannot honestly comment on them.

General rule of thumb is when doing QoS, offload breaks.
For a home gigabit line . . . doing QoS is like trying to put a traffic cop on the autobahn.

Edit:
I have a 500/500 line at home and use the ER-3. It works perfectly fine although I have preemptively replaced the USB drive with an SLC one. The OP just needs to stay away from the ER-X and ER-X-SFP since IP offload does not work on those two models.
 
You will need QoS when someone starts downloading updates from Microsoft or when using torrents. Torrents, for example, can easily use up the whole line. The offload says forwarding, not NAT.

MikroTik has 2 different types of offload, called FastPath and FastTrack. FastPath is hardware acceleration over the CPU for layer 2 and layer 3 routing (both IPv4 and IPv6) and has the same rule that the configuration must be basic (not for NAT, firewall, QoS, etc.). FastTrack works with NAT and some features but will skip QoS and firewall rules after the packet has gone into FastTrack.

However, looking at speeds, the EdgeRouter Lite and PoE-5 cannot do 2 Gb/s of NAT. Here's a link to the test:
https://blog.linitx.com/ubiquiti-edgerouter-performance-testing/
The RB1100AHx2 does, however, do 2 Gb/s of NAT and can do a bit more, so the RB850Gx2 will do 1 Gb/s or more of NAT. What's more, these PPC CPUs will do 500 Mb/s of PPTP and 300 Mb/s of IPsec at 1 GHz per core, meaning per tunnel.

So if you need firewall, QoS and VPN, MikroTik will be a much, much better choice than Ubiquiti, but if you don't need all that stuff, Ubiquiti may be cheaper. MikroTik offers features at a good performance.

I'm not against Ubiquiti, but many here have reported the EdgeRouter Lite being buggy and having issues. Since all the Ubiquiti EdgeMAX models from the ERL and above use the same CPU, you can take a baseline of performance when comparing CPU clocks, since having 2 nice-looking MIPS cores at 500 MHz isn't enough to max out your connection. You will need at least double the frequency to get near line rate. That means you'll really be looking at the recommendations I have suggested, but the CCR1009's NAT performance far outpaces the best Ubiquiti can offer, which would be about 18 Gb/s if you use CPU-connected ports.
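The FastTrack behaviour described above (fasttracked connections skip later firewall rules, mangle and queues) is easiest to see in a concrete ruleset. The following RouterOS v6 configuration is an added example, not from the post or from MikroTik's own documentation; it assumes the WAN is on ether1, the LAN is 192.168.88.0/24, and that 192.168.88.50 is a constructed example of one host you still want shaped by a queue.

```routeros
# Added example (not from the thread): where fasttrack-connection sits and
# how it interacts with filter rules and queues in RouterOS v6.
# Assumed names: WAN on ether1, LAN 192.168.88.0/24; 192.168.88.50 is a
# constructed example of a host that must still be shaped.

# Enable the CPU fast path (FastPath). It only engages on interfaces and
# configurations that qualify, so enabling it is not proof that it is in use.
/ip settings set allow-fast-path=yes

/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="NAT to WAN"

/ip firewall filter
# Rules that must also see packets of already-established connections
# (invalid drop, block lists) go BEFORE fasttrack: once a connection is
# fasttracked, later filter rules, mangle and queues never see its packets.
add chain=forward connection-state=invalid action=drop
add chain=forward connection-state=new connection-nat-state=!dstnat \
    in-interface=ether1 action=drop comment="no unsolicited inbound"
# Exclude the shaped host so its traffic still reaches the queue below;
# everything else that is established/related is fasttracked.
add chain=forward connection-state=established,related \
    src-address=!192.168.88.50 dst-address=!192.168.88.50 \
    action=fasttrack-connection comment="fasttrack (bypasses QoS)"
add chain=forward connection-state=established,related action=accept

/queue simple
add name=cap-workstation target=192.168.88.50/32 max-limit=200M/200M

# Checks: these counters show whether the offload actually engaged for
# your traffic, rather than merely being enabled.
/ip settings print
/ip firewall filter print stats where action=fasttrack-connection
```

The `ipv4-fast-path-active` / `ipv4-fasttrack-active` fields and packet counters in `/ip settings print` are the check for the "enabled but no traffic counted" situation mentioned earlier in the thread; if the fasttrack rule's counters stay at zero while the connection tracking table is busy, the bypass is not happening and the CPU is doing full software NAT.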
 
If I could get Google's gig connection, I would need, in a router, access lists. I use them all the time. My thinking is I would have to use a software-based PC for routing for a cheap solution. What routers still play if you add access lists?
 
It's why I usually suggest the RB1100AHx2 and CCR1009, since they can take a lot of configs before they start to slow down.

What sort of access list do you use? Because I see this in managed switches.
 
I block IPs by IP and class. I block protocols. I block high-level ports.

PS
After several pages of blocks it usually slows down the smaller routers. I have not seen any layer 3 switches which I can afford which will do this.

You would need a routing module like what Cisco sells for their bigger layer 3 switches. EXPENSIVE.
 
I would recommend the CCR1009 because it does a really fine job blocking lots of bad traffic while still being able to give you gigabit throughput. People use it with hundreds of simple rules and users and still get lots of throughput.

On switches that would normally be used to block MAC addresses.

If you search the MikroTik forum you'll see many users giving examples of loading thousands of generated rules while serving hundreds of users at the same time with the CCR1036. The CCR1009 has a quarter of the CPU power of the CCR1036. With many drop rules it won't slow down; however, with MikroTik RouterOS you can put your ACLs in the address list as a single name with various definitions (but using the same name) and use a single firewall rule to block them at each chain (forward, input and output). This significantly reduces your CPU requirements.

If you go to demo.mt.lv, go to IP -> Firewall and take a look at Address List. While the demo won't let you change anything, each address list definition accepts an IP or IP network.
You then go to Firewall and create a rule in each chain; in Advanced, select the source/destination address list depending on the chain, and go to Action and select drop. RouterOS also lets you select protocols and ports in the firewall.
 
I don't block anything by MAC.

I went to demo.mt.lv. I only got one screen. I tried changing to IP and selecting Firewall and Service, but neither one would bring up the screen. It may not work with Windows 10 and Edge, which is what I am running.
PS
I assume this is a router not a switch. The one screen I get looks more like a router.
 
It is a router. Despite the web rendering issues for some OSes or browsers, it does have its trusty WinBox application, which is much nicer than using the web GUI, although you cannot use the demo from WinBox. You might need to wait a bit, because sometimes the web GUI takes longer. It is a demo of one of their low-cost MIPS-based routers. All their RouterBoards and the OS for x86 use the same RouterOS, so they all have the same features except for virtualisation and switch chip features and some hardware features like serial and LCD.

Some screenshots. The letter D means dynamic, meaning it is added automatically, since I have different firewall rules that add things to different lists. You can use this to, for example, add any IP address that connects to your network to a list and do stuff with it.
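The address-list approach from the two posts above (one named list holding many IPs or networks, one drop rule per chain, plus dynamic entries added by other rules and flagged "D") looks like this in the RouterOS CLI. This is an added example, not the poster's configuration or his screenshots; the WAN is assumed to be ether1 and every address is a constructed RFC 5737 documentation range, not a real source of bad traffic.

```routeros
# Added example (not from the thread): address-list based ACL in RouterOS v6.
# Assumed: WAN on ether1. All addresses are constructed documentation ranges.

/ip firewall address-list
# Static block list: many entries, one name. An entry is a host or a network.
add list=blocked address=203.0.113.0/24  comment="constructed: hostile /24"
add list=blocked address=198.51.100.7    comment="constructed: single host"
add list=blocked address=192.0.2.0/25    comment="constructed: hostile /25"
# Entries can expire on their own instead of needing manual cleanup.
add list=blocked address=198.51.100.200 timeout=1d comment="temporary block"

/ip firewall filter
# One rule per chain references the whole list, so the rule count stays
# constant no matter how many addresses the list grows to.
add chain=input   src-address-list=blocked action=drop comment="to the router"
add chain=forward src-address-list=blocked action=drop comment="inbound through"
add chain=forward dst-address-list=blocked action=drop comment="outbound to"
add chain=output  dst-address-list=blocked action=drop comment="from the router"

# Dynamic list (shows with the D flag in WinBox): any WAN host that opens a
# new connection to the SSH or WinBox port is recorded for 24 hours. The
# add-src-to-address-list action does not terminate processing, so the
# packet continues to the drop rule right after it.
add chain=input in-interface=ether1 protocol=tcp dst-port=22,8291 \
    connection-state=new action=add-src-to-address-list \
    address-list=probed_mgmt address-list-timeout=1d \
    comment="record WAN hosts touching management ports"
add chain=input in-interface=ether1 protocol=tcp dst-port=22,8291 \
    action=drop comment="and drop them"

# Protocol and port blocks in the same style (constructed examples).
add chain=forward protocol=udp dst-port=1900 out-interface=ether1 \
    action=drop comment="no SSDP leaving the LAN"
add chain=forward protocol=tcp dst-port=49152-65535 in-interface=ether1 \
    connection-state=new action=drop comment="no new inbound to high ports"

# Checks: dynamic entries carry the D flag and a remaining timeout, and the
# per-rule counters show which drops are actually firing.
/ip firewall address-list print where list=probed_mgmt
/ip firewall filter print stats
```

Rule order matters: the list-based drops sit at the top of each chain so they are evaluated before any accept for established traffic, and the recording rule must come before its companion drop or the source will never be recorded. A host that lands in `probed_mgmt` can be dropped everywhere by adding `src-address-list=probed_mgmt` rules in the same way as `blocked`, without touching the static list.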
 
Thank you all for the replies. Here's what I've tentatively decided to go with:


Mikrotik RouterBoard CCR1036-12G-4S Extreme Performance Cloud Core Router with Twelve-10/100/1000 ethernet ports, 4 SFP ports and RouterOS Level 6 license
http://www.amazon.com/gp/product/B00B1ZJ2VG/?tag=snbforums-20
http://routerboard.com/CCR1036-12G-4S-EM

This is the one I'm looking to get, pending CenturyLink confirmation that their fiber device has a fiber channel I can use for WAN. I'll be using it for firewall, VPN, bonding, and QoS as needed. I'd like to team 2 gigabit connections to each of my managed switches and two to my main workstation that has dual Intel NICs.

Not looking forward to the initial setup, as I've used an evolving set of DHCP reservations, static IPs and port forwarding for 3 years now on my N66U, but I'm hoping to set it up in a weekend.
 
You can always ask me if you need help with configurations. You can bond ports in RouterOS very easily, with different bonding modes to choose from. When you bond ports it creates a new bonded interface, which you use to apply your rules on.
You don't really need the extra memory, but they use standard laptop DDR3 RAM and use BGP and other sorts of Cisco routing. EM stands for extra memory.

I presume you went with the CCR1036 to get VPN throughput at your WAN speeds?

Very important to remember that each VPN connection will use up to 1 core maximum, so each connection will do 300 Mb/s of PPTP or L2TP+IPsec. You can load balance over multiple VPN tunnels, though.
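The bonding setup described above (two ports to each managed switch, two to a dual-NIC workstation, rules applied to the resulting bond interface) would look roughly like this in RouterOS. It is an added example, not the poster's configuration; port numbers, interface names and addresses are constructed, and it assumes the switches and the workstation's NIC teaming are configured for 802.3ad (LACP) on their side, since a bond only comes up correctly when both ends agree on the mode.

```routeros
# Added example (not from the thread): 802.3ad bonds on a CCR1036 toward two
# managed switches and a dual-NIC workstation, with rules on the bond.
# Assumed: WAN on ether1; the peers run LACP; names/addresses are constructed.

/interface bonding
add name=bond-sw1 slaves=ether2,ether3 mode=802.3ad \
    transmit-hash-policy=layer-2-and-3 lacp-rate=30secs comment="switch 1"
add name=bond-sw2 slaves=ether4,ether5 mode=802.3ad \
    transmit-hash-policy=layer-2-and-3 lacp-rate=30secs comment="switch 2"
add name=bond-ws  slaves=ether6,ether7 mode=802.3ad \
    transmit-hash-policy=layer-3-and-4 comment="workstation, dual Intel NIC"

# The bond is the interface everything else attaches to; the member ports
# carry no addresses or rules of their own.
/interface list
add name=LAN
/interface list member
add list=LAN interface=bond-sw1
add list=LAN interface=bond-sw2
add list=LAN interface=bond-ws

/ip address
add address=192.168.10.1/24 interface=bond-sw1
add address=192.168.20.1/24 interface=bond-sw2
add address=192.168.30.1/24 interface=bond-ws

/ip firewall filter
# Firewall rules reference the bond (or a list containing it), not ether2-7.
add chain=forward in-interface-list=LAN out-interface=ether1 action=accept \
    comment="LAN to WAN"
add chain=forward in-interface=ether1 out-interface-list=LAN \
    connection-state=established,related action=accept
add chain=forward in-interface=ether1 out-interface-list=LAN \
    connection-state=new action=drop comment="no unsolicited inbound"

# Check: active slaves and whether the LACP partner is actually negotiating.
/interface bonding monitor bond-sw1 once
```

One caveat the thread's 2 Gb/s discussion makes relevant: LACP spreads flows across members by hash, so two bonded gigabit ports give 2 Gb/s aggregate across many flows, but any single TCP connection (one large file copy, one speed test) is still pinned to one member and tops out at 1 Gb/s. The `layer-3-and-4` hash on the workstation bond only helps when there are several parallel connections to distribute.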
 
@System Error Message: can you recommend some how-to pages for the MikroTik RouterBoard? I'd like to learn about this. Perhaps a stable wired connection plus APs would be my best bet for getting my home network stable and secure.
 
When playing with these high-speed pipes, I think you will find you want to transfer all the local network functions and overhead off the router, to keep the speed up on the router to where it is just opening the internet door and closing the internet door. This is the way of larger networks. Usually at the center of large networks are key layer 3 switches for the high-speed core networking. I think as we move into the gig internet pipes we can take advantage of the same type of structure. This leaves the router able to apply 100 percent of its resources to routing on the internet. So it may be time to start thinking of adding a layer 3 switch to your network to handle the local network, so the router can concentrate on high-speed routing. It is a little more work, but I think worth it in the long run.
 