A Solid Week with the ER-4

Using a VPN back to your home from another location means you are controlling both sides of the VPN. This is what VPNs were built for. Don't think you are hiding, as your home network is still on the radar, but you are secure to your home network.
Correct, it doesn't hide my Internet browsing from my ISP, but it does secure my traffic flows from those in close proximity on whatever WiFi I may be using.

I'm not sure why you need a 3rd party VPN service. Just don't connect to hot spots. There is a setting for that. That will keep the man-in-the-middle attacks away. I have not had any problems using public Wi-Fi by not connecting to any hot spots. I don't use airport Wi-Fi, but I don't travel much any more either.
The 3rd party service is for testing/playing from home, but more for times when my home VPN isn't responding and I still want to secure my communications.

Why use public hotspots? Sometimes mobile data service isn't available or is just slow as dirt. Or I just don't want to burn through all of my data for the month. If I can secure my communications, why wouldn't I use someone else's data instead of my limited LTE? There are many reasons to still use public WiFi, but people need to be aware of the risks of using an unknown network path. Open WiFi leaves you open to MitM attacks and/or just someone sniffing everything you are doing.

Even before I had OpenVPN as an option, when I traveled I only browsed the web on public WiFi from my work laptop connected to the corporate VPN. I never browsed outside of the VPN.
 
Yes, I agree a work connection should be protected with a VPN. You have to be careful with a split VPN, where you have a non-VPN connection at the same time as you have a VPN connection. This opens the door down the VPN pipe straight to your work's inside network.

I don't trust hotspots. It's too easy to connect to someone else's "bad" hotspot when you are out in the wild drinking or partying. So I don't use hotspots. I know there are good ones too. I just don't use them. I use the public Wi-Fi that is available at places I go.
 
Since VPN throughput versus price is the only purchase criterion for many buyers, this is a totally useless review. I also noticed that Ubiquiti does not publish any VPN throughput statistics. Furthermore, the spec sheet for the EdgeRouter 4 only states the CPU architecture and does not identify the specific CPU model. When manufacturers don't provide accurate specifications, it means they know there is something else on the market which provides better performance at a lower price, and they don't want you to go around comparing their products to anything else.

That comment is worthless because you probably stopped reading at my lack of need for a VPN. I'm not doing point-to-point, nor do I need access to my internal network from the outside. It's just an edge router for me. Get on with your life and continue playing with your 10-year-old Linksys toys.
 
@coxhaus and @SN382, funny arguing going on. I know coxhaus has shown a better understanding of networking than you.

The thing is, VPN performance is dictated largely by encryption and encapsulation performance. So if you do not push these things, you are also ruining other important features that some consumers like myself, or even others, use, that is, creating a p2p tunnel between sites using encrypted tunnels.

And yes, Ubiquiti does not show the exact CPU model because their router isn't really fast for the customer it is aimed at. Ubiquiti EdgeRouters to me will always be a home target because of their reliance on hardware acceleration. For reference, MikroTik is cheaper in price/performance also because they maintain high performance when you use the other features it comes with. For instance, QoS performance on MikroTik is much better than on Ubiquiti; my MikroTik CCR1036 will max out its ports before it runs out of CPU power to handle a lot of things, with a few Gb/s of VPN performance using hardware encryption. I don't think the best Ubiquiti has to offer is capable of that, because at best they will achieve 1+ Gb/s of QoS on their highest-end model, and there are many fanatic Ubiquiti fans as well, which Ubiquiti mentions in their investor book.

While I'm not a fan of Ubiquiti, I never recommend their routers, always their WiFi and other mini products. In my opinion, despite the nice new many-core MIPS they sell, they aren't selling the best from the manufacturer, and the pricing does not match what MikroTik offers (don't use their hardware acceleration charts to compare). There's a reason why MikroTik doesn't release routers like Ubiquiti, and it's because they know that their customers are going to be putting a lot of load on them.

The best many-core MIPS I saw a few years ago was 48 cores, and now a lot more. The most Ubiquiti stuffs in is about 16 cores, I believe, in their highest-end routers. I'm not recommending staying away from the EdgeRouter line, but make sure you recognise what the product is first. I always see Ubiquiti EdgeRouters a little like consumer Linux routers, but much easier on the Linux bit if you want a flexible embedded router. It's not great as a dedicated router (Cisco and MikroTik are better at that), it's not great as a Linux box either (pfSense, Linux), but it's in between them.
 
@System Error Message

  1. You can get better overall IPsec performance for a single tunnel with a MikroTik device at almost 30% of the price of your 36-Tile CCR monster, i.e. the ARM RB1100AHx4 and the Dude Dx4 variant.
  2. As far as I am aware, the Tile architecture still suffers to this day from out-of-order packets with IPsec. So I am not sure how widely used it is for that purpose anyway.
  3. Yes, MikroTik routers scale well with additional features compared to most consumer hardware and even compared to many SOHO products, including Ubiquiti. But with MikroTik, like most manufacturers, it's their way or no way.

The real value of Ubiquiti EdgeRouters and UniFi products is their relatively open platform; they are quick to add features that are SOHO- and consumer-driven. By contrast, SOHO seems to be very much a secondary priority for MikroTik. Ubiquiti even maintains a user feature request system which they implement against.

So, for example, you can run modern SQM (including fq_codel in stock firmware), which can make a large difference to a residential Internet connection and can normally only be found in third-party firmware on consumer routers, e.g. Merlin or LEDE/OpenWrt. Try finding that feature and others like proper OpenVPN support, or the ability to directly add such features, on any other SOHO or enterprise platform...

I would not be so quick to dismiss this niche. As the number of devices, the speed of broadband connections and lifelong security concerns increase, people want performance, management, consumer-level flexibility and extended software support, all without having to become a technical guru or pay for, build and maintain their own ~$300 device. These requirements currently span very different markets and types of users.

It must also be nice to walk around with a $50 device (ER-X) in your pocket that beats any consumer VPN travel router, can beat the wired performance of most consumer routers as a residential Internet gateway, and can be used to manage a SOHO office network as an L3 VLAN-aware device, all while using less power than a light bulb! :)
 
I know; to be more specific, I already positioned Ubiquiti EdgeRouters in a place. I just don't recommend them because of the shady descriptions in their investor portfolio, not something you want to hear.

The issue with IPsec on Tile has been fixed in MikroTik. The TILE-Gx is a network-optimised TILE that was used as an accelerator in servers used by Google and Facebook in their datacenters to handle firewall, LAN and parallelised stuff like their web server via their 100-core PCIe cards.

MikroTik is a bit slow with features because a lot of people have requested some sort of way to create other functions for it, such as a Java platform for example, and other features. MikroTik is late to implement them, especially considering their optimisation process and how limited the flash space is on their devices. I do mention that MikroTik is a dedicated router; it's focused on being a router, while I did say that Ubiquiti EdgeRouters are both embedded Linux and a router. It can do both but is not great at either. This is also from my own personal experience, as I own the ERPro as well and have tried using it for a few things. It really does not match up to MikroTik as a router, but I can run other things on it like a network AV and Squid, alongside a few other Linux applications, even htop.

I'm not quick to dismiss this niche. Ubiquiti's other product lines are a lot better, as I was saying, because they target their EdgeRouters at businesses when homes would be a better fit, or small businesses that need the flexibility but not the WAN performance. If one is choosing the particular MIPS that Ubiquiti EdgeRouters use, I will always recommend Ubiquiti EdgeRouters over VPN routers, because they use the same CPUs; the only thing is that Ubiquiti clocks theirs much higher and has more cores and a better firmware and hardware platform than those dreaded and buggy VPN routers. For instance, if choosing between a TP-Link VPN router, a Cisco RV or a Ubiquiti EdgeRouter, I would pick the EdgeRouter.

Ubiquiti is not an open platform; you can't mix and match their USG, or even their special software/licensing, with other products with their controller stuff, for instance. MikroTik is fully open when it comes to being a router, totally closed at everything else. You need to understand what their customer is going to care about, and open source isn't one of them, but the Ubiquiti EdgeRouter's open-sourced OS does help them improve their firmware, though nothing else from Ubiquiti is open. They also like to draw up unfair differences between their products and others, including reliance on hardware acceleration in order to sell. No one likes buying a product advertised to do wire-speed NAT only to find out that it will only do 200Mb/s in their setup, and this is something Ubiquiti really needs to change, in their performance charts and descriptions.
 
I think we have different definitions of "open". I specifically meant you can run your own packages, and take advantage of other people's packages, on EdgeRouters (which can also be transferred to UniFi routers, since they use the same hardware). This also means there is some valuable direct interaction between Ubiquiti engineers and interesting packages on their forums, where they discuss the value of incorporating features into stock.

MikroTik, like most manufacturers, has no such open interaction with most of their customer base, if for no other reason than that their software products like RouterOS are completely proprietary, closed and not officially modifiable. This also means they cannot take direct advantage of upstream modifications in open source (this can be both good and bad). They will always lag in such respects, which breaks SOHO and consumer flexibility, and have to make their own modifications and do it across multiple architectures, which is even harder because they choose to present a unified interface for many disparate architectures such as MIPS variants, MMIPS, ARM, x86 and PPC.

Most customers do not care about anything other than how well products work and how well they are supported. It is also not a zero-sum game. As we've already discussed, these two companies do not even span the same customers, nor are they driven by the same demands, except in a few areas.
 
@System Error Message - Tilera: you're quoting info from the 2011/2012 timeframe relating to Google/Facebook/etc...

They're not doing that any more. In fact, Tilera is not an ongoing company; they were bought by EZchip back in 2014, e.g. for a startup, not a successful exit.

Tile - Linux 4.17 dropped support - see here - https://lkml.org/lkml/2018/6/3/142

Interesting arch; they just got out-scaled... Interesting that many-small-core designs (e.g. Xeon Phi) have been deprecated recently... Big ARMv8s (Cavium ThunderX2) are interesting, as is what AMD is doing at the moment with AMD64 on their Zen platforms (EPYC/Threadripper).
 
The Xeon Phi has been renewed; it now shares the same socket as the many-core 20+ core Xeons, so if you have a multi-socket board you can combine them. I know Tilera isn't operating any more. They had a good arch, but their pricing on their page is what killed them; they weren't able to secure contracts with vendors to make devices too. MikroTik managed to secure a good contract with them to produce their CCR line.

It's more of a matter of price to benefit. Those 100-core PCIe cards could be stuffed into 2U for a few hundred smaller cores to handle firewall and web server, for example. The Xeon Phi has a niche market at the moment where it is a better offering than GPUs because of the lower actual price points (Nvidia Teslas aren't cheap if you need ECC, a lot of memory and an unrestricted architecture) among R&D and science. At the moment, with Google and Facebook distributing servers, they need more database performance rather than front end, so EPYC and Xeons get picked instead.

ARMv8 works well for low-performance stuff. If you want redundancy without the cost, then ARMv8 is the answer, like your own mini Cloudflare for example, where the only CPU you need is to run a web server.
 
The Cavium ThunderX2 platform performs quite well, better than what one would expect... gives the EPYC 7451 and Xeon Gold a good run...
 
Yes, but those power consumption numbers...yikes!

Re the rest of this thread, I give you this thought, which I find useful in network engineering as well other parts of life:

“The enemy of a good plan is the dream of a perfect plan.” - Carl von Clausewitz
 
In the USA I do not see a reason for running a VPN except to work networks. The performance hit is too great to run an everyday VPN. You are making noise about nothing.
I hate to disagree, but especially as of late, the USA is THE prime example of why running everything through a VPN is important, just like China and GB.
For most of mainland Europe that is not the case, as there are good privacy laws in place.

The rest I agree on.

Sent from a mobile device, so typos are to be expected.
 
So you use a VPN service. You have a secure connection to the VPN service. The VPN service dumps all Internet traffic onto the plain, unencrypted Internet routing. Your original source IP address is in the header of the TCP packet. What have you accomplished? Why take the VPN slowdown hit? You are exposed, and it is very easy to tell where your Internet traffic originated from. You did not hide anything. All you did was encrypt your traffic from point A to point B, being your router to the VPN service, with a performance slowdown due to using a VPN tunnel. The rest of the routing was unencrypted, regular routed Internet traffic. Source IP addresses are not encrypted on Internet traffic.
 
The source IP is not in the header as it exits the VPN. The VPN provider must SNAT the traffic to keep routing intact. You will be able to somewhat prevent a 3rd party from identifying you by your source IP, since you will show up as the VPN provider. But you are putting all your faith in the VPN provider not to do the same madness that your local ISP is doing.

It all depends on what your goal is in using a VPN, whether it is worth it or not.
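As an added example, not code from the thread or from any vendor discussed in it: the source rewrite the post above describes, modelled in Python on a constructed IPv4/TCP packet. The addresses are taken from the documentation ranges and are assumptions for illustration; the tunnel is modelled as decrypt-then-rewrite, since what the exit node forwards is the inner packet after the VPN encapsulation is stripped. A real NAT gateway also keeps a connection table and usually translates the source port, which is left out here.

```python
"""Added example (not from the thread): what a VPN exit node's SNAT does to a packet header.

Constructed data only: addresses are from the RFC 5737 documentation ranges, and the
"tunnel" is modelled as decrypt-then-rewrite, since the inner packet is what the exit
node forwards after stripping the VPN encapsulation.
"""
import ipaddress
import struct

CLIENT_IP = "203.0.113.7"      # the laptop/home behind the VPN client (constructed)
VPN_EXIT_IP = "198.51.100.20"  # public address of the provider's exit node (constructed)
WEBSITE_IP = "192.0.2.80"      # destination web server (constructed)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; yields 0 when run over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src: bytes, dst: bytes, proto: int, length: int) -> bytes:
    """The IPv4 pseudo-header that TCP/UDP checksums cover: this is why NAT must touch L4 too."""
    return src + dst + struct.pack("!BBH", 0, proto, length)


def build_tcp(src: str, dst: str, sport: int, dport: int, data: bytes) -> bytes:
    """Minimal TCP SYN segment (20-byte header, no options) with a valid checksum."""
    seg = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0) + data
    s, d = ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed
    csum = inet_checksum(_pseudo_header(s, d, 6, len(seg)) + seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 6, ttl: int = 64) -> bytes:
    """IPv4 header without options (IHL=5) in front of the payload."""
    s, d = ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, ttl, proto, 0, s, d)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def snat(pkt: bytes, new_src: str) -> bytes:
    """Rewrite the source address as a NAT gateway does; no copy of the old source is kept anywhere in the packet."""
    ip = bytearray(pkt[:20])
    ip[12:16] = ipaddress.ip_address(new_src).packed
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", inet_checksum(bytes(ip)))
    seg = bytearray(pkt[20:])
    if ip[9] == 6 and len(seg) >= 20:  # TCP: its checksum includes the addresses, so recompute it
        seg[16:18] = b"\x00\x00"
        pseudo = _pseudo_header(bytes(ip[12:16]), bytes(ip[16:20]), 6, len(seg))
        seg[16:18] = struct.pack("!H", inet_checksum(pseudo + bytes(seg)))
    return bytes(ip) + bytes(seg)


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fields a receiver (or an on-path observer) actually sees and verify both checksums."""
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    seg = pkt[20:]
    pseudo = _pseudo_header(f[8], f[9], f[6], len(seg))
    return {
        "src": str(ipaddress.ip_address(f[8])),
        "dst": str(ipaddress.ip_address(f[9])),
        "ttl": f[5],
        "proto": f[6],
        "ip_checksum_ok": inet_checksum(pkt[:20]) == 0,
        "tcp_checksum_ok": f[6] == 6 and inet_checksum(pseudo + seg) == 0,
    }


def packet_inside_tunnel() -> bytes:
    """What the client sends; inside the tunnel this is encrypted, so only the VPN endpoint sees the header."""
    return build_ipv4(CLIENT_IP, WEBSITE_IP, build_tcp(CLIENT_IP, WEBSITE_IP, 40000, 443, b"hello"))


def packet_on_the_open_internet() -> bytes:
    """What the exit node forwards after decrypting and SNATing."""
    return snat(packet_inside_tunnel(), VPN_EXIT_IP)


def original_source_present(pkt: bytes) -> bool:
    """True if the client's address appears anywhere in the bytes the website receives."""
    return ipaddress.ip_address(CLIENT_IP).packed in pkt


if __name__ == "__main__":
    print("inside tunnel:", parse_ipv4(packet_inside_tunnel()))
    print("after exit   :", parse_ipv4(packet_on_the_open_internet()))
    print("client IP visible to website:", original_source_present(packet_on_the_open_internet()))
```

The point the check makes: after `snat()` the only address in the packet is the exit node's, both checksums are still valid, and the client's address is not findable in any byte the website receives. What the provider knows is a separate matter: the NAT table on the exit node maps every flow back to the client, which is the trust the post is talking about.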
 
Your source IP is in the stack of TCP/IP headers. Every time you are routed, their info is appended to your packet. So yes, the VPN provider is the top source, but that is true every time you are routed. So wherever you are routed, they are the top source. The VPN has nothing to do with that. It is basic routing. But on every packet is the original source IP.
 
I think we're both on the same side here, and the risk with a VPN is traffic aggregation...

A VPN provides a level of security, but it doesn't provide any privacy, as everything can be traced back to the source.

Tor doesn't really help, as that well has been deeply and truly poisoned these days; a nation state can seed millions of nodes, and they have the resources to dig into things there...
 
I can still see no reason for using a VPN in the USA when you don't control both ends of the VPN. Please list reasons. All it does is slow your traffic flow down, having to encrypt all the VPN traffic.

PS
I guess if you think you are running in a hostile environment. That is the only reason I can think of. It should not be the case in the USA.
 
Going deeper, one must own both end-points to have a really trusted VPN; anything else is basically public, and traffic on the other end is concentrated for the commercial/public VPN providers...
 
I don't know if you own your work connection. That is the reason I used the word control. But whatever.

Work may own you, so you are both kind of under the same umbrella. Ha ha ha.
 
The point of discussing VPNs here is not as a way of anonymity or bypassing your local filters; it's about the tunnel itself. People see a VPN as it is marketed rather than for what it is: another network over a layer 3 network, and layer 3 networks run over layer 2 networks. You also get tunnels that aren't really called a VPN but rather a point-to-point connection. The thing about performance and features for VPNs isn't what most think.

There are 2 other things that matter for hardware performance other than just routing/NAT, which are encryption and encapsulation. Let's take an example of an ISP that uses a lot of layers just to connect to it. First, when you connect the cable, you have to set your VLANs, then you set up your PPPoE, then you have to NAT (and route too). So taking a look at this, you have VLANs, which is a layer 2 thing; switch chips do this, but on your router it is done in software instead, as the WAN interface is directly connected to the CPU and not a switch chip (good practice). Then you have PPPoE, which is a tunnel between you and your ISP (the network is crazy in wiring, so some way to differentiate is needed). PPPoE uses encapsulation and encoding (in some cases, encryption too); it's basically the tunnel between you and your ISP over some crazy wiring network, and one reason PPPoE is used is because the use of encoding and encryption helps improve throughput over lossy or lower-bandwidth wires, because you can also use compression (another math-heavy feature). Then once you're finally connected to your ISP, your router has to do NAT and routing in order to talk to the Internet via your ISP and handle devices/connections on both sides. This is literally the very basic thing needed at home for Internet, and all of this is hardware accelerated nowadays because it is simply inefficient to do it in software, especially at higher speeds.

Then come features, for example firewall, QoS and other network-related stuff, and for some non-home users, BGP. What we should be discussing here isn't VPNs or such, but rather the product line itself, Ubiquiti EdgeRouters, their software and hardware. I've always hated Ubiquiti as a company because of their shady shareholder recruitment, and their product marketing is actually shameless or terrible. This is why we need people like this website to shed light on what segment their products are actually good for. I always say that the EdgeRouter line is good for homes, for those users who want a balance between a Linux router and a dedicated router.

If you wanted anonymity on the net, you would need both a multi-node encrypted routing VPN (like Tor's protocol, for example, not the network) combined with a dual-sided HTTPS web proxy, alongside some tweaks.

So, getting back to the topic of this thread.

The EdgeRouter, from my experience, is bad at being a dedicated router or a good Linux box, but it will be able to fulfil both roles. If you want the best of both worlds, you're looking at combining MikroTik with a Linux server over separate devices, for example. This router instead fulfils a niche in the home segment for those who want a flexible router that can be both a router and embedded Linux. It's a bit better than a good consumer router at being a router (definitely leaps better than some); it's not quite a Linux server, as many things won't work on it, but plenty of things can be used, even a transparent Squid filter cache, a hotspot/RADIUS server, and plenty of other things that the CPU does a decent job running, and it will even run htop. Its interface is not user friendly and doesn't expose the capabilities, unlike what you'd find with MikroTik, Juniper and pro Cisco.

The hardware of the EdgeRouter is lacking. The MIPS CPU it uses is pretty decent, but it is at the lower end of the manufacturer's spectrum, though still way more than the CPUs used in those horrid VPN routers. The MIPS itself is somewhat decent at software; I'd put it as better than ARM, as ARM suffers from requiring things to be compiled for each CPU, and software does tend to run better than on some of the ARMs. It also comes with a lot of hardware acceleration, which is the main highlight of the architecture, but don't expect good software performance for things the hardware doesn't cover. Compared to any VPN router or the Cisco RV, the EdgeRouter is the best choice of all of them in both hardware and firmware, in both performance and reliability.

If you're considering getting an EdgeRouter for VPN (or a VPN router either), then you're doing it wrong. The EdgeRouter is simply a flexible router; it's basically best for the embedded Linux box and router role at the same time, but it's not great at either one. This is speaking from experience, of course. It'll do VPN well, as the architecture has the hardware acceleration for it, but to get it just because you want good VPN performance would be a bad reason, as if you want good VPN performance there's no substitute for x86 if that is your only goal.

Other products at Ubiquiti, however, are well worth more spotlight and consideration than the EdgeRouter line. The main flaw of the Ubiquiti EdgeRouter is that it is unsuited for the same customers as those who get MikroTik or pro Cisco/Juniper, or who set up a fully featured Linux box to use as a router/firewall, but is marketed to those very same people rather than to where their market actually would benefit from it. Till now I have not seen an ISP distributing EdgeRouters, but I've seen some ISPs distributing MikroTik or Cisco boxes, which goes to show how important it is to market your product to its intended audience rather than the wrong audience. Ubiquiti consistently advertises speeds that cannot be kept with QoS and does not provide testing numbers that other brands provide more of and that are more relevant, as Ubiquiti's marketing is not relevant for its intended target.
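As an added example, not code from the thread or from Ubiquiti or MikroTik: the VLAN + PPPoE + PPP layering that the post above walks through for an ISP WAN connection, built and parsed in Python so the per-packet cost of each layer is visible. The MAC addresses, VLAN ID and PPPoE session ID are made up for illustration, and the payload stands in for an IPv4 packet and is treated as opaque bytes. Encryption and compression are PPP options negotiated separately and are not modelled here.

```python
"""Added example (not from the thread): 802.1Q + PPPoE session + PPP framing of a WAN packet.

All values are constructed: MACs, VLAN ID and session ID are invented, and the payload
stands in for an IPv4 packet and is treated as opaque bytes.
"""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_PPPOE_SESSION = 0x8864  # discovery stage (PADI/PADO/PADR/PADS) uses 0x8863
PPP_PROTO_IPV4 = 0x0021
PPP_PROTO_IPV6 = 0x0057
PPPOE_VER_TYPE = 0x11             # version 1, type 1
PPPOE_CODE_SESSION = 0x00

ETH_HDR_LEN = 14
VLAN_TAG_LEN = 4
PPPOE_HDR_LEN = 6
PPP_PROTO_LEN = 2
ETHERNET_MTU = 1500               # payload limit of the underlying Ethernet frame


def usable_mtu(link_mtu: int = ETHERNET_MTU) -> int:
    """IP MTU left after the PPPoE and PPP headers: 1492 on a standard 1500-byte link.
    The 802.1Q tag does not count against it; it extends the Ethernet header, not the payload."""
    return link_mtu - PPPOE_HDR_LEN - PPP_PROTO_LEN


def tcp_mss_for(ip_mtu: int) -> int:
    """Largest TCP payload per segment at that MTU (20-byte IPv4 + 20-byte TCP); what MSS clamping enforces."""
    return ip_mtu - 40


def fits_on_wire(ip_packet_len: int, link_mtu: int = ETHERNET_MTU) -> bool:
    """Whether an IP packet of this size survives PPPoE encapsulation without fragmentation."""
    return ip_packet_len <= usable_mtu(link_mtu)


def encapsulate(ip_packet: bytes, vlan_id: int, session_id: int, proto: int = PPP_PROTO_IPV4,
                dst_mac: bytes = b"\x02\x00\x00\x00\x00\x01", src_mac: bytes = b"\x02\x00\x00\x00\x00\x02",
                pcp: int = 0) -> bytes:
    """Ethernet II + 802.1Q tag + PPPoE session header + PPP protocol field + payload, as the WAN port sends it."""
    if not 0 < vlan_id < 4095:
        raise ValueError("vlan_id out of range")
    if not fits_on_wire(len(ip_packet)):
        raise ValueError("payload of %d bytes exceeds the PPPoE MTU of %d" % (len(ip_packet), usable_mtu()))
    ppp_payload = struct.pack("!H", proto) + ip_packet
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_8021Q)
    vlan = struct.pack("!HH", (pcp << 13) | vlan_id, ETHERTYPE_PPPOE_SESSION)
    pppoe = struct.pack("!BBHH", PPPOE_VER_TYPE, PPPOE_CODE_SESSION, session_id, len(ppp_payload))
    return eth + vlan + pppoe + ppp_payload


def decapsulate(frame: bytes) -> dict:
    """Peel the layers in the order a router's software path must: tag, PPPoE, PPP, then the IP packet."""
    if len(frame) < ETH_HDR_LEN + VLAN_TAG_LEN + PPPOE_HDR_LEN + PPP_PROTO_LEN:
        raise ValueError("frame too short")
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype != ETHERTYPE_8021Q:
        raise ValueError("expected an 802.1Q-tagged frame, got ethertype 0x%04x" % etype)
    tci, inner_etype = struct.unpack("!HH", frame[14:18])
    if inner_etype != ETHERTYPE_PPPOE_SESSION:
        raise ValueError("not a PPPoE session frame: 0x%04x" % inner_etype)
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[18:24])
    if ver_type != PPPOE_VER_TYPE or code != PPPOE_CODE_SESSION:
        raise ValueError("unsupported PPPoE header")
    ppp_payload = frame[24:24 + length]
    if len(ppp_payload) != length:
        raise ValueError("PPPoE length field exceeds frame")
    proto = struct.unpack("!H", ppp_payload[:2])[0]
    return {
        "vlan_id": tci & 0x0FFF,
        "pcp": tci >> 13,
        "session_id": session_id,
        "ppp_proto": proto,
        "ip_packet": ppp_payload[2:],
        # bytes on the wire that are not the IP packet: 14 Ethernet + 4 VLAN + 6 PPPoE + 2 PPP
        "overhead_bytes": len(frame) - len(ppp_payload) + PPP_PROTO_LEN,
    }


if __name__ == "__main__":
    frame = encapsulate(b"\x45" + b"\x00" * 99, vlan_id=7, session_id=0x1A2B)
    print(decapsulate(frame))
    print("IP MTU:", usable_mtu(), "TCP MSS:", tcp_mss_for(usable_mtu()))
```

Two things the numbers make concrete: every packet costs 26 bytes of framing before a single byte of IP is processed, and the PPPoE MTU of 1492 is why a router on such a link has to clamp TCP MSS to 1452 (or rely on PMTU discovery) to avoid fragmentation.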
 
