Fast router with VLAN


lukaszg

Occasional Visitor
Hi,

I have an FTTH 1Gbps internet connection. Currently I am using an Asus N66U router with Merlin firmware.
I would like to create a VLAN to separate my less secure devices and guest network from my internal devices.
AFAIK the Asus router supports Merlin, DD-WRT and Tomato. Merlin has hardware NAT acceleration support but not VLAN support.
In addition to that I would like to switch from a wireless router to a wired router + access point(s) model.

I found following options:

1. Mikrotik RB2011UiAS-IN
According to their documentation it supports FastTrack (which as I understand is hardware NAT acceleration) and can handle VLAN frames.
It also has an SFP cage so I could connect the fiber directly to it.

2. Ubiquiti EdgeRouter PoE-5
The specification mentions 1 million pps and it should route 1Gbps (page with tests).
It has PoE so the Access Point can be powered by it.
ER-X-SFP looks more tempting (has SFP), but according to this thread it will not route 1Gbps over NAT.

For reference:
it will be used with a Ubiquiti UAP-AC.

I know that to have hardware NAT support I need to switch off QoS and other packet filtering mechanisms. What about VLANs? Is it possible to have both - VLAN and fast NAT?
 
I looked at both ERX and ERL before as I wanted to get one.

ERX's hardware has quite a few accelerators in its SoC actually. Unfortunately the firmware lacks support for the reason that the platform is new and completely different from the rest of EdgeRouter lines. You may have to wait for 1-3 years to see accelerations enabled _if_ UBNT has such a will for ERX. The current firmware also doesn't support per-port VLAN config.

ERL, by that the rest of edge routers, does support per-port VLAN config with h/w acceleration (since firmware v1.7 ?). ERL (ER-POE5 too same clocked CPU ?) can do ~1900Mbit/s NAT (in/out combined) with h/w acceleration and 200Mbit/s IPsec throughput, again with h/w acceleration only.
 
Personally I think the ER-X is a lot better because the platform is better than the ERL.

It is untrue that the ERL can do 1.9Gb/s NAT, it does 1.3Gb/s of NAT with hw acceleration.

Consider the Mikrotik RB3011 because that has a much better internal architecture and CPU compared to the RB2011, which is good for your FTTH. Since you have FTTH a router with an SFP port will help you a lot.

Don't go for hardware accelerated numbers, Mikrotik's numbers are not hardware accelerated and both brands quote routing or bridging performance, not NAT performance. At the very least Mikrotik RouterOS lets you accelerate some packets so you can apply QoS and firewall on some packets and accelerate the ones you want.

If you have 1Gb/s symmetric you will need 2Gb/s forwarding throughput. It is just sad that many don't get that the performance specs on these products are for layer 3 and layer 2 performance and not NAT speeds. At the very least Mikrotik gives a more realistic performance table (I usually just take the lowest in the table as the expected throughput for NAT).

If you are considering hardware acceleration then what about all those consumer routers that can do near 2Gb/s NAT with hardware acceleration? A lot of consumer routers support VLANs on the WAN side.
 
1.3Gbps is more than I need, while ER-X can route only 0.3 according to the other thread I mentioned (I would prefer ER-X as it has PoE and SFP...).
 
ERL, by that the rest of edge routers, does support per-port VLAN config with h/w acceleration (since firmware v1.7 ?). ERL (ER-POE5 too same clocked CPU ?) can do ~1900Mbit/s NAT (in/out combined) with h/w acceleration and 200Mbit/s IPsec throughput, again with h/w acceleration only.

That's good news. I will need a separate fiber-to-Ethernet converter, but at least the AP will be powered with PoE from the router.

Just to make sure that what I want to achieve is possible:
I would need 3 VLANs:
1) trusted private network (for my devices, printer, etc.)
2) guest and internet-of-things network (for guest wifi and all the insecure stuff)
3) public server network (for my Banana Pi running Apache and OpenVPN)

ERPoe-5 has 5 ports:
1 port for WAN
1 port for Access Point (VLANs 1 and 2; the Access Point will need to have two SSIDs to separate that traffic)
1 port for trusted private network (VLAN1)
1 port for insecure network (VLAN1)
1 port for public server (VLAN 3)

I don't have any fancy VLAN-enabled switches, but the only port that will support both VLANs will be the one for the AP. Everything else will have one VLAN assigned to it. I understand that I can use a regular switch then and all the frames not VLAN tagged will be treated by the router as if they belong to the default VLAN for the given port.
 
The RB3011 does software routing fast, has SFP and has the Qualcomm IPQ-8064 CPU. PoE can be done through an injector, and it has 2 switch groups but it lets you perform segmentation all the way down to layer 1. The other interesting bit is that the switch chips on the RB3011 have a 2Gb/s link to the CPU each.

If you transmit VLANs then you will need a semi-managed switch for VLAN, otherwise passive VLANs don't need the device at the other end to support it. Active VLANs require the connected device to support it as it is a way of extending a VLAN across to another switch.
 
What about keeping your ASUS router and adding a layer 3 switch for VLANs? A layer 3 switch will handle all the local VLANs. I posted how to do this on this site under switches for Cisco SG300 switches. You could buy an SG300-10 if you do not need a lot of ports for around $100 on eBay used.
You may need wireless devices as it will depend on how you want to handle them. But they are required if you want to run wireless users in separate VLANs anyway.

PS
Sorry, just noticed your WAN connection is not fast enough.
 
I don't have any fancy VLAN-enabled switches, but the only port that will support both VLANs will be the one for the AP. Everything else will have one VLAN assigned to it. I understand that I can use a regular switch then and all the frames not VLAN tagged will be treated by the router as if they belong to the default VLAN for the given port.

You can use regular switches for working with one VLAN. You use an access port, which does not contain any VLAN tags, and can then use as many regular switches as you would like. So trunked ports, which contain tags, will not work with regular switches.

You would use a trunked port for your wireless devices to assign users to the different VLANs.
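As an added illustration (not from the thread or any of its posters) of the port plan discussed above, the following Python models how a VLAN-aware port classifies an arriving 802.1Q frame: untagged frames land in the port's default VLAN, an access port drops tagged frames, and a trunk (the AP port) accepts only its allowed tags. The port names and the VLAN numbering (trusted 1, guest/IoT 2, server 3) are assumptions made for the example, as are the sample frames.

```python
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag


@dataclass(frozen=True)
class PortPolicy:
    mode: str            # "access" (untagged only) or "trunk" (tagged, e.g. the AP port)
    pvid: int            # default VLAN assigned to untagged frames on this port
    allowed: frozenset   # VLAN IDs accepted on a trunk; ignored for access ports


def parse_vlan_tag(frame: bytes):
    """Return (vlan_id, tagged) for a raw Ethernet frame.

    An 802.1Q tag follows the 12 bytes of dst/src MAC: a 16-bit TPID (0x8100)
    and a 16-bit TCI whose low 12 bits carry the VLAN ID."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, False
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, True


def classify_ingress(frame: bytes, port: PortPolicy):
    """VLAN the frame is placed in on arrival at `port`, or None if it is dropped."""
    vid, tagged = parse_vlan_tag(frame)
    if not tagged:
        return port.pvid             # untagged: belongs to the port's default VLAN
    if port.mode == "access":
        return None                  # access ports must never accept tagged frames
    if vid == 0:
        return port.pvid             # priority-tagged (VID 0) is treated as untagged
    return vid if vid in port.allowed else None   # trunk: only allowed VLANs pass


def build_frame(vid=None) -> bytes:
    """Constructed sample frame: made-up MACs, optional 802.1Q tag, IPv4 EtherType, zero payload."""
    macs = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) if vid is not None else b""
    return macs + tag + struct.pack("!H", 0x0800) + b"\x00" * 46


# Assumed port plan: AP on a trunk carrying VLANs 1 and 2, everything else an access port
PORTS = {
    "ap":      PortPolicy("trunk", pvid=1, allowed=frozenset({1, 2})),
    "trusted": PortPolicy("access", pvid=1, allowed=frozenset()),
    "guest":   PortPolicy("access", pvid=2, allowed=frozenset()),
    "server":  PortPolicy("access", pvid=3, allowed=frozenset()),
}
```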
 
A layer 3 switch will indeed take some load off the router for inter-VLAN routing and simplify things even if you are only doing a layer 3 segmentation. The reason why I scorn hardware accelerated speeds is because hardware acceleration is unreliable or doesn't always work. You also can't accelerate every packet, only some packets, and Mikrotik's manual on FastTrack explains it.
The RB3011 has 2 switch groups with more internal bandwidth and SFP directly connected to the CPU. Having to get a PoE injector for both devices is worth it for a good router. If you have to use PPPoE to connect, don't expect the ER series to perform NAT at your WAN speed. If you combine your upload and download you will get the throughput you need.
 
A layer 3 switch will indeed take some load off the router for inter-VLAN routing and simplify things even if you are only doing a layer 3 segmentation.
I don't expect much traffic between VLANs. The guest network will not have access to the internal one, and there is also no need to connect in the opposite direction.

The reason why I scorn hardware accelerated speeds is because hardware acceleration is unreliable or doesn't always work. You also can't accelerate every packet, only some packets, and Mikrotik's manual on FastTrack explains it.
That's true. But at least it works for the speedtest.net test (otherwise I feel bad when seeing only 300Mbps on a 1Gbps connection ;))

The RB3011 has 2 switch groups with more internal bandwidth and SFP directly connected to the CPU.
But the other group is Fast Ethernet, not gigabit, right? I have a Synology NAS in my network, and all the devices support gigabit Ethernet. I also have a gigabit switch (without VLAN support though) that I would prefer to use.

Having to get a PoE injector for both devices is worth it for a good router. If you have to use PPPoE to connect, don't expect the ER series to perform NAT at your WAN speed. If you combine your upload and download you will get the throughput you need.
I don't have PPPoE.
 
I just looked at RB3011 - looks tempting (and the other group is 1Gb, not 100Mb, which is good). Do you know what type of the PoE they are supporting (passive 24 or 48, vs 802.3af)?

Edit:
From their specification:
The Ether10 port supports PoE output, with auto detection feature. This means you can connect Laptops and other non-PoE devices without damaging them. The PoE on Ether10 outputs approximately 2V below input voltage, and supports up to 0.5A (So provided 24V PSU will provide 22V/0.5A output to the Ether10 PoE port).

It is more or less the same as what the UAP-AC-LR expects (Power Supply 24V, 0.5A Gigabit PoE Adapter*), but the "auto detection" part worries me.
 
For Mikrotik, even though they support 24-48V PoE on many of their devices, I would choose the lowest voltage unless you are using a long cable. On many of their RouterBoards the lowest input voltage (not PoE) is 12V, so 24V should do fine. I believe they list the PoE input voltage on their product page.

The only thing that Mikrotik doesn't have is STP for their switching, but they do for bridges, so avoid making loops.
Just make sure you have enough amps to support all the devices. According to the page it supports 10-30V input, so 24V would be plenty. I seem to have made an error regarding the PoE; it seems it supports PoE out too.

So in other words the RB3011 has 10 gigabit Ethernet ports (2x 5 port switch groups), SFP and PoE in and out. I guess it fits all you're looking for in a device and will support your internet speed without a problem. Let us know how it goes, since I myself use a Mikrotik CCR but I use the EdgeRouter Pro as a mini Linux server. I have both and I can tell you I prefer Mikrotik when it comes to routing; as for the EdgeRouters, it is easier to treat them as a Linux server instead. Basic router stuff can be done from the GUI but anything more from the Linux terminal. On the good side Ubiquiti accepts Linux scripts whereas RouterOS uses their own language. I rarely use the mid or low end stuff.

One trick you can do is use a bridge and apply the rules on the bridge interface so you can use RSTP and such (it also lets you apply VPN to bridges).
 
Can I still use these two groups, when I use SFP (i.e. isn't it using one of these 2Gbit bus connections)?

I am not sure if I understood PoE nuances. Just to make sure: will RB3011 work as a power supply for UAP access point that expects 24V, 0.5A?
 
You can. What happens when you plug in SFP is that 1Gb/s from the CPU goes to it and 1Gb/s goes to the switch group, but 2Gb/s goes to the other switch group.

I'm not too sure how PoE works either, but assuming your UAP isn't far from the router then using a 24V PSU for the router will be fine. Although the router says it uses a max of 10W, so you would need a 24V 0.5A PSU for the router too; adding them up, the minimum you need is a 24V 1A PSU for the router, but you can go further like 1.5A just to make sure it covers USB or unexpected things (who knows, they might let you overclock as with some RouterBoards). If you plan to expand in the future with more devices then getting a higher wattage PSU will help. Make sure to get a good PSU. You will want to read about PoE voltage and distance, so you will also want to use pure copper cables or basically the lowest resistance cable.

I also suggest getting a micro-SD card if it has a slot, otherwise a USB flash drive, just to minimise using the onboard storage, as you will need to place the files there every time you update.
 
I will buy the RB3011UiAS-RM and it comes with 24V, 1.2A. The Ethernet cable is 10 meters long (LogiLink, flat cable, Cat 5e).

For a SOHO environment, I don't think VLANs are needed to segregate different "LANs". But I would love to get a Mikrotik for the sake of it... so congrats on your decision!

One thing I don't quite understand is RouterOS and its different levels. How do you figure out which level you need or want? And actually what are the major differences between the different levels?
 
1.2A 24V should cover your needs for both the router and AP. If you plan to add more APs you may need to get a bigger PSU.

10M will have no problems with voltage so just make sure to use good cables.
 
Thanks, that's all great news. Having more APs would require an additional PoE injector anyway, as only one port is PoE enabled. Not sure about the cable quality; they have to be flat (because of where they are aligned).
 
