More reliable and refined edgerouter lite alternative for soho?

hzmeister

I'm setting up a new network in my parents' home office and I'm looking for some advice on what equipment to use. Reliability and stability are the most important factors - it must never go down or need to be rebooted. The router only needs to handle simple SOHO tasks such as DHCP, NAT, firewall, etc. with a 200Mb cable connection. Although they don't need VPN capabilities right now, they might in the future. I will be using an HP Procurve 1410-8G switch to distribute Ethernet throughout the house and a separate wireless access point for mobile devices. All I really need is 1 WAN port and 1 LAN port to connect the CM820 modem and HP switch. I was considering the EdgeRouter Lite but it doesn't seem to be fully developed yet and I don't have the skill to configure it perfectly. I also looked at some of the newer Asus routers with Merlin firmware (among the other high-end consumer routers) but I'm unsure of the long-term reliability.

Does anyone have any insight into what equipment is available for this kind of setup?
 
Personally I'd use Mikrotik; they are actually easier to set up using their WinBox GUI, but they can also be harder to set up than EdgeRouter if you are using it for advanced routing. Mikrotik routerboards are very reliable and stable on the wire side (their wireless looks good but I have never tried it). They are very reliable but you do need to update firmware. Routerboards have the reliability you ask for as long as you don't overclock them or use unstable features such as traffic sniffer.

If you're looking for wired only the 850gx2 is a solid wired only router and should be able to give you VPN speeds of 200Mb/s considering it uses a PPC CPU. The consumer routers you looked at are very fast at NAT but if you want to use them for VPN and QoS they become much slower. For what you will use them for the consumer high end variants would only give up to 500Mb/s of NAT while the newer routerboards can give you higher speeds with QoS. NAT Acceleration on ARM based routers requires disabling a bunch of features that are important in a multi user environment.

RouterOS may be harder to configure than a consumer router but there are wiki and examples. For what you want to do it is easy to set up. To get the most out of a routerboard make sure your WAN is connected to a port that isn't switched. NAT on switched ports in RouterOS uses more CPU. Some routerboards can add or remove ports from a switched group or chip. The Rb450G and the 850GX2 (450g successor) can add or remove eth0 from being switched.

Other known alternatives to business are Zyxel and Cisco.
 
Thanks for your reply. Mikrotik looks like a really solid option. After looking into them some more I'm 99% sure I'll go with one. While the Rb450G and 850GX2 are really powerful, would an Rb750GL suffice? I probably won't need QoS and will very rarely use VPN. Also, I forgot to mention, my younger brother has an Xbox One which will also be on the network. Would the more powerful boards have any effect on latency/lag compared to less powerful routers like the Rb750GL?
 
Mikrotik might work for you.
For me, in a schedule-pressured situation, they proved non-viable.
Buggy.
Being in Latvia, small company, they just weren't good for the project.

YMMV
 
For the kind of network he is trying to build I don't think the bugs really matter. The only buggy things are the packet sniffer on MIPS and certain new features that are still being worked on. Even consumer routers have bugs too and are actually less stable than Mikrotik.

I'm not sure about the 750GL but check the CPU and that it has sufficient RAM. 64MB for MIPS is enough for basic features (no advanced routing). When choosing a routerboard look at its CPU. The performance table is for use within ISPs not end users. NAT is 1/4 the performance of L3 routing for a well configured RouterOS (security wise). VPN performance would be much lower and dependent on the CPU's capabilities.

The 850gx2 is a better choice than the rb450g because it's about the same price and newer. There's nothing wrong about choosing a routerboard that has a lot more CPU power than you need when it is the same price. A high end consumer router would be much more than that. You could go with minimal if it was much cheaper and what you required.

PPC CPU is a better choice for VPN since it includes hardware encryption while the RB450G uses an older MIPS which doesn't have as much hardware based acceleration such as for encryption. ARM CPUs are faster than MIPS for VPN because they can do math faster. I have yet to test VPN speed with the rb450G but I do know from experience that with firewall and QoS the rb450G does about 200Mb/s+ of NAT. For VPN if you are using encryption like IPSEC you will need a PPC CPU or TILEGX at least which means either 850gx2, RB1100AHx2 or CCRs.

You can't really separate features for performance. If you wanted 200Mb/s of VPN it will also have to do 200Mb/s of NAT and other things at the same time. To compare, PPC is very much like x86 so it is quite consistent in performance for different things whereas MIPS is faster for simpler things but slow when given complex work like encryption or complex tasks. ARM is fast for simpler things and simple math but slower for logic and complicated things (still faster than MIPS). By default OSes on PPC, TILE, x86 use more RAM than MIPS but the amount varies. On MIPS RouterOS uses slightly more than 32MB of RAM while on my CCR which has tilegx it uses 400MB of RAM at start and settles at 600MB RAM usage after a long while, but I basically use every available package for CCRs.

Latency only matters if you are using full CPU or your bandwidth is full. QoS will help keep latency low for what traffic you want when bandwidth is full. In a multi user environment QoS is actually very helpful. If VPN speed isn't required you can use MIPS based routerboards. There are new MIPS based routerboards that feature newer MIPS architectures but many of them integrate wireless. I am planning on getting one with wireless and miniPCIe but I am unsure if it supports other brands like Intel wifi miniPCIe cards, which are quite cheap. For consoles there is UPnP and IGMP proxy. If it did support other brands you could get a routerboard with 3 miniPCIe slots, 3 Intel 2 stream AC cards for £20 each and have 6 stream AC wifi for a much lower price.
 
Great suggestion with MikroTik. I would add, before you go ahead with a pricier board, order up a RB7xx or 9xx plastic model to play around with. The feature set is practically identical, so at least you'll get a solid feel for RouterOS, and for whether or not a config for your parents would be workable, or overwhelming. And whether you use it for the project, just keep it on hand as a hot spare, or re-purpose it for something else, just playing around with a routerboard is well worth the meager price for the networking lessons alone. :)

If you're thinking something a bit more turn-key, then perhaps a Zyxel ZyWall 110, or for more UTM maybe a Zyxel USG60 or Fortinet FortiGate 30D. Remember, for most of the integrated security appliances, you don't need an ongoing licensing just to run them as simple router/firewall/vpn boxes... There's also Cisco RV/Linksys LRT, Netgear ProSafe and TP-Link, but I don't have much experience and quite honestly the feedback seems "meh" on that stuff in general. Yet certain models in simple use cases seem to review alright, so your mileage may vary.
 
Mikrotik doesn't have time limited licenses, except demo runs for x86 boxes. When you buy a routerboard the license that comes with it lasts forever and for all upgrades. Routerboards can be fun if you want to play around since the small ones are configurable, having modules and slots you can use with different things.

The features aren't entirely the same and depend on the hardware. Some CCRs don't have the switch feature because they don't have switch chips. Multicore routerboards can't run metarouter (virtualisation) because they haven't made that feature multi threaded yet. Some don't have LCD screens. But for the rest, 90% of the features, they are the same for all boxes.
 
Just to add one to the suggestion is the TP-Link TL-ER6120 router. I have one that does basic functions and runs for months. I think almost 1 year is my longest run. The router never quits it is just an environment issue has come up and power down is in order. I have switched providers without ever rebooting the router. I have only seen this on Cisco gear before. All my half dozen or so home routers before required many more reboots. This has been a good basic router for me.
 
Using a Mikrotik 1100AHX2 and very happy with it.
Capable of NAT or simple routing over 1 Gbps.
Did I mention very simple to configure?

PS: stay away from ZyXel!
Most problematic routers I ever used. Not to mention performance is lacking. To say the least.
 
Mikrotiks are quite good and stable... but in our experience Ubiquiti's EdgeRouters are also very stable and function well, easy to set up. Yeah, a couple of years ago when they came out the firmware was buggy and clunky and the GUI was limited... but the firmware has gone through a few updates, the GUI does pretty much all you need, they even have a quick setup/config wizard now. And very very stable. We've deployed quite a few of the little models to clients, and in our data center we run the big Pro model for our servers on the fiber pipe. Very stable, and fast.
 
Good to hear. I have been following the Ubiquiti EdgeRouter Lite for a while now. I think when version 1.7 stabilizes I will buy one to try. I really like my TP-Link ER6120, it is faster than my old Cisco RV180 running as a basic router, no VPN. I think it has better caching.
 
I had the opposite experience with the ER6120. Just to make sure my tests were accurate I dusted it off again and tested it against the ER6120 and I found the RV180 was significantly faster than the ER6120. I also had a chance to test out the ERLite-3 (borrowed from a friend) and while overall the ERLite-3 was faster it wasn't a huge difference. If I take into account the hours over two days it took me to get this set up then it's a no-brainer for me. Heck, I was able to get my Sophos UTM up and running in less time (and that included the install time).

Until I have my ESXi server up my "default" standby router is the TP-Link C5 (wireless disabled) which I got based on the review here and I've found to be a very fast little router.
 
It is interesting that you found the opposite thing out between the 2 routers. I assume you are running the latest firmware on the ER6120 router. I wonder what could be different in our setups or configurations. My connection was a 30 meg TimeWarner connection. I run Untangle UTM behind the router. I also run a lot of Access Control Lists (ACLs) on the router. All my connections are 1 gig. I was streaming video and using data. The ER6120 does a better job. I did not have any VLANs defined to the RV180 as the ER6120 does not handle tagged VLANs. What was your setup?

I am not sure what takes so long to swap a router. I can do it in 15 or 20 minutes. I have to type in all the ACLs and IP reservations for DHCP which takes longer than swapping the equipment.
 
Interesting thread. I took notes.

I don't think the 1.7 release for the EdgeRouter Lite will bring it up to the competition. From what I read on the alpha forum, they're still debating whether to add no-ip as a predefined DDNS provider and it doesn't look good for no-ip. This is only reading tea leaves however, and they might make it better than that. Perhaps by 1.10 the visual interface will provide access to all the main features. VyOS is incomprehensible except for those who wish to make a full time career of it or have exceptional programming skills. pfSense for this router is still only a discussion. There's a cost for DD-WRT for this router and I'm not convinced it's a good idea.

I'm still thinking about putting some UTM gateway software on a dual nic small form PC, but only thinking about it.

For me, VPN passthrough (tun) at the router is important so I can travel and confidently use public wifi. OpenVPN on my R6300V1 via DD-WRT has been reliable and blocked only once, even using port 443 TCP. I'm losing confidence in DD-WRT however and, unless it looks really stable down the road, I will have to move along. The forums at DD-WRT make it look hit or miss per release.

UTM gateway capabilities are also an interest, but not necessarily a need.

What else is out there? The R6300V1 could be turned into a wireless access point in about 30 seconds.
 
Really good additions AHS. It's a shame EdgeOS is taking so long to be brought up to snuff in certain regards, but then again, you do get what you pay for, and for $99 base the platform is pretty much offered as one would expect -- heavy on capability, light on usability/support. The other elephant in the room there is MikroTik, but again you're dealing with a similar animal. Relying on the distributor/consultant channels for support doesn't really pan out in the consumer space.

As far as the third-party firmware on commodity hardware goes, it indeed is a bit of a mess. As you said, even between sub-releases, things that used to work often get broken, and that to me is totally unacceptable when viewed in any other light than a fun toy to experiment with. I'm as thankful as the next person for the work those devs are doing to "liberate" us from the crummy OEM firmware (which in and of itself is a whole other bag of disappointment...) but let's be realistic about where/when it should be deployed; certainly not in any mission-critical scenario, that's a given.

That leaves us with open-source router/firewall distros (pfSense, IPCOP, etc.), some pre-built and supported by various shops, and of course, full-on business and enterprise gear. IMHO, this is the space I think the bulk of this forum should be in when looking for stable solutions. Yes, features come at a premium, but I would like to think one has a higher chance of them actually working, and more recourse with the vendor if they don't. Me personally, I've been through the run-around enough that now I run all my residential routing/firewall deployments on Zyxel or better, mostly for the stability and support, and if I can't sell the prospect as to why, then they simply aren't my client. But again, to each their own. :)
 
Untangle does a good job. Over time you see the counters of things blocked start to rise. It may be in the web-filter or the intrusion-prevention modules but the blocked counters rise over time. We had a friend over and he brought his laptop. The laptop had malware on it and it was spitting data. Untangle flagged it and shut down internet access. They never even knew the malware was on their laptop. It was going right out their router at home.
 
I've been thinking about trying out Sophos free-for-home-use down the road and I have an idea to make it less costly. Will this work and/or work well?

I have a small 11 inch HP laptop with 8GB RAM and an A6-1450 AMD processor with a PassMark of about 1500. Last year, I bought it as a refurb to use as a tablet replacement (tablets are nice but not universal). It's not bad but isn't snappy. In a few months I will think about replacing it with something faster and maybe 13 inches, providing I can find it really off price (I'm incredibly cheap and a great bargain hunter).

My point .. if I were to get a USB 3.0 dual gigabit RJ45 network adapter and plug it into the little laptop, would Sophos recognize it? What about if I loaded Sophos into a VM using the adapter? The adapters cost about $50 so I don't want to try without an educated guess or better that it would work. Also, would that level of processor work OK?
 
I have not run Sophos UTM. I have heard it is better than Untangle UTM but Sophos UTM requires much more time and effort to set up and maintain than Untangle. I have run Untangle for years and not once have I had to fix a problem. I once had to install Untangle again as there was not an upgrade path to the next version. The Untangle team does a great job making sure all the updates are transparent and nothing goes wrong.

The UTM software seems to run better with fewer problems if you can use Intel NICs. Not to say it won’t work with other NICs, it just does a better job with Intel NICs. I have heard the NICs can make more difference than a processor.

My test for a good UTM is there is no lag on web pages. I have run some in the old days where you would pick up 2 or 3 ms delays. That is not acceptable to me. I want it to be as if there was no UTM installed. So I used hardware which will achieve this. Nowadays processors are so fast and NICs so quick it tends to not be a problem. Test your laptop and see how it works. Check the vendor’s forum for hardware compatibility.
 
I typically do my tests with just the bare install (minimal config) and run it three times on two different days. My connection is 100meg Comcast, one HP 1800-24G switch (on the latest firmware, which was in 2013 I believe). I only run about a dozen ACLs so it's pretty light. I haven't played with Untangle yet but have a Sophos UTM install on a re-purposed Barracuda webfilter 210. I typically prefer Intel NICs (works best with ESXi so I tend to stick with them).

My main beef with Sophos is that it's not very well laid out (GUI) even if it's great looking. It can take some patience to find what you need to enter and where. Even simple things (adding websites to whitelists) can be a PITA until you know where to go (since there are other places that you would THINK would be where you make some changes). Having said that it wasn't as bad as doing a pfSense install (if you're not a Linux guru).
 