Router choice


Mike77

Occasional Visitor
I have three separate gigabit LANs that I want to connect to each other over the internet via OpenVPN in bridge mode.
Lan 1: 200 Mbit/s down 20 Mbit/s up;
Lan 2: 200 Mbit/s down 20 Mbit/s up;
Lan 3: 200 Mbit/s down 200 Mbit/s up;

Now I'm trying to find out which VPN routers I should get to do this, without them becoming a bottleneck. I first looked at the Linksys LRT-214 and 224. But I found out that they have a maximum IPsec throughput of 110Mbit/s. So I might be reading this wrong, but I believe that this means that they would form a bottleneck uploading from, let's say, LAN 3 to LAN 1 or LAN 2.

Q1: Am I seeing this correctly?

Second thing is that I also have a spare Asus RT-AC68U with the stock firmware. If possible I'd like to use it as one of the VPN routers in bridge mode.

Q2: What firmware could/should I use (Tomato/Merlin/DD-WRT) to do this, and do they all have the option of OpenVPN in bridge mode?
Q3: What is the maximum throughput of an OpenVPN bridge over IPsec of the 68U running that firmware?

Can anyone help me?
 
I think you're going to have a tough time finding any consumer router that supports anywhere near your VPN throughput requirements on ONE port, let alone three.
 
I think you're going to have a tough time finding any consumer router that supports anywhere near your VPN throughput requirements on ONE port, let alone three.

@thiggins: Thanks. Yes, I was afraid of that. If I understand it correctly, even small business routers (the Linksys 214 and 224) will not do the trick... Which is kind of strange, seeing that nowadays a private home could get a 200-500Mbit/s up and down connection on, let's say, glass fiber. The 200Mbit/s down and 20Mbit/s up connections are good but not special, and the 200Mbit/s up and down connection is also a private home...
 
The Cisco RV isn't a proper Cisco and cannot even support your throughputs. What you need is either an expensive Cisco or an x86-based router (that uses a good CPU such as a Xeon that has hardware encryption). Also, some RouterBoards have hardware encryption too, but you will have to read the specs and brochure relating to the product. I suggest checking out the RB1100AHx2 and the MikroTik CCR, as both have CPUs that are very fast at routing and VPN and have hardware encryption. Each PPC core above 1GHz does 500Mb/s of PPTP VPN while each TILE core at 1.2GHz does 300Mb/s of PPTP. Since you have 3 connections it can use 3 cores. Each connection in RouterOS can use a maximum of one core and some RouterBoards have up to 36 cores (they are planning to release a 72-core variant in a year or 2). Hopefully the hardware encryption on the RouterBoards should include IPsec, but you can find more details by googling for the CPU architecture details, as manufacturers love to post their capabilities.

Both the MIPS based CPUs and ARM A9s will not be fast enough because their VPN throughputs are less than 100Mb/s for what you want to do.

In total you have
220Mb/s
220Mb/s
400Mb/s
Total required throughput: 840Mb/s IPsec VPN + 840Mb/s of routing, even though the total wire in + out is 840Mb/s, as the actual routing between layers happens within the router.

Business-class routers, even the Cisco RV, are still classified as consumer, and IPsec requires a good CPU or a CPU with IPsec hardware encryption.

For x86 there's pfSense, RouterOS, any full Linux/Unix server OS, and router-based OSes. I suggest avoiding Windows Server, mainly because of routing and stability reasons.
 
Seems to me that the most economical right now might be to buy three routers that surpass the 20Mbps uplink on LAN 1 and LAN 2. Assuming LANs 1, 2 and 3 all need to connect equally, there would be no reason for LANs 1 and 2 to connect faster to LAN 3 than it can connect to them.

If or when that changes, higher priced models could be considered at that future time. I really value having identical brand / models of hardware throughout the organization. Learn once, copy many.

Depending on the quantity and type of information shared over the VPNs, even 20Mbps may be fast enough. At least for a few users. Very rarely do I see businesses need everyone to connect to everything and at the same time.
 
Like @thiggins alluded to and @System Error Message expounded upon, hardware that can push that kind of throughput at 256 bits of encrypt/decrypt and do so reliably is going somewhat beyond consumer-class embedded devices with SoC-based architectures...

Perhaps integrated security hardware/vendors, if you've got the coin? Cyberoam is one of the better ones for throughput value (sub-brand of Sophos). Assuming you wanted 100% WAN throughput utilization over VPN, you'd need 2 CR35s and 1 CR50, which would be $3,000-ish in hardware. Probably a fair amount higher than I'm guessing you're looking to spend... but regardless, even if it's with MikroTik or a black-box/DIY build, you won't be able to go a whole lot cheaper. Perhaps eBay or AliExpress may net some deals? Good luck! :)
 
I think I got the network routing wrong, since I expected he was combining all 3 LANs at 1 location when he is combining them at each point. Throughput-wise, hopefully if the MikroTik RB850gx2 uses the same CPU as the RB1100AHx2 it will be fast enough at LAN 2 and 3, while at LAN 1 you might want to look at the RB1100AHx2 or MikroTik CCR1009.

RB850gx2 costs $120-$150 - half the clocks of the RB1100AHx2
RB1100AHx2 costs around $300-$400 - does 500Mb/s of PPTP per core
CCR1009 costs around $400-$500 - 300Mb/s of PPTP per core

For x86 you can use Atoms since you aren't expecting gigabit VPN throughput. Cost-wise, since you need 3 capable routers, it would be below $1000 if you use MikroTik, whereas Cisco could cost more, while going with x86 Atoms might cost below or around $1000 since you need 3 boxes. The throughput figures I quoted were the ones I tested.
 
Guys, thanks,

Let me try to rephrase what I was trying to say. It's three LANs, all separated by the internet. So the throughput won't be more than the best internet connection, being the fiber 200Mbit up and down. So no adding the connections. I'd like it to be as fast as the Gbit networks, but sadly that won't happen for me in the near future.

I think System Error Message is on the same page in his last post. The idea is to make every LAN connect to the other two. But that won't increase the maximum demand on throughput. The only extra thing I have to take into account is that internet connections will keep increasing in speed. So it might be better to spend a little more for the fiber connection on a 500Mbit/s RB1100AHx2. The other two will be alright with something like the RB850gx2.

A thing I hadn't thought of is the possibility of using old computers as routers. I've got more than three HP Core i3 2100 systems doing nothing. Would a 2100 with 8GByte of RAM and two gigabit Intel NICs be enough to do the job on the fiber connection?
 
Yeah, the 3.1GHz core clock and i3 architecture should even accommodate your aggregate 400Mb link... You could use RouterOS, pfSense, etc. to test one of them. One thing to consider, though, is your power draw on those three boxes -- it will likely be 10x that of an embedded device, and thus 10x the power bill on an ongoing basis (don't know if that matters to you, but worth considering perhaps).
 
One thing you should note is that the speeds I quoted were per core, which in RouterOS is per connection. Each connection in RouterOS, in NAT or any other thing like QoS, will use up to 1 core, so the RB1100AHx2, being a dual-core PPC, will do 1Gb/s of PPTP VPN in total and the CCR1009, having 9 cores, will do 2.7Gb/s PPTP in total, whereas for IPsec over tunnel it might be faster. You can use tunnels instead of VPN, and in many examples for your setup you will find them using tunnels because it eliminates the server-client complications for multiple p2p networks.

All the MikroTik RouterBoards use RouterOS, which is also available for x86, so you can buy it for your 3 HP servers. The x86 license is limited to a system or drive. pfSense is also a good choice but I'm not so sure of its tunneling capability, although it is free and has a better proxy cache and preconfigured firewall than RouterOS.

The Intel i3, even if it's a dual core, is fast enough even if it was 2GHz because you are using Intel NICs, which really help reduce the CPU usage.

As Trip said, the difference between using x86 or embedded like the MikroTik devices I mentioned is mainly power usage. If you want to future-proof your network you can go with MikroTik CCRs because some of them are faster than x86 in their NAT throughput and are comparable to the performance of the Cisco edge routers while using only up to 60W. The CCR idle power isn't good since the 9-core one idles at 15-20W (higher than Sandy Bridge and up laptop idle) while the 36-core one idles at 47W.

Since you have the i3s, RouterOS has 1 day free usage after you download and install it, so you can test its throughput first before buying a RouterBoard.
 
Guys, thanks again.

I’ll first try it on the i3s. After I get it all up and running I'll look for something less power hungry and more permanent.
 
