A Solid Week with the ER-4

NUTW0RX

Regular Contributor
I was looking for new border gateway equipment to handle an ISP change that could handle 1 Gb service and picked up the Ubiquiti Networks EdgeMAX EdgeRouter 4 last week from B&H for 200 with free next day shipping. UBNT was out of stock and Amazon sellers were price gouging. I also picked up the UF-RJ45-1G SFP for a little less than 20 w/shipping at Provantage since it was less than UBNT and didn’t like the more expensive ‘other’ brands found on Amazon.
https://www.ubnt.com/edgemax/edgerouter-4/


The ER-4 came with v1.9.8 firmware (12/28/17) and the first thing I did was upgrade to v1.10.0 firmware (02/15/18) before I configured and connected to a live network. I initially used the Basic Setup wizard to see how easy it was but then decided to manually configure it. If you have experience configuring networking/security gear, then this should be straightforward for the most part. There are more advanced settings that can be configured and the EdgeOS User Guide touches on most topics.
https://community.ubnt.com/t5/EdgeM...eRouter-software-release-v1-10-0/ba-p/2233263


I configured a WAN port and three LAN subnets with some basic firewall/NAT rules since it’s a router after all, and I like letting routers do their job of routing. I have other security devices downstream handling their respective duties. I configured some port forwarding rules on one interface providing external services and that’s pretty much it. I configured NTP and turned off pretty much everything else to include SSH, DHCP, DNS forwarding etc. You can change the default admin name and aren’t restricted in password character usage or length like you are with some vendors. I’m looking into getting SYSLOG configured to be used with certs and SSL. Throughput testing has been between 900-940Mb with my configuration. I haven’t bothered with QoS or VPN because I don’t use either.


The build quality, performance, features and professional grade OS make this router a bargain, especially for home network use. The Dashboard and Traffic Analysis tabs have enough information (eye candy) for those who care. I have RT2600acs on a couple of my segments and didn’t need an edge router with unused features that added cost to a unit. It’s time to get rid of toy ‘consumer’ routers and start playing with ‘big boy toys’. You’ll get business grade quality and software support while the consumer gear gets forgotten with their short product cycles and insecure hardware/software. UBNT released the $100 ER Lite 5 years ago and it’s still getting updates. Good luck getting updates on consumer routers costing 3-4X that.
 
Firmware support is definitely better and more ambitious than consumer vendors.

For example, ubnt recently upgraded the Linux kernel in the ER-X to align with the higher end models. It also pushed MediaTek to release an SDK with a 4.x kernel. So by the firmware v2 timeframe, all EdgeRouters will be upgraded and aligned on Linux 4.x. Actions such as these are essential upgrades over a product's multiyear lifetime.

Consumer vendors like ASUS do have "good" firmware support in the sense that it keeps posting new releases. For example, the 4+ year old RT-AC56U still receives new firmware. However, if people look closer into its changelog, updates lack substantial improvement in core networking performance.

Other performance, let's say IPsec. A $50 ER-X still performs on par if not exceeds the latest generation of ASUS. Not to mention the exceptionally well done hEXr3 that pushes the limit of hardware which MediaTek is shy from advertising.

For now, for a home with 500/500 or below, I can't see a reason why the ER-X won't fit and perform well. ubnt has promised to look into enabling the extra 1Gbps pipe. If that really happens, the ER-X will still be a killer deal for homes up to 1000/1000.

Of course, for people willing to spend more or with higher bandwidth requirements, the ER-4 is lovely. Some models from Mikrotik are also good...for the sake of a balanced view.
 
Installed an ER4 about 3 weeks back. Running v1.10.0 with a bunch of VLANs, firewall rules, no QoS, no VPN. So far no issues. I relegated my ERX and ERX SFPs to switch duty. I ran the ERX SFP for a couple of years, with no issues either. I like to use the SFP port, so it was nice to see an SFP port on the ER4/6P.
 
Other performance, let's say IPsec. A $50 ER-X still performs on par if not exceeds the latest generation of ASUS.

Are you sure? ;)

Code:
P:\Tools>iperf -c 192.168.1.51 -M 1400 -N -t 30
------------------------------------------------------------
Client connecting to 192.168.1.51, TCP port 5001
TCP window size: 64.0 KByte (default)
------------------------------------------------------------
[292] local 10.10.10.1 port 2754 connected with 192.168.1.51 port 5001
[ ID] Interval       Transfer     Bandwidth
[292]  0.0-30.0 sec  1.07 GBytes    307 Mbits/sec
 
So for a small home network, is there a performance/reliability benefit of the ER-4 over the ER-X?
 
Since VPN throughput-versus-price is the only purchase criteria for many buyers, this is a totally useless review. I also noticed that Ubiquiti does not publish any VPN throughput statistics. Furthermore, the spec sheet for the Edgerouter 4 only states the CPU architecture, and does not identify the specific CPU model. When manufacturers don't provide accurate specifications, it means they know there is something else on the market which provides better performance at a lower price, and they don't want you to go around comparing their products to anything else.
 
VPN is not a criteria for all users. I am retired and don't need a work connection any more.

I think they are moving in the right direction and they are getting a handle on their software bugs much better than consumer gear. You have more future in their hardware than a lot of consumer gear.

Hardware comparison is not the same as for PC where you are running the same OS. Routers are not running the same software so software programming plays a big part in performance.

I would probably run their hardware but I am an old Cisco guy.
 
VPN is not a criteria for all users.
I never said that it was.
I am retired and don't need a work connection any more.
This is completely irrelevant since the world does not revolve around you. The Edgerouter is marketed as a business product. When people go around praising a product that does not represent a good value, it is a disservice to the reader and it's totally reasonable for someone to speak up. Furthermore, you are frightfully ignorant of the current security threats if you think that a VPN is only for business:

1. Many ISP's are collecting and selling personal information and a commercial VPN proxy service can prevent that. I know of cases where bad ISP employees have used their inside access to commit identity theft by looking at the web sites you visit and then sending phishing emails which impersonate those sites. Anyone who purchases your email address and surfing history from the ISP could do the same thing.

2. I also know of cases where cable companies have raised their internet rates on customers who subscribed to an IPTV service instead of paying for cable TV. Unfortunately, in most jurisdictions there is no law which says that all customers must be charged the same price for the same service, because the cable cartel routinely bribes politicians to let them go unregulated.

3. Even if you do not subscribe to a VPN proxy service, a VPN connection between your mobile device and your home would protect your traffic from being observed or tampered with by malicious WiFi access points.

4. Unlawful government surveillance programs continue to expand every year. For example:

DHS wants to initiate a massive, ceaseless capability of monitoring every journalist, blogger, publication, website, social media influencer or other online information outlet that publishes anything whatsoever relating to the Department.
https://stonecoldtruth.com/the-dhs-is-gearing-up-to-spy-on-you/

The CLOUD act has just legalized the following violations of the constitutional right to due process:
  • Enable foreign police to collect and wiretap people's communications from U.S. companies, without obtaining a U.S. warrant.
  • Allow foreign nations to demand personal data stored in the United States, without prior review by a judge.
https://www.eff.org/deeplinks/2018/03/responsibility-deflected-cloud-act-passes
I think they are moving in the right direction and they are getting a handle on their software bugs much better than consumer gear. You have more future in their hardware than a lot of consumer gear.
From the way you are talking I reckon you've probably never installed Tomato or OpenWRT on consumer gear, which is generally superior to the factory software, and continues to be upgraded long after the manufacturer has discontinued support. And once you approach that $200 price point, you're probably better off to get a fanless mini PC or generic network appliance and install pfSense or Untangle, which are vastly more capable and useful than anything from Ubiquiti.
software programming plays a big part in performance.
Not when OpenVPN is your only option because you want strong encryption or you subscribe to a commercial VPN proxy service that supports nothing else. The OpenVPN package is in the public domain, so the software is the same on all routers. The OS is almost completely irrelevant, and the hardware is the factor which determines performance. If the CPU does not support AES-NI, performance will be significantly worse.
I would probably run their hardware but I am an old Cisco guy.
That pretty much says it all: you choose your hardware the same way you choose a favorite sports team, and performance means nothing to you. I honestly don't know why you felt the need to comment on this topic.
 
This is completely irrelevant since the world does not revolve around you. The Edgerouter is marketed as a business product. When people go around praising a product that does not represent a good value, it is a disservice to the reader and it's totally reasonable for someone to speak up. Furthermore, you are frightfully ignorant of the current security threats if you think that a VPN is only for business:
A VPN does not do much other than build you a secure tunnel from point A to point B. It is not an end all security solution just because you think it is. The world does not revolve around you either so deal with it.

I never said that it was.
1. Many ISP's are collecting and selling personal information and a commercial VPN proxy service can prevent that. I know of cases where bad ISP employees have used their inside access to commit identity theft by looking at the web sites you visit and then sending phishing emails which impersonate those sites. Anyone who purchases your email address and surfing history from the ISP could do the same thing.
It won't be long before commercial VPN proxy companies will be selling personal information also if they are not now. There is nothing to stop them. Your routing data is exposed where the VPN tunnel ends. The VPN only stops the middle man not the end point.

4. Unlawful government surveillance programs continue to expand every year. For example:

DHS wants to initiate a massive, ceaseless capability of monitoring every journalist, blogger, publication, website, social media influencer or other online information outlet that publishes anything whatsoever relating to the Department.
https://stonecoldtruth.com/the-dhs-is-gearing-up-to-spy-on-you/

The CLOUD act has just legalized the following violations of the constitutional right to due process:
  • Enable foreign police to collect and wiretap people's communications from U.S. companies, without obtaining a U.S. warrant.
  • Allow foreign nations to demand personal data stored in the United States, without prior review by a judge.
You are over paranoid without a good network understanding. If you don't control all the network on both ends you are exposed.

From the way you are talking I reckon you've probably never installed Tomato or OpenWRT on consumer gear, which is generally superior to the factory software, and continues to be upgraded long after the manufacturer has discontinued support. And once you approach that $200 price point, you're probably better off to get a fanless mini PC or generic network appliance and install pfSense or Untangle, which are vastly more capable and useful than anything from Ubiquiti.
I have run many firewalls including more than you have mentioned. I have run pfsense for a couple of years. The old versions were better in my opinion. I ran Untangle for many years when I ran my mail server. It did an excellent job filtering email in the past. It has a slow response time because of all the filtering.

That pretty much says it all: you choose your hardware the same way you choose a favorite sports team, and performance means nothing to you. I honestly don't know why you felt the need to comment on this topic.
Sorry I chose my hardware based on what works and doesn't give me trouble and is easy to setup. The reason I commented even though I don't run Ubiquiti gear, they are doing a good job and your one sided network view is not the end all to networking even though you think it is.
 
A VPN does not do much other than build you a secure tunnel from point A to point B. It is not an end all security solution just because you think it is.
When you said "VPN is not a criteria for all users" you were essentially accusing me of saying something which I did not say. And here we go again. I never said it was an "end all security solution." Your ISP has your name, address, telephone number, and banking information. Anyone who has those things can find out everything else about you from public databases. In case you didn't know, AT&T was fined millions of dollars because they outsourced customer service to a foreign country and those foreign employees committed identity theft against Americans. That is one example of many. If you don't understand why decoupling your identity from your web surfing improves security, there is no point in continuing this conversation.
The world does not revolve around you either so deal with it.
The customer has every right to know the CPU model and VPN throughput, and the motive for withholding that information was to mislead the customer into buying a product that does not represent a good value. I have every right to point that out, and will not be silenced by a petty dictator who loves to talk about himself instead of providing information that's useful to others.
It won't be long before commercial VPN proxy companies will be selling personal information also if they are not now.
Man, you are just grasping at straws here. Many VPN services go out of their way to provide a purchase method which does not require the disclosure of personal information. And I never claimed that a VPN service eliminates all security risks. You are trying your best to change the subject with these off-topic posts, but the lack of meaningful specifications will continue to remain a legitimate concern for a large percentage of prospective buyers. Imagine if you went shopping for a new car, and the dealer would not tell you which motor it has, and what the fuel efficiency is. That's basically what Ubiquiti does with its routers. My complaint was about the manufacturer's failure to disclose meaningful specifications, and you want to turn this into a debate about all sorts of other unrelated things. I do not believe you are really as stupid as you are acting, I think you're just bored in retirement and want somebody to fight with.
You are over paranoid without a good network understanding.
I do admit that I am distrustful of people who tell me I don't need locks on my doors or my data. But when you resort to ad-hominem attacks of this nature, it demonstrates that you cannot win a debate based on the facts. And you obviously have not been to DEF CON, ha ha! But the bottom line is, no one here needs to justify their use of encryption to you. Once again, I must remind you that the world does not revolve around you.
Sorry I chose my hardware based on what works and doesn't give me trouble
I don't believe you are sorry for anything you have ever done in your life. But you should at least be sorry for trying to pick a fight just because I exposed Ubiquiti's deceptive marketing tactics.
The reason I commented even though I don't run Ubiquiti gear, they are doing a good job and your one sided network view is not the end all to networking even though you think it is.
The issue I raised is the question of whether or not the performance justifies the price. The lack of adequate testing and accurate specifications makes that impossible to determine. This is a perfectly legitimate concern, but you decided to change the subject and start an argument about whether VPN's are necessary at all. That is not for you to decide, because the world does not revolve around you. What you call being "one sided" is staying on topic, and you are just polluting this forum with noise. I did not come here to fight, I came to do purchasing research. When I see an opportunity to educate people about deceptive marketing tactics, I go ahead and do so. But I can't do much for those who are willfully ignorant.
 
In the USA I do not see a reason for running a VPN except to work networks. The performance hit is too great to run every day VPN. You are making noise about nothing.
 
In the USA I do not see a reason for running a VPN except to work networks.
You also apparently do not see why your opinions about the need for a feature are irrelevant to a discussion about the feature's performance. Everything that you are whinging about is a matter of your personal preference, while the issue I raised is of interest to every single customer who intends to use this feature. What you are doing here is just proving my point: you jumped in this thread because you wanted to fight, and that's why you keep re-stating your opinions like a broken record. The only thing I am concerned with is the missing specifications. What part of that do you not understand?
The performance hit is too great to run every day VPN.
That is not for you to decide if you are not paying my bills. Once again, the world does not revolve around you.
You are making noise about nothing.
You seem to think that you have won every debate so long as you get the last word, even if you have done nothing more than squawk like a parrot. Don't look now but your emotional immaturity is showing. I'm also starting to wonder if you might be an investor in a cable company that is collecting & selling personal customer data.
 
In the USA I do not see a reason for running a VPN except to work networks. The performance hit is too great to run every day VPN. You are making noise about nothing.

Even within the US - things are changing - "the cloud" and moving auth and encryption up the stack...

Nice view here on where things are going -- https://www.beyondcorp.com

Reduces the threat surface, and takes away a single point of failure...
 
Since VPN throughput-versus-price is the only purchase criteria for many buyers, this is a totally useless review.
While I will agree you have some valid points about the specs from the vendor not being detailed enough...I do not agree this is a totally useless review. It may be useless to you and those who do care about VPN performance, but overall it isn't totally useless. A better statement may be that it is incomplete since some potentially core/critical features were not tested/evaluated.

I think this thread has taken a turn for the worse. Too many childish comments and personal attacks. We are all going to have opinions....and we are all going to have different reasons/logic for doing things. Who cares if some of us are paranoid while others aren't. Who cares if someone wants to use a VPN...let them. If you want to run clear to the Internet...so be it. If you want to run all traffic over a VPN to some random VPN provider...so be it. I run a VPN from time to time, but it is mostly when I am remote using 3rd party WiFi. My ISP is Google...Google already knows waaaaaaay too much about me in the first place and a VPN won't change that without a major change in how I live my daily life with technology. I would need to change phones, email, browsers, music, and storage providers to even start getting Google out of my life. I am sure that if I were still on standard telco or cableco Internet, I would probably have a different take on this since they have been caught doing some shady stuff. Not saying Google isn't either...but again...they don't need to...they already know me.

In my experience and personal use cases, I also agree that for me the performance hit is too great to run VPN for everything. Even if I got an uber duber super VPN router, it is unlikely my VPN provider will be able to keep up with my Internet speeds. But when out and about using public WiFi at various places, I for sure will take the hit to attempt to have type of security/privacy. I either connect back to my home openVPN or to the 3rd party VPN service I subscribe to. Then again, rarely does public WiFi give you any type of bandwidth that will push the limits of most VPN services. I think the fastest guest/public WiFi I have used has been around the 100Mbps range. Most others are in the sub-10Mbps range.
 
Even within the US - things are changing - "the cloud" and moving auth and encryption up the stack...

Nice view here on where things are going -- https://www.beyondcorp.com

Reduces the threat surface, and takes away a single point of failure...

To me this is corporations handing over their inside data trusting google to keep it safe. Whether this will happen in the future or not I don't know. In the old days probably not.
 
In my experience and personal use cases, I also agree that for me the performance hit is too great to run VPN for everything. Even if I got an uber duber super VPN router, it is unlikely my VPN provider will be able to keep up with my Internet speeds. But when out and about using public WiFi at various places, I for sure will take the hit to attempt to have type of security/privacy. I either connect back to my home openVPN or to the 3rd party VPN service I subscribe to. Then again, rarely does public WiFi give you any type of bandwidth that will push the limits of most VPN services. I think the fastest guest/public WiFi I have used has been around the 100Mbps range. Most others are in the sub-10Mbps range.

Using VPN back to your home from a location is controlling both sides of the VPN. This is what VPN was built for. Don't think you are hiding, as your home network is still on the radar, but you are secure to your home network. I am not sure why you need a 3rd party VPN service. Just don't connect to hot spots. There is a setting for that. That will keep the man in the middle attacks away. I have not had any problems using public Wi-Fi by not connecting to any hot spots. I don't use airport Wi-Fi but I don't travel much any more either.
 
It is also very different country to country.

The US may be unique for not having customer data used against them directly (for now).

But in many parts of the world, including the West, any domestic ISP, telco provider and country network are your worst Internet enemy. That is a threat model for which VPNs are widely used now.

Ubiquiti is one of the few solutions that offer OpenVPN client support for power users and small businesses.

The ER-4, in particular, sits in that sweet spot of bidirectional almost wirespeed Gigabit routing all the way down to below average Internet packet sizes, while also offering custom QoS, and enterprise features like VLANs. Its pricing is highly competitive. You could not even get a Mikrotik, who are known for budget SOHO and enterprise devices, that could offer the same bidirectional Gigabit forwarding performance at this price.
 