IPsec and throughput

j3iii

Occasional Visitor
I have a small situation I am heading into in about 1 month's time: I will be relocating across the country and starting to work from home. The issue is I will be making a home office where I need IPsec (specified by my admin) to stay connected to the office, mostly due to having an IP phone (NEC).

Currently my entire house is wired with Cat 6 cable throughout, and I am a big-time movie guy. Like I said, I now have everything wired through a Netgear 4500 pulling from a FreeNAS. Where I am moving I will not have the freedom of running all the network cable through the walls, and there's no attic, so I was thinking of going totally wireless, maybe even trying out an AC router.

Maybe I am wrong, but I have not read anywhere of one of these routers that supports IPsec; it looks like what I wanted to try out was all OpenVPN.

I do run a Roku 3 on the highest pass-through at the highest quality and sometimes it still isn't enough, where I use my Mac mini (HTPC) to run the file if it's a huge 3D with large audio. I need to set up my new wireless network so that it will handle my media requirements and have IPsec.

I wanted to stay under the $200.00 mark, as that would be $400 if I have to get a second device if the 4500 doesn't get the job done.

I am no network genie by any stretch of the imagination, so if I have missed a solution right in front of me please be nice and just point it out. I have no problem with flashing a router with DD-WRT or Tomato.
 
The Linksys LRT214 supports IPsec VPN and has high WAN-to-LAN throughput. Then you could add your Netgear 4500 in a LAN-to-LAN configuration, which basically turns it into an AP.
 
You have a ton of options if you need IPsec.
Like Chadster said, turn off the DHCP on the Netgear 4500 and use it as an AP.

Then get a VPN-capable router.

A short list of what would support IPsec tunnels:
Any router that runs Tomato (you would need to do this via strongSwan installed with Entware)
Cisco RV series (RV180, RV042, RV320, etc.)
Linksys LRT214
EnGenius ESR series (ESR1200, ESR900, etc.)
Ubiquiti EdgeRouter Lite
TP-Link VPN series (ER6020, ER6120)
Zyxel VFG6005
Cradlepoint MBR1200
Peplink Balance 20

This list is not by any means exhaustive, but it's a nice place to start. If I were you, I'd ask your network admin what he would like you to get. That way, if there is any issue troubleshooting, there will be something he's comfortable with.
 
FWIW - Mac OS X has an IPsec/L2TP stack built in - for both client/server and static tunnel - and then port forward the appropriate ports on your router (UDP 500, UDP 1701 and UDP 4500) - as long as your router supports VPN passthrough (most do), you might already have a working solution :cool:

(and no, Mac OS X Server is not required, but Server.app does make it a bit easier for the point-and-click crowd)
 
Did you miss the part about the ip phone? :)
 
No, I didn't - it all depends on how one configures the VPN tunnel - the tunnel is point-to-point, and one can configure the stack so that all or some of the traffic is routed through the tunnel.

I should mention that there are some pretty good solutions available for Linux as well - OpenVPN is one solution there, as is Openswan -- https://www.openswan.org/

Having VPN in a SOHO router - it's convenient perhaps, and many folks go with it, but performance suffers, as most router/APs just don't have the CPU/memory to do it well...
 
Yes, but for the VPN tunnel to route from the Mac, wouldn't some more complex configuration be required, and a second network adapter to route through to the local LAN?
 
No... you can bind multiple addresses to a single NIC... is it complicated? Yes, perhaps, but no more so than "it's complicated" on the Facebook relationship status.

Stop and consider what most SOHO VPN routers do - exactly the same thing - multiple addresses on the same exact NIC :D

They just make it a bit easier by having a cookbook approach.

sfx
 
In the case of a router, the VPN comes in through the WAN and routes out through the LAN.

In Windows Routing and Remote Access, VPNs come in on one adapter and are routed out the second.

I appreciate your thoughts on the subject.
 
Thanks for all the solutions, and sorry for the time lapse, as I went on a job and was stuck for the last 3 weeks. Looks like a lot of good data here, so I will research some of your suggestions this week. Also, as an update, my admin has bought ten seats on OpenVPN and set up a VM, so with a little testing that might be back on the table, which deletes the issue from the beginning. I definitely will use the 4500 as an AP, and if I can get him comfy with OpenVPN I will try out the new R7000 (why not, if I'm getting one for free), but for now I will look at your suggestions. Again, thanks for the direction. In the end, as much as I want to get my work done in a seamless manner, I really don't want my oversize movie to ever have to buffer during playback :)
 
I recommend you set this up before you leave and buzz it all out with your admin so that it is more or less plug and play when you get to your new digs. One of the first uses I had for an old Linksys that I loaded with DD-WRT was a VPN to my ASA a few miles away, from our old building to our new building. Handled 10 users with no issues, sans the IP phones though. Took 10 min to configure it on the Linksys, and with the correct commands it would re-establish itself on a reboot or a drop from the other end.
 
So I am officially in SF and got most everything set up and working to some degree. The issue I am seeing now is I can't get the LRT214 over 21 Mbps. If I bypass it I get 58 Mbps, but as soon as I go through the LRT it goes down. I have tried a few things like disabling the firewall, no VPN, with VPN, turning off packet inspection; nothing seems to matter. Although I got about 2 more Mbps with the firewall off, that's nothing really, and I don't want the firewall off in the end. Could this be a bad router? Any suggestions?
 
What type of internet connection do you have?
Is the LRT directly connected to the ISP modem?
Is the LRT getting a public or private IP? (NAT behind NAT can cause this throughput issue)
 
I have a 50 Mbps connection from Comcast.
I don't have a static IP from them; I am just receiving DHCP.
I have the LRT connected directly to the modem.
I have set all my own LAN IPs, 10.x.x.x.
I have a Netgear R7000 behind the LRT handling the house WiFi and some other things. Most everything in my house that can have a static address has one.
If I remove the LRT and go to the Netgear I get around 58 Mbps, which is above my purchased speed.
I am not the best at networking, so if I didn't answer a question it wasn't on purpose :)
 
Check the LRT WAN IP address to see if it starts with a private IP address range.
Ex: 192.168.x.x or 10.x.x.x

Also, is the R7000 configured LAN to LAN, bridging, or NAT behind NAT?
 
The LRT is on 50.131.x.x.
The Netgear was being used as the main router for the last 4 days, so it was set up the same; I changed the last octet up one number and plugged it in LAN to LAN. This way I can just move the WAN over to the Netgear when I am done working and everything is fine. But I should be able to get the higher speed with the LRT in the picture.
 
I have some standard tips and instructions to help you add the R7000 router in a LAN-to-LAN cascade with the LRT. In the article a Linksys is used as the secondary router, but the theory is the same for most other home routers.

Cascading or Connecting a Linksys router to another router

Things to keep in mind when cascading a router:

1. Change the secondary router's IP address to something like 192.168.1.254 so it's on the same network but doesn't conflict with the primary router.
2. Make sure DHCP is disabled on the secondary router.
3. Make sure nothing is ever plugged into the secondary router's Internet port.
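
The two address checks this thread keeps coming back to, whether the LRT's WAN address is private (the NAT-behind-NAT question asked a few posts up) and whether a secondary router's LAN address fits the three cascade rules just listed, can be scripted. The following is an added example, not code from the thread, from Linksys or from Netgear. The addresses in it are constructed (TEST-NET-3 203.0.113.0/24 for the public case, 10.0.0.0/24 for the LAN in the poster's 10.x.x.x style), and the DHCP pool bounds are assumptions. It also goes slightly beyond the thread by treating the 100.64.0.0/10 shared address space (carrier-grade NAT, RFC 6598) as a double-NAT indicator, since a WAN lease from that range means another NAT sits upstream even though it is not an RFC 1918 address.

```python
"""Address-plan sanity checks for a home IPsec gateway with a cascaded router.

Added example, not code from the thread. All addresses below are constructed.
"""
import ipaddress
from typing import List

# Ranges whose presence on a router's WAN port mean another NAT sits upstream.
# RFC 1918 is what the thread mentions; 100.64.0.0/10 (RFC 6598, carrier-grade
# NAT) is added here because it has the same effect and is common on cable/LTE.
DOUBLE_NAT_RANGES = {
    "RFC 1918 private": [
        ipaddress.ip_network("10.0.0.0/8"),
        ipaddress.ip_network("172.16.0.0/12"),
        ipaddress.ip_network("192.168.0.0/16"),
    ],
    "RFC 6598 shared (carrier-grade NAT)": [ipaddress.ip_network("100.64.0.0/10")],
}


def classify_wan(addr: str) -> str:
    """Return 'public' or a label naming the upstream-NAT range the WAN address is in."""
    ip = ipaddress.ip_address(addr)
    for label, nets in DOUBLE_NAT_RANGES.items():
        if any(ip in net for net in nets):
            return label
    if ip.is_link_local:
        # 169.254.0.0/16: the WAN port never got a lease from the modem at all.
        return "link-local (no DHCP lease from upstream)"
    return "public"


def check_cascade(primary_lan: str, primary_gw: str,
                  dhcp_first: str, dhcp_last: str,
                  secondary_ip: str, secondary_dhcp_enabled: bool,
                  secondary_wan_connected: bool) -> List[str]:
    """Check a LAN-to-LAN cascade plan against the three rules in the post above.

    Returns a list of problems; an empty list means the plan is consistent.
    """
    net = ipaddress.ip_network(primary_lan, strict=False)
    gw = ipaddress.ip_address(primary_gw)
    lo, hi = ipaddress.ip_address(dhcp_first), ipaddress.ip_address(dhcp_last)
    sec = ipaddress.ip_address(secondary_ip)
    problems = []

    # Rule 1: same network as the primary, but not the primary's own address.
    if sec not in net:
        problems.append(f"{sec} is not inside the primary LAN {net}")
    elif sec == gw:
        problems.append(f"{sec} conflicts with the primary router's address")
    elif sec in (net.network_address, net.broadcast_address):
        problems.append(f"{sec} is the network or broadcast address of {net}")
    # ...and it must not be a lease the primary's DHCP server could hand out.
    if lo <= sec <= hi:
        problems.append(f"{sec} lies inside the primary DHCP pool {lo}-{hi}")

    # Rule 2: only one DHCP server on the segment.
    if secondary_dhcp_enabled:
        problems.append("secondary router still has DHCP enabled")

    # Rule 3: the secondary's Internet/WAN port must stay empty; otherwise it
    # NATs again and the "AP" becomes a second router behind the first.
    if secondary_wan_connected:
        problems.append("secondary router's Internet port is in use (NAT behind NAT)")
    return problems


if __name__ == "__main__":
    # Constructed WAN addresses: a public TEST-NET-3 address, an RFC 1918
    # address, and a carrier-grade NAT address.
    for wan in ("203.0.113.7", "192.168.100.2", "100.71.3.9"):
        print(wan, "->", classify_wan(wan))

    # Constructed LAN plan: primary on 10.0.0.1/24 leasing .100-.199,
    # secondary parked at .254 with DHCP off and nothing in its WAN port.
    print(check_cascade("10.0.0.0/24", "10.0.0.1", "10.0.0.100", "10.0.0.199",
                        "10.0.0.254", secondary_dhcp_enabled=False,
                        secondary_wan_connected=False))
    print(check_cascade("10.0.0.0/24", "10.0.0.1", "10.0.0.100", "10.0.0.199",
                        "10.0.0.1", secondary_dhcp_enabled=True,
                        secondary_wan_connected=True))
```

A public result from classify_wan, as the poster reports for the LRT, rules out double NAT as the cause of the throughput drop, which is exactly the conclusion the thread reaches before turning to firmware and VPN settings. The DHCP-pool check is the one rule the numbered list leaves implicit: an address like .254 only avoids conflicts if the primary router's pool does not reach it.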
 
This is very doable and something I was probably going to do already after I got things working today; I had a similar situation, but wireless (AP x2), in my old residence. The problem is that if I cannot get the LRT to give me the throughput it should be supplying, then I will be disconnecting it during non-work hours and using the Netgear as the main router, as it's just a quick cable swap. This was not the plan, and I would rather have it all work in harmony, but I don't want 20 Mbps, as I have so many devices and streaming and such, which is the reason for the higher speed package (wanted more, but that's it for my block). In the end, if it doesn't work, I will get a work line installed and separate the two, but I know I should have no trouble getting the 50 Mbps out of the LRT. The Netgear at this moment really isn't part of the picture except to show that the speed is there and that if swapped everything is fine; something with this LRT is bottlenecking. I will make sure I have the latest firmware and check some more settings. It could be a bad unit. I guess for now I will be held back during working hours.
 
I did testing with the LRT and the throughput is there, but I didn't do testing with a VPN connected. Is your LRT VPN gateway to gateway? I can try to replicate the issue with a few more details.
 
Yes, I believe it is, IPsec. I did do some tests in the beginning, turning the VPN off and then turning SPI off, then I tried turning the entire firewall off. It is strange; nothing seems to change it.
 