Worthy VPN performance upgrade from RT-AC86U?


RT-AC86U

New Around Here
I love my RT-AC86U. But now I upgraded my connection from 100M to 500M and it seems now that my RT-AC86U's VPN performance is a bottleneck! With the RT-AC86U I got max 180M. With the NordVPN app I get 440M.

Does an Asus router exist that has hardware acceleration that can handle speeds up to 500M?
 

L&LD

Part of the Furniture
No. At least not an OpenVPN connection.
 

CaptainSTX

Part of the Furniture
For that speed you will need a roll-your-own solution running router OS software such as Pfsense on a PC processor based system and even then ideally a system that will support WireGuard.
 

Centrifuge

Regular Contributor
For that speed you will need a roll-your-own solution running router OS software such as Pfsense on a PC processor based system and even then ideally a system that will support WireGuard.
That's exactly what I did (Protectli FW4 using Pfsense). I liked the 86U's awesome wireless coverage so it's my AP now, sitting behind a Celeron processor with 8gb ram. I've thrown all kinds of stuff at it, Pfblocker dnsbl, Suricata, Openvpn, Telegraf and still can't get it to go over 20% ram usage. No Wireguard support cuz the protocol is still "experimental". I don't have metrics for you OP but everything is faster including ovpn with road warrior client mode. Clean logs too fwiw, it's almost boring.
 

Vimes

Regular Contributor
That's exactly what I did (Protectli FW4 using Pfsense). I liked the 86U's awesome wireless coverage so it's my AP now, sitting behind a Celeron processor with 8gb ram. I've thrown all kinds of stuff at it, Pfblocker dnsbl, Suricata, Openvpn, Telegraf and still can't get it to go over 20% ram usage. No Wireguard support cuz the protocol is still "experimental". I don't have metrics for you OP but everything is faster including ovpn with road warrior client mode. Clean logs too fwiw, it's almost boring.

If you don't mind me asking where did you buy your Protectli FW4 from and if so would you select that one again or consider something else...?
It does seem impressive with what you describe and something that I've always hesitated doing. Perhaps it is my first impressions of seeing a little of pfsense that has me overwhelmed.

I suppose I could test out pfsense or opnsense in a VM to see what I think.
 

Centrifuge

Regular Contributor
If you don't mind me asking where did you buy your Protectli FW4 from and if so would you select that one again or consider something else...?
It does seem impressive with what you describe and something that I've always hesitated doing. Perhaps it is my first impressions of seeing a little of pfsense that has me overwhelmed.

I suppose I could test out pfsense or opnsense in a VM to see what I think.
I just bought directly from them. Amazon has some appliance/mini pc options too, one brand is Qotom but support appears nonexistent. The 6 NIC model would have been overkill in my situation, so I maxed the ram on the 4 NIC model and called it good. I just liked the look of the support culture at Protectli which is out of San Diego. The device came preloaded with Opnsense which is a fork from Pfsense, which ran okay but the Opnsense support situation was weak and the wiki was outdated and unclear in places. Pfsense is solid and easy to work with, I'm a neophyte, and it was easy to switch given the knowledge base guides at Protectli, yes I would recommend.
 

RMerlin

Asuswrt-Merlin dev
I just bought directly from them. Amazon has some appliance/mini pc options too, one brand is Qotom but support appears nonexistent.
Qotom are actually quite popular with pfsense users, since they are quite affordable, and they use Intel NICs.

I personally use a Qotom as a mini Xen server here. Got one VM running a Windows machine for my employee, and I run other VMs on it for development purposes. Only issue with that one that I use is that during the summer running anything too CPU intensive will cause it to crash due to overheating. Shouldn't be an issue if you only run a firewall however, rather than a desktop OS.
 

Vimes

Regular Contributor
I just bought directly from them. Amazon has some appliance/mini pc options too, one brand is Qotom but support appears nonexistent. The 6 NIC model would have been overkill in my situation, so I maxed the ram on the 4 NIC model and called it good. I just liked the look of the support culture at Protectli which is out of San Diego. The device came preloaded with Opnsense which is a fork from Pfsense, which ran okay but the Opnsense support situation was weak and the wiki was outdated and unclear in places. Pfsense is solid and easy to work with, I'm a neophyte, and it was easy to switch given the knowledge base guides at Protectli, yes I would recommend.
Thanks for that, also great that you posted about Qotom as it gives me another brand to consider. Point taken about support, but they do seem to be affordable when compared to Protectli in the UK. I know of one person who has built themselves a pfsense box and also looked not to ubiquiti but to TP-Link's EAP245 system for his WiFi needs.
Perhaps, one day, I'll buy myself such a box and consider trying out pfsense, then again I could just do that in a VM for no cost at all.
 

Vimes

Regular Contributor
Qotom are actually quite popular with pfsense users, since they are quite affordable, and they use Intel NICs.

I personally use a Qotom as a mini Xen server here. Got one VM running a Windows machine for my employee, and I run other VMs on it for development purposes. Only issue with that one that I use is that during the summer running anything too CPU intensive will cause it to crash due to overheating. Shouldn't be an issue if you only run a firewall however, rather than a desktop OS.

It seems, only looked a little, that the Qotom boxes are more affordable, not sure if that is due to being in the UK. But they do seem to be priced reasonably and also with the Intel NICs you mention. As you noted the potential issues of overheating I had read one review about them on Amazon, the person noted that very thing and mentioned installing a USB internal fan IIRC.
 

gattaca

Senior Member
One option I'll toss in also is using one of the "mini/micro" machines as a pfSense unit. There are many blog postings out there for how to do that but there can be gotchas. Like not enough ports or even the slots, or physical connectors to add them. Then there are the gotchas of using genuine parts. Most boils down to how much time do you want to tinker/spend vs get an out-of-box working unit up/running?

With the pre-built units like Protectli or NetGate, you get a ready-to-go appliance, without a lot of those headaches to make it work. That's the KIS route that is sure to take the least time.

If you decide to tinker, many of the tiny-mini-micro-thins make fine pfSense units and these surface on eBay all the time - Dell, HP, Lenovo all sell units. Lenovo has an option to add a 4-port Intel pNIC to one of their Tiny models - but you may find the $ a bit higher than you want to spend - new. (ouch!) Buying used you have to know which models make good options b/c some may not even have the parts, slots or ability to add something like 4 port Intel card to and never assume. These manufacturers do not put the ability to add or parts on the motherboards to add something like a pci-e slot, if they never intend the unit to have/hold any sort of pcie card! Every .01 counts! There may also be special brackets to hold cards in place or you do a "make it work with a dremel...." ;)

Finding the right unit again is the issue b/c many times, they only have a single port which is often broadcom-based and pfSense works and support is much better with Intel pNICS. My biggest hang up is understanding the setups enough to make sure I don't leave the doors wide open by mistake and invite a world of trouble.

Search for pfSense guides on minis there are several. Just a few I've hit over the years as I've looked at this option as the main front-door router.

1. https://www.servethehome.com/netgate-sg-2100-pfsense-router-and-firewall-review/
2. https://www.servethehome.com/guide-tinyminimicro-pfsense-firewall/
3. https://www.thegeekpub.com/14863/the-best-pfsense-box/
4. https://www.servethehome.com/lenovo-thinkcentre-m720q-tinyminimicro-feature/
5. Fake 4 port Intels -> https://forums.servethehome.com/index.php?threads/comparison-intel-i350-t4-genuine-vs-fake.6917/
6. Doing it with 1 port --> https://www.joe0.com/2019/11/16/con...irtual-lan-configuration-on-a-managed-switch/
7. HP example -> https://boratory.net/hp-t730-thin-client/
8. ...

Example PITA of finding the right model and then adding the right parts -> https://forums.lenovo.com/t5/ThinkC...0-720-910-920q-TINY-series/m-p/4612559?page=1

BTW, me and a buddy have toyed with doing this for about 18 months now and so far, we've decided for now to remain with our tried, true and trusty Asus AC86U units + Merlin + AMTM +.... . For me, I just do not have the cycles to take on another project or have the family screaming about the internet being weird or down. Good luck!

Centrifuge

Regular Contributor
I could just do that in a VM for no cost at all.
Yeah, I had an old laptop and thought about doing Pfsense or Ipfire on it, getting a usb to ethernet dongle, but I couldn't resist. If I really want to tinker in the future I could just install Linux (Like Alpine, Ubuntu or Arch) on it and use kernel routing features, do all of it by hand, add services, I'm not quite ready for that, but there are some interesting guides out there for that.
 

Vimes

Regular Contributor
One option I'll toss in also is using one of the "mini/micro" machines as a pfSense unit. There are many blog postings out there for how to do that but there can be gotchas. Like not enough ports or even the slots, or physical connectors to add them. Then there are the gotchas of using genuine parts. Most boils down to how much time do you want to tinker/spend vs get an out-of-box working unit up/running?

With the pre-built units like Protectli or NetGate, you get a ready-to-go appliance, without a lot of those headaches to make it work. That's the KIS route that is sure to take the least time.

If you decide to tinker, many of the tiny-mini-micro-thins make fine pfSense units and these surface on eBay all the time - Dell, HP, Lenovo all sell units. Lenovo has an option to add a 4-port Intel pNIC to one of their Tiny models - but you may find the $ a bit higher than you want to spend - new. (ouch!) Buying used you have to know which models make good options b/c some may not even have the parts, slots or ability to add something like 4 port Intel card to and never assume. These manufacturers do not put the ability to add or parts on the motherboards to add something like a pci-e slot, if they never intend the unit to have/hold any sort of pcie card! Every .01 counts! There may also be special brackets to hold cards in place or you do a "make it work with a dremel...." ;)

Finding the right unit again is the issue b/c many times, they only have a single port which is often broadcom-based and pfSense works and support is much better with Intel pNICS. My biggest hang up is understanding the setups enough to make sure I don't leave the doors wide open by mistake and invite a world of trouble.

Search for pfSense guides on minis there are several. Just a few I've hit over the years as I've looked at this option as the main front-door router.

1. https://www.servethehome.com/netgate-sg-2100-pfsense-router-and-firewall-review/
2. https://www.servethehome.com/guide-tinyminimicro-pfsense-firewall/
3. https://www.thegeekpub.com/14863/the-best-pfsense-box/
4. https://www.servethehome.com/lenovo-thinkcentre-m720q-tinyminimicro-feature/
5. Fake 4 port Intels -> https://forums.servethehome.com/index.php?threads/comparison-intel-i350-t4-genuine-vs-fake.6917/
6. Doing it with 1 port --> https://www.joe0.com/2019/11/16/con...irtual-lan-configuration-on-a-managed-switch/
7. HP example -> https://boratory.net/hp-t730-thin-client/
8. ...

Example PITA of finding the right model and then adding the right parts -> https://forums.lenovo.com/t5/ThinkC...0-720-910-920q-TINY-series/m-p/4612559?page=1

BTW, me and a buddy have toyed with doing this for about 18 months now and so far, we've decided for now to remain with our tried, true and trusty Asus AC86U units + Merlin + AMTM +.... . For me, I just do not have the cycles to take on another project or have the family screaming about the internet being weird or down. Good luck!

Thanks, lots to bookmark there I appreciate that.

You summarised the situation well for me in your last paragraph. Around the end of 2017 my friend went over to build a pfsense box and ended up with that along with TP-Link's solution for WiFi. I ended up buying a 86U.
Whilst I can appreciate that a pfsense box should be able to accommodate much more than what I could achieve with the 86U, and perhaps offer more for the future based on one box, for me the 86U has met our needs without taking on another project that I don't feel the sense of urgency in actually needing.

My 86U (almost 3 years old) router has been refunded and I bought.......another 86U, arrived a couple of days ago from a different retailer. The AX range is simply "too new" and 6E will not be too far away, plus the cost isn't great. Also I had to think about Ron's support with Merlin and the AX86U doesn't have that. So the 86U is a familiar friend and to be frank it does meet our needs. It would be better, for me, if the std firmware had policy based routing as I am a little wary of jumping over to the latest Merlin. Probably coincidence but my last attempts didn't go too well and I feel the pain from our family when we lose stability of our connection for too long.
I don't know if it is the same as PBR but Asus has got "VPN Fusion" included with their ROG routers.

One day I might try out a pfsense box build, difficult for me to consider that too seriously with a 86U.
 

Vimes

Regular Contributor
Yeah, I had an old laptop and thought about doing Pfsense or Ipfire on it, getting a usb to ethernet dongle, but I couldn't resist. If I really want to tinker in the future I could just install Linux (Like Alpine, Ubuntu or Arch) on it and use kernel routing features, do all of it by hand, add services, I'm not quite ready for that, but there are some interesting guides out there for that.

For me it was more about testing out the whole experience of using pfsense over that of what I have already. Not so much about saving money on buying a small box solution, that would happen, but little point in investing in that if I simply did not like to use the pfsense / opnsense ui etc. My friend, when I mentioned opnsense, did suggest to ensure that I looked for the equivalent package for it of pfBlockerNG that he uses.
Still that is for a future project and a VM to try that out.
 

thecheapseats

Regular Contributor
@gattaca - and anyone else reading/considering pfsense...

Hardware compatibility issues for running pfsense on any device has ALWAYS been about compatibility with the underlying operating system - freebsd... and freebsd is notoriously picky about nics, drivers and in rare cases, the bios config...

Throwing pfsense on an old desktop of unqualified origin almost NEVER works (as some here have found out) and inevitably leads to frustration... the real costs are not the hardware, but the invested time to config plus the add-on subscriptions to trick packages like snort...
 

Markster

Senior Member
Thanks for that, also great that you posted about Qotom as it gives me another brand to consider. Point taken about support, but they do seem to be affordable when compared to Protectli in the UK. I know of one person who has built themselves a pfsense box and also looked not to ubiquiti but to TP-Link's EAP245 system for his WiFi needs.
Perhaps, one day, I'll buy myself such a box and consider trying out pfsense, then again I could just do that in a VM for no cost at all.
Don't forget the very popular PC Engines ALIX systems. https://www.pcengines.ch/alix.htm
 

Centrifuge

Regular Contributor
Xen server
Would it work well as a router appliance to say install a hypervisor like Proxmox or XCP-NG, and have different setups installed and switch back and forth for testing, say like Pfsense, Openwrt, Ipfire, Opnsense etc.?
 

RMerlin

Asuswrt-Merlin dev
Would it work well as a router appliance to say install a hypervisor like Proxmox or XCP-NG, and have different setups installed and switch back and forth for testing, say like Pfsense, Openwrt, Ipfire, Opnsense etc.?
It works with XCP-NG, but with some limitations. For instance, pfsense's QoS won't work properly, and it requires some NIC tweaks if I recall to work properly with a virtualized interface (unless that has changed since last time I experimented with that). But yes, running a VM to test various firewall distros would work fine, I tried a few myself that way.
 
