Router options to get full up/down bandwidth on Telus gigabit

[jimm_eh]

Hi all,

I'll be moving to Vancouver BC in about a month, and plan to get the full-gigabit Telus service at the new address.

I currently have AT&T gigabit in Los Angeles, but am mildly bottlenecked by my Edgerouter X, which only has 1gibabit total throughput - i.e. I can only get the full download speed if next to nothing is being uploaded at the same time. I work remote VFX, so I am looking at a router upgrade to ensure that I can saturate the WAN connection without knocking my GF's streaming video offline

 

I also anticipate the need for VPN's, and also plan to make use of VLAN to better segregate the network into 2 or 3 separate networks.

From what I've been reading so far, instead of stepping up to the Edgerouter 4 or similar, I might be better served by a pfSense box.  What minimum CPU specs should I look for in such a box?

[Falcon1986]

3 hours ago, jimm_eh said:

but am mildly bottlenecked by my Edgerouter

Really? Do you have hardware offloading and SQM enabled?

 

3 hours ago, jimm_eh said:

What minimum CPU specs should I look for in such a box?

Not much. If the Netgate SG-1100 can run pfSense and still handle a gigabit connection with VPN support, then you know.

[Alex Atkin UK]

7 hours ago, Falcon1986 said:

Really? Do you have hardware offloading and SQM enabled?

 

Not much. If the Netgate SG-1100 can run pfSense and still handle a gigabit connection with VPN support, then you know.

Actually if you read that page, it can't handle Gigabit under normal usage.  It can route Gigabit with no extra features enabled but it can only handle 656Mbit as a firewall, which I assume means NAT.  It then says 74Mbit over IPsec which is REALLY low considering it needs less resources than OpenVPN.

 

If you're looking for a low-power appliance then something around an Intel 7th Gen Core i5-7200U seems to be the best bet as it should handle even OpenVPN at Gigabit if you need it to.  Mine is the Kettop Mi7200L6 although I don't have Gigabit yet to give it a full test.

[Falcon1986]

2 hours ago, Alex Atkin UK said:

Actually if you read that page, it can't handle Gigabit under normal usage.  It can route Gigabit with no extra features enabled but it can only handle 656Mbit as a firewall, which I assume means NAT.  It then says 74Mbit over IPsec which is REALLY low considering it needs less resources than OpenVPN.

Sorry, for some reason I was thinking about the SG-5100 and wrote about the SG-1100. I guess the SG-1100 has been on my mind a lot lately since I’ve been wanting to experiment with it.

 

Do people still use IPSec these days? We should really be moving towards WireGuard. Even the popular VPN providers are starting to support it.

[Alex Atkin UK]

7 minutes ago, Falcon1986 said:

Sorry, for some reason I was thinking about the SG-5100 and wrote about the SG-1100. I guess the SG-1100 has been on my mind a lot lately since I’ve been wanting to experiment with it.

 

Do people still use IPSec these days? We should really be moving towards WireGuard. Even the popular VPN providers are starting to support it.

As I understand it there was some ego contest between Netgate devs and the person who was porting Wireguard, so its still OpenVPN for now.

Seems disingenuous for them to quote IPsec performance though seeing as its the least CPU intensive VPN AFAIK.  I guess its still heavily used in enterprise environments?

[Falcon1986]

9 minutes ago, Alex Atkin UK said:

As I understand it there was some ego contest between Netgate devs and the person who was porting Wireguard, so its still OpenVPN for now.

Well, it seems like WireGuard can be used now. Looks very promising.

[jimm_eh]

17 hours ago, Falcon1986 said:

Really? Do you have hardware offloading and SQM enabled?

 

Not much. If the Netgate SG-1100 can run pfSense and still handle a gigabit connection with VPN support, then you know.

I'm running it with no QoS and all hardware offloading (hwnat) on.  So currently there's no real bottleneck 99.9% of the time, unless I do the aforementioned simultaneous upload/download from sites with big pipes.  But once I want to use QoS or certain other features beyond my current bare-metal setup (two subnets, no VLANs) it will become an issue. 

https://community.ui.com/questions/EdgeRouter-X-Poor-WAN-Throughput/ecab9a79-88ac-474f-ba29-a75f0eef93a2

See also orby's comment on this reddit thread:
 

So I'm looking to beef up enough to get the most out of the pipe, including for VPN's.  My anticipated use case, in addition to a better segmented network using VLANs, will also likely include VPN connections to secure client sites, where I'll potentially be sending up to hundreds of GB of data. 

[jimm_eh]

8 hours ago, Alex Atkin UK said:

As I understand it there was some ego contest between Netgate devs and the person who was porting Wireguard, so its still OpenVPN for now.
 

Yup.  This had me a bit hesitant to use pfSense, but I'm hoping this story shook things up some.

https://arstechnica.com/gadgets/2021/03/buffer-overruns-license-violations-and-bad-code-freebsd-13s-close-call/

[Alex Atkin UK]

10 hours ago, jimm_eh said:

Yup.  This had me a bit hesitant to use pfSense, but I'm hoping this story shook things up some.

https://arstechnica.com/gadgets/2021/03/buffer-overruns-license-violations-and-bad-code-freebsd-13s-close-call/

I was considering OPNsense but it would be hard to give up the false sense of security I get from pfBlockerNG blocking connections from bad actors.  I do not use adblocking though as I find it breaks too much.

Not to mention I just wasn't in the mood for replicating my configuration.

[jimm_eh]

Hi all,

I've discovered that Novus 2.5 gigabit internet is available in my building, and after a day or two of reading, that changes quite a lot.  I'm going to start a new topic on that.