Question Help with Network setup

KillerBob

Member
May 3, 2003
145
0
76
So, I am looking for advice on a new network setup I am contemplating:

I have relatively fast internet (1000/100) and I right now use my ISP Modem as router. I have connected a LinkSys Velop WiFi Mesh system to it (in Bridge), as well as a few LAN switches, to connect my QNAP NAS, my ReadyNAS, two Mac Pros, printers, two Time Capsules, a HUE Bridge, and the Home Security system. It's a very flat network, all is part of the same subnet.

For security I am using the built-in firewall in the ISP modem, and I have it locked down, with no WAN-to-LAN, and only a few LAN-to-WAN openings.

I would like to clean this up; put the ISP Modem into Bridge, get a Router with built-in VPN and Firewall, perhaps eliminating a switch in my current setup. The biggest reason is that I would like to VPN into my NAS, as well as have some more control over the DHCP settings (my ISP is Shaw and the Blue Curve is pretty restrictive).

The options I am looking at are;
  • MikroTik RB3011UIAS-RM
  • Ubiquiti ER-6P EdgeRouter 6P
But I am very open to suggestions... My requirements are;
  • 6+ GigaBit ports
  • Built-in VPN (for accessing my NAS from outside - I do not want to run the crap QVPN service on my NAS)
  • High VPN throughput
  • High Firewall throughput
Can someone give me some suggestions on how to achieve this, and perhaps suggest a router or two I could use?

Thanks!
 

Tech Junky

Senior member
Jan 27, 2022
781
246
76
  • 6+ GigaBit ports
  • Built-in VPN (for accessing my NAS from outside - I do not want to run the crap QVPN service on my NAS)
  • High VPN throughput
  • High Firewall throughput
Build your own out of a PC + NIC's if you're looking for performance.

2 x 4 port NIC's = $100
SFF PC = $150

Linux - $0 including FW / NAT / VPN / etc.

Wireguard is your friend when it comes to VPN speed. I can get full line speed using this setup on a 1gbps plan and also by bundling the ports with the CM can snag the over provisioned BW as well hitting 1.2-1.5gbps w/o VPN and about 1.2gbps with VPN enabled.

For the CM you have some options but, I use a MB8600 which has 4 gig ports that can be bundled together into LACP bundle to get past the 1gbps barrier. If my provider went with plans up to 4gbps I could get there by using all 4 ports in a bundle.
 

KillerBob

Member
May 3, 2003
145
0
76
Build your own out of a PC + NIC's if you're looking for performance.
I hear what you are saying, and 15 years ago I probably would have been half-way through that project already. However, it's been a long time since I fancied myself capable of building it all out myself, and these days I am just looking for a capable out-of-box experience. I would even go with a LinkSys WST router if it wasn't because they are notoriously slow with their VPN throughput, and only have 4 ports.
 

Tech Junky

Senior member
Jan 27, 2022
781
246
76
Well, port density is easy to take care of with a switch.

dumb switches with 8-10 ports are pennies but, if you want to aggregate things and have a 10GE uplink it's going to be a bit pricier but, better performance / management.

VPN though is going to be a PITA running off a 'router" you get off the shelf. You could go a bit hybrid with a PI and put the VPN on there and use that as your client gateway that then shoots out the router interface. You can also put the pihole on there as well w/o much impact to speeds. Firewall using iptables would work as well from there.

There's more to it though than we're discussing so far. Budget for most people comes into play more so than the performance these days. Anything can be accomplished with the right amount of money / planning.
 

mxnerd

Diamond Member
Jul 6, 2007
6,411
983
126
RB5009UG uses Marvell 1.4G 88F7040 CPU
It says it has Cryptography and CRC extensions

RB5009UG+S+IN IPSec performance
Yet tech support from MikroTik said RB5009UG does not have IPSec hardware acceleration (post#232)
seems conflict with info from NIST page.

It does support Wireguard but I suspect it has similar performance as IPSec

OpenVPN performance can only be worse. ZeroTier is a little better than OpenVPN.

Any VPN solution using OpenVPN is slow (running in user space). Only Wireguard / IPSEC (running in kernel space) can achieve near line speed, but you need a powerful CPU, and that usually requires a powerful x86/ARM chips with AES/crypto support.



Only a few prebuild router comes with Wireguard support, however.

pfsense Wireguard

Wireguard on supported consumer ARM routers.
Don't think consumer router has powerful ARM chips though.

Prebuild mini PC that can run pfSense

or buy used mini PC as @Tech Junky suggested (ex: Dell Optiplex SFF PC) + 2 quad port NICs, likely a cheaper and better solution.
 
Last edited:

ASK THE COMMUNITY