jasejames
Frequent Visitor
Topic Author
Posts: 63
Joined: Fri Jun 26, 2009 11:04 am

RouterBoard real world performance for IPSEC deployment

Fri Jun 26, 2009 11:17 am

Hi,

We're interested in this device/OS at work here, and we have a specific use for the box.

What we need is a box that can do the following:

1) Has an AP built-in, which can be used in conjunction with an existing RADIUS/WPA2/EAP-TLS installation for small branch sites.
2) Can connect to two ADSL modems and load-balance traffic between the two.
3) Has a full-featured firewall set that can be configured for two zones, one public and one staff, and separate traffic between them. So multiple VLANs/SVIs are essential.
4) VPN tunnels: potentially two of, both going to the same VPN concentrator (a Netscreen 5000) and data to be load-balanced between the two VPNs.

This leads to

5) Real-world IPSEC/3DES or AES tunnel performance of at least 16Mbps to cope with the maximum throughput of the two connections.
6) Inexpensive. Looking at the options available the RB493 or 450 would seem to be the ones we'd be after. We already have a $1000 solution (a Juniper SSG5 connected to two Netgear DG834s for dual-ADSL, which lacks wireless, or a Cisco 877 single ADSL which is obviously cheaper). I'd be interested in any small, easily deployable alternative (I've seen the PicoITX being mentioned a few times but I think the problem with that would be the lack of ethernet ports -- we're going to need at least four).

Does the above seem feasible? Looking at the specs it seems to be a bit of a borderline case, so I'd be interested to hear any comments.

Thanks!
 
RK
Long time Member
Posts: 565
Joined: Tue Nov 21, 2006 11:22 am
Location: Winnipeg, Canada and Central America

Re: RouterBoard real world performance for IPSEC deployment

Fri Jun 26, 2009 11:48 pm

2, 3 and 4 are no problem, especially if you use the RB450G.
If you need the wifi part, then go for an RB411AH and use a switch which supports VLAN to provide the extra ports.
 
jasejames
Frequent Visitor
Topic Author
Posts: 63
Joined: Fri Jun 26, 2009 11:04 am

Re: RouterBoard real world performance for IPSEC deployment

Sat Jun 27, 2009 3:28 pm

Thanks very much for the reply.

Unfortunately we have a code of connections which dictates that we cannot have public and corporate data traversing the same link on different VLANs -- due to a ten-year-old Cisco bug which leads to VLAN-hopping if improperly configured. Whilst I am sure we could secure the network properly the powers that be won't entertain it, so we need something with several ports. That's the reason I looked at the 493 rather than the 411.

From what I have read so far it would seem that the Routerboard may well be the ideal solution for what we need. We have some sites that require two ADSLs and some that don't, and some sites that need wireless and some that don't. It was for this reason that the modular structure of these devices really appealed.

From information elsewhere on this forum (and thanks to the person who released a PDF of his findings) it seems that these boxes manage about 9Mbps with ESP/3DES, and 23Mbps with AH. These figures should be OK for the majority of installs.

What I was thinking was that we could use the 450G (or perhaps the 411AH) for simpler sites that need no wireless/LB, going up to the 493AH for the larger sites. We already have a huge pile of Cisco 837s which are mostly up to the task, but they all need their IOS upgrading to the Plus feature set to switch on the 3DES accelerator which would cost as much as a 450 to buy in -- you have to question the logic if there is an alternative available ;)

I have to say as well that given the feature-set on these devices I can see a bunch of other uses for these. We often have a need for simple failover/load-balancing solutions and if we can achieve this for $50-100 (as opposed to at least $700 for many other solutions) I could see us buying in many of these devices.

In general what is the reliability like on these? Given the proven hardware and Linux architecture I don't see too much of a problem but I would appreciate any insight.
