my first experience I’ve made with the CRS109-8G-1S-2HnD-IN. It was set up mainly as a hardware firewall and as VPN-Gateway for Site-to-Site (OVPN) and Client-to-Site (SSTP) Connections from some Roadwarriors. Well, as already known - the learning curve with Mikrotik especially with winbox was/is pretty steep. Nevertheless, I want to learn more and to get better and better.
The CRS did the job very well, but in the meanwhile it seems, that the bandwith becomes to small for all the VPN Connections (average: 2x S2S and about 4x C2S). The reason, why we took the CRS109 was an offer from an IT-Consultant (2015). Today I’m wondering why the CRS109 Spec Sheet doesn’t show anything about IPsec throughput rates. (https://mikrotik.com/product/CRS109-8G-1S-2HnD-IN#fndtn-testresults Maybe the CRS109 was not the best shot for these intended tasks?!
Now, I’m looking for a new Router or CRS for the same tasks, but with way better throughput rates for VPN connections. Maybe combined with a change of Protocoll to Wireguard.
Could you advise me, or give me some hints?
Depending on how much throughput your Internet link can handle, or how much encrypted throughput you actually need, the hEX S, hAP AC2 or hAP AC3 might be sufficient (150-400Mbps IPsec, 1Gbps unencrypted). Otherwise, I second the 4011 and 5009, which are rated for 400-1200Mbps IPsec, up to 5-6Gbps unencrypted.
Also, yes, Wireguard will be much easier on the CPU than IPsec, translating to better performance. Personally, I like that I can leave Wireguard enabled on my iPhone and be connected to the home/office network all the time. L2TP/IPSEC disconnects all the time.
Well yeah - I learned my stuff. In the past, it was not my decission to use this switch - nevermind. For me it was necessary for my confidence, that the decission to take the CRS109 was not the best of my earlier boss. I think I will go with the 5009 and look for some used switches.
Thanks a lot for the input.
