RB1100AHx2 or CCR1009-8G-1S-1S+

I’m looking for a new router for my office. There will be two internet connections connected by Ethernet. Connection1 20/20mbit, connection2 200/20mbit. There will be an IPSec VPN to a datacenter over the second internet connection. The first connection is used for internet access on two different LANs and has a few NAT and firewall rules.

I can’t decide between the RB1100AHx2 and the CCR1009-8G-1S-1S+. The latter has a higher throughput, but the former has hardware encryption. Which one is the best for my scenario?

Both have hardware encryption and both are fast enough for your connections. If you think the redundant PSU is worth the extra money… go for the CCR, else the 1100AHx2 will be fine.

If you are using GRE or IPIP tunnels over IPSEC, don’t get the Tilera CPU. VERY broken. MT Support won’t even respond about it. Limited to about 25mbit full duplex. AHx2 pushes over 300mbit.

Just for information’s sake, the RB1100AHx2 essentially has dual power supplies by way of AC in the back, DC in the front (PoE injector), so you can essentially have redundant power on the 1100AHx2 as well.

Redundant PSU is a nice feature, but not necessary.

I believe the RB1100AHx2 is better for VPN but the CCR has better routing throughput? Difficult choice…

Not anymore. Since RouterOS v6.12, encrypted tunnel speed is much better than RB1100.

If the encrypted tunnel speed between the RB1100AHx2 and the CCR is almost the same, the CCR is a better choice I think because of the better throughput.

Maybe in the future I’ll get more tunnels, higher bandwidth or more LANs. The CCR has more capacity to expand.

Maybe IPSEC tunnel mode, but not a GRE or IPIP or L2TP tunnel over IPSEC in transport mode. RB1100 is many times faster.

This comes as a big surprise to me .. I considered CCR series as a possible upgrade for our VPN infrastructure (ipsec/l2tp and ipsec/gre). Can anyone from Mikrotik elaborate on this please? Is this a bug or design fail? Will it get fixed? When?

JF.

Exactly why I ordered up 2 CCRs to use for production to replace the RB1100AHx2 proof of concept devices. Unfortunately the 1100s performed better.

It seems as if it’s trying to do GRE, IPSEC, and all forwarding related to a particular connection on one core of the CPU at exactly the same time. That’d be my guess. Can’t back it up though. :smiley:

This comes as a big surprise to me ..

Same for me, but not in the expected way! :frowning:
And if you have a look at the white paper from Tilera about the TileGx platform, you will think it must be a dream what this hardware is able to do.
Tilera TileGx White Paper

Is this a bug or design fail? Will it get fixed? When?

Normally there should be nothing wrong with GRE, as I saw here in RFC 2784.

At first I thought I was the only one urgently needing many different VPN methods and abilities, so I set up a poll for that, and the response gave me the feedback that I am not alone with these wishes. VPN Poll

Sorry for bumping an old post, but I’m also looking at these 2 models.
So what’s the verdict?
With newer RouterOS versions, is the IPSEC problem solved? (GRE or IPIP or L2TP tunnel over IPSEC in transport mode)

If you don’t mind complicated configs you can go with the CCR, otherwise go with the RB1100AHx2. VPN on Mikrotik generally has poor performance (I am using RouterOS 6.21), so no matter which device you use the throughput will be low. However, it is possible to push loads of VPN throughput on the CCR if you are not using the CCR as a VPN server, because you can’t have multiple VPN of the same servers on Mikrotik. However, you can chain 2 different types of VPN together to get 300Mb/s of throughput, in which case the CCR’s more cores will help with that while having some extra cores for internet routing.

The PPC has an advantage over Tile per core, being a more complex CPU that perhaps has a better decoder and logic for complexity, but I would suggest the CCR if you are going to handle many things. Tile’s encryption throughput is lower if math is involved because Tile is better at logic and shifting than it is with math. I have read through the Tile’s assembly spec sheet and I have previously made a compiler for a custom soft CPU. This is evident if you compare simple L2/L3 CPU routing tests between them, encryption and virtual networking. However, Tile is still faster than MIPS per core except for some of the larger less power efficient ones.

Can anybody confirm that l2tp/ipsec VPN speed problems are solved for the CCR1009 Tile CPU with the latest firmware version 6.34.3?

Currently looking for hw encrypted solution + 8 ports minimum for small office.
Choosing between RB1100AH and CCR100.

Also need an update on ipsec+tunnels (EoIP, GRE, etc)

If this is still an issue, I’ll have to go with another vendor’s product.

Hi. I’m also interested in CCR encrypting performance.

I’m looking for hardware for an ipsec tunnel with bandwidth of about 500Mbit/s. I wonder if the CCR can handle this.

500Mbps of ipsec?

I suspect even the 1100AHx2 will handle that in its hardware if you set it up correctly as per http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Hardware_encryption. The CCR will do even better, and if you can afford it, better get the CCR. It is multicore, it boots much faster and I also suspect it’ll be supported for longer (1000/1100AHx2 are quite old series).

The 1100AHx2 is quite noisy because of its cooler. The CCR can be noisy too, but there are models to choose from (if that is a serious concern for you), and it also has a nice (but mostly useless) color display to show graphs (at CPU cost, by the way, but CCRs are too powerful to let you notice that). The CCR1009-8G-1S-1S+ is good for its second power supply: you have two PS instead of one (which is a shame for Mikrotik when it comes to putting a Mikrotik with a single power source into a server room and connecting it to different power lines).

CCRs are multi-core and as a result, performance is variable depending on how data flows. A single stream, i.e., one ipsec tunnel, isn’t going to be all that fast. I highly doubt any CCR will be anywhere close to 500Mbps ipsec on a single tunnel… if it’s many ipsec tunnels, then yeah, doable.

Someone from tik chime in here?