RB5009 IPSec Performance

Yesterday I received my RB5009UG+S+IN.
There’s nothing mentioned about the ipsec performance on the product page, so I ran some tests to see how it performs as a Home Router with an IPSec Connection to my Workplace.
I bought the RB5009 as a replacement for my CCR1009, which did a great job for the last 4+ years.
Although the CPU of the CCR1009 does offer hw acceleration, I wasn’t too happy with the results.
I only did single-tunnel tests, as this is what’s important to me, when single big files are transferred over ipsec.

I removed the default configuration, only set up ipsec and connected it to the fiber modem. No firewall rules installed.

PC === RB5009UG+S+IN == 500M/100M Fiber == Internet == 1G/1G Fiber == CCR2004-1G-12S+2XS === PC

Results (ROS v7.1rc1; iperf3, 8 parallel threads):
(/ip ipsec proposal: auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1d pfs-group=none) = ~160 Mbit/s
(/ip ipsec proposal: auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=1d pfs-group=none) = ~256 Mbit/s

TBH I’m not impressed with these results. When the router is fully configured (Firewall Filter, Policy Routing, Multicast Routing, OSPF, QoS, CapsMan), the results will be even worse.
In the long run, I’ll move to wireguard. In further tests I could fully utilize my 500Mbit/s connection using wireguard (CPU <50%), which is the only reason I won’t return the RB5009.
The CPU does have “Cryptography and CRC extensions”, so I hope they will be used in later releases of ROSv7. For now, I think the new CCR2004 is a way better choice, if ipsec performance is important.

~256 Mbit/s

Wimpy!

There is no hw ipsec on the 5009. But I see now that you already know that.

http://forum.mikrotik.com/t/radius-not-responding/3561/1

Yes, we know; however, Mikrotik did not want to officially put the numbers up because there is only software IPSEC. Then we have to do it ourselves.

Also not impressed and the 4011 is running circles around the 5009 when using IPSEC.

Why can’t the Big Mik take advantage of the “added cryptography and CRC extensions” in the CPU?

As already mentioned in another post by MT staffer: RB5009 does not have IPsec acceleration for now.

We know! It’s just an informative post for people to give an indication what can be expected from this model in terms of ipsec (software) performance.
It’s not a rant against Mikrotik or the product itself. I still think it’s a good choice for a Homelab Router.

My post was a direct reaction to the preceding post by @Cablenut9 … and I somehow highlighted the most important part of my post.

That is a lot of repeats in the first part of a thread. That all without hardware support from Mikrotik. :wink:

Yep, the 5009 looks like a killing device for many tasks; however, the lack of HW support for ipsec is frustrating ..
So again, Mikrotik folks .. can you please end the drama and just confirm / deny 5009 ipsec hw support.. should we expect hw support for ipsec with a future ros7 release or not?

i think you are going very aggressive in this topic

always in the history of MikroTik hw-accelerated ipsec was delivered several months after a device is released so we must be patient

this kind of feature (hw-accelerated ipsec) is not a top priority when a new product is released, i think because of that the feature is not offered, to avoid this kind of misunderstanding

you bought this device knowing these facts, so assume your blame, instead of blowing a scandal to pressure manufacturer to follow your individual needs

if you are responsible for a network you only make responsible moves and decisions
also
keep in mind this is a routerOS 7 only board and this version of software is new so expect some issues and a refining process which takes time

all the other facts you have mentioned are your personal assumptions

Very reasoned post Chechito, much thanks! (or muchas grassy ass as I would say to my mother and then she would scold me and I would reply hoder (how dare) you speak to me like that)!

Jajajajaja

In 2021 I will not say ipsec hardware support is a personal use case; pick any reason and you will get the answer by yourself. The same applies to the question of why it is important.
So I don’t see anything wrong with people asking.

note: https://youtu.be/ibRUPoVxldc?t=94 my Russian is rusty but I think this answers the question for ipsec and 5009

http://forum.mikrotik.com/t/v7-1rc3-development-is-released/151711/1 Will be another weekend home lab task !

What’s new in 7.1rc3 (2021-Sep-08 13:29):
*) added IPSec hardware acceleration support for RB5009;

Thanks @msatter

End of speculation.

My speculative guess ;-P, is that the ipsec will not be significantly faster than the RB4011, in other words, Cat5/6 ethernet 1G will suffice.

Yep, but the 5009 has a usb port :grinning_face:

And since it’s USB 3.0, you can connect a 2.5 or 5 gigabit ethernet adapter and get a bonus port.