What throughput, under which conditions, do you want to get? There is no direct successor to the 2011, so you need to make a step aside if you need a more powerful device.
I guess I was just asking about “faster” in general terms. We are dealing with 100 Mbps WAN connections regularly now. I have seen the charts on router board and get that, but I wonder how a few concurrent VPN connections running at the same time affect that performance?
One reason for my question is more … value based I guess. If moving from the RB2011 to the 850gx, for example, gets me a real world performance improvement, WAN to LAN, VPN, routing, etc… then for the ~$50 in cost I would just move to it and standardize on it. My customers would not know or care. If I move to the CCR1009 - it may be a tougher argument to make. That may be total overkill as well. The lineup seems to not be linear. Probably more accurate is that I don’t understand the use case these various models are aimed at because I really only do large residential and small commercial systems.
Not sure if that makes any more sense. Where is the sweet spot for hardware, not just for today but in the reasonable future? Where is the best bang for the $$$? I am asking something that is probably too general to answer.
It is really hard to say what the difference in performance of the 850gx2 is in comparison to the 2011 or to the 1100ahx2. Probably it is somewhere in between, but I have not seen any real performance testing, and the MikroTik people also look to be lazy with it, as they did not provide a test result table on the product page, even though they were asked by the community here on the forum. Maybe several times.
Actually it is not only CPU power that makes the usability of the router. The 2011 offers a very good radio and an additional switch, together with an SFP port and touchscreen in quite a nice and robust metal case; that is something you may miss if you would like to use the 850gx2 instead.
Having 100Mbit connectivity with no forecast to go over 250Mbit in the near future, I would not worry about the performance so much, because all contemporary MikroTik routers are able to NAT at this speed. The 2011 has limits in NAT performance somewhere around 250-300Mbits (depending on settings).
There are many ways to make “a VPN”; different tunnel types have different impacts on performance and have some advantages and disadvantages, so it is maybe impossible to honestly answer your question about it.
Maybe you can make your own test according to your needs and publish your findings here. If there is none that could help you at the moment, there are many readers wondering the same as you.
VPN performance has two components to it: the tunneling/encapsulation, and the encryption (if you use encryption). I suspect that the encryption part of the equation is vastly more CPU-intensive than the encapsulation part, and in that case, you should know that there have apparently been problems with CCR/Tile performance when it comes to this (search for roadracer96’s posts on the subject), although there is apparently a fix of sorts that was released with ROS 6.24 that might help (I have not read any reports either way, and I have not tested it…YMMV).
RB850Gx2 was originally advertised to contain an SoC part that implemented hardware-accelerated IPsec, but this SoC was swapped out at the last minute with a different Freescale SKU that does not contain the hardware encryption engine, and any references to it in the promotional and advertising materials for the 850Gx2 were later scrubbed out. Despite that, I am really liking the Gx2 so far.
The RB1100AHx2 is cheaper than the CCR1009, has the hardware-accelerated encryption engine, and the reports are that it actually works. So if you are interested in the most cost-effective box that will allow you to grow past the RB2011, the 1100AHx2 just might be it.
Thanks very much for the information from each of you. This helps me frame it up.
@Nathan, the 1100 looks like a definite step up, but the pricing delta puts it really close to the entry 1009. I have been watching the prices and sometimes they are within about $60, so the 1009 is not that much more at a selling price (depending on margin), so that would be the de facto choice IMHO. Thanks for your help!
Looks like there is still a possibility that 6.24 did not fix IPsec performance on CCR/Tile: see this post/thread. Personally, I’d go with the 1100 for now, and keep a CCR on the bench to continually test new releases with until you are satisfied with performance.
The CCR1009 is a nice router. We use one as a backup to our CCR1016 at work. It is a nice step up to a multicore processor and more RAM. It is what I will be replacing my home RB2011 with someday.
I am trying to boot a custom kernel on the RB850Gx2 so I can play with this in more detail as I also think the device has the potential to be superb. Sadly that’s failing at the moment, but I will persist (although my interest will shrink if there is no crypto!)
Quite sure. Search the forums. You’ll find this post from Normis, which you can read, as well as the posts that came after his in the same thread: Re: RB850Gx2 - Release date?. Supposedly they will be releasing an enhanced 850Gx2 with the encryption engine in the future (and presumably at a higher MSRP).
I imagine the way things went down is that they originally planned to use the CPU with the encryption engine, and had prototype boards with that CPU on them, but they originally planned on shipping the 850G with much less NAND flash capacity (128MB) than the 450G it is aiming to replace (512MB). Customers asked to have NAND capacity on the 850G matched to the 450G, so NAND was upgraded (which seemed to be more important to people in the market for this particular product), and I am guessing CPU was swapped to keep MSRP at the same number they had already published. This is just speculation, of course.
At $129 it runs circles around the $99 450G even without an encryption engine (which the 450G doesn’t have, either) and I think is an incredible value, so I have no problem with the call they made.
That appears to be a mistake. If you download the data sheet for the P1023, you will see that instead of “P1023xxNxxxx”, part numbers with the encryption engine included would take the form “P1023xxExxxx”.
I have managed to get a custom kernel to boot on it, but the main showstopper is that there don’t appear to be any open source drivers for the ethernet interfaces on this SoC. The binary kernel module/driver for the P1017/1023 ethernet that ships with RouterOS for this particular board is far and away the largest of all of them, weighing in at a whopping 1.5MB! Presumably the code for the thing is under NDA. (EDIT: I appear to be mistaken on this point. It looks like Freescale have submitted it to be merged in with the mainline kernel; good for them: dpaa_eth: Ethernet driver for Freescale QorIQ DPA Architecture)
The 1100AHx2 is cheaper than the new fanless CCR1009, so why is the AHx2 out of the question if you would readily buy the CCR if it weren’t for your doubts about its crypto performance? There should be little to no doubt about the AHx2’s crypto performance. Is it just because you are worried about the fan noise?
It is out of the question because it is a big rack unit and not fanless. It also does not seem like a good deal because its hardware is several years old now.
The actual board inside the rackmount aluminum enclosure is about as wide as the fanless CCR1009. You could probably put it in a custom enclosure that was smaller, if you were so inclined. And the fans on the AHx2 are nothing like the screamers that shipped with the original 1100 or the 1100AH mark 1…they are super-quiet and are actually variable-speed fans that ramp the RPM up and down based on CPU load (they will even shut off completely if things are running cool enough).
…and yet it runs circles around the CCR’s encryption performance, so what does that tell you? Maybe older tech has some of its own benefits, such as developmental maturity? Also, I have found the AHx2 listed for under $300 USD at different times…just keep your eyes peeled.
Seems strange that you would entertain a P1023-based option but the AHx2 is off the table because it is “older technology”, even though a P1023 is really just a cheaper and slower P2020. If something performs how you need it to perform, is being actively supported and sold, and is worth what you paid for it, why does the age of the technology matter?
This is for home use. A big unit or one with a fan is a no-no in my case.
That something is cheaper does not mean it is a good deal. The normal price/performance ratio of the CCR is much better; it is the current status of encryption on it that clouds the decision.
A P1023 would seem like a more reasonable expenditure for the current needs, however it is true that I have reservations about it being a sound choice given that there might be the possibility of DOCSIS 3.1 rollout by my ISP next year.
I have an RB1100AHx2 at home (albeit in a closet) which works excellently holding up multiple IPsec and L2TP roadwarrior configs. Was in the same boat as you (CCR vs 1100AHx2) but chose the proven technology. Haven’t looked back to be honest: absolutely rock-solid and fast.
Recently have deployed a couple of RB850Gx2’s at a 100/100 location. Haven’t done definitive performance testing BUT while sufficient, it is significantly less (as expected) than the RB1100AHx2. I don’t think that configured as an edgerouter you’ll max out your line over VPN @ 250MBit, especially at the higher encryption levels and multiple firewall rules so if that’s a requirement you’ll have to turn to RB1100AHx2 and above. For normal routing up to 500? Mbit and offer a fairly solid VPN up to 100? MBit my guess is that the RB850Gx2 should suffice.
Speaking of EdgeRouter, since you asked about it: one of the RB850x2’s I’ve deployed was replacing an ERL-lite which performance-wise was okay, but management-wise way way way behind Mikrotik. UI development is really lagging behind the core functionality here, so be prepared to basically revert to CLI for ANY VPN configuration that goes past standard IPsec and PPTP. Also, be prepared to do the occasional bugfixing yourself by hacking into source (as I did to have the CLI accept an otherwise valid OpenVPN config). Won’t go into details on this, but deploying a RouterOS based device takes me probably 1/4 of the time it takes me to do the same on an ERL, not taking into account troubleshooting after updates or any changes in the network. I’m not a fan, I’m sure you can tell by now.
For wifi I have RB912UAG-5HPnD + R11e-2HPnD (so 802.11n on 2.4 and 5GHz). Also splendid. Depending on your needs you could go down the RB911G-5HPacD route to build a standalone 802.11ac or perhaps use the RB922UAGS-HPacD along with the R11e-2HPnD to create a dual band one. One could argue interference-wise it’s best not to combine these things in close proximity; that said I haven’t done any A/B testing but it’s working fine here.
With regard to your comment on 10x GB ethernet: I’m very happy with a dedicated L2+ switch for that, but I’ve also used the RB1100AHx2 for this extensively. Be advised though that there are 2 switch groups of 5 10/100/1000BASE-T ports and that traffic BETWEEN those groups will take up CPU time. But if I were you, I’d buy the RB850Gx2, use funds I’d save for 802.11ac access points and switch and I think you’ll find you’ll have still some spare $$$. By the time you’ll run out of juice with the current RB850Gx2, who knows what models and prices we’re getting.