Which RouterBoard for multiple site VPN?

kintho · May 20, 2015, 8:50pm

Hello all,
I’ve decided to implement MikroTik RouterBoards to manage VPN link between three sites (headquarter and branch offices).
I need also the possibility to have roadwarriors with the possibility to connect via VPN to the headquarter.

Here the actual situtation:

Headquarter
SHDSL 8Mbit
ADSL 7Mbit
30 workstation/servers

Branch Offie #1
SHDSL 8Mbit
Fibre Optical 100Mbit
20 workstation/servers

Branch Offie #2
SHDSL 8Mbit
ADSL 7Mbit
15 workstation/servers

I want the future possibility to have HA on all this sites.

What are the suggested routerboards for this scenario?

Thank you.

chechito · May 20, 2015, 11:36pm

i think only you know the budget avaliable

if budget are limited RB2011UiAS-RM 120 US
http://routerboard.com/RB2011UiAS-RM

60 kpps with packet size of 64 bytes with 25 ip filter rules in routing mode

the next step in performance if budget allows it is RB1100AHx2 350 US
http://routerboard.com/RB1100AHx2

278 kpps with packet size of 64 bytes with 25 ip filter rules in routing mode

is good to consider a little upgrade in money but big in performance the CCR1009-8G-1S 425 US
http://routerboard.com/CCR1009-8G-1S

907 kpps with packet size of 64 bytes with 25 ip filter rules in routing mode

comaprison2.jpg

kintho · May 21, 2015, 7:13am

Thank you checito for the reply.

I can dedicate for a single routerboards a budet of 350/400 €.

If the CCR1009-8G-1S has a maximum kpps of 907 and considering the SHDSL and Fibre Optic in the B.O. #1 maybe I need something more powerfull?

And why the maximum kpps is misured on a such low number of filter rules?
I think that if I install a CCR1009-8G-1S for sue I will configure more than 25 firewal rules.

Am I missing something?

chechito · May 21, 2015, 11:15am

that number of 25 rules its only a point of comparison, ccr1009 will be enough surely for fiber even at gigabit speed, ccr1009 has the power to run a medium size ISP

kintho · May 21, 2015, 3:12pm

Thank you.

For the idea to implement the HA on each site I was thinking to use two CCR1009-8G-1S or also two CCR1009-8G-1S-1S+.

Some suggestions?
Two CCR1009-8G-1S-1S+ are too oversized?
The final HA configuration wil be in master/backup or with both router active using some load balancing?

kintho · May 21, 2015, 8:47pm

I have also another question: can I use the Routerboard also as a Firewall or I need to implement a separate hardware for the security?

djdrastic · May 22, 2015, 5:36am

For IPSec VPN I would always go for a 1100AHx2 . CCRs choke at around 50-80 mbits range on IPSec whilst a AHx2 will give you at least 400 mbits or so minimum.

djdrastic · May 22, 2015, 5:45am

I’m not too keen on the mikrotiks for road warriors but you can make them work with some massaging. Keep aware of the gotchas on the mtk front like the Mikrotik requiring to be public facing as the Nat-t doesn’t seem to work on the server side.

kintho · May 22, 2015, 7:50am

This throughput problem with VPN is a big concern for me.

A quick serach in the forum (http://forum.mikrotik.com/t/rb1100ahx2-or-ccr1009-8g-1s-1s/77054/1 and http://forum.mikrotik.com/t/rb1100ahx2-or-ccr1009-8g-1s-1s/77054/1) made me realize that (at least until the 1016 model) routerboards are not very great with multiple VPN servers and complex configurations (espcially with higher encryption).

Is that corerct?

What do I need to buy If I don not want to worry about to run more than one VPN server on a routerboard with EoIP and a good encryption plus NAT and rule filters with the configuratione of sites I worte in the first post?

kintho · May 25, 2015, 8:27am

No suggestions?

chechito · May 25, 2015, 8:33am

in paper specs the hardware encryption acceleration of CCR series its superior than rb1100ahx2 but rOS actually do not take advantage of it

i expect in the future this can change