RB953GS-5HnT
http://routerboard.com/RB953GS-5HnT

This processor is 720 MHz, cpu is QCA9558-AT4A-R.
this cpu is faster or on par with ppc or it's slow than it ???

Any tests or indication of what the IPSEC AES-128 througput will be on this unit?

Using 433AH today, and we get roughtly around 20-25Mbits throug ipsec. But the last cuple of months we have upgraded our sites, and I am now looking to get higher speeds(40-75Mbit) over IPSEC. Considering to use RB953GS-5HnT on all my remote sites, to peer up with my HQ CCR's over VPN.

Best Regards

IPSEC performance info would be very nice to know.
3DES-MD5, AES-128-MD5 and SHA1

older (and current on MIPS) models are struggling with SHA1...and IPSEC overall ..

IPSEC performance info would be very nice to know.
3DES-MD5, AES-128-MD5 and SHA1

older (and current on MIPS) models are struggling with SHA1...and IPSEC overall ..

for that, we would first have to test the existing models, so that one can compare. We currently only have IPsec tests for CCR

Normis,

please test them all because it is a vital feature for some of us.
It is good to know what speeds can be achieved with different hardware

I would love to see the speeds as well for IPSEC.

Have some here, which test would you like to know? Have a couple 953's, and CCR1009-8G-1S, CCR1016-12G not in production yet (will go soon) so I don't mind carrying out some tests.

Have some here, which test would you like to know? Have a couple 953's, and CCR1009-8G-1S, CCR1016-12G not in production yet (will go soon) so I don't mind carrying out some tests.

Would appreciate if you can do a WAN-to-LAN NAT throughput test (with regular stateful firewall rules) on the RB953GS

Which kind of rules? feel free to post in export format the fw rules.

Also, you mean the typical NAT scenario (natting a class C or whatever to one external IP??)

Which kind of rules? feel free to post in export format the fw rules.

Also, you mean the typical NAT scenario (natting a class C or whatever to one external IP??)

The standard Stateful Firewall ... i.e. allow Established & Related and drop Invalid

Yes, regular NAT throughput (Class C to 1 external public IP).

I believe this is the standard Firewall & NAT configuration for most home/SME routers.

Thank you in advance

Well, I'm struggling to make traffic generator work, more on that later.

So far was able to test using mikrotik bandwidth test in the meantime.

Setup rig (all have ROS 6.17, routerboard firmware upgraded to the latest):

[CCR1016] eth2 -> 192.168.100.2 <-> 192.168.100.1 eth2  - [RB953] - eth1 172.26.0.2 <-> 172.26.0.1 eth1 [CCR1009]

Did a system reset with no defaults on three systems.

RB953 has only one switch chip for the three gigabit ports, so although I wired and setup both ether2 and ether3 as LANs test was done using only one.

Firewall setup:

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 to-addresses=0.0.0.0

/ip firewall connection tracking set enabled=yes

/ip firewall filter
add chain=forward protocol=tcp connection-state=invalid \
action=drop comment="drop invalid connections"
add chain=forward connection-state=established action=accept \
comment="allow already established connections"
add chain=forward connection-state=related action=accept \
comment="allow related connections"

Tests results (bw client CCR1016, connecting to BW server 172.26.0.1 on CCR1009):

Packet size TX RX Protocol Direction
1500 600Mbps 0 UDP send
1500 ------- UDP receive -> doesnt work

1500 280Mbps 260Mbps TCP both
1500 420Mbps 0 TCP receive
1500 - not reliable- TCP send

So far using bw test doesn't look very scientifical so take these tests with a grain of salt; sometimes on some runs traffic will decrease slowly
to an end...

Regarding the traffic generator, all traffic seems to be rejected by the RB953, whereas ping and connections from CCR1016 to CCR1009 (via telnet etc) work fine.

Setup like IPSec testing example on wiki page on Traffic Generator



Router1: RB953
Router2: CCR1009
Traffic Generator: CCR1016

aes-128-cbc/SHA1 : 46.3Mbps (23Mbps each stream or Full Duplex)
3des/MD5: 14.9Mbps (7.7/7.2Mbps)
3des/SHA1: Same as previous

ATG it looks RB953 can be a choice...

will do the rest of encryptions soon, also test other devices (951G, 2011 UiAS).