Hello all,
I've decided to implement MikroTik RouterBoards to manage VPN link between three sites (headquarter and branch offices).
I need also the possibility to have roadwarriors with the possibility to connect via VPN to the headquarter.

Here the actual situtation:

Headquarter
SHDSL 8Mbit
ADSL 7Mbit
30 workstation/servers

Branch Offie #1
SHDSL 8Mbit
Fibre Optical 100Mbit
20 workstation/servers

Branch Offie #2
SHDSL 8Mbit
ADSL 7Mbit
15 workstation/servers

I want the future possibility to have HA on all this sites.

What are the suggested routerboards for this scenario?

Thank you.

i think only you know the budget avaliable

if budget are limited RB2011UiAS-RM 120 US
http://routerboard.com/RB2011UiAS-RM

60 kpps with packet size of 64 bytes with 25 ip filter rules in routing mode

the next step in performance if budget allows it is RB1100AHx2 350 US
http://routerboard.com/RB1100AHx2

278 kpps with packet size of 64 bytes with 25 ip filter rules in routing mode

is good to consider a little upgrade in money but big in performance the CCR1009-8G-1S 425 US
http://routerboard.com/CCR1009-8G-1S

907 kpps with packet size of 64 bytes with 25 ip filter rules in routing mode

Thank you checito for the reply.

i think only you know the budget avaliable

I can dedicate for a single routerboards a budet of 350/400 €.

If the CCR1009-8G-1S has a maximum kpps of 907 and considering the SHDSL and Fibre Optic in the B.O. #1 maybe I need something more powerfull?

And why the maximum kpps is misured on a such low number of filter rules?
I think that if I install a CCR1009-8G-1S for sue I will configure more than 25 firewal rules.

Am I missing something?

Thank you checito for the reply.

i think only you know the budget avaliable

I can dedicate for a single routerboards a budet of 350/400 €.

If the CCR1009-8G-1S has a maximum kpps of 907 and considering the SHDSL and Fibre Optic in the B.O. #1 maybe I need something more powerfull?

And why the maximum kpps is misured on a such low number of filter rules?
I think that if I install a CCR1009-8G-1S for sue I will configure more than 25 firewal rules.

Am I missing something?

that number of 25 rules its only a point of comparison, ccr1009 will be enough surely for fiber even at gigabit speed, ccr1009 has the power to run a medium size ISP

Thank you.

For the idea to implement the HA on each site I was thinking to use two CCR1009-8G-1S or also two CCR1009-8G-1S-1S+.

Some suggestions?
Two CCR1009-8G-1S-1S+ are too oversized?
The final HA configuration wil be in master/backup or with both router active using some load balancing?

I have also another question: can I use the Routerboard also as a Firewall or I need to implement a separate hardware for the security?

For IPSec VPN I would always go for a 1100AHx2 . CCRs choke at around 50-80 mbits range on IPSec whilst a AHx2 will give you at least 400 mbits or so minimum.

I'm not too keen on the mikrotiks for road warriors but you can make them work with some massaging. Keep aware of the gotchas on the mtk front like the Mikrotik requiring to be public facing as the Nat-t doesn't seem to work on the server side.

This throughput problem with VPN is a big concern for me.

A quick serach in the forum (http://forum.mikrotik.com/viewtopic.php?t=84918 and http://forum.mikrotik.com/viewtopic.php?t=84918) made me realize that (at least until the 1016 model) routerboards are not very great with multiple VPN servers and complex configurations (espcially with higher encryption).

Is that corerct?

What do I need to buy If I don not want to worry about to run more than one VPN server on a routerboard with EoIP and a good encryption plus NAT and rule filters with the configuratione of sites I worte in the first post?

No suggestions?

in paper specs the hardware encryption acceleration of CCR series its superior than rb1100ahx2 but rOS actually do not take advantage of it

i expect in the future this can change