Community discussions

MikroTik App
 
User avatar
osc86
Member Candidate
Member Candidate
Topic Author
Posts: 197
Joined: Wed Aug 09, 2017 1:15 pm

RB5009 IPSec Performance

Sat Aug 28, 2021 9:23 pm

Yesterday I received my RB5009UG+S+IN.
There's nothing mentioned about the ipsec performance on the product page, so I did some tests how it performs as a Home Router with an IPSec Connection to my Workplace.
I bought the RB5009 as a replacement for my CCR1009, which did a great job for the last 4+ years.
Although the CPU of the CCR1009 does offer hw acceleration, I wasn't too happy with the results.
I only did single-tunnel tests, as this is what's important to me, when single big files are transferred over ipsec.

I removed the default configuration, only set up ipsec and connected it to the fiber modem. No firewall rules installed.

PC === RB5009UG+S+IN == 500M/100M FIber == Internet == 1G/1G Fiber == CCR2004-1G-12S+2XS === PC

Results (ROS v7.1rc1; iperf3, 8 parallel threads):
(/ip ipsec proposal: auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1d pfs-group=none) = ~160 Mbit/s 1 2
(/ip ipsec proposal: auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=1d pfs-group=none) = ~256 Mbit/s 3 4

TBO I'm not impressed with these results. When the router is fully configured, Firewall Filter, Policy Routing, Multicast Routing, OSPF, QoS, CapsMan the results will be even worse.
In the long run, I'll move to wireguard. In further tests I could fully utilize my 500Mbit/s connection using wireguard (CPU <50%), which is the only reason I won't return the RB5009.
The CPU does have "Cryptography and CRC extensions", so I hope they will be used in later releases of ROSv7. For now, I think the new CCR2004 is a way better choice, if ipsec performance is important.
 
Cablenut9
Long time Member
Long time Member
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: RB5009 IPSec Performance

Sat Aug 28, 2021 9:43 pm

~256 Mbit/s
Wimpy!
 
Dude2048
Member Candidate
Member Candidate
Posts: 212
Joined: Thu Sep 01, 2016 4:04 pm

Re: RB5009 IPSec Performance

Sat Aug 28, 2021 10:57 pm

There is no hw ipsec on the 5009. But I see now that you already know that.

https://forum.mikrotik.com/viewtopic.p ... ec#p875278
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: RB5009 IPSec Performance

Sun Aug 29, 2021 12:39 am

Yes we know, however Mikrotik did not want officially put the numbers up because there is only software IPSEC. Then we have it do it ourselves.

Also not impressed and the 4011 is running circles around the 5009 when using IPSEC.
 
Cablenut9
Long time Member
Long time Member
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: RB5009 IPSec Performance

Sun Aug 29, 2021 6:55 am

Why can't the Big Mik take advantage of the "added cryptography and CRC extensions" in the CPU?
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: RB5009 IPSec Performance

Sun Aug 29, 2021 12:21 pm

As already mentioned in another post by MT staffer: RB5009 does not have IPsec acceleration for now.
 
User avatar
osc86
Member Candidate
Member Candidate
Topic Author
Posts: 197
Joined: Wed Aug 09, 2017 1:15 pm

Re: RB5009 IPSec Performance

Sun Aug 29, 2021 2:02 pm

We know! It's just an informative post for people to give an indication what can be expected from this model in terms of ipsec (software) performance.
It's not a rant against Mikrotik or the product itself. I still think it's a good choice for a Homelab Router.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: RB5009 IPSec Performance

Sun Aug 29, 2021 3:33 pm

My post was direct reaction to preceeding post by @Cablenut9 ... and I somehow highlited the most important part of my post.
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: RB5009 IPSec Performance

Sun Aug 29, 2021 4:18 pm

That is a lot of repeats in the first part of a tread. That all without hardware support from Mikrotik. ;-)
 
dakobg
Member Candidate
Member Candidate
Posts: 120
Joined: Mon Nov 06, 2017 8:58 am

Re: RB5009 IPSec Performance

Mon Aug 30, 2021 5:55 pm

Yep 5009 look like a killing device for many task however lack of HW support for ipsec is frustrating ..
So again Mikrotik folks .. can you please end the drama and just confirm / deny about 5009 ipsec hw support.. should we expect hw support for ipsec with future ros7 release or not
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 2989
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: RB5009 IPSec Performance

Tue Aug 31, 2021 7:34 pm

i think you are going very aggressive in this topic

always in the history of MikroTik hw-acellerated ipsec was delivered several months after a device is released so we must be patient

this kind of feature (hw-accelerated ipsec) is not in the top priority when a new product is released, i think because of that the feature is not offered, to avoid this kind o misunderstanding

you bought this device knowing this facts, so assume your blame, instead of blowing a scandal to pressure manufacturer to follow your individual needs

if you are responsible for a network you only make responsible moves and decisions
also
keep in mind this is a routerOS 7 only board and this version of software is new so expect some issues and refining process who takes time

all the other facts you have mentioned are your personal assumptions
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: RB5009 IPSec Performance

Tue Aug 31, 2021 10:49 pm

Very reasoned post Chechito, much thanks! (or muchas grassy ass as I would say to my mother and then she would scold me and I would reply hoder (how dare) you speak to me like that)!
 
santyx32
Member Candidate
Member Candidate
Posts: 215
Joined: Fri Oct 25, 2019 2:17 am

Re: RB5009 IPSec Performance

Wed Sep 01, 2021 12:50 am

Very reasoned post Chechito, much thanks! (or muchas grassy ass as I would say to my mother and then she would scold me and I would reply hoder (how dare) you speak to me like that)!
Jajajajaja
 
dakobg
Member Candidate
Member Candidate
Posts: 120
Joined: Mon Nov 06, 2017 8:58 am

Re: RB5009 IPSec Performance

Mon Sep 06, 2021 11:13 pm

In 2021 I will not say ipsec hardware support is a personal use case, pick any reason and will get the answer by your self, also the same apply and for the the question why is important.
So I don't see nothing wrong for the people to ask.

note: https://youtu.be/ibRUPoVxldc?t=94 my Russian is rusty but I think this answer the question for ipsec and 5009
 
JohnL19
just joined
Posts: 1
Joined: Fri Oct 09, 2020 12:29 pm

Re: RB5009 IPSec Performance

Thu Sep 09, 2021 1:42 am

viewtopic.php?f=1&t=178341 Will be another weekend home lab task !
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: RB5009 IPSec Performance

Thu Sep 09, 2021 11:26 am

We know! It's just an informative post for people to give an indication what can be expected from this model in terms of ipsec (software) performance.
It's not a rant against Mikrotik or the product itself. I still think it's a good choice for a Homelab Router.
What's new in 7.1rc3 (2021-Sep-08 13:29):
*) added IPSec hardware acceleration support for RB5009;
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: RB5009 IPSec Performance

Thu Sep 09, 2021 12:26 pm

Thanks @msatter

End of speculation.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: RB5009 IPSec Performance

Thu Sep 09, 2021 3:58 pm

My speculative guess ;-P, is that the ipsec will not be significantly faster than the RB4011, in other words, Cat5/6 ethernet 1G will suffice.
 
dakobg
Member Candidate
Member Candidate
Posts: 120
Joined: Mon Nov 06, 2017 8:58 am

Re: RB5009 IPSec Performance

Fri Sep 10, 2021 7:17 pm

My speculative guess ;-P, is that the ipsec will not be significantly faster than the RB4011, in other words, Cat5/6 ethernet 1G will suffice.
Yep but 5009 have a usb port 😀
 
Cablenut9
Long time Member
Long time Member
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: RB5009 IPSec Performance

Fri Sep 10, 2021 7:30 pm

And since it's USB 3.0, you can connect a 2.5 or 5 gigabit ethernet adapter and get a bonus port.
 
prghix
just joined
Posts: 2
Joined: Sun Nov 29, 2020 7:03 pm

Re: RB5009 IPSec Performance

Sun Nov 21, 2021 3:35 pm

you bought this device knowing this facts, so assume your blame, instead of blowing a scandal to pressure manufacturer to follow your individual needs
the lack of HW ipsec was a deal-breaker for me until I found out this thread. Now knowing that HW support is present, only not sw-enabled by the time being, I've just ordered two 5009s.

Thanks everyone.
 
rb5009ipsec
just joined
Posts: 1
Joined: Wed Dec 01, 2021 4:13 pm

Re: RB5009 IPSec Performance

Wed Dec 01, 2021 4:20 pm

Hello!
Please share the results with HW-acceleration.
 
cmartin
Frequent Visitor
Frequent Visitor
Posts: 55
Joined: Wed Nov 07, 2007 7:04 pm
Location: Plzeň, Czech Republic

Re: RB5009 IPSec Performance

Fri Jan 07, 2022 11:47 am

Although IPsec hardware offloading on RB5009 is clearly work in progress, can MikroTik, please, update matrix on this page (https://help.mikrotik.com/docs/display/ROS/IPsec) in paragraph "Hardware acceleration"?

Information on which algos would have better throughput than others would be useful. Off-course any performance tuning done later will be welcome for sure.
 
marcin21
Member Candidate
Member Candidate
Posts: 214
Joined: Tue May 04, 2010 4:50 pm

Re: RB5009 IPSec Performance

Wed Feb 02, 2022 1:07 pm

Anyone could post IPsec results on rb5009 with newest routeros?
 
HomeUser
just joined
Posts: 3
Joined: Sat Feb 12, 2022 3:55 am

Re: RB5009 IPSec Performance

Mon Feb 21, 2022 4:41 am

I'm on 7.1.2 which is the latest stable and ran an IPSec performance test and my results were a little higher but I think still indicate that there is no hardware acceleration. I'm also in a more controlled setup with a client directly on the WAN port instead of going through the internet. With AES-128 I'm getting ~550 Mbps with ~50-60% CPU usage. Without VPN it's ~950 Mbps. This is maximum TCP segment size, smaller segment sizes are lower but I don't remember those exact results.

This is a little strange to me because 7.1rc3 release notes said that hardware IPSec acceleration was added but maybe it was pulled before the final 7.1 release (or is 7.1.2 before 7.1rc3?).
 
dakobg
Member Candidate
Member Candidate
Posts: 120
Joined: Mon Nov 06, 2017 8:58 am

Re: RB5009 IPSec Performance

Thu Mar 10, 2022 5:01 pm

I can see on all SAs "hw-aead" - 7.2rc4 ?!

Is hardware offload is working or not ?
Unfortunate with rb5009 I hit my IPS bw limitation (which is good :) ) with no issues but I cannot do full tests

Why still we don't see official performance tests on mikrotik.com ?

note: ~150Mbit around 15% cpu (mk bw test)
 
azzurro
Frequent Visitor
Frequent Visitor
Posts: 92
Joined: Mon Jan 17, 2022 2:55 am

Re: RB5009 IPSec Performance

Fri Apr 08, 2022 12:25 am

i did some tests with 7.1.1 and achieved more than 800 Mbit/s with pretty high encryption algorithms.
https://sleepytechbloke.wordpress.com/2 ... g-support/
 
gabacho4
Member
Member
Posts: 329
Joined: Mon Dec 28, 2020 12:30 pm
Location: Earth

Re: RB5009 IPSec Performance

Fri Apr 08, 2022 9:40 am

Perhaps it’s just an oversight but if you go to the MikroTik hardware listing and select the models that have IPSec hardware acceleration as a feature, the RB5009 doesn’t show up at all. The support was reportedly added in 7.1rc3 but your results do make a guy wonder as 800 mbps is a far cry from the performance of the 4011.
 
User avatar
Cha0s
Forum Guru
Forum Guru
Posts: 1135
Joined: Tue Oct 11, 2005 4:53 pm

Re: RB5009 IPSec Performance

Wed Mar 29, 2023 9:59 pm

So, has anyone managed to get the IPsec single tunnel number listed on the product page?
https://mikrotik.com/product/rb5009ug_s ... estresults

I can't get more than 750-800mbps no matter what I try on a completely blank router with nothing but the IPsec tunnel.

On RB4011 I get, at best, half the advertised single tunnel speeds.

How does MikroTik achieve those numbers? Does anyone have a working config?
Or is it just marketing BS and I should forget achieving a full Gbit over IPsec?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: RB5009 IPSec Performance

Thu Mar 30, 2023 12:56 am

Wow I would be happy with 500Mbps speeds based on their test results, you are doing better then they did.
(512 bytes are real world, ignore the other columns)
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: RB5009 IPSec Performance

Thu Mar 30, 2023 2:44 am

On RB4011 I get, at best, half the advertised single tunnel speeds.
They don't say the version specifically. I'd imagine for RB4011 that was done using V6. If you tried V7 on RB4011.. no route cache in V7 & your testing a single tunnel, dunno.
 
User avatar
Cha0s
Forum Guru
Forum Guru
Posts: 1135
Joined: Tue Oct 11, 2005 4:53 pm

Re: RB5009 IPSec Performance

Thu Mar 30, 2023 2:58 am

I am asking for RB5009.
RB4011 was mentioned for reference because I have never managed to get anywhere near close the IPsec results on all MikroTik products.

So it's not product or version specific. That's why I am asking, how exactly they achieve those speeds, even if it's a non "real world" test.
 
azzurro
Frequent Visitor
Frequent Visitor
Posts: 92
Joined: Mon Jan 17, 2022 2:55 am

Re: RB5009 IPSec Performance

Thu Mar 30, 2023 3:11 am

They're saying this in the footer:

- All tests are done with Xena Networks specialized test equipment (XenaBay),and done according to RFC2544 (Xena2544)
- Max throughput is determined with 30+ second attempts with 0,1% packet loss tolerance in 64, 512, 1400 byte packet sizes
- Test results show device maximum performance, and are reached using mentioned hardware and software configuration, different configurations most likely will result in lower results

Seems pretty transparent to me, although I have no idea what Xena Networks or XenaBay is, nor what RFC2544 says.
 
User avatar
Cha0s
Forum Guru
Forum Guru
Posts: 1135
Joined: Tue Oct 11, 2005 4:53 pm

Re: RB5009 IPSec Performance

Thu Mar 30, 2023 3:29 am

Yes I know all that.

Doesn't change the fact that no one seems to have ever managed to get anywhere near close the advertised IPsec results. Even in lab/testing environments. On any MikroTik device.
I know I haven't, and I've used pretty much all of MikroTik's lineup since 2005.

Who is online

Users browsing this forum: GoogleOther [Bot] and 62 guests