Technical Discussion
>> Home Networking, Internet Connection Sharing, etc.

Pages in this thread: 1 | 2 | 3 | (show all)

Print Thread

Ixel
(experienced) Tue 24-Aug-21 09:17:12

Future upgrade consideration advice wanted

[link to this post]

Hi,
Recently I purchased a Unifi Dream Machine Pro, sadly it was a disappointment though. Firmware is nowhere near finished imo, well, it's a somewhat shared opinion over at the Ubiquiti forum I can see. Some basics that I took for granted, like NAT settings, don't even exist. I've sent it back to the seller pending a refund and am now back on my EdgeRouter Pro 8 again (which I was going to sell).

Now, slight possible rant aside, I'm looking for some advice. I've been used to VyOS (or EdgeOS) for some time but if need be I will learn a new interface and operating system. I'm looking for a router with at least four RJ45 ports but has sufficient processing power to handle gigabit PPPoE and hopefully at least 500Mbit GRE throughput. The EdgeRouter Pro 8 can handle about 100Mbit GRE throughput at 50%~ CPU usage, so I've currently capped the tunnel to 100/100. Not shabby, but if it's possible to get a bit more out of it then I would like to.

I have considered running VyOS, or perhaps pfSense or opnSense on my Unraid system as a virtual machine, but sadly it only has two ethernet ports (both 10Gbit capable but running at 1Gbit at the moment). I thought about VLANs as my EdgeSwitch could handle that, perhaps isolating the PPPoE connection to its own VLAN or something? I've never played with VLANs though, a new area for me. Other option I suppose is purchasing a four port PCI-E card, still considerably cheaper than the cost of the UDM Pro.

Any advice please?

One other thing I'm considering is whether it's perhaps a good idea to buy a network/firewall appliance (also known as a mini PC with a few RJ45 ports on). I could install VyOS on that, for example. I just need to make sure the CPU is more powerful than the EdgeRouter Pro 8's one and that hopefully it meets my expectations on PPPoE and GRE throughput.

Thanks.

nofappingway
(learned) Tue 24-Aug-21 10:04:07

Re: Future upgrade consideration advice wanted

[re: Ixel] [link to this post]

I have a symmetrical gigabit FTTP connection and I use a DrayTek 2865 with it. I get line speed using PPPoE including filtering using its Firewall (IP filter). It has 5 Gbe ports and a lot features.

https://www.draytek.co.uk/products/business/vigor-28...

Ixel
(experienced) Tue 24-Aug-21 12:20:08

Re: Future upgrade consideration advice wanted

[re: nofappingway] [link to this post]

Thanks for replying.

That looks impressive. It's been a long time since I've used DrayTek, they generally make good routers though. I would need to double check, perhaps by contacting DrayTek, that it supports GRE without IPsec (as I don't need IPsec) and presumably a GRE tunnel can be setup without assigning it an IP address (all I do currently is just tell it the local IP address and remote/peer IP address, then route a specific IP subnet through it using some policy routing. Presumably this device could do that without much hassle.

This is what I currently do on the EdgeRouter:

Text

/sbin/ip tunnel add gre1 mode gre remote 51.x.x.62 local 83.x.x.169 ttl 255
/sbin/ip link set gre1 up/sbin/ip rule add from 198.x.x.0/24 table 666
/sbin/ip route add default dev gre1 table 666/sbin/ip route add 198.x.x.0/24 dev eth3 table 666
/sbin/ip route add 192.168.1.0/24 dev eth1 table 666

eth3 then has an IP address of 198.x.x.1/24 which acts as a gateway IP address. eth1 is just my LAN devices so they have a direct route locally.

Definitely one I will further look into and contact DrayTek about before potentially buying it. I have a 2862 in the cupboard at the moment, which I used to use at one point when I had VDSL2. Fairly reliable.

Edited by Ixel (Tue 24-Aug-21 12:23:52)

danielhyde
(member) Tue 24-Aug-21 15:00:58

Re: Future upgrade consideration advice wanted

[re: Ixel] [link to this post]

As far as I'm aware DrayTek routers do not support that.

Thanks
Dan

Ixel
(experienced) Tue 24-Aug-21 17:50:08

Re: Future upgrade consideration advice wanted

[re: danielhyde] [link to this post]

Looking at some of DrayTek's knowledge base I can at least see it looks like IPsec is optional for the GRE tunnel. How easy it is to setup the necessary policy routing and whether I can setup the GRE tunnel without assigning it an IP address is another question.

From what I understand on DrayTek's website, the 2862 may support GRE. I will get mine out of the cupboard, install the latest firmware and see if I can get any further insight into what's possible.

If it's not possible to do this on the DrayTek router then I guess my only other option is to ultimately buy some kind of mini PC with multiple ethernet ports on, then install something like VyOS. Could be more costly but I guess my use case isn't a common one.

EDIT: Looks like it may also be possible to setup the routing similar or perhaps even identical to how I have it at the moment. I will try to see if I can test this out on my 2862 before I buy a 2865.

Edited by Ixel (Tue 24-Aug-21 17:55:21)

Pheasant
(fountain of knowledge) Tue 24-Aug-21 19:03:41

Re: Future upgrade consideration advice wanted

[re: Ixel] [link to this post]

One of the multi-core ARM based Mikrotik routers should be able to get you decent GRE performance on a gig WAN link. Depends on your budget but they released two new routers recently...

RB5009UG+S+IN which comes in at £126+VAT from Eurodk

Alternatively if the name of the game is pure throughput, whether IPsec or straight, there is now an "all copper" CCR2004-16G-2S+ beastie which will give you multi-gig GRE performance, for around £268+VAT from Eurodk

Ixel
(experienced) Tue 24-Aug-21 20:30:33

Re: Future upgrade consideration advice wanted

[re: Pheasant] [link to this post]

The £268+VAT is within my budget, the UDM Pro cost me a bit more so that's fine. That looks like a beast, certainly an impressive piece of kit and I love the fact it's rackmountable too. I've never used RouterOS so it's something I will have to read up on and if there's an online demo then I will also play around with that. Else failing that I'm sure there's plenty of YouTube videos talking about it.

Wifi Stock UK apparently has them in stock for Friday delivery at the moment (probably until some point tomorrow), so where possible I'll order it from a UK store as I'm not sure if I'll get lumbered with customs delays or perhaps an extra charge if I buy from an EU store for that amount of money.

EDIT: Looking at the demo it doesn't seem all that complicated to learn. Things appear to be clearly labeled. Certainly very customisable from what I can see.

EDIT 2: Well I'm almost certain that's what I'll now be going for. In the unlikely event I get stuck with setting up what I want to do then I see they have a quite an active forum which is also nice. Thanks very much for the suggestion, it looks like the perfect solution for my needs!

Edited by Ixel (Tue 24-Aug-21 21:07:12)

deleted
(deleted) Thu 26-Aug-21 12:54:51

Re: Future upgrade consideration advice wanted

[re: Ixel] [link to this post]

One warning about those new Mikrotik Routers, they are using version 7 of their OS, which is still in Beta, although a release candidate has finally been posted. Why they are releasing them before the OS is ready is questionable.

They are both amazing routers though, just be aware the first few weeks could be buggy until the OS is ready.

Edited by deleted (Thu 26-Aug-21 12:55:55)

Ixel
(experienced) Thu 26-Aug-21 14:59:45

Re: Future upgrade consideration advice wanted

[re: deleted] [link to this post]

Sounds a little like the development of the UDM Pro's OS, but not anywhere near as bad as the UDM Pro's OS.

All being well the 'stable' version that came installed will be stable enough for the moment. I'll avoid the beta and release candidate if possible. I agree though, it's a little silly releasing something that's not quite ready.

---

Also to post an update to say that I received the item shortly before 12pm, the UPS man seemed to pretty much be Roadrunner though haha. I've never seen someone get out of a delivery van and then back in the van so quick.

It looks impressive in the cabinet, albeit everything else is in the cabinet is painted black so doesn't match.

I believe I've set it up correctly, at least to get things started anyway, I won't know until later this afternoon when I connect the LAN cables to the appropriate ports. I like how it didn't cause disruption by plugging it in to my switch, e.g. no IP address conflict, connected with Winbox via the MAC address.

Below is my current configuration which I hope will work without any hassle (sensitive information redacted of course):

Text

/interface pppoe-client
add add-default-route=yes interface=ether1 keepalive-timeout=60 name=\    "PPPoE Cerberus" password=x use-peer-dns=yes user=x
/interface greadd mtu=1468 name="OVH GRE Tunnel" remote-address=145.x.x.191
/routing tableadd disabled=no name=666
/ip addressadd address=192.168.1.1/24 comment=defconf interface=ether2 network=\
    192.168.1.0add address=198.x.x.1/24 comment="OVH GRE Tunnel" interface=ether3 \
    network=198.x.x.0/ip dns
set servers=1.1.1.1,1.0.0.1/ip firewall address-list
add address=192.168.1.0/24 list=LANadd address=198.x.x.0/24 list=OVH
/ip firewall filteradd action=accept chain=forward comment="Accept established and related" \
    connection-state=established,relatedadd action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=fasttrack-connection chain=forward hw-offload=yesadd action=accept chain=input comment="Accept established and related" \
    connection-state=established,relatedadd action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="Accept ICMP" in-interface=all-ppp \    protocol=icmp
add action=accept chain=input comment=\    "Accept GRE traffic from 145.x.x.191" in-interface=all-ppp protocol=\
    gre src-address=145.x.x.191add action=drop chain=input comment="Drop all other traffic via PPP" in-interface=\
    all-pppadd action=accept chain=input
/ip firewall natadd action=masquerade chain=srcnat src-address=192.168.1.0/24
/ip firewall service-portset tftp disabled=yes
set irc disabled=yes/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway="OVH GRE Tunnel" \    pref-src="" routing-table=666 scope=30 suppress-hw-offload=no \
    target-scope=10add disabled=no dst-address=198.x.x.0/24 gateway=ether3 routing-table=666 \
    suppress-hw-offload=noadd disabled=no dst-address=192.168.1.0/24 gateway=ether2 routing-table=666 \
    suppress-hw-offload=no/routing rule
add action=lookup disabled=no src-address=198.x.x.0/24 table=666

My routing setup is based on the following commands I originally used on the EdgeRouter:

Text

/sbin/ip tunnel add gre1 mode gre remote 145.x.x.191 local 83.x.x.169 ttl 255
/sbin/ip link set gre1 up/sbin/ip rule add from 198.x.x.0/24 table 666
/sbin/ip route add default dev gre1 table 666/sbin/ip route add 198.x.x.0/24 dev eth3 table 666
/sbin/ip route add 192.168.1.0/24 dev eth1 table 666

ether1 is the PPPoE port
ether2 is the LAN port (192.168.1.1/24)
ether3 is the GRE tunnel port to OVH (198.x.x.1/24)

All being well I've implemented the policy routing correctly on this device. I still need to possibly sort out some QoS on the upstream and perhaps fine tune the firewall rules. It's hopefully a start though. I'll update again later. If anyone happens to notice any issues with my configuration in the meantime please comment! Thanks.

---

EDIT: All working it seems, went easier than I expected. Just had one setting incorrect which presumably disabled a route until it was corrected. Keepalive had to be disabled on the GRE tunnel. After that it worked. Speed test got me about 570Mbps down, so I need to do more fine tuning and perhaps check the OVH server to see if there's a bottleneck on that side. Either way it's far superior to the performance I was able to get out of the EdgeRouter Pro 8, so if 570Mbps is the best I can get, although I think that's unlikely by a long shot, I'm still pleased with the outcome.

Edited by Ixel (Thu 26-Aug-21 16:28:42)

Pheasant
(fountain of knowledge) Thu 26-Aug-21 19:06:00

Re: Future upgrade consideration advice wanted

[re: Ixel] [link to this post]

Well done on getting the setup running so quickly. I haven't looked into your config I must admit, but that's pretty decent throughput off the bat.

Pages in this thread: 1 | 2 | 3 | (show all)

Print Thread

Jump to