Not to pile on or threadjack.
@Skyetel support is in my Top 3 of all IT related type support.
These folks are good.
@Pete-S said in Co-lo + 5 (or more) sites....connect 'em all:
@FATeknollogee
I did a test. I get 840 Mbps IPsec between two servers running xcp-ng and one pfSense in each. 4 vCPU 2.5GHz Xeon E5.
This was over 1GbE and with NAT, packet filtering, I/O overhead of Xen etc. I expected more but was too lazy to try on bare metal. But I would assume it's faster, also a newer CPU with higher clock frequencies would likely give it another boost.
If you want a lot more speed you can add an accelerator card. Intel has their Quick Assist Technology and a card that can do up to 50 Gbps is priced around $650.
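As an added example (not code from the thread or from any of the posters), the script below works out the best-case TCP goodput an ESP tunnel can deliver on a 1 GbE link and compares it with a measured iperf3 figure like the 840 Mbps above, so you can tell whether the link or the crypto CPU is the limit. Header sizes are the standard IPv4/ESP/TCP ones; the iperf3 JSON is a constructed, trimmed sample, and the assumption that TCP runs without options is labelled in the code.

```python
import json

# Added example, not code from the thread.  Estimates the best-case TCP goodput
# through an IPsec ESP tunnel and compares it with a measured iperf3 result.

# Ethernet framing (bytes per frame): header, then preamble+SFD, FCS, inter-frame gap
ETH_HEADER = 14
ETH_WIRE_OVERHEAD = 8 + 4 + 12
OUTER_IP = 20          # IPv4 outer header added in tunnel mode
ESP_HEADER = 8         # SPI + sequence number
ESP_TRAILER = 2        # pad length + next header
INNER_IP = 20          # IPv4 header of the encapsulated packet
TCP_HEADER = 20        # assumption: no TCP options (timestamps would add 12)

# Per-algorithm ESP cost: (IV bytes, ICV bytes, alignment of the encrypted part)
ESP_ALGOS = {
    "aes-gcm-128": (8, 16, 4),
    "aes-cbc-128-hmac-sha256": (16, 16, 16),
}

def max_inner_packet(algo="aes-gcm-128", mtu=1500):
    """Largest inner IPv4 packet whose ESP-encapsulated form fits one outer MTU."""
    iv, icv, align = ESP_ALGOS[algo]
    inner = mtu - OUTER_IP - ESP_HEADER - iv - ESP_TRAILER - icv
    # RFC 4303: payload + padding + trailer must be a multiple of the alignment
    while (inner + ESP_TRAILER) % align:
        inner -= 1
    return inner

def esp_tunnel_goodput_mbps(link_mbps, algo="aes-gcm-128", mtu=1500):
    """Theoretical TCP payload rate (Mbit/s) with every packet a full-size ESP frame."""
    payload = max_inner_packet(algo, mtu) - INNER_IP - TCP_HEADER
    wire = mtu + ETH_HEADER + ETH_WIRE_OVERHEAD
    return link_mbps * payload / wire

def iperf3_received_mbps(json_text):
    """Receiver-side average from `iperf3 -c <peer> --json` output."""
    report = json.loads(json_text)
    return report["end"]["sum_received"]["bits_per_second"] / 1e6

def tunnel_efficiency(measured_mbps, link_mbps, algo="aes-gcm-128"):
    """Fraction of the theoretical ESP goodput actually achieved.  A result well
    below 1 with the link otherwise idle points at the crypto/CPU path (or a
    missing MSS clamp causing fragmentation) rather than the wire."""
    return measured_mbps / esp_tunnel_goodput_mbps(link_mbps, algo)

# Constructed, trimmed iperf3 JSON matching the 840 Mbps figure quoted above
IPERF3_SAMPLE = '{"end": {"sum_received": {"bits_per_second": 840000000.0}}}'

if __name__ == "__main__":
    measured = iperf3_received_mbps(IPERF3_SAMPLE)
    for algo in ESP_ALGOS:
        ceiling = esp_tunnel_goodput_mbps(1000, algo)
        print(f"{algo}: ceiling {ceiling:.0f} Mbit/s, measured {measured:.0f} "
              f"({tunnel_efficiency(measured, 1000, algo):.0%})")
```

With AES-GCM-128 the ceiling on 1 GbE comes out around 914 Mbit/s of TCP payload, so 840 Mbps measured is roughly 92% of what the wire allows; the remaining gap is the Xen, NAT and filtering overhead mentioned in the post, not the tunnel itself.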
How much RAM?
Did you check CPU usage?
@Pete-S pfSense? What did you test with?
@scottalanmiller said in Co-lo + 5 (or more) sites....connect 'em all:
It's always a bad idea to ask a vendor a question like this. Always.
If I chose to go this route, I def wouldn't use their appliance.
My question for them would be: what hardware & encryption levels are needed to achieve 500+ Mbps?
@JaredBusch said in Co-lo + 5 (or more) sites....connect 'em all:
...pfSense, or TNSR. Just don't use OpenVPN. Use IPSEC.
Yep, heard that a few times...no OpenVPN.
pfSense + TNSR sounds interesting, just not sure if it's worth the "hassle" procuring my own hardware (which really isn't a big deal) vs ER4.
It's probably not a bad idea to at least speak w the pfSense folks.
@JaredBusch said in Co-lo + 5 (or more) sites....connect 'em all:
So you are making a tunnel for a tunnel.
I guess you could call it that!
WTF are you pushing over RDP that needs 400mbps?
I'm just trying to take advantage of the solid connections at both ends
You should have no need for those speeds.
@JaredBusch said in Co-lo + 5 (or more) sites....connect 'em all:
No, the tunnel is for site to site. But that means shit. What is going through the tunnel. That is what matters.
Ahh, I missed the question.
Mainly RDP type traffic.
@JaredBusch said in Co-lo + 5 (or more) sites....connect 'em all:
@FATeknollogee said in Co-lo + 5 (or more) sites....connect 'em all:
- How much over IPsec: as much as I can get!
What does this even mean?
As much of the available bandwidth (per site) as I can get, this is definitely hardware constrained by the router used.
@JaredBusch said in Co-lo + 5 (or more) sites....connect 'em all:
@FATeknollogee said in Co-lo + 5 (or more) sites....connect 'em all:
- Features: mainly Site to Site VPN
Duh, that was the point of the entire thread.
What are you doing over the tunnel?
S2S!! Like you said, this is the point of the thread.
@scottalanmiller said in Co-lo + 5 (or more) sites....connect 'em all:
So the plan to do BGP routing?
I'm just trying to keep it real simple & take advantage of the available internet speeds!
@Pete-S said in Co-lo + 5 (or more) sites....connect 'em all:
@FATeknollogee said in Co-lo + 5 (or more) sites....connect 'em all:
@Pete-S said in Co-lo + 5 (or more) sites....connect 'em all:
Shouldn't the first question be - how big are your pipes?
Then - how much of that will run over IPsec?
And - what features do you need?
Those are reasonable questions.
- Pipe size: 1x 400/400 (AT&T), 3x 500/500 (Frontier) & 1x 1000/40 (Spectrum). Colo pipe will be adjusted as needed.
- How much over IPsec: as much as I can get!
- Features: mainly Site to Site VPN
Well, you have peak 1900 Mbps in one direction and 940 in the other. But you never get that all the way so 1000/1000 in the colo will likely be more than you need. If it's all going to be IPsec traffic then ER4/ER6 is too small. Do you need HA as well?
HA would be a nice "luxury" to have!
If the ER4/6 is too small, what other choice(s) are available?
@Pete-S said in Co-lo + 5 (or more) sites....connect 'em all:
Shouldn't the first question be - how big are your pipes?
Then - how much of that will run over IPsec?
And - what features do you need?
Those are reasonable questions.
@scottalanmiller said in Co-lo + 5 (or more) sites....connect 'em all:
Your basic choices are....
ER4 if you want cheap, small hardware.
Bigger Ubiquiti if you want the same but even faster.
Whitebox with larger than Ubiquiti scale hardware.
Cheap: ER4/ER6
Bigger Ubiquiti: ER Infinity
Whitebox: pfSense (insert fav brand) w own hardware - bigger/faster cpu, more RAM, SSD, Intel NICs etc
@scottalanmiller said in Co-lo + 5 (or more) sites....connect 'em all:
Yeah, this is 100% about selecting the CPU, nothing else.
If that's the case, there should be some "better/more" choices than the ER4?
@scottalanmiller said in Co-lo + 5 (or more) sites....connect 'em all:
@FATeknollogee said in Co-lo + 5 (or more) sites....connect 'em all:
@scottalanmiller said in Co-lo + 5 (or more) sites....connect 'em all:
@FATeknollogee said in Co-lo + 5 (or more) sites....connect 'em all:
Hmmm...is this an option...? https://www.tnsr.com/
An option in general? Sure, it's just a vRouter that does IPsec. I'm sure it is good, but you can't run it on an EdgeRouter because it's an OS.
One would have to switch to pfSense if TNSR is a viable option.
I guess the real question I'd have is... why? What about TNSR makes it interesting in any way? Aren't you just looking at replacing tried and true, built in IPSec implementations with this complicated package that is just repacking OpenSwan?
I'm confused what you are trying to achieve. Connecting 5+ sites is the absolute clear use case for normal everyday IPSec on your outside hardware router. This is as "by the textbook" as it gets.
Can you use other VPN tech for this like OpenVPN, yes. Should you? Not really, it has no benefits to you. IPSec is best for this for speed, support, ease of use.
This is not a case where ZT has applicability unless you have needs that haven't been mentioned. Same with TNSR, what would this do other than make simple IPSec really hard and complicated for no reason?
This feels like one of those Aaron threads where he's captivated by all kinds of shiny product pages and misses that he's trying to do something very straightforward that is handled best by the tools that everyone uses for this every day. I'm missing what is driving the attempt to research new, hip, flashy products as none of them seem to bring anything to this particular table.
The claimed speeds are what caught my attention.
TNSR "claims" they can do High Speed Site-to-Site IPsec VPN
"TNSR provides secure high-speed routing solutions at 1, 10, 40, 100 Gbps, and beyond - at a fraction of the price of alternatives."
@scottalanmiller said in Co-lo + 5 (or more) sites....connect 'em all:
@FATeknollogee said in Co-lo + 5 (or more) sites....connect 'em all:
Hmmm...is this an option...? https://www.tnsr.com/
An option in general? Sure, it's just a vRouter that does IPsec. I'm sure it is good, but you can't run it on an EdgeRouter because it's an OS.
One would have to switch to pfSense if TNSR is a viable option.
Hmmm...is this an option...? https://www.tnsr.com/
@Pete-S said in Co-lo + 5 (or more) sites....connect 'em all:
But it's the fact that small routers have very weak CPUs but they can off load straight IPsec, when you are not doing packet inspection or anything that requires the CPU. However they can't off load OpenVPN.
Sounds like the choice should def be IPSec for less of a performance hit?
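Since the thread keeps coming back to the CPU being the deciding factor for the whitebox/pfSense option, here is an added example (not from the thread or from any poster) that reads the flags a Linux kernel exposes in /proc/cpuinfo and reports whether the box can hardware-accelerate the ESP cipher you intend to use. The cipher-to-flag mapping is x86 only; both cpuinfo samples are constructed.

```python
import re

# Added example, not from the thread: decide whether a whitebox x86 CPU can
# accelerate the IPsec cipher you plan to use, from the /proc/cpuinfo flags.

# Which CPU flags each ESP cipher suite benefits from (x86 only).
WANTS = {
    "aes-gcm":           ["aes", "pclmulqdq"],  # AES-NI plus carry-less multiply for GHASH
    "aes-cbc-sha2":      ["aes", "sha_ni"],     # AES-NI; SHA extensions speed the HMAC side
    "chacha20-poly1305": ["avx2"],              # no fixed-function unit; SIMD width matters
}

def cpu_flags(cpuinfo_text):
    """Set of flags from the first 'flags :' line of /proc/cpuinfo (empty if absent)."""
    m = re.search(r"^flags\s*:\s*(.*)$", cpuinfo_text, re.MULTILINE)
    return set(m.group(1).split()) if m else set()

def crypto_support(cpuinfo_text):
    """For each suite, the list of wanted flags this CPU lacks ([] means fully accelerated)."""
    flags = cpu_flags(cpuinfo_text)
    return {suite: [f for f in needed if f not in flags] for suite, needed in WANTS.items()}

def recommend(cpuinfo_text):
    """First suite the CPU fully accelerates, preferring AES-GCM; else software-only."""
    missing = crypto_support(cpuinfo_text)
    for suite in ("aes-gcm", "aes-cbc-sha2", "chacha20-poly1305"):
        if not missing[suite]:
            return suite
    return "software-only"

# Constructed samples (not real dumps): a modern Xeon and an old Atom without AES-NI
SAMPLE_XEON = """processor : 0
model name : Intel(R) Xeon(R) CPU E5 @ 2.50GHz (constructed sample)
flags : fpu vme sse sse2 ssse3 sse4_1 sse4_2 popcnt aes avx avx2 pclmulqdq
"""
SAMPLE_OLD = """processor : 0
model name : Intel(R) Atom(TM) CPU (constructed sample)
flags : fpu vme sse sse2 ssse3
"""

if __name__ == "__main__":
    import pathlib
    p = pathlib.Path("/proc/cpuinfo")
    text = p.read_text() if p.exists() else SAMPLE_XEON
    print(recommend(text), crypto_support(text))
```

Run it on the candidate box before buying: a CPU that lacks the `aes` flag will push every ESP packet through software AES, which is where the "small router with weak CPU" ceiling Pete-S describes comes from once you leave hardware that has its own offload engine.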
@Dashrender said in Co-lo + 5 (or more) sites....connect 'em all:
Well, once you have ZT setup, adding another site is likely the easiest. You just add ZT on a new ER, join the mesh and you're done.
Who has done this ZT on ER install?
The previous blog post seems to imply heavy/high CPU usage, wondering how this would affect performance?