Ubiquiti EdgeRouter performance testing

Ubiquiti EdgeRouter Lite 3-Port EdgeMAX Router
The EdgeRouter Lite from Ubiquiti promises excellent performance for a great price.
So what performance can you get out of it ?

We tested two things:

1) a typical routed configuration, including NAT, and stateful firewalling.
2) IPSec over a routed connection.

Here are the headline figures: (tests using iperf over TCP, details shown later)

1) 888 Mbits/sec routed
2) 111 Mbits/sec over an IPSec tunnel

A very good result.

This is how we tested:

We loaded a basic config http://community.ubnt.com/t5/EdgeMAX/Basic-SOHO-Home-Config/m-p/398057#M4993

This has LAN on eth0 and WAN on eth2 of the ERL.
The WAN was connected into our gigabit LAN and picked up an IP by DHCP.
The LAN was connected to a laptop.

eg

laptop -> EdegeRouter -> switch -> desktop

We then ran iperf -s on a server on the gigabit LAN, and ran the iperf client on the laptop.

Typical output:

[  4] local 81.187.78.194 port 5001 connected with 81.187.78.219 port 57654
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-10.0 sec  1.04 GBytes    888 Mbits/sec
[  5] local 81.187.78.194 port 5001 connected with 81.187.78.219 port 57661
[  5]  0.0-10.0 sec  1.03 GBytes    887 Mbits/sec

To test IPSec was more complex.
We connected eth1 into a MikroTik cloud core router, using a /30 address range.
We then connected a MikroTik RB1100AHx2 into the cloud core router on another subnet to act as an IPSec endpoint (the RB1100AHx2 has hardware accelerated AES)
The RB1100AHx2 was in turn connected to a server.

eg.
laptop -> EdgeRouter -> CloudCoreRouter -> RB1100AHx2 -> server

192.16.1.10/24 -> EdgeRouter -> IPSec -> RB1100AHx2 -> 192.168.20.10/24

The 192.16.1.10/24 and 192.168.20.10/24 were connected using an IPSec tunnel.

iperf testing:

[  3] local 192.168.1.10 port 45695 connected with 192.168.20.10 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec   132 MBytes   110 Mbits/sec
[  3] local 192.168.1.10 port 45690 connected with 192.168.20.10 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec   132 MBytes   111 Mbits/sec

This is the configuration on the EdgeRouter:

ubnt@ubnt# show vpn 
 ipsec {
     esp-group TEST {
         proposal 1 {
             encryption aes128
             hash sha1
         }
     }
     ike-group TEST {
         proposal 1 {
             encryption aes128
             hash sha1
         }
     }
     ipsec-interfaces {
         interface eth1
     }
     site-to-site {
         peer 10.250.1.2 {
             authentication {
                 mode pre-shared-secret
                 pre-shared-secret testing
             }
             ike-group TEST
             local-ip 192.168.2.1
             tunnel 1 {
                 esp-group TEST
                 local {
                     subnet 192.168.1.0/24
                 }
                 remote {
                     subnet 192.168.20.0/24
                 }
             }
         }
     }
 }

This is the configuration on the RB1100AHx2

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-128 lifetime=30m name=default pfs-group=modp1536
/ip ipsec peer
add address=192.168.2.1/32 auth-method=pre-shared-key dh-group=modp1536 disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-128 exchange-mode=main generate-policy=no \
    hash-algorithm=sha1 lifebytes=0 lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=obey secret=testing send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.1.0/24 dst-port=any ipsec-protocols=esp level=require priority=0 proposal=default protocol=all sa-dst-address=192.168.2.1 \
    sa-src-address=10.250.1.2 src-address=192.168.20.0/24 src-port=any tunnel=yes

We hope you find this useful.

2 Comments

  1. pcunite says:

    Cool, thanks for showing how you did this.

  2. feedmytv says:

    What firmware and did you enable hw acceleration?

Leave a Reply

Powered by sweet Captcha