HowTo: Ubiquiti EdgeRouter performance testing

Ubiquiti EdgeRouter Lite 3-Port EdgeMAX Router
The EdgeRouter Lite from Ubiquiti promises excellent performance for a great price.
So what performance can you get out of it ?

We tested two things:

1) a typical routed configuration, including NAT, and stateful firewalling.
2) IPSec over a routed connection.

Here are the headline figures: (tests using iperf over TCP, details shown later)

1) 888 Mbits/sec routed

2) 111 Mbits/sec over an IPSec tunnel

A very good result.

This is how we tested:

We loaded a basic config

This has LAN on eth0 and WAN on eth2 of the ERL.
The WAN was connected into our gigabit LAN and picked up an IP by DHCP.
The LAN was connected to a laptop.


laptop -> EdegeRouter -> switch -> desktop

We then ran iperf -s on a server on the gigabit LAN, and ran the iperf client on the laptop.

Typical output:

[  4] local port 5001 connected with port 57654
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-10.0 sec  1.04 GBytes    888 Mbits/sec
[  5] local port 5001 connected with port 57661
[  5]  0.0-10.0 sec  1.03 GBytes    887 Mbits/sec

To test IPSec was more complex.
We connected eth1 into a MikroTik cloud core router, using a /30 address range.
We then connected a MikroTik RB1100AHx2 into the cloud core router on another subnet to act as an IPSec endpoint (the RB1100AHx2 has hardware accelerated AES)
The RB1100AHx2 was in turn connected to a server.

laptop -> EdgeRouter -> CloudCoreRouter -> RB1100AHx2 -> server -> EdgeRouter -> IPSec -> RB1100AHx2 ->

The and were connected using an IPSec tunnel.

iperf testing:

[  3] local port 45695 connected with port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec   132 MBytes   110 Mbits/sec
[  3] local port 45690 connected with port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec   132 MBytes   111 Mbits/sec

This is the configuration on the EdgeRouter:

ubnt@ubnt# show vpn 
 ipsec {
     esp-group TEST {
         proposal 1 {
             encryption aes128
             hash sha1
     ike-group TEST {
         proposal 1 {
             encryption aes128
             hash sha1
     ipsec-interfaces {
         interface eth1
     site-to-site {
         peer {
             authentication {
                 mode pre-shared-secret
                 pre-shared-secret testing
             ike-group TEST
             tunnel 1 {
                 esp-group TEST
                 local {
                 remote {

This is the configuration on the RB1100AHx2

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-128 lifetime=30m name=default pfs-group=modp1536
/ip ipsec peer
add address= auth-method=pre-shared-key dh-group=modp1536 disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-128 exchange-mode=main generate-policy=no \
    hash-algorithm=sha1 lifebytes=0 lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=obey secret=testing send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address= dst-port=any ipsec-protocols=esp level=require priority=0 proposal=default protocol=all sa-dst-address= \
    sa-src-address= src-address= src-port=any tunnel=yes

We hope you find this useful.

About Nick

Check Also

Up to £3840 of FREE TruAudio Speakers with VSSL

FREE TruAudio Speakers with your VSSL Amplifier Purchase Save up to *£3840 in a Single …


  1. Cool, thanks for showing how you did this.

  2. What firmware and did you enable hw acceleration?

Leave a Reply

Your email address will not be published. Required fields are marked *