Using this logic, I can push traffic through the EdgeRouter Lite as the first hop, thus testing its encryption performance, and vice versa, having the EdgeRouter Lite as the edgerouter ipsec hop, testing its decryption performance. Your edgerouter ipsec. For more information, edgerouter ipsec see Ubiquiti's Vintage and Obsolete Products. Yes No. With that being said though, the EdgeRouter X is still a very good candidate for enthusiast users or edgerouter ipsec deployments — especially given its PoE passthrough feature. The edgerouter is not an average consumer level product, it is designed for advanced users, like you. This particular model of EdgeRouter is based on a different SoC manufacturer than the other two devices MediaTek, vs Cavium ipsfc so has a different hardware offload engine.

It would only manifest every 1 in 10 tests or so and apply consistently for that flow. Because I was consistently getting around Mbps however, I went with an average of those results as the value for the ER4. Another curious observation came about when playing around with the different hardware offload modes. To me, this result is somewhat unexpected. I would have thought that offloading as much as possible to the offload engine would give better results but that does not appear to be the case.

I am only speculating but I think this may be to do with packets going back and forth from the co-processor unit in the Cavium chip. For example, A packet may come into the device for forwarding — get offloaded and then need to come back out of the offload engine to be processed further before being GRE encapsulated and offloaded and then ultimately encrypted again, IPsec offloaded? I am curious to see how this behaviour would affect overall performance of the device when its doing other CPU related tasks and not just IPsec encryption.

Now that we have some figures for the EdgeRouter 4, I can move on to testing one of the other models.

The logic here is that the EdgeRouter 4 is the more capable device by far, so by putting one of the in theory less powerful devices in place of one of the EdgeRouter 4s, the result I get would be capped by the performance of that device, and thus we measure its performance. Using this logic, I can push traffic through the EdgeRouter Lite as the first hop, thus testing its encryption performance, and vice versa, having the EdgeRouter Lite as the last hop, testing its decryption performance.

Given the result observed earlier for the raw throughput test of the EdgeRouter X, I was very interested to see how this one would turn out. This particular model of EdgeRouter is based on a different SoC manufacturer than the other two devices MediaTek, vs Cavium respectively so has a different hardware offload engine. This even more apparent in the configuration of the router and how you enable hardware offloading.

So, using the same IPsec configuration settings for the EdgeRouter 4 and EdgeRouter Lite tests detailed above , this router performed surprisingly well — Better than I had initially expected.

Interestingly however, unlike the two Cavium devices, the EdgeRouter X loses encryption performance with all other offloading disabled but gains some on decryption.

This just reinforces the fact that not all offload engines are equal — even within devices under the same brand. The above tests do well to illustrate how well each model of router perform when unrestricted and allowed to try to push as much as they possibly can.

I opted to do one final test and limit bandwidth to Mbit. The aim of this test is to illustrate how each routers compare to each other when given the same workload. Interestingly in the capped test, the ERL used more CPU on decryption which is the opposite to earlier when it was pushing as much as it possibly can.

I originally set out to determine what throughput I could expect from these various devices at each end of an IPsec tunnel to allow for a more informed decision as to how to structure my network. Despite the image this article paints for the EdgeRouter Lite, it is still a very capable device.

Whilst the device itself isnt the cheapest around, the features it comes with certainly make it an attractive prospect for more advanced users who want to get more out of their Router than something like a BT Home Hub. That being said one of the most annoying attributes is that from time to time, if a IPSec tunnel goes down, or on startup, you may find that the Tunnel does not come up and you must manually connect it.

I have yet to find a good solution to this, but below are the common steps needed to re-establish a connection to an existing IPSec tunnel. Unfortunately, while this should keep the connection open, it sometimes still fails to start on a reboot.

Hopefully this issue will be addressed in future firmwares, as Ubiquiti regularly updates firmware for devices. Ben has been building VoIP solutions for over 10 years, has over 15 years of Linux administration experience and enjoys problem-solving. When he is not coding something in Python, or tinkering with some project, you can often find him wandering through the forests and parks of the Pacific Northwest enjoying waterfalls, trails, and animals.

Skip to content The Blog.

Rockler Router Sign Extension Lee Valley Small Drawer Lock Bit Zone