CHR or Ethernet router?

Posted: Thu Mar 21, 2024 10:07 am
by ramirez
Dear community, what do you think can better cope as a VPN server with up to 200/200 Mb loads? Currently I am operating a CHR on a DELL R210 II/1xE3-1270/32GB, and server speeds of up to 100/100 Mb (compressed video) through L2TP IPsec (5 clients - Sha1/aes128/modp2048) take anything between 20-50% CPU power and have no problems. At a separate location, where I wish to do the same (double the speed and up to 20 clients), would you advise a router or a CHR? Requirements regarding size of the machine are to be as compact as possible, thus I was thinking of a Chatreey AMR5 Mini PC Ryzen 5 5600U or a LattePanda Sigma. I also want to hear your opinion regarding other methods of VPN currently supported (lighter or heavier due to encryption) in relation to the title. What is more important: CPU power, memory, or both?

Thank you in advance!

Re: CHR or Ethernet router?

Posted: Thu Mar 21, 2024 1:49 pm
by mkx
Surely there are MT routers which can do IPsec with throughputs higher than 200Mbps. But only if they support appropriate HW offload functions (not all of them do). All MT routers have product pages and one of the sections there is "Test results". And a part of the test results page is "IPsec test results". So you can get an idea about the IPsec capabilities of every router.

Beware that not all IPsec encryption algorithms and key lengths are supported in hardware. You can consult https://help.mikrotik.com/docs/display/ROS/IPsec, specifically the section "Hardware acceleration", to see what fits and what does not.

Generally I'd guess that for higher throughputs using CHR on decent hardware would be a more cost-effective solution than using a powerful MT router. And I'd guess that single-core CPU speed is the most important parameter when choosing hardware for running CHR.

If you can, you may want to consider other tunneling protocols. WireGuard is supported quite well in ROS (v7) and requires only a fraction of CPU resources for the same throughput as IPsec does. In addition, MT's IPsec implementation doesn't include all the bells and whistles of the best implementations, so there's a possibility that the IPsec tunnel doesn't establish if the other end is not Mikrotik.

Re: CHR or Ethernet router?

Posted: Thu Mar 21, 2024 4:38 pm
by Larsa
In short:

1. If you're running CHR/x64, use IPsec. This platform can scale up practically infinitely.
2. If you're running a Mikrotik with AES hardware acceleration, use IPsec. Check throughput limitation using the 512-byte column on the product page.
3. In all other cases, use WireGuard.

Re: CHR or Ethernet router?

Posted: Sun Mar 24, 2024 2:31 pm
by ramirez
> Generally I'd guess that for higher throughputs using CHR on decent hardware would be a more cost-effective solution than using a powerful MT router. And I'd guess that single-core CPU speed is the most important parameter when choosing hardware for running CHR.

Thank you MKX for all the info. On both sides I will have MTs, and the question is whether on the server side it will be a CHR or a router. Now when you say single core CPU, the systems I have in mind will definitely have 6 cores at least, not because I have some absolute requirement but simply because they come with these and there is no way around... Since I will be using VMware Workstation Pro with the CHR (if I go with it), are you saying that CHR can take advantage of one core only, or that the speed of that clock matters the most? Also a CHR machine (I mean the hardware) will set me back at least 350-400 USD, just thought to mention it as well.

> In short:
>
> 1. If you're running CHR/x64, use IPsec. This platform can scale up practically infinitely.
> 2. If you're running a Mikrotik with AES hardware acceleration, use IPsec. Check throughput limitation using the 512-byte column on the product page.
> 3. In all other cases, use WireGuard.


Thank you Larsa!

Re: CHR or Ethernet router?

Posted: Sun Mar 24, 2024 3:25 pm
by mkx
> Now when you say single core CPU, the systems I have in mind will definitely have 6 cores at least, not because I have some absolute requirement but simply because they come with these and there is no way around... Since I will be using VMware Workstation Pro with the CHR (if I go with it), are you saying that CHR can take advantage of one core only, or that the speed of that clock matters the most?

CHR will use several cores so don't worry about that. What I was talking about is (differently worded) per-core performance. Certain things in ROS are processed sequentially by a single core (due to various reasons), so faster cores (vs. more cores) is sometimes the way to go. Typically packets of a single connection are processed by the same core (to avoid out-of-order packet delivery), so per-core performance can limit single-connection throughput. I don't have much experience with tunneling technologies, but I guess tunnel encryption may fall into this category as well.

Re: CHR or Ethernet router?

Posted: Thu Mar 28, 2024 10:37 am
by ramirez
Thank you MKX! Got it!