Good Firewall with 1 Gbps port for under $1k?

KapsZ28 (2[H]4U, joined May 29, 2009, 2,114 messages)
I would love to go with the Cisco ASA 5512-X, but it is a bit expensive. I was thinking about a SonicWALL TZ 205. But what other good options are out there?
 
Having 1Gb ports and moving 1Gbps of traffic are two different things entirely.

You did not say where you were going to use this....so I am assuming it's for an SMB under 20 users or home use.


Having said that as a firewall....

Ubiquiti Edgerouter

The Lite model is $99.99 and has higher firewall/routing performance than a Cisco ASA 5520.


As a VPN firewall Zyxel Zywall 110. Totally destroys the ASA 5510 on firewall and VPN performance, the routing performance is quite good.
 
Interesting. I do like Ubiquiti's WAPs. Maybe it is worth a shot. Does it support IPsec VPN tunnels and SSL VPN?
 
Ubiquiti Edgerouter

The Lite model is $99.99 and has higher firewall/routing performance than a Cisco ASA 5520.


When it comes to a firewall that can work with 1Gbps of traffic, that is the standard device. Honestly, it embarrasses a lot of oversold, underpowered hardware like what ZyXel and others are selling. The only difference is their software package is far more refined than Ubiquiti's Edgerouter at the moment. The EdgeRouter is almost more of a "beta" than a must-implement-now device.

Good news is it has a solid following with constant updates. I say go for that.
 
Well, being able to move a lot of traffic is important to me as you can see below.

If you guys say it is good, I will definitely give it a shot. It is obviously a huge savings in money. The documentation shows that it supports IPsec tunnels which is the next most important item. I guess you really can't go wrong for $98.
 
The Edgerouter has IPsec, L2TP and OpenVPN. Only IPSec is hardware accelerated at the moment. It was measured at 300Mbps throughput duplex.

The Zyxel Zywall 110 is a new hardware update to the Zywall series and supports IPSec, L2TP, PPP, and Web based SSL VPN. It comes with a couple SSL VPN licenses.

IPSec throughput is around 800Mbps duplex for the 110. I think the SSL throughput is around 100Mbps.

The Zyxel Zywalls and the USG series run the same custom version of BSD for their OS.

The Ubiquiti Edgerouter is based on a fork of the Linux firewall distro Vyatta.

The big differences are.....Edgerouters slow down significantly when using VPN, Zywalls slow down when you ask them to route @ L3.

One is better at routing, the other is a better hardware VPN endpoint.

It all depends on what you want to do.

I plan on purchasing an Edgerouter for my firewall and an older Zyxel USG for my VPN....mostly because I want a web based SSL VPN.

I would consider purchasing a Zywall 100, but I want/need advanced QoS, which the Edgerouter has, if you're willing to read the Vyatta documentation.
 
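What the IPsec site-to-site setup discussed above looks like on an EdgeRouter, as an added example (not code from the thread or from Ubiquiti). EdgeOS uses the Vyatta-style "set ..." configuration commands, and the script below generates them for one tunnel and pushes them through EdgeOS's scripting wrapper. The peer and local addresses, the LAN prefixes, the IKE/ESP group names and the pre-shared key are placeholders; the wrapper path and the `system offload ipsec` knob are written from memory of EdgeOS 1.x and should be checked against the firmware you actually run.

```shell
#!/bin/sh
# Added example: site-to-site IPsec on an EdgeRouter (EdgeOS 1.x, Vyatta-style CLI).
# Addresses, group names and the pre-shared key are placeholders. The offload
# command and the wrapper path are assumptions from memory of EdgeOS 1.x.

# Emit the configuration for one tunnel, one "set" command per line.
# $1 = remote peer WAN address, $2 = our WAN address,
# $3 = local LAN prefix, $4 = remote LAN prefix, $5 = pre-shared key
ipsec_site_to_site() {
    peer=$1; local_addr=$2; local_net=$3; remote_net=$4; psk=$5
    cat <<EOF
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec ike-group IKE0 key-exchange ikev2
set vpn ipsec ike-group IKE0 lifetime 28800
set vpn ipsec ike-group IKE0 proposal 1 dh-group 14
set vpn ipsec ike-group IKE0 proposal 1 encryption aes256
set vpn ipsec ike-group IKE0 proposal 1 hash sha256
set vpn ipsec esp-group ESP0 lifetime 3600
set vpn ipsec esp-group ESP0 mode tunnel
set vpn ipsec esp-group ESP0 pfs enable
set vpn ipsec esp-group ESP0 proposal 1 encryption aes256
set vpn ipsec esp-group ESP0 proposal 1 hash sha256
set vpn ipsec site-to-site peer $peer authentication mode pre-shared-secret
set vpn ipsec site-to-site peer $peer authentication pre-shared-secret $psk
set vpn ipsec site-to-site peer $peer ike-group IKE0
set vpn ipsec site-to-site peer $peer local-address $local_addr
set vpn ipsec site-to-site peer $peer tunnel 1 esp-group ESP0
set vpn ipsec site-to-site peer $peer tunnel 1 local prefix $local_net
set vpn ipsec site-to-site peer $peer tunnel 1 remote prefix $remote_net
EOF
}

# Hardware acceleration of IPsec. The thread warns it can break some traffic,
# so bring the tunnel up with it off, test, and only then turn it on.
ipsec_offload() {
    case $1 in
        on)  echo "set system offload ipsec enable" ;;
        off) echo "set system offload ipsec disable" ;;
        *)   echo "usage: ipsec_offload on|off" >&2; return 1 ;;
    esac
}

# Apply a stream of "set ..." lines (stdin) on the router itself through the
# EdgeOS scripting wrapper; run as the admin user that owns the config.
apply_edgeos_config() {
    w=/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper
    "$w" begin || return 1
    while read -r line; do
        # word-split the line so "set vpn ..." becomes separate arguments
        # shellcheck disable=SC2086
        "$w" $line || { "$w" end; return 1; }
    done
    "$w" commit && "$w" save
    "$w" end
}

# Usage on the router (kept commented so the script is safe to source):
# { ipsec_site_to_site 203.0.113.2 198.51.100.1 192.168.1.0/24 192.168.2.0/24 'ChangeMe'
#   ipsec_offload off; } | apply_edgeos_config
```

The same tunnel must be configured on the peer with the prefixes and local address swapped. Keeping the proposal lists short (one AES-256/SHA-256/DH-14 proposal on each side) avoids the negotiation silently falling back to whatever weaker algorithm both ends happen to share.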
I would look at PfSense. It runs on any x86 platform and has lots of features including VPNs, Proxy server, filtering, etc. Honestly just as good as an ASA or a SonicWall would be (or better IMO). PfSense is free to download and again you can run it on any x86 platform.

Usually for my clients I get one of these, a stick of 2 or 4 gigs of RAM, and a 30-60 gig SSD and it runs beautifully. The Atom proc is more than fast enough. If you have an old box you can run it on there too. P4 or better is plenty fast. I have over 600 simultaneous users on a 100 meg fiber connection and it never has more than a few percentage points load and maybe 10-12% memory usage, if that.

http://www.newegg.com/Product/Product.aspx?Item=N82E16816101364

http://pfsense.com/
 
The EdgeRouter Lite will not do 1Gbit, far from it, and hardware acceleration breaks stuff you might want to use, so don't rely on those numbers. I'm not sure how efficient FreeBSD is compared to Vyatta, which seemed to be very buggy at the time I last looked at it, but I get around 250mbit doing iperf and I'd say about 15mbit using OpenVPN. That said, it's still a very nice device given its price.
//Danne
 
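The iperf measurement mentioned in the post above is the right way to settle the "1Gb port versus 1Gbps of traffic" question, so here is an added example of doing it systematically (not code from the thread). It runs iperf3 from a host on one side of the firewall to an iperf3 server on the other, once for plain forwarding and once per VPN path, and reports each result as a percentage of the line rate. The hostnames, the 1000 Mbit/s reference and the embedded sample output are assumptions; the sample merely mirrors the ~250 Mbit/s figure quoted above and is not real output from that device.

```shell
#!/bin/sh
# Added example: measure what a firewall actually forwards instead of trusting
# the port speed. Hostnames and the 1000 Mbit/s reference are assumptions.

# Pull the receiver-side Mbit/s figure from iperf3's text summary on stdin.
# With -P (parallel streams) the last matching line is the [SUM] receiver line.
receiver_mbps() {
    awk '/Mbits\/sec/ && /receiver/ { v = $(NF-2) }
         END { if (v == "") exit 1; printf "%d\n", v }'
}

# Integer percentage of a reference rate that the measured rate achieves.
percent_of() {   # $1 measured Mbit/s, $2 reference Mbit/s
    echo $(( $1 * 100 / $2 ))
}

# One 30-second TCP test through the device: prints "label measured percent".
# Needs "iperf3 -s" running on $2; $1 is a label, $3 the rate to compare with.
measure_path() {
    label=$1; server=$2; ref=$3
    mbps=$(iperf3 -c "$server" -t 30 -P 4 -f m | receiver_mbps) || return 1
    echo "$label $mbps $(percent_of "$mbps" "$ref")"
}

# Constructed sample of an iperf3 summary (not captured from any real device),
# shaped like the ~250 Mbit/s plain-forwarding figure quoted in the thread.
SAMPLE_PLAIN='[ ID] Interval           Transfer     Bandwidth       Retr
[  5]   0.00-10.00  sec   298 MBytes   250 Mbits/sec    0             sender
[  5]   0.00-10.00  sec   296 MBytes   248 Mbits/sec                  receiver'

# Uncomment on a real network; compare plain forwarding with each VPN path,
# and repeat with hardware offload on and off before trusting either number.
# measure_path plain   iperf.lan    1000   # LAN host directly behind the firewall
# measure_path ipsec   10.10.2.20   1000   # host behind the IPsec peer
# measure_path openvpn 10.8.0.10    1000   # host reached over the OpenVPN tunnel
```

Run the plain test first with the firewall ruleset you intend to use in production (stateful rules, NAT, QoS), since an empty ruleset measures the forwarding path rather than the device doing its job; the VPN runs then show how much of that rate survives encryption.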
I would look at PfSense. It runs on any x86 platform and has lots of features including VPNs, Proxy server, filtering, etc. Honestly just as good as an ASA or a SonicWall would be (or better IMO). PfSense is free to download and again you can run it on any x86 platform.

Usually for my clients I get one of these, a stick of 2 or 4 gigs of RAM, and a 30-60 gig SSD and it runs beautifully. The Atom proc is more than fast enough. If you have an old box you can run it on there too. P4 or better is plenty fast. I have over 600 simultaneous users on a 100 meg fiber connection and it never has more than a few percentage points load and maybe 10-12% memory usage, if that.

http://www.newegg.com/Product/Product.aspx?Item=N82E16816101364

http://pfsense.com/


I already use pfSense frequently. Mostly as VMs. That is what I am currently using as a VM and looking for a physical appliance. Like you mentioned, you can install it on hardware, but I would prefer something with support just in case and I wasn't looking to purchase their commercial support.
 
The EdgeRouter Lite will not do 1Gbit, far from it, and hardware acceleration breaks stuff you might want to use, so don't rely on those numbers. I'm not sure how efficient FreeBSD is compared to Vyatta, which seemed to be very buggy at the time I last looked at it, but I get around 250mbit doing iperf and I'd say about 15mbit using OpenVPN. That said, it's still a very nice device given its price.
//Danne

OK, then what about the Zyxel Zywall 110 that Mackintire suggested? Will that handle 1Gbps much better than the EdgeRouter?
 
OK, then what about the Zyxel Zywall 110 that Mackintire suggested? Will that handle 1Gbps much better than the EdgeRouter?

It does a good job, but thus far it has proven to be a long way from 1Gbps. Based on those speed tests of yours it'll probably be able to work with that just fine.

http://www.smallnetbuilder.com/lanwan/lanwan-reviews/32283-zyxel-zywall-110-vpn-firewall-reviewed


Kind of underwhelming for newer generation Cavium processors with 4 cores over 1 from their previous models. They've managed to tweak the software in the past to boost initial rates up by 50% so who knows.
 
That looks very reasonable given it's actually processing packets instead of just blindly forwarding; the ERL (dual core) does, as I said, about half of that.
//Danne
 
Dizzy was correct on the Edgerouter when using firmware 1.2 and earlier. That issue was resolved a while ago. The current firmware build is 1.4

The problem with PFsense is that it's mostly single threaded.

A dual-core Atom processor is fine for 100Mbit on PFsense, but you'll need an i3 processor running at 2.4GHz or higher to reach 1Gbps.

The Zyxel is 629 Mbps if you use smallnetbuilder's metric. Zyxel themselves are known for cherry picking their data.

Keep in mind the 110 is the baby model. The 310 is 50% faster than the 110.

At the OP's price point he could buy the Edgerouter Pro or the Max.
 
The firmware on the ERL still leaves much to be desired, but as I said, hardware acceleration will break stuff, so don't rely on it regardless of brand. That said, the Zyxel _is_ faster than the ERL hands down if you actually process packets.

Remember that pfsense != pf, FreeBSD-CURRENT (head) runs a multithreaded pf and so does my ERLs.
//Danne
 
I'm a little under the weather here today...so I'm probably not in the clearest mind.

I believe the packet scheduler in PFsense 2.x is still single threaded. PFsense is made up of multiple packages so when you consider all the packages inside.... PFsense itself is multithreaded.

Yes, PFsense != FreeBSD-current.

"$320 for the EdgeRouter. Not bad. Not available yet either."

Streakwave has them: http://www.streakwave.com/itemdesc.asp?ic=ERPRO-8&eq=&Tp=



Don't believe it. There are stores that have them and are not advertising it. You need to verify who has them via the Ubiquiti Forum before placing the order.

Tim Higgens from Smallnetbuilder experienced the same thing when he did his first review of the edgerouter. He ordered it even though it said out of stock and it arrived a couple of days later.

I've seen both sides of the "HW acceleration breaks abc-xyz" argument. The point is "you are both right": if it breaks something you are interested in, then yes it is an issue. I'd argue that most users at this point are not running into that issue and the few issues that remain will eventually be fixed.
 
The version of FreeBSD used in pfSense is indeed using a single threaded version of pf. pfSense itself is a customized version of FreeBSD, it's pretty close to vanilla in terms of source code but has some changes made due to storage model and networking. Calling pf a packet scheduler is somewhat misleading as the network stack is multithreaded but pf isn't and the scheduler would be ALTQ or dummynet if you're going to nitpick. ;-)

The ERPRO-8 should perform better than the ERL, probably not twice as fast but ~70% or so I'd guess. Looking at the hardware itself Zyxel's router should perform better in raw performance without hardware acceleration since its a quad core compared to a dual core.

I would also be a bit careful with the firmware as early versions of the ERL were pretty much useless.

Hardware acceleration has been broken on several platforms (Ralink, Atheros etc); things like SIP to online gaming have been affected, so do your testing carefully before leaving it on.
//Danne
 
Cool, glad to see someone has the EdgeRouter. I had tried a bunch of websites from Ubiquiti but they either didn't have them listed, showed out of stock, or said available in March.

As for pfSense, is that something you would use in a datacenter as a primary firewall for a SMB?
 
I guess you could do that, but due to the performance drawbacks and limitations most use either OpenBSD or FreeBSD distros as they are. To be honest I've never heard of someone running pfsense in a "mission critical" setup for large networks; many are using/used OpenBSD though. Not saying that pfsense isn't used, but I think it's pretty rare. You probably want to look into CARP as well in general.
//Danne
 
I guess you could do that, but due to the performance drawbacks and limitations most use either OpenBSD or FreeBSD distros as they are. To be honest I've never heard of someone running pfsense in a "mission critical" setup for large networks; many are using/used OpenBSD though. Not saying that pfsense isn't used, but I think it's pretty rare. You probably want to look into CARP as well in general.
//Danne

We use CARP on our pfSense HA setups.
 
Good bang for the buck with a semi-easy interface to learn...Fortinets...(please, network admins, forgive me since I recommended this).

For my house and small offices where I am on a tight, tight budget, Fortinets give you a FW, IDS, IPS, and web filter.
 