New Member
Posts: 27
Registered: 04-17-2018

Site-to-Site VPN recommendation

Hey everyone,

So I am setting up a site-to-site VPN between my house and office. The max upload of my house is 20 Mbps and 5 Mbps at the office. I currently have an ER-X at my house and love it. I was wondering if my ER-X could handle a site-to-site VPN connection and still handle everything else that I have it doing (4 VLANs, firewall rules, and other normal router tasks like DHCP). If so, I will swap the router at my office to an ER-X as well and get rid of a nasty TP-Link. The office is much simpler, just a trusted network and a guest. Or is there a different ER that would do better? I am on a bit of a budget though.

Thanks for all your help!


Accepted Solutions
Member
Posts: 736
Registered: 09-13-2018
Kudos: 138
Solutions: 48

Re: Site-to-Site VPN recommendation

20 Mbps shouldn't be an issue. But how much traffic is there between the 4 VLANs? All inter-VLAN traffic has to be routed, and that has a much larger chance of affecting performance than your 20 Mbps WAN connection.

Is performance good now?

For the 5 Mbps work connection, the ER-X will be the cheapest Ubiquiti solution, and it should have enough power, even if you use a CPU-intensive VPN like OpenVPN.

Your VPN connection will be slower than the slowest end, so don't expect more than 3-4 Mbps over the VPN connection.


All Replies
New Member
Posts: 27
Registered: 04-17-2018

Re: Site-to-Site VPN recommendation


@BuckeyeNet wrote:

20 Mbps shouldn't be an issue. But how much traffic is there between the 4 VLANs? All inter-VLAN traffic has to be routed, and that has a much larger chance of affecting performance than your 20 Mbps WAN connection.

Is performance good now?

For the 5 Mbps work connection, the ER-X will be the cheapest Ubiquiti solution, and it should have enough power, even if you use a CPU-intensive VPN like OpenVPN.

Your VPN connection will be slower than the slowest end, so don't expect more than 3-4 Mbps over the VPN connection.


Great, thanks for answering my main question.

As for the other question of how much traffic goes between my VLANs, not much yet... One of them is completely segregated and can only access the internet, another is for my IoT stuff, I have one for my trusted LAN, and I was thinking of adding one for my servers (I have 3), but I think that is a little overkill. So there isn't really that much that goes between VLANs other than if I add one for my servers. Performance right now is great, I get around 950-980 Mbps between my NAS and desktop; however, they are on the same VLAN for now.

New Member
Posts: 27
Registered: 04-17-2018

Re: Site-to-Site VPN recommendation

Should I look into getting a different ER at my house? Is there one that will better fit my needs?

Member
Posts: 736
Registered: 09-13-2018
Kudos: 138
Solutions: 48

Re: Site-to-Site VPN recommendation


@protechservices wrote:

As for the other question of how much traffic goes between my VLANs, not much yet... One of them is completely segregated and can only access the internet, another is for my IoT stuff, I have one for my trusted LAN, and I was thinking of adding one for my servers (I have 3), but I think that is a little overkill. So there isn't really that much that goes between VLANs other than if I add one for my servers. Performance right now is great, I get around 950-980 Mbps between my NAS and desktop; however, they are on the same VLAN for now.

Should I look into getting a different ER at my house? Is there one that will better fit my needs?


TL;DR summary: Your ER-X will almost certainly be fine, as long as you leave your NAS on your trusted network.

I don't know what the situation is in your home, but what is the reason you want to segregate the servers from the trusted "home" LAN? In other words, what restrictions would you place between the home LAN and the servers?

If there are not going to be any restrictions, or if there is another way to enforce the restrictions (firewall on the servers), I would be inclined to leave the servers on the trusted LAN (unless it isn't really trusted). That will give you better performance, especially on the ER-X, which is limited by a single-lane 1 Gbps connection between the CPU and the switch. Normally that isn't a problem, because traffic flows tend to be very asymmetrical. When you download a file, over 95% of the traffic will be in one direction; the only traffic in the other direction is the acknowledgement that packets have been received correctly.

If you want to put the NAS devices on their own network, and you have many clients, the ER-X may become a bottleneck. But you don't have to replace it until it becomes a problem. I have an ER-X at home with offload disabled, and I have around a 40/5 connection. If it becomes a bottleneck, and I had to choose from today's Ubiquiti products, I would choose an ER-12. But I would also consider a pfSense appliance, primarily because I miss the per-IP traffic stats I used to get with Tomato Shibby.

New Member
Posts: 27
Registered: 04-17-2018

Re: Site-to-Site VPN recommendation


@BuckeyeNet wrote:

TL;DR summary: Your ER-X will almost certainly be fine, as long as you leave your NAS on your trusted network.

I don't know what the situation is in your home, but what is the reason you want to segregate the servers from the trusted "home" LAN? In other words, what restrictions would you place between the home LAN and the servers?

If there are not going to be any restrictions, or if there is another way to enforce the restrictions (firewall on the servers), I would be inclined to leave the servers on the trusted LAN (unless it isn't really trusted). That will give you better performance, especially on the ER-X, which is limited by a single-lane 1 Gbps connection between the CPU and the switch. Normally that isn't a problem, because traffic flows tend to be very asymmetrical. When you download a file, over 95% of the traffic will be in one direction; the only traffic in the other direction is the acknowledgement that packets have been received correctly.

If you want to put the NAS devices on their own network, and you have many clients, the ER-X may become a bottleneck. But you don't have to replace it until it becomes a problem. I have an ER-X at home with offload disabled, and I have around a 40/5 connection. If it becomes a bottleneck, and I had to choose from today's Ubiquiti products, I would choose an ER-12. But I would also consider a pfSense appliance, primarily because I miss the per-IP traffic stats I used to get with Tomato Shibby.


Awesome! That's what I thought. I was considering moving it because I had heard somewhere that if my servers have open ports I should consider moving them to their own LAN. But I don't really see the need for that as of right now. I will leave them on my trusted LAN for the time being. If I had to upgrade I would probably go for the ER-12 like you, but I will cross that road when I get there.

Thanks for everyone's help.