
  1. Post
    #1

    Ubiquiti Edgerouter X or Lite 3 - help recommendations

    So my home setup needs replacing and I'm thinking these all in one/gaming routers just aren't cutting it for me any more.

    I'm looking at switching to Ubiquiti Edgerouter X or Lite 3 with a wireless AC access point. To me it makes sense to use a Ubiquiti access point at the same time; depending on the router I choose I can power it using the built-in POE or an injector.

    Has anyone had experience with these 2 devices lately? I say lately as over time there may have been improvements in firmware etc., but any recommendations welcome. I'm looking for help basically in making the decision between the two.

    What I'm looking for:

    WAN that will handle 200/200 fibre - occasionally I bump this up to Gig if I'm going to host a lan.

    Can handle 10 to 15 port forward rules
    Able to do hairpin nat/reflection
    Run a VPN server - IpSec/maybe Open VPN for remote access, with the use of a local userlist and not a radius server.
    DHCP server that allows you to assign an internal IP other than the router itself - looking at you D-Link firmware.

    Central management of the attached Access point.
    I'm guessing that in this day and age if I use an AP made by Ubiquiti then it can be centrally managed/monitored in the web interface? Is this a thing or does it require some sort of network management software installed on a PC? I'm not interested in the Unifi range as a whole, I'd then need to buy their cloudkey and from what I'm hearing a lot of functionality is stripped out of its interface, requiring you to go into the CLI anyway.

    For an access point I'm thinking an Aircube AC (https://www.gowifi.co.nz/wireless/acb-ac.html)
    Partly because where I have space for it, it's going to look better than a big flying saucer like the AC-Lite, but also it gives me a few more Gig Ports that I can use without adding yet another switch to the stack.

  2. Post
    #2
    I had Edgerouter X-SFP and a Unifi AP, was rock-solid. The AP doesn't have its own web UI, so needs to be managed by a server (if you don't go with the cloud key).

    Only changed because I wanted to switch to mesh (went with Google WiFi which has been great, did consider Ubiquiti's option here but don't think it supported ethernet backhaul which I wanted).

  3. Post
    #3
    Run a VPN server - IpSec/maybe Open VPN for remote access, with the use of a local userlist and not a radius server.
    Be aware with the ER-X that you can't run more than 10mbps with OpenVPN due to it having no hardware acceleration. A Raspberry Pi could run OpenVPN better than an Edgerouter. The speed's also extremely inconsistent (possibly dropping packets?). I don't know about the Lite 3 (I suspect it's not that much faster) but I found out the hard way with the ER-X it's not worth the effort.

    I also believe they stuffed up IPSec hardware acceleration in one of the later updates that enabled StrongSwan as well.

  4. Post
    #4
    10MBit - wow, can it not do some sort of hardware offloading, even for software that's pretty bad. I have Raspberry Pis on my network but I want the VPN to be able to get in so I can reboot them or change a port forward if they have an issue - some of the services I'm experimenting with on them are.... beta so less than stable sometimes.

  5. Post
    #5
    XenoM wrote:
    10MBit - wow, can it not do some sort of hardware offloading, even for software that's pretty bad. I have Raspberry Pis on my network but I want the VPN to be able to get in so I can reboot them or change a port forward if they have an issue - some of the services I'm experimenting with on them are.... beta so less than stable sometimes.
    Nope, no hardware offload for OpenVPN, a quick google shows there's no OpenVPN hardware offload for anything in the Edgerouter lineup either. Should be fine if you wanna get in for some basic maintenance stuff but if you wanna stream anything (like I did) it's definitely a no-go.

  6. Post
    #6
    Sorry for all the questions.

    Were you able to define local users or cert for OpenVPN or did you need a radius server? Watching some YouTube vids, the configuration was in the Web Interface, but if you have SSH into the CLI I imagine you can pretty much do what you want.

    Well generally yeah I guess 10MBit would cover basic tasks, I also have some IP cams I might want to look in on which I don't want to just expose to the web. I could lower their streaming rate I guess.

    I'm guessing you went the RPi route yourself for the VPN?

    Sounds like both DW and yourself went with the X models. Is that the way to go - VPN aside?

  7. Post
    #7
    XenoM wrote:
    10MBit - wow, can it not do some sort of hardware offloading, even for software that's pretty bad. I have Raspberry Pis on my network but I want the VPN to be able to get in so I can reboot them or change a port forward if they have an issue - some of the services I'm experimenting with on them are.... beta so less than stable sometimes.
    edgerouters (like almost all other routers) do IPSec hardware offload. i don't think you could even buy a device that does openvpn offload if you looked for it.

    if you want to use openvpn (particularly for streaming video) you really should use a dedicated server, or go overkill with something like an ER-4 minimum.

  8. Post
    #8
    IPSec is fine for me, was a toss up on which VPN solution to use. I guess this is now answered.

    So all that aside... I can get the ERX for around $120 new, ERL about $185 but there is a second hand ERL on Tardme for $70 which is tempting but I would like to go new - you never know if it's been running hot for extended periods of time and isn't half cooked.

    So with the choice being ERX or ERL - what's everyone's thoughts? Same same so save a few bucks or does the ERL have an edge over the ERX I'm not seeing?

  9. Post
    #9
    What's your requirement for using a VPN?

    You can use whatever VPN you want on your client machine(s). It does not, and in most cases should not, need to be a hardware one.

  10. Post
    #10
    VPN is just for occasional remote access to connect to something on my LAN or to have a peek at my IP cameras. This part seems to be all sorted now, IPSec is hardware offloaded on both of these devices so should get enough throughput to achieve this.

  11. Post
    #11
    sorceror wrote:
    edgerouters (like almost all other routers) do IPSec hardware offload.
    How do you do this with NordVPN? I can't seem to find any good tutorials on it.

  12. Post
    #12
    XenoM wrote:
    VPN is just for occasional remote access to connect to something on my LAN or to have a peek at my IP cameras. This part seems to be all sorted now, IPSec is hardware offloaded on both of these devices so should get enough throughput to achieve this.

    Oh ok. I thought you were meaning outbound VPN, i.e. to browse the internet on a different IP address.

    Can you not set up a Linux box within your internal LAN with a public facing static IP address to remote into? Or is there something I am not understanding here?

  13. Post
    #13
    BURN_BABY wrote:
    How do you do this with NordVPN? I can't seem to find any good tutorials on it.
    NordVPN is total garbage. I'd suggest using something like Mullvad.

  14. Post
    #14
    Lethargic wrote:
    NordVPN is total garbage. I'd suggest using something like Mullvad.
    I mean, the process for setting them up for IPSec should be the same, I just can't find the right tutorial for any external VPN.

  15. Post
    #15
    BURN_BABY wrote:
    How do you do this with NordVPN? I can't seem to find any good tutorials on it.
    never tried, but should be possible from what i'm reading. may need to tinker with the actual linux .conf files to get it working.

  16. Post
    #16
    sorceror wrote:
    never tried, but should be possible from what i'm reading. may need to tinker with the actual linux .conf files to get it working.
    Yeah, there are some forum posts (like this one) that get you about 90% of the way there before chucking up an error. It's a bit beyond my knowledge, I'm afraid.

  17. Post
    #17
    It's because the likes of NordVPN expect your end to operate as a client, probably in Aggressive mode (most *nix ipsec stacks only seem to like main mode), and will only support a single remote host in the policy/peer mapping (as opposed to a subnet).

  18. Post
    #18
    Vulcan wrote:
    It's because the likes of NordVPN expect your end to operate as a client, probably in Aggressive mode (most *nix ipsec stacks only seem to like main mode), and will only support a single remote host in the policy/peer mapping (as opposed to a subnet).
    People have got it working as a client but they keep getting up to the 'juicy' bit in their posts and say 'oh, now you can figure out the rest, I got it working on mine'. Like yeah, thanks. I doubt how reliable it would be in any case, seems like the Edgerouter falls over whenever you want something even slightly out-of-the-box.

    Perhaps the most frustrating thing is that I was gonna grab a different router until GP swayed me into buying a Ubiquiti for its OpenVPN capability. Apparently 10mbps non-hardware accelerated with constant dropouts and no official support for a L2TP client is "far more reliable than those NightHawk or TP Link consumer grade gear."
    Last edited by BURN_BABY; 13th November 2019 at 1:56 pm.

  19. Post
    #19
    L2TP client capability on any edge device (router or firewall) is not a common feature.

  20. Post
    #20
    Vulcan wrote:
    L2TP client capability on any edge device (router or firewall) is not a common feature.
    Fair point, but it's undeniable in my case that I would've been far better off spending the ~$100 I spent on an ER-X to get a RPi which gets 30-40mbps on OpenVPN, or spending a bit more for a user-friendly AsusWRT/Merlin router or a cheap NUC. Recommending an ER-X for someone who exclusively wants something that works on OpenVPN is utterly moronic.

    Not aiming this at you at all but saying "Feel free to get one though, just don't come crying when your VPN is constantly disconnecting :P " (in reference to Linkzor regarding getting AsusWRT instead) when you obviously have no experience with running OpenVPN on any Edgerouter is just being an utter troll.

    It's so frustrating wading through the crap to actually find someone who has experience with this use-case rather than blindly recommending ubiquiti for absolutely everything. They're great but not that great.
    Last edited by BURN_BABY; 13th November 2019 at 2:41 pm.

  21. Post
    #21
    Well I'm not a ubiquiti fan anyway. OpenVPN is SSL anyway, most router chipsets have IPSEC hardware acceleration but no TLS/SSL acceleration. So expecting OpenVPN to suck on shit-tier routers is expected.

    I would have pointed to some cheap Fortigates (or Sonicwalls or Junipers) on trademe, you can currently pick up 80Cs for < $200 which do 140Mbps IPSEC and 70Mbps SSL VPN.

  22. Post
    #22
    my APU2c4 (https://teklager.se/en/knowledge-bas...n-performance/ for this use case, fwiw)

  23. Post
    #23
    pfSense/opnSense running on a system with Intel NICs (do not use Realtek NICs, they work but will crash the system under load) can't be beat. As long as the CPU has AES-NI it can offload crypto and you can get almost line rate VPN throughput.

  24. Post
    #24
    Still the money you'd spend building the necessary box could be better spent on something with dedicated hardware for the task (e.g. ASICs/Caviums).

  25. Post
    #25
    Or, like, sub-$200 when the exchange rate is good. https://www.pcengines.ch/newshop.php?c=4