Hi @Radmeister  @MR.S 

Thanks for posting in our business forum.

Radmeister wrote

  @MR.S 

 

Their specs make no sense, Wireguard 1411 Mbps, OpenVPN 4424.1 Mbps....To me it seems like for Wireguard they are giving you best case scenario PER tunnel. For OpenVPN it looks like they are giving you the TOTAL. From the logs i can see both protocols run on a single core. So for OpenVPN 4424.1/4 = 1106 Mbps per user. I was seeing much less, like 1/3 of that.

 

For Wireguard I was seeing closer to the advertised speed, but still about 40% short, which could be a difference in testing, their numbers might be on LAN using IPerf3 with a higher MTU....Actually using it to connect through the internet remotely is different because in the best case scenario your MTU is locked to 1460. In my case i am locked to 1474 by ISP, then subtract another 40 for vpn overhead = 1434 mtu on vpn connection.

 

I'm seriously considering turning the ER8411 into a smart switch and for the omada controller and buying a Minisforum MS-01 and putting it infront of it. Have the MS-01 do the PPPoe, DHCP routing, VPN.

 

Edit:

 

See https://github.com/cyyself/wg-bench - no way we can hit those speeds, the ER8411 is closer to a Raspberry Pi4 overclocked to 2ghz, so around 1020 Mbps maybe 10% more because we are at 2.2ghz, so 1122 Mbps which minus my MTU loss is about 1072 Mbps, which is pretty close to what i was seeing. Now... Wireguard is 3.2x faster than OpenVPN, so 335Mbps, which is pretty much right where I saw my highest result.

Just point out that even though you have a super powerful CPU does not mean that your device can de- and encryption well enough to go beyond the limit. There is no chipset on the computer to de- and encrypt like the router. You might have a module, but you have to refer to your CPU vendor specs and check if the environment is ready for acceleration.

As you know, both of you are very sophisticated network and computer geeks, the hyped concept now is AI CPU, with an extra chipset for AI generation. So does the VPN which requires the extra chip for the de- and encryption.

I did a test with the 8-core CPU, just a generic latest gen of AMD. On that PC, I don't get more than 600Mbps as an OVPN client to the ER8411 where another PC is the iperf server.

I asked the team about this and basically, all the computers we have to test have the same limit of 500-600Mbps speed.

Proper test methodology for you two to clear misconceptions up:

Use two ER8411, one client, and one server, and use two machines to iperf that. With a gigabit port, you should get a decent speed over the result you see now.

If you pair up ER8411 and the rest of other products of Omada, which do not have any better performance than hundreds of Mb, you definitely would not get some good results.

Hi @Radmeister 

Thanks for posting in our business forum.

Radmeister wrote

  @Clive_A 

Are you doing your testing between two ER8411 on lan or over internet? If you are on LAN you can cheat and set all the MTUs higher and get more performance.

 

Thats kind of an irrelevant test because why would anyone run a VPN tunnel on LAN. Whole point is to securely access a remote site. 
 

My setup is 3000Mbps/3000Mbps fibre (line speed is actually 3400/3200Mbps going into the ER8411 10gb sfp using an authentic tp-link sfp to rj-45 transceiver. In the ER8411 I have the OC-300 controller, a bunch of printers and other appliances that don't need more than 1gb. Then I have the tp-link sfp to sfp 10gb cable going into the TP-link Omada 2.5gb POE switch. All the computers on the 2.5gb switch hit 2.5gb on all speed tests. I also have a Omada EAP690e HD plugged into the switch and on wifi I hit about 1.6gbps. So I don't think anything is wrong with my setup.

 

I am quite confident that my 13950HX CPU with 64gb of ram and pcie gen 4 nvme should get more than 300Mbps on OpenVPN and more than 1Gbps on Wireguard when there are celeron based routers hitting multi gig speeds. There is either something is wrong in your software or your numbers are incorrect. Theoretically it should not be possible for your OpenVPN speeds to be 3x higher than Wireguard, should be the other way around, also unless you have a hardware accelerator that is not listed in the specs, there is no way that a A72 4 core at 2.2ghz would hit the advertised OpenVPN speeds. Had I done more research I would have purchased the Minisforum MS-01 from the start.

 

I would seriously love to see an Iperf3 test, site to site over internet showing anywhere close to 4000Mbps single user OpenVPN performance. My bet is you won't hit anything above 350Mbps, I wasn't even consistently getting that and my site to site latency is 4ms. The fact you didn't get above 600Mbps in your testing at the very least proves the specs are wrong - like wayyyy wrong, 7x wrong.

1. The test should be the maximum performance. It does not really matter if it is WAN or LAN. The datasheet should reflect the max speed of the capability of a product.

Why it is irrelevant?

2. Intel and AMD both support CPU acceleration for AES but unless you find it and enable it. I did not try it on my PCs but you should do that.

3. Powerful CPU does not mean anything. I got an AMD 5600G and 5800x, 8-core AMD mobile 8840HS and 14900HX mobile, and Pi5(8G), which means nothing to the acceleration as there is no option to accelerate. GPU acce is not an option as well. I got things from 4090 to 4060. I am thinking about a NUC like Minisforum but nowadays pre-built computers do not have extra chips for acceleration. I am running an Openwrt with several cores on 5600G.

CPU does not even use all the cores to de/encrypt.

As my office test bench is not 10G port, the computer belongs to the company property, so I cannot use 10G NIC on it. Gigabit and will use my own laptop to test that 1Gbps speed.

I requested another 8411 and am waiting to check the inventory. I'll try out the test when I have an environment.

Hi @avpopov1977 

Thanks for posting in our business forum.

avpopov1977 wrote

  @Clive_A 

 

Hello dear 8411 developers! I found some time for composing Total bug-report.

Most of the bugs I found migrated from 6120 router that I utilised for 5 years.

I will mark bugs OLD as from 6120 and NEW as found in 8411 only, 

I will range bugs from most serious to cosmetical.

 

1. NEW. CPU extra loads when any of interfaces changing/enabling/disabling. All the traffic will hangs at this time at all other WANs. The same situation is when enabling/disabling Policy Routes, but this is caused only for Traffic to exact route that enabling/disabling.

 

2. NEW. OpenVPN and WGuard clients have no Interface for Static or Policy routing. Older L2TP/PPTP could be used in the routing.

 

3. OLD. Policy Routing is going to works wrong after few hours of operating. Some of LAN users got Policy Routing gateway as a Default gateway, this bug is very specific and I'm not shure that you can simulate it without traffic from 100+ users and 30+ Policy Routings.. All other users have a problems with random site browsing. Trace Route is works correctly at this moment. I leave only 4 Policy Routings and re-setupped 30+ Static Routing => works fine. The problem could be temporary solved by pressing disable/enable button for the exact Policy Route.

 

4. OLD. DHCP Problem. If to resetup MAC for some of my 100+ user it will caused problem in ~50% of the cases. User will not get IP binded for his new MAC at his old IP. Problem is solved by 8411 (6120) rebooting but it so looong rebooting..

 

5. OLD. Online Detection. Dynamic IP WAN will not going back online after been ofline more than ~15 mins if WAN interface was UP (LAN signal is on). WAN port must be UP all this 15 mins. No problem if WAN port gone down (LAN signal is off) and up after 15 mins. Also sometimes WAN provider is loosing 40-50-60% of the packets and still could be detected as ONLINE. Please add some Persantage of LOSS to accept WAN as Online. For example if Loss > Y% then WAN is Offline. Y% is variable by me.

 

6. NEW. OpenVPN server clients traffic Ignoreing static/policy routing. All the traffic from OpenVPN users gone to Default gateway only, never by static/policy route.

 

7. (Cosmetic) DPI statistics calculating wrong and could not be resetting.

8. (Cosmetic) SFP+ WAN1 is not used but dispayed in Statistics.

 

Thanks for reading this. If someone have the similar bugs please add your cases.

Best Regards.

Some are not bugs but normal features or expected behavior of the device.

1. Normal.

2. They don't support PBR and Static Routing yet. PBR is expected to be on V5.15.
If you are new to the forum, please kindly visit the request page for existing requests.

3. You can start a new thread with the details posted. There is no feedback ranges from the basic model to the 8411. I think there must be some misunderstanding in your test.

As you mentioned if the traceroute is working properly then this means the feature is working normal. Unless you are providing something else in your new thread if you think you'd follow this up.

4. Start a new thread to illustrate this. Just FYI, if your imported IP-MAC binding or reserve anything, you should reconnect the clients so they refresh the IP addresses. Not sure if you didn't refresh it.

Long rebooting is normal when the configs increase. The more config you have to load, the longer bootup time that is.

5. Start a new thread. I require an illustration and your verification steps and results. I require this information for the points above and below.

You can read this before you start a new thread: Common Questions About the Load Balancing, Link Backup(Failover) & Online Detection

6. It does not support. Repeated in point 2. And note that the OVPN is determined by the server tunnel mode. If you have any questions on this, please check out the OVPN docs.

7. How do you judge and conclude this result?

I mean the DPI calculates the packets and you have more accurate stats by digging the packets? Which concludes and consists of your comment?

8. As long as a port is defined as WAN, it will display in the WAN stats. What do you mean?

Hi @avpopov1977 

Thanks for posting in our business forum.

avpopov1977 wrote

  @Clive_A 

 

Hello! can you connect p2p to me please?

I've tried to wright personal message but it was rejected by forum.

What do you mean? My message is not open to others.

If you have steps to illustrate, please place them publicly. I do not offer private support.

If you need to put this off the record, forum, you can contact the support team.

Please mosaic your sensitive information. Here is a list of information considered sensitive:

1. Public IP address on your WAN if your WAN is.

2. Real MAC address of your device.

3. Your personal information including address, domain name, and credentials.

For troubleshooting purposes, when a WAN IP is needed, please leave some values visible for identification.