
Thread: 10G routing

  1. #1
    Newbie
    Join Date
    Feb 2021
    Posts
    14

    10G routing

    Hello,

    My ISP is upping my DIA from 1G/1G to 10G/10G. You may be wondering that’s an overkill for a home environment, however let’s say in Switzerland we’re a bit spoiled from that perspective...

    My question is the following:

    Provided my whitebox is HW capable of handling 10G, from both a CPU and SFP+ (WAN, LAN) perspective, is Untangle capable of routing 10G? If so, any particular configurations I shall be considering?

    My topology is the following:

    10G fiber ISP -> SFP+ in -> Untangle -> SFP+ out -> mGbit Switches -> APs WiFi 6

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,228


    If the hardware can push it, Untangle will route it.

    The rub is... I've never seen anything smaller than a hex core Xeon with 24gb of RAM keep up with that.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    tjk
    Untangler
    Join Date
    Apr 2021
    Posts
    46


    I've been able to push a full 10G of pure iperf traffic, no apps turned on - no IPS, scanning, etc etc etc.

    If I have bypass turned on, my CPUs don't even break a sweat; if I don't have bypass rules turned on, my CPUs across the box sit at about 50% as the traffic is going through the UVM. Latency goes up really high on packets going through the UVM since it has to scan all that traffic.

    My use case is more traditional firewall in front of VMs (web servers) - so I'm not concerned about user control, bw control, etc. Trying to find a replacement for Sophos as I really like the central mgmt that UT offers compared to Sophos. So my use case is probably a bit different than most users on these forums or really for most UT use cases.

    Perhaps I'm trying to fit a square peg in a round hole, not sure yet. Some stuff I love, some stuff is just like "what were they thinking!"

  4. #4
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,228


    Oh yeah it's trivial to get wire speeds with iPerf... getting those kinds of wirespeeds with all the modules actually working now... that's a different reality, and it's so different that it makes iPerf testing almost worthless.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #5
    tjk
    Untangler
    Join Date
    Apr 2021
    Posts
    46


    Agree with you, but I don't have a use case for all those modules, basic port fwd'ing, blocking, etc. Like I said in my previous post, I'm probably not the target audience for UT, but I love the central point of mgmt CC offers, and the ability to license month to month for our customers and such is something not many other FW vendors do, or do well.

  6. #6
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,228


    Yeah the primary value points for me are Reports, Web Filter, and the VPN terminators. WireGuard is still basically 1.0 so it needs some work, but having that insanely mature OpenVPN module, and a workable IPSec / L2TP terminator on the same router? It's the most flexible thing ever. I've been doing SDWAN with Untangle long before SDWAN was even a thing, and with WireGuard actually working correctly a whole new world opens up.

    Central Management is handy, but not a deal breaker for me. It depends on the client, and having some decentralized infrastructure isn't too bad. Besides, my RMM does the central connecting for me, and that too is open source.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  7. #7
    tjk
    Untangler
    Join Date
    Apr 2021
    Posts
    46


    Originally Posted by sky-knight:
    Yeah the primary value points for me are Reports, Web Filter, and the VPN terminators. WireGuard is still basically 1.0 so it needs some work, but having that insanely mature OpenVPN module, and a workable IPSec / L2TP terminator on the same router? It's the most flexible thing ever. I've been doing SDWAN with Untangle long before SDWAN was even a thing, and with WireGuard actually working correctly a whole new world opens up.

    Central Management is handy, but not a deal breaker for me. It depends on the client, and having some decentralized infrastructure isn't too bad. Besides, my RMM does the central connecting for me, and that too is open source.

    What are you using for SDwan, the SDwan product or the NGFW? I looked at the SDwan product, but from what I saw on the videos and with some testing, their SDwan product wants to be the termination point in the on-prem network, and most of our customers already have a FW on prem they aren't willing to swap out, so it would have to live behind their firewall, which is a pita.

    Sophos has the RED device, which works behind customer firewalls and works well. I didn't have to convince customers to replace their fw, and would just drop in a RED device into the network. Was like extending a layer2 cable from fw to RED.

    Also curious, what open source RMM product are you using, and I assume you like it based on your comments?
    Last edited by tjk; 04-10-2021 at 06:19 PM.

  8. #8
    Newbie
    Join Date
    Feb 2021
    Posts
    14


    Originally Posted by sky-knight:
    If the hardware can push it, Untangle will route it.

    The rub is... I've never seen anything smaller than a hex core Xeon with 24gb of RAM keep up with that.

    That seems a bit too high for a bunch of home users and a total of ~45 devices.
    At the moment I have an i5 with 8G ram and cpu stats never go over 0.4 utilisation with ram at just 34%

    Apps running are:

    Policy manager
    Firewall
    IPS
    Anti virus
    SSL inspection
    Web filter
    Application control
    Bandwidth control
    TP
    Captive portal

    Don’t you think it’ll be able to handle 10G?

  9. #9
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,228


    Originally Posted by NW4FUN:
    That seems a bit too high for a bunch of home users and a total of ~45 devices.
    At the moment I have an i5 with 8G ram and cpu stats never go over 0.4 utilisation with ram at just 34%

    Apps running are:

    Policy manager
    Firewall
    IPS
    Anti virus
    SSL inspection
    Web filter
    Application control
    Bandwidth control
    TP
    Captive portal

    Don’t you think it’ll be able to handle 10G?

    No, I don't. And your expectations are utterly bonkers. Just because you're in a "home" environment doesn't change the fundamental requirements of the software and the nature of the work you're doing. There's a reason why every other UTM that does this work offloads all of it to the cloud somewhere. The fact that Untangle doesn't is part of its primary value, but that change comes with a direct cost in hardware.

    Besides, I HIGHLY doubt that i5 of yours has the PCIe lanes to handle 10gbit interfacing at all. Also, what are you using for storage? SATA is 1gbit... How are you going to log 10gbit worth of traffic with 1gbit to the disk? Untangle's reporting is amazing and yet a huge technical liability here.

    You haven't even gotten started on the problem yet... but you will see it clearly if you attempt it.
    Last edited by sky-knight; 04-11-2021 at 06:36 AM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  10. #10
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,228


    Originally Posted by tjk:
    What are you using for SDwan, the SDwan product or the NGFW? I looked at the SDwan product, but from what I saw on the videos and with some testing, their SDwan product wants to be the termination point in the on-prem network, and most of our customers already have a FW on prem they aren't willing to swap out, so it would have to live behind their firewall, which is a pita.

    Sophos has the RED device, which works behind customer firewalls and works well. I didn't have to convince customers to replace their fw, and would just drop in a RED device into the network. Was like extending a layer2 cable from fw to RED.

    Also curious, what open source RMM product are you using, and I assume you like it based on your comments?

    Forgive me, but I'm not in the habit of giving away trade secrets, much less in public. I have an MSP to operate as well and what you're asking is really privileged information. I will simply say this... SDWAN is a waste of time, if you're thinking in those terms you're off target. And no, I do not use, nor do I sell, nor do I even really consider in any productive way Untangle's SDWAN product as a result. They don't get it either... a fact that hurts NGFW severely.

    I will say my process doesn't care what firewall the client has on premise, or even if they HAVE a firewall on premise. I don't need it... I'd love an NGFW at the HQ and any main branches that have 20+ people at them. But smaller offices work just fine with whatever China junk router they get from Walmart. I will also say all the core technology I use is open source. Well except the Microsoft stuff... can't live without Win10 and M365/Azure.

    SASE is the buzz word... SDWAN was 5 years ago.
    Last edited by sky-knight; 04-11-2021 at 06:36 AM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
