10G routing

[NW4FUN]

Hello,

My ISP is upping my DIA from 1G/1G to 10G/10G. You may be wandering that’s an overkill for a home environment, however let’s say in Switzerland we’re a bit spoiled from that perspective...

My question is the following:

Provided my whitebox is HW capable of handling 10G, from both a CPU and SFP+ (WAN, LAN) perspective, is untangle capable of routing 10G? If so, any particular configurations I shall be considering?

My topology is the following:

10G fiber ISP -> SFP+ in -> Untangle -> SFP+ out -> mGbit Switches -> APs WiFi 6

[sky-knight]

If the hardware can push it, Untangle will route it.

The rub is... I've never seen anything smaller than a hex core Xeon with 24gb of RAM keep up with that.

[tjk]

I've been able to push a full 10G of pure iperf traffic, no apps turned on - no IPS, scanning, etc etc etc.

If I have bypass turned on, my cpu's don't even break a sweat, if I don't have bypass rules turned on, my cpu's across the box sit at about 50% as the traffic is going through the UVM. Latency goes up really high on packets going through the UVM since it has to scan all that traffic.

My use case is more traditional firewall in front of VM's (web servers) - so I'm not concerned about user control, bw control, etc. Trying to find a replacement for Sophos as I really like the central mgmt that UT offers compared to Sophos. So my use case is probably a bit different than most users on these forums or really for most UT use cases.

Perhaps I'm trying to fit a square peg in a round hole, not sure yet. Some stuff I love, some stuff is just like "what were they thinking!"

[sky-knight]

Oh yeah it's trivial to get wire speeds with iPerf... getting those kinds of wirespeeds with all the modules actually working now... that's a different reality, and it's so different that it makes iPerf testing almost worthless.

[tjk]

Agree with you, but I don't have a use case for all those modules, basic port fwd'ing, blocking, etc. Like I said in my previous post, I'm probably not the target audience for UT, but I love the central point of mgmt CC offers, and the ability to license month to month for our customers and such is not many other FW vendors do, or do well.

[sky-knight]

Yeah the primary value points for me are Reports, Web Filter, and the VPN terminators. Wireguard is still basically 1.0 so it needs some work, but having that insanely mature OpenVPN module, and a workable IPSec / L2TP terminator on the same router? It's the most flexible thing ever. I've been doing SDWAN with Untangle long before SDWAN was even a thing, and with Wireugard actually working correctly a whole new world opens up.

Central Management is handy, but not a deal breaker for me. It depends on the client, and having some decentralized infrastructure isn't too bad. Besides, my RMM does the central connecting for me, and that too is open source.

[tjk]

Yeah the primary value points for me are Reports, Web Filter, and the VPN terminators. Wireguard is still basically 1.0 so it needs some work, but having that insanely mature OpenVPN module, and a workable IPSec / L2TP terminator on the same router? It's the most flexible thing ever. I've been doing SDWAN with Untangle long before SDWAN was even a thing, and with Wireugard actually working correctly a whole new world opens up.

Central Management is handy, but not a deal breaker for me. It depends on the client, and having some decentralized infrastructure isn't too bad. Besides, my RMM does the central connecting for me, and that too is open source.

What are you using for SDwan, the SDwan product or the NGFW? I looked at the SDwan product, but from what I saw on the videos and with some testing, their SDwan product wants to be the termination point in the on-prem network, and most of our customers already have a FW on prem they aren't willing to swap out, so it would have to live behind their firewall, which is a pita.

Sophos has the RED device, which works behind customer firewalls and works well. I didn't have to convince customers to replace their fw, and would just drop in a RED device into the network. Was like extending a layer2 cable from fw to RED.

Also curious, what opensource RMM product are you using, and I assume you like it based on your comments?

[NW4FUN]

If the hardware can push it, Untangle will route it.

The rub is... I've never seen anything smaller than a hex core Xeon with 24gb of RAM keep up with that.

That seems a bit too high for a bunch of home users and a total of ~45 devices.
At the moment I have a i5 with 8G ram and cpu stats never go over 0.4 utilisation with ram at just 34%

Apps running are:

Policy manager
Firewall
IPS
Anti virus
SSL inspection
Web filter
Application control
Bandwidth control
TP
Captive portal

Don’t you think it’ll be able to handle 10G?

[sky-knight]

That seems a bit too high for a bunch of home users and a total of ~45 devices.
At the moment I have a i5 with 8G ram and cpu stats never go over 0.4 utilisation with ram at just 34%

Apps running are:

Policy manager
Firewall
IPS
Anti virus
SSL inspection
Web filter
Application control
Bandwidth control
TP
Captive portal

Don’t you think it’ll be able to handle 10G?

No, I don't. And your expectations are utterly bonkers. Just because you're in a "home" environment doesn't change the fundamental requirements of the software and the nature of the work you're doing. There's a reason why every other UTM that does this work offloads all of it to the cloud somewhere. The fact that Untangle doesn't is part of its primary value, but that change comes with a direct cost in hardware.

Besides, I HIGHLY doubt that i5 of your has the PCIe lanes to handle 10gbit interfacing at all. Also, what are you using for storage? SATA is 1gbit... How are you going to log 10gbit worth of traffic with 1gbit to the disk? Untangle's reporting, is amazing and yet a huge technical liability here.

You haven't even gotten started on the problem yet... but you will see it clearly if you attempt it.

[sky-knight]

What are you using for SDwan, the SDwan product or the NGFW? I looked at the SDwan product, but from what I saw on the videos and with some testing, their SDwan product wants to be the termination point in the on-prem network, and most of our customers already have a FW on prem they aren't willing to swap out, so it would have to live behind their firewall, which is a pita.

Sophos has the RED device, which works behind customer firewalls and works well. I didn't have to convince customers to replace their fw, and would just drop in a RED device into the network. Was like extending a layer2 cable from fw to RED.

Also curious, what opensource RMM product are you using, and I assume you like it based on your comments?

Forgive me, but I'm not in the habit of giving away trade secrets, much less in public. I have an MSP to operate as well and what you're asking is really privileged information. I will simply say this... SDWAN is a waste of time, if you're thinking in those terms you're off target. And no, I do not use, nor do I sell, nor do I even really consider in any productive way Untangle's SDWAN product as a result. They don't get it either... a fact that hurts NGFW severely.

I will say my process doesn't care what firewall the client has on premise, or even if they HAVE a firewall on premise. I don't need it... I'd love an NGFW at the HQ and any main branches that have 20+ people at them. But smaller offices work just fine with whatever China junk router they get from Walmart. I will also say all the core technology I use is open source. Well except the Microsoft stuff... can't live without Win10 and M365/Azure.

SASE is the buzz word... SDWAN was 5 years ago.