
Anon13d9a
@videotron.ca

Anon13d9a

Anon

Whole Home VPN Router. What are u using and seeing with your ISP?

Trying to port the "Whole Home VPN Router" talk here from pages 3-4 of this topic »Bell lobbying for criminalization of copyright as part of NAFTA negotiations

Hope the mods will allow this hardware talk with Canadian ISP's to see what people are using, what people are trying with various Canadian ISP's, and what they are getting from their Canadian ISP.

I'm curious if we will find certain ISP's being slower.

For those who have seen talk and had questions about going this route, then this topic will be for you to ask away. This could be a place to maybe see what fits your budget and if worth doing.

Also, I am very aware of Bell's DPI (and the patent on it) that tries to identify the encrypted traffic and classify it and classify the traffic type/use, so wondering if we will see diff speeds on same hardware due to the ISP one is using. Very interested in this.

If you use a whole home VPN router type set-up, and if you are comfy pasting what you have, VPN service used and your ISP, I think it could be interesting.
Pls share your knowledge to date.

My research had led me to the Netgear Nighthawk for lower cost (under $200), but more bugs and required firmware flash. Netgear forum people are telling people to get the Asus. While the more expensive Asus AC2900 AC86U being better. I snagged the Asus 2900 last week for 50$ off (and I had to travel to find it, was sold out everywhere)

The newer triple band Asus (think it is the Rog) was coming in at over 500$. Wasn't in my budget. Thus why I went AC86U.

Didn't pick a VPN provider yet. Will be NordVPN or Private Internet Access (PIA) I think, unless someone shows me better.

V good VPN specials on both the past week. Was seeing 32$/yr or ~90$/3yrs.

Anyhow... I blabbed enough, your turn
Vishwa
Premium Member
join:2015-03-03
Edmonton, AB

Vishwa

Premium Member

Windscribe, a Canadian based company, has worked well for me. One more to consider. I had NordVPN and PIA and I haven't seen any difference except the number of countries/servers. I also got the lifetime pro and wasn't sure how it would be. My thought was that for the price, if I used it for a year I am even and anything more would be bonus. So far it has worked well. Other things being equal (if you aren't looking for specific features) better to support a Canadian outfit.
Of course this may change if there is any change in Canadian law in the future. Also, you may consider flashing Merlin's firmware on your new Asus router. Has a few more features, specifically the ability to send some clients through VPN and others through ISP--policy based routing.
ve7alb
join:2013-08-06
Victoria, BC

1 recommendation

ve7alb to Anon13d9a

Member

to Anon13d9a
I have a Mikrotik RB3011 at my house and run a L2TP over IPSec tunnel to a CCR1009 which I have colo'd in a datacenter about 100km away. Latency between my house and the datacenter is about 20ms. I've been routing all my traffic over this tunnel for a few months now (mainly to use some routed IPv4 subnets on my home LAN) and notice that I get about 90% of my ISP's 75/7.5 speed. The rest of the speed discrepancy is due to the overhead of the tunnel. Added latency is negligible and I don't notice it.
DrGreg
join:2013-09-25

DrGreg to Anon13d9a

Member

to Anon13d9a
I've been using PIA for about 5 years now, and they've been mostly consistent during that time. Previously, I used BTGuard, but I had several issues during my time with them, ranging from being double billed, to a stretch of about 5 days where I couldn't connect at all.

I will say that they were on top of things once they were notified, but since I've gone with PIA, it's been much better. I do find that some of the major gateways (Toronto, New York) can have congestion issues, but most of the time, I get between 35-45Mbps on my 50Mbps connection.
HELLFIRE
MVM
join:2009-11-25

1 recommendation

HELLFIRE to Anon13d9a

MVM

to Anon13d9a
a) what is your internet pipe size, both up and down?

b) what (if any) is your budget? An actual figure, not an adjective / adverb.

c) what is your technical skill level? Just to get a better sense of what you'd be comfortable in dealing with.

d) which VPN protocol are you planning? Ipsec? SSL? OpenVPN? PPTP? Something else? A combination?

Honestly if you don't want your equipment to be the limiting factor, and if you're willing to invest the time, money, and effort, I'd get
something with more punch than 192.168.x.x kit. Specifically, look into the Ubiquiti EdgeRouter Lite or X (~$100USD), Mikrotik ($50 - $150),
or build a router/vpn on a spare computer with pfsense, Vyos, Untangle, etc.

My initial 00000010bits

Regards
bjlockie
join:2007-12-16
Ontario
Technicolor TC4350
Asus RT-AC56
Grandstream HandyTone 702/704

1 recommendation

bjlockie to Anon13d9a

Member

to Anon13d9a
said by Anon13d9a :

Also, I am very aware of Bell's DPI (and the patent on it) that tries to identify the encrypted traffic and classify it and classify the traffic type/use, so wondering if we will see diff speeds on same hardware due to the ISP one is using. Very interested in this.

Many IISPs don't throttle.

Anondd81b
@videotron.ca

Anondd81b

Anon

bjlockie, not speaking of the throttle. All traffic goes through the DPI and is fingerprinted. If it fails initial fingerprinting or not recognized, or the app initiating the data isn't fingerprinted etc it goes through a secondary loop for deeper analysis before being sent.

Am curious to see if this secondary data processing and fingerprinting is adding to the loss many people speak of. And then there are different levels of inspection... In turn, this causes packet loss, latency, lower speeds etc.

All this was in a patent for one of the many Bell DPI appliances I saw. So my curiosity isn't just the speed of a VPN & the processing power of the router, but also wondering if we can see a difference between ISP's themselves due to their hardware and the level of inspection being used. It's all additive losses.

So diff people using same set-up may show differences in what they see based on what ISP they use. This is what has my curiosity. Want to see if there is a diff. If one ISP is more aggressive than others etc.
Anondd81b

Anondd81b to ve7alb

Anon

to ve7alb
ve7alb, that's a nice set-up I expected to see from the more advanced users here.

Your latency and speed sound better than most of what I have read to date with standard commercial router-vpn setups.

Correct me if I'm wrong, the Mikrotik RB3011 = ~250$?
Mind if I ask the cost for the colo? Or a link to something similar?
Any limits or extra costs for usage?

Vishwa, thanks. Yes was looking at Merlin and specifically that feature.

HellFire, Yes, have 4 spare computers here. Plan on trying this when I find the time. But you know... laziness and time.
HELLFIRE
MVM
join:2009-11-25

1 edit

HELLFIRE to Anon13d9a

MVM

to Anon13d9a
said by Anondd81b :

Correct me if I'm wrong, the Mikrotik RB3011 = ~250$?

»mikrotik.com/product/RB3 ··· 1UiAS-RM -- $179.
said by Anondd81b :

but also wondering if we can see a difference between ISP's themselves due to their hardware and the level of inspection being used.

To be blunt, without knowing exactly WHAT DPI equipment Bell is using, much less other ISP networks, this is going to
go nowhere. Also, I highly doubt any ISP employee'd release the specifics of the make / model of DPI equipment being
used -- insert comment about "proprietary company information" and/or "trade secrets." That being said, hunting around
for vendors in the DPI field, I came across this. I've heard anecdotally that Sandvine is used by Shaw, but cannot confirm
the veracity of that information.
said by Anondd81b :

If it fails initial fingerprinting or not recognized, or the app initiating the data isn't fingerprinted etc it goes through a secondary loop for deeper analysis before being sent.

Not necessarily. Look up what a network SPAN or a network TAP is. TL;DR, for maximum network performance, it's a COPY
of the data stream that is made and sent to the DPI box for analysis / trending / etc. and that can be done at linerate -- 10Gbit/sec
and up.

But the qualifier again is without access and knowledge of the specifics of how Bell or any other ISP's network is set up, there's
no way to tell for sure.

Regards

Anon13d9a
@videotron.ca

1 recommendation

Anon13d9a

Anon

TY for finding the price, HellFire. What place is selling these? Can run encryption out of the box? Can use a VPN out of the box like the commercial routers such as the Netgear or Asus? I know nothing of this router you guys mentioned.

In regards to the DPI, yes, Bell stated it in a CRTC filing. Created by a Montreal guy (think Rogers or Bell were financially backing him and his project) then a US company bought it up. Anyhow, yes. I had all the info on it and where it was being used. And yes, there is more than one appliance along various routes. I can't recall the name off the top of my head, I would have to dig into my crtc filings. Was able to dig up the patents on it and look at how it was done. What I wrote above is more or less it.

Yes, they do mirror the data (think prism), But at what point they do this, I don't know or just can't recall. Pretty sure it was at a different stage.

Keep in mind, this is just one DPI at the incoming. As it goes on the data encounters more. But I only had the info for this specific one on incoming.

Wouldn't surprise me if it's all fingerprinted by now. At least the weaker "out of the box" 128-bit stuff. "ve7alb's" set-up is likely the most secure.

You can correct me if I'm wrong but think I recall reading L2TP is the better of the various methods, but also the slowest. Yet he is achieving damn good results.

EUS
Kill cancer
Premium Member
join:2002-09-10
canada

EUS to Anon13d9a

Premium Member

to Anon13d9a
Whole home VPN by router will mess up your ability to watch Netflix, as most, if not all US VPN providers have been flagged.
Been trying to set up my own VPN, by using the pfsense setup described by PIA, but am running into mental roadblocks.
ve7alb
join:2013-08-06
Victoria, BC

ve7alb to Anondd81b

Member

to Anondd81b
Yeah the 3011 runs about $200. I usually buy my Mikrotik gear out of Solimedia in Vancouver as they're geographically close.
No hardware crypto on the 3011, but the CPU is powerful enough to handle probably up to 100mbps - it hits about 60% CPU usage when running full tilt on my 75mbps cable line.

Colo's not particularly cheap, but if you're lucky deals for around $50/mo. can be had. I lucked out in that my ISP has a bunch of rack space and gives me a pretty decent deal on a couple U along with some blade servers. Bandwidth is a 1gbps shared connection and I haven't had any issues.

Another option would be to run a VPS as the VPN termination which would be significantly cheaper (starting at around $5/mo.) Bandwidth provided will vary, but 1-2TB is not an unreasonable expectation for a base plan.
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to Anon13d9a

MVM

to Anon13d9a
said by Anon13d9a :

What place is selling these?

»mikrotik.com/buy/northamerica
said by Anon13d9a :

Can run encryption out of the box?

said by Anon13d9a :

Can use a VPN out of the box like the commercial routers such as the Netgear or Asus?

Far as I know they do.
said by Anon13d9a :

I can't recall the name off the top of my head, I would have to dig into my crtc filings.

If you can find that and the name, it'd give significantly more information than speculation. Least with the name, you can track down
the actual company and product lineup.
said by Anon13d9a :

You can correct me if I'm wrong but think I recall reading L2TP is the better of the various methods, but also the slowest.

"Better" or "slower" in what way? Really comes down to usecase and preference. I can say that with VPN As A Service providers, OpenVPN
is the one they prefer and supply guides and support on. Ipsec, not so much, but not to say Ipsec is useless as a VPN protocol. Though
with the same breath I'd definitely avoid PPTP as it's very insecure in comparison -- look up "bruce schneier pptp weakness" for a fuller
technical explanation.

Regards

kevinds
Premium Member
join:2003-05-01
Calgary, AB

2 edits

1 recommendation

kevinds to HELLFIRE

Premium Member

to HELLFIRE
said by HELLFIRE:

mikrotik.com/product/RB3 ··· 1UiAS-RM -- $179.

USD vs CAD comes into play

Personally, I wouldn't go without hardware encryption acceleration on new routers unless your area is stuck at 6 mbps or less.

Even still, the RB750Gr3 is less than $100 and has hardware encryption acceleration.. Unless you are like me and require rack mount stuff.. Doesn't take much to attach a RB750 to a rack shelf either.

For VPN tech, I like OpenVPN for remote access to a network, but find that a

Edit: Ending of post was missing

*but find that IPsec works better for site-to-site. Yes, both can be used for either, these are my experiences.
HELLFIRE
MVM
join:2009-11-25

HELLFIRE

MVM

said by kevinds:

the RB750Gr3

Thanks for that kevinds, was trying to remember that one. BTW, I can't seem to find it on Mikrotik's product page any more... or is it under a different model # now?

Regards

Anondd81b
@videotron.ca

Anondd81b to EUS

Anon

to EUS
EUS, yes. Which is why "Vishwa" recommends that commercially available routers that function as a "whole home VPN router" be flashed to Merlin firmware so that one can create policies for various devices (one for a TV, desktops, mobiles etc). See "Vishwa's" post above.

So "out of the box" VPN routers like the Asus will have this issue. But it is 3 clicks to enable and disable the vpn. The Merlin firmware addresses this.

No clue if the Netgear 3rd party firmware does this as well. Worth finding out before buying for sure.

I am really in the dark with Mikrotik. Don't know if they will do this. Maybe HellFire or ve7alb will know. But seems like maybe it can.

And yes, a VPS may be another low cost solution.

HellFire:
The only thing I was getting at with the DPI is that each ISP may have its own lag & slowdown due to the fingerprinting and classification and it would be neat to try and capture this for the various ISP's, but takes testing.

In regards to the name of it, did a quick look on my end, no clue where I put it. This will bug me now till I find it. But, in the CRTC Bell RAP file, in procedural requests, there should be a reply to PIAC and that reply gives the name of it. But when I looked into it back then their website doesn't give much info at all to the public. It's kind of hush-hush "call for a test install". All the info is in the patent, which is also in the CRTC file by an intervenor.

So: Search crtc for "bell rap" go to the public proceeding of it. Click on procedural requests, look for the Bell reply to the request to get the name. Should be there. Then scan intervenors docs for "patent". There are a few patents for it.

From the above information Google has v old news available from when the guy started making it, Bell & Rogers investing in him, then the sale to the US. etc.
grand total
join:2005-10-26
Mississauga

1 recommendation

grand total to HELLFIRE

Member

to HELLFIRE
»mikrotik.com/product/RB750Gr3 Hiding in plain sight.
Vishwa
Premium Member
join:2015-03-03
Edmonton, AB

Vishwa to Anondd81b

Premium Member

to Anondd81b
I did use policy based routing on Netgear Nighthawk R7000 using DD-WRT. I then changed to Asus RT-AC3100 for a faster CPU (1.4 vs 1 GHz) and more important for the traffic data statistics that Merlin firmware provides. Until very recently I only had 50Mbps service. I now have 150Mbps.

kevinds
Premium Member
join:2003-05-01
Calgary, AB

1 recommendation

kevinds to HELLFIRE

Premium Member

to HELLFIRE
said by HELLFIRE:

or is it under a different model # now?

Marketing name is hEX, but the marketing name stays the same across different models, the model is the model.. hEX used to be the RB750Gr2, which doesn't have the encryption acceleration. »mikrotik.com/product/RB750Gr3
ve7alb
join:2013-08-06
Victoria, BC

ve7alb to Anondd81b

Member

to Anondd81b
Mikrotik will do policy-based routing, you can specify specific source IPs or ranges to be routed a particular way.
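
Added example (not part of ve7alb's post and not MikroTik or Merlin configuration): a small Python model of the source-based policy routing described here and in Vishwa's earlier post. It assumes Linux-style rule semantics, where a rule whose table has no usable route falls through to the next rule; the addresses, table names and interface names (`tun0`, `wan0`) are constructed. It shows VPN-assigned clients silently falling back to the ISP path when the tunnel drops, and a blackhole route in the VPN table keeping them failed-closed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dest: str        # destination prefix; "0.0.0.0/0" is the default route
    action: str      # egress interface name, or "blackhole" to drop
    metric: int = 0  # lower metric wins among equal prefix lengths


@dataclass(frozen=True)
class Rule:
    priority: int    # lower number is evaluated first
    source: str      # source CIDR that selects this rule
    table: str       # routing table consulted on a match


def lookup(routes, dst, up_ifaces):
    """Longest-prefix match in one table; routes via a down interface vanish."""
    dst = ipaddress.ip_address(dst)
    usable = [r for r in routes
              if dst in ipaddress.ip_network(r.dest)
              and (r.action == "blackhole" or r.action in up_ifaces)]
    if not usable:
        return None  # no route here: the caller moves on to the next rule
    best = max(usable,
               key=lambda r: (ipaddress.ip_network(r.dest).prefixlen, -r.metric))
    return best.action


def egress(src, dst, rules, tables, up_ifaces):
    """Return the interface a packet leaves on, 'blackhole', or 'unreachable'."""
    src = ipaddress.ip_address(src)
    for rule in sorted(rules, key=lambda r: r.priority):
        if src in ipaddress.ip_network(rule.source):
            action = lookup(tables.get(rule.table, []), dst, up_ifaces)
            if action is not None:
                return action
    return "unreachable"


# Constructed policy: clients in 192.168.1.64/26 use the VPN, everyone else the ISP.
RULES = [Rule(100, "192.168.1.64/26", "vpn"), Rule(32766, "0.0.0.0/0", "main")]
MAIN = [Route("0.0.0.0/0", "wan0")]
LEAKY = {"main": MAIN, "vpn": [Route("0.0.0.0/0", "tun0")]}
# Hardened: a higher-metric blackhole default stays behind when tun0 disappears.
HARDENED = {"main": MAIN, "vpn": [Route("0.0.0.0/0", "tun0"),
                                  Route("0.0.0.0/0", "blackhole", metric=100)]}

if __name__ == "__main__":
    dst = "203.0.113.10"  # documentation address standing in for an Internet host
    for name, tables in (("leaky", LEAKY), ("hardened", HARDENED)):
        for up in ({"wan0", "tun0"}, {"wan0"}):
            state = "tunnel up" if "tun0" in up else "tunnel down"
            print(name, state, egress("192.168.1.70", dst, RULES, tables, up))
```
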

Anondd81b
@videotron.ca

Anondd81b

Anon

So if I understood everyone correctly, and correct me if I'm wrong, the following is true (all prices CDN):

Asus RT-AC3100 (Dual 1.4 Ghz CPU):
No speed issues
In regards to this, looked at price. Might be better off getting the AC86U. Ballpark price 250$

Mikrotik RB3011 (Dual 1.4Ghz CPU I think):
No speed issues.
Ballpark price 250$ (Cad) is what I saw.

Mikrotik RB750Gr3 (Dual 800Mhz CPU):
Works, but no one said what speeds they are getting and what speed they have from their ISP.
From reviews been seeing people saying not to bother with anything 800Mhz (but not specifying this brand).
Ballpark price 80-120$

NetGear Nighthawk R7000 (Dual 1 Ghz CPU):
Speed issues. Reviews speak of speed issues as well.
Reviews all say to go Asus over NetGear in Netgear's own forum even. Applies to the AC1900 & AC2300 as well. People don't seem happy with this one.
Ballpark price 200-250$

Asus AC2900 AC86U (Dual 1.8Ghz CPU) = Not tested yet. Reviews say no issue though.
Ballpark price 220-270$

kevinds
Premium Member
join:2003-05-01
Calgary, AB

1 edit

1 recommendation

kevinds

Premium Member

said by Anondd81b :

not to bother with anything 800Mhz

The RB750Gr3 is dual core, 4 threads

If you want to run VPN on your router with any decent throughput (higher than 25 mbps), you will need hardware acceleration.

Anoncfbae
@cogentco.com

1 recommendation

Anoncfbae to Anon13d9a

Anon

to Anon13d9a
Whole Home VPN router will slow down your whole family. Also how do you know if these VPN providers don't disclose your info if they're asked by FBI or RCMP?

Anondd81b
@videotron.ca

Anondd81b to kevinds

Anon

to kevinds
They are all dual core, all have acceleration, though I am unsure of the Netgear in terms of acceleration.
Datalink
Premium Member
join:2014-08-11
Ottawa ON

Datalink to Anondd81b

Premium Member

to Anondd81b
Keep an eye out for the RT-AC86U to go on sale at Best Buy. Current price: $269.99. That should drop $30 to $40 on sale. Here are the links from the previous thread regarding the VPN performance for the Asus RT-AC86U:

»www.snbforums.com/thread ··· u.41217/

»www.snbforums.com/thread ··· d.44857/

»www.snbforums.com/thread ··· o.44687/

The latest Merlin-Asuswrt Beta version has "Added IPSEC Server support for the RT-AC86U, with hardware acceleration. Benchmarks pushed it at over 300 Mbps."

»www.snbforums.com/thread ··· e.44941/

Anondd81b
@videotron.ca

Anondd81b to Anoncfbae

Anon

to Anoncfbae
said by Anoncfbae :

Whole Home VPN router will slow down your whole family. Also how do you know if these VPN providers don't disclose your info if they're asked by FBI or RCMP?

And this is what policy based routing is for as spoken about above.

As for the RCMP, who cares. What do they have to do with anything?
HELLFIRE
MVM
join:2009-11-25

1 edit

HELLFIRE to Anon13d9a

MVM

to Anon13d9a
1cj9901!.PDF
961,991 bytes
said by grand total:

»mikrotik.com/product/RB750Gr3 Hiding in plain sight.

said by kevinds:

Marketing name is hEX, but the marketing name stays the same across different models, the model is the model.. hEX used to be the RB750Gr2, which doesn't have the encryption acceleration. »mikrotik.com/product/RB750Gr3

Ahh, thanks for that you two.
said by Anondd81b :

I am really in the dark with Mikrotik. Don't know if they will do this. Maybe HellFire or ve7alb will know.

I can point you to the vendor website and the datasheets. kevinds has hands-on experience with the actual product.
said by Anondd81b :

It's kind of hush-hush "call for a test install".

said by Anondd81b :

So: Search crtc for "bell rap" go to the public proceeding of it. Click on procedural requests, look for the Bell reply to the request to get the name. Should be there. Then scan intervenors docs for "patent". There are a few patents for it.

See attached PDF, is that the file / patent # you're referring to?
said by Anondd81b :

though I am unsure of the Netgear in terms of acceleration.

For the Asus and Netgear kit? Likely zilch : remember this type of 192.168.x.x kit is designed to be cheap as possible and for genericized mass production.
said by Anondd81b :

said by Anoncfbae :

Whole Home VPN router will slow down your whole family. Also how do you know if these VPN providers don't disclose your info if they're asked by FBI or RCMP?

As for the RCMP, who cares. What do they have to do with anything?

My Cautionary 00000010bits? Using VPN for patently illegal activities, and expecting the VPN to hide it all "because the marketing slideware said so."
Case in point is this recent case : »betanews.com/2017/10/09/ ··· ogs-fbi/

Regards
HELLFIRE

HELLFIRE

MVM

said by Anondd81b :

Mikrotik RB750Gr3 (Dual 800Mhz CPU):
Works, but no one said what speeds they are getting and what speed they have from their ISP.

Also, if you take a look at the product link under "Test Results" it gives the performance numbers of the box in an Ipsec VPN configuration.
I don't know if there's any posted numbers what this can do with OpenVPN, though.

Regards

kevinds
Premium Member
join:2003-05-01
Calgary, AB

1 recommendation

kevinds to Anondd81b

Premium Member

to Anondd81b
said by Anondd81b :

all have acceleration

You are sure about this?

Anondd81b
@videotron.ca

Anondd81b to HELLFIRE

Anon

to HELLFIRE
Ah yes, that is the name, Guavus, they bought Tremblay's work that was funded by either Rogers or Bell (or both). There are a few more of those with more/better details.

As for the acceleration, pretty sure I came across it last night while looking into the work of the guy doing the Merlin firmware (didn't know he is Canadian). Spotted it either on his Twitter or website. Don't recall which.