Replacement for Edgerouter Pro?

trympet

Alas, my EdgeRouter just died, so I need a new firewall. I'm trying to find something that has comparable performance, doesn't break the bank, and is rackmountable. The Mikrotik RB5009UPr+S+INN seems to be a suitable replacement, but I need 2x SFP. Does anyone have any suggestions?
 

BoredSysadmin

RB5009UP... doesn't even have 2x SFPs, and it's not rack-mountable (without a shelf of sorts)
I think you ought to look a bit higher in range at MikroTik CCR2004-16G-2S+ - it has better performance and 2x SFP+ (1 or 10 gigs with adapters, like fiber ethernet)
 

jjacobs

Would be better to have more details about your requirements (throughput, etc.) to give a specific recommendation. The EdgeRouter Pro isn't particularly high throughput; the EdgeRouter 4 with the rack mount kit would drop right in. That is, if you can find stock and you want to continue with Ubiquiti. Maybe you can find a used EdgeRouter 4 from someone who jumped off the Ubiquiti train(wreck). Some white box server running VyOS, maybe even virtualized? You could port your config over with minimal headache.
 

kpfleming

I've got a nice clean EdgeRouter 4 with rackmount kit that I'm ready to sell (came out of service a few weeks ago). Single SFP, though, so if you really need 2x SFP that won't be sufficient.
 

jjacobs

It's just 1GbE. Without knowing the specifics I can't say for sure but that doesn't sound like something that couldn't be resolved easily. Was the EdgeRouter connected directly to fibre service and using the other as the downlink to a switch? We'll have to wait and hear more from the OP...

Edited to add: I've had 3 EdgeRouter 4s over the last year or so. Put them in friends'/coworkers' places with an unmanaged switch and a few used APs flashed with OpenWrt. I can drop that in and know that I can walk away for months and months and they are going to be way happier than they would be with some blackhawkbladesupergaming whatever from Best Buy for the same or less money. It's not sexy stuff but it just works... Eventually I do encourage people to move away from Ubiquiti, usually to VyOS, and those routers come home to be used again.
 

trympet

> Would be better to have more details about your requirements (throughput, etc.) to give a specific recommendation.
My main focus is connections and packets per second. What I'm looking for is:
- Reasonable power efficiency
- 2x SFP for upstream and downstream.
- Stateful firewall capable of handling a webserver with 200-600 req/s and 1k-5k concurrent conns.
- AES256 acceleration for IPSec site-to-site
- IGMPv2 Proxy
- Rack-mountability is a plus

The CCR2004-16G-2S+ is a good option, however, the CCR2004-1G-12S+2XS is similarly priced and has much more "usable" IO IMO.

I would totally be down for building my own router as well, but all of Supermicro's offerings are out of my price range. Maybe I can scour the used market?

As an emergency replacement I'm running a VM with Mikrotik CHR, but this is far from ideal w.r.t. power-consumption and fault-tolerance. The lack of IGMP filtering on the vswitch is causing garbage packets to be blasted at my VMs. Soo so many wasted interrupts. On the bright side, I can now configure VRRP with ease once I get a new router :)

> I've got a nice clean EdgeRouter 4 with rackmount kit that I'm ready to sell (came out of service a few weeks ago). Single SFP, though, so if you really need 2x SFP that won't be sufficient.
Thanks for the offer! However, 2x SFP is really a must.

> Was the EdgeRouter connected directly to fibre service and using the other as the downlink to a switch?
Yes, bang on the money.
 

RTM

> The CCR2004-16G-2S+ is a good option, however, the CCR2004-1G-12S+2XS is similarly priced and has much more "usable" IO IMO.
I am not arguing against you getting it, but it should be mentioned that the CCR2004-1G-12S+2XS is massively oversubscribed in terms of I/O bandwidth to actual routing performance of the SoC.

What kind of internet connection do you have? Do you even need a really beefy router/firewall?

Usually you are better off with an L3 switch to route internal traffic and a slightly less beefy router/firewall that is more or less sized just for the bandwidth of the internet connection.
 

trympet

> I am not arguing against you getting it, but it should be mentioned that the CCR2004-1G-12S+2XS is massively oversubscribed in terms of I/O bandwidth to actual routing performance of the SoC.
>
> What kind of internet connection do you have? Do you even need a really beefy router/firewall?
>
> Usually you are better off with an L3 switch to route internal traffic and a slightly less beefy router/firewall that is more or less sized just for the bandwidth of the internet connection.
You are right, however, I will probably die of old age before maxing out the routing performance of the SoC lol.

My connection speed is 1G, but I don't think it's relevant, since most of the traffic is fairly small in terms of frame size. The old bottleneck was the number of connections (I think, not an expert!). If my webserver went down for just a couple of minutes, I would DoS myself due to the high volume of incoming traffic. It was also idle at around 30% CPU. I don't want that to happen after I upgrade. Also, periodic sync of my database cluster to a remote site would usually max out one (i.e., 50%) of the CPU cores because of shitty crypto acceleration on the edgerouter.
 

trympet

> budget?
>
> You can get 1 or 2 Lenovo m720q or m920q and put a 10G card in it that has 2 x SFP+ ports.
> Then you can either do a bare metal hypervisor or install OPNsense directly.
>
> These are my current go to tiny firewall boxes as they are just so cheap and speedy :D
That's an excellent suggestion -- especially considering it's impossible to get my hands on a CCR these days. Do you know how many watts you're drawing with your setup?
 

jjacobs

> usually max out one (i.e., 50%) of the CPU cores because of shitty crypto acceleration on the edgerouter.
Yeah, and the newer edgerouters aren't *that* much better.

You might look at a Netgate 6100. $800 and you do get some support for that. Not sure how you feel about pfSense or Netgate but people here like them... Fan-less and reasonably power efficient. 2 combo ports, 2 SFP+ and 4 2.5 Gb ports. The support forum is very good. Some of the mods are a bit cranky, but they know their stuff and will put in effort to help should you need it.