Like every other website on the planet, SmallNetBuilder uses cookies. Our cookies track login status, but we only allow admins to log in anyway, so those don't apply to you. Any other cookies you pick up during your visit come from advertisers, which we don't control.
If you continue to use the site, you agree to tolerate our use of cookies. Thank you!

Wi-Fi Router Charts

Click for Wi-Fi Router Charts

Mesh System Charts

Click for Wi-Fi Mesh System Charts

Performance - Routing

Testing and analysis by Tim Higgins

With up to 4 WAN connections and Gigabit ports on the both sides, routing throughput is important.  NETGEAR advertises the router as having “1 Gbps of stateful firewall throughput,” although they list it in their spec sheet as capable of 924 Mbps from LAN-WAN.

I ran the SmallNetBuilder standard routing throughput tests on the SRX5308, with the results summarized in Table 2.  Note that these results were taken using one LAN and one WAN port.

Test Description Throughput - (Mbps)
WAN - LAN 449
LAN - WAN 582
Total Simultaneous 535
Maximum Simultaneous Connections 48,924 (test limit)
Firmware Version 3.0.6-9
Table 2: Routing throughput

When testing products, we frequently run results past the vendor for a "sanity check". For the SRX5308, our results were much lower than NETGEAR's, which, as you might imagine, started a good deal of back-and-forth to try to achieve better correlation.

In the end, it turned out that a major source of difference between our measurements and NETGEAR's is that NETGEAR has standardized on using Linux-based clients for its performance testing (currently Red Hat Enterprise Linux Release 4, Nahant update 5). And it appears that the TCP/IP handling in RHEL is much more efficient than in any of the Windows OSes that we tried, with significantly higher throughput as a result. NETGEAR provided IxChariot test files to me to verify its claims, which I have no reason to question.

So the bottom line is that SmallNetBuilder and NETGEAR's much higher routing throughput results are both correct. But, if you're running a Windows client, your throughput will be more like we've shown in Table 2.

Another difference in NETGEAR's performance claims and our results is the Maximum Simultaneous Connections results. NETGEAR's claim is 200,000 Concurrent Connections, which is a hellaciously high number! It's way beyond the limit of what our recently-updated test process can test, however, so we have no way of verifying that claim. (NETGEAR used IxExplorer with 1280 Byte frames to verify their spec.) Our result of 48,924 connections is essentially the limit of what our process can do.

Figure 14 shows our IxChariot results, which show a good deal of routing throughput variation. Note that the minimum throughput in the dips is around 90 Mbps.

SRX5308 router throughput
Click to enlarge image

Figure 14: SRX5308 router throughput

Performance - VPN

Testing and analysis by Doug Reid

To test IPSec throughput, I connected a PC running Win 7 (32 bit) and the TheGreenBow IPsec client to one of the SRX's WAN ports and a client running Win 7 (64 bit) on its LAN side. Both machines were running iperf with default settings to measure TCP throughput.  (iperf's defaults are TCP Window Size: 8KB, MSS: 1460 Bytes and Buffer Length: 8KB).

iperf's defaults don't produce the best throughput that a Windows-based client can achieve. But I've used the defaults of my other tests of VPN routers, so I'm sticking with them for consistency.

Netgear specs the SRX' IPSec VPN throughput with 3DES tunnel encryption as 180 Mbps. But our results in Table 3 were nowhere near that.

Test Description Throughput - (Mbps)
Client to SRX5308 31.8
SRX5308 to Client 42.6

Table 3: IPsec client-to-router throughput

This difference prompted a series of retests that culminated in a conference call with NETGEAR where we tried to resolve our differences. We found that NETGEAR's 180 Mbps throughput spec was once again based on using Linux clients on both ends of a site-to-site tunnel using two SRX5308's.

But even when we fell back to both using the same setup (client-to-gateway, using TheGreenBow client with Win 7 systems), our results were still much lower than NETGEAR's. It wasn't until I took NETGEAR's suggestion to reset my SRX to defaults and then run the test that I achieved the measurements shown in Table 3, which were close enough to what NETGEAR measured using the same conditions.

I also checked the performance of an SSL tunnel, using PCs running 32 bit Windows XP Pro and 64 bit Windows 7 Pro. With my 64 bit Windows 7 machine, I had to use the 64 bit version of IE. But other than that, I had no issues. Table 4 summarizes the results.

Test Description Throughput - (Mbps)
Client to SRX5308 0.72
SRX5308 to Client 13.2

Table 4: SSL client-to-router throughput

The upstream (client to gateway) SSL tunnel throughput results are pretty disappointing, although the opposite direction is plenty fast. NETGEAR was able to duplicate these results, but hasn't yet tracked down the source of the upstream / downstream difference. Note that, once again, NETGEAR's 21 Mbps spec for SSL tunnel throughput is based on using a Linux client, which isn't officially supported.

Closing Thoughts

I've tested numerous dual WAN routers and VPN Firewalls, but none with quad WAN ports, VLAN and VPN capability.  The closest thing to the SRX5308 that I've previously tested is the triple WAN port PepLink Balance 30

The PepLink can be found on line for $465, but doesn’t include VLANs, VPNs or Gigabit ports.  Even with slightly higher street pricing around $500,  without question, the SRX5308 is head and shoulders above the PepLink.

Another comparison to the SRX5308 is NETGEAR's own FVS336G, which has dual WAN ports and four Gigabit LAN ports.  The FVS336G is an older model router, and can be found on line for around $250.  While the FVS336G was impressive in 2008, it has far lower throughput, lacks VLAN capability and has only two WAN ports. 

I would like to see the SRX's VPN performance with Windows-based clients more closely match NETGEAR's Linux-based specs.  Nevertheless, the IPSec throughput numbers are higher than any other router I've tested to date. 

The SSL VPN throughput numbers were asymmetric, which simply means remotely uploading data to the SRX LAN via the SSL VPN will be slower than downloading data from the SRX LAN via the SSL VPN.  If you're using the SRX VPN to remotely access your network, odds are you'll be doing more downloading than uploading.

The SRX5308 is the most powerful router NETGEAR has produced to date and also the most powerful that I've reviewed.  NETGEAR designed it to be at the core of a complex network such as the one in Figure 15.

SRX5308 in use
Click to enlarge image

Figure 15: SRX5308 in use

With the capability of connecting up to four Internet connections as well as VLAN, VPN, and security (but not UTM) features, plus a lifetime hardware warranty, the SRX5308 certainly earns the title as flagship of NETGEAR’s ProSafe business-class VPN Firewall line!

Support Us!

If you like what we do and want to thank us, just buy something on Amazon. We'll get a small commission on anything you buy. Thanks!

Don't Miss These

  • 1
  • 2