Any of the eight interfaces on the EdgeRouter Pro can be configured as a WAN interface, but load-balancing is currently limited to two WAN interfaces. I set up my EdgeRouter Pro with the WAN+2LAN wizard and followed the dual WAN load-balancing with failover guide located here.
I followed the instructions to test each WAN interface with the other disconnected before I applied all the configs and connected both interfaces. As you can see from the below screenshot, interfaces eth1 and eth3 are now in a load balancing group called "WAN_FAILOVER."
Dual WAN Status
To test WAN failover, I enabled a continuous ping to google.com (ping google.com -t) on my PC (connected to eth0), and disconnected eth1. Only one ping failed before the EdgeRouter Pro failed over to eth3. I then reconnected eth1, allowed it to restore, and disconnected eth3. Only three pings failed before the EdgeRouter Pro failed over to eth1. So far so good, WAN failover worked as expected!
With the config I applied, eth1 and eth3 will fail over between each other. They are also configured for 50-50 load balancing. According to the failover guide, "this configuration will also start up a watchdog thread for each WAN interface that pings www.ubnt.com every 10 seconds. If there are 3 consecutive failures, all traffic will fail over to the other WAN interface." These timers and values are all adjustable.
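To see what the quoted timers mean for detection time, here is a small model of the consecutive-failure rule. It is an added example, not EdgeOS code or anything from the Ubiquiti guide; the restore threshold (success_count) and the probe sequences are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Watchdog:
    interval: int = 10       # seconds between pings (value quoted from the guide)
    failure_count: int = 3   # consecutive failures that trigger failover (quoted)
    success_count: int = 3   # ASSUMPTION: consecutive successes needed to restore
    active: bool = True      # True while this WAN interface carries traffic
    fails: int = 0
    oks: int = 0
    events: list = field(default_factory=list)

    def probe(self, t, ok):
        """Feed one ping result observed at time t (seconds)."""
        if ok:
            self.fails = 0   # a single reply resets the failure streak
            self.oks += 1
            if not self.active and self.oks >= self.success_count:
                self.active = True
                self.events.append((t, "restore"))
        else:
            self.oks = 0
            self.fails += 1
            if self.active and self.fails >= self.failure_count:
                self.active = False
                self.events.append((t, "failover"))

def replay(results, **settings):
    """Replay a list of ping outcomes, one per interval, and return the events."""
    wd = Watchdog(**settings)
    for i, ok in enumerate(results):
        wd.probe(i * wd.interval, ok)
    return wd.events

def detection_window(interval=10, failure_count=3):
    """(best, worst) seconds from outage start to failover, ignoring ping timeout."""
    # Best: outage begins just before a probe. Worst: just after one succeeded.
    return interval * (failure_count - 1), interval * failure_count

# Constructed inputs: a hard upstream outage, and 2-in-3 packet loss.
HARD_OUTAGE = [True, False, False, False, False, True, True, True]
INTERMITTENT = [False, False, True] * 4

if __name__ == "__main__":
    print(replay(HARD_OUTAGE))    # failover on the third consecutive miss
    print(replay(INTERMITTENT))   # never reaches three in a row, so no events
    print(detection_window())
```

With the default values, an upstream outage on a link that stays physically up takes 20 to 30 seconds to trigger failover, and a link losing two of every three pings never trips the watchdog at all, which is worth keeping in mind when adjusting the timers.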
A useful WAN feature, especially if you're getting your WAN IP address via DHCP, is Dynamic DNS. The Edge supports Dynamic DNS to dnspark, dyndns, namecheap, zoneedit, dslreports, easydns, and sitelutions. Dynamic DNS can be configured via the CLI following this guide, and Ubiquiti tells me it will be available in the GUI in an upcoming release. Following the guide, I successfully set up dynamic DNS to dyndns, as shown in the screenshot below. (I deleted my IP address and host name from the status.)
Dynamic DNS Status
The Edge supports IPsec, PPTP, L2TP, and OpenVPN (SSL) tunnels. All VPN configuration is via CLI. I found some useful guides on the Ubiquiti wiki for configuring the VPN tunnels. I successfully configured IPsec Site-to-Site, as well as remote PPTP and L2TP tunnels, on the Edge using CLI guides available on Ubiquiti's support site.
I was not able to configure OpenVPN or remote IPsec tunnels on the Edge. I experienced errors following the OpenVPN server setup using this guide when creating key files. I didn't attempt a remote IPsec tunnel, as I didn't find a guide on the Ubiquiti wiki.
I successfully tested IPsec on the EdgeRouter Pro by setting up a site-to-site tunnel to a Zyxel Zywall 110. The Edge supports 3DES and AES encryption as well as MD5 and SHA-1 authentication. The Ubiquiti wiki guide uses AES128 encryption and SHA-1 authentication, so I stuck with those settings. Below is a screenshot of the CLI show command displaying my active IPsec tunnel.
Further, I successfully tested PPTP and L2TP on the EdgeRouter Pro from a Windows 7 PC and an iPhone. Below is a screenshot of the CLI show command displaying my active PPTP tunnel.
We've been testing VPN throughput for some time using iperf as our real-world throughput test tool. Iperf has its limitations, though. Specifically, iperf measures throughput using a fixed TCP Window size.
After evaluating multiple different throughput test tools, we've chosen TotuSoft's LAN Speed Test as our new real-world VPN throughput test tool. TotuSoft's LAN Speed Test measures TCP data transfer speeds from TotuSoft's free LAN Speed Test client application to and from a shared folder on another device or to TotuSoft's LAN Speed Test server application (cost = $6). I used the client and server application and measured throughput using a file size of 100 MB.
To measure VPN throughput, I used two PCs running 64-bit Windows with their software firewall disabled. I benchmarked these two PCs over a Gigabit LAN and measured 349 Mbps. My results for IPsec Site-to-Site, PPTP and L2TP tunnels are in Table 1.
|VPN Tunnel Type||Throughput (Mbps)|
Table 1: VPN throughput
Ubiquiti doesn't provide a rating for IPsec throughput on the Edge, although they reported to me they measured throughput "around 220 Mbps" between two EdgeRouter Lite routers, and hoped that two EdgeRouter Pro routers could hit up to 500 Mbps. I didn't expect to come close to 500 Mbps numbers as I'm testing the EdgeRouter Pro to a Zywall 110, which has an IPsec UDP rating of 300 Mbps.
As you can see, I measured the EdgeRouter Pro could encrypt and send IPsec data at 217.1 Mbps to the Zywall, and could receive and decrypt data at 156.1 Mbps from the Zywall. My guess is the Zywall was the bottleneck in my tests and these numbers would be higher if I was able to test between two EdgeRouter Pros.
For remote PPTP tunnels, I measured the EdgeRouter Pro could encrypt and send data at 34.7 Mbps to the client, and could receive encrypted data at 8.9 Mbps from the client. Finally, for L2TP tunnels, I measured the EdgeRouter Pro could encrypt and send data at 49.1 Mbps to the client, and could receive encrypted data at 36.9 Mbps from the client.
Overall, these speeds are tremendous! An IPsec tunnel between two routers running at over 150 Mbps enables LAN speed between two locations. Based on my tests, you would need WAN/Internet connectivity greater than 150 Mbps to max out the Edge's VPN throughput.
Remote tunnels are typically constrained by the far end Internet connection. L2TP throughput on the EdgeRouter Pro was the faster of the two remote VPN options I tested with a download speed of 49.1 Mbps and upload of 36.9 Mbps. These speeds easily exceed the average US ISP download (as reported by Ookla, the technology behind speedtest.net) of 22.9 Mbps and the average upload speed of 7.4 Mbps.