Edgerouter X - IPsec Benchmarked

As I posted last time, the MediaTek SoC (MT7621AT) in ER-X has a EIP-93 crypto engine. It has impressive performance specification. Authentec quotes 450 Kpps for 64-byte packets and 300-500 Mbit/s throughput. MediaTek quotes around 200 Mbit/s.

I found mixed results from my tests. I use AES-128/SHA1 for ESP and AES-256/SHA256 for keying. In one direction, I consistently got as high as 380 Mbit/s. In the other direction it is around 130 Mbit/s regardless how hard I tried.

My test setup is same as in my previous post. Macbook Pro is the client from "Internet" which connects to ER-X and between them is a IPsec tunnel. Iperf3 streams are sent between MBP and iMac.

Let me summarise the numbers:

*IPsec throughput on ER-X with four iperf3 streams*

Download means iperf3 sending data from iMac to MBP. Upload is the other way round. I found four iperf3 streams saturate the maximum throughput.

Let's focus on the 1460-byte packet size. In download direction, 377 Mbit/s is very good throughput in my opinion. It surpasses the quoted number from MediaTek and close to the 500 Mbit/s upper bound quoted by Authentec. In upload direction, relatively speaking it's a little disappointing. 128 Mbit/s is only about one third of the download throughput.

Put the numbers in perspective. A single iperf3 stream gives 244 Mbit/s in download and 127 Mbit/s in upload. More streams do not increase the throughput in upload direction at all.

Why is the upload seemingly capped at 130 Mbit/s? I have some theories but I don't have the authoritative answer. I saw all four ksoftirqd working in download but only one or two working in upload.

Will see if could get feedback from Ubiquiti or possible improvement.

comments powered by Disqus