What route is most CPU economic?


distilled

Senior Member
So if we held a contest for the dumbest, least important question asked on these wonderful forums, this one has to be at least a contender. It is pure curiosity and has zero real world relevance, at least insofar as residential routing. And yet, here it is.

I have multiple VPNs set up between Asus routers (running Merlin), one of which is for anonymizing connections to a couple specific machines, and the others site-to-site. Exceptions have to be made for the machines that are anonymized, so that they are able to see the remote site-to-site VPNs.

For example, Machine A has to be anonymized *except* when it looks at 192.168.150.9, 192.168.150.10, 192.168.150.11 and 192.168.200.200. If WAN routes are not made for those four machines, it tries to access them through the anonymizing VPN, which obviously doesn't work.

So, is it more CPU intensive to create 4 different routes to those individual IP addresses, or to just create a WAN route for 192.168.150.0/24 and 192.168.200.0/24?

In practice, there are about 10 addresses in each of these two subnets, so there are more like 20 specific routes.

As stated, this is just an OCD / retentive thing, and it really doesn't make any difference at all, but does anyone know which is preferable from a performance tuning (or "best practice") point of view, and why?

Hope everyone is having a wonderful Friday!
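The trade-off in the question above, as an added example that is not part of the original post: a simplified model comparing the four host exceptions with the two /24 exceptions. The first-match, in-order scan and the function names are assumptions made for illustration, not a description of how Asuswrt-Merlin evaluates its rules; 203.0.113.7 is a constructed test address.

```python
import ipaddress

# Constructed from the addresses in the post: destinations Machine A must
# reach outside the anonymizing VPN, written as host rules or subnet rules.
HOST_RULES = ["192.168.150.9/32", "192.168.150.10/32",
              "192.168.150.11/32", "192.168.200.200/32"]
SUBNET_RULES = ["192.168.150.0/24", "192.168.200.0/24"]


def parse_rules(rules):
    """Turn CIDR strings into network objects, rejecting host bits set."""
    return [ipaddress.ip_network(r, strict=True) for r in rules]


def egress(dest, exceptions):
    """Return (path, rules_checked) for one destination.

    Assumption: exceptions are checked one by one in order and the first
    match wins; anything unmatched falls through to the anonymizing VPN.
    """
    addr = ipaddress.ip_address(dest)
    for checked, net in enumerate(exceptions, start=1):
        if addr in net:
            return "WAN", checked
    return "VPN", len(exceptions)


def exempted_addresses(exceptions):
    """Count destination addresses that bypass the anonymizing VPN."""
    merged = ipaddress.collapse_addresses(exceptions)
    return sum(net.num_addresses for net in merged)


def compare(dest):
    """Path taken by `dest` under each rule style."""
    return {
        "host": egress(dest, parse_rules(HOST_RULES)),
        "subnet": egress(dest, parse_rules(SUBNET_RULES)),
    }


if __name__ == "__main__":
    for d in ("192.168.150.10", "192.168.150.50", "203.0.113.7"):
        print(d, compare(d))
    print("exempt (host):  ", exempted_addresses(parse_rules(HOST_RULES)))
    print("exempt (subnet):", exempted_addresses(parse_rules(SUBNET_RULES)))
```

In this model the subnet rules need fewer comparisons per packet, but they exempt 512 destination addresses from the anonymizing VPN instead of 4, so any other host in those ranges (192.168.150.50 here) is also reached outside it.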
 

distilled

Senior Member
Lol no, I wish I could afford the juice for a couple racks of ASIC miners (and possibly cooling) but they are boring security cameras.

(They are monitoring my Saw victims)
 

heysoundude

Very Senior Member
Are you using WireGuard tunnels in your sig? If you're controlling your endpoints, it makes the most sense.
Scratch that...I see one of them is an ac68.
 

distilled

Senior Member
Is the difference in performance that significant? I haven't been following the progress of WireGuard on Merlin, but I thought it was only available on the HND devices, and one of my endpoints is an AC68U. Is that a show stopper?

My ISP does support IPv6, but I want to go with one or the other and not both, and I lack the same degree of comfort with v6. But now is a fine time to learn. That might be a solid project, now that you mention it.

I considered digging an old, retired Pi out of the proverbial junk drawer and repurposing it as a VPN server behind the 1900, but this really is just a "For the heck of it" project, and it is prioritized below the really critical things (like putting Pi Zero W's in every room for Presence Detection, like every normal person needs).
 

distilled

Senior Member
> Are you using WireGuard tunnels in your sig? If you're controlling your endpoints, it makes the most sense.
> Scratch that...I see one of them is an ac68.

Yup, and I was likely typing that reply before noticing you noticing. :) Grandkid's birthday party today, so I was busy presenting myself as a responsible, "good" adult to a 5 year old, and not paying much attention to the forums. The kid will see through me in a few years, so I want to enjoy him mistakenly thinking I'm a decent person while I can. :)

The PiVPN runs on the $10 Pi Zero W, and PiVPN supports WireGuard, so it really isn't unreasonable to do WG between anything. OpenVPN works flawlessly though, and it is tough to rationalize spending money to fix it. The only issue I have had with OpenVPN is with a specific client who needed access to a little accounting package, QuickBooks. TUN wouldn't work for them, and I had to set up TAP. I didn't spend a lot of time examining the situation, but my hunch is that Intuit want to sell their SaaS package subscriptions, so they don't play nicely with VPN protocols.

Thanks for the suggestions, I will look into IPv6 (out of the boredom that comes with semi-retirement) and also check out the latest WG thread. Tinkering with this sort of thing is the geek version of having a car up on blocks in the front lawn - it passes the time. I think a Creality Ender might be in my near future though. That will absorb the time that IPv6 would take.
 

heysoundude

Very Senior Member
IPv6 - https://ipv6.he.net/ was where I was pointed, and in about 90min I had completed level 2, enough for my purposes.
I wouldn't stress over dual stack - I don't see it unless I go looking.
Most things on my network switched over when I fired it up, and bypassing NAT does seem to have had a positive effect: the 0-1 usec bar on my unbound chart is taller than it was before the change - almost as tall as the average bar ;-D
WireGuard is performant and agile (equally able between v4 and v6). I've only used it between my desktop machine and a VPN provider when they had a free beta, so I can't comment on how it runs on routers, but it was quite a difference to any other VPN I have tried in the past - I would call it transparent. Security that doesn't impact performance/flow is ridiculously elegant if you ask me...I think that's why Linus likes it enough to include it in the kernel.
 
