Login

u/WindowReasonable6802

▲ 0 r/networking

RouterOS for Edge BGP routing

Hi everyone,

I'm looking for some architectural advice on redesigning the edge of my datacenter ASN.

Currently, I have two main edge routers running plain Ubuntu 22.04 + BIRD. This handles BGP perfectly, but my requirements have grown. I now need to introduce stateful firewalling, HA default gateway routing for the internal network, and IPsec tunnels. Managing BIRD, nftables, keepalived, and strongSwan as loosely coupled packages is becoming an administrative nightmare, so I want to move to a unified router OS.

The Hardware:

  • CPU: AMD EPYC (multi-core, NUMA architecture)
  • RAM: 64GB
  • Throughput Target: Pushing 10Gbps at peak.

Strict Requirements:

  1. Must be Open-Source.
  2. Highly prefer first-class Terraform support (manageable via code).
  3. BGP support (handling transit tables).
  4. HA support for internal gateways (VRRP/CARP) and state syncing.
  5. IPsec tunnel termination.

The Dilemma: I am currently weighing three main options: VyOS, OPNsense, and pfSense. My main concern is hitting 10Gbps of stateful throughput (Firewall + NAT + IPsec) on AMD EPYC hardware, alongside the automation requirements.

  • VyOS (Linux): Seems like the safest bet for high-throughput, multi-core EPYC hardware because of how the Linux kernel handles RSS (Receive Side Scaling) and netfilter across many cores. It also has great Terraform API support.
  • OPNsense (FreeBSD): I love the idea of having a web GUI for quick troubleshooting and a highly mature Terraform provider via its REST API, but I am worried about the pf firewall bottlenecking on single EPYC cores at 10Gbps without heavy sysctl tuning.
  • pfSense (FreeBSD): I am still strongly considering pfSense because it is the industry standard for this type of deployment. However, the lack of a native REST API makes my Terraform requirement tricky, and I'm unsure how well it scales to 10Gbps stateful on EPYC compared to Linux.

My Questions for the Community:

  1. Has anyone pushed 10Gbps of stateful traffic + IPsec through pfSense or OPNsense on an EPYC? Did it require heavy FreeBSD driver/queue tuning, or did it handle it out of the box?
  2. For those using VyOS via Terraform in a datacenter, how robust is the state sync (conntrack-sync) and VRRP under heavy load?
  3. If I go with pfSense, how are you guys managing it via Terraform in production? Are the community XML-RPC wrappers stable enough, or is it a headache?
  4. Are there any other hidden caveats with these OSs at this scale that I should be aware of before committing?

Thanks in advance for any insights!

reddit.com
u/WindowReasonable6802 — 10 hours ago