
VPN over Broadband


Internet connections have two channels - an upload channel (for transferring data out of the office) and a download channel (for transferring data into the office).

Broadband technologies such as ADSL and cable modem are referred to as asymmetric broadband. In other words, the capacity of the two channels is different. Compare this to SDSL (Symmetric DSL) or leased lines, where the two channels have the same capacity.

With ADSL and cable, the upload channel appears disproportionately small compared to the download channel. When ADSL was first introduced, the download speed was a maximum of 2Mbit (2048k), but the upload speed was only 256k - a quarter of the speed. As ADSL speeds have increased, we are now seeing download speeds of 8Mbit (BT based) or as high as 20Mbit (Virgin cable). These download speeds continue to increase, and although upload speeds are getting better, they are improving at nowhere near the same rate. It is only in 2009 that we are starting to see upload speeds of 1Mbit, with slightly over 2Mbit possible (but only in very limited areas).

At first, this may seem to be bordering on crazy, but there is a very valid and logical reason for this design. In fact, it can be traced as far back as the early 80s, with modems connecting to the Prestel data service (similar to Ceefax), which operated on a split rate of 1200/75.

When broadband was introduced, the most common use for it was downloading from web sites. For the most part, this continues to be the case, although the volume and size of the downloads are increasing all the time. The amount of data being uploaded was considered to be small by comparison. It would comprise mostly web requests (very small) and outgoing e-mail. Thus, since the overall capacity available on the line had to be split in two, it made sense to have an uneven split.


Unfortunately, this is very bad for VPN connections between sites. Consider the following diagram:

[Figure: VPN over Broadband diagram]

For data (blue circles) to travel across the VPN from Site-A to Site-B, it first of all exits Site-A as an upload. In this case, it is at a maximum speed of 256k. Site-B can receive the data at 2048k (2Mbit), but Site-A cannot send it fast enough. The fastest it can go is 256k. Thus, the speed of the VPN is limited by the slowest part of the link - 256k. The same applies to data travelling across the VPN from Site-B to Site-A.

Solving the Problem

Assuming no better broadband facilities are available at the locations and the cost of other technologies is prohibitive, then the only available option is to increase the number of broadband links. However, it is not as simple as purchasing additional service and plugging additional routers into the network.

Fortunately, the Stonegate firewalls allow us to install additional broadband lines, or any mix of lines, into a site.