An5teifo
Frequent Visitor
Topic Author
Posts: 89
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

CCR2004 bridge performance

Tue Dec 19, 2023 11:05 am

Hello,

I am currently testing a CCR2004-16G-2S+ for VLAN routing.
The switch is connected via SFP+ ports (trunked) to a CRS326 & CSS326 switch (CRS326 is root bridge).

Current CCR2004 config would be:
[mathias@IBR] > /interface/bridge/print     
Flags: X - disabled, R - running 
 0 R name="bridge1" mtu=auto actual-mtu=1500 l2mtu=1600 arp=enabled arp-timeout=auto mac-address=48:A9:8A:3F:31:E9 protocol-mode=rstp fast-forward=no igmp-snooping=no auto-mac=yes 
     ageing-time=5m priority=0x2000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=yes ether-type=0x8100 pvid=1 frame-types=admit-all ingress-filtering=no 
     dhcp-snooping=no port-cost-mode=short 
[mathias@IBR] > /interface/bridge/port/print 
Flags: I - INACTIVE
Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, PATH-COST, INTERNAL-PATH-COST, HORIZON
#   INTERFACE  BRIDGE   HW   PVID  PRIORITY  PATH-COST  INTERNAL-PATH-COST  HORIZON
0   crs312     bridge1  yes     1  0x80             10                  10  none   
1   css326     bridge1  yes     1  0x80             10                  10  none   
2 I vlan10     bridge1         10  0x80                                     none   
3 I vlan20     bridge1         20  0x80                                     none   
4 I vlan31     bridge1         31  0x80                                     none   
5 I vlan500    bridge1        500  0x80                                     none   
[mathias@IBR] > /interface/bridge/vlan/print
Flags: D - DYNAMIC
Columns: BRIDGE, VLAN-IDS, CURRENT-TAGGED, CURRENT-UNTAGGED
#   BRIDGE   VLAN-IDS  CURRENT-TAGGED  CURRENT-UNTAGGED
0   bridge1       500  bridge1                         
                       crs312                          
                       css326                          
1   bridge1        31  bridge1                         
                       crs312                          
                       css326                          
2   bridge1        10  bridge1                         
                       crs312                          
                       css326                          
3 D bridge1         1                  bridge1         
                                       crs312          
                                       css326          
4   bridge1        11  bridge1                         
                       crs312                          
                       css326                          
5   bridge1        20  bridge1                         
                       crs312                          
                       css326                          
6   bridge1        30  bridge1                         
                       crs312                          
At the moment I just want to route traffic from VLAN10 to VLAN20.
Firewall rules allow any traffic between those VLANs.

When running iperf3 from VLAN10 & 20 and vice versa I only get around 80 Mbit/s.

Can someone explain to me why I have such bad performance?
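Two details in the prints above are worth checking before looking at the hardware: the VLAN interfaces whose parent is bridge1 are added back as bridge1 ports (they show as inactive, flag I, in the port print), and the bridge settings in the export posted later in the thread force bridged traffic through the IP firewall, which the RouterOS bridge documentation lists as excluding it from FastPath. The following config-audit script is an added example, not from the thread or from MikroTik; it parses the `/export` format (continuation lines, quoted values, `[ find ... ]` selectors) and runs on a constructed sample built from the bridge-related lines of the posted export. The finding codes are the script's own labels.

```python
"""Audit a RouterOS `/export` for bridge VLAN misconfigurations.

Added example, not from the thread or from MikroTik. SAMPLE_EXPORT is a
constructed excerpt built from the bridge-related lines posted in the thread.
"""
import re
import shlex

SAMPLE_EXPORT = r"""
# 2023-12-19 10:26:44 by RouterOS 7.13
/interface bridge
add fast-forward=no ingress-filtering=no name=bridge1 port-cost-mode=short \
    priority=0x2000 vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] name=crs312
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20
/interface bridge port
add bridge=bridge1 interface=crs312 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=css326 internal-path-cost=10 multicast-router=\
    disabled path-cost=10
add bridge=bridge1 interface=vlan10 pvid=10
add bridge=bridge1 interface=vlan20 pvid=20
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,vlan10,crs312,css326 vlan-ids=10
add bridge=bridge1 tagged=bridge1,vlan20,css326,crs312 vlan-ids=20
add bridge=bridge1 tagged=bridge1,css326,crs312 vlan-ids=11
"""


def _logical_lines(text):
    """Join continuation lines (trailing backslash) the way RouterOS wrote them."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]          # keep the space before the backslash
            continue
        yield buf + line
        buf = ""


def parse_export(text):
    """Return [(section, verb, {key: value}), ...] for every add/set line."""
    entries, section = [], None
    for line in _logical_lines(text):
        if not line or line.startswith("#"):
            continue                  # blank or header comment
        if line.startswith("/"):
            section = line            # e.g. "/interface bridge port"
            continue
        line = re.sub(r"\[.*?\]", "", line)   # drop "[ find ... ]" selectors
        tokens = shlex.split(line)            # honours quoted values like "cake up"
        kv = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        entries.append((section, tokens[0], kv))
    return entries


def audit_bridge(entries):
    """Return (code, message) findings; codes are this script's own labels."""
    findings = []
    # VLAN interfaces created on top of a bridge: name -> parent interface
    vlan_parent = {kv["name"]: kv["interface"] for sec, verb, kv in entries
                   if sec == "/interface vlan" and verb == "add"}
    for sec, verb, kv in entries:
        bridge = kv.get("bridge")
        if sec == "/interface bridge port" and verb == "add":
            port = kv.get("interface")
            if vlan_parent.get(port) == bridge:
                # a VLAN interface on bridge1 cannot also be a port of bridge1;
                # RouterOS shows such ports as inactive (flag I)
                findings.append(("SELF_PORT", f"{port} is built on {bridge} "
                                 f"but is also configured as a {bridge} port"))
        elif sec == "/interface bridge vlan" and verb == "add":
            for role in ("tagged", "untagged"):
                for member in filter(None, kv.get(role, "").split(",")):
                    if vlan_parent.get(member) == bridge:
                        findings.append(("SELF_MEMBER", f"VLAN {kv.get('vlan-ids')}: "
                                         f"{member} listed as {role} member of its own "
                                         f"parent bridge {bridge}"))
        elif sec == "/interface bridge settings" and kv.get("use-ip-firewall") == "yes":
            # per the RouterOS bridge docs this sends bridged frames through the
            # IP firewall too, which excludes them from bridge FastPath
            findings.append(("IP_FIREWALL_ON_BRIDGE",
                             "use-ip-firewall=yes: bridged traffic traverses the IP "
                             "firewall and cannot use FastPath"))
    return findings


if __name__ == "__main__":
    for code, msg in audit_bridge(parse_export(SAMPLE_EXPORT)):
        print(f"[{code}] {msg}")
```

Feeding the script a real `/export file=...` output instead of the sample works the same way; private values such as keys are irrelevant to the checks and can be redacted first.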
 
erlinden
Forum Guru
Posts: 2514
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: CCR2004 bridge performance

Tue Dec 19, 2023 11:21 am

Can you please supply an export:
/export file=anynameyoulike
Remove serial and any other private information

This will also provide the current RouterOS version, which is missing in your opening post.
(and it is way more readable than the print output).
 
An5teifo
Frequent Visitor
Topic Author
Posts: 89
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: CCR2004 bridge performance

Tue Dec 19, 2023 11:30 am

The current config is below. Kindly note that at the moment I am (temporarily) using OPNsense as the VLAN router until the low bridge performance on the CCR2004 is fixed.

# 2023-12-19 10:26:44 by RouterOS 7.13
# software id = 7092-YU0E
#
# model = CCR2004-16G-2S+
# serial number = ABC123
/interface bridge
add fast-forward=no ingress-filtering=no name=bridge1 port-cost-mode=short \
    priority=0x2000 vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] name=crs312
set [ find default-name=sfp-sfpplus2 ] name=css326
/interface gre
add name=Freetransit remote-address=82.197.169.75
add local-address=62.40.143.228 name=Tunnelbroker.li remote-address=\
    193.148.250.9
/interface wireguard
add listen-port=13230 mtu=1420 name=wg_roadwarrior
add listen-port=13231 mtu=1420 name=wg_schinken
add listen-port=13232 mtu=1420 name=wg_stefan
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20
add interface=bridge1 name=vlan31 vlan-id=31
add interface=bridge1 name=vlan500 vlan-id=500
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=vlan31 ranges=192.168.31.1-192.168.31.50
/ip dhcp-server
add address-pool=vlan31 interface=vlan31 lease-time=10m name=dhcp1
/interface vxlan
add local-address=62.40.143.228 mac-address=FE:B8:F6:AE:76:7A name=4IXP port=\
    4789 vni=180 vrf=main vteps-ip-version=ipv4
add mac-address=AA:48:25:63:62:1A name="BGP Exchange Barcelona" port=4789 \
    vni=1242 vrf=main vteps-ip-version=ipv4
add mac-address=82:4A:44:2E:5B:02 name="BGP Exchange Seattle" port=4789 vni=\
    1114 vrf=main vteps-ip-version=ipv4
add mac-address=42:E0:A1:36:89:B4 name=IXP.cat port=4789 vni=43 vrf=main \
    vteps-ip-version=ipv4
/port
set 0 name=serial0
set 1 name=serial1
/queue type
set 0 kind=sfq
add cake-mpu=64 cake-overhead=18 cake-overhead-scheme=docsis cake-rtt-scheme=\
    internet cake-wash=yes kind=cake name="cake down"
add cake-ack-filter=filter cake-mpu=64 cake-nat=yes cake-overhead=18 \
    cake-overhead-scheme=docsis cake-rtt-scheme=internet kind=cake name=\
    "cake up"
/queue tree
add bucket-size=0.01 max-limit=600M name=DOWN parent=global queue="cake down"
add limit-at=1M max-limit=600M name="VOIP DOWN" packet-mark="VOIP Down" \
    parent=DOWN priority=1 queue="cake down"
add name="DNS DOWN" packet-mark="DNS Down" parent=DOWN priority=2 queue=\
    "cake down"
add name="ACK DOWN" packet-mark="ACK Down" parent=DOWN priority=3 queue=\
    "cake down"
add name="UDP DOWN" packet-mark="UDP Down" parent=DOWN priority=3 queue=\
    "cake down"
add name="ICMP DOWN" packet-mark="ICMP Down" parent=DOWN priority=4 queue=\
    "cake down"
add name="HTTP DOWN" packet-mark="HTTP Down" parent=DOWN priority=5 queue=\
    "cake down"
add limit-at=10M max-limit=600M name="HTTP_BIG DOWN" packet-mark=\
    "HTTP_BIG Down" parent=DOWN priority=7 queue="cake down"
add name="QUIC DOWN" packet-mark="QUIC Down" parent=DOWN priority=5 queue=\
    "cake down"
add name="OTHER DOWN" packet-mark="OTHER Down" parent=DOWN priority=7 queue=\
    "cake down"
add bucket-size=0.01 max-limit=80M name=UP parent=global queue="cake up"
add limit-at=1M max-limit=80M name="VOIP UP" packet-mark="VOIP Up" parent=UP \
    priority=1 queue="cake up"
add name="DNS UP" packet-mark="DNS Up" parent=UP priority=2 queue="cake up"
add name="ACK UP" packet-mark="ACK Up" parent=UP priority=3 queue="cake up"
add name="UDP UP" packet-mark="UDP Up" parent=UP priority=3 queue="cake up"
add name="ICMP UP" packet-mark="ICMP Up" parent=UP priority=4 queue="cake up"
add name="HTTP UP" packet-mark="HTTP Up" parent=UP priority=5 queue="cake up"
add limit-at=20M max-limit=80M name="HTTP BIG UP" packet-mark="HTTP_BIG Up" \
    parent=UP queue="cake up"
add name="QUIC UP" packet-mark="QUIC Up" parent=UP priority=7 queue="cake up"
add name="OTHER UP" packet-mark="OTHER Up" parent=UP priority=7 queue=\
    "cake up"
add name="STEAM_BIG DOWN" packet-mark="STEAM_BIG Down" parent=DOWN queue=\
    "cake down"
add name="STEAM UP" packet-mark="STEAM Up" parent=UP priority=6 queue=\
    "cake up"
add name="STEAM BIG UP" packet-mark="STEAM_BIG Up" parent=UP queue="cake up"
add name="STEAM DOWN" packet-mark="STEAM Down" parent=DOWN priority=6 queue=\
    "cake down"
add name="Plex DOWN" packet-mark="Plex Down" parent=DOWN priority=3 queue=\
    "cake down"
add limit-at=30M max-limit=80M name="Plex UP" packet-mark="Plex Up" parent=UP \
    priority=3 queue="cake up"
add name="DATABASE Down" packet-mark="DATABASE Down" parent=DOWN priority=5 \
    queue="cake down"
add name="DATABASE Up" packet-mark="DATABASE Up" parent=UP priority=5 queue=\
    "cake up"
/routing id
add disabled=no id=62.40.143.228 name=id-1 select-dynamic-id=""
/routing ospf instance
add disabled=no name=instV2 originate-default=always router-id=id-1
add disabled=no name=instV3 originate-default=always router-id=id-1 version=3
/routing ospf area
add disabled=no instance=instV2 name=backbone-v2
add disabled=no instance=instV3 name=backbone-v3
/routing bgp template
set default as=208185 disabled=no routing-table=main
add address-families=ipv6 as=208185 disabled=no input.filter=bgp_in_v6 name=\
    IPv6 output.remove-private-as=yes routing-table=main
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    name=zt1 port=9993
/zerotier interface
add allow-default=no allow-global=no allow-managed=no disabled=no instance=\
    zt1 name=zerotier1 network=adsfadsf
/interface bridge port
add bridge=bridge1 interface=crs312 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=css326 internal-path-cost=10 multicast-router=\
    disabled path-cost=10
add bridge=bridge1 interface=vlan10 pvid=10
add bridge=bridge1 interface=vlan20 pvid=20
add bridge=bridge1 interface=vlan31 pvid=31
add bridge=bridge1 interface=vlan500 pvid=500
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set tcp-syncookies=yes
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,vlan500,crs312,css326 vlan-ids=500
add bridge=bridge1 tagged=bridge1,vlan31,css326,crs312 vlan-ids=31
add bridge=bridge1 tagged=bridge1,vlan10,crs312,css326 vlan-ids=10
add bridge=bridge1 tagged=bridge1,css326,crs312 vlan-ids=11
add bridge=bridge1 tagged=bridge1,vlan20,css326,crs312 vlan-ids=20
add bridge=bridge1 tagged=bridge1,css326,crs312 vlan-ids=30
add bridge=bridge1 tagged=bridge1,css326,crs312 vlan-ids=90
add bridge=bridge1 tagged=bridge1,css326,crs312 vlan-ids=450
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=vlan500 list=LAN
add interface=wg_schinken list=LAN
add interface=wg_roadwarrior list=LAN
add interface=wg_stefan list=LAN
add interface=Tunnelbroker.li list=WAN
add interface=vlan31 list=LAN
add interface=*1A list=WAN
add interface=vlan10 list=LAN
add interface=ether15 list=LAN
add interface=bridge1 list=LAN
add interface=zerotier1 list=LAN
add interface=vlan20 list=LAN
/interface vxlan vteps
add interface=4IXP port=4789 remote-ip=94.177.122.239
add interface=IXP.cat port=4789 remote-ip=65.21.3.59
add interface="BGP Exchange Seattle" port=4789 remote-ip=104.168.83.44
add interface="BGP Exchange Barcelona" port=4789 remote-ip=45.134.91.152
/interface wireguard peers
add allowed-address=0.0.0.0/0,::/0 interface=wg_schinken preshared-key=\

add allowed-address=0.0.0.0/0 interface=wg_stefan preshared-key=\

add allowed-address=192.168.81.2/32 comment=Handy interface=wg_roadwarrior \

add allowed-address=192.168.81.3/32 comment=Macbook interface=wg_roadwarrior \

/ip address
add address=192.168.88.1/24 comment=defconf interface=ether15 network=\
    192.168.88.0
add address=62.40.143.228/24 interface=ether1 network=62.40.143.0
add address=172.16.1.1/28 interface=vlan500 network=172.16.1.0
add address=82.218.185.128/29 interface=ether1 network=82.218.185.128
add address=82.218.185.129/29 interface=ether1 network=82.218.185.128
add address=82.218.185.130/29 interface=ether1 network=82.218.185.128
add address=82.218.185.131/29 interface=ether1 network=82.218.185.128
add address=82.218.185.132/29 interface=ether1 network=82.218.185.128
add address=82.218.185.133/29 interface=ether1 network=82.218.185.128
add address=82.218.185.134/29 interface=ether1 network=82.218.185.128
add address=10.0.10.1/30 interface=wg_schinken network=10.0.10.0
add address=10.0.11.1/30 interface=wg_stefan network=10.0.11.0
add address=192.168.81.1/24 interface=wg_roadwarrior network=192.168.81.0
add address=192.168.31.254/24 interface=vlan31 network=192.168.31.0
add address=100.66.37.10/22 interface="BGP Exchange Seattle" network=\
    100.66.36.0
add address=192.168.10.169/24 disabled=yes interface=vlan10 network=\
    192.168.10.0
add address=10.243.246.253/16 interface=zerotier1 network=10.243.0.0
add address=192.168.20.169/24 disabled=yes interface=vlan20 network=\
    192.168.20.0
add address=192.168.10.254/24 disabled=yes interface=vlan10 network=\
    192.168.10.0
add address=192.168.20.254/24 disabled=yes interface=vlan20 network=\
    192.168.20.0
/ip dhcp-server network
add address=192.168.31.0/24 dns-server=192.168.31.254 gateway=192.168.31.254 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.10.103,192.168.10.104
/ip firewall address-list
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=192.168.20.0/24 list=DMZ
add address=192.168.103.0/24 list=DMZ
add list=ddos-attackers
add list=ddos-targets
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
    not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=103.10.124.0/24 list="Steam Network"
add address=103.10.125.0/24 list="Steam Network"
add address=103.28.54.0/24 list="Steam Network"
add address=146.66.152.0/24 list="Steam Network"
add address=146.66.155.0/24 list="Steam Network"
add address=153.254.86.0/24 list="Steam Network"
add address=155.133.226.0/24 list="Steam Network"
add address=155.133.227.0/24 list="Steam Network"
add address=155.133.230.0/24 list="Steam Network"
add address=155.133.232.0/24 list="Steam Network"
add address=155.133.233.0/24 list="Steam Network"
add address=155.133.234.0/24 list="Steam Network"
add address=155.133.236.0/23 list="Steam Network"
add address=155.133.238.0/24 list="Steam Network"
add address=155.133.239.0/24 list="Steam Network"
add address=155.133.240.0/23 list="Steam Network"
add address=155.133.245.0/24 list="Steam Network"
add address=155.133.246.0/24 list="Steam Network"
add address=155.133.247.0/24 list="Steam Network"
add address=155.133.248.0/24 list="Steam Network"
add address=155.133.249.0/24 list="Steam Network"
add address=155.133.250.0/24 list="Steam Network"
add address=155.133.251.0/24 list="Steam Network"
add address=155.133.252.0/24 list="Steam Network"
add address=155.133.253.0/24 list="Steam Network"
add address=155.133.254.0/24 list="Steam Network"
add address=155.133.255.0/24 list="Steam Network"
add address=162.254.192.0/24 list="Steam Network"
add address=162.254.193.0/24 list="Steam Network"
add address=162.254.194.0/23 list="Steam Network"
add address=162.254.195.0/24 list="Steam Network"
add address=162.254.196.0/24 list="Steam Network"
add address=162.254.197.0/24 list="Steam Network"
add address=162.254.198.0/24 list="Steam Network"
add address=162.254.199.0/24 list="Steam Network"
add address=185.25.182.0/24 list="Steam Network"
add address=185.25.183.0/24 list="Steam Network"
add address=190.217.33.0/24 list="Steam Network"
add address=192.69.96.0/22 list="Steam Network"
add address=205.196.6.0/24 list="Steam Network"
add address=208.64.200.0/24 list="Steam Network"
add address=208.64.201.0/24 list="Steam Network"
add address=208.64.202.0/24 list="Steam Network"
add address=208.64.203.0/24 list="Steam Network"
add address=208.78.164.0/22 list="Steam Network"
/ip firewall filter
add action=jump chain=forward connection-state=new in-interface-list=WAN \
    jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-targets \
    address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers \
    address-list-timeout=10m chain=detect-ddos
add action=accept chain=input comment=wg_schinken dst-port=13231 protocol=udp
add action=accept chain=input comment=wg_stefan dst-port=13232 protocol=udp
add action=accept chain=input comment=wg_roadwarrior dst-port=13230 protocol=\
    udp
add action=accept chain=input comment=4IXP dst-address=62.40.143.228 \
    dst-port=4789 protocol=udp src-address=94.177.122.239
add action=accept chain=input comment=IXP.cat dst-address=62.40.143.228 \
    dst-port=4789 protocol=udp src-address=65.21.3.59
add action=accept chain=input comment="BGP Exchange Los Angeles" dst-address=\
    62.40.143.228 dst-port=4789 protocol=udp src-address=104.168.83.44
add action=accept chain=input comment="BGP Exchange Barcelona" dst-address=\
    62.40.143.228 dst-port=4789 protocol=udp src-address=45.134.91.152
add action=accept chain=input comment=Tunnelbroker.li dst-address=\
    62.40.143.228 protocol=gre src-address=193.148.250.9
add action=accept chain=input comment=Freetransit dst-address=62.40.143.228 \
    protocol=gre src-address=82.197.169.75
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv4
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
    protocol=icmp
add action=add-src-to-address-list address-list=bruteforce_blacklist \
    address-list-timeout=1d chain=input comment=Blacklist connection-state=\
    new dst-port=22 protocol=tcp src-address-list=connection3
add action=add-src-to-address-list address-list=connection3 \
    address-list-timeout=1h chain=input comment="Third attempt" \
    connection-state=new dst-port=22 protocol=tcp src-address-list=\
    connection2,!secured
add action=add-src-to-address-list address-list=connection2 \
    address-list-timeout=15m chain=input comment="Second attempt" \
    connection-state=new dst-port=22 protocol=tcp src-address-list=\
    connection1
add action=add-src-to-address-list address-list=connection1 \
    address-list-timeout=5m chain=input comment="First attempt" \
    connection-state=new dst-port=22 protocol=tcp
add action=accept chain=input dst-port=22 protocol=tcp src-address-list=\
    !bruteforce_blacklist
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv4
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
/ip firewall mangle
add action=mark-connection chain=prerouting comment=DNS connection-mark=\
    no-mark connection-state=new new-connection-mark=DNS passthrough=yes \
    port=53 protocol=udp
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new new-connection-mark=DNS passthrough=yes port=853 \
    protocol=tcp
add action=mark-packet chain=prerouting connection-mark=DNS in-interface=\
    ether1 new-packet-mark="DNS Down" passthrough=yes
add action=mark-packet chain=prerouting connection-mark=DNS in-interface=\
    bridge1 new-packet-mark="DNS Up" passthrough=yes
add action=mark-connection chain=prerouting comment=VOIP connection-mark=\
    no-mark connection-state=new new-connection-mark=VOIP passthrough=yes \
    port=5060-5062,10000-10050 protocol=udp
add action=mark-connection chain=prerouting comment="VOIP Mumble UDP" \
    connection-mark=no-mark connection-state=new new-connection-mark=VOIP \
    passthrough=yes port=64738 protocol=udp
add action=mark-connection chain=prerouting comment="VOIP Mumble TCP" \
    connection-mark=no-mark connection-state=new new-connection-mark=VOIP \
    passthrough=yes port=64738 protocol=tcp
add action=mark-connection chain=prerouting comment="VOIP TURN" \
    connection-mark=no-mark connection-state=new dst-address=82.218.185.130 \
    new-connection-mark=VOIP passthrough=yes port=80,443,3478,5349 protocol=\
    udp
add action=mark-connection chain=prerouting comment="VOIP TURN" \
    connection-mark=no-mark connection-state=new dst-address=82.218.185.130 \
    new-connection-mark=VOIP passthrough=yes port=80,443,3478,5349 protocol=\
    tcp
add action=mark-connection chain=prerouting comment="VOIP TURN" \
    connection-mark=no-mark connection-state=new dst-address=192.168.20.101 \
    new-connection-mark=VOIP passthrough=yes port=80,443,3478,5349 protocol=\
    udp
add action=mark-connection chain=prerouting comment="VOIP TURN" \
    connection-mark=no-mark connection-state=new dst-address=192.168.20.101 \
    new-connection-mark=VOIP passthrough=yes port=80,443,3478,5349 protocol=\
    tcp
add action=mark-connection chain=prerouting comment="VOIP MS Teams UDP" \
    connection-mark=no-mark connection-state=new new-connection-mark=VOIP \
    passthrough=yes protocol=udp src-port=50000-50019
add action=mark-connection chain=prerouting comment="VOIP MS Teams TCP" \
    connection-mark=no-mark connection-state=new new-connection-mark=VOIP \
    passthrough=yes protocol=tcp src-port=50000-50019
add action=mark-packet chain=prerouting connection-mark=VOIP in-interface=\
    ether1 new-packet-mark="VOIP Down" passthrough=no
add action=mark-packet chain=prerouting connection-mark=VOIP in-interface=\
    bridge1 new-packet-mark="VOIP Up" passthrough=no
add action=mark-connection chain=prerouting comment=QUIC connection-mark=\
    no-mark connection-state=new new-connection-mark=QUIC passthrough=yes \
    port=80,443 protocol=udp
add action=mark-packet chain=prerouting connection-mark=QUIC in-interface=\
    ether1 new-packet-mark="QUIC Down" passthrough=no
add action=mark-packet chain=prerouting connection-mark=QUIC in-interface=\
    bridge1 new-packet-mark="QUIC Up" passthrough=no
add action=mark-connection chain=prerouting comment="Video MS Teams UDP" \
    connection-mark=no-mark new-connection-mark=UDP passthrough=yes protocol=\
    udp src-port=50020-50039
add action=mark-connection chain=prerouting comment="Video MS Teams TCP" \
    connection-mark=no-mark new-connection-mark=UDP passthrough=yes protocol=\
    tcp src-port=50020-50039
add action=mark-connection chain=prerouting comment=UDP connection-mark=\
    no-mark connection-state=new new-connection-mark=UDP passthrough=yes \
    protocol=udp
add action=mark-packet chain=prerouting connection-mark=UDP in-interface=\
    ether1 new-packet-mark="UDP Down" passthrough=no
add action=mark-packet chain=prerouting connection-mark=UDP in-interface=\
    bridge1 new-packet-mark="UDP Up" passthrough=no
add action=mark-connection chain=prerouting comment=ICMP connection-mark=\
    no-mark connection-state=new new-connection-mark=ICMP passthrough=yes \
    protocol=icmp
add action=mark-packet chain=prerouting connection-mark=ICMP in-interface=\
    ether1 new-packet-mark="ICMP Down" passthrough=no
add action=mark-packet chain=prerouting connection-mark=ICMP in-interface=\
    bridge1 new-packet-mark="ICMP Up" passthrough=no
add action=mark-packet chain=prerouting comment=ACK in-interface=ether1 \
    new-packet-mark="ACK Down" packet-size=0-123 passthrough=no protocol=tcp \
    tcp-flags=ack
add action=mark-packet chain=prerouting in-interface=bridge1 new-packet-mark=\
    "ACK Up" packet-size=0-123 passthrough=no protocol=tcp tcp-flags=ack
add action=mark-connection chain=prerouting comment=Plex connection-mark=\
    no-mark connection-state=new dst-port=32400 new-connection-mark=Plex \
    passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=Plex in-interface=\
    ether1 new-packet-mark="Plex Down" passthrough=no
add action=mark-packet chain=prerouting connection-mark=Plex in-interface=\
    bridge1 new-packet-mark="Plex Up" passthrough=no
add action=mark-connection chain=prerouting comment=STEAM connection-mark=\
    no-mark connection-state=new dst-address-list="Steam Network" \
    new-connection-mark=STEAM passthrough=yes port=80,443 protocol=tcp
add action=mark-connection chain=prerouting connection-bytes=5000000-0 \
    connection-mark=STEAM connection-rate=2M-100M new-connection-mark=\
    STEAM_BIG passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=STEAM in-interface=\
    ether1 new-packet-mark="STEAM Down" passthrough=no
add action=mark-packet chain=prerouting connection-mark=STEAM in-interface=\
    bridge1 new-packet-mark="STEAM Up" passthrough=no
add action=mark-packet chain=prerouting connection-mark=STEAM_BIG \
    in-interface=ether1 new-packet-mark="STEAM_BIG Down" passthrough=no
add action=mark-packet chain=prerouting connection-mark=STEAM_BIG \
    in-interface=bridge1 new-packet-mark="STEAM_BIG Up" passthrough=no
add action=mark-connection chain=prerouting comment=HTTP connection-mark=\
    no-mark connection-state=new new-connection-mark=HTTP passthrough=yes \
    port=80,443 protocol=tcp
add action=mark-connection chain=prerouting connection-bytes=5000000-0 \
    connection-mark=HTTP connection-rate=2M-100M new-connection-mark=HTTP_BIG \
    passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=HTTP_BIG \
    in-interface=ether1 new-packet-mark="HTTP_BIG Down" passthrough=no
add action=mark-packet chain=prerouting connection-mark=HTTP_BIG \
    in-interface=bridge1 new-packet-mark="HTTP_BIG Up" passthrough=no
add action=mark-packet chain=prerouting connection-mark=HTTP in-interface=\
    ether1 new-packet-mark="HTTP Down" passthrough=no
add action=mark-packet chain=prerouting connection-mark=HTTP in-interface=\
    bridge1 new-packet-mark="HTTP Up" passthrough=no
add action=mark-connection chain=prerouting comment=DATABASE connection-mark=\
    no-mark connection-state=new new-connection-mark=DATABASE passthrough=yes \
    port=5432 protocol=tcp
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new new-connection-mark=DATABASE passthrough=yes port=\
    9200 protocol=tcp
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new new-connection-mark=DATABASE passthrough=yes port=\
    9300 protocol=tcp
add action=mark-packet chain=prerouting connection-mark=DATABASE \
    in-interface=wg_schinken new-packet-mark="DATABASE Down" passthrough=no
add action=mark-packet chain=prerouting connection-mark=DATABASE \
    in-interface=bridge1 new-packet-mark="DATABASE Up" passthrough=no
add action=mark-connection chain=prerouting comment=OTHER connection-mark=\
    no-mark connection-state=new new-connection-mark=OTHER passthrough=yes
add action=mark-packet chain=prerouting connection-mark=OTHER in-interface=\
    ether1 new-packet-mark="OTHER Down" passthrough=no
add action=mark-packet chain=prerouting connection-mark=OTHER in-interface=\
    bridge1 new-packet-mark="OTHER Up" passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=HTTP dst-address=62.40.143.228 \
    dst-port=80,443,853,8008,8448 protocol=tcp to-addresses=192.168.20.100
add action=dst-nat chain=dstnat comment="Manage Engine" dst-address=\
    62.40.143.228 dst-port=8022,8027,8047-8048,8383,8553 protocol=tcp \
    to-addresses=192.168.10.102
add action=dst-nat chain=dstnat comment="Plex TCP" dst-address=62.40.143.228 \
    dst-port=32400 protocol=tcp to-addresses=192.168.20.10
add action=dst-nat chain=dstnat comment="Plex UDP" dst-address=62.40.143.228 \
    dst-port=32400 protocol=udp to-addresses=192.168.20.10
add action=dst-nat chain=dstnat comment="Mail HTTP" dst-address=\
    82.218.185.129 dst-port=80,143,443,587,993 protocol=tcp to-addresses=\
    192.168.20.102
add action=dst-nat chain=dstnat comment=Relay dst-address=82.218.185.129 \
    dst-port=25,465,8006 protocol=tcp to-addresses=192.168.20.150
add action=dst-nat chain=dstnat comment=TURN dst-address=82.218.185.130 \
    dst-port=80,443,3478,5349 protocol=tcp to-addresses=192.168.20.101
add action=dst-nat chain=dstnat comment=TURN dst-address=82.218.185.130 \
    dst-port=80,443,3478,5349 protocol=udp to-addresses=192.168.20.101
add action=dst-nat chain=dstnat comment="Gitlab SSH" dst-address=\
    82.218.185.131 dst-port=22,80,443 protocol=tcp to-addresses=192.168.20.21
add action=dst-nat chain=dstnat comment="Murmur TCP" dst-address=\
    62.40.143.228 dst-port=64738 protocol=tcp to-addresses=192.168.20.97
add action=dst-nat chain=dstnat comment="Murmur UDP" dst-address=\
    62.40.143.228 dst-port=64738 protocol=udp to-addresses=192.168.20.97
/ip firewall raw
add action=drop chain=prerouting dst-address-list=ddos-targets \
    src-address-list=ddos-attackers
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
    protocol=udp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
    jump-target=bad_tcp protocol=tcp
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
    protocol=tcp
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    62.40.143.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=\
    no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl address=192.168.10.0/24
/ip ssh
set host-key-size=4096 strong-crypto=yes
/ipv6 address
add address=2a0a:6040:4800::/40 advertise=no interface=vlan500
add address=2a0a:6040:4800:a1::1 interface=vlan500
add address=2a0a:6040:4800:81::1 interface=wg_roadwarrior
add address=2a0c:9a40:100f:330::2 advertise=no interface=Tunnelbroker.li
add address=2a0a:6040:4800:b1::1 advertise=no interface=wg_schinken
add address=2a0a:6040:4800:31::200 disabled=yes interface=vlan31
add address=2001:7f8:d0::3:2d39:1 advertise=no interface=4IXP
add address=2001:7f8:d0:4649:0:3:2d39:1 advertise=no interface=IXP.cat
add address=2a0e:8f01:1000:49::103 advertise=no interface=\
    "BGP Exchange Seattle"
add address=2a0e:8f01:1000:29::107 advertise=no interface=\
    "BGP Exchange Barcelona"
add address=2a01:20e:1000:177::2 advertise=no interface=Freetransit
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
    no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
add address=2a0a:6040:4800::/40 list=BGP_Out_HKS
add address=wwwubuntu.hks.lan list=wwwubuntu
add address=turn.hks-projekt.at list=wwwubuntu-turn
add address=zimbra.hks.lan list=Zimbra
add address=relay.hks-projekt.at list=Relay
add address=gitlab.hks-projekt.at list=Gitlab
add address=plex.hks.lan list=Plex
add address=proxmox1.hks.lan list=Proxmox
add address=proxmox1.hks.lan list=Proxmox1
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=add-src-to-address-list address-list=connection1 \
    address-list-timeout=10m chain=input comment="First attempt" \
    connection-state=new dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list=bruteforce_blacklist \
    address-list-timeout=1d chain=input comment="Second attempt" \
    connection-state=new dst-port=22 protocol=tcp src-address-list=\
    connection1
add action=accept chain=input dst-port=22 protocol=tcp src-address-list=\
    !bruteforce_blacklist
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=wanin6 dst-address-list=wwwubuntu dst-port=\
    80,443,853,8008,8448 protocol=tcp
add action=accept chain=wanin6 dst-address-list=wwwubuntu-turn dst-port=\
    80,443,3478,5349 protocol=tcp
add action=accept chain=wanin6 dst-address-list=wwwubuntu-turn dst-port=\
    80,443,3478,5349 protocol=udp
add action=accept chain=wanin6 dst-address-list=Zimbra dst-port=\
    80,143,443,587,993 protocol=tcp
add action=accept chain=wanin6 dst-address-list=Relay dst-port=25,465,8006 \
    protocol=tcp
add action=accept chain=wanin6 dst-address-list=Gitlab dst-port=22 protocol=\
    tcp
add action=accept chain=wanin6 dst-address-list=Plex dst-port=34000 protocol=\
    tcp
add action=accept chain=wanin6 comment="accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=jump chain=forward in-interface-list=WAN jump-target=wanin6
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 firewall mangle
add action=mark-connection chain=prerouting comment=DNS connection-state=new \
    new-connection-mark=DNS passthrough=yes port=53 protocol=udp
add action=mark-packet chain=prerouting connection-mark=DNS new-packet-mark=\
    DNS passthrough=no
add action=mark-connection chain=postrouting connection-state=new \
    new-connection-mark=DNS passthrough=yes port=53 protocol=udp
add action=mark-packet chain=postrouting connection-mark=DNS new-packet-mark=\
    DNS passthrough=no
add action=mark-connection chain=prerouting comment=VOIP new-connection-mark=\
    VOIP passthrough=yes port=5060-5062,10000-10050 protocol=udp
add action=mark-connection chain=prerouting comment="VOIP Mumble UDP" \
    new-connection-mark=VOIP passthrough=yes port=64738 protocol=udp
add action=mark-connection chain=prerouting comment="VOIP Mumble TCP" \
    new-connection-mark=VOIP passthrough=yes port=64738 protocol=tcp
add action=mark-packet chain=prerouting connection-mark=VOIP new-packet-mark=\
    VOIP passthrough=no
add action=mark-connection chain=prerouting comment=QUIC connection-state=new \
    new-connection-mark=QUIC passthrough=yes port=80,443 protocol=udp
add action=mark-packet chain=prerouting connection-mark=QUIC new-packet-mark=\
    QUIC passthrough=no
add action=mark-connection chain=prerouting comment=UDP connection-state=new \
    new-connection-mark=UDP passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=UDP new-packet-mark=\
    UDP passthrough=no
add action=mark-connection chain=prerouting comment=ICMP connection-state=new \
    new-connection-mark=ICMP passthrough=yes protocol=icmp
add action=mark-packet chain=prerouting connection-mark=ICMP new-packet-mark=\
    ICMP passthrough=no
add action=mark-connection chain=postrouting connection-state=new \
    new-connection-mark=ICMP passthrough=yes protocol=icmp
add action=mark-packet chain=postrouting connection-mark=ICMP \
    new-packet-mark=ICMP passthrough=no
add action=mark-packet chain=postrouting comment=ACK new-packet-mark=ACK \
    packet-size=0-123 passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=prerouting new-packet-mark=ACK packet-size=0-123 \
    passthrough=no protocol=tcp tcp-flags=ack
add action=mark-connection chain=prerouting comment=HTTP connection-mark=\
    no-mark connection-state=new new-connection-mark=HTTP passthrough=yes \
    port=80,443 protocol=tcp
add action=mark-connection chain=prerouting connection-bytes=5000000-0 \
    connection-mark=HTTP connection-rate=2M-100M new-connection-mark=HTTP_BIG \
    passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=HTTP_BIG \
    new-packet-mark=HTTP_BIG passthrough=no
add action=mark-packet chain=prerouting connection-mark=HTTP new-packet-mark=\
    HTTP passthrough=no
add action=mark-connection chain=prerouting comment=OTHER connection-state=\
    new new-connection-mark=POP3 passthrough=yes port=995,465,587 protocol=\
    tcp
add action=mark-packet chain=prerouting connection-mark=POP3 new-packet-mark=\
    OTHER passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    new-connection-mark=OTHER passthrough=yes
add action=mark-packet chain=prerouting connection-mark=OTHER \
    new-packet-mark=OTHER passthrough=no
/ipv6 nd
add interface=vlan500
add dns=2a0a:6040:4800:31::200 interface=vlan31
add interface=wg_roadwarrior
/routing bgp connection
add address-families=ipv6 as=208185 connect=yes disabled=no input.filter=\
    bgp_in_v6 listen=yes local.address=2001:7f8:d0::3:2d39:1 .role=ebgp \
    multihop=yes name=4IXP-RS1 output.filter-chain=BGP-out-HKS .network=\
    BGP_Out_HKS .remove-private-as=yes remote.address=2001:7f8:d0::8b7c:1/128 \
    .as=35708 routing-table=main templates=IPv6
add address-families=ipv6 as=208185 connect=yes disabled=no input.filter=\
    bgp_in_v6 listen=yes local.address=2001:7f8:d0::3:2d39:1 .role=ebgp \
    multihop=yes name=4IXP-RS2 output.filter-chain=BGP-out-HKS .network=\
    BGP_Out_HKS .remove-private-as=yes remote.address=2001:7f8:d0::8b7c:2/128 \
    .as=35708 routing-table=main templates=IPv6
add address-families=ipv6 as=208185 connect=yes disabled=no input.filter=\
    bgp_in_v6 listen=yes local.address=2001:7f8:d0::3:2d39:1 .role=ebgp \
    multihop=yes name=4IXP-RS3 output.filter-chain=BGP-out-HKS .network=\
    BGP_Out_HKS .remove-private-as=yes remote.address=2001:7f8:d0::8b7c:3/128 \
    .as=35708 routing-table=main templates=IPv6
add address-families=ipv6 as=208185 connect=yes disabled=no input.filter=\
    bgp_in_v6 listen=yes local.address=2001:7f8:d0:4649:0:3:2d39:1 .role=ebgp \
    name=IXP.cat output.filter-chain=BGP-out-HKS .network=BGP_Out_HKS \
    .remove-private-as=yes remote.address=2001:7f8:d0:4649::c133:1/128 .as=\
    49459 routing-table=main templates=IPv6
add address-families=ipv6 as=208185 connect=yes disabled=no input.filter=\
    bgp_in_v6 listen=yes local.role=ebgp name=Tunnelbroker.li \
    output.filter-chain=BGP-out-HKS .network=BGP_Out_HKS .remove-private-as=\
    yes remote.address=2a0c:9a40:100f:330::1/128 .as=34927 routing-table=main \
    templates=IPv6
add address-families=ipv6 as=208185 connect=yes disabled=no input.filter=\
    bgp_in_v6 listen=yes local.address=2001:7f8:d0::3:2d39:1 .role=ebgp \
    multihop=yes name="Manuel Gatterer 4IXP" output.filter-chain=BGP-out-HKS \
    .network=BGP_Out_HKS .remove-private-as=yes remote.address=\
    2001:7f8:d0::3:1edc:1/128 .as=204508 routing-table=main templates=IPv6
add address-families=ipv6 as=208185 connect=yes disabled=no input.filter=\
    bgp_in_v6 listen=yes local.address=2a0e:8f01:1000:49::103 .role=ebgp \
    name="BGP Exchange Seattle" output.filter-chain=BGP-out-HKS .network=\
    BGP_Out_HKS .remove-private-as=yes remote.address=\
    2a0e:8f01:1000:49::1/128 .as=24381 routing-table=main templates=IPv6
add address-families=ipv6 as=208185 connect=yes disabled=no input.filter=\
    bgp_in_v6 listen=yes local.role=ebgp name="BGP Exchange Barcelona" \
    output.filter-chain=BGP-out-HKS .network=BGP_Out_HKS .remove-private-as=\
    yes remote.address=2a0e:8f01:1000:29::1/128 .as=24381 routing-table=main \
    templates=IPv6
add address-families=ipv6 as=208185 connect=yes disabled=no input.filter=\
    bgp_in_v6 listen=yes local.role=ebgp name=Freetransit \
    output.filter-chain=BGP-out-HKS .network=BGP_Out_HKS .remove-private-as=\
    yes remote.address=2a01:20e:1000:177::1/128 .as=41051 routing-table=main \
    templates=IPv6
/routing filter rule
add chain=BGP-out-HKS disabled=no rule=\
    "if ( dst==2a0a:6040:4800::/40 ) { accept } else { reject }"
add chain="BGP IN reject any" disabled=no rule=\
    "if ( protocol bgp ) { accept }"
add chain=BGP-OUT-sent-any disabled=no rule="if ( protocol bgp ) { accept }"
add chain=bgp_in_v4 disabled=no rule=\
    "if ( rpki invalid ) { reject } else { accept }"
add chain=bgp_in_v4 disabled=no rule="if (dst in 10.0.0.0/8 || dst in 192.168.\
    0.0/16 || dst in 172.16.0.0/12 ) {reject }"
add chain=bgp_in_v4 disabled=no rule="if ( dst-len > 24 ) { accept }"
add chain=bgp_in_v6 disabled=no rule=\
    "if ( gw == 2a0c:9a40:100f:330::1 ) { set bgp-local-pref 200; accept }"
add chain=bgp_in_v6 disabled=no rule=\
    "if ( gw == 2a01:20e:1000:177::1 ) { set bgp-local-pref 90; accept }"
add chain=bgp_in_v6 disabled=no rule=\
    "if ( dst == ::/0 ) { reject } else { accept }"
add chain=bgp_in_v6 rule="if ( dst in fc00::/7 ) { reject } else { accept }"
add chain=bgp_in_v6 disabled=no rule=\
    "if ( rpki invalid ) { reject } else { accept }"
add chain=bgp_in_v6 disabled=no rule="if ( dst-len >= 48 ) { accept }"
/routing ospf interface-template
add area=backbone-v2 disabled=no interfaces=vlan500 type=ptmp-broadcast
add area=backbone-v3 disabled=no interfaces=vlan500
add area=backbone-v2 disabled=no interfaces=wg_schinken type=ptp
add area=backbone-v3 disabled=no interfaces=wg_schinken type=ptp
add area=backbone-v2 disabled=no interfaces=wg_stefan type=ptp
add area=backbone-v2 disabled=no interfaces=*1E type=ptp
add area=backbone-v3 disabled=no interfaces=*1E type=ptp
add area=backbone-v2 disabled=no interfaces=vlan31 passive
add area=backbone-v3 disabled=no interfaces=vlan31 passive
add area=backbone-v2 disabled=no interfaces=wg_roadwarrior passive
add area=backbone-v3 disabled=no interfaces=wg_roadwarrior passive
add area=backbone-v2 disabled=no interfaces=zerotier1 passive
/routing rpki
add address=192.168.20.106 disabled=no expire-interval=7200 group=Routinator \
    port=3323 refresh-interval=20 retry-interval=600 vrf=main
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=IBR
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
/system routerboard settings
# Firmware upgraded successfully, please reboot for changes to take effect!
set auto-upgrade=yes
/system scheduler
add interval=1d name="schedule update" on-event="/system package update\r\
    \ncheck-for-updates once\r\
    \n:delay 3s;\r\
    \n:if ( [get status] = \"New version is available\") do={ install }" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2023-02-02 start-time=03:30:00
/tool bandwidth-server
set authenticate=no enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-ip-protocol=tcp,udp filter-stream=yes streaming-enabled=yes \
    streaming-server=192.168.10.175
 
An5teifo
Frequent Visitor
Topic Author
Posts: 89
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: CCR2004 bridge performance

Tue Dec 19, 2023 11:40 am

As a side note: Doing VLAN routing on CCR2004 does not generate 100 % on any CPU core.
One core is usually at around 25 %.
 
biomesh
Long time Member
Posts: 574
Joined: Fri Feb 10, 2012 8:25 pm

Re: CCR2004 bridge performance

Tue Dec 19, 2023 2:12 pm

My guess is the crap ton of firewall rules you have. You are probably hitting multiple forward rules on the intra vlan traffic. You should check your rules and add criteria for in-interface={your-wan-interface} where appropriate.
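A way to check the export for the property biomesh points at, as an added Python example that is not part of the thread and not MikroTik code: it folds the export's backslash line continuations, parses every `add` line, and lists the forward-chain rules that carry no `in-interface`, `in-interface-list` or `in-bridge-port` match, i.e. the rules that routed inter-VLAN traffic is evaluated against just like WAN traffic. The sample export embedded in the script is constructed in the same shape as the one posted above; to audit a real router, read the output of `/export` into `parse_export` instead.

```python
"""Find firewall rules in a RouterOS export that carry no ingress-interface
match, so inter-VLAN traffic routed through the CCR is evaluated against
them as well as WAN traffic.  Added example for this thread, not code from
MikroTik or from the poster; the sample export below is constructed."""
import shlex

# Constructed sample in the same shape as the export posted above.
SAMPLE_EXPORT = r"""
/ip firewall filter
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=jump chain=forward in-interface-list=WAN jump-target=wanin
add action=drop chain=forward comment="drop not from LAN" in-interface-list=\
    !LAN
/ip firewall mangle
add action=mark-connection chain=prerouting comment=HTTP connection-state=new \
    new-connection-mark=HTTP passthrough=yes port=80,443 protocol=tcp
"""

# Any of these properties restricts a rule to a particular ingress interface.
INGRESS_KEYS = ("in-interface", "in-interface-list", "in-bridge-port")


def join_continuations(text):
    """Fold the export's backslash continuations into logical lines.
    A trailing '\\' means the next line (minus its indent) continues this one."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip() if buf else raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        logical.append(buf + line)
        buf = ""
    if buf:
        logical.append(buf)
    return [l for l in logical if l]


def parse_export(text):
    """Return one dict per 'add' line:
    {'section': '/ip firewall filter', 'props': {'chain': 'forward', ...}}."""
    rules, section = [], None
    for line in join_continuations(text):
        if line.startswith("/"):
            section = line          # a menu path such as /ip firewall filter
            continue
        if line.startswith("#"):
            continue                # export comments
        tokens = shlex.split(line)  # honours the double-quoted comments
        if not tokens or tokens[0] != "add":
            continue                # 'set' lines configure, they are not rules
        props = {}
        for tok in tokens[1:]:
            key, sep, value = tok.partition("=")
            props[key] = value if sep else "yes"   # bare flag such as 'passive'
        rules.append({"section": section, "props": props})
    return rules


def unrestricted_rules(rules, section_suffix="firewall filter", chain="forward"):
    """Rules in the given chain that match on no ingress interface.
    Returns (section, rule index within that section, action, comment)."""
    hits, index = [], {}
    for rule in rules:
        sec = rule["section"] or ""
        i = index[sec] = index.get(sec, -1) + 1   # numbering as /print shows it
        p = rule["props"]
        if not sec.endswith(section_suffix) or p.get("chain") != chain:
            continue
        if any(k in p for k in INGRESS_KEYS):
            continue
        hits.append((sec, i, p.get("action"), p.get("comment", "")))
    return hits


if __name__ == "__main__":
    for sec, i, action, comment in unrestricted_rules(parse_export(SAMPLE_EXPORT)):
        print(f"{sec} rule {i}: action={action} comment={comment!r} "
              "has no in-interface match")
```

Because the section is matched on its suffix, the same call also covers `/ipv6 firewall filter`; passing `"firewall mangle"` and `"prerouting"` audits the mangle marks the same way. Two caveats when reading the output: only routed traffic traverses `forward`, frames bridged within one VLAN stay in the bridge unless `use-ip-firewall=yes` is set under `/interface bridge settings`; and an `established,related` accept at the top of the chain means the rules below it cost CPU only once per new connection, not per packet.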
 
An5teifo
Frequent Visitor
Topic Author
Posts: 89
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: CCR2004 bridge performance

Tue Dec 19, 2023 2:16 pm

I already found the issue: QoS - I set an upload limit of 80M as this is my general WAN uplink.
As I added my other VLAN interfaces to the bridge, I was not able to bypass the 80M limit.
