Hi all,

Received my first Routerboard recently, an RB2011UAS-2HnD. Feature set and config flexibility is amazing at this price, but I'm wondering if there's anything I can do (or not do) to squeeze more throughput performance out of it.

The specs say with firewall & conntrack on, routing, it can in theory do up to ~950Mbps on large packets. I've tried a couple of different configurations but the most I can get through it with iperf is ~270-290Mbps. Still meets my needs, but can't help but wonder if there's any easy gains somewhere?

My test setup: To start with I baselined with PC1 & PC2 both connected to the HP switch on same subnet; iperf 900M+.
Moving PC2 to hang off the RB2011, most I saw was 290M.

On the RB e1-e4 are in a bridge group.
Vlan 10 is tied to that bridge group, and has an IP address on it.
e5 is not in any bridge group, and has an IP address in a different subnet directly on it.
I also tried it with e2 not in a bridge group (vlan was still there though).
PC's have routes configured to push traffic through the RB.
There's a handful of firewall rules on the RB, and conntrack is on - the traffic is routed, not nat'd; I've tried to turn most other features off.

Is the difference between specs & real-world throughput for this type of setup expected?
What model of RB would people suggest if I'm looking for 1Gbit routed firewall throughput?

Thank you,
-Martin.

Why a lot of people still uses BRIDGE GROUP that is pure software instead than SWITCHPORTS that is wire speed and in hardware?

Good point; if I ended up using more than one of the first few ports in the same L2 domain I could convert those to a master/slave switch group. Wouldn't change routed throughput in the example case though.

I do find the bridge group concept very flexible and easy to use as it creates an extra abstraction layer, rather than tying other objects to one of the physical ports themselves.

Why a lot of people still uses BRIDGE GROUP that is pure software instead than SWITCHPORTS that is wire speed and in hardware?

with bridge group then only you can see traffic each port but by switch group you can't see it but only on the master port.

Is there a way to show trafic through the switch? (Master port switch)
Thanks

OK, but switch mode is wire speed and faster, not done by cpu as software bridge

Deleted because not related.

Why a lot of people still uses BRIDGE GROUP that is pure software instead than SWITCHPORTS that is wire speed and in hardware?

Bridge filter (reduce broadcast) so its possible to get good speed from a Wireless l2 net?

Hi Dobby,

Thanks for response to my post. Don't get me wrong, I'm really happy with the 2011 - have thrown a lot more config at it since this and it's been flawless and fantastic value.
The baseline comparison when both hosts were connected to the HP was just to verify what the max rate of the end hosts themselves was....not to compare the HP to the RB.

What originally prompted my query is that the spec sheet for this model says it can do routing with firewall & conn track on, at up to 952.09Mbps with large frames. Since then I read the MT post about their testing procedures, so I suspect this means total combined throughput when processing traffic on multiple in/out ports at once?

I guess the piece I'm missing is this:
If the individual ports can run at wire speed (as I'm sure they would if I used them in a switch group),
and
if the cpu/system can process total combined routed/firewall traffic at 900M+
then what is stopping it from getting a single TCP connection from running that fast when no other load is present?
Just don't know which limit it's hitting...

Deleted because not related.

Deleted because not related.

re:

/interface ethernet switch set numbers=0 mirror-source=ether2 mirror-target=ether5

This seems to work fine, however, I have three related questions:

1) Does this mirror stay in effect after rebooting the router?

2) How do I undo this change - e.g. if I want to use ether5 as a standard bridge port again?

3) Is there a way to set/unset this from winbox?

Thanks much!

To answer at least one of my own questions:
winbox has a switch tab which allows the mirror to be turned on/off between source and destination ports.

I haven't rebooted the router, but I suspect the settings are persistent.
I don't see a way to change these settings from the web interface.

re:

/interface ethernet switch set numbers=0 mirror-source=ether2 mirror-target=ether5

This seems to work fine, however, I have three related questions:

1) Does this mirror stay in effect after rebooting the router?

2) How do I undo this change - e.g. if I want to use ether5 as a standard bridge port again?

3) Is there a way to set/unset this from winbox?

Thanks much!

Now:ROS 6.10 RB2011 latest routerboot and latest ROS

wan: eth6 100mb fiber link
LAN: eth2 1000gb to giga switch

I do NAT 1-1 with about 20 users, and nat "overload" one to many to about 300 users.

I can pass about 100mbit but cpu have average of 70%