Community discussions

MikroTik App
  4. RouterOS
  5. General

RB760iGS - Very Slow transfer speeds vlan to vlan and cpu usage is just 30%

Post Reply
 
shivansps
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 54
Joined: Fri Sep 22, 2017 1:18 am

RB760iGS - Very Slow transfer speeds vlan to vlan and cpu usage is just 30%

Sat Dec 19, 2020 3:36 pm

Im having a medium to large setup here, as this RB760 handles 7 vlans and is a l2tp server.

This is the configuration im using.
Code: Select all
/interface bridge
add admin-mac=C4:AD:34:F2:8C:C6 auto-mac=no name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Modem
set [ find default-name=ether2 ] name=ether2-DVR
set [ find default-name=ether3 ] name=ether3-Admin
set [ find default-name=ether4 ] name=ether4-CPE
set [ find default-name=ether5 ] name=ether5-EAP
set [ find default-name=sfp1 ] name=sfp1-Switch
/interface vlan
add interface=bridge name=vlan1-Empleados vlan-id=110
add interface=bridge name=vlan2-Clientes vlan-id=120
add interface=bridge name=vlan3-Ventas vlan-id=130
add interface=bridge name=vlan4-Servicio vlan-id=140
add interface=bridge name=vlan5-GamingVentas vlan-id=200
add interface=bridge name=vlan6-GamingEmpleados vlan-id=220
add interface=bridge name=vlan7-GamingServicio vlan-id=210
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=CPE_VLANS
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
add hotspot-address=10.5.50.1 html-directory=flash/hotspot login-by=http-chap \
    name=Clientes rate-limit=5M/50M
/ip pool
add name=admin ranges=192.168.90.50-192.168.90.254
add name=clientes-pool ranges=10.5.50.2-10.5.50.254
add name=ventas-pool ranges=192.168.80.30-192.168.80.254
add name=empleados-pool ranges=192.168.81.10-192.168.81.254
add name=servicio-pool ranges=192.168.88.10-192.168.88.254
add name=vpn-pool ranges=192.168.82.2-192.168.82.254
/ip dhcp-server
add address-pool=admin disabled=no interface=bridge name=Admin
add address-pool=clientes-pool disabled=no interface=vlan2-Clientes lease-time=\
    1h name=Clientes
add address-pool=empleados-pool disabled=no interface=vlan1-Empleados name=\
    Empleados
add address-pool=ventas-pool disabled=no interface=vlan3-Ventas name=Ventas
add address-pool=servicio-pool disabled=no interface=vlan4-Servicio name=\
    Servicio
/ip hotspot
add address-pool=clientes-pool disabled=no interface=vlan2-Clientes name=\
    Clientes profile=Clientes
/ip hotspot user profile
set [ find default=yes ] address-pool=clientes-pool name=vip rate-limit=\
    10M/100M shared-users=30 transparent-proxy=yes
add address-pool=clientes-pool idle-timeout=30m mac-cookie-timeout=6h name=\
    clientes rate-limit=256k/2M shared-users=200 transparent-proxy=yes
/port
set 0 name=serial0
/ppp profile
add dns-server=8.8.8.8 local-address=192.168.82.1 name=VPN remote-address=\
    vpn-pool use-encryption=no
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,passw\
    ord,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge interface=ether2-DVR
add bridge=bridge interface=ether3-Admin
add bridge=bridge interface=ether4-CPE
add bridge=bridge interface=ether5-EAP
add bridge=bridge interface=sfp1-Switch
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge comment="VLANS DEPOSITO" tagged=\
    bridge,ether4-CPE,ether5-EAP,sfp1-Switch vlan-ids=\
    100,110,120,130,140
add bridge=bridge comment="VLANS GAMING" tagged=bridge,ether4-CPE,sfp1-Switch \
    vlan-ids=200,220,210
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap2 default-profile=VPN enabled=yes \
    use-ipsec=required
/interface list member
add interface=bridge list=LAN
add interface=ether1-Modem list=WAN
add interface=vlan1-Empleados list=LAN
add interface=vlan2-Clientes list=LAN
add interface=vlan3-Ventas list=LAN
add interface=vlan4-Servicio list=LAN
add interface=vlan7-GamingServicio list=LAN
add interface=vlan5-GamingVentas list=LAN
add interface=vlan5-GamingVentas list=CPE_VLANS
add interface=vlan6-GamingEmpleados list=CPE_VLANS
add interface=vlan7-GamingServicio list=CPE_VLANS
add interface=vlan6-GamingEmpleados list=LAN
/ip address
add address=192.168.90.1/24 comment=Admin interface=bridge network=192.168.90.0
add address=192.168.88.1/24 comment=Servicio interface=vlan4-Servicio network=\
    192.168.88.0
add address=192.168.80.1/24 comment=Ventas interface=vlan3-Ventas network=\
    192.168.80.0
add address=192.168.81.1/24 comment=Empleados interface=vlan1-Empleados \
    network=192.168.81.0
add address=10.5.50.1/24 comment=Clientes interface=vlan2-Clientes network=\
    10.5.50.0
add address=192.168.83.1/24 comment="Control de Puerta" interface=\
    vlan1-Empleados network=192.168.83.0
/ip dhcp-client
add add-default-route=no comment=CLARO disabled=no interface=ether1-Modem \
    script=":local newgw [ip dhcp-client get [find interface=\"ether1-Modem\"] g\
    ateway];\r\
    \n:local routegw [/ip route get [find comment=\"FAILOVER WAN0\"] gateway ];\
    \r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"FAILOVER WAN1\"] gateway=\$newgw;\r\
    \n}"
add add-default-route=no comment="BACKUP POR CPE" disabled=no interface=\
    vlan7-GamingServicio script=":local newgw [ip dhcp-client get [find interfac\
    e=\"vlan8-GamingServicio\"] gateway];\r\
    \n:local routegw [/ip route get [find comment=\"FAILOVER WAN1\"] gateway ];\
    \r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"FAILOVER WAN1\"] gateway=\$newgw;\r\
    \n}"
/ip dhcp-server lease
add address=192.168.90.2 client-id=1:b0:95:75:e6:f3:fa comment="Switch TP-LINK" \
    mac-address=B0:95:75:E6:F3:FA server=Admin
add address=192.168.90.3 client-id=1:d8:47:32:3f:74:76 comment=EAP mac-address=\
    D8:47:32:3F:74:76 server=Admin
add address=192.168.90.10 client-id=1:bc:32:5f:11:a7:ca comment=DVR \
    mac-address=BC:32:5F:11:A7:CA server=Admin
add address=192.168.80.7 client-id=1:0:10:40:b8:ce:6e comment=IMP.LOGISTICA \
    mac-address=00:10:40:B8:CE:6E server=Ventas
add address=192.168.90.4 client-id=1:b0:95:75:1:16:bc comment=CPE_DEPOSITO \
    mac-address=B0:95:75:01:16:BC server=Admin
add address=192.168.90.5 client-id=1:3c:84:6a:7f:35:ae comment=CPE_Gaming \
    mac-address=3C:84:6A:7F:35:AE server=Admin
add address=192.168.90.11 client-id=1:bc:ba:c2:8e:80:9a comment=Fichador \
    mac-address=BC:BA:C2:8E:80:9A server=Admin
add address=192.168.83.2 comment="ESP8266 - Control de Puerta" mac-address=\
    5C:CF:7F:F7:E2:D8 server=Empleados
add address=192.168.90.9 comment=RB750GR3-GAMING mac-address=B8:69:F4:DB:9A:66 \
    server=Admin
add address=192.168.90.6 client-id=1:68:ff:7b:f6:f2:6f comment=EAP115-GAMING \
    mac-address=68:FF:7B:F6:F2:6F server=Admin
add address=192.168.90.8 comment="SWITCH 3COM GAMING" mac-address=\
    00:18:6E:CA:10:89 server=Admin
add address=192.168.90.7 client-id=1:b0:be:76:40:c3:aa comment=EAP225-GAMING \
    mac-address=B0:BE:76:40:C3:AA server=Admin
/ip dhcp-server network
add address=10.5.50.0/24 comment=Clientes gateway=10.5.50.1
add address=192.168.80.0/24 boot-file-name=grldr comment=Ventas gateway=\
    192.168.80.1 next-server=192.168.88.2
add address=192.168.81.0/24 comment=Empleados gateway=192.168.81.1
add address=192.168.83.0/24 comment="Control de Puerta" gateway=192.168.83.1 \
    netmask=24
add address=192.168.84.0/24 comment="Empleados Gaming" gateway=192.168.84.1 \
    netmask=24
add address=192.168.87.0/27 comment="Ventas Gaming" gateway=192.168.87.1 \
    netmask=24
add address=192.168.88.0/24 boot-file-name=grldr comment=Servicio gateway=\
    192.168.88.1 next-server=192.168.88.2
add address=192.168.89.0/24 comment="Servicio Gaming" gateway=192.168.89.1 \
    netmask=24
add address=192.168.90.0/24 boot-file-name=grldr comment=Admin gateway=\
    192.168.90.1 next-server=192.168.88.2
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.90.1 comment=defconf name=router.lan
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=input comment=VPN dst-port=500,1701,4500 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid in-interface-list=!CPE_VLANS out-interface-list=!CPE_VLANS
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes
add action=dst-nat chain=dstnat comment=VOIP dst-port=11125 in-interface-list=\
    WAN protocol=udp to-addresses=192.168.80.2
add action=dst-nat chain=dstnat dst-port=11125 in-interface-list=WAN protocol=\
    tcp to-addresses=192.168.80.2
add action=dst-nat chain=dstnat dst-port=5095 in-interface-list=WAN protocol=\
    udp to-addresses=192.168.80.2
add action=dst-nat chain=dstnat dst-port=5095 in-interface-list=WAN protocol=\
    tcp to-addresses=192.168.80.2
add action=dst-nat chain=dstnat dst-port=5101 in-interface-list=WAN protocol=\
    tcp to-addresses=192.168.80.2
add action=dst-nat chain=dstnat dst-port=9000-10999 in-interface-list=WAN \
    protocol=udp to-addresses=192.168.80.2
add action=dst-nat chain=dstnat dst-port=11130 protocol=udp to-addresses=\
    192.168.80.4
add action=dst-nat chain=dstnat dst-port=12000-20000 in-interface-list=WAN \
    protocol=udp to-addresses=192.168.80.4
add action=dst-nat chain=dstnat comment="CODIGO QR" dst-port=587 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.80.2 to-ports=3306
add action=dst-nat chain=dstnat comment=MYSQL dst-port=6549 in-interface-list=\
    WAN protocol=tcp to-addresses=192.168.80.2 to-ports=3306
add action=dst-nat chain=dstnat comment=Puerta dst-port=777 protocol=tcp \
    to-addresses=192.168.83.2 to-ports=80
add action=masquerade chain=srcnat comment=WAN ipsec-policy=out,none \
    out-interface-list=WAN
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=10.5.50.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip hotspot user
add name=vip
add name=gaming-city profile=clientes
/ip route
add check-gateway=ping distance=1 gateway=8.8.4.4
add distance=2 gateway=64.233.186.127
add comment="FAILOVER WAN0" distance=1 dst-address=8.8.4.4/32 gateway=\
    181.239.136.1 scope=10
add comment="FAILOVER WAN1" distance=1 dst-address=64.233.186.127/32 gateway=\
    192.168.89.1 scope=10
add distance=1 dst-address=192.168.84.0/24 gateway=vlan6-GamingEmpleados
add distance=1 dst-address=192.168.87.0/24 gateway=vlan5-GamingVentas
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=\
    32,192.168.90.0/24
set api-ssl disabled=yes
/ppp secret
add name=ezevpn profile=VPN remote-address=192.168.82.4 service=l2tp
add name=caballitovpn profile=VPN remote-address=192.168.82.3 service=l2tp
add name=catanvpn profile=VPN remote-address=192.168.82.6 service=l2tp
add name=salvadorvpn profile=VPN remote-address=192.168.82.2 service=l2tp
add name=mdpvpn profile=VPN remote-address=192.168.82.5 service=l2tp
add name=pablovpn profile=VPN remote-address=192.168.82.8 service=l2tp
add name=catan2vpn profile=VPN remote-address=192.168.82.7 service=l2tp
add name=moronvpn profile=VPN remote-address=192.168.82.9 service=l2tp
add name=abastovpn profile=VPN remote-address=192.168.82.10 service=l2tp
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/system scheduler
add interval=1d name=Reinicio on-event="/system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=dec/01/2020 start-time=06:00:00
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
As you can see im using vlan filtering, and vlans on bridge. So here is the thing, i had already noticed this issue, and used iperf3 to check the speeds.
Inside the same VLAN im getting over 900mbps speeds, so thats fine, but using diferent vlans i get super slow speeds.

Example, going from 192.168.88.0 (vlan 140) to 192.168.80.0 (vlan 130) 150mbps to 200mbps max, and the router cpu usage is around 30%, enabling and disabling fastrack has no effect. What does have an effect is removing vlans id from the bridge vlans, but again i was able to get max 280mbps.

All other vlans to other vlans seems to have a similar effect, the only diference is going from the 192.168.90.0 (VLAN ID 1, untagged on bridge) to any other vlan, there i get maybe 300mbps.

Now, i used a similar setup in the past on a RB750GR3 and it did not had this issue, the only diference, as i was using non administrable switchs back then, every port on the RB750GR3 had a diferent vlan but as untagged traffic, here every port in the bridge is tagged and goes to diferent devices, an EAP (that has tagged wifis), a CPE, and a smart switch on the sfp port.
Top
 
User avatar
xvo
Forum Guru
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: RB760iGS - Very Slow transfer speeds vlan to vlan and cpu usage is just 30%

Sat Dec 19, 2020 4:55 pm

1) Inter-VLAN traffic should be fasttracked on hEX (and you need to enable Fast Path in IP -> Settings for it to work).
It is not powerful enough to route full gigabit without it.

2) As you are using one of the ports outside of the bridge for uplink, and SFP port as part of the bridge, the CPU <-> Switch Chip bus speed is limited by 1Gb/s for all ethernet ports: so the maximum theoretical VLAN <-> VLAN performance is limited to 1Gb/s half-duplex.
Top
 
msatter
Forum Guru
Forum Guru
Posts: 2941
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: RB760iGS - Very Slow transfer speeds vlan to vlan and cpu usage is just 30%

Sat Dec 19, 2020 5:46 pm

Visual of the posting above:

Image

As soon you enable the SFP, one of the 1Gbit get reserved for traffic on the SFP. Leaving half the speed for the Ethernet.

Vlan happens in the CPU so it has a big impact.
Top
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12985
Joined: Thu Mar 03, 2016 10:23 pm

Re: RB760iGS - Very Slow transfer speeds vlan to vlan and cpu usage is just 30%

Sat Dec 19, 2020 6:38 pm

In addition: hEX S has a dual-core hyperthreding CPU... hence "router cpu usage around 30%" means one CPU thread is fully occupied with routing task. If you used multiple concurrent streams (e.g. using iperf with multiple parallel connections), the observed throughput would likely be considerably higher.
And also mind that hyperthreaded dual-core CPU is mostly worse than a quad-core CPU.

Test results (available on product page) indicate that hEX S is capable of routing somewhere around 400Mbps give or take. Keep in mind that the test involves all ports and multiple clients hence load spreads between all CPU threads.
Top
 
Sob
Forum Guru
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: RB760iGS - Very Slow transfer speeds vlan to vlan and cpu usage is just 30%

Sat Dec 19, 2020 7:47 pm

From what I tried a year ago (this post and this post), hEX S is nice, but not exactly performance beast with vlans. If I remember correctly, those tests were without any firewall. Number of connections is critical. If you have many, it's relatively ok. But for example for copying file between vlans using smb (Windows sharing, single tcp connection) it's not good.

Now with fully configured router, while running internet speedtest on 200/200 connection from device behind it, cpu usage climbs to 50%. That's with download and upload tested one after other, not at the same time. Routing in this case is between single ethernet port and vlan using bridge vlan filtering. I like the device, but it would be mistake to expect too much from it.
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21930
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: RB760iGS - Very Slow transfer speeds vlan to vlan and cpu usage is just 30%

Sat Dec 19, 2020 10:46 pm

I am a bit confused by this line
/ip dhcp-server
add address-pool=admin disabled=no interface=bridge name=Admin

should not this be ether3?

The bridge is not serving DCHP for all...........
/ip address
add address=192.168.90.1/24 comment=Admin interface=bridge network=192.168.90.0

So this conflicts with all other vlans that are on the bridge but getting served by their own pools etc???.
So suspect this should ether3 as well.
Top
 
shivansps
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 54
Joined: Fri Sep 22, 2017 1:18 am

Re: RB760iGS - Very Slow transfer speeds vlan to vlan and cpu usage is just 30%

Sun Dec 20, 2020 5:43 am

Ether3 is just another bridge port with ID=1 like all others but it has no tagged traffic on it, so you dont see it on the export because it just has the default dynamic vlan ID 1 untagged setting.
From what I tried a year ago (this post and this post), hEX S is nice, but not exactly performance beast with vlans. If I remember correctly, those tests were without any firewall. Number of connections is critical. If you have many, it's relatively ok. But for example for copying file between vlans using smb (Windows sharing, single tcp connection) it's not good.

Now with fully configured router, while running internet speedtest on 200/200 connection from device behind it, cpu usage climbs to 50%. That's with download and upload tested one after other, not at the same time. Routing in this case is between single ethernet port and vlan using bridge vlan filtering. I like the device, but it would be mistake to expect too much from it.
Yeah i did not expect it to have anythere near gigabit speeds, but i was having problems using the recording timeline on my DVR from a diferent vlan, this is because transfer speeds sometimes went below 100mbps, i do not need super fast speeds because my fileserver has multiple NICs so the networks that actually need full gigabit has a direct access to the fileserver. This is also a HUGE issue with SMB3 because if you use the computer name, Windows is going to try to open multiple TCP channels to use and balance all avalible nics, and this is worse when a pc on 192.168.88.0 network can see the fileserver on 192.168.88.0 and 192.168.80.0 as Windows is going to try to use all paths to the server. Firewall rules are needed to prevent this.

Anyway, i still belive that my RB750GR3 that is on another site, very far away, performs better than this, and the only diference is that im using multiple non smart switchs so the traffic for each vlan leaves as untagged at diferent ports, and they are actually the same router, just it does not have the sfp port, but i never really did any iperf3 testing.
Here everything is leaving the router on a tagged vlan on SFP1 and all pcs are connected to that switch. I can already see that having 1gbps half duplex to be a HUGE issue, i need to test that asap.
1) Inter-VLAN traffic should be fasttracked on hEX (and you need to enable Fast Path in IP -> Settings for it to work).
It is not powerful enough to route full gigabit without it.

2) As you are using one of the ports outside of the bridge for uplink, and SFP port as part of the bridge, the CPU <-> Switch Chip bus speed is limited by 1Gb/s for all ethernet ports: so the maximum theoretical VLAN <-> VLAN performance is limited to 1Gb/s half-duplex.
1) fasttrack is enabled, but i see no diference, i think it does not work with tagged traffic, this is probably why it is faster (about 50 to 100mbps) going from ether3 untagged to a tagged vlan on sfp1... than two tagged vlans on sfp1.

2) This is interesting, i never consider this, my switch has 4 sfp, the Hex S has one and i had the cable so i went with it to save one ether port. Ill test disabling the spf and going full ethernet.
Top
 
shivansps
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 54
Joined: Fri Sep 22, 2017 1:18 am

Re: RB760iGS - Very Slow transfer speeds vlan to vlan and cpu usage is just 30%

Tue Dec 22, 2020 1:37 pm

Ok, after disabling the sfp port and move the trunk to a ethernet port now i get about 280Mbits/s on single conection and about 480Mbits/s with 4 parallel streams. I think this is the most i can get out of the little Hex S and this is fine because Windows actually does this if you have multiple nics. Fasttrack also has a effect now.

Thanks.
Top
Post Reply

Who is online

Users browsing this forum: No registered users and 14 guests
  4. RouterOS
  5. General