ilja
Frequent Visitor
Topic Author
Posts: 56
Joined: Thu Feb 22, 2018 1:15 pm

hEX router overloaded and very slow

Tue Apr 03, 2018 11:21 am

Hey all.

I very much need someone's help over here.

I have installed and deployed a hotspot service in the office as in this diagram:
2018-04-03 09_39_11-network_diagram - draw.io.png
We have three Mikrotik devices. Router hEX poe lite and two access points - MikroTik cAP lite devices.
The hotspot+usermanager is configured on the hEX router. The way it is configured, everything works, but it works very, very slowly. I have just about 10-15 workers in the office and when half of them are connected, the internet starts to work super slowly. When I check the hEX router CPU load it is bouncing at around 70-100%. Checking Tools-Profile (CPU) I can see that SPI takes a lot of resources. If I understand it correctly it has to do with traffic routing. And it kind of makes sense: if all 10-15 users' traffic is routed through one hEX router it might slow things down.
2018-03-30 19_24_46-admin@192.168.92.1 (MikroTik-router) - WinBox v6.41.2 on hEX PoE lite (mipsbe).png
Can someone help me ease things up and make the CPU load less?

What I thought might help is configuring CAPsMAN and enabling "Local Forwarding" in the Provision tab. After trying that it certainly makes the hEX router work hard, but then the cAP devices lose the hotspot feature and start working as a usual (no password) wi-fi network :/

Here are some of my configurations (please tell me if you need to see more configs):
[admin@MikroTik-router] > caps-man provisioning print 
Flags: X - disabled 
 0   radio-mac=00:00:00:00:00:00 hw-supported-modes="" identity-regexp="" common-name-regexp="" ip-address-ranges="" 
     action=create-dynamic-enabled master-configuration=Office-main slave-configurations=Office-guest name-format=prefix 
     name-prefix="Office-
[admin@MikroTik-router] > caps-man configuration print 
 0 name="Office-main" mode=ap ssid="meshpower-office" country=rwanda 
   datapath.client-to-client-forwarding=no datapath.bridge=bridge-hotspot 
   datapath.local-forwarding=no channel.band=2ghz-b/g/n 

 1 name="Office-guest" mode=ap ssid="meshpower-guest" country=rwanda 
   security.authentication-types=wpa2-psk security.passphrase="meshpowerguest" 
   datapath.bridge=bridge-guest datapath.local-forwarding=no channel.band=2ghz-b/g/n 
[admin@MikroTik-router] > interface bridge print detail 
Flags: X - disabled, R - running 
 0 R name="bridge-guest" mtu=auto actual-mtu=1500 l2mtu=1600 arp=enabled 
     arp-timeout=auto mac-address=66:D1:54:DF:7F:57 protocol-mode=rstp 
     fast-forward=no igmp-snooping=no priority=0x8000 auto-mac=yes 
     max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m 
     region-name="" region-revision=0 max-hops=20 vlan-filtering=no pvid=1 

 1 R name="bridge-hotspot" mtu=auto actual-mtu=1500 l2mtu=1600 arp=enabled 
     arp-timeout=auto mac-address=64:D1:54:DF:7F:57 protocol-mode=rstp 
     fast-forward=no igmp-snooping=no priority=0x8000 auto-mac=yes 
     max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m 
     region-name="" region-revision=0 max-hops=20 vlan-filtering=no pvid=1 

 2 R ;;; created from master port
     name="bridge1" mtu=auto actual-mtu=1500 l2mtu=1598 arp=enabled arp-timeout=auto 
     mac-address=6C:3B:6B:76:DC:75 protocol-mode=rstp fast-forward=yes 
     igmp-snooping=no priority=0x8000 auto-mac=no admin-mac=6C:3B:6B:76:DC:75 
     max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m 
     region-name="" region-revision=0 max-hops=20 vlan-filtering=no pvid=1 
[admin@MikroTik-router] > interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE                      BRIDGE                     HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON
 0   H ether3                         bridge1                    yes    1     0x80         10                 10       none
 1   H ether4                         bridge1                    yes    1     0x80         10                 10       none
 2   H ether5                         bridge1                    yes    1     0x80         10                 10       none
 3   H ether2-master                  bridge1                    yes    1     0x80         10                 10       none
 4 XI   ether1                         bridge1                    yes    1     0x80         10                 10       none
 5  D  Office-1                       bridge-hotspot             yes    1     0x80         10                 10       none
 6 ID  Office-1-1                     bridge-guest               yes    1     0x80         10                 10       none
 7  D  Office-2                       bridge-hotspot             yes    1     0x80         10                 10       none
 8 ID  Office-2-1                     bridge-guest               yes    1     0x80         10                 10       none
[admin@MikroTik-router] > ip hotspot profile print 
Flags: * - default 
 0 * name="default" hotspot-address=0.0.0.0 dns-name="" html-directory=flash/hotspot html-directory-override="" 
     rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 login-by=cookie,http-chap http-cookie-lifetime=3d 
     split-user-domain=no use-radius=no 

 1   name="Office-profile" hotspot-address=192.168.92.1 dns-name="" html-directory=flash/hotspot_office 
     html-directory-override="" rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 
     login-by=cookie,http-chap,mac-cookie http-cookie-lifetime=3d split-user-domain=no use-radius=yes 
     radius-accounting=yes radius-interim-update=received nas-port-type=wireless-802.11 radius-default-domain="" 
     radius-location-id="" radius-location-name="" radius-mac-format=XX:XX:XX:XX:XX:XX 
 
I'm at the point where I'm struggling, so any help will be highly appreciated!
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: hEX router overloaded and very slow

Tue Apr 03, 2018 1:56 pm

As I stated on your other post about umfiles, the HEX POE lite was a poor choice to run UserManager+Hotspot on. It simply doesn’t have enough resources to run all of it.
 
mkx
Forum Guru
Posts: 13151
Joined: Thu Mar 03, 2016 10:23 pm

Re: hEX router overloaded and very slow

Tue Apr 03, 2018 2:17 pm

I might be wrong, but I guess the SPI process is the firewall. Firewall rules are omitted in the printouts shown in the first post.

Can you do "/ip firewall export hide-sensitive" and post output? It might be that config is missing some rule which would offload SPI engine (without compromising security).
 
ilja
Frequent Visitor
Topic Author
Posts: 56
Joined: Thu Feb 22, 2018 1:15 pm

Re: hEX router overloaded and very slow

Tue Apr 03, 2018 2:53 pm

Thank you, 2frogs and mkx for your messages.

@2frogs, yeah, now I start to understand that hEX lite was a poor choice. I wish I could do something about it :/

@mkx, here is the output:
[admin@MikroTik-router] > /ip firewall export hide-sensitive
# apr/03/2018 13:52:48 by RouterOS 6.41.2
# software id = AI3C-TJQP
#
# model = RouterBOARD 750UP r2
# serial number = 72C106F108A2
/ip firewall filter
add action=accept chain=input comment="allows user manager to work with local hosts (RADIUS)" src-address=127.0.0.0/24
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" disabled=yes in-interface=bridge1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface=bridge1
add action=drop chain=forward comment="Isolate guest network from main-office " dst-address=192.168.88.0/24 src-address=\
    192.168.90.0/24
add action=drop chain=input comment="Isolate guest network from main-office " dst-address=192.168.88.0/24 src-address=\
    192.168.90.0/24
add action=drop chain=output comment="Isolate guest network from main-office " dst-address=192.168.88.0/24 src-address=\
    192.168.90.0/24
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat disabled=yes out-interface=bridge1
add action=masquerade chain=srcnat src-address=192.168.88.0/24
add action=masquerade chain=srcnat out-interface=bridge1 src-address=192.168.90.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=192.168.92.0/24
add action=redirect chain=dstnat dst-port=53 protocol=udp
add action=redirect chain=dstnat dst-port=53 protocol=tcp
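
Added example, not part of any post in this thread: a small Python check that parses an `/ip firewall export` like the one above and lists drop rules that are switched off and enabled rules that are identical apart from their comment. The function names are made up for this example, and the embedded input is an excerpt of the posted export.

```python
import shlex
from collections import defaultdict

# Excerpt of the export posted above (not the full rule set).
EXPORT = r'''/ip firewall filter
add action=drop chain=input comment="defconf: drop all from WAN" disabled=yes in-interface=bridge1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface=bridge1
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=bridge1
add action=masquerade chain=srcnat src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=192.168.88.0/24
add action=redirect chain=dstnat dst-port=53 protocol=udp
'''

def parse_export(text):
    """Return [(section, attrs)] for every 'add' line of a RouterOS export."""
    rules, section, pending = [], None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):      # long lines are wrapped with a trailing backslash
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):     # menu path, e.g. "/ip firewall nat"
            section = line
        elif line.startswith("add "):
            toks = shlex.split(line)[1:]   # keeps quoted comments in one token
            rules.append((section, dict(t.split("=", 1) for t in toks if "=" in t)))
    return rules

def disabled_drops(rules):
    """Drop rules that exist in the export but carry disabled=yes."""
    return [(s, a.get("chain"), a.get("comment", "")) for s, a in rules
            if a.get("action") == "drop" and a.get("disabled") == "yes"]

def duplicates(rules):
    """Index groups of enabled rules that match once the comment is ignored."""
    groups = defaultdict(list)
    for idx, (s, a) in enumerate(rules):
        if a.get("disabled") != "yes":
            key = (s, tuple(sorted((k, v) for k, v in a.items() if k != "comment")))
            groups[key].append(idx)
    return [g for g in groups.values() if len(g) > 1]

if __name__ == "__main__":
    parsed = parse_export(EXPORT)
    for item in disabled_drops(parsed):
        print("disabled drop rule:", item)
    print("duplicate rule indexes:", duplicates(parsed))
```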
 
ilja
Frequent Visitor
Topic Author
Posts: 56
Joined: Thu Feb 22, 2018 1:15 pm

Re: hEX router overloaded and very slow

Tue Apr 10, 2018 1:09 pm

Any help?

Is there anything I can do to make it work normally?
 
Steveocee
Forum Guru
Posts: 1199
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: hEX router overloaded and very slow

Tue Apr 10, 2018 2:43 pm

You can buy a better router, such as the Hex r3 and move the config over to that then re-use the Hex PoE as a switch.