RB4011iGS+RM for my use case

Posted: Tue Jan 08, 2019 8:35 pm
by thegoop
I am going to be moving all Layer-3 switching off our trusty CRS-125 and turning it into a pure switch. To route, I am considering going with a new RB4011iGS+RM and have a few questions:

Seems that all firewall/NAT/routing is SW based with hw offload only for IPsec. The spec test results (https://mikrotik.com/product/rb4011igs_ ... estresults) indicate (based on packet size) 800k-5m pps with "routing none (fast path)", 800k-1m pps with "25 simple queries," and ~600k pps with "25 simple filter rules."
  • What is no routing-fast path? Would most established masqueraded NAT fall into this? I am guessing not.
  • What is a "simple query" vs. "simple filter rule"? Right now, I have 3 VLANs, 7 NAT rules and 15 filters, and use L2TP IpSec, so not sure where I'd expect to be on the spectrum.
  • Our office is cutting the cord and moving to video streaming for TV, and all Wi-Fi calling for voice. Does anybody have a sense for the average packet size for Netflix, Hulu, Apple Wi-Fi calling?
It seems that a well-regarded and cheap router is the UniFi Security Gateway (1m pps hardware offloaded routing). It is not nearly as full featured as MT (not even close), but I don't want to simply go with what I know in MT if that is the wrong answer for me.

Finally, assuming the RB4011iGS+RM is the edge router, is there any advantage in plugging each of the 6 access points into the RB4011iGS+RM directly vs. all traffic going to a downstream switch which can allocate which segment a particular station is on? I guess the RB4011iGS+RM ports can be isolated on different VLANs (so that the switch never sees the traffic), but then one needs to deal with the broadcast/multicast mess for IoT, etc. (or is there a simple solution)?

Thanks!

Re: RB4011iGS+RM for my use case

Posted: Tue Jan 08, 2019 9:26 pm
by pcunite
You're asking a lot of questions for one post and no diagram. So, I'll answer the questions I like best.

My understanding and opinions are what follows.

What is no routing-fast path?
Bridging packets from port to port, aka like a switch under the perfect conditions.

What is a "simple queue" vs. "ip filter rule"?
A simple queue is a QoS mechanism within RouterOS. An ip filter rule is the firewall feature, basically.

Average packet size?
If someone pings you it's 64, otherwise probably ~1500.

The Unifi Security Gateway does 1m pps ... I don't want to go with the wrong product.
That is with 64 byte packets. Not really a comparison to the RB4011, which is a top-notch product clocking in at 5m pps for the same test, I bet, and for only what, $70 more?

Any advantage in plugging each of the 6 access points into the RB4011iGS+RM directly? I have VLANs.
Well, how clean do you want things? Are you switching or routing? Seems you're hesitant. Here, I'll help you ... of course the correct answer is to use the RB4011 as a router only!

Re: RB4011iGS+RM for my use case

Posted: Tue Jan 08, 2019 9:50 pm
by ksteink
I honestly recommend replacing the CRS125 with the RB4011 if you have any of these conditions:

- More than 1 VLAN that requires HW off-loading, to not load the CPU of the router and not lose wire speed on the LAN.
- VLAN filtering (a.k.a. firewall rules to control traffic between VLANs). Even if you can handle more than 1 VLAN with HW off-load, this feature is disabled on all the MikroTik devices when VLAN filtering is turned on, except on the CRS series (especially the CRS3xx).

I was in a similar dilemma (and still am) in which I want all the features on a single device: IPsec HW acceleration, great performance as a router and as a switch, wire speed on VLANs (and also using VLAN filtering). Based on my own personal analysis, MikroTik doesn't have a single device with all these features built in.

I have seen for years (and suffered myself) tons of posts of people struggling with VLANs and their features. I finally opened my eyes when I spent some quality time reading this wiki page (URL: https://wiki.mikrotik.com/wiki/Manual:S ... p_Features). So to get all the features that I am looking for, I cannot do it with a single device (not even the RB4011, which was one of my first options when it came out last year).

Basically, I now cross-check the block diagram of each device (found in the hardware specs) against the switch chip and the features (VLAN tables and rules tables) of each switch chip (plus whether there is IPsec HW support or not). As none of the MikroTik devices supports VLAN filtering at wire speed except the CRS3xx series, going with a single device is basically a no-go for me.

So my plan (unless MikroTik announces a product that has all these features integrated, which I seriously doubt) is to do the following:

- For the routing function only (to get IPsec HW acceleration, firewall, NAT, etc.) and all the cool features on WAN connectivity, my plan is to go with a hEX S, which is an ARM dual-core with IPsec HW acceleration. I could go with the RB4011, but for the type of connection I have it would be overkill, and I want to keep my costs low as I need to add a second device.
- For the switching function that does Layer 3 inter-VLAN routing, VLAN filtering and gets full wire speed, I am planning to go with a CRS3xx series. My main candidate is the CRS326, which has 24 x 1 Gbps ports + 2 SFP+ ports, BUT I am waiting for the CRS312 that was announced last year, which has 10 Gbps interfaces (all copper).

With this approach I get all the features that I am looking for. I think you also need to evaluate your needs to make sure that the RB4011 can meet your requirements. If you have switching-specific features like VLAN filtering, I suggest you follow a similar approach to mine.

Good luck!

Re: RB4011iGS+RM for my use case

Posted: Tue Jan 08, 2019 9:52 pm
by anav
Are you saying put all traffic on one port and trunk it all to the managed switch OR

Divide the switch into 3 segments and use three trunk ports on the MT to the managed switch

I think the OP is looking for the most efficient way of handling all the data and streams etc...

Re: RB4011iGS+RM for my use case

Posted: Tue Jan 08, 2019 10:25 pm
by ksteink
My approach is that all the inter-VLAN routing remains on the switch (CRS3xx) so I can take advantage of all the switch chip features and avoid crippling my traffic with CPU bottlenecks / limitations / issues, including inter-VLAN filtering and routing. From the CRS3xx switch I will have an access port on a separate VLAN for all the traffic that needs to go to the external world.

This VLAN, which carries all the VLANs' traffic combined from the switch (with no NAT), is what I call a Transit VLAN; it allows the communication between the CRS3xx and the hEX S router (or RB4011).

From there I take the full advantage of the hEX S routing features and horsepower (Firewall, IPSec HW Acceleration, NAT, etc.).
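
To make the two-device layout above concrete, here is an added example configuration (written for this page, not taken from ksteink's or anyone else's posts): a CRS3xx does the L2 switching plus the inter-VLAN routing and hands everything non-local to a hEX S / RB4011 over an access port in a transit VLAN; the router routes back over the same link and does the NAT. VLAN IDs 10/20/30/99, the 10.0.x.0 subnets, the port assignments and the interface names are assumptions for the example. Keep mkx's point from later in the thread in mind: with vlan-filtering on, the CRS3xx keeps L2 switching on its switch chip, but the inter-VLAN routing itself still passes the device's CPU.

```routeros
# --- CRS3xx, switch side. Port roles, VLAN IDs and subnets are assumptions for this example.
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
# access ports (one shown per VLAN, repeat per port): admit only untagged frames so a
# station cannot inject its own 802.1Q tag and hop into another VLAN
add bridge=bridge1 interface=ether1 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether9 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether17 pvid=30 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# ether24 is an access port in the transit VLAN 99, cabled to the router
add bridge=bridge1 interface=ether24 pvid=99 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface bridge vlan
# bridge1 itself is a tagged member of every VLAN so the switch CPU gets an L3 interface in each
add bridge=bridge1 vlan-ids=10 tagged=bridge1 untagged=ether1
add bridge=bridge1 vlan-ids=20 tagged=bridge1 untagged=ether9
add bridge=bridge1 vlan-ids=30 tagged=bridge1 untagged=ether17
add bridge=bridge1 vlan-ids=99 tagged=bridge1 untagged=ether24
/interface vlan
add name=vlan10-office interface=bridge1 vlan-id=10
add name=vlan20-iot interface=bridge1 vlan-id=20
add name=vlan30-aps interface=bridge1 vlan-id=30
add name=vlan99-transit interface=bridge1 vlan-id=99
/ip address
# the switch is the default gateway of every user VLAN (inter-VLAN routing happens here)
add address=10.0.10.1/24 interface=vlan10-office
add address=10.0.20.1/24 interface=vlan20-iot
add address=10.0.30.1/24 interface=vlan30-aps
add address=10.0.99.2/30 interface=vlan99-transit
/ip route
# anything not local leaves over the transit VLAN towards the router
add dst-address=0.0.0.0/0 gateway=10.0.99.1
# enable filtering last, once the VLAN table is complete, or the management session is cut off
/interface bridge set bridge1 vlan-filtering=yes

# --- hEX S or RB4011, router side. ether1 = WAN, ether2 = cable to CRS3xx ether24.
/ip address
add address=10.0.99.1/30 interface=ether2
/ip route
# one summary route back to the switch for all user subnets; the connected /30 is more specific and wins
add dst-address=10.0.0.0/16 gateway=10.0.99.2
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
```

Two consequences of this split that the post does not spell out: the router only ever sees the VLANs' traffic already merged on ether2, so any rule on the router can tell the segments apart by source subnet but not by VLAN, which is why the inter-VLAN policy has to live in the CRS3xx's own /ip firewall filter forward chain; and since the transit link carries no NAT, the router needs the return route shown above or replies from the WAN are dropped as unroutable.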

Re: RB4011iGS+RM for my use case

Posted: Tue Jan 08, 2019 10:26 pm
by thegoop
Haha, thank you. To be clear, I am very predisposed to get the MT (though our APs are all Ubiquiti, nothing else is).
> That is with 64 byte packets. Not really a comparison to the RB4011, which is a top-notch product clocking in at 5m pps for the same test, I bet, and for only what, $70 more?
Is it the same test? Ubiquiti seems to indicate that their L3 routing is hardware offloaded, so I assumed this also applies with filters/rules (else, it's just switching, no?). Unfortunately, I'm a bit ignorant.
I'm happy to spend the $70, just don't want to have to spend another $150 later.
> Well, how clean do you want things? Are you switching or routing? Seems you're hesitant. Here, I'll help you ... of course the correct answer is to use the RB4011 as a router only!
That is definitely where I am going. I've attached a system diagram for two alternatives -- other than filter/NAT features, I am trying to understand if there are benefits of MT routing vs. UBT routing when it comes to traffic isolation to the APs, or anything else material. I care about:
  • downstream throughput for 1Gbps WAN, with video streaming being the large bandwidth use
  • the devices on the network need to be able to easily do discovery (not sure if broadcast or multicast)
  • I feel like isolating traffic from the APs (which also do wireless) will be a good thing, but not sure if that's true or not
EDITs: The CRS-24 is a CRS125-24G... On the UBT side, this could just as easily be any other MT router -- just trying to figure out if using extra ports on the RB4011 for the AP's helps anything.

[Image: attached system diagram of the two alternatives]

Re: RB4011iGS+RM for my use case

Posted: Tue Jan 08, 2019 10:30 pm
by ksteink
> Are you saying put all traffic on one port and trunk it all to the managed switch OR
>
> Divide the switch into 3 segments and use three trunk ports on the MT to the managed switch
>
> I think the OP is looking for the most efficient way of handling all the data and streams etc...
That's fine, and my point is about other features that you may dismiss at the beginning and then find yourself needing later. Today he has a CRS125 that is a switch playing router, but the device's CPU is too weak for routing and there is no HW acceleration. The CRS3xx is a single-core router with no IPsec HW acceleration that is designed to do L2 and L3 switching functions, not a full-blown router like the RB4011. My point here is that MikroTik, like any other vendor such as Cisco, has defined specific functions / use cases for each model they sell. In my case there is no single device that has all the features, so I split the problem across 2 devices to get the best of both worlds :).

Re: RB4011iGS+RM for my use case

Posted: Wed Jan 09, 2019 11:42 am
by mkx
When looking at performance figures, one needs to keep in mind the following:
  • Neither the CRS1xx nor the RB4011 supports HW acceleration when switching with VLANs enabled if configured the new bridge vlan-filtering way. While the RB4011 can hardly be configured the old way (which might offer HW offload), the CRS125 can be configured in such a way.
  • RB4011 features two switch chips so even if HW offload was active, some of switching would pass device's CPU
  • inter-VLAN routing has to pass the device's CPU, which makes the RB4011 better suited for that. Whether such a setup is better overall largely depends on the physical LAN topology and the amount of inter-VLAN routing (i.e. can the interconnect between the RB4011 as inter-VLAN router and an L2 switch (e.g. CRS125) get saturated because of excessive inter-VLAN traffic?). But then the CRS125 is not a great router; even without any additional filtering and/or queuing setup it hardly routes at wire speed (1Gbps), the hard limit being the interconnect between switch chip and CPU at 1Gbps.

When speaking about CRS, keep in mind that the CRS3xx is a very different beast than the CRS1xx/CRS2xx: it features a faster CPU as well as (even more important) an internal switch chip to CPU interconnect that lifts the 1Gbps routing limit.

All in all, the CRS is a really great L2 switch and personally I'd keep it doing that. I'd move all (including inter-VLAN) routing to a router, i.e. the RB4011.
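
The layout mkx and pcunite recommend, the RB4011 as the only router with the CRS125 kept as a pure L2 switch, as an added example configuration that is not from any post in the thread: a single 802.1Q trunk from the switch carries the OP's three VLANs to the RB4011, which owns the gateway address in each, does the NAT towards the WAN and enforces the inter-VLAN policy in its forward chain. The interface names, VLAN IDs, subnets and the policy itself (office may initiate anything, IoT and AP segments get internet only) are assumptions; DHCP and the L2TP server setup are left out. On the OP's "fast path" question: in RouterOS the fasttrack-connection action is what lets established/related connections use FastPath, and fasttracked packets then skip the remaining filter and mangle rules and the simple queues, so nothing placed after that rule sees them.

```routeros
# --- RB4011 as the only router. ether1 = WAN, ether2 = 802.1Q trunk to the CRS125 (all VLANs tagged).
# Interface names, VLAN IDs, subnets and the policy are assumptions for this example.
/interface vlan
add name=vlan10-office interface=ether2 vlan-id=10
add name=vlan20-iot interface=ether2 vlan-id=20
add name=vlan30-aps interface=ether2 vlan-id=30
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=vlan10-office
add list=LAN interface=vlan20-iot
add list=LAN interface=vlan30-aps
/ip address
# the router is the gateway of every VLAN, so all inter-VLAN traffic crosses the trunk twice
add address=10.0.10.1/24 interface=vlan10-office
add address=10.0.20.1/24 interface=vlan20-iot
add address=10.0.30.1/24 interface=vlan30-aps
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade
/ip firewall filter
# forward chain: established/related flows are fasttracked first; everything below this
# rule only ever sees the first packets of a connection
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# office may open connections anywhere, including into the IoT and AP segments
add chain=forward action=accept in-interface=vlan10-office
# IoT and APs only get out to the WAN; they cannot initiate into other VLANs
add chain=forward action=accept in-interface=vlan20-iot out-interface-list=WAN
add chain=forward action=accept in-interface=vlan30-aps out-interface-list=WAN
# anything else crossing VLANs or arriving from the WAN is dropped
add chain=forward action=drop
# input chain: management only from the office VLAN, plus what the OP's L2TP/IPsec needs
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface=vlan10-office
add chain=input action=accept in-interface-list=LAN protocol=icmp
# IKE and NAT-T for IPsec, then ESP; L2TP (UDP 1701) itself travels inside the IPsec tunnel
add chain=input action=accept in-interface-list=WAN protocol=udp dst-port=500,4500
add chain=input action=accept in-interface-list=WAN protocol=ipsec-esp
add chain=input action=drop
```

The order matters: the two established/related rules must stay on top, the per-segment accepts describe who may start a conversation, and the final drop is what makes the IoT and AP VLANs unable to reach the office. Because the VLAN interfaces sit directly on ether2 rather than on a bridge, mkx's note about bridge vlan-filtering costing the RB4011 its switch-chip offload does not apply here; the box is doing nothing but routing.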