MikroTik

Community discussions
https://forum.mikrotik.com/

VLAN Routing is slow on hex S

https://forum.mikrotik.com/viewtopic.php?t=175788

Page 1 of 1

VLAN Routing is slow on hex S

Posted: Fri Jun 04, 2021 1:25 pm
by nobody123
Hi,
I have a hex S and a CSS326 and using VLANs. This works so far, but the traffic between two VLANs is very slow (50 mb/s) and the CPU usage of the hex S is at 40-60 %.

Where is the error in the config?
Code: Select all
# jun/04/2021 12:18:29 by RouterOS 6.48.2
# software id = XE0V-A40Q
#
# model = RB760iGS
# serial number = xxxxxxx
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether2 ] name="ether2(WLAN)"
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20
add interface=bridge1 name=vlan30 vlan-id=30
add interface=bridge1 name=vlan50 vlan-id=1
/interface bonding
add mode=802.3ad name=bonding1 slaves=ether3,ether5
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name="Block Site" regexp="^.+(facebook).*\$"
/ip pool
add name=dhcp ranges=192.168.0.20-192.168.0.40
add name=dhcp_pool6 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool10 ranges=192.168.10.2-192.168.10.254
add name=DMZ ranges=192.168.100.2-192.168.100.254
add name=dhcp_pool12 ranges=192.168.30.2-192.168.30.254
add name=WLAN ranges=192.168.50.3-192.168.50.100
add name=" pool-vpn" ranges=192.168.123.100-192.168.123.199
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 lease-script=\
    dhcp-lease-script lease-time=2h name=server1
add address-pool=dhcp_pool6 disabled=no interface=vlan20 name=dhcp2
add address-pool=DMZ disabled=no interface=ether4 name=dhcp3
add address-pool=dhcp_pool10 disabled=no interface=vlan10 lease-script=\
    dhcp-lease-script name=dhcp4
add address-pool=dhcp_pool12 disabled=no interface=vlan30 lease-time=4d4h10m \
    name=dhcp1
add address-pool=WLAN disabled=no interface="ether2(WLAN)" name=WLAN
/port
set 0 name=serial0
/ppp profile
add dns-server=192.168.123.254 local-address=192.168.123.254 name=vpn \
    remote-address=" pool-vpn" use-compression=no use-encryption=required
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/dude
set enabled=yes
/interface bridge port
add bridge=bridge1 interface=bonding1
add bridge=bridge1 disabled=yes interface="ether2(WLAN)" pvid=50
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,bonding1 vlan-ids=10
add bridge=bridge1 tagged=bridge1,bonding1 vlan-ids=20
add bridge=bridge1 tagged=bridge1,bonding1 vlan-ids=30
add bridge=bridge1 tagged=bridge1,bonding1 vlan-ids=1
add bridge=bridge1 tagged=bridge1,bonding1 vlan-ids=50
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether1 list=WAN
add interface=ether5 list=LAN
/interface ovpn-server server
set auth=sha1 certificate="VPN Server" cipher=aes256 default-profile=vpn \
    enabled=yes require-client-certificate=yes
/ip address
add address=192.168.0.1/24 interface=ether5 network=192.168.0.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.100.1/24 interface=ether4 network=192.168.100.0
add address=xx.xx.xx.xxx/30 interface=ether1 network=78.94.50.180
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
add address=192.168.50.1/24 interface=vlan50 network=192.168.50.0
/ip dhcp-server lease
add address=192.168.0.136 allow-dual-stack-queue=no disabled=yes mac-address=\
    00:02:C9:4E:89:26 server=server1
add address=192.168.0.113 allow-dual-stack-queue=no disabled=yes mac-address=\
    F2:E7:52:EB:6E:9B server=server1
add address=192.168.0.26 client-id=1:0:26:ab:6c:6:27 disabled=yes \
    mac-address=00:26:AB:6C:06:27 server=server1
add address=192.168.0.33 client-id=1:0:2:c9:51:77:dc disabled=yes \
    mac-address=00:02:C9:51:77:DC server=server1
add address=192.168.50.100 client-id=1:2c:f0:5d:3b:db:d3 disabled=yes \
    mac-address=2C:F0:5D:3B:DB:D3 server=WLAN
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 domain=home.lab gateway=\
    192.168.0.1 netmask=24
add address=192.168.10.0/24 dns-server=192.168.10.13 domain=service.lab \
    gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.0.1 domain=private.lab \
    gateway=192.168.20.1 netmask=24
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
add address=192.168.50.0/24 dns-server=192.168.0.1 domain=private.lab \
    gateway=192.168.50.1
add address=192.168.100.0/24 dns-server=192.168.100.1 gateway=192.168.100.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.0.3,192.168.10.13
/ip dns static
add address=192.168.100.110 name=mydomain1.de
add address=192.168.100.110 name=mydomain2.de
add address=192.168.100.110 name=mydomain3.de
add address=192.168.0.131 name=pve.home.lab
add address=192.168.0.2 name=r620.home.lab
add address=192.168.0.113 name=nanopineo.home.lab
add address=192.168.0.128 name=grafana.home.lab
add address=192.168.0.136 name=fileserver.home.lab
add address=192.168.0.10 name=pve2.home.lab
add address=192.168.10.18 name=bookstack.service.lab
add address=192.168.10.123 name=Guacamole.service.lab
add address=192.168.10.101 comment=#DHCP name=Heimdall.service.lab ttl=10m
add address=192.168.10.122 disabled=yes name=avideo.service.lab
add address=192.168.10.123 name=avideo1.service.lab
add address=192.168.0.21 comment=#DHCP name=GUI.home.lab ttl=2h
add address=192.168.0.22 comment=#DHCP name=GUI.home.lab ttl=2h
add address=192.168.0.28 comment=#DHCP name=T530.home.lab ttl=2h
add address=192.168.0.27 comment=#DHCP name=Ryzen-Workstation.home.lab ttl=2h
add address=192.168.10.6 comment=#DHCP name=kubuntu.service.lab ttl=10m
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="Allow Established connections" \
    connection-state=established,related
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment="accept OpenVPN" dst-port=1192 log=yes \
    protocol=tcp
add action=accept chain=forward dst-port=51820 protocol=udp
add action=accept chain=forward dst-port=51821 protocol=udp
add action=accept chain=input comment=" accept OVPN->LAN" disabled=yes \
    dst-address=192.168.0.0/24 src-address=192.168.124.0/24
add action=drop chain=forward comment="drop invalid connections" \
    connection-state=invalid protocol=tcp
add action=accept chain=forward comment=\
    "allow already established connections" connection-state=established
add action=reject chain=input dst-port=22 in-interface-list=WAN log=yes \
    protocol=tcp reject-with=tcp-reset
add action=drop chain=forward dst-port=22 in-interface-list=WAN log=yes \
    protocol=tcp
add action=accept chain=forward comment="allow related connections" \
    connection-state=related
add action=accept chain=forward comment=\
    "Allow traffic between Workstation and Webserver" dst-address=\
    192.168.100.110 dst-port=443,80 protocol=tcp src-address=192.168.0.30
add action=accept chain=forward comment=\
    "Allow traffic between Workstation and Webserver" dst-address=\
    192.168.100.128 dst-port=8086 protocol=tcp src-address=192.168.0.131
add action=accept chain=forward comment=\
    "Allow traffic between Workstation and Webserver" dst-address=\
    192.168.100.110 dst-port=443,80 protocol=tcp src-address=192.168.0.19
add action=accept chain=forward comment=\
    "Allow traffic between Workstation and Webserver" dst-address=\
    192.168.100.110 dst-port=443,80 protocol=tcp src-address=192.168.0.217
add action=accept chain=forward comment=\
    "Allow traffic between Workstation and Webserver" dst-address=\
    192.168.100.156 dst-port=445 protocol=tcp src-address=192.168.0.127
add action=accept chain=forward comment=\
    "Allow traffic between Workstation and Webserver" dst-address=\
    192.168.0.127 dst-port=445 protocol=tcp src-address=192.168.100.156
add action=accept chain=forward comment=\
    "Allow traffic between Workstation and Webserver" disabled=yes \
    dst-address=192.168.100.138 dst-port=3479 protocol=tcp src-address=\
    192.168.100.211
add action=accept chain=forward comment=\
    "Allow traffic between Workstation and Webserver" disabled=yes \
    dst-address=192.168.100.138 dst-port=3479 protocol=udp src-address=\
    192.168.100.211
add action=accept chain=forward comment=\
    "Allow traffic between Workstation and Webserver" dst-address=\
    192.168.100.110 dst-port=443,80 protocol=tcp src-address=192.168.0.15
add action=accept chain=forward comment=\
    "Allow traffic between Workstation and Webserver" dst-address=\
    192.168.100.110 dst-port=443,80 protocol=tcp src-address=192.168.0.14
add action=accept chain=forward comment=\
    "Allow traffic between Workstation and Webserver" dst-address=\
    192.168.50.100 protocol=tcp src-address=192.168.100.110 src-port=443,80
add action=accept chain=forward comment=\
    "Allow traffic between Workstation and Webserver" disabled=yes \
    dst-address=192.168.0.12 protocol=tcp src-address=192.168.100.110 \
    src-port=443,80
add action=accept chain=forward comment="allow traffic between these subnets" \
    dst-address=192.168.10.0/24 src-address=192.168.0.0/24
add action=accept chain=forward comment="allow traffic between these subnets" \
    dst-address=192.168.20.0/24 src-address=192.168.0.0/24
add action=accept chain=forward comment="Allow traffic between these subnets" \
    dst-address=192.168.30.0/24 src-address=192.168.0.0/24
add action=accept chain=forward comment="Block traffic between these subnets" \
    dst-address=192.168.50.0/24 src-address=192.168.0.0/24
add action=drop chain=forward comment="Block traffic between these subnets" \
    dst-address=192.168.100.0/24 src-address=192.168.0.0/24
add action=accept chain=forward comment="Allow traffic between these subnets" \
    dst-address=192.168.0.0/24 src-address=192.168.10.0/24
add action=accept chain=forward comment="Allow traffic between these subnets" \
    dst-address=192.168.20.0/24 src-address=192.168.10.0/24
add action=accept chain=forward comment="Allow traffic between these subnets" \
    dst-address=192.168.50.0/24 src-address=192.168.10.0/24
add action=drop chain=forward comment="Block traffic between these subnets" \
    dst-address=192.168.100.0/24 src-address=192.168.10.0/24
add action=accept chain=forward comment="Block traffic between these subnets" \
    connection-state=established,related dst-address=192.168.0.0/24 \
    src-address=192.168.20.0/24
add action=accept chain=forward comment="Block traffic between these subnets" \
    connection-state=established,related dst-address=192.168.10.0/24 \
    src-address=192.168.20.0/24
add action=accept chain=forward comment="Block traffic between these subnets" \
    connection-state=established,related dst-address=192.168.50.0/24 \
    src-address=192.168.20.0/24
add action=drop chain=forward comment="Block traffic between these subnets" \
    dst-address=192.168.100.0/24 src-address=192.168.20.0/24
add action=accept chain=forward comment="Allow traffic between these subnets" \
    dst-address=192.168.0.0/24 src-address=192.168.30.0/24
add action=drop chain=forward comment="Block traffic between these subnets" \
    dst-address=192.168.50.0/24 src-address=192.168.30.0/24
add action=accept chain=forward comment="Block traffic between these subnets" \
    connection-state=established,related dst-address=192.168.0.0/24 \
    src-address=192.168.50.0/24
add action=accept chain=forward comment="Block traffic between these subnets" \
    connection-state=established,related dst-address=192.168.10.0/24 \
    src-address=192.168.50.0/24
add action=accept chain=forward comment="Block traffic between these subnets" \
    connection-state=established,related dst-address=192.168.20.0/24 \
    src-address=192.168.50.0/24
add action=accept chain=forward comment="Block traffic between these subnets" \
    dst-address=192.168.0.0/24 src-address=10.9.0.0/24
add action=drop chain=forward comment="Block traffic between these subnets" \
    dst-address=192.168.0.0/24 src-address=192.168.100.0/24
add action=drop chain=forward comment="Block traffic between these subnets" \
    dst-address=192.168.20.0/24 src-address=192.168.100.0/24
add action=drop chain=forward comment="Block traffic between these subnets" \
    dst-address=192.168.10.0/24 src-address=192.168.100.0/24
add action=accept chain=forward comment="Block traffic between these subnets" \
    in-interface=vlan50 out-interface=bridge1
add action=accept chain=forward comment=Drucker dst-address=192.168.0.26 \
    in-interface=vlan50 out-interface=bridge1 src-address=192.168.50.0/24
add action=accept chain=forward comment=Drucker dst-address=192.168.50.0/24 \
    in-interface=bridge1 out-interface=vlan50 src-address=192.168.0.26
add action=drop chain=input comment="drop ssh from wan" connection-state=\
    related in-interface-list=WAN log=yes
add action=drop chain=input comment="drop winbox from wan" dst-port=8291 \
    in-interface-list=WAN log=yes protocol=tcp
add action=accept chain=input comment="drop winbox from wan" dst-port=8291 \
    in-interface-list=!WAN log=yes protocol=tcp
add action=drop chain=forward comment="Block Fressebuch" layer7-protocol=\
    "Block Site" src-address=192.168.0.0/24
add action=accept chain=forward disabled=yes in-interface=ether4 \
    src-address-list=192.168.100.0/24
add action=accept chain=input dst-port=4443 protocol=tcp
add action=accept chain=input dst-port=88 protocol=tcp
add action=drop chain=forward src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=icmp protocol=icmp
add action=accept chain=input dst-port=161 in-interface=bridge1 protocol=udp
add action=accept chain=input dst-port=53 in-interface-list=!WAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=!WAN protocol=udp
add action=drop chain=forward connection-nat-state=!dstnat in-interface-list=\
    WAN
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=forward comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE (Wlan Telefonie)" \
    connection-type=sip dst-port=500 log=yes protocol=udp
add action=accept chain=forward comment="allow IKE (Wlan Telefonie)" \
    dst-port=500 protocol=udp
add action=drop chain=input comment="Block everything else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=accept chain=srcnat dst-address-type=local
add action=dst-nat chain=dstnat comment="HTTPS an reverse proxy" dst-address=\
    xx.xx.xx.xxx dst-port=80,443 protocol=tcp to-addresses=192.168.100.110
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.xxx dst-port=8444 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.100.110 to-ports=\
    443
add action=dst-nat chain=dstnat disabled=yes dst-address=xx.xx.xx.xxx \
    dst-port=50000 in-interface=ether1 protocol=tcp to-addresses=\
    192.168.100.52 to-ports=50000
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.xxx dst-port=1194 \
    in-interface=ether1 log=yes protocol=udp to-addresses=192.168.0.113 \
    to-ports=1194
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.xxx dst-port=1195 \
    in-interface=ether1 protocol=udp to-addresses=192.168.0.250 to-ports=1195
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.xxx dst-port=1197 \
    in-interface=ether1 log=yes protocol=udp to-addresses=192.168.0.9 \
    to-ports=1197
add action=dst-nat chain=dstnat comment="192.168.0.117: Plex Media Server" \
    disabled=yes dst-address=xx.xx.xx.xxx dst-port=26070 in-interface=ether1 \
    log=yes protocol=tcp to-addresses=192.168.0.136 to-ports=32400
add action=dst-nat chain=dstnat comment="TURN Server Nextcloud mydomain1" \
    dst-address=xx.xx.xx.xxx dst-port=3478 log=yes protocol=tcp to-addresses=\
    192.168.100.156 to-ports=3478
add action=dst-nat chain=dstnat comment="TURN Server Nextcloud mydomain1" \
    dst-address=xx.xx.xx.xxx dst-port=3479 log=yes protocol=tcp to-addresses=\
    192.168.100.156 to-ports=3479
add action=dst-nat chain=dstnat comment="TURN Server Nextcloud mydomain1" \
    dst-address=xx.xx.xx.xxx dst-port=3478 protocol=udp to-addresses=\
    192.168.100.156 to-ports=3478
add action=dst-nat chain=dstnat comment="TURN Server Nextcloud mydomain1" \
    dst-address=xx.xx.xx.xxx dst-port=3479 log=yes protocol=udp to-addresses=\
    192.168.100.156 to-ports=3479
add action=dst-nat chain=dstnat comment="TURN Server cloud.mydomain1" \
    dst-address=xx.xx.xx.xxx dst-port=5349 log=yes protocol=tcp to-addresses=\
    192.168.100.138 to-ports=5349
add action=dst-nat chain=dstnat comment="TURN Server cloud.mydomain1" \
    dst-address=xx.xx.xx.xxx dst-port=5350 log=yes protocol=tcp to-addresses=\
    192.168.100.138 to-ports=5350
add action=dst-nat chain=dstnat comment="TURN Server cloud.mydomain1" \
    dst-address=xx.xx.xx.xxx dst-port=5349 log=yes protocol=udp to-addresses=\
    192.168.100.138 to-ports=5349
add action=dst-nat chain=dstnat comment="TURN Server cloud.mydomain1" \
    dst-address=xx.xx.xx.xxx dst-port=5350 in-interface=ether1 log=yes \
    protocol=udp to-addresses=192.168.100.138 to-ports=5350
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.0.11 \
    dst-port=32400 in-interface=ether1 protocol=tcp to-addresses=\
    192.168.0.117 to-ports=26065
add action=dst-nat chain=dstnat dst-port=51820 in-interface=ether1 protocol=\
    udp to-addresses=192.168.0.217 to-ports=51820
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.xxx dst-port=51821 \
    in-interface=ether1 protocol=udp to-addresses=192.168.0.124 to-ports=\
    51821
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
/ip ipsec policy
set 0 disabled=yes
/ip route
add distance=1 gateway=xx.xx.xx.xxx
/ip service
set telnet address=192.168.0.0/24 disabled=yes
set ftp address=192.168.0.0/24 disabled=yes
set www address=192.168.0.0/24 port=88
set ssh address=192.168.0.0/24 disabled=yes
set www-ssl address=192.168.0.0/24 disabled=no port=4443
set api address=192.168.0.0/24 disabled=yes
set winbox address=192.168.0.0/24
set api-ssl address=192.168.0.0/24 disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip upnp
set allow-disable-external-interface=yes
/ip upnp interfaces
add type=internal
add interface=ether1 type=external
/ppp secret
add name=AWI profile=vpn service=ovpn
/snmp
set enabled=yes trap-generators="" trap-version=2
/system clock
set time-zone-name=Europe/Berlin
/tool bandwidth-server
set enabled=no
/tool graphing interface
add interface=ether1
add interface=ether5
add interface="ether2(WLAN)"
add interface=ether3
add interface=ether4
add interface=vlan20
add interface=vlan10
/tool mac-server ping
set enabled=no
Where's the problem?

Eth1 is connected to modem
Eth2 is connected to CSS
Eth3 is connected to CSS
Eth4 is directly connected to a NIC for DMZ
Eth5 is connected to CSS

Eth3 and Eth5 are linked together als a bond

Re: VLAN Routing is slow on hex S

Posted: Fri Jun 04, 2021 1:39 pm
by loloski
Hi,

There's no hardware offload feature on hex so all vlan operation is done in the cpu not on a switch chip and that could potentially explain your situation, don't use the router to do what the switch is supposed to do as workaround configure your css switch and make an untagged/access port towards the router and do inter-vlan routing, your solution is pretty much valid on other gear like cisco/juniper but not so much here in MT land, just my 0.2$

Re: VLAN Routing is slow on hex S

Posted: Fri Jun 04, 2021 1:41 pm
by nobody123
Hi,

There's no hardware offload feature on hex so all vlan operation is done in the cpu not on a switch chip and that could potentially explain your situation, don't use the router to do what the switch is supposed to do as workaround configure your css switch and make an untagged/access port towards the router and do inter-vlan routing, your solution is pretty much valid on other gear like cisco/juniper but not so much here in MT land, just my 0.2$
thank you for your reply.
How can I do this with the CSS?

Re: VLAN Routing is slow on hex S

Posted: Fri Jun 04, 2021 1:58 pm
by loloski
Hi,

There's no hardware offload feature on hex so all vlan operation is done in the cpu not on a switch chip and that could potentially explain your situation, don't use the router to do what the switch is supposed to do as workaround configure your css switch and make an untagged/access port towards the router and do inter-vlan routing, your solution is pretty much valid on other gear like cisco/juniper but not so much here in MT land, just my 0.2$
thank you for your reply.
How can I do this with the CSS?
I don't have CSS here with me, i have CRS 3xx series switch and it has different way of doing the vlan, sorry can't help you with that but the same concept applies the key take away is you have to create access/untagged port towards the routerand assign the ip address on the interface directly just you normally do on a non vlan aware router and do the routing in between subnet

Re: VLAN Routing is slow on hex S

Posted: Fri Jun 04, 2021 2:29 pm
by mkx
Don't mix intra-VLAN switching and inter-VLAN routing. Better switch (CSS3xx or CRS3xx) can help with former (intra-VLAN switching) but not with the later (switches suck at routing even if they run ROS, like CRS3xx does).

hEX S is not a very powerful router. Real-life routing performance with pretty simple setup is around 350Mbps. Your setup (which includes bond and VLAN tagging/untagging) drops the performance even further. And no, HW offloading of VLAN stuff doesn't help with inter-VLAN routing at all.
A thing to note: the performance number can only be achieved by running multiple connections in parallel. If you're using single TCP connection (e.g. SMB connection between windows client and some file server, such as windows machine or NAS), performance will be lower, could well be in range you're experiencing. And no, CRS3xx (running ROS v6) won't help with inter-VLAN routing. If you want to get near 1Gbps inter-VLAN routing throughput, you'll have to get a decent router. The cheapest device would probably be a RB4011.

Re: VLAN Routing is slow on hex S

Posted: Fri Jun 04, 2021 5:09 pm
by nobody123
okay, I understand.
I deactivated the bond and now I'm facing some problems: If I transfer files between VLAN1 and VLAN10 the speed drops even further to 35 mb/s.
And in additon, if I activate the VLAN Filtering in the bridge I'll loose internet connection.


This is the new configuration:
Code: Select all
# jun/04/2021 16:03:46 by RouterOS 6.48.2
# software id = XE0V-A40Q
#
# model = RB760iGS
# serial number = A815099AF64D
/interface bridge
add igmp-snooping=yes name=bridge1
/interface ethernet
set [ find default-name=ether2 ] disabled=yes name="ether2(WLAN)"
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20
add interface=bridge1 name=vlan30 vlan-id=30
add interface=bridge1 name=vlan50 vlan-id=1
/interface bonding
add disabled=yes mode=802.3ad name=bonding1 slaves=ether3,ether5
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name="Block Site" regexp="^.+(facebook).*\$"
/ip pool
add name=dhcp ranges=192.168.0.20-192.168.0.40
add name=dhcp_pool6 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool10 ranges=192.168.10.2-192.168.10.254
add name=DMZ ranges=192.168.100.2-192.168.100.254
add name=dhcp_pool12 ranges=192.168.30.2-192.168.30.254
add name=WLAN ranges=192.168.50.3-192.168.50.100
add name=" pool-vpn" ranges=192.168.123.100-192.168.123.199
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 lease-script=\
    dhcp-lease-script lease-time=2h name=server1
add address-pool=dhcp_pool6 disabled=no interface=vlan20 name=dhcp2
add address-pool=DMZ disabled=no interface=ether4 name=dhcp3
add address-pool=dhcp_pool10 disabled=no interface=vlan10 lease-script=\
    dhcp-lease-script name=dhcp4
add address-pool=dhcp_pool12 disabled=no interface=vlan30 lease-time=4d4h10m \
    name=dhcp1
add address-pool=WLAN disabled=no interface="ether2(WLAN)" name=WLAN
/port
set 0 name=serial0
/ppp profile
add dns-server=192.168.123.254 local-address=192.168.123.254 name=vpn \
    remote-address=" pool-vpn" use-compression=no use-encryption=required
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/dude
set enabled=yes
/interface bridge port
add bridge=bridge1 interface=ether5
add bridge=bridge1 disabled=yes interface="ether2(WLAN)" pvid=50
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=20
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=30
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=50
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=1
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether1 list=WAN
add interface=ether5 list=LAN
/interface ovpn-server server
set auth=sha1 certificate="VPN Server" cipher=aes256 default-profile=vpn \
    enabled=yes require-client-certificate=yes
/ip address
add address=192.168.0.1/24 interface=ether5 network=192.168.0.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.100.1/24 interface=ether4 network=192.168.100.0
add address=xx.xx.xx.xxx/30 interface=ether1 network=xx.xx.xx.xxx
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
add address=192.168.50.1/24 interface=vlan50 network=192.168.50.0
/ip dhcp-server lease
add address=192.168.0.136 allow-dual-stack-queue=no disabled=yes mac-address=\
    00:02:C9:4E:89:26 server=server1
add address=192.168.0.113 allow-dual-stack-queue=no disabled=yes mac-address=\
    F2:E7:52:EB:6E:9B server=server1
add address=192.168.0.26 client-id=1:0:26:ab:6c:6:27 disabled=yes \
    mac-address=00:26:AB:6C:06:27 server=server1
add address=192.168.0.33 client-id=1:0:2:c9:51:77:dc disabled=yes \
    mac-address=00:02:C9:51:77:DC server=server1
add address=192.168.50.100 client-id=1:2c:f0:5d:3b:db:d3 disabled=yes \
    mac-address=2C:F0:5D:3B:DB:D3 server=WLAN
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 domain=home.lab gateway=\
    192.168.0.1 netmask=24
add address=192.168.10.0/24 dns-server=192.168.10.13 domain=service.lab \
    gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.0.1 domain=private.lab \
    gateway=192.168.20.1 netmask=24
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
add address=192.168.50.0/24 dns-server=192.168.0.1 domain=private.lab \
    gateway=192.168.50.1
add address=192.168.100.0/24 dns-server=192.168.100.1 gateway=192.168.100.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.0.3,192.168.10.13
/ip dns static
add address=192.168.100.110 name=mydomain1.de
add address=192.168.100.110 name=mydomain2.de
add address=192.168.100.110 name=mydomain3.de
add address=192.168.0.131 name=pve.home.lab
add address=192.168.0.2 name=r620.home.lab
add address=192.168.0.113 name=nanopineo.home.lab
add address=192.168.0.128 name=grafana.home.lab
add address=192.168.0.136 name=fileserver.home.lab
add address=192.168.0.10 name=pve2.home.lab
add address=192.168.10.18 name=bookstack.service.lab
add address=192.168.10.123 name=Guacamole.service.lab
add address=192.168.10.101 comment=#DHCP name=Heimdall.service.lab ttl=10m
add address=192.168.10.122 disabled=yes name=avideo.service.lab
add address=192.168.10.123 name=avideo1.service.lab
add address=192.168.0.21 comment=#DHCP name=GUI.home.lab ttl=2h
add address=192.168.0.22 comment=#DHCP name=GUI.home.lab ttl=2h
add address=192.168.0.27 comment=#DHCP name=Ryzen-Workstation.home.lab ttl=2h
add address=192.168.10.6 comment=#DHCP name=\
    xxx-Standard-PC-i440FX-PIIX-1996.service.lab ttl=10m
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="Allow Established connections" \
    connection-state=established,related
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment="accept OpenVPN" dst-port=1192 log=yes \
    protocol=tcp
add action=accept chain=forward dst-port=51820 protocol=udp
add action=accept chain=forward dst-port=51821 protocol=udp
add action=accept chain=input comment=" accept OVPN->LAN" disabled=yes \
    dst-address=192.168.0.0/24 src-address=192.168.124.0/24
add action=drop chain=forward comment="drop invalid connections" \
    connection-state=invalid protocol=tcp
add action=accept chain=forward comment=\
    "allow already established connections" connection-state=established
add action=reject chain=input dst-port=22 in-interface-list=WAN log=yes \
    protocol=tcp reject-with=tcp-reset
add action=drop chain=forward dst-port=22 in-interface-list=WAN log=yes \
    protocol=tcp
add action=accept chain=forward comment="allow related connections" \
    connection-state=related
add action=accept chain=forward comment=\
    "Allow traffic between Workstation and Webserver" dst-address=\
    192.168.100.110 dst-port=443,80 protocol=tcp src-address=192.168.0.30
add action=accept chain=forward comment=\
    "Allow traffic between Workstation and Webserver" dst-address=\
    192.168.100.128 dst-port=8086 protocol=tcp src-address=192.168.0.131
add action=accept chain=forward comment=\
    "Allow traffic between Workstation and Webserver" dst-address=\
    192.168.100.110 dst-port=443,80 protocol=tcp src-address=192.168.0.19
add action=accept chain=forward comment=\
    "Allow traffic between Workstation and Webserver" dst-address=\
    192.168.100.110 dst-port=443,80 protocol=tcp src-address=192.168.0.217
add action=accept chain=forward comment=\
    "Allow traffic between Workstation and Webserver" dst-address=\
    192.168.100.156 dst-port=445 protocol=tcp src-address=192.168.0.127
add action=accept chain=forward comment=\
    "Allow traffic between Workstation and Webserver" dst-address=\
    192.168.0.127 dst-port=445 protocol=tcp src-address=192.168.100.156
add action=accept chain=forward comment=\
    "Allow traffic between Workstation and Webserver" disabled=yes \
    dst-address=192.168.100.138 dst-port=3479 protocol=tcp src-address=\
    192.168.100.211
add action=accept chain=forward comment=\
    "Allow traffic between Workstation and Webserver" disabled=yes \
    dst-address=192.168.100.138 dst-port=3479 protocol=udp src-address=\
    192.168.100.211
add action=accept chain=forward comment=\
    "Allow traffic between Workstation and Webserver" dst-address=\
    192.168.100.110 dst-port=443,80 protocol=tcp src-address=192.168.0.15
add action=accept chain=forward comment=\
    "Allow traffic between Workstation and Webserver" dst-address=\
    192.168.100.110 dst-port=443,80 protocol=tcp src-address=192.168.0.14
add action=accept chain=forward comment=\
    "Allow traffic between Workstation and Webserver" dst-address=\
    192.168.50.100 protocol=tcp src-address=192.168.100.110 src-port=443,80
add action=accept chain=forward comment=\
    "Allow traffic between Workstation and Webserver" disabled=yes \
    dst-address=192.168.0.12 protocol=tcp src-address=192.168.100.110 \
    src-port=443,80
add action=accept chain=forward comment="allow traffic between these subnets" \
    dst-address=192.168.10.0/24 src-address=192.168.0.0/24
add action=accept chain=forward comment="allow traffic between these subnets" \
    dst-address=192.168.20.0/24 src-address=192.168.0.0/24
add action=accept chain=forward comment="Allow traffic between these subnets" \
    dst-address=192.168.30.0/24 src-address=192.168.0.0/24
add action=accept chain=forward comment="Block traffic between these subnets" \
    dst-address=192.168.50.0/24 src-address=192.168.0.0/24
add action=drop chain=forward comment="Block traffic between these subnets" \
    dst-address=192.168.100.0/24 src-address=192.168.0.0/24
add action=accept chain=forward comment="Allow traffic between these subnets" \
    dst-address=192.168.0.0/24 src-address=192.168.10.0/24
add action=accept chain=forward comment="Allow traffic between these subnets" \
    dst-address=192.168.20.0/24 src-address=192.168.10.0/24
add action=accept chain=forward comment="Allow traffic between these subnets" \
    dst-address=192.168.50.0/24 src-address=192.168.10.0/24
add action=drop chain=forward comment="Block traffic between these subnets" \
    dst-address=192.168.100.0/24 src-address=192.168.10.0/24
add action=accept chain=forward comment="Block traffic between these subnets" \
    connection-state=established,related dst-address=192.168.0.0/24 \
    src-address=192.168.20.0/24
add action=accept chain=forward comment="Block traffic between these subnets" \
    connection-state=established,related dst-address=192.168.10.0/24 \
    src-address=192.168.20.0/24
add action=accept chain=forward comment="Block traffic between these subnets" \
    connection-state=established,related dst-address=192.168.50.0/24 \
    src-address=192.168.20.0/24
add action=drop chain=forward comment="Block traffic between these subnets" \
    dst-address=192.168.100.0/24 src-address=192.168.20.0/24
add action=accept chain=forward comment="Allow traffic between these subnets" \
    dst-address=192.168.0.0/24 src-address=192.168.30.0/24
add action=drop chain=forward comment="Block traffic between these subnets" \
    dst-address=192.168.50.0/24 src-address=192.168.30.0/24
add action=accept chain=forward comment="Block traffic between these subnets" \
    connection-state=established,related dst-address=192.168.0.0/24 \
    src-address=192.168.50.0/24
add action=accept chain=forward comment="Block traffic between these subnets" \
    connection-state=established,related dst-address=192.168.10.0/24 \
    src-address=192.168.50.0/24
add action=accept chain=forward comment="Block traffic between these subnets" \
    connection-state=established,related dst-address=192.168.20.0/24 \
    src-address=192.168.50.0/24
add action=accept chain=forward comment="Block traffic between these subnets" \
    dst-address=192.168.0.0/24 src-address=10.9.0.0/24
add action=drop chain=forward comment="Block traffic between these subnets" \
    dst-address=192.168.0.0/24 src-address=192.168.100.0/24
add action=drop chain=forward comment="Block traffic between these subnets" \
    dst-address=192.168.20.0/24 src-address=192.168.100.0/24
add action=drop chain=forward comment="Block traffic between these subnets" \
    dst-address=192.168.10.0/24 src-address=192.168.100.0/24
add action=accept chain=forward comment="Block traffic between these subnets" \
    in-interface=vlan50 out-interface=bridge1
add action=accept chain=forward comment=Drucker dst-address=192.168.0.26 \
    in-interface=vlan50 out-interface=bridge1 src-address=192.168.50.0/24
add action=accept chain=forward comment=Drucker dst-address=192.168.50.0/24 \
    in-interface=bridge1 out-interface=vlan50 src-address=192.168.0.26
add action=drop chain=input comment="drop ssh from wan" connection-state=\
    related in-interface-list=WAN log=yes
add action=drop chain=input comment="drop winbox from wan" dst-port=8291 \
    in-interface-list=WAN log=yes protocol=tcp
add action=accept chain=input comment="drop winbox from wan" dst-port=8291 \
    in-interface-list=!WAN log=yes protocol=tcp
add action=drop chain=forward comment="Block Fressebuch" layer7-protocol=\
    "Block Site" src-address=192.168.0.0/24
add action=accept chain=forward disabled=yes in-interface=ether4 \
    src-address-list=192.168.100.0/24
add action=accept chain=input dst-port=4443 protocol=tcp
add action=accept chain=input dst-port=88 protocol=tcp
add action=drop chain=forward src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=icmp protocol=icmp
add action=accept chain=input dst-port=161 in-interface=bridge1 protocol=udp
add action=accept chain=input dst-port=53 in-interface-list=!WAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=!WAN protocol=udp
add action=drop chain=forward connection-nat-state=!dstnat in-interface-list=\
    WAN
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=forward comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE (Wlan Telefonie)" \
    connection-type=sip dst-port=500 log=yes protocol=udp
add action=accept chain=forward comment="allow IKE (Wlan Telefonie)" \
    dst-port=500 protocol=udp
add action=drop chain=input comment="Block everything else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=accept chain=srcnat dst-address-type=local
add action=dst-nat chain=dstnat comment="HTTPS an reverse proxy" dst-address=\
    xx.xx.xx.xxx dst-port=80,443 protocol=tcp to-addresses=192.168.100.110
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.xxx dst-port=8444 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.100.110 to-ports=\
    443
add action=dst-nat chain=dstnat disabled=yes dst-address=xx.xx.xx.xxx \
    dst-port=50000 in-interface=ether1 protocol=tcp to-addresses=\
    192.168.100.52 to-ports=50000
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.xxx dst-port=1194 \
    in-interface=ether1 log=yes protocol=udp to-addresses=192.168.0.113 \
    to-ports=1194
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.xxx dst-port=1195 \
    in-interface=ether1 protocol=udp to-addresses=192.168.0.250 to-ports=1195
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.xxx dst-port=1197 \
    in-interface=ether1 log=yes protocol=udp to-addresses=192.168.0.9 \
    to-ports=1197
add action=dst-nat chain=dstnat comment="192.168.0.117: Plex Media Server" \
    disabled=yes dst-address=xx.xx.xx.xxx dst-port=26070 in-interface=ether1 \
    log=yes protocol=tcp to-addresses=192.168.0.136 to-ports=32400
add action=dst-nat chain=dstnat comment="TURN Server Nextcloud mydomain1" \
    dst-address=xx.xx.xx.xxx dst-port=3478 log=yes protocol=tcp to-addresses=\
    192.168.100.156 to-ports=3478
add action=dst-nat chain=dstnat comment="TURN Server Nextcloud mydomain1" \
    dst-address=xx.xx.xx.xxx dst-port=3479 log=yes protocol=tcp to-addresses=\
    192.168.100.156 to-ports=3479
add action=dst-nat chain=dstnat comment="TURN Server Nextcloud mydomain1" \
    dst-address=xx.xx.xx.xxx dst-port=3478 protocol=udp to-addresses=\
    192.168.100.156 to-ports=3478
add action=dst-nat chain=dstnat comment="TURN Server Nextcloud mydomain1" \
    dst-address=xx.xx.xx.xxx dst-port=3479 log=yes protocol=udp to-addresses=\
    192.168.100.156 to-ports=3479
add action=dst-nat chain=dstnat comment="TURN Server cloud.mydomain1" \
    dst-address=xx.xx.xx.xxx dst-port=5349 log=yes protocol=tcp to-addresses=\
    192.168.100.138 to-ports=5349
add action=dst-nat chain=dstnat comment="TURN Server cloud.mydomain1" \
    dst-address=xx.xx.xx.xxx dst-port=5350 log=yes protocol=tcp to-addresses=\
    192.168.100.138 to-ports=5350
add action=dst-nat chain=dstnat comment="TURN Server cloud.mydomain1" \
    dst-address=xx.xx.xx.xxx dst-port=5349 log=yes protocol=udp to-addresses=\
    192.168.100.138 to-ports=5349
add action=dst-nat chain=dstnat comment="TURN Server cloud.mydomain1" \
    dst-address=xx.xx.xx.xxx dst-port=5350 in-interface=ether1 log=yes \
    protocol=udp to-addresses=192.168.100.138 to-ports=5350
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.0.11 \
    dst-port=32400 in-interface=ether1 protocol=tcp to-addresses=\
    192.168.0.117 to-ports=26065
add action=dst-nat chain=dstnat dst-port=51820 in-interface=ether1 protocol=\
    udp to-addresses=192.168.0.217 to-ports=51820
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.xxx dst-port=51821 \
    in-interface=ether1 protocol=udp to-addresses=192.168.0.124 to-ports=\
    51821
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
/ip ipsec policy
set 0 disabled=yes
/ip route
add distance=1 gateway=xx.xx.xx.xxx
/ip service
set telnet address=192.168.0.0/24 disabled=yes
set ftp address=192.168.0.0/24 disabled=yes
set www address=192.168.0.0/24 port=88
set ssh address=192.168.0.0/24 disabled=yes
set www-ssl address=192.168.0.0/24 disabled=no port=4443
set api address=192.168.0.0/24 disabled=yes
set winbox address=192.168.0.0/24
set api-ssl address=192.168.0.0/24 disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip upnp
set allow-disable-external-interface=yes
/ip upnp interfaces
add type=internal
add interface=ether1 type=external
/ppp secret
add name=AWI profile=vpn service=ovpn
/snmp
set enabled=yes trap-generators="" trap-version=2
/system clock
set time-zone-name=Europe/Berlin
/system script
add dont-require-permissions=no name=dhcp-lease-script owner=xxx policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=" \
    \_  :local DHCPtag\r\
    \n    :set DHCPtag \"#DHCP\"\r\
    \n    :if ( [ :len \$leaseActIP ] <= 0 ) do={ :error \"empty lease address\
    \" }\r\
    \n    :if ( \$leaseBound = 1 ) do={\r\
    \n        :local ttl\r\
    \n        :local domain\r\
    \n        :local hostname\r\
    \n        :local dnsname\r\
    \n        :local fqdn\r\
    \n        :local leaseId\r\
    \n        :local comment\r\
    \n        :local devicename\r\
    \n        :local convert ({})\r\
    \n        :local validChars \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQR\
    STUVWXYZ01234567890-\"\r\
    \n        /ip dhcp-server\r\
    \n        :set ttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
    \n        network \r\
    \n        :set domain [ get [ find \$leaseActIP in address ] domain ]\r\
    \n        .. lease\r\
    \n        :set leaseId [ find address=\$leaseActIP ]\r\
    \n        # Check for multiple active leases for the same IP address. It's\
    \_weird and it shouldn't be, but just in case.\r\
    \n        :if ( [ :len \$leaseId ] != 1) do={\r\
    \n            :log info \"DHCP2DNS: not registering domain name for addres\
    s \$leaseActIP because of multiple active leases for \$leaseActIP\"\r\
    \n            :error \"multiple active leases for \$leaseActIP\"\r\
    \n        }\r\
    \n        :set hostname [ get \$leaseId host-name ]\r\
    \n        :set comment [ get \$leaseId comment ]\r\
    \n        /\r\
    \n        # Namen f\FCr Ger\E4t ermittlen\r\
    \n        :set devicename \$comment\r\
    \n        :if ( [ :len \$devicename ] <= 0 ) do={\r\
    \n            :set devicename \$hostname\r\
    \n        }\r\
    \n        # Ger\E4tenamen auf ung\FCltige Zeichen pr\FCfen\r\
    \n        :for validCharsIndex from=0 to=([:len \$validChars] - 1) do={\r\
    \n            :local validChar [:pick \$validChars \$validCharsIndex]\r\
    \n            :set (\$convert->(\$validChar)) (\$validChar)\r\
    \n        }\r\
    \n        :set (\$convert->(\"_\")) (\"-\")\r\
    \n        :set (\$convert->(\" \")) (\"-\")\r\
    \n        :for i from=0 to=([:len \$devicename] - 1) do={\r\
    \n            :local char [:pick \$devicename \$i]\r\
    \n            :local converted (\$convert->\"\$char\")\r\
    \n            :local convertedType [:typeof \$converted]\r\
    \n            :if (\$convertedType = \"str\") do={\r\
    \n                :set \$char \$converted\r\
    \n            } else={\r\
    \n                :set \$char \"\"\r\
    \n            }\r\
    \n            :set dnsname (\$dnsname.\$char)\r\
    \n        }\r\
    \n        # FQDN festlegen\r\
    \n        :if ( [ :len \$dnsname ] <= 0 ) do={\r\
    \n            :log error \"DHCP2DNS: not registering domain name for addre\
    ss \$leaseActIP because of empty lease host-name or comment\"\r\
    \n            :error \"empty lease host-name or comment\"\r\
    \n        }\r\
    \n        :if ( [ :len \$domain ] <= 0 ) do={\r\
    \n            :log error \"DHCP2DNS: not registering domain name for addre\
    ss \$leaseActIP because of empty network domain name\"\r\
    \n            :error \"empty network domain name\"\r\
    \n        }\r\
    \n        :set fqdn \"\$dnsname.\$domain\"\r\
    \n        /ip dns static\r\
    \n        :if ( [ :len [ find name=\$fqdn and address=\$leaseActIP and dis\
    abled=no ] ] = 0 ) do={\r\
    \n            :log info \"DHCP2DNS: registering static domain name \$fqdn \
    for address \$leaseActIP with ttl \$ttl\"\r\
    \n            add address=\$leaseActIP name=\$fqdn ttl=\$ttl comment=\$DHC\
    Ptag disabled=no\r\
    \n        } else={\r\
    \n            :log error \"DHCP2DNS: not registering domain name \$fqdn fo\
    r address \$leaseActIP because of existing active static DNS entry with th\
    is name or address\"\r\
    \n        }\r\
    \n        /\r\
    \n    } else={\r\
    \n        /ip dns static\r\
    \n        :local dnsDhcpId\r\
    \n        :set dnsDhcpId [ find address=\$leaseActIP and comment=\$DHCPtag\
    \_]\r\
    \n        :if ( [ :len \$dnsDhcpId ] > 0 ) do={\r\
    \n            :log info \"DHCP2DNS: removing static domain name(s) for add\
    ress \$leaseActIP\"\r\
    \n            remove \$dnsDhcpId\r\
    \n        }\r\
    \n        /\r\
    \n    }"
/tool bandwidth-server
set enabled=no
/tool graphing interface
add interface=ether1
add interface=ether5
add interface="ether2(WLAN)"
add interface=ether3
add interface=ether4
add interface=vlan20
add interface=vlan10
/tool mac-server ping
set enabled=no

Re: VLAN Routing is slow on hex S

Posted: Fri Jun 04, 2021 5:16 pm
by anav
Get rid of vlan1 for data it should only be used as the default bridge vlan!!! (use vlan10) and use this reference.....
viewtopic.php?f=23&t=143620

Re: VLAN Routing is slow on hex S

Posted: Fri Jun 04, 2021 5:18 pm
by nobody123
Get rid of vlan1 for data it should only be used as the default bridge vlan!!! (use vlan10) and use this reference.....
viewtopic.php?f=23&t=143620
Do you mean I should place my computer and server and everything else into VLAN10 instead of 1?

Re: VLAN Routing is slow on hex S

Posted: Fri Jun 04, 2021 6:16 pm
by mada3k
I reach about 250Mbps for plain VLAN-routing on a regular hEX with one port used as route-on-a-stick.

hEX <-trunk->switch<-trunk->switch<-trunk->(server with vm's on different vlans)

Re: VLAN Routing is slow on hex S

Posted: Fri Jun 04, 2021 6:28 pm
by anav
Get rid of vlan1 for data it should only be used as the default bridge vlan!!! (use vlan10) and use this reference.....
viewtopic.php?f=23&t=143620
Do you mean I should place my computer and server and everything else into VLAN10 instead of 1?
That is one option, I dont know the purpose of your vlans or your desired management posture.
You could move vlan1 to vlan101 for example, just saying use a different ID number

Re: VLAN Routing is slow on hex S

Posted: Fri Jun 04, 2021 6:41 pm
by Hominidae
If you want to get near 1Gbps inter-VLAN routing throughput, you'll have to get a decent router. The cheapest device would probably be a RB4011.
The RB4011 can do far better than that.
Just did a test with iperf from a 10G Client to a NAS, where the RB4011 is on a RoaS setup vis SFP+ to a CRS326..
Client (10G) - CSS610 - CRS326 - NAS (bond 4x1G).

iperf (running 8 to 12 threads) accross VLANs easily maxes out the Bond (3.8Gbps) while CPU load on the RB4011 is between 12-16% each core.

If money is an issue and 1-Gbps Links and bonding options are enough, I'd look into the RB450Gx4 as well, which is about 2/3 of the pricetag (including enclosure and PSU) of the RB4011
All times are UTC+02:00
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/