 
vddsd
just joined
Topic Author
Posts: 16
Joined: Wed Jul 04, 2012 1:12 am
Location: NB, Canada

Web Proxy Very Slow With VLAN

Tue Dec 17, 2013 11:50 pm

Greetings,

I've been trying to figure out a solution to this seemingly simple problem for about 14 hours and I hope someone has a simple solution. Basically what I'm trying to accomplish is to have a transparent web proxy for caching. If I dedicate a port on my router to be used for the LAN, my setup works flawlessly with speeds of approx 700 Mb/sec for cached content (x86-based router). As soon as I put my users on a VLAN, the speed for cached content drops to about 1.5 Mb/sec. For some reason, the web proxy has terrible issues with VLANs it seems.

Here's my setup:

I have a NAT rule to redirect web traffic through the proxy:
/ip firewall nat add action=redirect chain=dstnat dst-port=80 protocol=tcp to-ports=8080

I have my users in a VLAN:
/interface vlan add interface=ether1 l2mtu=9010 name=vlan12 vlan-id=12

I have no firewall filtering rules in my test environment

My web proxy is configured as follows:
/ip proxy set always-from-cache=yes cache-administrator=cache@admin.com cache-on-disk=yes enabled=yes max-fresh-time=100w parent-proxy=0.0.0.0

/ip proxy access add
/ip proxy cache add


As indicated previously, if my users are on the subnet of one of my physical Ethernet ports on the router, this works flawlessly and is very fast. Only users on a VLAN interface have speed issues. I suspect an MTU issue, but I can't figure it out. If I turn off my redirect NAT rule (which basically turns off the web proxy), both sets of users are able to download at full speed, but obviously without any caching.

For VLAN users, I have a port on the router going to my switch (tagged port) and I have my users connected to the switch (untagged port). By the way, I get 1.5 Mbit/sec on RouterOS version 6.x and I get about 20 Mb/sec on RouterOS version 5.x with the exact same config.

Perhaps someone here has any ideas?

Thanks
 
multinet
just joined
Posts: 1
Joined: Wed Dec 18, 2013 1:32 am

Re: Web Proxy Very Slow With VLAN

Wed Dec 18, 2013 7:53 am

Was the system running ros 5.2x and then updated to ros 6.x? Curious, because I have a similar experience. I'd email the support file to support at mikrotik.com. I emailed them my support file, a complete backup of the ros 5.x that was working and a system backup of ros 6.7 to help them track down the issue. Usually, the more info, the faster the cause can be narrowed down.

The only other thing I can think of is that your l2 mtu looks high. Not sure if that matters. On your vlan are you running an mtu of 1500? Have you tried lowering it to say 1472? Just guesses in case your issue is not the same as mine.
 
vddsd
just joined
Topic Author
Posts: 16
Joined: Wed Jul 04, 2012 1:12 am
Location: NB, Canada

Re: Web Proxy Very Slow With VLAN

Wed Dec 18, 2013 3:29 pm

I have already tried changing the MTU, but it made no difference. I tried this setup with 5.26, with 6.2 and with 6.7. All those versions had major speed issues with the transparent proxy enabled for users on a VLAN, although version 5.26 is about 15 times faster than 6.x. I tried turning on the firewall for VLANs, I tried bridging the VLAN interface, I tried various methods of redirecting/natting the traffic to the web proxy, all of which had no measurable effect. No matter what I try, if a user is on a VLAN, their web traffic speed is reduced to a snail's pace if they go through the transparent web proxy. As soon as I disable the redirect rule, both non-VLAN users and VLAN users are able to download at near wire speeds, so I know the network functions properly.

I have deployed no less than 250 Mikrotik routers with varying ranges of complex configurations, so I have a solid base of experience with Mikrotik products. I'm usually not one to jump to conclusions and blame things on bugs, but after spending nearly 20 hours on something that should have taken me only a couple of minutes to configure, it looks like a bug to me. I really hope I'm wrong about this as I don't have months of time available to me to wait for a fix. We are deploying a centrally managed thin client solution to a couple of dozen sites and they require the client's OS images (about 550 MB) to be cached locally using a web proxy. Without a local copy of the OS image, the thin clients can take half an hour to turn on depending on the local WAN speed, so it's really important for us to have a working solution.

I'm thinking of deploying two Mikrotik routers per site as a temporary workaround... one for their normal network (the existing router) and the second to act as a transparent web proxy... since there would not be any VLANs on that router, I'm hoping that the web proxy would function normally. A real messy solution, but it could work in the short term. I still have my fingers crossed that there is a problem with my configuration and that someone out there can help point it out to me! I have also already sent all the details to Mikrotik support but I have not received an official response yet... but it's only been a day since I sent the information to them.