Using a CRS326 as router (FTTH)

svh79 · Thu Mar 28, 2024 9:38 pm

Dear experts,

I have just received my first RouterOS hardware (CRS326-24S+2Q+RM) which should replace my consumer-grade switch (fiber-to-the-home) and router.

Currently, network attached devices can ping most IPv4 addresses and also resolve domain names. Devices also receive an IP within the expected address range on the correct network. However, there are still many connection issues: using a browser on an attached PC, hardly any website loads.

I think I have managed to set up these things:
- PPPoE connection via AON fiber SFP module
- DHCP server (LAN) and client (WAN)
- DNS

I have also created some firewall rules, but this is probably the part I have least knowledge and suspect this being the source of the issues.

Filter Rules

Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 ;;; accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked

2 ;;; drop invalid
chain=input action=drop connection-state=invalid

3 ;;; accept ICMP
chain=input action=accept protocol=icmp

4 ;;; accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1

5 ;;; drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN

6 ;;; accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec

7 ;;; accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec

8 ;;; fasttrack
chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related

9 ;;; accept established, related, untracked
chain=forward action=accept connection-state=established,related,untracked

10 ;;; drop invalid
chain=forward action=drop connection-state=invalid

11 ;;; drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

NAT

Flags: X - disabled, I - invalid; D - dynamic
0 I ;;;
chain=srcnat action=masquerade src-address-list=LAN out-interface=pppoe-out1 log=no log-prefix=""

1 ;;; masquerade
chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none

Mangle

Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=prerouting action=passthrough

1 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

2 D ;;; special dummy rule to show fasttrack counters
chain=postrouting action=passthrough

3 I ;;;
chain=forward action=change-mss new-mss=1452 passthrough=yes tcp-flags=syn protocol=tcp out-interface=pppoe-out1 tcp-mss=1453-65535 log=no log-prefix=""

Do you have a hint for me where to look for the issue? Maybe you even have a possible solution?

Best,
Sven

TheCat12 · Fri Mar 29, 2024 8:43 pm

I think your masquerade rule and mangle rule #3 aren't working as intended (they're flagged as invalid). On the masquerading rule try to remove src-address-list and for the mangle rule I'm not quite sure (maybe you've put too big of a mss or the rule isn't needed)

patrick7 · Fri Mar 29, 2024 8:52 pm

Keep in mind that PPPoE can't be offloaded and is going through the CPU. And CRS326-24S+ don't have really strong CPUs. Routing through CPU (without PPPoE) is max 414 Mbps. With PPPoE it will be less.

svh79 · Sat Mar 30, 2024 9:40 am

Thank you for the hints!

The rules are probably marked as invalid, as I had removed the fiber SFP module when extracting the config.

I read about the CPU limitations and overall limited routing performance on the product website, however, I'd like to check if it is still sufficient for my local requirements.

anav · Sat Mar 30, 2024 3:32 pm

post config not snapshots
/export file=anynameyowish (minus router serial #, any public WANIP information )

Using a CRS326 as router (FTTH)

Using a CRS326 as router (FTTH)

Re: Using a CRS326 as router (FTTH)

Re: Using a CRS326 as router (FTTH)

Re: Using a CRS326 as router (FTTH)

Re: Using a CRS326 as router (FTTH)

Who is online