genesispro
Member Candidate
Topic Author
Posts: 283
Joined: Fri Mar 14, 2014 12:33 pm

RB5009UG+S+ download speed 600/1000 upload 800+/1000

Fri Mar 15, 2024 1:47 pm

I recently decided to swap a CHR with a RB5009UG+S+ in a datacenter where my WAN is 1 Gbps.
Unfortunately, with the "same" setup in terms of rules etc., I now get max 600 Mbps out of 1000.
With the CHR I was getting nearly 1000.
Is it the hardware or am I missing something?
I also swapped masquerade with src-nat.
I have 7-8 filter rules and I have fasttrack enabled and no mangle rules. Despite that, I also disabled the firewall rules and there was nearly no significant change.
The RB5009UG+S+ is running on 7.14.1.
I am trying the speedtest behind the NAT from a PC. I also tried a Linux VM, and I tried the BTest as well, which I didn't expect to win as it needs lots of CPU resources too.
I also tried to set the CPU from auto to max (1400) but also no change.
Could I do something to improve it, or do I need to look for a CCR or a CHR (again)?
Could it be an MTU value for example (all are in default)?
 
mkx
Forum Guru
Posts: 11646
Joined: Thu Mar 03, 2016 10:23 pm

Re: RB5009UG+S+ download speed 600/1000 upload 800+/1000

Fri Mar 15, 2024 3:52 pm

> Is it the hardware or am I missing something?

Hardware is a big unknown with CHR, it really depends. But decent hardware, used to run hypervisors, tends to be much more capable for general processing (e.g. FW rules) than most of MikroTik's hardware. So I can imagine that CHR can outperform most (if not all) MT hardware routers/firewalls.

> I also swapped masquerade with src-nat.

So you can't compare old and current setup after all.

Anyway, what you observe (faster UL than DL) seems to point at firewall rules (in particular DST-NAT) which seem to be a bit non-optimal. If it was something else (e.g. MTU), it would either be present in both directions (but you see decent performance in UL) or the effect would be very dire (MTU mismatch usually means effective throughput on the order of kbps or even no communication at all).

So it would be necessary to see actual RB5009 communication to give you some better advice.
 
genesispro
Member Candidate
Topic Author
Posts: 283
Joined: Fri Mar 14, 2014 12:33 pm

Re: RB5009UG+S+ download speed 600/1000 upload 800+/1000

Fri Mar 15, 2024 4:18 pm

I tried to disable all rules but nothing significant changed
 
anav
Forum Guru
Posts: 19404
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB5009UG+S+ download speed 600/1000 upload 800+/1000

Fri Mar 15, 2024 4:52 pm

It's all conjecture and opinion without facts.....................
 
genesispro
Member Candidate
Topic Author
Posts: 283
Joined: Fri Mar 14, 2014 12:33 pm

Re: RB5009UG+S+ download speed 600/1000 upload 800+/1000

Fri Mar 15, 2024 4:59 pm

ookla speedtest app towards the server that is in the same datacenter (1ms ping)

all firewall rules enabled + fasttrack enabled
640 down
819 up

all firewall rules disabled (not fasttrack)
660 down
886 up

all firewall rules disabled + fasttrack disabled
696 down
839 up

all firewall rules enabled + fasttrack disabled
648 down
847 up
 
holvoetn
Forum Guru
Posts: 5500
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: RB5009UG+S+ download speed 600/1000 upload 800+/1000

Fri Mar 15, 2024 5:05 pm

I'll repeat what has already been said:
> So it would be necessary to see actual RB5009 communication to give you some better advice.

Unless you show the config, everyone can guess and you will be on your own.

Terminal:
/export file=anynameyouwish
Move file to PC
Remove serial number and any sensitive info
Post contents between [code] quotes for easier readability.
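
The cleanup step in the post above ("Remove serial number and any sensitive info"), as an added example that is not part of the thread or of MikroTik's tooling: a Python pass over an export that blanks the header identifiers, any parameter whose name suggests a secret, and every non-private IPv4 address. The header layout, the parameter-name heuristic and the sample export are assumptions constructed for illustration; hostnames, usernames and comments still need a manual read.

```python
import ipaddress
import re

# Address space that is harmless in a public post (private, loopback,
# link-local, multicast, CGNAT, unspecified). Everything else is replaced.
KEEP_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

# Heuristic (assumption): a parameter whose name contains one of these words
# carries a secret, e.g. private-key=, preshared-key=, password=.
SECRET_PARAM = re.compile(
    r'(?<![\w-])([\w-]*(?:key|password|secret|passphrase)[\w-]*)='
    r'("(?:[^"\\]|\\.)*"|\S+)')
# Header comment lines that identify the device (assumed export header layout).
HEADER_ID = re.compile(
    r"^(#[ \t]*(?:serial number|software id)[ \t]*=[ \t]*).*$",
    re.IGNORECASE | re.MULTILINE)
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\d|\.\d)")


def join_continuations(text):
    # Long export lines are wrapped with a trailing backslash and an indented
    # continuation; a value can be split mid-token, so rejoin before matching.
    return re.sub(r"\\\r?\n[ \t]*", "", text)


def sanitize_export(text):
    """Return (sanitized_text, counts) for a RouterOS export."""
    counts = {"ids": 0, "secrets": 0, "public_ips": 0}
    aliases = {}  # same address -> same placeholder, so the config stays readable
    text = join_continuations(text)

    def hide_id(m):
        counts["ids"] += 1
        return m.group(1) + "REMOVED"

    def hide_secret(m):
        counts["secrets"] += 1
        return m.group(1) + "=REMOVED"

    def hide_ip(m):
        try:
            addr = ipaddress.ip_address(m.group(0))
        except ValueError:          # e.g. 999.1.1.1 is not an address
            return m.group(0)
        if any(addr in net for net in KEEP_NETS):
            return m.group(0)
        if addr not in aliases:
            aliases[addr] = "PUBLIC-IP-%d" % (len(aliases) + 1)
        counts["public_ips"] += 1
        return aliases[addr]

    text = HEADER_ID.sub(hide_id, text)
    text = SECRET_PARAM.sub(hide_secret, text)
    text = IPV4.sub(hide_ip, text)
    return text, counts


# Constructed sample export: documentation addresses, fake identifiers and keys.
SAMPLE = r'''# 2024-03-15 17:20:01 by RouterOS 7.14.1
# software id = ABCD-1234
# model = RB5009UG+S+
# serial number = HXX00000000
/interface wireguard
add listen-port=13101 mtu=1420 name=wg-demo private-key=\
    "EXAMPLE-PRIVATE-KEY-NOT-REAL="
/interface wireguard peers
add allowed-address=10.170.0.2/32 endpoint-address=203.0.113.\
    10 endpoint-port=13101 interface=wg-demo public-key=\
    "EXAMPLE-PUBLIC-KEY-NOT-REAL="
/ip address
add address=203.0.113.10/24 interface=ether8 network=203.0.113.0
add address=10.165.0.1/24 interface=bridge165 network=10.165.0.0
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether8 to-addresses=\
    203.0.113.10
'''

if __name__ == "__main__":
    cleaned, report = sanitize_export(SAMPLE)
    print(cleaned)
    print(report)
```

The counts are there to be compared against what you expect the export to contain: a zero for secrets on a router with WireGuard peers means the heuristic missed something.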
 
genesispro
Member Candidate
Topic Author
Posts: 283
Joined: Fri Mar 14, 2014 12:33 pm

Re: RB5009UG+S+ download speed 600/1000 upload 800+/1000

Fri Mar 15, 2024 5:25 pm

I renamed to BBB, DDD and so on; the names and hostnames are random letters, and I removed all the keys from the WireGuard peers.
/interface bridge
add fast-forward=no name=bridge165
add fast-forward=no name=bridgeBBB port-cost-mode=short
add fast-forward=no name=bridgeDDD port-cost-mode=short
add fast-forward=no name=bridgeDASH port-cost-mode=short
add fast-forward=no name=bridgeDB port-cost-mode=short
add fast-forward=no name=bridgeEEE port-cost-mode=short
add fast-forward=no name=bridgePPP port-cost-mode=short
add fast-forward=no name=bridgeKKK port-cost-mode=short
add fast-forward=no name=bridgeOSPF port-cost-mode=short protocol-mode=none
add fast-forward=no name=bridgeSupport port-cost-mode=short
add fast-forward=no name=bridgeTrunk port-cost-mode=short
/interface ethernet
set [ find default-name=ether8 ] comment="WAN LANCOM"
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no
/interface wireguard
add listen-port=13102 mtu=1420 name=wireguardBBB1
add listen-port=13103 mtu=1420 name=wireguardBBB2
add listen-port=13110 mtu=1420 name=wireguardBBBUsers
add listen-port=13123 mtu=1420 name=wireguardCCC
add listen-port=13124 mtu=1420 name=wireguardCCCUsers
add listen-port=13104 mtu=1420 name=wireguardDDD
add listen-port=13114 mtu=1420 name=wireguardDDDKallithea
add listen-port=13111 mtu=1420 name=wireguardEEE
add listen-port=13117 mtu=1420 name=wireguardEEESpiti
add listen-port=13118 mtu=1420 name=wireguardEEEUsers
add listen-port=13115 mtu=1420 name=wireguardFFF
add listen-port=13108 mtu=1420 name=wireguardGGG
add listen-port=13109 mtu=1420 name=wireguardGGGUsers
add listen-port=13101 mtu=1420 name=wireguardPPP
add listen-port=13113 mtu=1420 name=wireguardPPPUsers
add listen-port=13106 mtu=1420 name=wireguardKKK
add listen-port=13125 mtu=1420 name=wireguardKKKUsers
add listen-port=13116 mtu=1420 name=wireguardHHHHHHHpiti
add listen-port=13105 mtu=1420 name=wireguardOOO
add listen-port=13121 mtu=1420 name=wireguardPx1JJJ
add listen-port=13122 mtu=1420 name=wireguardRouterEEE
add listen-port=13120 mtu=1420 name=wireguardVh1JJJ
add listen-port=13119 mtu=1420 name=wireguardVh2JJJ
add listen-port=13107 mtu=1420 name=wireguardXXX
add listen-port=13112 mtu=1420 name=wireguardXXXUsers
/interface vlan
add interface=bridgeTrunk name=vlan165.0-2.5G vlan-id=1650
add interface=bridgeTrunk name=vlan165.5-DASH vlan-id=1655
add interface=bridgeTrunk name=vlan165.15-DB vlan-id=1215
add interface=bridgeTrunk name=vlan165.20-SUPPORT vlan-id=1220
add interface=bridgeTrunk name=vlan195.0-PPP vlan-id=1950
add interface=bridgeTrunk name=vlan195.1-KKK vlan-id=1951
add interface=bridgeTrunk name=vlan195.2-EEE vlan-id=1952
add interface=bridgeTrunk name=vlan205.0-BBB vlan-id=70
add interface=bridgeTrunk name=vlan210.1-DDD vlan-id=2101
/interface list
add name=RomonExc
/ip vrf
add interfaces=wireguardDDD,wireguardDDDKallithea name=\
    DDDVRF
add interfaces=wireguardFFF,wireguardHHHHHHHpiti name=\
    FFFVRF
add interfaces=wireguardCCC,wireguardCCCUsers name=CCC
/interface sstp-client
add connect-to=mt1.PPP.gr name=mt1.PPP.gr port=4437 profile=\
    default-encryption user=dcrouter01
/routing ospf instance
add disabled=no name=ospf-instance-BBB-1 router-id=127.165.0.1
add disabled=no name=ospf-instance-PPP-1 router-id=127.165.0.1
add disabled=no name=ospf-instance-OOO-1 router-id=127.165.0.1
add disabled=no name=ospf-instance-KKK-1 router-id=127.165.0.1
add disabled=no name=ospf-instance-XXX-1 router-id=127.165.0.1
add disabled=no name=ospf-instance-GGG-1 router-id=127.165.0.1
add disabled=no name=ospf-instance-EEE-1 router-id=127.165.0.1
add disabled=no name=ospf-instance-EEESpiti-1 router-id=127.165.0.1
/routing ospf area
add area-id=0.0.4.0 disabled=no instance=ospf-instance-BBB-1 name=\
    ospf-area-BBB-1
add area-id=0.0.4.1 disabled=no instance=ospf-instance-BBB-1 name=\
    ospf-area-BBB-2
add area-id=0.0.0.2 disabled=yes instance=ospf-instance-BBB-1 name=\
    ospf-area-BBB-3
add area-id=0.0.2.0 disabled=no instance=ospf-instance-PPP-1 name=\
    ospf-area-PPP-1
add area-id=0.0.3.0 disabled=no instance=ospf-instance-OOO-1 name=\
    ospf-area-OOO-1
add area-id=0.0.5.0 disabled=no instance=ospf-instance-KKK-1 name=\
    ospf-area-KKK-1
add area-id=0.0.6.0 disabled=no instance=ospf-instance-XXX-1 name=\
    ospf-area-XXX-1
add area-id=0.0.7.0 disabled=no instance=ospf-instance-GGG-1 name=\
    ospf-area-GGG-1
add area-id=0.0.8.0 disabled=no instance=ospf-instance-EEE-1 name=\
    ospf-area-EEE-1
/system logging action
set 3 bsd-syslog=yes remote=10.165.20.15
/interface bridge port
add bridge=bridgeDASH interface=vlan165.5-DASH internal-path-cost=10 \
    path-cost=10
add bridge=bridgeTrunk interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridgeDB interface=vlan165.15-DB internal-path-cost=10 path-cost=\
    10
add bridge=bridgeSupport interface=vlan165.20-SUPPORT internal-path-cost=10 \
    path-cost=10
add bridge=bridgeBBB interface=vlan205.0-BBB internal-path-cost=10 \
    path-cost=10
add bridge=bridgeDDD interface=vlan210.1-DDD internal-path-cost=\
    10 path-cost=10
add bridge=bridgePPP interface=vlan195.0-PPP \
    internal-path-cost=10 path-cost=10
add bridge=bridgeKKK interface=vlan195.1-KKK internal-path-cost=10 \
    path-cost=10
add bridge=bridgeEEE interface=vlan195.2-EEE internal-path-cost=10 \
    path-cost=10
add bridge=bridgeTrunk interface=sfp-sfpplus1 internal-path-cost=10 \
    path-cost=10
add bridge=bridgeTrunk interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridgeTrunk interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridgeTrunk interface=ether5
add bridge=bridge165 interface=vlan165.0-2.5G
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!RomonExc
/interface list member
add interface=ether8 list=RomonExc
/interface wireguard peers
add allowed-address=0.0.0.0/0 client-address=10.170.0.2/32,192.168.80.0/24 \
    client-listen-port=13101 endpoint-address=pc.PPP.gr endpoint-port=\
    13101 interface=wireguardPPP persistent-keepalive=25s 
add allowed-address=10.170.0.3/32 client-address=10.170.0.3/32 \
    client-listen-port=13101 comment="p2p torhout" endpoint-port=13101 \
    interface=wireguardPPP persistent-keepalive=25s 
add allowed-address=0.0.0.0/0 endpoint-port=13102 interface=wireguardBBB1
add allowed-address=0.0.0.0/0 endpoint-port=13103 interface=wireguardBBB2
add allowed-address=10.175.2.2/30,10.210.0.10/32 client-address=10.175.2.2/30 \
    client-endpoint=dcrouter01.PPP.gr client-keepalive=25s \
    client-listen-port=13104 comment=DDD1 endpoint-port=13104 \
    interface=wireguardDDD 
add allowed-address=10.175.2.4/30,10.210.0.10/32 client-address=10.175.2.6/30 \
    client-endpoint=dcrouter01.PPP.gr client-keepalive=25s \
    client-listen-port=13104 comment=DDD2 endpoint-port=13104 \
    interface=wireguardDDD
add allowed-address=10.175.2.10/30,10.210.0.10/32 client-address=\
    10.175.2.10/30 client-endpoint=dcrouter01.PPP.gr client-keepalive=\
    25s client-listen-port=13104 comment=DDD3 endpoint-port=13104 \
    interface=wireguardDDD
add allowed-address=0.0.0.0/0 client-address=10.175.2.14/30 client-endpoint=\
    dcrouter01.PPP.gr client-keepalive=25s client-listen-port=13104 \
    comment="DDD ergostasio" endpoint-port=13104 interface=\
    wireguardDDD 
add allowed-address=0.0.0.0/0 endpoint-port=13105 interface=\
    wireguardOOO 
add allowed-address=0.0.0.0/0 endpoint-port=13106 interface=wireguardKKK \
    persistent-keepalive=25s 
add allowed-address=0.0.0.0/0 endpoint-port=13107 interface=wireguardXXX \
    persistent-keepalive=25s 
add allowed-address=\
    10.175.4.8/30,192.168.21.0/24,192.168.250.0/24,224.0.0.5/32 \
    endpoint-port=13108 interface=wireguardGGG persistent-keepalive=25s
add allowed-address=10.175.4.12/30 client-address=10.175.4.14/30 \
    client-endpoint=dcrouter01.PPP.gr client-keepalive=25s \
    client-listen-port=13109 comment=xarris endpoint-port=13109 interface=\
    wireguardGGGUsers persistent-keepalive=25s
add allowed-address=10.175.4.16/30 client-endpoint=dcrouter01.PPP.gr \
    client-keepalive=25s client-listen-port=13110 comment=\
    "laptop" endpoint-port=13110 interface=wireguardBBBUsers
add allowed-address=0.0.0.0/0 endpoint-port=13111 interface=wireguardEEE \
    persistent-keepalive=25s
add allowed-address=10.175.4.24/30 client-address=10.175.4.26/30 \
    client-endpoint=dcrouter01.PPP.gr client-keepalive=25s \
    client-listen-port=13109 comment="xarris laptop" endpoint-port=13109 \
    interface=wireguardGGGUsers
add allowed-address=10.175.4.28/30,192.168.43.0/24 endpoint-port=13112 \
    interface=wireguardXXXUsers persistent-keepalive=25s
add allowed-address=10.175.4.32/30 client-address=10.175.4.34/30 \
    client-endpoint=dcrouter01.PPP.gr client-keepalive=25s \
    client-listen-port=13109 comment="xarris tablet" endpoint-port=13109 \
    interface=wireguardGGGUsers 
add allowed-address=10.175.4.36/30 client-address=\
    10.175.4.38/30,192.168.80.0/24,192.168.123.0/24 client-endpoint=\
    dcrouter01.PPP.gr client-keepalive=25s client-listen-port=13113 \
    comment=bbbbbbbbb endpoint-port=13113 interface=wireguardPPPUsers
add allowed-address=10.175.4.40/30 client-address=\
    10.175.4.42/30,192.168.21.0/24,192.168.30.0/24 client-endpoint=\
    dcrouter01.PPP.gr client-keepalive=25s client-listen-port=13109 \
    comment="GGG mike laptop" endpoint-port=13109 interface=\
    wireguardGGGUsers
add allowed-address=0.0.0.0/0 client-address=10.175.4.46/30 client-endpoint=\
    dcrouter01.PPP.gr client-keepalive=25s client-listen-port=13114 \
    comment="DDD ergostasio" endpoint-port=13114 interface=\
    wireguardDDDKallithea
add allowed-address=0.0.0.0/0 comment="VVVVVVV thodora" endpoint-port=13115 \
    interface=wireguardFFF persistent-keepalive=25s
add allowed-address=0.0.0.0/0 comment="HHHHHHH spiti" endpoint-port=13116 \
    interface=wireguardHHHHHHHpiti persistent-keepalive=25s
add allowed-address=0.0.0.0/0 comment="HHHHHHH spiti" endpoint-port=13117 \
    interface=wireguardEEESpiti persistent-keepalive=25s
add allowed-address=10.175.4.60/30 client-address=10.175.4.62/30 \
    client-endpoint=dcrouter01.PPP.gr client-keepalive=25s \
    client-listen-port=13118 endpoint-port=13118 interface=\
    wireguardEEEUsers
add allowed-address=0.0.0.0/0 endpoint-address=vh2mt.JJJ.com \
    endpoint-port=13119 interface=wireguardVh2JJJ persistent-keepalive=\
    25s
add allowed-address=0.0.0.0/0 endpoint-address=vh1mt.JJJ.com \
    endpoint-port=13120 interface=wireguardVh1JJJ persistent-keepalive=\
    25s
add allowed-address=0.0.0.0/0 endpoint-address=px1.JJJ.com endpoint-port=\
    13121 interface=wireguardPx1JJJ persistent-keepalive=25s
add allowed-address=0.0.0.0/0 endpoint-address=router.EEE.com.gr \
    endpoint-port=13122 interface=wireguardRouterEEE persistent-keepalive=\
    25s
add allowed-address=0.0.0.0/0 endpoint-port=13123 interface=\
    wireguardCCC persistent-keepalive=25s
add allowed-address=10.175.4.84/30 client-address=10.175.4.86/30 \
    client-endpoint=dcrouter01.PPP.gr client-keepalive=25s \
    client-listen-port=13124 comment=maria endpoint-port=13124 interface=\
    wireguardCCCUsers
add allowed-address=10.175.4.88/30 client-address=10.175.4.90/30 \
    client-endpoint=dcrouter01.PPP.gr client-keepalive=25s \
    client-listen-port=13124 comment=tounda endpoint-port=13124 interface=\
    wireguardCCCUsers
add allowed-address=10.175.4.92/30 client-address=10.175.4.94/30 \
    client-endpoint=dcrouter01.PPP.gr client-keepalive=25s \
    client-listen-port=13125 comment="KKK spiti" endpoint-port=13125 \
    interface=wireguardKKKUsers
add allowed-address=10.175.4.96/30 client-address=10.175.4.98/30 \
    client-endpoint=dcrouter01.PPP.gr client-keepalive=25s \
    client-listen-port=13125 comment="KKK drapetsona" endpoint-port=\
    13125 interface=wireguardKKKUsers
/ip address
add address=10.160.0.10/24 disabled=yes interface=ether1 network=10.160.0.0
add address=10.165.0.1/24 interface=bridge165 network=10.165.0.0
add address=10.170.0.1/24 interface=wireguardPPP network=10.170.0.0
add address=10.165.5.1/24 interface=bridgeDASH network=10.165.5.0
add address=10.165.10.1/24 interface=bridgeDASH network=10.165.10.0
add address=10.165.15.1/24 interface=bridgeDB network=10.165.15.0
add address=10.165.20.1/24 interface=bridgeSupport network=10.165.20.0
add address=10.205.0.1/24 interface=bridgeBBB network=10.205.0.0
add address=10.175.0.1/24 interface=wireguardBBB1 network=10.175.0.0
add address=10.175.1.1/24 interface=wireguardBBB2 network=10.175.1.0
add address=127.165.0.1 interface=bridgeOSPF network=127.165.0.1
add address=185.70.76.135/24 disabled=yes interface=ether3 network=\
    185.70.76.0
add address=10.210.0.1/24 interface=bridgeDDD network=10.210.0.0
add address=10.175.2.1/30 interface=wireguardDDD network=10.175.2.0
add address=10.175.2.5/30 interface=wireguardDDD network=10.175.2.4
add address=10.175.2.9/30 interface=wireguardDDD network=10.175.2.8
add address=10.175.2.13/30 interface=wireguardDDD network=10.175.2.12
add address=10.175.3.1/30 interface=wireguardOOO network=10.175.3.0
add address=10.195.0.1/24 interface=bridgePPP network=10.195.0.0
add address=10.195.1.1/24 interface=bridgeKKK network=10.195.1.0
add address=10.175.4.1/30 interface=wireguardKKK network=10.175.4.0
add address=10.175.4.5/30 interface=wireguardXXX network=10.175.4.4
add address=10.175.4.9/30 interface=wireguardGGG network=10.175.4.8
add address=10.175.4.13/30 interface=wireguardGGGUsers network=10.175.4.12
add address=10.175.4.17/30 interface=wireguardBBBUsers network=\
    10.175.4.16
add address=10.195.2.1/24 interface=bridgeEEE network=10.195.2.0
add address=10.175.4.21/30 interface=wireguardEEE network=10.175.4.20
add address=10.175.4.25/30 interface=wireguardGGGUsers network=10.175.4.24
add address=10.175.4.29/30 interface=wireguardXXXUsers network=\
    10.175.4.28
add address=10.175.4.33/30 interface=wireguardGGGUsers network=10.175.4.32
add address=10.175.4.37/30 interface=wireguardPPPUsers network=\
    10.175.4.36
add address=10.175.4.41/30 interface=wireguardGGGUsers network=10.175.4.40
add address=10.175.4.45/30 interface=wireguardDDDKallithea network=\
    10.175.4.44
add address=10.175.4.49/30 interface=wireguardFFF network=\
    10.175.4.48
add address=10.175.4.53/30 interface=wireguardHHHHHHHpiti network=10.175.4.52
add address=10.175.4.57/30 interface=wireguardEEESpiti network=10.175.4.56
add address=10.175.4.61/30 interface=wireguardEEEUsers network=10.175.4.60
add address=10.175.4.65/30 interface=wireguardVh2JJJ network=10.175.4.64
add address=10.175.4.69/30 interface=wireguardVh1JJJ network=10.175.4.68
add address=10.175.4.73/30 interface=wireguardPx1JJJ network=10.175.4.72
add address=10.175.4.77/30 interface=wireguardRouterEEE network=10.175.4.76
add address=10.175.4.81/30 interface=wireguardCCC network=10.175.4.80
add address=10.175.4.85/30 interface=wireguardCCCUsers network=\
    10.175.4.84
add address=10.175.4.89/30 interface=wireguardCCCUsers network=\
    10.175.4.88
add address=10.175.4.93/30 interface=wireguardKKKUsers network=\
    10.175.4.92
add address=10.175.4.97/30 interface=wireguardKKKUsers network=\
    10.175.4.96
add address=185.70.76.105/24 interface=ether8 network=185.70.76.0
add address=10.160.0.1/24 interface=bridgeTrunk network=10.160.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=3m
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,1.1.1.1
/ip firewall address-list
add address=pc.PPP.gr list=whitelist
add address=grafeio.EEE.com.gr list=whitelist
add address=mt1.PPP.gr comment=pc.PPP.gr list=whitelist
add address=aaaa.sn.mynetname.net comment=lte1 list=whitelist
add address=10.160.0.1 list=whitelist
add address=10.165.0.10 list=whitelist
add address=ims.otenet.gr list=ims.otenet.gr
add address=sip.supervoice.eu list=whitelist
add address=ssss.sn.mynetname.net comment=p2p list=unifiPPP
add address=fffff.sn.mynetname.net comment=p2p list=unifiPPP
add address=gggg.sn.mynetname.net comment="kliniki " list=\
    unifiPPP
add address=hhhh.sn.mynetname.net comment="hasos" list=\
    unifiPPP
add address=jjjj.sn.mynetname.net list=unifiPer
add address=192.168.80.0/24 list=customersSubnets
add address=192.168.123.0/24 list=customersSubnets
add address=kkkk.sn.mynetname.net comment=GGG5g list=whitelist
add address=llll.sn.mynetname.net comment="DDD ergostasio" \
    list=whitelist
add address=192.168.3.0/24 list=customersSubnets
add address=10.195.2.0/24 disabled=yes list=customersSubnets
add address=dfgdfgdf.sn.mynetname.net comment=adamxl5g list=whitelist
add address=dsfgdsfgdsg.sn.mynetname.net comment=farmtheo5g list=whitelist
add address=dfghdfghdfgh.sn.mynetname.net comment=HHHHHHHspiti5g list=\
    whitelist
add address=vh2mt.JJJ.com list=whitelist
add address=dfghdfghdfgh.sn.mynetname.net comment="EA VSV Router" list=\
    whitelist
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=accept chain=input connection-nat-state="" connection-state="" \
    in-interface=ether8 src-address-list=whitelist
add action=accept chain=input connection-nat-state="" connection-state=\
    established,related in-interface=ether8
add action=accept chain=input connection-nat-state=dstnat connection-state="" \
    in-interface=ether8
add action=accept chain=input comment=wireguard dst-port=\
    13101-13125,23106,23112 in-interface=ether8 protocol=udp
add action=accept chain=input comment=pbs dst-port=8007 in-interface=ether8 \
    protocol=tcp
add action=accept chain=input dst-port=\
    80,8080,443,444,8089,8085,8086,8445,8446,3478 in-interface=ether8 \
    protocol=tcp
add action=accept chain=input dst-port=8443 in-interface=ether8 protocol=tcp
add action=add-src-to-address-list address-list=blacklist25 \
    address-list-timeout=5h chain=input dst-port=25 in-interface=ether8 log=\
    yes log-prefix=blacklist25 protocol=tcp
add action=add-src-to-address-list address-list=blacklist \
    address-list-timeout=5h chain=input disabled=yes dst-port=5514,21116 \
    in-interface=ether1 log=yes log-prefix=blacklist protocol=udp
add action=drop chain=input in-interface=ether8 log=yes log-prefix=DROP
add action=accept chain=input connection-nat-state="" connection-state="" \
    disabled=yes in-interface=ether3 src-address-list=whitelist
add action=add-src-to-address-list address-list=blacklist \
    address-list-timeout=2h chain=input disabled=yes in-interface=ether3
add action=drop chain=input disabled=yes in-interface=ether3
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether8 to-addresses=\
    185.70.111.111
add action=masquerade chain=srcnat disabled=yes out-interface=ether8
add action=dst-nat chain=dstnat comment=dcHAP01 dst-port=\
    80,443,8080,8443,8445,8089,8085,8086,8446 in-interface=ether8 protocol=\
    tcp to-addresses=10.165.20.20
add action=dst-nat chain=dstnat comment=dcHAP01 dst-port=5514 in-interface=\
    ether8 protocol=udp to-addresses=10.165.20.20
add action=dst-nat chain=dstnat comment=cloud.GGGbrewery.com dst-port=444 \
    in-interface=ether8 protocol=tcp to-addresses=10.165.20.101
add action=dst-nat chain=dstnat dst-port=2055 in-interface=\
    wireguardPPP protocol=udp to-addresses=10.165.20.25
add action=dst-nat chain=dstnat comment=dcpbs01 dst-port=8007 in-interface=\
    ether8 protocol=tcp to-addresses=10.165.0.11
add action=dst-nat chain=dstnat comment="sstp dude" dst-port=4437 \
    in-interface=ether8 protocol=tcp to-addresses=10.165.20.35
add action=dst-nat chain=dstnat comment="sstp dude" dst-port=500,4500,1701 \
    in-interface=ether8 protocol=udp to-addresses=10.165.20.35
add action=masquerade chain=srcnat dst-address=176.12.105.210
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.178.1
add action=masquerade chain=srcnat dst-address=192.168.21.0/24 src-address=\
    10.175.4.0/24
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.8.0/24 \
    src-address=10.175.4.28/30
add action=dst-nat chain=dstnat comment="p2p unifi udp" dst-port=\
    3478,3475,3476 protocol=udp src-address-list=unifiPPP \
    to-addresses=10.165.20.104
add action=dst-nat chain=dstnat comment="p2p unifi udp" dst-port=3476 \
    protocol=udp src-address-list=unifiPer to-addresses=10.165.20.106
add action=dst-nat chain=dstnat comment=\
    "gia tin xristina pou den pernage apo 13112" dst-port=23112 in-interface=\
    ether8 protocol=udp to-ports=13112
add action=dst-nat chain=dstnat comment=\
    "gia ton kafieri pou den pernage apo 13106" dst-port=23106 in-interface=\
    ether8 protocol=udp to-ports=13106
add action=masquerade chain=srcnat comment="bazias to customers subnets" \
    dst-address-list=customersSubnets src-address=10.175.4.38
add action=masquerade chain=srcnat comment="monedas to customers subnets" \
    dst-address-list=customersSubnets src-address=10.175.4.62
/ip firewall raw
add action=drop chain=prerouting disabled=yes log-prefix=RawDrop \
    src-address-list=blacklist
add action=drop chain=prerouting log-prefix=RawDrop src-address-list=\
    blacklist25
add action=notrack chain=prerouting protocol=ospf
add action=notrack chain=output protocol=ospf
add action=drop chain=prerouting disabled=yes in-interface=ether3
add action=drop chain=output disabled=yes out-interface=ether3
/ip firewall service-port
set sip disabled=yes
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=185.70.76.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address="" gateway=\
    bridgeDDD@DDDVRF routing-table=DDDVRF scope=10 \
    suppress-hw-offload=no
add disabled=yes distance=1 dst-address=10.210.0.0/24 gateway=\
    bridgeDDD@DDDVRF pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.210.0.0/24 gateway=bridgeDDD \
    pref-src="" routing-table=DDDVRF scope=10 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=\
    10.175.2.14@DDDVRF pref-src="" routing-table=DDDVRF scope=10 \
    suppress-hw-offload=no target-scope=10
add comment=xristina disabled=no distance=1 dst-address=192.168.43.0/24 \
    gateway=10.175.4.30 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.2.0/24 gateway=\
    10.175.4.46@DDDVRF pref-src="" routing-table=DDDVRF scope=10 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.25.0/24 gateway=\
    10.175.4.50%wireguardFFF pref-src="" routing-table=\
    FFFVRF scope=30 suppress-hw-offload=no target-scope=10 \
    vrf-interface=wireguardFFF
add disabled=no distance=1 dst-address=192.168.177.0/24 gateway=10.175.4.54 \
    pref-src="" routing-table=FFFVRF scope=30 \
    suppress-hw-offload=no target-scope=10 vrf-interface=wireguardHHHHHHHpiti
add check-gateway=ping disabled=no dst-address=10.100.0.0/16 gateway=\
    10.175.4.74 routing-table=main suppress-hw-offload=no
add check-gateway=ping disabled=no distance=1 dst-address=172.28.0.0/22 \
    gateway=10.175.4.78 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.2.0/24 gateway=\
    10.175.4.82@CCC pref-src="" routing-table=CCC scope=30 \
    suppress-hw-offload=no target-scope=10 vrf-interface=wireguardCCC
add disabled=no distance=1 dst-address=192.168.2.0/24 gateway=10.175.4.46 \
    pref-src="" routing-table=DDDVRF scope=10 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=10.175.2.14 \
    pref-src="" routing-table=DDDVRF scope=10 suppress-hw-offload=no \
    target-scope=10
/ip service
set www disabled=yes
/ip traffic-flow
set active-flow-timeout=5m cache-entries=4M sampling-interval=1 \
    sampling-space=1
/ip traffic-flow target
add dst-address=10.165.20.25 src-address=10.165.20.1
/routing ospf area range
add area=ospf-area-BBB-1 cost=200 disabled=yes prefix=192.168.78.0/24
/routing ospf interface-template
add area=ospf-area-PPP-1 disabled=no networks="127.165.0.1/32,10.170.0.\
    0/24,10.160.0.0/24,10.165.0.0/24,10.165.5.0/24,10.165.10.0/24,10.165.15.0/\
    24,10.165.20.0/24,10.195.0.0/24,10.195.1.0/24,10.205.0.0/24,10.210.0.0/24,\
    10.175.4.64/32,10.195.2.0/24"
add area=ospf-area-OOO-1 disabled=no instance-id=1 networks=\
    127.165.0.1/32,10.175.3.0/30,10.210.0.0/24,10.205.0.0/24
add area=ospf-area-BBB-1 disabled=no networks=\
    127.165.0.1/32,10.175.0.0/24,10.205.0.0/24,10.165.0.11/24,10.165.20.40/24 \
    priority=50
add area=ospf-area-BBB-2 disabled=no networks=\
    127.165.0.1/32,10.175.1.0/24,10.205.0.0/24,10.165.0.11/24 priority=50
add area=ospf-area-KKK-1 disabled=no networks=\
    127.165.0.1/32,10.175.4.0/30,10.195.1.0/24
add area=ospf-area-XXX-1 disabled=no networks=\
    127.165.0.1/32,10.175.4.4/30,10.165.15.0/24,10.165.20.0/24,10.205.0.0/24
add area=ospf-area-GGG-1 disabled=no networks=\
    127.165.0.1/32,10.175.4.8/30,10.175.4.12/30,192.168.80.0/24
add area=ospf-area-EEE-1 disabled=no networks="127.165.0.1/32,10.175.4.20/30\
    ,10.195.2.0/24,10.175.4.56/30,10.175.4.64/30,10.175.4.68/30,10.175.4.72/30\
    ,10.175.4.76/30,10.165.0.0/24"
/routing rule
add action=lookup disabled=no dst-address=10.175.2.0/24 table=DDDVRF
add action=lookup disabled=no dst-address=10.175.4.44/30 table=DDDVRF
add action=lookup-only-in-table disabled=yes dst-address=10.175.4.50/30 \
    table=FFFVRF
add action=lookup-only-in-table disabled=yes dst-address=10.175.4.54/30 \
    table=FFFVRF
add action=lookup-only-in-table disabled=no dst-address=192.168.1.0/24 \
    src-address=10.210.0.10/32 table=DDDVRF
add action=lookup-only-in-table disabled=no dst-address=192.168.2.0/24 \
    src-address=10.210.0.10/32 table=DDDVRF
add action=lookup-only-in-table disabled=no dst-address=192.168.177.0/24 \
    src-address=192.168.25.0/24 table=FFFVRF
add action=lookup-only-in-table disabled=no dst-address=192.168.25.1/24 \
    src-address=192.168.177.0/24 table=FFFVRF
/snmp
set contact=aaaaaaa.PPP.gr enabled=yes location="Athens DC" \
    trap-version=2
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Athens
/system identity
set name=aaaaaasffdf.PPP.gr
/system logging
add action=remote topics=critical
add action=remote topics=error
add action=remote topics=info
add action=remote topics=warning
add action=remote topics=health
add action=remote topics=wireguard
add disabled=yes topics=wireguard
/system note
set show-at-login=no
/system package update
set channel=testing
/tool romon
set enabled=yes
 
holvoetn
Forum Guru
Posts: 5500
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: RB5009UG+S+ download speed 600/1000 upload 800+/1000

Fri Mar 15, 2024 6:16 pm

One can say this is _A_ way to make very sure everything has to be done by CPU, I think.
And then you come to the already indicated performance difference between CHR and RB5009 since you are totally missing out on any of the HW offloading possibilities.
Yet you wonder why performance suffers?

Please have a look at this VLAN tutorial, the de facto reference guide around here for that topic.
viewtopic.php?t=143620

Given the little context you have shown in your config, it might also be possible RB5009 is not suitable for what you need.
But certainly not with the config as shown.

I could be wrong though. In that case I'm sure someone will correct me.
 
genesispro
Member Candidate
Topic Author
Posts: 283
Joined: Fri Mar 14, 2014 12:33 pm

Re: RB5009UG+S+ download speed 600/1000 upload 800+/1000

Fri Mar 15, 2024 6:24 pm

in case it helps if I do a btest I get similar numbers
tcp down ~600 at 45% cpu load
udp down ~800 at 33% cpu load
 
genesispro
Member Candidate
Topic Author
Posts: 283
Joined: Fri Mar 14, 2014 12:33 pm

Re: RB5009UG+S+ download speed 600/1000 upload 800+/1000

Fri Mar 15, 2024 6:46 pm

which is not using any vlans
in case it helps if I do a btest I get similar numbers
tcp down ~600 at 45% cpu load
udp down ~800 at 33% cpu load
 
holvoetn
Forum Guru
Posts: 5500
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: RB5009UG+S+ download speed 600/1000 upload 800+/1000

Fri Mar 15, 2024 7:06 pm

If I go from ax3 to rb5009 using internal btest, I get 950Mbps. No VLAN there.
CPU on RB around 50%.
And that's a bad setup since you should never test using the devices being tested.
So RB5009 is perfectly capable of handling that traffic.
 
anav
Forum Guru
Posts: 19404
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB5009UG+S+ download speed 600/1000 upload 800+/1000  [SOLVED]

Fri Mar 15, 2024 8:24 pm

One bridge............., chalk this up to another poster child for Normis' inaction on first posting process.... And they will keep coming day after day after day..................
 
CGGXANNX
Frequent Visitor
Posts: 64
Joined: Thu Dec 21, 2023 6:45 pm

Re: RB5009UG+S+ download speed 600/1000 upload 800+/1000

Fri Mar 15, 2024 10:52 pm

You should have only 1 bridge and use Bridge VLAN Filtering like others have already said. I have the same router and in my config I even put all ports under only one bridge, including the physical SFP+ port that has the GPON module connected to my ISP. All subnets are VLANs. The bridge has no IPs, the WAN connection uses PPPoE (single-thread disadvantage!) over a dummy VLAN that has the untagged traffic of the SFP+ port. The router can easily achieve a 2.27 Gbps download speedtest.net result (which I think, including overhead, is pretty much near the limit of GPON) for both IPv4 and IPv6 (IPv4 with or without fasttrack), with all defconf firewall rules (+more) active, while the CPU clock stays most of the time at 700 MHz (half of the 1.4 GHz possible max frequency).

Last edited by CGGXANNX on Fri Mar 15, 2024 11:19 pm, edited 1 time in total.
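
An added example (not from the thread or from MikroTik): a Python check that reads an export and reports the layout the replies object to, that is, several bridges with VLAN interfaces re-added as bridge ports, where the advice is one bridge with VLAN filtering. Both sample exports and all interface names in them are constructed, and the parser assumes the menu-line-then-`add` layout that `/export` produces.

```python
import re

# key=value pairs on an export line; values may be double-quoted.
PARAM = re.compile(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_export(text):
    """Return {menu_path: [params_dict, ...]} for every 'add' line."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)   # rejoin wrapped lines
    menus, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            menus.setdefault(current, [])
        elif line.startswith("add ") and current:
            menus[current].append(
                {k: v.strip('"') for k, v in PARAM.findall(line)})
    return menus


def check_bridge_layout(text):
    """List the ways an export departs from 'one bridge, VLAN filtering on'."""
    menus = parse_export(text)
    bridges = {b["name"]: b
               for b in menus.get("/interface bridge", []) if "name" in b}
    vlans = {v["name"]: v
             for v in menus.get("/interface vlan", []) if "name" in v}
    findings = []

    if len(bridges) > 1:
        findings.append("%d bridges defined: %s"
                        % (len(bridges), ", ".join(sorted(bridges))))

    # A VLAN interface that is itself a bridge port: traffic is untagged on
    # one bridge and then bridged again on a second one.
    for port in menus.get("/interface bridge port", []):
        vlan = vlans.get(port.get("interface"))
        if vlan:
            findings.append(
                "VLAN interface %s (on %s, vlan-id %s) is a port of bridge %s"
                % (vlan["name"], vlan.get("interface"),
                   vlan.get("vlan-id"), port.get("bridge")))

    # Bridges that carry VLAN interfaces without vlan-filtering=yes
    # (the export omits the parameter when it is at its default).
    for name in sorted(bridges):
        carries = any(v.get("interface") == name for v in vlans.values())
        if carries and bridges[name].get("vlan-filtering") != "yes":
            findings.append(
                "bridge %s carries VLAN interfaces but vlan-filtering "
                "is not enabled" % name)
    return findings


# Constructed sample in the style of the export posted in this thread.
SPLIT_BRIDGES = r'''/interface bridge
add fast-forward=no name=bridgeTrunk
add fast-forward=no name=bridgeA
add fast-forward=no name=bridgeB
/interface vlan
add interface=bridgeTrunk name=vlan10-A vlan-id=10
add interface=bridgeTrunk name=vlan20-B vlan-id=20
/interface bridge port
add bridge=bridgeTrunk interface=ether1
add bridge=bridgeA interface=vlan10-A internal-path-cost=10 \
    path-cost=10
add bridge=bridgeB interface=vlan20-B
'''

# Constructed sample of the single-bridge layout the replies recommend.
SINGLE_BRIDGE = r'''/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan10-A vlan-id=10
/interface bridge port
add bridge=bridge1 interface=ether1
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=10
'''

if __name__ == "__main__":
    for finding in check_bridge_layout(SPLIT_BRIDGES):
        print("-", finding)
```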
 
CGGXANNX
Frequent Visitor
Posts: 64
Joined: Thu Dec 21, 2023 6:45 pm

Re: RB5009UG+S+ download speed 600/1000 upload 800+/1000

Fri Mar 15, 2024 11:01 pm

> in case it helps if I do a btest I get similar numbers
> tcp down ~600 at 45% cpu load
> udp down ~800 at 33% cpu load

Because the device has 4 CPU cores, even if it only shows 33% CPU load, it could still be that one of the 4 cores is already at max utilization. You have to open the CPU table from the Resources window to see the load on individual cores.
