Adding veth slows internet

RouterOS General
1

I have a RB5009 running 7.9. I added a veth interface for a Pihole container. Even without the container running, the veth interface greatly slows internet.

My nominal connection speed is 500/500. If I have the veth port disabled, I get about 590 Mbps down and 520 up. As soon as I enable the veth port I get 10-25Mbps down and 450-500 up.

Can anyone help me troubleshoot this? Does a veth port run into some hardware offloading thing, but only for the download?

2

Given this prior post, I’ll guess that you’ve created a routing error, sending all traffic thru the container.

Post the output of “/ip/route/print”.

3

I’ve got a similar setup (Rb5009 with containers running) and don’t experience this. My WAN is inherently slower (100/100Mbps) but I get no apparent performance impact / slowdown on the native-side routing as a result of running the containers.. so yes, sounds like something config related?

4

@fragtion: Are you using the recommended NAT-based network configuration for your containers, or are you doing as the OP is doing and binding the veth straight to the bridge?

I’ve done the latter for justifiable cause, and it can work, but I’m using these “routers” as glorified switches, so they aren’t in the routing path for any inter-network traffic.

5

Ah okay. No, I’m using the recommended config of binding veth to a container bridge as a bridge port. The only NAT going on is srcnat/masquerading of traffic outbound from the container. I guess that is probably the key difference here

6

I’m using the 2nd bridge approach as shown by MT and don’t experience any slowdown on my device.
Also rb5009.
Containers: pihole, openspeedtest, and then iperf3 and helloworld by tangent :laughing:

7

So, I’ve determined that the issue happens when the veth interface is attached to the bridge with the LAN on it. Creating the veth interface on a new bridge doesn’t produce the problem. I have deleted all the NAT rules. Just adding

disabled=yes

to veth2 makes the problem go away.

Full config: https://pastebin.com/8Y8dAuAc

Even when veth2 is attached to bridge1, it seems hardware offload is still enabled and active:

[david@RoutyMcRouterson] > /interface/bridge/settings/print
              use-ip-firewall: no
     use-ip-firewall-for-vlan: no
    use-ip-firewall-for-pppoe: no
              allow-fast-path: yes
      bridge-fast-path-active: yes
     bridge-fast-path-packets: 6980829
       bridge-fast-path-bytes: 4853024583
  bridge-fast-forward-packets: 0
    bridge-fast-forward-bytes: 0

Also, when running a speed test the cpu usage generally stays below 10% though one of the cores spikes to about 40% for an instant.

Unless I can find a fix I suppose I’ll just buy a new power supply and sd card for my Raspberry Pi and run Pihole in that. Let the router route…thanks for help all.

8

The asymmetric results is what’s a bit odd (e.g. up is rough same with VETH in bridge, only down is slow)… I’d say this seem like a MTU/fragmentation problem, somewhere –but VETH should be using stardard 1500 MTU. But I guess you can check the MTU of the bridge interface both with the VETH enable and not enable…see if it changes.

It really should be okay to be put VETH in the main/vlan-filtering=yes bridge. I haven’t seen these issue and never used a 2nd bridge for containers (only VLANs).

9

Or try a iperf test using UDP and see what speeds you get with VETH in the bridge?

10

Many questions:


  1. Where’s that “/ip/route/print” output I asked for? Your config is too complicated for me to reconstruct the dynamic routing rules from the static commands. Until you post what result you got from all this, my only option is to duplicate your configuration on a local router, and I’m not willing to do that merely to save you some copy-and-paste work.
  2. What’s all that VRRP stuff doing in there? You haven’t said anything about redundant routers. If you do have a legitimate use for VRRP, why are you doing it only for IPv6?
  3. Have you tried a reboot between interface/bridge changes? If you don’t, you must sometimes wait for the ARP timeout before the configuration re-settles on a new stable state. In the intermediate time, you’ve got stale information from the prior state interfering with the new configuration.
  4. Is the guest VLAN 10 or 15? Pick one. :slight_smile:
  5. Having never set up PiHole — nor having any desire to do so — realize that I’m asking merely to prod you into double-checking your config when I ask, can you have a DNS server on the router plus static DHCP reservations plus upstream CloudFlare DoH/DNS plus PiHole? Maybe I’m speaking from ignorance, but this looks contorted at best and non-functional at worst. I don’t see how one delegates smoothly to the next. Shouldn’t you need them all to be in a strict chain somehow? Shouldn’t the CloudFlare DNS configuration be inside PiHole, with the RouterOS DNS delegating to the PiHole, not CloudFlare?
11

Tangent on the pihole stuff, one can run a container or separate device for adguard dns, and at the same time run DOH on the router itself.
You may wish some subnets to use one or the other for example.

I worked recently on a config where the adguard container on mikrotik was strictly for three subnets going out third party wireguard, whereas the single subnet staying to local internet use the MT DOH server. So that is very possible..

However concur if the OP has the usually bloated mess of a config, impossible to troubleshoot.

12

Sorry to necro an old thread. I have been facing the same problem. As soon as I add a VETH interface to my bridge, it tanks my download speeds, even if there is nothing using the interface.

/interface veth
add address=10.0.200.200/32 gateway=10.0.200.1 gateway6="" name=veth1
/interface bridge port
add bridge=bridge interface=veth1

Just adding those two commands is enough to cause it. There is nothing using the VETH interface or anything. Just it existing on the bridge is enough.

13

Try /24 as the veth IP address. It’s currently just /32.

14

It makes no difference. As soon as a VETH of any kind is added to the bridge, the slowdown happens. It is more apparent with Usenet as it open a lot more connections than a regular download.

15

IMHO that’s a logical outcome. For many current (e.g. the RB5009 from this topic, RB4011, L009, CCR2xxx) and old (like the hEX/hEX S) MikroTik devices, the switch chip is capable of hardware offloading many bridge features:

https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeHardwareOffloading

And that’s the reason why it’s recommended to only create one bridge per switch chip to take advantage of the features and so that switching between the ports of the bridge can be done by the hardware at wire speed. Now when you add a software-based interface/port to that bridge, you break the 1:1 mapping between switch chip & bridge. The switch chip cannot handle the foreign port so features that previously was hardware offloaded now need the main CPU to be involved. Frames might also need to go outside of the switch chip and use the link between the switch chip and the main CPU.

16

Is there an alternative way to use containers without resorting to a second bridge? I mean, it “works” but a single bridge is very much the correct way as far as I know, and it’s how my router is configured

17

Yes.

18

That’s the problem I’m facing though. If I add the veth to my single bridge, it completely tanks my download speeds, although speed tests are at full speed for some reason. It doesn’t even have to be be attached to a container.

19

I’ll try the NAT way and compare speeds.

20

That doesn’t happen here, but then, you haven’t told us how you’re determining this slowdown in a repeatable manner. You can tell us it’s repeatable where you are, but a far better way to get help is to give us a test that’s repeatable by everyone you would have help you with this.

On a flyer, I shut down the iperf3 container on my gateway router and removed the veth it was using, and I see no difference in performance.

Give me a reliably repeatable test.