Cannot download at 10 gbps

Any ideas on how I can get better throughput from WAN → LAN?

Just purchased a ccr1036-8g-2s+ router but I cannot get more than about 4.82 gbps download (the upload measures about 8.5 gbps).

I have a 10 gbps down / 10 gbps up fiber connection to the internet and have verified the issue is the router by running iperf3 tests with a local machine on the WAN side and a local machine on the LAN side. When the machines are not going through the router I can get 9+ gbps in both directions with iperf3. When the router is between both machines I can only get:

  • 4.82 gbps from WAN → LAN
  • 8.50 gbps from LAN → WAN

I have the router configured with two IP NAT entries:

  • Masquerade for my local network to get out to the internet (LAN → WAN).
  • A single DNAT to allow a specific TCP port in from the internet to a specific server on the LAN.

I have not done anything else besides getting these two NAT entries set up and hard-coding the WAN IP info.

This is the first Mikrotik product I have ever used so if someone could tell me how to export the config I am happy to post it here if that would be helpful.

I really want this to work well at 10G!

Thanks!

Well. The CCR10xx series is optimized for many-to-many connections (like in the real world), not maximum host-to-host communication. If you start 1-2 additional iperf sessions then I think you should be able to max it out.

Word of caution: the CCR line of routers by default doesn’t have any firewall enabled whatsoever … not even for its own protection. So do implement some decent firewall filter rules ASAP.

In addition to multi streams:

  • what is the CPU usage in your original testcase?
  • what is the CPU usage in the multi stream testcase?
  • can you please share your config? (/export hide-sensitive)

What kind of BS answer is that?
The test results from MT clearly show the OP should easily reach 10Gigs (12-26K very doable) one way.
Even IPSEC shows at 4K

That’s not a BS answer, @anav. Those test results are with many streams in parallel (look at RFC2544). It’s quite possible that a single stream isn’t able to reach those speeds; the TILE cores aren’t very powerful; there just are many of them.

I can second that. TILE is optimized for many connections. Single streams or connections will melt down a single core.
With a CCR1009 I was not able to pass through more than 500 Mbps UDP without packet loss. And this was without any firewall rules or NAT.

So the results of benc1337 seem reasonable to me.

Maybe the CCR2004 might be worth a look at.

Maybe your firewall rules on your CCR are not optimal. See this posting for verification and fixing:
http://forum.mikrotik.com/t/mikrotik-crs125-24g-speed-problem/141208/5

My apologies, I do not understand the TILE architecture and nowhere does MT state clearly that their speeds can ONLY be achieved by multi-WAN inputs to the router.
In fact it’s bordering on criminal, and I would prosecute them if I could as I recently shelled out big bucks for a CCR1009.
My assumption, for example, was that an advertised 10K speed meant TOTAL regardless of how many WANs were in use.
In other words, if you had one WAN with 2 gigs, another with 5 gigs and a third with 5 gigs, the max that could be achieved is 10K (and not 12K).
I would never have dreamed the real answer: if using only ONE WAN input, the total = SOME FRACTION of 10K.

Normis, am I way off base here, or should I send you to jail??? :wink:

LOL :slight_smile:. Yes, you’re off base. It’s not the physical interfaces, but the number of data streams like TCP sessions that matters. Across the Internet, you don’t need to have 10G to run into this; that’s why things like BitTorrent and NNTP let you set up multiple sessions for a single download. And why iperf3 will do that if you tell it to.

If the OP did use multiple streams with iperf, a CPU profile would probably be enlightening.

I was thinking iperf3 is single-thread (single stream) and so for multi-thread one has to use iperf v2.
The last time I had tested iperf3 the server part could not accept multiple connections. So I switched back to iperf v2.

AFAIK iperf3 will let you run multiple TCP streams in parallel, with the -P/--parallel option.

What are the “K”s you are talking about? Jumbo frames? You can’t use jumbos over the Internet either way :slight_smile:

I’m not talking about multiple WAN providers. I’m talking about traffic streams (e.g. individual downloads).

Right, so am I.
In other words, from 3 different providers in my example (2, 5, 8 gigs) with a router that, let’s say, states 10Gig throughput:

A. I don’t expect greater than 10gig with all three WANs pumping out their max (i.e. 15 not possible).
B. I am not expecting a single session to exceed the capacity of any single WAN (a single session can either max out at 2, 5, or 8).

What I am saying is that if I have a 10gig WAN connection, I certainly expect to be able to move a single session download at or near 10gig with the CCR30 something.
(Note: Assumes sender is capable of tx at that rate and the pipe in between can as well.)
If not then there is false advertising and if I had money I would take them to court LOL.

Thanks for all the replies everyone!

Okay, some more info about the iperf3 test I did to measure throughput between WAN and LAN:

Test Setup WITHOUT router:

10G_MacbookPro* ↔ 10G_Switch** ↔ 10G_NAS***

*8 x i7 CPU, 16GB ram, SONNET SOLO 10G Thunderbolt 3 dongle
**Mikrotik 10G switch (CRS306-1G-4S+IN)
***Linux PC (CentOS 7), 8 x XEON W-2123 @3.6GHz, 128GB ram, 12 x 12 TB SATA RAID, PCIe nic with 4 x 10G ports

MacbookPro iperf3 command: iperf3 -s

  • The -s flag is “server” mode

NAS iperf3 command (for LAN–>WAN test): iperf3 -c -i 1 -t 30 -P 20

  • The -c flag is “client” mode.
  • The -i 1 argument is “interval” to output bandwidth reports every “1” second.
  • The -t 30 argument is “time” to run test for “30” seconds.
  • The -P 20 argument is “parallel” to run “20” iperf3 client streams in parallel.

Test result (LAN → WAN, no router): 9.40 gbps sustained

Now, run the same test again but in the reverse direction (WAN–>LAN):

NAS iperf3 command (for WAN–>LAN test): iperf3 -c -i 1 -t 30 -P 20 -R

  • The -R flag is to do the test in the opposite direction (WAN–>LAN in this case).

Test result (WAN → LAN, no router): 9.40 gbps sustained

To this point, with no router, throughput is “essentially” 10G (good enough for me).

Test Setup WITH router (ccr1036-8g-2s+):

10G_MacbookPro* ↔ 10G_WAN(sfp-sfpplus1) ↔ 10G_LAN(sfp-sfpplus2) ↔ 10G_Switch** ↔ 10G_NAS***

Testing is performed in the exact same way except the IP of the Macbook Pro had to be changed to work properly on the WAN side of the router.

Test result (LAN → WAN, WITH router): 8.40 gbps sustained
Test result (WAN → LAN, WITH router): 4.82 gbps sustained

NOTE: When I do this exact same test (through the router) out to the internet to an AWS EC2 Linux vm, I get very similar results:
Test result (LAN → cloud_vm, WITH router): 8.78 gbps sustained
Test result (cloud_vm → LAN, WITH router): 4.82 gbps sustained

Also, when I increase the parallel clients to 50 (“-P 50” arg) I STILL get 4.82 gbps for WAN → LAN and the CPU usage is about the same with some CPUs idle.

As for CPU usage, here is for the WAN → LAN test (sorted by CPU Load %):
(I don’t have an easy way to post screen captures so I’ll just type the data from my WebFig screen capture - grrrr!)
cpu10: 42%
cpu34: 40%
cpu30: 36%
cpu33: 24%
cpu7: 23%
cpu26: 22%
cpu11: 21%
cpu22: 21%
cpu9: 18%
cpu15: 11%
cpu21: 11%
cpu4: 2%
cpu6: 10%
cpu29: 10%
cpu3: 7%
cpu31: 6%
cpu32: 6%
cpu25: 5%
cpu35: 1%
…remaining 16 cpus: 0%

Here is for the LAN → WAN test (sorted by CPU Load %):
cpu35: 30%
cpu31: 26%
cpu4: 25%
cpu28: 12%
cpu9: 11%
cpu26: 10%
cpu5: 9%
cpu6: 9%
cpu8: 9%
cpu22: 9%
cpu2: 5%
cpu10: 5%
cpu3: 4%
cpu16: 4%
cpu21: 4%
cpu7: 3%
cpu11: 1%
cpu15: 3%
cpu29: 3%
cpu23: 2%
…remaining 16 cpus: 0%

Here is my exported config (thanks erlinden for showing me how to export it!) with the sensitive parts obfuscated with “XXXXXXXX”:

[admin@XXXXXXXX] > /export
# jul/10/2020 14:13:24 by RouterOS 6.47
# software id = XFYP-96JK
#
# model = CCR1036-8G-2S+
# serial number = XXXXXXXX
/interface bridge
add name=bridge1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=sfp-sfpplus2
/interface list member
add interface=sfp-sfpplus1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=10.3.0.254/24 interface=ether1 network=10.3.0.0
/ip dhcp-client
add disabled=no interface=sfp-sfpplus1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=XXXXXXXX dst-port=XXXXXXXX in-interface=sfp-sfpplus1 log=yes log-prefix=XXXXXXXX protocol=tcp to-addresses=XXXXXXXX to-ports=XXXXXXXX
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.3.0.0/24
set ssh address=10.3.0.0/24
set api disabled=yes
set winbox address=10.3.0.0/24
set api-ssl disabled=yes
/lcd
set color-scheme=dark default-screen=informative-slideshow flip-screen=yes
/lcd pin
set pin-number=XXXXXXXX
/system clock
set time-zone-name=XXXXXXXX
/system identity
set name=XXXXXXXX
/tool graphing interface
add interface=sfp-sfpplus1
add interface=sfp-sfpplus2
add interface=ether1

I should note that both the NAT rules work properly.

From user “mkx”:

So based on my exported config, do you see any glaring changes I should make ASAP?

I really only need this basic functionality:

  1. Masq NAT working so LAN can get to internet.
  2. A single DNAT entry to get to LAN server from internet.
  3. Block all other outside traffic from getting in (including block access to router management from internet).
  4. Get 10G to the internet in both directions (or at least 8+ gbps).

Any tuning optimizations, tips, or suggestions to improve my WAN → LAN performance are very much welcome and appreciated!
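The bidirectional -P 20 test described above, as an added example that is not from the thread: a small Python helper that issues the same iperf3 client command with -J added for JSON output (run_iperf3 and its host argument are assumptions, not the OP’s command), reduces one result to aggregate and per-stream Gbit/s, and flags the kind of one-directional ceiling seen through the router. The embedded JSON is constructed, trimmed to the fields the parser reads.

```python
"""Parse iperf3 -J results for a WAN<->LAN throughput test (added example)."""
import json
import subprocess

def run_iperf3(host, seconds=30, parallel=20, reverse=False):
    """Run the iperf3 client against `host` and return its JSON output.
    Mirrors the thread's -t 30 -P 20 (-R) command with -J added."""
    cmd = ["iperf3", "-c", host, "-J", "-t", str(seconds), "-P", str(parallel)]
    if reverse:
        cmd.append("-R")  # server sends, client receives (the WAN -> LAN case)
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def summarise(raw):
    """Return (aggregate_gbps, min_stream_gbps, max_stream_gbps, stream_count)."""
    end = json.loads(raw)["end"]
    rates = [s["receiver"]["bits_per_second"] / 1e9 for s in end["streams"]]
    total = end["sum_received"]["bits_per_second"] / 1e9
    return round(total, 2), round(min(rates), 2), round(max(rates), 2), len(rates)

def asymmetry(forward_raw, reverse_raw, tolerance=0.2):
    """Return (reverse/forward ratio, capped). capped is True when the slower
    direction falls more than `tolerance` below the faster one, the pattern
    that calls for a per-core CPU profile on the router."""
    ratio = round(summarise(reverse_raw)[0] / summarise(forward_raw)[0], 3)
    return ratio, ratio < 1 - tolerance

# Constructed sample output (real iperf3 JSON carries many more fields).
# Four streams each, totals chosen to mirror the 8.40 / 4.82 Gbit/s figures.
LAN_TO_WAN = json.dumps({"end": {
    "streams": [{"receiver": {"bits_per_second": r}} for r in (2.1e9,) * 4],
    "sum_received": {"bits_per_second": 8.4e9}}})
WAN_TO_LAN = json.dumps({"end": {
    "streams": [{"receiver": {"bits_per_second": r}}
                for r in (1.21e9, 1.19e9, 1.23e9, 1.19e9)],
    "sum_received": {"bits_per_second": 4.82e9}}})

if __name__ == "__main__":
    for label, raw in (("LAN -> WAN", LAN_TO_WAN), ("WAN -> LAN", WAN_TO_LAN)):
        total, lo, hi, n = summarise(raw)
        print(f"{label}: {total} Gbit/s, {n} streams at {lo}-{hi} Gbit/s each")
    print("reverse/forward ratio, capped:", asymmetry(LAN_TO_WAN, WAN_TO_LAN))
```

Against a live server, replace the constants with run_iperf3(host) and run_iperf3(host, reverse=True); the same summarise and asymmetry calls apply.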

Yes, add these firewall rules…

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

Thanks anav. I added these firewall rules except for the IPSEC rules since I don’t have any IPSEC stuff going on.

I ran more tests to see if these firewall rules affected performance at all. My upload throughput was actually improved, but my download was still stuck exactly at 4.82 gbps like always. :frowning:

Updated iperf3 throughput test results:
Upload (LAN → cloud_vm): 9.13 gbps
Download (cloud_vm → LAN): 4.82 gbps

What else am I missing in my config?? There must be a way for this 10G router to download @ 10G (or something remotely close like 8+ gbps).

Concur, maybe a class action lawsuit? :wink:

I see your IP addresses are attached to Ethernet ports which are attached to a bridge. My understanding/experience is that the IP addresses should be attached to the appropriate bridges.

Not sure if it will affect performance, but since you are running the ports bridged, the IP address should be put on the bridge.

Like:

/ip address add address=10.3.0.254/24 interface=bridge1 network=10.3.0.0