I have a CRS125-24G-1S as main switch of my home network.
There are 2 VLANs configured:
100 is my home network managed by CRS125 (DHCP, DNS, Capsman, NTP).
200 is a foreign network which comes in via a separate VPN router - CRS125 does not do anything with it but tagging and switching it to some other switches.
VLANs are configured on switch level, I seem to get full (wire-) speed with it just switching.
I recently upgraded my internet connection and retired an old FritzBox that had been working as the router until then - assuming that the CRS125 could take over this job.
I configured one port as WAN with very basic firewall and NAT.
Works so far, but performance is really bad.
Seems as if I cannot get more than 30-50MBit/s (same speed test directly on cable modem gives me >300MBit/s).
When I hit the limit CPU is not maxed out, maybe around 40%.
I tried various things (interface queue types, different firewall/NAT rules) but nothing seems to make a difference.
Config is at the end of the post; is there anything really wrong with it?
Apart from VLANs the use-case for routing can’t really get simpler… ?
I know, CRS is a switch, not router.
However, it is specified with max 680MBit/s.
I am not even close to that (closer to the 48MBit/s for 64 bytes… but interface counters show that mostly bigger packets are used).
Some threads claim that they get about 200MBit/s with a CRS125, others claim more than 400MBit/s… ?
I also tried to activate fasttrack.
As soon as I add the filter rule fasttrack counter increases, but internet connections don’t work anymore (at least most of them don’t work - some web sites do, speedtest doesn’t work at all).
I tried restricting it to different interfaces, but either it has no effect or connections don’t work.
Anything wrong there? Didn’t find any more documentation apart from this single rule.
Notes wrt config:
.110 is the address of CRS125, .111 was address of old router.
I added .111 so that I didn’t have to change gateway on every other (statically configured) device.
A guest VLAN is already in interface list, but not yet configured.
Used “***” to remove some private data…
Any ideas/hints?
Thanks,
steginger
# apr/11/2020 13:45:51 by RouterOS 6.46.5
# software id = VK13-BNI2
#
# model = CRS125-24G-1S
# serial number = 944E0985F5B7
# NOTE(review): the software id and serial number above were left in the export
# while other values further down are masked with ***; mask them as well before
# posting a config publicly.
#
# CAPsMAN channel definitions: one fixed 2.4 GHz channel and one 5 GHz channel.
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2437 name=2.4GHz
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=XXXX frequency=5180 name=5GHz skip-dfs-channels=yes
# Single bridge for the switched ports; protocol-mode=none means no (R)STP runs on it.
/interface bridge
add admin-mac=**:**:**:**:**:** auto-mac=no name=bridge protocol-mode=none
# VLAN 100 interface on the bridge. The router's addresses, the DHCP server and
# the CAPsMAN manager are all bound to this interface further down.
/interface vlan
add interface=bridge name=vlan-100 vlan-id=100
# CAP datapath: traffic is forwarded locally on the CAP and tagged with VLAN 100;
# wireless clients are allowed to talk to each other (client-to-client-forwarding=yes).
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes local-forwarding=yes name=datapath vlan-id=100 vlan-mode=use-tag
# WPA2-PSK with AES-CCM. No passphrase value appears on this line (either hidden
# by the export or removed by the poster). disable-pmkid=yes keeps the PMKID out
# of the first EAPOL frame sent by the AP.
/caps-man security
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm name=sec-***
# Two AP configurations (2.4 GHz and 5 GHz) sharing the same datapath and
# security profile; names and SSID are masked by the poster.
/caps-man configuration
add channel=2.4GHz country=germany datapath=datapath installation=indoor mode=ap name=***-2.4G security=sec-*** ssid=***
add channel=5GHz country=germany datapath=datapath installation=indoor mode=ap name=***-5G security=sec-*** ssid=***
# Ingress VLAN enforcement on the switch chip: on the listed ports, frames with
# an invalid VLAN or from a port that is not a member of that VLAN are dropped,
# and frames for VLANs missing from the VLAN table are not forwarded
# (forward-unknown-vlan=no).
# NOTE(review): ether18, ether20, ether22 (GUEST list) and ether23 (WAN) are not
# in this list; revisit it when the guest ports are brought into use.
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=\
ether17,ether19,ether21,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether24 forward-unknown-vlan=no
# Interface lists. Of these, only WAN is referenced by the firewall and NAT
# rules shown in this export.
/interface list
add comment="Local LAN interfaces" name=LAN
add comment="WAN Interface" name=WAN
add comment="Trunk Interfaces" name=TRUNK
add comment="Company VPN" name=CVPN
add comment="Guest Interfaces" name=GUEST
# Default wireless security profile; only the supplicant identity is set here.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# IPv4 DHCP for the home network: pool .1-.99, served on vlan-100.
/ip pool
add name=dhcp ranges=192.168.0.1-192.168.0.99
/ip dhcp-server
add address-pool=dhcp disabled=no interface=vlan-100 lease-time=1d name=server1
# DHCPv6 options: code 23 is the DNS server list (value partly masked),
# code 24 the domain search list.
/ipv6 dhcp-server option
add code=23 name=dns_servers value=0xfd00000000000000****************
add code=24 name=domain_list value="'fritz.box'"
/ipv6 dhcp-server option sets
add name=dhcp-options options=dns_servers,domain_list
# Policy set of the "full" user group.
# NOTE(review): this lists the permissions of the group, not which management
# services are enabled. No /ip service or /user section appears in this export,
# so service exposure and accounts cannot be judged from what is shown.
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
# CAPsMAN manager is enabled. The default interface entry is set to forbid and
# only vlan-100 is added, so CAP connections are accepted on vlan-100 only.
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=vlan-100
# Provisioning: radios supporting g/n get the 2.4 GHz configuration, radios
# supporting ac get the 5 GHz configuration; interfaces are created dynamically
# and enabled.
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=***-2.4G
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=***-5G
# Bridge members: ether1-ether17, ether19, ether21 and ether24.
# ether18/20/22 (GUEST list) and ether23 (WAN) are not bridge ports, so traffic
# between ether23 and the home network is routed (and NATed) rather than switched.
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
add bridge=bridge interface=ether11
add bridge=bridge interface=ether12
add bridge=bridge interface=ether13
add bridge=bridge interface=ether14
add bridge=bridge interface=ether15
add bridge=bridge interface=ether16
add bridge=bridge interface=ether17
add bridge=bridge interface=ether19
add bridge=bridge interface=ether21
add bridge=bridge interface=ether24
# The router accepts IPv6 router advertisements.
# NOTE(review): no /ipv6 firewall section appears in this export. If the WAN side
# provides IPv6, the input/forward protections defined under /ip firewall do not
# cover it - confirm that IPv6 filter rules exist or that IPv6 is unused on WAN.
/ipv6 settings
set accept-router-advertisements=yes
# Egress tagging: VLAN 100 leaves tagged on the trunk ports and towards the CPU
# port; VLAN 200 leaves tagged on the trunk ports only.
/interface ethernet switch egress-vlan-tag
add comment="Trunk Home VLAN" tagged-ports=ether17,ether19,ether21,switch1-cpu vlan-id=100
add comment="Trunk CVPN VLAN" tagged-ports=ether17,ether19,ether21 vlan-id=200
# Ingress translation: untagged frames (customer-vid=0) on ether1-ether16 are
# placed into VLAN 100, untagged frames on ether24 into VLAN 200.
/interface ethernet switch ingress-vlan-translation
add comment="Ports Home VLAN" customer-vid=0 new-customer-vid=100 ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16
add comment="Ports CVPN VLAN" customer-vid=0 new-customer-vid=200 ports=ether24
# VLAN membership table. switch1-cpu is a member of VLAN 100 only, so the
# foreign VLAN 200 is switched between ether17/19/21/24 without the CPU port
# being a member of it.
/interface ethernet switch vlan
add comment="Home VLAN" ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether19,ether21,switch1-cpu \
vlan-id=100
add comment="CVPN VLAN" ports=ether17,ether19,ether21,ether24 vlan-id=200
# Interface list membership by physical port.
# NOTE(review): vlan-100, the interface that carries the router's addresses, is
# not a member of LAN. Rules matching in-interface-list=LAN would presumably not
# match routed traffic, which arrives via vlan-100 rather than via the physical
# bridge ports - verify before building rules on the LAN list.
/interface list member
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=LAN
add interface=ether14 list=LAN
add interface=ether15 list=LAN
add interface=ether16 list=LAN
add interface=ether17 list=TRUNK
add interface=ether19 list=TRUNK
add interface=ether21 list=TRUNK
add interface=ether24 list=CVPN
add interface=ether23 list=WAN
add interface=ether18 list=GUEST
add interface=ether20 list=GUEST
add interface=ether22 list=GUEST
# Two addresses on vlan-100: .110 is the CRS125 itself, .111 is the address of
# the retired router, kept so statically configured devices need no change.
/ip address
add address=192.168.0.110/24 interface=vlan-100 network=192.168.0.0
add address=192.168.0.111/24 interface=vlan-100 network=192.168.0.0
# WAN address comes from DHCP on ether23; DNS and NTP servers offered by the
# upstream are ignored (use-peer-dns=no, use-peer-ntp=no).
/ip dhcp-client
add disabled=no interface=ether23 use-peer-dns=no use-peer-ntp=no
# Static leases were removed by the poster.
/ip dhcp-server lease
<...>
# DHCP clients are given .111 as gateway and .110 as DNS and NTP server.
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.110 domain=fritz.box gateway=192.168.0.111 netmask=24 ntp-server=192.168.0.110
# The router acts as DNS resolver for clients (allow-remote-requests=yes) and
# forwards to the two configured upstream servers.
# NOTE(review): with allow-remote-requests=yes the only thing keeping the
# resolver closed towards the internet is the WAN drop rule in the IPv4 input
# chain; no equivalent IPv6 rule is shown in this export.
/ip dns
set allow-remote-requests=yes servers=9.9.9.9,2620:fe::fe
# Static DNS entries were removed by the poster.
/ip dns static
<...>
# IPv4 filter rules; each chain is evaluated top to bottom, so order matters.
/ip firewall filter
# input chain (traffic addressed to the router itself): accept replies to
# existing connections, accept ICMP from any interface, then drop everything
# else that arrives via an interface in the WAN list.
# NOTE(review): input from non-WAN interfaces is not restricted, so the router's
# services are reachable from VLAN 100, and would be from the guest ports once
# they are configured unless rules are added for them - confirm this is intended.
add action=accept chain=input connection-state=established,related
add action=accept chain=input protocol=icmp
add action=drop chain=input in-interface-list=WAN
# FastTrack rule, disabled in this export. Packets of fasttracked connections
# skip the remaining filter rules and queues, which is why it matches only
# established/related traffic; the accept rule below handles packets of those
# connections that are not fasttracked.
add action=fasttrack-connection chain=forward connection-state=established,related disabled=yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
# New connections coming in from WAN are dropped unless they were dst-natted
# (no dstnat rules are shown in this export).
# NOTE(review): the forward chain has no final drop, so anything not arriving
# via WAN is forwarded by default - relevant once the guest network is routed.
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Source NAT: traffic from 192.168.0.0/24 leaving via WAN is masqueraded.
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN src-address=192.168.0.0/24
# IPv6 address from the fd00::/8 (unique local) range on vlan-100; part of the
# address is masked by the poster.
/ipv6 address
add address=fd00::****:****:****:**** eui-64=yes interface=vlan-100
# DHCPv6 server on vlan-100 handing out the option set defined earlier
# (DNS servers and domain list).
/ipv6 dhcp-server
add dhcp-option=dhcp-options interface=vlan-100 lease-time=1d name=server1
# Router advertisements on vlan-100: DNS is not advertised in the RA itself;
# other-configuration=yes tells clients to fetch further settings via DHCPv6.
/ipv6 nd
set [ find default=yes ] advertise-dns=no interface=vlan-100 other-configuration=yes
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=CRS125-UG
# The router synchronises its clock against two fixed NTP server addresses.
/system ntp client
set enabled=yes primary-ntp=192.53.103.108 secondary-ntp=192.53.103.104
# The router also serves NTP to clients, with multicast mode enabled.
# NOTE(review): as with DNS, on IPv4 the WAN drop rule in the input chain is
# what keeps this service from answering queries from the internet side.
/system ntp server
set enabled=yes multicast=yes