Fasttrack doesn't work (with VLAN) ?

Hi. Just finished converting a setup with 2x HAP AC with latest stable firmware from Switch VLAN setup to new bridge VLAN setup.
This sounds just stupid, but I could never get stable IPTV through the old setup. With bridge VLAN setup I can.
I know I lose HW switching this way, but…it works.
Only trouble is that with high load on normal internet connection, the CPU goes to 100% and TV lags.

It seems like fasttrack doesn’t work with the new setup… I have the correct (as far as I can see) filter rules, but I cannot get any packet to actually be fasttracked…

[admin@MT_B9_router_kjellerstue] /ip settings> print
ip-forward: yes
send-redirects: yes
accept-source-route: no
accept-redirects: no
secure-redirects: yes
rp-filter: no
tcp-syncookies: no
max-neighbor-entries: 8192
arp-timeout: 30s
icmp-rate-limit: 10
icmp-rate-mask: 0x1818
route-cache: yes
allow-fast-path: yes
ipv4-fast-path-active: no
ipv4-fast-path-packets: 0
ipv4-fast-path-bytes: 0
ipv4-fasttrack-active: yes
ipv4-fasttrack-packets: 0
ipv4-fasttrack-bytes: 0

Export hide-sensitive here (I also removed some irrelevant capsman config):

# sep/18/2019 20:29:01 by RouterOS 6.45.6
# software id = DFEC-PX9G
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = XXXXX
/interface bridge
add igmp-snooping=yes name=bridge1 pvid=250 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] name=ether5-trunk-til-opp speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
/interface vlan
add interface=bridge1 name=vlan102wan vlan-id=102
add interface=bridge1 name=vlan250-internt vlan-id=250
/interface list
add exclude=dynamic name=discover
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=10.0.69.50-10.0.69.250
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay disabled=no \
    interface=vlan250-internt lease-time=12h name=defconf
/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether1 pvid=102
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 pvid=101
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 pvid=101
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
    ether5-trunk-til-opp
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 pvid=250
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface bridge vlan
add bridge=bridge1 tagged=ether5-trunk-til-opp untagged=ether2,ether3 \
    vlan-ids=101
add bridge=bridge1 tagged=bridge1 untagged=ether1 vlan-ids=102
add bridge=bridge1 tagged=bridge1,ether5-trunk-til-opp untagged=\
    ether4,*1A,*1B vlan-ids=250
/interface ethernet switch vlan
add disabled=yes ports=ether1,switch1-cpu switch=switch1 vlan-id=102
/interface list member
add interface=wlan1 list=discover
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5-trunk-til-opp list=discover
add interface=sfp1 list=discover
add interface=wlan2 list=discover
add list=discover
add list=discover
add interface=vlan250-internt list=discover
add list=discover
add interface=vlan102wan list=discover
add list=discover
add list=discover
add list=discover
add list=discover
add list=discover
add list=discover
add list=discover
add interface=sstp-out1 list=discover
/interface wireless cap

set bridge=bridge1 discovery-interfaces=bridge1 enabled=yes interfaces=\
    wlan1,wlan2
/ip address
add address=10.0.69.1/24 comment=defconf interface=vlan250-internt network=\
    10.0.69.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    vlan102wan
/ip dhcp-server network
add address=10.0.69.0/24 comment=defconf dns-server=10.0.69.1,8.8.8.8 \
    gateway=10.0.69.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" in-interface=\
    vlan102wan protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related in-interface=vlan102wan
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=vlan102wan
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=vlan102wan
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=vlan102wan

I won’t go into details, but I have a similar setup with HDTV and VLANs, also with HapAC, and the issue here is not in FastTrack.
FastTrack is just a way of forwarding packets without using a substantial amount of CPU.
I suggest you take a look here https://www.youtube.com/watch?v=C3U06olRmEk

Well, issue with 100% cpu is because of lack of fasttrack… Because of 100% CPU and doing bridge VLAN (without HW acceleration), this affects my HDTV.

Posting a 36 minute long video doesn’t help me.

Why did you do that? HW accelerated bridge VLAN filtering is only supported on CRS3xx series switches. For the rest of the routerboards you should keep using the /switch menu.

As I explained, because I couldn’t get a stable IPTV over separate VLAN with switch (HW accelerated) setup. Every 10 minutes or so I would experience distortion in signal. Don’t know why.

But that is beside the point and my question still remains - does anybody have some input on the “no fasttrack” question?
Is fasttracking between two VLAN interfaces supposed to work? (Input VLANXXX, NAT to VLANYYY).

Fasttrack works for firewall with connection tracking enabled. Which is pretty much default for routed traffic and it doesn’t care about underlying interface types. And has its own counters, so you can check whether it works or not.

However, I wonder about your setup … hAP ac should be able to bridge (that’s in SW) a few hundred Mbps. What kind of throughput are you running through the device? And how’s IPTV stream transported, is it unicast or multicast?
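
The counter check mentioned in the reply above, as an added example that is not part of the thread: it compares two `/ip settings print` snapshots and reports whether the FastTrack packet counter moved. The first snapshot reuses lines from the output posted earlier in the thread; the second snapshot, the function names and the verdict wording are constructed for illustration.

```python
import re

# Lines taken from the `/ip settings print` output posted in the thread.
BEFORE = """\
[admin@MT_B9_router_kjellerstue] /ip settings> print
    ipv4-fast-path-active: no
    ipv4-fasttrack-active: yes
   ipv4-fasttrack-packets: 0
"""

# Constructed second snapshot (not from the thread), as if taken after traffic.
AFTER_CONSTRUCTED = """\
    ipv4-fasttrack-active: yes
   ipv4-fasttrack-packets: 48211
"""

LINE = re.compile(r"^\s*([a-z0-9-]+):\s*(\S+)\s*$")


def parse_settings(text):
    """Turn `key: value` lines into a dict with bool/int values."""
    out = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # prompt lines and blank lines do not match and are skipped
            key, val = m.groups()
            if val in ("yes", "no"):
                out[key] = val == "yes"
            else:
                out[key] = int(val) if val.isdigit() else val
    return out


def fasttrack_verdict(before_text, after_text):
    """Compare two snapshots and say whether packets took the FastTrack path."""
    before, after = parse_settings(before_text), parse_settings(after_text)
    if not after.get("ipv4-fasttrack-active", False):
        return "inactive: the router reports the FastTrack handler as not active"
    b = before.get("ipv4-fasttrack-packets", 0)
    a = after.get("ipv4-fasttrack-packets", 0)
    if a < b:
        return "reset: counter went backwards (reboot?), take two fresh snapshots"
    if a == b:
        return "idle: handler active but no packet was fasttracked in the interval"
    return f"working: {a - b} packets fasttracked in the interval"


if __name__ == "__main__":
    print(fasttrack_verdict(BEFORE, BEFORE))  # the state shown in the thread
    print(fasttrack_verdict(BEFORE, AFTER_CONSTRUCTED))
```
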

As far as I understand FastTrack is built on top of FastPath and requires that the underlying interface supports it. And I guess FastPath is immediately disabled as soon as bridge VLAN filtering is enabled on anything but CRS3xx.

FastPath documentation is quite vague about when fastpath is enabled. It only states when fastpath is automatically enabled, but doesn’t state explicitly when it’s disabled. For example, it says

IPv4 fast path is automatically used if following conditions are met:

  • firewall rules are not configured;
  • firewall address lists are not configured;

and we all know fasttrack works just fine with firewall rules and address lists configured.

Furthermore, I have an RBD52G configured with VLAN filtering on bridge and fasttrack still works (counters increment)…

Bridge itself (without HW) will do several hundred megabits, the problem is that I try to bridge a bit of IPTV multicast traffic together with NATTING (without fasttrack) a few hundred megabits between WAN and Internal internet VLAN.

My theory is something along the line of the fastpath things mentioned here.
Next time I get some time to test I’ll try to exclude one port from bridge vlan and take WAN in directly on a port instead. Maybe that’ll get fasttrack to work.