hAP ac2 (ac^2) speed issue

Hey,

I’m trying to use hAP ac2 as L3 router in my home lab.
As I can see from the diagram, the CPU is connected through 2x1gb links so I expect to get 2Gbps bandwidth.

My current home lab:

  • provider link: 1gb
  • hAP ac2
  • CRS226-24G-2S+
  • 8x2.5Gb + 10Gb switch from AliExpress

Connectivity:

  • hAP to provider: 1Gb
  • hAP to CRS226: bonding 2x1Gb
  • CRS226 to 2.5Gb switch: 10Gb sfp+ DAC
  • my PC: 2.5Gb to 2.5Gb switch
  • iperf server: 2.5Gb to 2.5Gb switch

There are several vlans:

  • tag 1 (home) with network 10.10.0.0/16
  • tag 2 (smart) with network 10.20.0.0/16
  • hAP has a simple config without bridges, just bonding and VLANs over it
  • hAP is a router with IPs: 10.10.0.1 and 10.20.0.2
  • PC IP 10.10.0.2
  • iperf IPs: 10.10.0.15 and 10.20.0.15

If I run iperf client on PC and connect to 10.10.0.15 (packets go through 2.5Gb switch without any routing), I get over 1Gb speed (like 1.7gb~2.2gb).

If I connect to 10.20.0.15 (that means routing through hAP), the speed is limited by 1 GB.
However, the CPU load on hAP is ~50-60% (I suppose only half of the cores are used).
If I added NAT, the bandwidth would be lower. But for a simple test, I disabled NAT and simplified the configuration to try only simple IPv4 packet forwarding.
The result is the same: the limit is 1Gbps.
I’m wondering why? Is it possible to get 2Gbps?
Both ethernet links are utilised similarly, about 450-500 MBps

hAP configuration (only important part)

# 2025-02-18 15:36:42 by RouterOS 7.17.2
#
# model = RBD52G-5HacD2HnD

/interface bonding
add name=bonding slaves=ether3,ether4 transmit-hash-policy=layer-2-and-3

/interface vlan
add interface=bonding name=guest vlan-id=9
add interface=bonding name=home vlan-id=1
add interface=bonding name=lab vlan-id=3
add interface=bonding name=mgmt vlan-id=99
add interface=bonding name=smart vlan-id=2

/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set accept-source-route=yes

/ip address
add address=10.10.0.1/16 comment="main: home" interface=home network=10.10.0.0
add address=10.20.0.1/16 comment="main: smart" interface=smart network=10.20.0.0
add address=10.0.0.2/24 comment=wan interface=ether5 network=10.0.0.0

/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether5 src-address=10.10.0.0/16 to-addresses=10.0.0.2

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.0.0.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10

There are some configs for DHCP and DNS, but I skipped them.

Any ideas?

PS: As I can see, IPQ4018 has hardware NAT

If I can understand your connections correctly:
You’re going from PC using 2.5Gb through switch, towards 2x1Gb hAP AC2, VLAN handling, again using 2x1Gb on AC2, back to switch and then other server acting as iperf server, right?
So you pass that 2x1Gb bond on AC2 2 times incl VLAN handling.

Half total for all cores might very well be 1 or even 2 cores at 100%.
And then you’re at the max, whatever else you try.

Yes.

Yes, but in different directions: one RX and another TX. I expect a full duplex, so 2Gb for RX and TX together.

It’s 50% of the CPU load. I don’t know how to see a real top.

Why?

  • CPU has resources
  • bonding has resources (only half is used), and packets can be processed independently
  • CPU has a connection with 2Gb

PS: Right now it’s a theoretical question: if Mikrotik is not good in design or I made a mistake

50%-60% of total 4 cores can mean at least 1 core is at 100% (if it was only that one you would reach 25% total).

Tools / profile / all
And then you will see all cores separately.
Is 1 at or close to 100% ? Game over then.

you can try fasttrack also

Yes. But there are other cores.
The connection table in the kernel is a lock-free structure, and ALL cores can process packets without waiting for each other (except by inserting them into this table).
Also, SoC of this router has a hardware NAT

I thought about it but I don’t see it in actions.

Fast track is in the filter rules menu not the NAT one

What if ROS doesn’t work the way you’d want it to but the way we have experienced in the last decade or two? You can argue with us as much as you want (but that won’t change a thing, we’ll just ignore you) … or you can check the things we suggest you check and we’ll get to the bottom of it together.

(I already hit the “ignore” mode before responding to that last post :laughing: )

I don’t argue.
Of course, I profiled it before. I was able to see that only one or two CPU cores are used.
That is the reason why I wrote that only half of the cores were used. In this test, only one core was used.
However, I attached the screenshots.

Last test:

  • Only one CPU is used
  • Total CPU usage 25%

added, nothing changed

However, I got another hAP, and started from initial to see the difference