hAP CPU usage

Hello!

I got one problem with my Mikrotik router. I have a hAP ac at my home. Only a few connections at a time: NAS, TV, PC, laptop.
Since a couple of days I have a brand-new fiber connection with 400Mbit down → 200Mbit up.

My problem is now I can not reach the 400Mbit. The CPU of my router is hitting 100%. I am stuck at ~300Mbit.
The CPU profiler said almost 35% CPU is used for firewall. So I disabled all rules on my IPv4 ruleset since the speedtest is using IPv4. No changes.
I disabled the IPv6 firewall rules → I can reach the 400Mbit. The CPU is still at 95%. But I get full speed.

First question: When using an IPv4 connection, why do the IPv6 rules have so much impact even though they are not used for this connection? I played a bit with the IPv6 rules. It doesn’t matter which rule I enable there. As long as one rule is enabled I have the high CPU usage on “firewall” in the profiler.

Second question: Why do I have such a high CPU usage even with the firewall rules disabled? Networking and Ethernet are both taking the most during a speedtest: ethernet around 30% and networking over 40%.

I hope someone can help me with my questions :slight_smile:

The router should reach almost 2Gbit: https://mikrotik.com/product/RB962UiGS-5HacT2HnT#fndtn-testresults


I wish you merry Christmas all!!!

There are 2 CPU-consuming tasks: connection tracking and firewall filter evaluation. Connection tracking is needed for NAT as well, so in SOHO environment one can not really disable that. Firewall filter evaluation can be largely bypassed for IPv4 if fasttrack is properly configured. However, IPv6 doesn’t have fasttrack (yet). This doesn’t explain why IPv4 throughput increases when you disable IPv6 firewall though (are you sure you’re testing with IPv4 traffic?).

Re. capacity: my experience is that in real use, the most relevant figure from the table you linked is the one reading “Routing - 25 ip filter rules - 512 byte [packet size]” … and figure for hAP ac is around 320 Mbps. Surely you can get higher than this, but you have to hand-optimize firewall filter rules etc.

Is fasttrack enabled in your firewall filter rules?
Does it count?
Also, I can guess your connection with the ISP is through the SFP port?

I don't use fasttrack now.

But you are right. The speedtest is using IPv6. My bad. Anyway. As soon as I enable a simple “accept” rule the speed is dropping.

No fasttrack now.

I use the ether1 port. The SFP port is not used right now.


EDIT: I just noticed the queue is using around 10% of my CPU. It looks like my router is underpowered for what I am trying to do. Do you have any ideas or do you think I should get a router with better performance?

For IPv4, connection tracking can be enabled, disabled or left automatic (a new default value), which according to manual “means that connection tracing is disabled until at least one firewall rule is added”. IPv6 doesn’t have this configurable, but it would make sense that it’s automatic there too. So without any rules, you may be skipping connection tracking completely and it would help for sure.
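The two replies above describe how fasttrack and the connection-tracking "auto" setting interact. The following is an added example of the usual IPv4 fasttrack layout in RouterOS; it is not a configuration posted in the thread. It assumes the WAN is on ether1 (as the original poster says) and that the LAN is bridged behind it; the comments and interface names are illustrative.

```routeros
# Added example (not from the thread): IPv4 fasttrack in /ip firewall filter.
# Assumes RouterOS 6.x, WAN on ether1, default "forward" chain.

# Leave conntrack on "auto": it stays off until a firewall rule exists. The
# moment any rule is added, tracking starts and even a bare "accept" costs CPU.
/ip firewall connection tracking
set enabled=auto

/ip firewall filter
# 1. Mark established/related connections for fasttrack. This must be the first
#    forward rule that can match them; anything above it is evaluated first.
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="fasttrack established/related"
# 2. Accept the same traffic. The first packets of each connection still take the
#    slow path until the connection is fasttracked, so this rule follows directly.
add chain=forward action=accept connection-state=established,related \
    comment="accept established/related"
# 3. Everything below only sees connection-state=new (and invalid) packets.
add chain=forward action=drop connection-state=invalid \
    comment="drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface=ether1 comment="drop new WAN->LAN that is not port-forwarded"
```

To answer "does it count?": `/ip firewall filter print stats` should show the byte/packet counters of the `fasttrack-connection` rule climbing during a speedtest, and `/ip firewall connection print` flags fasttracked connections. Two caveats a practitioner should keep in mind: fasttracked packets skip the rest of the filter, mangle and simple queues, so the ~10% queue CPU mentioned above goes away only because those connections are no longer shaped at all; and, as the reply notes, this applies to IPv4 only, so an IPv6 speedtest gains nothing from it.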

So it looks like everything is working as expected right?

Right now I only see one solution. I need a more powerful router. Which router would be able to handle a VPN tunnel with 1000Mbps?
I can only see one router on the Mikrotik website with wireless: MikroTik RB4011iGS+5HacQ2HnD-IN which reach 1500Mbps.

Any other options? Would it be better to get an Ethernet router and a separate access point for wireless?

Is the OpenVPN performance comparable to IPsec?

Price is not that important. As long as it's not a total overkill :smiley: :smiley:

Yes, at the moment separate out the Wifi, as MikroTik does not have a great all-in-one unit, today anyway. So, you’re looking at getting the RB4011 or the CCR1009 and then dangling a cAP AC off a free port.

Why do you recommend the RB4011 but without wireless?
I get the point that it makes more sense to “outsource” the wireless stuff. But I would prefer an “all in one” device over separate devices as long as they don’t have disadvantages.

There is a very long thread about wifi, on the 5Ghz side, cutting out. Try one from a dealer you can return it to. I would prefer to recommend it if possible.

For IPv4, connection tracking can be enabled, disabled or left automatic (a new default value), which according to manual “means that connection tracing is disabled until at least one firewall rule is added”.

Actually there is no enable/disable option for fasttrack, nor a checkbox that a user enables or disables with a click of a button… for fastpath, yes, there is… just in case someone looks for it…
Also, fasttrack is fastpath + connection tracking… so if no firewall is used there is no point in fasttrack, apparently…