I just bought an RB hEX to use as a router at home for an FTTH ONT which works in bridge mode. The hEX acts as the home router and it's configured this way:
LAN1 → WAN
LAN2 → master port
LAN3-5 → slave ports
There is also a DHCP server and Masquerade. No filter rules in firewall, no queues. Really simple configuration.
This config was used with the latest stable ROS v6.40.3, and it was also tested after upgrading to the newest rc version, which has hw-offload in bridge.
My question is about actual NAT performance between WAN<->LAN ports. How should the hEX really perform? Because I cannot achieve more than 560-600 Mbps and I think this is a bit too small a value for a two-core 880 MHz CPU. Or am I wrong?
And yes – I also tested it bypassing the hEX and plugging in my computer just after FTTH ONT and then I’m nearly saturating GbE port achieving ~930 Mbps.
The MT7621A includes the PPE (Packet Processing Engine), but RouterOS cannot work with it. So yes, the hEX will limit the speed of the network without fast tracking. And speed will be more limited if you use any tunnels or many firewall rules. The Ubiquiti ER-X will be better for network address translation at gigabyte speed - its EdgeOS can use HW_NAT (PPE) and CryptoEngine simultaneously. RouterOS can use only CryptoEngine for IPsec tunnels (and it is also great, but…).
So I have a question for Mikrotik's developers and managers - is there any chance that HW_NAT will be used by RouterOS in the future?
Fasttrack is, essentially, FastPath + connection tracking. But since fasttracked packets bypass firewall almost entirely, connection tracking becomes barely usable for anything except NAT and fasttrack itself.
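
An added example, not part of any post above: a RouterOS v6 filter layout that enables fasttrack for the NAT setup described in the thread while keeping filtering on the packets that still reach the firewall. It assumes `ether1` is the WAN port (the thread only says "LAN1 → WAN") and that the thread's masquerade rule is already in place; the comments are illustrative.

```routeros
# Added example. Assumption: ether1 is the WAN port of the hEX.
# Only connections already seen as established/related are fasttracked,
# so the first packet of every connection (state "new") still traverses
# the filter rules below before the connection can be accelerated.

/ip firewall filter

# Router itself: allow replies and LAN-originated traffic, drop the rest from WAN.
add chain=input action=accept connection-state=established,related comment="input: replies"
add chain=input action=drop connection-state=invalid comment="input: drop invalid"
add chain=input action=drop in-interface=ether1 comment="input: drop everything else from WAN"

# Forwarded traffic: fasttrack first, then a normal accept for the packets
# of those connections that still take the slow path.
add chain=forward action=fasttrack-connection connection-state=established,related comment="forward: fasttrack"
add chain=forward action=accept connection-state=established,related comment="forward: slow-path remainder"
add chain=forward action=drop connection-state=invalid comment="forward: drop invalid"

# New connections arriving from WAN are dropped unless a dst-nat rule
# (port forward) created them. This is evaluated before fasttrack can apply.
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 comment="forward: drop unsolicited WAN"
```

Once a connection is fasttracked, per-packet filter, mangle and queue rules no longer see most of its traffic, so any policy that must apply to a flow has to match it while it is still in the `new` state.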