Hi,
I have a small home test environment and use a HEX S (6.45.
for routing and firewalling:
Bridge VLAN filtering setup
Vlan ~ 15 via Trunk on eth2 to a cisco sg200-08
IP Firewall Filter rules ~ 75
IP Mangle rules ~ 10
IP NAT rules ~ 10
Fasttrack is enabled but the max. throughput from vlan to vlan ~ 200 MBit/s.
Does anyone have some suggestions to improve the vlan to vlan performance or do I have to order a bigger router like Rb4011?
Thanks
best regards
75 filter rules, it sounds like the router needs a new admin!!!
Either router needs a new admin or admin needs a new router…
According to official test results (with a pinch of my experience) hEX S can route around 380 Mbps. But that’s with 25 IP filter rules. OP has got 75 IP filter rules … and 10 mangle rules which means that fast-track is out of picture (at least for some part of traffic).
So I’d say that OP is squeezing all the juice from the poor little device …
I am truly impressed with this many rules … WOW …
How may of these rules actually show activity?
If this many rules are needed then I suggest you consider RB3011 containing a dual Core CPU at 1.4Ghz, and because it has a superior switch chip that enables hardware accelerations for all LAN devices. The RB4011 has a much inferior switch chip but it does have a quad core CPU at 1.4Ghz … IMO a superior switch chip is far more desirable … with the RB3011 you would not need the CISCO SG200-8 
Thanks for response, sorry I’m not a network admin specialist, but I am not a stupid idiot.
And yes 80% of the rules had hitcounts!
It’s a small virtualization homelab (3x ESXi) with 2 internet connections, (workaround) dns forwarder and specified access rules 75 rules for more granularity for different network segments …
Regarding your recommendation I condeced the 75 rules to 20 and disabled the mangle/nat rules and the result was nearly the same … 180 - 230 MBit’s (fasttrack enabled and fasttrack disabled) via IPerf
Throughput in the same broadcast domain is working with full gigabit speed.
I use a seamless configuration (https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_VLAN_Filtering). I know this configuration has no hardware switching support.
So I think the HEX S is too small for my scenario.
best regards
Before purchasing a 4011 (I don’t think you need the switch chip features as you complain about inter-vlan routing, not switching), you may want to give a try to a CHR on your ESXi. The evaluation license is free.
Very NICE Lab …
I suspect that the RB3011 would work out well for your LAB.
If you are going to keep the SG200-8 then do consider the RB4011 with its quad core CPU … the combination of the RB4011 and the SG200-8 would provide you with the throughput you would like to have.
That‘s a good idea. As I started with one intel nuc esx hosted I used a chr, but the small nuc performance was to low for a chr in combination with some windows and linux VM‘. So I bought the HEX S to remove the load. Now with 3 host I will retry
RB3011 and RB4011 have nearly the same price (10€ difference), so if I decide to buy the a new hardware it would be better to buy the newer RB4011. In a previous job I used the RB3011 and it worked well, but I didn‘t tested the max throughtput. Thanks
HEX S has a max speed of about 385.4 Mbps for 25 IP firewall Rules…
If we add InterVLAN, mangles etc then i can tell this router’s performance is expected…
Haha Zach, you just woke up or sumptin. That ground has been covered LOL.