How to diagnose VLAN performance issues on RB3011

With the guidance and help of everyone here I swapped out my RB2011 (without VLANs) for my new RB3011 with 3 VLANs. I learned a lot, to say the least, and networking is not my strong suit.

Having said that, I am seeing some hiccups with the internet connection. I know there is a lot of pressure on the infrastructure in general, but it feels like something is off. Kids got kicked out of Zoom. Some of the Google Meet calls have been stuttering. Is there anything in particular that I should be spot checking? The only thing I have done so far is spot check memory and CPU, and those don't even seem to be affected.

There’s /system profile cpu=all during hiccups to see if some process is over-using resources. You can check the byte counts on interfaces (if using the GUI to connect there are nice graphs made from those numbers). Look into /log if there’s something logged when problems appear … perhaps some ether port drops a few frames, perhaps wireless gets noisy for a moment, …
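The "look into /log around the time of the problem" step above is easier when the log dump is filtered to a window around the reported incident. The script below is an added example, not code from the thread: it parses lines in the format RouterOS `/log print` emits (`HH:MM:SS topics message`, older entries prefixed with a `mon/dd` date), returns the entries within a chosen number of minutes of an incident time, and counts entries per topic so link flaps or DHCP churn stand out from routine `account` logins. The sample log lines, the incident time and the window width are constructed assumptions, not the thread's own data.

```python
"""Pull RouterOS log entries that fall inside a window around a reported incident.

Added example. Log format modelled on RouterOS `/log print`; sample lines,
incident time and window width are constructed for illustration.
"""
import re
from datetime import datetime, timedelta

# Optional "mon/dd " date prefix (RouterOS adds it to entries older than today),
# then HH:MM:SS, comma-separated topics, and the message.
LOG_RE = re.compile(r"^(?:[a-z]{3}/\d{2} )?(\d\d:\d\d:\d\d) (\S+) (.*)$")

# Constructed sample in RouterOS log format (not the poster's actual log).
SAMPLE_LOG = """\
09:08:20 dhcp,info DHCP-Home deassigned 10.1.1.105 from 60:6B:FF:2E:B4:AF
09:08:20 dhcp,info DHCP-Home assigned 10.1.1.105 to 60:6B:FF:2E:B4:AF
09:12:40 system,info,account user admin logged in from 10.1.1.101 via web
09:19:02 interface,info ether5 link down
09:19:05 interface,info ether5 link up (speed 1G, full duplex)
09:22:51 system,info,account user admin logged in from 10.1.1.101 via web
09:37:35 system,info,account user admin logged in via local
"""


def parse_log(text):
    """Return [(timestamp, set_of_topics, message)] for each well-formed line."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or non-log lines
        ts = datetime.strptime(m.group(1), "%H:%M:%S")  # date part irrelevant here
        entries.append((ts, set(m.group(2).split(",")), m.group(3)))
    return entries


def events_near(entries, incident, minutes=3, topics=None):
    """Entries within +/- `minutes` of `incident` (HH:MM:SS), optionally limited to topics."""
    centre = datetime.strptime(incident, "%H:%M:%S")
    lo, hi = centre - timedelta(minutes=minutes), centre + timedelta(minutes=minutes)
    wanted = set(topics) if topics else None
    return [e for e in entries
            if lo <= e[0] <= hi and (wanted is None or e[1] & wanted)]


def topic_counts(entries):
    """How many entries carry each topic, so noisy topics are visible at a glance."""
    counts = {}
    for _, topics, _ in entries:
        for t in topics:
            counts[t] = counts.get(t, 0) + 1
    return counts


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("topic counts:", topic_counts(log))
    # Incident reported at about 09:21; show everything 3 minutes either side.
    for ts, topics, msg in events_near(log, "09:21:00", minutes=3):
        print(ts.strftime("%H:%M:%S"), ",".join(sorted(topics)), msg)
```

Paste the output of `/log print` on the router into `SAMPLE_LOG` (or read it from a file) and set the incident time to the one the user reported; entries whose topics are only `system,info,account` are usually the admin logging in to investigate, so filtering with `topics=["interface", "dhcp", "wireless"]` narrows it to events that can explain a drop.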

/export hide-sensitive file=anynameyouwish

Really tried to get all my ducks in a row with as much info as I could. I was able to catch this in action this morning, and what is interesting is that while I couldn’t access the internet in Chrome, I was also not able to get into the router at http://10.1.1.1, but apps like Slack continued without an issue on the laptop. Other devices running calls, streaming and accessing the internet were unaffected; some of these were on the same SSID as me.

Network diagram (attachment: network.png)

Logs from the incident (happened around 9:21am)

08:42:20 system,info,account user admin logged in from 10.1.1.101 via web 
08:42:26 system,info,account user admin logged in via local 
08:55:04 system,info,account user admin logged in from 10.1.1.101 via web 
08:55:08 system,info,account user admin logged in from 10.1.1.101 via web 
08:55:10 system,info,account user admin logged in via local 
08:55:12 system,info,account user admin logged out via local 
08:56:21 system,info,account user admin logged out from 10.1.1.101 via web 
08:56:21 system,info,account user admin logged out via local 
08:57:21 system,info,account user admin logged out from 10.1.1.101 via web 
09:08:20 dhcp,info DHCP-Home deassigned 10.1.1.105 from 60:6B:FF:2E:B4:AF 
09:08:20 dhcp,info DHCP-Home assigned 10.1.1.105 to 60:6B:FF:2E:B4:AF 
09:12:40 system,info,account user admin logged in from 10.1.1.101 via web 
09:13:51 system,info,account user admin logged out from 10.1.1.101 via web 
09:14:51 system,info,account user admin logged out from 10.1.1.101 via web 
09:22:51 system,info,account user admin logged in from 10.1.1.101 via web 
09:27:48 system,info,account user admin logged in via local 
09:30:41 system,info,account user admin logged out via local 
09:37:35 system,info,account user admin logged in via local

Profile (attachment: profile.png)

Config

/interface bridge
add admin-mac=11:11:11:11:11:11 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
/interface vlan
add interface=bridge name=VLAN-Guest vlan-id=16
add interface=bridge name=VLAN-Home vlan-id=8
add interface=bridge name=VLAN-IoT vlan-id=32
/interface ethernet switch port
set 1 default-vlan-id=8 vlan-header=add-if-missing vlan-mode=secure
set 2 default-vlan-id=8 vlan-header=add-if-missing vlan-mode=secure
set 3 default-vlan-id=8 vlan-header=add-if-missing vlan-mode=secure
set 4 default-vlan-id=8 vlan-header=add-if-missing vlan-mode=secure
set 5 default-vlan-id=0 vlan-mode=fallback
set 6 default-vlan-id=0 vlan-mode=fallback
set 7 default-vlan-id=0 vlan-mode=fallback
set 8 default-vlan-id=0 vlan-mode=fallback
set 9 default-vlan-id=0 vlan-mode=fallback
set 10 vlan-mode=secure
set 11 default-vlan-id=0 vlan-mode=fallback
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip kid-control
add fri=8h-20h mon=8h-20h name=Kids sat=8h-20h sun=8h-20h thu=8h-20h tue=8h-20h wed=8h-20h
/ip pool
add name=Pool-Home ranges=10.1.1.100-10.1.1.199
add name=Pool-Guest ranges=10.1.16.100-10.1.16.199
add name=Pool-IoT ranges=10.1.32.100-10.1.32.199
/ip dhcp-server
add address-pool=Pool-Home disabled=no interface=VLAN-Home lease-time=3d name=DHCP-Home
add address-pool=Pool-Guest disabled=no interface=VLAN-Guest lease-time=12h name=DHCP-Guest
add address-pool=Pool-IoT disabled=no interface=VLAN-IoT lease-time=1d name=DHCP-IoT
/queue simple
add disabled=yes max-limit=20M/480M name=qos queue=pcq-upload-default/pcq-download-default
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface ethernet switch vlan
add independent-learning=yes ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=8
add independent-learning=yes ports=ether5,switch1-cpu switch=switch1 vlan-id=16
add independent-learning=yes ports=ether5,switch1-cpu switch=switch1 vlan-id=32
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=VLAN-Guest list=LAN
add interface=VLAN-Home list=LAN
add interface=VLAN-IoT list=LAN
/ip address
add address=10.1.1.1/24 interface=VLAN-Home network=10.1.1.0
add address=10.1.16.1/24 interface=VLAN-Guest network=10.1.16.0
add address=10.1.32.1/24 interface=VLAN-IoT network=10.1.32.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server config
set store-leases-disk=12h
/ip dhcp-server network
add address=10.1.1.0/24 gateway=10.1.1.1
add address=10.1.16.0/24 gateway=10.1.16.1
add address=10.1.32.0/24 gateway=10.1.32.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
/ip firewall address-list
add address=10.1.1.0/24 list=adminaccess
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Admin Access" in-interface=VLAN-Home src-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries-TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow home-guest access to internet" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Admin Access to Guest VLAN" in-interface=VLAN-Home out-interface=VLAN-Guest src-address-list=adminaccess
add action=accept chain=forward comment="Admin Access to IOT VLAN" in-interface=VLAN-Home out-interface=VLAN-IoT src-address-list=adminaccess
add action=accept chain=forward comment="Allow Port Forwarding - DSTNAT" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip kid-control device
add mac-address=11:11:11:11:11:11 name=Switch1 user=Kids
add mac-address=11:11:11:11:11:11 name=Switch2 user=Kids
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/lcd
set backlight-timeout=1m default-screen=interfaces read-only-mode=yes
/lcd interface
set ether2 disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set sfp1 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes
/system clock
set time-zone-name=America/Toronto
/system identity
set name=MikroTik
/tool e-mail
set address=smtp.gmail.com from=removed@gmail.com port=587 start-tls=yes user=removed@gmail.com
/tool graphing
set store-every=24hours
/tool graphing interface
add interface=ether1
/tool graphing queue
add simple-queue=qos
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add down-script="log error \"WAN is down for Quad9\"" host=9.9.9.9 interval=1m2s timeout=2s up-script=\
    "log error \"WAN is up for Quad9\"\
    \ntool e-mail send to=\"removed@gmail.com\" subject=\"\$[/system identity get name] WAN is up \$[/system clock get time] Quad9\""
add down-script="log error \"WAP is down\"" host=10.1.1.3 interval=1m3s up-script=\
    "log error \"WAP is up\"\
    \ntool e-mail send to=\"removed@gmail.com\" subject=\"\$[/system identity get name] WAP is up \$[/system clock get time]\""
add down-script="log error \"WAN is down for Cloudflare\"" host=1.1.1.1 interval=1m1s timeout=2s up-script=\
    "log error \"WAN is up for Cloudflare\"\
    \ntool e-mail send to=\"removed@gmail.com\" subject=\"\$[/system identity get name] WAN is up \$[/system clock get time] Cloudflare\""
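Reading the hardware VLAN table by eye is where trunk/access mistakes hide, so here is an added check (not code from the thread or from MikroTik) that parses the `/interface ethernet switch vlan` and `/interface vlan` sections of an export like the one above and reports, per VLAN, which switch ports carry it, which ports are trunks (member of more than one VLAN), and whether every VLAN interface the router has on the bridge is present in the switch table together with the CPU port. The embedded export is a trimmed copy of the posted one; the CPU port name and the section names are taken from it.

```python
"""Summarise switch-chip VLAN membership from a RouterOS export.

Added example; the embedded text is a trimmed copy of the thread's export.
"""
import re
from collections import defaultdict

KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')

# Trimmed copy of the thread's export: only the sections this check needs.
SAMPLE_EXPORT = """\
/interface vlan
add interface=bridge name=VLAN-Guest vlan-id=16
add interface=bridge name=VLAN-Home vlan-id=8
add interface=bridge name=VLAN-IoT vlan-id=32
/interface ethernet switch vlan
add independent-learning=yes ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=8
add independent-learning=yes ports=ether5,switch1-cpu switch=switch1 vlan-id=16
add independent-learning=yes ports=ether5,switch1-cpu switch=switch1 vlan-id=32
"""


def parse_export(text):
    """{section line: [dict of key=value props for each add/set line]}.

    Lines ending in a backslash are joined with the next line, as RouterOS does.
    """
    sections = defaultdict(list)
    current, buffer = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buffer += line[:-1]
            continue
        line, buffer = buffer + line, ""
        if not line:
            continue
        if line.startswith("/"):
            current = line
            continue
        if current is None or not line.startswith(("add ", "set ")):
            continue
        props = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        sections[current].append(props)
    return sections


def vlan_port_map(sections):
    """{vlan_id: set(ports)} built from the switch chip VLAN table."""
    table = {}
    for entry in sections.get("/interface ethernet switch vlan", []):
        table.setdefault(int(entry["vlan-id"]), set()).update(entry["ports"].split(","))
    return table


def port_roles(table):
    """{port: (role, sorted vlan ids)}; a port in more than one VLAN is a trunk."""
    per_port = defaultdict(set)
    for vid, ports in table.items():
        for p in ports:
            per_port[p].add(vid)
    return {p: ("trunk" if len(v) > 1 else "access", sorted(v)) for p, v in per_port.items()}


def check_router_vlans(sections, table, cpu_port="switch1-cpu"):
    """Every /interface vlan on the bridge needs a switch VLAN entry that includes the
    CPU port; otherwise tagged frames for that VLAN never reach the router's VLAN interface."""
    problems = []
    for iface in sections.get("/interface vlan", []):
        vid = int(iface["vlan-id"])
        ports = table.get(vid)
        if ports is None:
            problems.append(f"{iface['name']} (vlan {vid}): no switch VLAN table entry")
        elif cpu_port not in ports:
            problems.append(f"{iface['name']} (vlan {vid}): {cpu_port} missing from entry")
    return problems


if __name__ == "__main__":
    sec = parse_export(SAMPLE_EXPORT)
    table = vlan_port_map(sec)
    for vid in sorted(table):
        print(f"vlan {vid}: {', '.join(sorted(table[vid]))}")
    for port, (role, vids) in sorted(port_roles(table).items()):
        print(f"{port}: {role} {vids}")
    print("problems:", check_router_vlans(sec, table) or "none")
```

On the posted export this reports ether2 to ether4 as access ports in VLAN 8 and ether5 (the link towards the unmanaged switch and the AP) as the trunk carrying 8, 16 and 32, with no missing CPU-port entries. It deliberately reads only the VLAN table; the `vlan-mode` and `vlan-header` settings under `/interface ethernet switch port` have to agree with it and still need to be checked by hand.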

Nice, unfortunately my switch knowledge is limited to the 260GS, so it’s zinging above my head.
Suffice to say, if the RB3011 is set properly, the issue is with the access point(s), or perhaps the inability of the unmanaged switch to pass the full VLANs…
The best bet is to replace the unmanaged switch…

Actually that’s a good idea. I just use that switch to get the power to the WAP. I can test out your theory by just digging up a PoE Injector and cutting the switch out of the equation.

Even an unmanaged switch can cause problems on VLANs as well… @mkx told me that :astonished:
However your case seems a little different…
Have you applied any Quality of Service to your Router ?
If someone can use as much bandwidth as he wants then such problems can happen…

I turned off my simple QoS queue so I could get fast track back on. I thought that would help.

I was running the same setup, less the VLANs, on the RB2011. Switched to the RB3011 with the VLANs on Sunday night. I thought the beefier HW with the VLANs would be a wash, but something is amiss. The big difference I noticed with the switch is that it takes longer to get an IP address when plugging in the cable.

Probably reaching but I’m looking at the packets dropped on the firewall rules. Pretty sure that’s normal but just throwing it out there.

On your Ubiquiti AP are you running the latest firmware?
UniFi firmware 4.0.80 for UAP-AC-Lite/LR/Pro/EDU/M/M-PRO/IW/IW-Pro
We have a 3011 working with no issues in a 10 story residential apartment using 10 24 port Cisco switches. Each switch is loaded at about 60% fill. The AP-LR is a robust AP to say the least. I would look at the config on the AP to see if there is anything that might be in conflict with the VLAN config on the 3011.

I turned off my simple QoS queue so I could get fast track back on. I thought that would help.

Help on what ?
What is your Internet Speed from your ISP ?

I was grasping and thought maybe this was getting caught up in the firewall rules somehow and QoS queue had me turn off Fasttrack. Internet connection is 500/20 but with everything going on I was getting like 60-100 down. Seems like they fixed the issue now.

3011 can do more than 500Mbps without fasttrack enabled, so either on or off it would be the same as far as speed goes…
Also Queues (except the queue trees) do not work when fasttrack is enabled…

I added the Queue back in and turned off Fasttrack though I don’t think this will solve my issue.

Would it be possible to see your config on the Ubiquiti AP-LR?

@JazzMaster, is there an easy way to extract that kind of like /export? I did the settings backup but that looks like a binary file.

I would like to know if you have VLANS setup on the AP?

This issue is very interesting to me.

I’m keeping the changes on the AP to a minimum. Really not much there as far as I remember. I set this up years ago and it’s been solid, haven’t changed anything until the VLANs this weekend.

Nothing fancy, there are 3 SSIDs over 2.4/5GHz, all internal, and each one specifies a VLAN. It’s running the latest version.

Thank you, that is what I wanted to know. I’ll research your problem and get back to you.

Were you able to find anything? I reverted back to my RB2011 without VLANs and all my WiFi issues went away.