I use RB450GX4 as my router and it’s running RouterOS 7.8. I have 3 WANs on ether2, ether3, ether5. ether1 and ether4 are connected to switches.
I get these speeds,
~930mbps (over IPv4) and ~900mbps (over IPv6) from device A connected to switch A to device B connected to switch B where both devices A and B are in the same VLAN,
~390-400mbps from device A connected to switch A to device B connected to switch B where devices A and B are in different VLANs.
I am trying to figure out if 400mbps inter-vlan traffic is the limit for this device or if I have made an error and I can get more performance out of it?
The CPU usage is around ~5% when the devices are in the same VLAN and goes up to 30% when they are in different VLANs.
/interface bridge settings
set use-ip-firewall-for-vlan=yes
So if you’re not really sure why you actually need it (no, you don’t need it to push inter-vlan traffic through firewall), you should set it to no.
Other than that, your setup is pretty complex and I guess you can’t get RB450Gx4 much faster than what you see. I’d try to optimize firewall and mangle rules if possible, that would make setup a bit less demanding (and thus faster), but I can’t say if it’s possible at all.
A note on CPU utilization: your router has 4 CPU cores and one core fully loaded translates to 25% CPU load. You can see more details if you run CPU profiler. When it comes to firewalling/routing, ROS will push all packets, belonging to single connection, via same CPU core (to avoid out-of-order delivery). So what you see is likely to be expected, most real-life application protocols (e.g. SMB) use single connection between client and server. But you could run iperf3 in TCP mode and multiple (e.g. 8 or more) parallel streams, that should give you higher aggregate throughput as router would be able to engage more CPU cores.
It’s enabled by default for some reason but this setting only does anything if use-ip-firewall is enabled on the bridge. I don’t have that setting enabled so the value for this flag is meaningless. I tried disabling it anyway but it doesn’t work.
So if you’re not really sure why you actually need it (no, you don’t need it to push inter-vlan traffic through firewall), you should set it to no.
I have to since I have restrictions on each vlan and the networks they are allowed to talk to.
I tried running iperf with 4-8 threads and the speeds are roughly the same (around ~400mbps).
I’ll try optimizing mangle rules (and maybe check speeds after disabling mangle rules to see how much it’ll help).
Really?
I have the same device and ip firewall is not selected by default, nor could I find it in your config, which is a big bloated thing more concerned with blocking stuff instead of basically allowing traffic and dropping all else.
It’s been reported in another thread (I’m not searching for it, you can do it if you don’t trust my word) that 7.8 has a bug that if setting is enabled, it doesn’t get inactive if use-ip-firewall is disabled. So you have to enable use-ip-firewall, disable use-ip-firewall-for-vlan and disable use-ip-firewall again.
The setting (when active) means that tagged traffic, passing bridge, will be subject to firewall rules … even for intra-vlan traffic. For inter-vlan traffic, IP firewall rules will get triggered in all cases because that traffic is handled by router’s IP layer.
That is a pretty bad bug.
Which coder was asleep at the wheel?
We should make him sleep with Viktors ( I heard he snores ) or get a bearded face rub for hours…
My firewall config is not quite right to work properly with fasttrack-connection.
The problem I have right now is,
If I use fasttrack-connection with my firewall rules, a lot of connections get stuck for 5-8 seconds on receiving traffic from the other side and pretty much everything feels very slow (DNS resolution over DoT takes forever & sites open really slow). I verified this with Firefox profiler on multiple websites.
I tried,
Disabling allow fast path on bridge. It didn’t fix the problem and my speeds were the same (around ~930mbps).
Disabling the filter rule for fast tracking connections and instantly, everything feels faster (DNS resolution is faster, sites don’t get stuck at the loading icon) but now speeds are down to 400mbps.
I tried re-arranging the fasttrack rule and I still have that problem. I am considering only fasttracking local traffic. My internet connection is ~120-130mbps so there is no point in fast tracking that anyway.
Indiscriminately fasttracking all established,related traffic causes weird issues with responsiveness. This yields ~930mbps speeds at ~5% CPU usage.
I have an interface list ALAN which consists of 2 more interface lists, LAN and LAB. I added restrictions like in-interface-list=ALAN out-interface-list=ALAN.
This yielded ~650-750mbps speeds at ~25-28% CPU usage.
I removed the constraints from step 2 and tried adding, src-address=10.0.0.0/16 dst-address=10.0.0.0/16.
With this, I get ~930mbps at around ~30-32% CPU Usage. (10.0.0.0/16 covers LAN and LAB)
As I wrote: your setup is pretty complex, so it’s hard to debug it. But one thing pops out: fast track is incompatible with mangling. So you have to exempt from fasttracking all traffic which is subject to mangling.
Noted! Thank you for taking time to clarify. Local traffic is not subject to mangle rules so I can fasttrack that. I get great speeds now and I don’t really care about CPU usage, so right now everything looks/works well.
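Added example, not a config posted by anyone in this thread: a RouterOS 7 CLI fragment that applies the two fixes the thread arrives at, the enable/disable sequence that clears a stale use-ip-firewall-for-vlan flag, and a fasttrack rule limited to local traffic so mangled WAN connections stay in the slow path. The 10.0.0.0/16 range is the one the thread mentions; the connection-mark=no-mark guard is an assumption that mangle rules mark the connections they touch, adjust it if yours only mark packets or routing.

```routeros
# 1. Workaround for the 7.8 bug described above: the -for-vlan flag only
#    changes state while use-ip-firewall is on, so toggle it through.
/interface bridge settings
set use-ip-firewall=yes
set use-ip-firewall-for-vlan=no
set use-ip-firewall=no
# Verify both flags now read "no".
print

# 2. Fasttrack only established/related traffic between local subnets.
#    New connections still pass the per-VLAN restriction rules below;
#    only their follow-up packets skip the firewall (and mangle), which is
#    why traffic that mangle rules mark is explicitly excluded.
/ip firewall filter
add chain=forward action=fasttrack-connection \
    connection-state=established,related \
    src-address=10.0.0.0/16 dst-address=10.0.0.0/16 \
    connection-mark=no-mark \
    comment="fasttrack local inter-VLAN traffic only (not WAN, not mangled)"
add chain=forward action=accept connection-state=established,related \
    comment="everything else stays in the slow path so mangle rules apply"
add chain=forward action=drop connection-state=invalid
# ... per-VLAN allow rules for connection-state=new follow here,
#     ending with a final drop.

# 3. Checks: the fasttrack rule's counters should grow during a local
#    iperf run, and /tool profile shows the per-core load the thread discusses.
/ip firewall filter print stats where action=fasttrack-connection
/tool profile duration=10
```

If WAN traffic is ever fasttracked by mistake, the symptom is the one the thread describes (stalls and slow DNS over DoT), so re-check the counters on the mangle rules after a change.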