Low performance over EOIP tunnel

shady79 · February 21, 2018, 12:15pm

Hi

I have two mikrotik routers connected via 1Gbit/s link. One CCR1016 (6.41) and CCR1009 (6.40)
When I measure link speed using build in bandwidth test I get results about 970Mbps. Its OK.
I added some EOIP (no IPSEC) tunnels and VLAN’a on this connection and when I test bandwidth over tunnel I get very low performance.
Eoip interface has MTU 1458 and VLAN has MTU 1400.

Test between two stations connected to routers

Test between routers over EOIP

Can it be faster?

pcdwarf · February 21, 2018, 12:25pm

sending 1500 octet packets over an MTU of 1400 leads to fragmentation and poor performance.
Match the bw test to the mtu of the eoip link.
for normal trafic, add mangle rules to clamp tcp-mss to pmtu.

shady79 · February 23, 2018, 12:36pm

In both side I added a mangle rule like that

1 chain=forward action=change-mss new-mss=clamp-to-pmtu passthrough=yes
tcp-flags=syn protocol=tcp log=no log-prefix=“”

and it doesn’t make no difference.

BlackVS · February 23, 2018, 1:25pm

It doesn’t make difference for UDP (I see UDP on second screenshot) due tcp clamp is tcp clamp.

shady79 · February 23, 2018, 1:34pm

but iperf uses tcp I guess.

shady79 · February 26, 2018, 10:15am

I created a test configuration like this:

Router1

feb/26/2018 10:43:17 by RouterOS 6.41.2

software id = 0J1H-G60E

model = 2011UiAS

[admin@TEST1] /interface> print
Flags: D - dynamic, X - disabled, R - running, S - slave

NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS

0 R ;;; LAN
ether1 ether 1500 2000 4074 4C:5E:0C:37:B3:BB
1 R ;;; To Test2 Router
ether2 ether 1500 2000 4074 4C:5E:0C:37:B3:BC
2 ether3 ether 1500 1598 4074 4C:5E:0C:37:B3:BD
3 ether4 ether 1500 1598 4074 4C:5E:0C:37:B3:BE
4 ether5 ether 1500 1598 4074 4C:5E:0C:37:B3:BF
5 ether6 ether 1500 1598 2028 4C:5E:0C:37:B3:C0
6 ether7 ether 1500 1598 2028 4C:5E:0C:37:B3:C1
7 ether8 ether 1500 1598 2028 4C:5E:0C:37:B3:C2
8 ether9 ether 1500 1598 2028 4C:5E:0C:37:B3:C3
9 X ether10 ether 1500 1598 2028 4C:5E:0C:37:B3:C4
10 sfp1 ether 1500 1598 4074 4C:5E:0C:37:B3:BA
11 R eoip-tunnel1 eoip 1458 65535 02:9A:7A:EB:49:E7
12 R vlan10 vlan 1500 65531 02:9A:7A:EB:49:E7

[admin@TEST1] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK INTERFACE

0 X 10.10.1.30/24 10.10.1.0 ether1
1 192.168.20.1/24 192.168.20.0 ether2
2 192.168.22.1/24 192.168.22.0 eoip-tunnel1
3 D 10.10.1.92/24 10.10.1.0 ether1
4 10.20.30.1/24 10.20.30.0 vlan10

[admin@TEST1] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 chain=forward action=fasttrack-connection log=no log-prefix=""

[admin@TEST1] /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 ADS 0.0.0.0/0 10.10.1.1 1
1 ADC 10.10.1.0/24 10.10.1.92 ether1 0
2 ADC 10.20.30.0/24 10.20.30.1 vlan10 0
3 ADC 192.168.20.0/24 192.168.20.1 ether2 0
4 ADC 192.168.22.0/24 192.168.22.1 eoip-tunnel1 0

[admin@TEST1] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""

[admin@TEST1] /interface eoip> print
Flags: X - disabled, R - running
0 R name="eoip-tunnel1" mtu=auto actual-mtu=1458 l2mtu=65535 mac-address=02:9A:7A:EB:49:E7 arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s loop-protect-disable-time=5m local-address=0.0.0.0
remote-address=192.168.20.2 tunnel-id=0 dscp=inherit clamp-tcp-mss=yes dont-fragment=no allow-fast-path=yes

Router2

feb/26/2018 10:42:47 by RouterOS 6.41.2

software id = B215-M847

model = 951G-2HnD

[admin@TEST2] /interface> print
Flags: D - dynamic, X - disabled, R - running, S - slave

NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS

0 ether1 ether 1500 1598 4074 4C:5E:0C:B6:4E:2A
1 R ;;; To test1 router
ether2 ether 1500 2000 4074 4C:5E:0C:B6:4E:2B
2 ;;; PC test
ether3 ether 1500 2000 4074 4C:5E:0C:B6:4E:2C
3 ether4 ether 1500 1598 4074 4C:5E:0C:B6:4E:2D
4 ether5 ether 1500 1598 4074 4C:5E:0C:B6:4E:2E
5 X wlan1 wlan 1500 1600 2290 4C:5E:0C:B6:4E:2F
6 R eoip-tunnel1 eoip 1458 65535 02:82:9B:9C:20:3E
7 R vlan10 vlan 1500 65531 02:82:9B:9C:20:3E
[admin@TEST2] /interface> eoip
[admin@TEST2] /interface eoip> print
Flags: X - disabled, R - running
0 R name="eoip-tunnel1" mtu=auto actual-mtu=1458 l2mtu=65535 mac-address=02:82:9B:9C:20:3E arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s loop-protect-disable-time=5m local-address=0.0.0.0
remote-address=192.168.20.1 tunnel-id=0 dscp=inherit clamp-tcp-mss=yes dont-fragment=no allow-fast-path=yes
[admin@TEST2] /interface eoip> /ip address
[admin@TEST2] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK INTERFACE

0 192.168.20.2/24 192.168.20.0 ether2
1 192.168.21.254/24 192.168.21.0 ether3
2 192.168.22.2/24 192.168.22.0 eoip-tunnel1
3 10.20.30.2/24 10.20.30.0 vlan10
[admin@TEST2] /ip address> /ip firewall filter
[admin@TEST2] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 chain=forward action=fasttrack-connection log=no log-prefix=""
[admin@TEST2] /ip firewall filter> /ip firewall nat
[admin@TEST2] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=vlan10 log=no log-prefix=""
[admin@TEST2] /ip firewall nat> /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S 0.0.0.0/0 10.20.30.1 1
1 ADC 10.20.30.0/24 10.20.30.2 vlan10 0
2 ADC 192.168.20.0/24 192.168.20.2 ether2 0
3 DC 192.168.21.0/24 192.168.21.254 ether3 255
4 ADC 192.168.22.0/24 192.168.22.2 eoip-tunnel1 0

When I test a connection between PC connected to TEST2 on ether3 and PC connected to LAN on TEST1 on ether1 I get results like: 234 Mbits/sec
In the same config but over EOIP not VLAN I get 787 Mbits/sec and without VLAN and EOIP only routing - 849 Mbits/sec

is it possible that VLAN causes such a performance loss? am I doing something wrong?

sebastia · February 26, 2018, 11:10am

It is possible depending on how vlans are configured, and can be caused by:

cpu limitation
bandwidth limitation of the cpu port

But you didn’t provide any info in that regard.

shady79 · February 26, 2018, 11:49am

I did not do anything with cpu limitation.

shady79 · February 26, 2018, 12:20pm

I was able to determine that the bandwidth problem occurs when the VLAN is on eoip tunel, when vilan is on ethernet interface speed is 822 Mbit/sec

sebastia · February 26, 2018, 1:04pm

by cpu limitation I meant processing limits of the cpu

shady79 · February 27, 2018, 8:27am

Where it sets? If it depends on the cpu limitation settings, why the speed is higher when the VLAN is not in the tunnel?

when I reduce MTU to 1400 on my ethernet interface - speed up to 845 Mbits/sec

sebastia · February 27, 2018, 9:51am

LOL, not a setting, just what the cpu can do, how fist it can go…

If the packets from your lan are not too large to fit in a single encapsulted packet, you get best performance. That’s what you’ve observed with 1400 mtu on lan, for traffic going tunnel