Low Speed Problem

Galas · February 6, 2025, 2:06am

Hello everyone.
Let me preface this, saying I’m a newbie into mikrotik. I do have some network expertise, but I’m currently trying to implement a RoaS aproach using a RB2011 router (yes, I know it’s an ancient device)

Started using this thread as reference: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

I have a couple of VLANs, and I’m facing VERY slow inter-vlan traffic.

I searched and read various threads about it, but can’t manage to resolve it. Seems like a very simple setup, but can’t make it to work.

iperf result same VLAN from PC to NAS, getting ~900 Mbits/sec
iperf result different VLAN from PC to NAS, getting ~5 Mbits/sec

What I’m missing? thanks in advance

# feb/06/2025 02:50:27 by RouterOS 6.49.15
# software id = UV6S-7VJP
#
# model = 2011iLS
/interface bridge
add name=BR1 protocol-mode=none pvid=99 vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 
/interface vlan
add interface=BR1 name=LAN-HOME vlan-id=10
add interface=BR1 name=LAN-LAB vlan-id=20
add interface=BR1 name=LAN-MGMT vlan-id=99
/interface list
add name=WAN
add name=VLAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=HOME-POOL ranges=10.1.10.130-10.1.10.180
add name=LAB-POOL ranges=10.1.20.2-10.1.20.254
add name=MGMT-POOL ranges=10.1.0.130-10.1.0.190
/ip dhcp-server
add address-pool=HOME-POOL disabled=no interface=LAN-HOME name=HOME-DHCP
add address-pool=LAB-POOL disabled=no interface=LAN-LAB name=LAB-DHCP
add address-pool=MGMT-POOL disabled=no interface=LAN-MGMT name=MGMT-DHCP
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether5 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether8 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether9 pvid=99
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether2 untagged=ether4,ether3 vlan-ids=10
add bridge=BR1 tagged=BR1,ether2 untagged=ether8 vlan-ids=20
add bridge=BR1 tagged=BR1 vlan-ids=99
/interface list member
add interface=pppoe-out1 list=WAN
add interface=LAN-MGMT list=VLAN
add interface=LAN-HOME list=VLAN
add interface=LAN-LAB list=VLAN
add interface=LAN-MGMT list=MGMT
/ip address
add address=10.1.0.2/24 interface=LAN-MGMT network=10.1.0.0
add address=10.1.10.1/24 interface=LAN-HOME network=10.1.10.0
add address=10.1.20.1/24 interface=LAN-LAB network=10.1.20.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=10.1.0.0/24 dns-server=10.1.0.2 gateway=10.1.0.2
add address=10.1.10.0/24 dns-server=10.1.0.2 gateway=10.1.10.1
add address=10.1.20.0/24 dns-server=10.1.0.2 gateway=10.1.20.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=\
    established,related
add action=accept chain=input comment="Permito VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Permito LAN-MGMT Full " in-interface=\
    LAN-MGMT
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment=Ping protocol=icmp
add action=drop chain=input comment="Drop lo que no sea de VLANs" \
    in-interface-list=!VLAN
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="Accept in ipsec policy" ipsec-policy=\
    in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" ipsec-policy=\
    out,ipsec
add action=fasttrack-connection chain=forward comment=Fasttrack \
    connection-state=established,related
add action=accept chain=forward comment="Accept established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/system clock
set time-zone-name=America/Montevideo
/system identity
set name=Galas-Router01
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

edit: some modifications and version

mainstay777 · February 6, 2025, 8:57am

Hi there, I am no expert in any way, but using very similar config. One thing you could consider is that your router may not have hardware offloading and the inter-vlan switching puts a load on a cpu which as you say may not be the latest. There is some information regarding this issue in the wiki:

Currently, CRS3xx, CRS5xx series switches, CCR2116, CCR2216 routers and RTL8367, 88E6393X, 88E6191X, 88E6190, MT7621 and MT7531 switch chips (since RouterOS v7) are capable of using bridge VLAN filtering and hardware offloading at the same time, other devices will not be able to use the benefits of a built-in switch chip when bridge VLAN filtering is enabled. Other devices should be configured according to the method described in the Basic VLAN switching guide. If an improper configuration method is used, your device can cause throughput issues in your network.

https://help.mikrotik.com/docs/spaces/ROS/pages/328068/Bridging+and+Switching#BridgingandSwitching-BridgeVLANFiltering

Hope this helps!

jaclaz · February 6, 2025, 10:14am

The RB2011 has also a particular internal setup:
https://cdn.mikrotik.com/web-assets/product_files/Block-RB2011UAS-2HnD_130546.pdf
with two separate bridge chips, one for the Gb ports and one for the 10/100 ones, mixing them in a single bridge may be part of the issue, it is usually advised to bridge them externally with a patch cable (losing two ports) to avoid having traffic go through the CPU and/or having the basic configuration “reversed” using the slower interfaces for internet connection and have all the Gb ports as switch ports (of course if the internet connection is below 100 Mb).
See this:
https://help.mikrotik.com/docs/spaces/ROS/pages/19136718/Layer2+misconfiguration#Layer2misconfiguration-VLANfilteringwithmultipleswitchchips

It is a complex matter, check also:
http://forum.mikrotik.com/t/rb2011-how-connect-ports-from-differ-hw-switch/155494/1

Galas · February 6, 2025, 3:06pm

Thanks for the responses.

@jaclaz

I came across with the same info about the two switches, and tried briding ONLY the GB interfaces.
Same results.

This might be an old device, but getting only 5% of the speed is ridiculous.

Maybe there is something else that I’m missing? Or there is a better way to achieve this?

jaclaz · February 6, 2025, 3:39pm

Your setup seens almost, but not quite, completely unlike the one specifically recommended for the 2011, here:
https://help.mikrotik.com/docs/spaces/ROS/pages/103841826/Basic+VLAN+switching
in the part titled:
Other devices with a built-in switch chip

Maybe you should start from that example (and/or the ones reference to there) as a base