I’ve been doing some testing with a new IPSec deployment using an RB1000 with a 20 MBit/s WAN on one end and an RB450G with 100/10 FTTH on the other. Enabling “Clear DF” on the RB1000 cuts performance in half, in my case from nearly 15 MBit/s to somewhere around 8 MBit/s. CPU on the RB1000 sits below 5% and on the RB450G it’s below 35% (it has no hardware acceleration for IPSec).
If I upload just one file using FTP I can see that ~50% performance drop, but if I upload more files at once the performance drop is LOWER, i.e. uploading 4 files sees only a ~35% reduction in upload speed.
Traffic is uploaded from RB1000 to RB450G: RB1000 encrypts IPSec and RB450G decrypts it.
The mangle rules decrease performance even if the traffic is not matched by the rule. Just having the rule there drops performance.
This problem ONLY affects IPSec flows. Using the same setup but accessing FTP using the external/real IPs shows no drop in performance.
The mangle rules are applied only on the RB1000.
I have no other settings in these routers besides the minimal setup for the IPSec tunnel, a couple of auto-created change-MSS rules and a masquerade rule on the RB450G.
Frankly I wouldn’t. I would use 5.25 on both until further notice from MikroTik staff.
EDIT: I’m seeing the exact same problem on my RB1100U, I just couldn’t connect it to anything until now. If I disable all mangle rules except the automatic ones, the router’s CPU load drops by cca. 25%. I could also get 100% CPU easily just by sending some data from one port to another (different subnets). Do you also have any firewall logging rules?
No, I have no logging rules, just the bare minimum for this test. As this is a test environment I can upgrade or downgrade freely, so I’m going to do it now and test it again.
Downgraded to v5.25 with the same config and I got a performance drop of ~50%.
Under v5.25, changed the encryption algorithm from AES-128 to Camellia-128. There was NO performance drop at all (but CPU usage rose to ~20%, as only AES is hardware accelerated).
Upgraded the RB1000 to v6.0 again: Camellia-128 performance was slightly lower than under v5.25, AES-128 performance was perfect (no performance drop at all).
(my) Conclusions:
There’s a problem in v5.25 (and possibly with other v5.xx firmwares) with the hardware-accelerated encryption engine of the RB1000 when using the AES algorithm for IPSec together with mangle rules (tested with Clear DF and Change MSS), which causes a performance drop of ~50%, but it is solved in v6.0. Don’t use v6.1 for IPSec as it has some known bugs (which are announced to be resolved in v6.2).