Hi all,
I’ve been conducting some experiments with inter-VLAN routing on my RB3011 in my home lab and wanted to share my findings and solutions, especially regarding VLAN setup and performance optimization.
Background: In my setup, I have 3 VLANs primarily for organizational purposes. An interesting observation came up while testing speeds with “iperf3”. Speeds between servers within the same VLAN were near 1 Gbps (around 933 Mbit/s), but this dropped to about 383 Mbit/s when testing from a wired workstation across different VLANs.
Key Setup Details:
I am not using bridge VLAN filtering. This is because it disables hardware offload on interfaces, which is crucial for performance. Instead, I leverage switch-chip features.
My RB3011 has two separate switch groups. I created two bridges, each for a switch group, and connected them with a patch cable between eth5 and eth6.
Here you can find more Layer 2 misconfiguration
Troubleshooting and Solution:
Initial Check:
Noticed that fast path is not active on my bridges.
/interface bridge settings print
bridge-fast-path-active: no
Tweaking Settings:
- Disabling use IP firewall in bridge settings didn’t activate Fast Path as the packet sniffer for my EV charger was active, which is incompatible with Fast Path.
- Turning off the packet sniffer worked:
> interface bridge settings print
use-ip-firewall: no
use-ip-firewall-for-vlan: no
use-ip-firewall-for-pppoe: no
allow-fast-path: yes
bridge-fast-path-active: yes
Performance Test:
Post-adjustment, iperf3 tests showed a substantial increase in speed, hitting between 890-900 Mbit/s.
Monitoring Setup:
To replace the packet sniffer, I implemented a mangle rule with a ‘sniff TZSP’ action. To ensure these packets were captured, I adjusted the FastTrack rule to exclude my EV charger’s IP.
Conclusion:
This approach allowed me to achieve nearly switch-chip level performance in inter-VLAN routing. It’s a great example of how, in environments where extensive VLAN firewall protections aren’t necessary, careful configuration can lead to significant performance gains.
Initially, I considered upgrading to a faster router and had my eyes on the RB5009. However, after resolving my VLAN routing issues, I no longer see the need for a more powerful device. Given the low traffic load in my home lab, I suspect the RB5009 would offer similar performance for my needs.
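The receiving side of the 'sniff TZSP' monitoring described in the post, as an added example that is not part of the original post: a decoder that strips the TZSP header and tagged fields from one UDP payload and reports the VLAN ID and IPv4 addresses of the mirrored frame, so you can confirm that the excluded device's traffic still reaches the collector. It assumes Ethernet encapsulation (TZSP protocol 1); `parse_tzsp`, `sample_datagram` and the 192.0.2.x addresses are constructed for illustration.

```python
import socket
import struct

TAG_PADDING, TAG_END = 0x00, 0x01   # the only TZSP tags without a length byte
ENCAP_ETHERNET = 1                  # assumption: router sends Ethernet-encapsulated frames

def parse_tzsp(datagram: bytes) -> dict:
    """Skip the TZSP header and tagged fields, then summarise the inner frame."""
    if len(datagram) < 4:
        raise ValueError("short TZSP header")
    version, _ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1 or encap != ENCAP_ETHERNET:
        raise ValueError("unsupported TZSP version or encapsulation")
    pos = 4
    while True:
        if pos >= len(datagram):
            raise ValueError("missing TZSP end tag")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if pos >= len(datagram):
            raise ValueError("truncated tagged field")
        pos += 1 + datagram[pos]    # length byte plus value
    frame = datagram[pos:]
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if ethertype == 0x8100 and len(frame) >= 18:   # 802.1Q tag present
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    info = {"vlan": vlan, "ethertype": ethertype, "src_ip": None, "dst_ip": None}
    if ethertype == 0x0800 and len(frame) >= offset + 20:
        info["src_ip"] = socket.inet_ntoa(frame[offset + 12:offset + 16])
        info["dst_ip"] = socket.inet_ntoa(frame[offset + 16:offset + 20])
    return info

def sample_datagram() -> bytes:
    """Constructed TZSP datagram: VLAN 20, 192.0.2.50 -> 192.0.2.10 (documentation IPs)."""
    ip = bytes.fromhex("450000140000000040060000")
    ip += socket.inet_aton("192.0.2.50") + socket.inet_aton("192.0.2.10")
    frame = bytes(12) + struct.pack("!HHH", 0x8100, 20, 0x0800) + ip
    return struct.pack("!BBH", 1, 0, 1) + bytes([0x00, 0x0A, 0x01, 0xC4, 0x01]) + frame

if __name__ == "__main__":
    print(parse_tzsp(sample_datagram()))
```

To use it on live traffic, pass each payload received on the UDP port configured as the sniff target to `parse_tzsp`.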