jgerek
January 29, 2021, 8:30am
1
Hi Guys,
Can somebody with good MikroTik knowledge help me?
Is there any procedure for how to set up the CRS1xx router using the internal switch chip instead of the CPU?
The router is a 3 layer router
My ISP is working via PPPoE Client
I’m also using the IPTV - which is connected to the router.
Before I bought that router I was hoping that the CRS125 would solve my issue with overloading the CPU on the old hEX router.
So we’ve set up PPPoE in the interface
The 600MHz CPU is working in the range 5 - 30%; when I measure the internet speed it can jump to 80%
When I measure the internet speed, the IPTV is lagging! Here I really wonder WHY. This router uses 3 switches - each is on a separate chip
In the first 8 ports I’ve connected the ISP cable and IPTV,
no more devices; other LAN ports are used in the 2nd and 3rd section, see image
Here is my configuration export:
/interface bridge
add admin-mac=B8:69:F4:7A:5E:4D auto-mac=no name=bridge-dsi-iptv protocol-mode=none
add name=bridge-local protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether01-dsi
set [ find default-name=ether2 ] name=ether02-iptv
set [ find default-name=ether3 ] disabled=yes name=ether03
set [ find default-name=ether4 ] disabled=yes name=ether04
set [ find default-name=ether5 ] disabled=yes name=ether05
set [ find default-name=ether6 ] disabled=yes name=ether06
set [ find default-name=ether7 ] disabled=yes name=ether07
set [ find default-name=ether8 ] disabled=yes name=ether08
set [ find default-name=ether9 ] name=ether09
set [ find default-name=sfp1 ] disabled=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether01-dsi keepalive-timeout=60 name=pppoe-dsi-data password=XXXXXX use-peer-dns=yes user=XXXXXX
/interface vlan
add interface=ether01-dsi name=vlan1-dsi-iptv vlan-id=250
add disabled=yes interface=ether01-dsi name=vlan2 use-service-tag=yes vlan-id=1
/interface list
add name=dsi
add name=local
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool-local ranges=10.0.0.200-10.0.0.249
/ip dhcp-server
add address-pool=pool-local disabled=no interface=bridge-local name=dhcp-local
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=bridge-dsi-iptv interface=ether02-iptv learn=no pvid=250
add bridge=bridge-local interface=ether09
add bridge=bridge-local interface=ether10
add bridge=bridge-local interface=ether11
add bridge=bridge-local interface=ether12
add bridge=bridge-local interface=ether13
add bridge=bridge-local interface=ether14
add bridge=bridge-local interface=ether15
add bridge=bridge-local interface=ether16
add bridge=bridge-local interface=ether17
add bridge=bridge-local interface=ether18
add bridge=bridge-local interface=ether19
add bridge=bridge-local interface=ether20
add bridge=bridge-local interface=ether21
add bridge=bridge-local interface=ether22
add bridge=bridge-local interface=ether23
add bridge=bridge-local interface=ether24
add bridge=bridge-dsi-iptv interface=vlan1-dsi-iptv multicast-router=disabled
add bridge=bridge-dsi-iptv disabled=yes interface=ether01-dsi
/ip neighbor discovery-settings
set discover-interface-list=local
/interface bridge vlan
add bridge=bridge-dsi-iptv disabled=yes tagged=ether01-dsi untagged=ether02-iptv vlan-ids=250
/interface list member
add comment="2 switch" interface=ether09 list=local
add comment="1 switch" interface=ether01-dsi list=dsi
add interface=ether02-iptv list=dsi
add interface=ether10 list=local
add interface=ether11 list=local
add interface=ether12 list=local
add interface=ether13 list=local
add interface=ether14 list=local
add interface=ether15 list=local
add interface=ether16 list=local
add interface=ether17 list=local
add interface=ether18 list=local
add interface=ether19 list=local
add interface=ether20 list=local
add interface=ether21 list=local
add interface=ether22 list=local
add interface=ether23 list=local
add interface=ether24 list=local
/ip address
add address=10.0.0.1/24 interface=bridge-local network=10.0.0.0
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.0.0.1 name=router
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
Can someone help me set up my CRS125-24G-1S-2HnD so that it will use the internal CHIP instead of the CPU?
THX
mada3k
January 29, 2021, 4:49pm
2
Well. The CRS125 is primarily a switch, and unfortunately all PPPoE encap/decap is done in software. PPPoE is very CPU heavy.
I also suspect that you are doing the switching in software as well. Do a /interface bridge port print and make sure it says “H ” on the right ports.
Is it Multicast IPTV?
jgerek
January 29, 2021, 5:02pm
3
Hi, it’s Multicast IT, correct
but normally it seems now that everything is passing through the CPU
this is a scheme for this router:
so we need to know how to use the hardware chip for Multicast or CPU, shortly: avoid the TV lagging when the CPU is overloaded by the PPPoE traffic
jgerek
January 29, 2021, 5:12pm
4
Well. The CRS125 is primarily a switch, and unfortunately all PPPoE encap/decap is done in software. PPPoE is very CPU heavy.
I also suspect that you are doing the switching in software as well. Do a /interface bridge port print and make sure it says “H ” on the right ports.
Is it Multicast IPTV?
Hi @mada3k
here you go this print:
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
# INTERFACE BRIDGE HW PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON
0 H ether02-iptv bridge-dsi-iptv yes 250 0x80 10 10 none
1 I H ether09 bridge-local yes 1 0x80 10 10 none
2 I H ether10 bridge-local yes 1 0x80 10 10 none
3 I H ether11 bridge-local yes 1 0x80 10 10 none
4 I H ether12 bridge-local yes 1 0x80 10 10 none
5 H ether13 bridge-local yes 1 0x80 10 10 none
6 I H ether14 bridge-local yes 1 0x80 10 10 none
7 H ether15 bridge-local yes 1 0x80 10 10 none
8 I H ether16 bridge-local yes 1 0x80 10 10 none
9 I H ether17 bridge-local yes 1 0x80 10 10 none
10 I H ether18 bridge-local yes 1 0x80 10 10 none
11 H ether19 bridge-local yes 1 0x80 10 10 none
12 H ether20 bridge-local yes 1 0x80 10 10 none
13 I H ether21 bridge-local yes 1 0x80 10 10 none
14 H ether22 bridge-local yes 1 0x80 10 10 none
15 H ether23 bridge-local yes 1 0x80 10 10 none
16 I H ether24 bridge-local yes 1 0x80 10 10 none
17 vlan1-dsi-iptv bridge-dsi-iptv 1 0x80 10 10 none
18 XI ether01-dsi bridge-dsi-iptv 1 0x80 10 10 none
mada3k
January 29, 2021, 6:52pm
5
Yes, the IP-TV VLAN is unfortunately going via the CPU. For the CRS1xx series you have to configure the switching under /interface ethernet switch since the switching must take place before the CPU.
I did a bit of copy&paste and rewrite from my working CRS112 setup. Maybe it will help you on the way.
# egress tagging
/interface ethernet switch egress-vlan-tag
add tagged-ports=switch1-cpu vlan-id=10
add tagged-ports=switch1-cpu vlan-id=20
add tagged-ports=ether1 vlan-id=250
# ingress tagging
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=20 ports=ether1 # eth1: untagged as v20
add customer-vid=250 new-customer-vid=250 ports=ether1 # eth1: v250 as v250
add customer-vid=250 new-customer-vid=250 ports=ether2 # eth2: v250 as v250
add customer-vid=0 new-customer-vid=10 ports=ether3 # others on v10
add customer-vid=0 new-customer-vid=10 ports=ether4
add customer-vid=0 new-customer-vid=10 ports=ether5
add customer-vid=0 new-customer-vid=10 ports=ether6
add customer-vid=0 new-customer-vid=10 ports=ether7
add customer-vid=0 new-customer-vid=10 ports=ether8
# active vlans
/interface ethernet switch vlan
add comment=LAN ports=switch1-cpu,ether3,ether4,ether5,ether7,ether8 vlan-id=10
add comment=Internet ports=switch1-cpu,ether1 vlan-id=20
add comment=IPTV ports=ether1,ether2 vlan-id=250
# vlan filtering
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20
/ip dhcp-client
add add-default-route=yes interface=vlan20 use-peer-dns=yes
/ip address
add interface=vlan10 address=192.168.88.1/24
jgerek
January 31, 2021, 6:58pm
6
Hi @mada3k
We’ve set up my router similarly to what you advised, on that principle of a basic VLAN structure.
But next to this, we’ve also set up the PPPoE client, and set its interface to vlan20
Next to this we’ve set up masquerade and set the Out. Interface to the PPPoE client
Now the PPPoE client is in status disconnected and can’t connect.
When I tested, the internet doesn’t work, and Multicast doesn’t work either. Do you think we’ve forgotten something? Below you can find the whole /export.
Can you advise what to do?
/interface bridge
add admin-mac=B8:69:F4:7A:5E:4D auto-mac=no comment=defconf name=bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-7A5E65 wireless-protocol=802.11
/interface ethernet
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan20 keepalive-timeout=60 name=pppoe-dsi-data password=XXXXXXXX use-peer-dns=yes user=XXXXXXXX
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=servis-pool-levik ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=servis-pool-levik disabled=no interface=vlan10 name=levik
/interface bridge port
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
add bridge=bridge interface=ether11
add bridge=bridge interface=ether12
add bridge=bridge interface=ether13
add bridge=bridge interface=ether14
add bridge=bridge interface=ether15
add bridge=bridge interface=ether16
add bridge=bridge interface=ether17
add bridge=bridge interface=ether18
add bridge=bridge interface=ether19
add bridge=bridge interface=ether20
add bridge=bridge interface=ether21
add bridge=bridge interface=ether22
add bridge=bridge interface=ether23
add bridge=bridge interface=ether24
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge interface=wlan1
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface ethernet switch egress-vlan-tag
add tagged-ports=switch1-cpu vlan-id=10
add tagged-ports=switch1-cpu vlan-id=20
add tagged-ports=ether1 vlan-id=250
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=20 ports=ether1
add customer-vid=250 new-customer-vid=250 ports=ether1
add customer-vid=250 new-customer-vid=250 ports=ether2
add customer-vid=0 new-customer-vid=10 ports=ether3
add customer-vid=0 new-customer-vid=10 ports=ether4
add customer-vid=0 new-customer-vid=10 ports=ether5
add customer-vid=0 new-customer-vid=10 ports=ether6
add customer-vid=0 new-customer-vid=10 ports=ether7
add customer-vid=0 new-customer-vid=10 ports=ether8
/interface ethernet switch vlan
add comment=LAN ports=ether3,ether4,ether5,ether7,ether8,switch1-cpu vlan-id=10
add comment=Internet ports=ether1,switch1-cpu vlan-id=20
add comment=IPTV ports=ether1,ether2 vlan-id=250
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=192.168.1.1/24 interface=vlan10 network=192.168.1.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface=pppoe-dsi-data
/system clock
set time-zone-name=Europe/Bratislava
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Thank you
mada3k
February 1, 2021, 9:29am
7
Now you have two bridges, not sure if that’s what you want.
To be honest, I’m a bit unsure about the “hybrid” and translation port (translate untagged to a vlan, IPTV as tagged) - but I think it’s the most reasonable instead of running the Internet and PPPoE client directly on VLAN1/default for the whole switch. See wiki-page for more information of “hybrid” ports.
https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches_examples#Example_2_.28Trunk_and_Hybrid_ports.29
Try to temporarily disable VLAN-filtering
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=""
jgerek
February 1, 2021, 1:34pm
8
HEUREKA!
So we’ve changed the logic:
this is the last configuration, which is working well:
PPPoE is working FAST!
Multicast IP TV working now without LAGs
Internal network working FANTASTIC
Here is the /export
/interface bridge
add name=bridge-dsi
add name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether01-dsi
set [ find default-name=ether2 ] name=ether02-tv
/interface pppoe-client
add add-default-route=yes disabled=no interface=bridge-dsi keepalive-timeout=60 name=pppoe-dsi-data password=XXX use-peer-dns=yes user=XXX
/interface vlan
add disabled=yes interface=bridge-dsi name=vlan20 vlan-id=20
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether02-tv
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip dhcp-server
add disabled=no name=dhcp
/ip pool
add name=pool-local ranges=10.0.0.100-10.0.0.254
/ip dhcp-server
add address-pool=pool-local disabled=no interface=bridge-local name=dhcp-local
/interface bridge port
add bridge=bridge-local interface=ether09
add bridge=bridge-local interface=ether10
add bridge=bridge-local interface=ether11
add bridge=bridge-local interface=ether12
add bridge=bridge-local interface=ether13
add bridge=bridge-local interface=ether14
add bridge=bridge-local interface=ether15
add bridge=bridge-local interface=ether16
add bridge=bridge-local interface=ether17
add bridge=bridge-local interface=ether18
add bridge=bridge-local interface=ether19
add bridge=bridge-local interface=ether20
add bridge=bridge-local interface=ether21
add bridge=bridge-local interface=ether22
add bridge=bridge-local interface=ether23
add bridge=bridge-local interface=ether24
add bridge=bridge-dsi interface=ether01-dsi
add bridge=bridge-dsi interface=ether02-tv
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface ethernet switch egress-vlan-tag
add disabled=yes tagged-ports=switch1-cpu vlan-id=20
add tagged-ports=ether01-dsi vlan-id=250
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 disabled=yes new-customer-vid=20 ports=ether01-dsi
add customer-vid=250 new-customer-vid=250 ports=ether01-dsi
add customer-vid=0 new-customer-vid=250 ports=ether02-tv
/interface ethernet switch vlan
add comment=Internet disabled=yes ports=ether01-dsi,switch1-cpu vlan-id=20
add comment="dsi iptv" ports=ether01-dsi,ether02-tv vlan-id=250
/interface list member
add comment=defconf list=LAN
add comment=defconf interface=ether01-dsi list=WAN
/ip address
add address=192.168.1.1/24 network=192.168.1.0
add address=10.0.0.1/24 interface=bridge-local network=10.0.0.0
/ip dhcp-client
add comment=defconf interface=ether01-dsi
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1
add address=192.168.1.0/24 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=pppoe-dsi-data src-address=10.0.0.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.0.0.0/24
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Bratislava
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
We will set up the firewall as well, for better security, but this configuration is working super!
Thank you @mada3k for spending your time on this case as well!
mada3k
February 1, 2021, 4:03pm
9
Well, now you are using VLAN1 as both Internet and LAN, but separating them at a CPU-level instead. Also no VLAN filtering on the WAN-interface. I can’t recommend this approach, but yes, it will probably work
I would at least put all your LAN ports on another VLAN
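Added example, not part of the thread or written by either poster: a small Python check that reads a RouterOS /export and flags the two gaps visible in the working configuration above, a WAN-list port missing from the switch VLAN filtering list and firewall chains whose drop rules are all disabled. The sample text is a constructed excerpt of that export, and the function names are hypothetical.

```python
import re
import shlex

FILTER_KEY = "drop-if-invalid-or-src-port-not-member-of-vlan-on-ports"

# Constructed excerpt based on the working /export in the thread; one rule is
# wrapped with "\" the way RouterOS wraps long export lines.
SAMPLE_EXPORT = r"""/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether02-tv
/interface list member
add comment=defconf list=LAN
add comment=defconf interface=ether01-dsi list=WAN
/ip firewall filter
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=input comment=\
    "defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
"""


def parse_export(text):
    """Yield (menu, params) for each command line of a RouterOS /export."""
    text = re.sub(r"\\\n\s*", "", text)  # join lines wrapped with a trailing "\"
    menu = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line  # menu path applies to the commands that follow
            continue
        tokens = shlex.split(line)  # keeps quoted comments as one token
        yield menu, dict(t.split("=", 1) for t in tokens[1:] if "=" in t)


def audit(text):
    """Return findings for unfiltered WAN ports and chains with no active drop."""
    filtered, wan = set(), set()
    active_drops = {"input": 0, "forward": 0}
    for menu, p in parse_export(text):
        enabled = p.get("disabled") != "yes"
        if menu == "/interface ethernet switch" and FILTER_KEY in p:
            filtered = {port for port in p[FILTER_KEY].split(",") if port}
        elif menu == "/interface list member":
            if enabled and p.get("list") == "WAN" and "interface" in p:
                wan.add(p["interface"])
        elif menu == "/ip firewall filter":
            if enabled and p.get("action") == "drop" and p.get("chain") in active_drops:
                active_drops[p["chain"]] += 1
    findings = [f"WAN port {port} is not under switch VLAN filtering"
                for port in sorted(wan - filtered)]
    findings += [f"{chain} chain has no enabled drop rule"
                 for chain, count in active_drops.items() if count == 0]
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("FINDING:", finding)
```

Run against a full export, the same function reports nothing once the WAN port is in the filtering list and at least one drop rule per chain is enabled.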
jgerek
February 1, 2021, 9:06pm
10
@mada3k
the solution you recommended we’ve tested, but it was really hard for the CRS’s CPU; the internet speed was almost D-100Mbit and upload almost 80, my link should run close to 300mbit.
We’ve been really wondering, but it wasn’t good for us. More problems are triggered to PPPoE client we guess; we know it’s not a standard solution right now, but it works perfectly. It’s strange