QoS and ipsec performance in CCR routers

Hi guys,
I have questions about how QoS affects IPsec performance in the CCR1009-7G-1C-1S+. I remember that someone from MikroTik once wrote that if you are using queues on traffic which is encrypted, then encryption is done in only one core of the CPU. I can't find that post.

  1. So is that the case with all QoS options, or only if one is using queue simple?
  2. Do queue tree and PCQ have the same effect?
  3. If one's setup is using hardware encryption and QoS, does that one core which encrypts traffic switch to software encryption, or does it still use hardware encryption?

At the moment my setup looks like this:
In mangle I mark traffic which is not encrypted and then I limit it in queue tree. This is working very well from the point of view of IPsec performance…


 > ip firewall mangle print 
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=prerouting action=accept protocol=ipsec-esp log=no log-prefix="" 

 1    
      chain=prerouting action=accept src-address-list=subnets_from_other_side_of_tunnel1 log=no log-prefix="" 

 2    
      chain=prerouting action=accept dst-address-list=subnets_from_other_side_of_tunnel1 log=no log-prefix="" 

 3    chain=prerouting action=mark-connection new-connection-mark=client_upload_CONN passthrough=yes protocol=!ipsec-esp dst-address-list=!DST_subnet_all_IPSec in-interface=LAN log=no log-prefix="upload" 

 4    chain=prerouting action=mark-connection new-connection-mark=client_download_CONN passthrough=yes protocol=!ipsec-esp src-address-list=!DST_subnet_all_IPSec in-interface=WAN log=no log-prefix="" 

 5    chain=prerouting action=mark-packet new-packet-mark=client_download_packet passthrough=no connection-mark=client_download_CONN log=no log-prefix="" 

 6    chain=prerouting action=mark-packet new-packet-mark=client_upload_packet passthrough=yes connection-mark=client_upload_CONN log=no log-prefix="" 

 
 > queue type print 


 5   name="pcq-up" kind=pcq pcq-rate=95M pcq-limit=50KiB pcq-classifier=src-address pcq-total-limit=2000KiB pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-src-address-mask=32 pcq-dst-address-mask=32 
     pcq-src-address6-mask=64 pcq-dst-address6-mask=64 

 6   name="pcq-down" kind=pcq pcq-rate=95M pcq-limit=50KiB pcq-classifier=dst-address pcq-total-limit=2000KiB pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-src-address-mask=32 pcq-dst-address-mask=32 
     pcq-src-address6-mask=64 pcq-dst-address6-mask=64 
 

..
 > queue tree print 
Flags: X - disabled, I - invalid 
 0   name="queue1-down" parent=global packet-mark=client_download_packet limit-at=0 queue=pcq-down priority=8 max-limit=95M burst-limit=0 burst-threshold=0 burst-time=0s bucket-size=0.1 

 1   name="queue2-up" parent=global packet-mark=client_upload_packet limit-at=0 queue=pcq-up priority=8 max-limit=95M burst-limit=0 burst-threshold=0 burst-time=0s bucket-size=0.1

Hi

Are you referring to the fact that queue tree on a CCR is processed by a single core? Therefore, for high bandwidth applications, Simple Queues are advised over queue tree as these can spread load over multiple cores.

Are you referring to the fact that queue tree on a CCR is processed by a single core?

Yes, but not only that. I'm thinking that if you are doing QoS on traffic, then IPsec encryption and decryption on that same traffic is also processed by a single core…

Best source is MT itself. Suggest you open a support ticket with that question.
And post the response :wink:.