Router Speed 1/3 of Direct Connection to Modem

I’ve recently set up the following model:
Mikrotik CRS326-24G-2S+RM Cloud Router Switch 326-24G-2S+RM 24 Gigabit port switch with 2 x SFP+ cages in 1U rackmount case, Dual boot (RouterOS or SwitchOS)

When I connect my computer directly to my Modem I get 900Gbps. This is the model:
https://www.arris.com/surfboard/products/cable-modems/sb8200/

Now the fastest speed I can get from any computer connected to the Router is 400Mbps. How can I optimize the speed through the router?

I also wanted to mention the only NAT firewall rule I have is a srcnat 10.0.0.0/16 out interface ether01, action src-nat, ToAddress: My Modem Public IP

You need to include your “/export hide-sensitive” information (the config you are using) to get any meaningful reply to such questions.
However, you should understand that the router function of such devices is a lot slower than the switching function.
When you want to get the full performance of the device, you should use it as a switch, not as a router. Only with tricks like fasttrack it will be possible to get anywhere near your modem speed.

Config Export:

# may/09/2020 07:41:59 by RouterOS 6.43.16
# software id = 3LKB-G05W
#
# model = CRS326-24G-2S+
# serial number = HIDDEN
/interface bridge
add name=bridge-LAN
add name=bridge-LAN2
/interface ethernet
set [ find default-name=ether1 ] name=ether01-WAN
set [ find default-name=ether2 ] name=ether02
set [ find default-name=ether3 ] name=ether03
set [ find default-name=ether4 ] name=ether04
set [ find default-name=ether5 ] name=ether05
set [ find default-name=ether6 ] name=ether06
set [ find default-name=ether7 ] name=ether07
set [ find default-name=ether8 ] name=ether08
set [ find default-name=ether9 ] name=ether09
set [ find default-name=sfp-sfpplus1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.1.10-192.168.1.254
add name=dhcp_pool1 ranges=10.0.0.10-10.0.0.254
add name=dhcp_pool2 ranges=10.0.1.10-10.0.1.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge-LAN lease-time=1h name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=bridge-LAN2 name=dhcp2
/interface bridge port
add bridge=bridge-LAN interface=ether09
add bridge=bridge-LAN2 interface=ether03
add bridge=bridge-LAN interface=ether04
add bridge=bridge-LAN interface=ether10
add bridge=bridge-LAN interface=ether11
add bridge=bridge-LAN2 interface=ether17
add bridge=bridge-LAN2 interface=ether18
add bridge=bridge-LAN2 interface=sfp-sfpplus1
add bridge=bridge-LAN2 interface=ether24
add bridge=bridge-LAN2 interface=ether19
add bridge=bridge-LAN2 interface=ether20
add bridge=bridge-LAN2 interface=ether21
add bridge=bridge-LAN2 interface=ether22
add bridge=bridge-LAN2 interface=ether23
/interface bridge vlan
add disabled=yes vlan-ids=""
/ip address
add address=10.0.0.1/24 interface=bridge-LAN network=10.0.0.0
add address=10.0.1.1/24 interface=bridge-LAN2 network=10.0.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether01-WAN
/ip dhcp-server lease
add address=10.0.0.25 client-id=1:8c:3b:ad:ae:48:58 mac-address=8C:3B:AD:AE:48:58 server=dhcp1
add address=10.0.0.40 client-id=1:c4:d6:55:33:dc:3f mac-address=C4:D6:55:33:DC:3F server=dhcp1
add address=10.0.0.53 client-id=1:0:10:75:25:a4:35 mac-address=00:10:75:25:A4:35 server=dhcp1
add address=10.0.0.23 client-id=1:3c:52:82:1e:52:77 mac-address=3C:52:82:1E:52:77 server=dhcp1
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.1 gateway=10.0.0.1
add address=10.0.1.0/24 dns-server=10.0.1.1 gateway=10.0.1.1
/ip dns
set allow-remote-requests=yes max-concurrent-queries=1000 max-concurrent-tcp-sessions=200 servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=10.0.0.0/16 comment="Local Networks" list="Local Networks"
/ip firewall filter
add action=reject chain=input dst-port=53 in-interface=ether01-WAN protocol=udp reject-with=icmp-network-unreachable
add action=reject chain=input dst-port=53 in-interface=ether01-WAN protocol=tcp reject-with=icmp-network-unreachable
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether01-WAN src-address=10.0.0.0/16 to-addresses=MY.PUBLIC.IP.ADDRESS
/ip firewall raw
add action=accept chain=prerouting
add action=accept chain=prerouting
/ip firewall service-port
set ftp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set www-ssl certificate=cert.crt_0 disabled=no
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Los_Angeles
/system routerboard settings
set boot-os=router-os
/tool graphing interface
add
/tool sniffer
set filter-port=http

Actually the routing speed you’re getting is more or less what your CRS is capable of. Any higher routing speed would mean sacrificing security (firewall) … which might be fine for routing between two LAN subnets without any limitations about connectivity (i.e. simple routing, no firewall), but when used as border gateway (between you and internet) it definitely has to run firewall.

Check official test results, number under “routing - 25 ip filter rules - 512 byte packets” resembles most real-life scenarios quite well.

It could work better when you included the fasttrack config in the firewall.
E.g. try this:

/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related

Of course what mkx wrote also applies, but at the moment you have no firewall at all (apart from the block on port 53).
Note that it is unwise to connect a device directly to internet in such state, it would only be safe when your “modem” is actually a NAT router as well.
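As an added example (not part of the original posts and not the poster's configuration), this is a minimal stateful RouterOS filter set for the exported topology that includes the fasttrack rule while closing the gap described above. The interface names are taken from the export; the interface list names WAN and LAN are assumptions introduced here, and the rule layout follows the general shape of MikroTik's default firewall.

```routeros
# Added example. Interface names come from the export above;
# the list names WAN and LAN are assumed for this sketch.
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether01-WAN
add list=LAN interface=bridge-LAN
add list=LAN interface=bridge-LAN2

/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related,untracked \
    comment="accept replies to the router's own connections"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="allow ICMP"
# Everything not arriving from a LAN bridge is dropped. This covers the DNS
# resolver (allow-remote-requests=yes) and the enabled www-ssl service, so the
# two port-53 reject rules in the export become redundant.
add chain=input action=drop in-interface-list=!LAN \
    comment="drop all input not coming from LAN"

# --- forward chain: traffic routed through the router ---
# Fasttrack only marks established/related connections; the accept rule
# directly below it is still needed for packets that take the slow path.
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="fasttrack established,related"
add chain=forward action=accept connection-state=established,related,untracked \
    comment="accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# New connections from the WAN are only allowed if a dst-nat rule
# (port forward) matched them; none exists in the export, so all are dropped.
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface-list=WAN comment="drop unsolicited WAN connections"
```

Rules are evaluated top to bottom, so these must sit above any broader accept rule; the counters shown by `/ip firewall filter print stats` confirm whether the fasttrack rule is actually matching traffic.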

I did add the fast track Filters to the firewall, as described here:
https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack

Still getting the same speeds after that change.

Also I still have the NAT rule enabled. Is that the one that is slowing down the speed? I know it needs to be there to connect the LANs to the WAN, but just trying to understand exactly where the bottleneck is.

Bottleneck is the fact that CRS devices are switches with low-capacity L3 functionality. Meaning they can route and firewall, but nowhere near wirespeed.

If you want to get decent routing speed, get a router. A low-cost candidate device is hAP ac2 (you can disable wireless) … or a RB450Gx4 - pricier because of more RAM and storage but CPU is the same in both devices.

The single most expensive job a stateful firewall has to perform is connection tracking. Since you have NAT enabled it means your CRS has to do it. The fact you don’t have many firewall rules only helps some - you said you’re reaching around 400Mbps while official test results indicate 270Mbps. So you do see higher numbers. I only guess that you’d have to remove all firewall configuration to make it route at around 1Gbps … but that means no NAT as well …

Thanks guys for the reality check on my hardware. I’ll look into getting a “real” router and put that in front of what I currently have - and just use it as a switch.

I think you meant 900Mbps?
In any case, in terms of routers to maximize your ISP connection I would recommend for
(1) WIRED
a. RB450Gx4 routerboard and an enclosure etc (some places sell it already pre-assembled).
b. RB4011 wired only model (more than you need)
(2) WIFI Router
a. HAPAC2 - similar to the RB450Gx4 in performance
b. RB4011 with wifi (more than you need).

Note: I don’t mention the 3011 wired as it only has 2 cores and for only $20 more bucks the 4011 screams.

I’ll agree with @anav, RB4011 would be a good choice…

Yes I did mean 900Mbps, not Gbps. I just purchased this one from Amazon:
https://mikrotik.com/product/rb4011igs_rm

You’ll get great performance results with this model…