Below is how I configured my network on my CRS312 running the latest firmware, 6.48.3:
Interface 1 - WAN -> connects from the modem to the router
Interface 2 - LAN 1, which has Bridge 1 and gets DHCP from the DHCP-pool-1 range 192.168.1.1 - 192.168.1.254
Interfaces 3 & 4 - LAN 2, which has Bridge 2 and gets DHCP from the DHCP-pool-2 range 192.168.2.1 - 192.168.2.254
Interfaces 5, 6, 7, 8 & the combo ports, viz. Interfaces 9, 10, 11, 12 - LAN 3, which has Bridge 3 and gets DHCP from the DHCP-pool-3 range 192.168.3.1 - 192.168.3.254
I am transferring a 15 GB file within the 192.168.3.x subnet. I am getting a max transfer of 50 Mb/s no matter how I change the configuration. I was expecting >100mb/sec at least, which I got with my previous Ubiquiti router. I have added a fasttrack f/w filter rule, and fastpath is disabled because I have another firewall filter rule as below. As soon as the file transfer starts (inspected, and it's SMB), the CPU usage goes up to 90%. I disabled and re-enabled both RSTP and hardware offloading, but nothing makes any difference. I have even changed the cables, but no difference. I don't know what is causing this slow transfer, as my primary motive for purchasing this router was to increase the transfer rates. Am I missing some firewall rules? Any suggestions would be really helpful. Thank you.
PC1 - 192.168.3.5 → Link rate 1Gbps - 1500 MTU - Copy to this PC from PC3 or PC2 gives me only 25Mbps
PC2 - 192.168.3.6 → Link rate 1Gbps - 1500 MTU - Copy to this PC from PC3 gives me only 50Mbps
PC3 - 192.168.3.60 → Link rate 10 Gbps - 1500 MTU - Copy to this PC from PC2 gives me only 50Mbps
/ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 chain=forward action=fasttrack-connection connection-state=established,related,new,untracked l
log-prefix=""
2 chain=forward action=accept protocol=udp dst-address=192.168.3.190 in-interface=bridge2 dst-po
log-prefix=""
/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""
1 chain=dstnat action=dst-nat to-addresses=192.168.3.190 to-ports=9 protocol=udp in-interface=bridge2 dst-port=9 log=no log-prefix=""
Since you mention the transfer takes place within 192.168.3.0/24, it should be pure switching, so the IP firewall rules, and enabled/disabled fasttracking in particular, are unrelated. However, setting hw=yes on an /interface bridge port row just permits hardware forwarding; it doesn't force it. So since you have multiple separate bridges, it is possible that RouterOS has chosen to enable hardware acceleration on a bridge other than the one you expect. What does /interface bridge port print show?
Ah, sorry, I missed that the "HW" column in /interface bridge port print only indicates the permission for hardware acceleration, not its actual use. The H letter between the row index and the interface name tells you whether it is really active on that port or not.
So use /interface bridge port set [find where !(bridge=bridge3)] hw=no to disable the hardware acceleration on bridge1 and bridge2, and you should see a change:

4 H ether6 bridge3 yes 1 0x80 10 10 none #PC2
9 H combo3 bridge3 yes 1 0x80 10 10 none #PC3
Thanks a lot Sindy. That did the magic. Now I am seeing >105Mb/s between PC2 <-> PC3 and >60Mb/sec between PC1 <-> PC2. CPU usage has gone down to 5-10% during the transfer.
What should I do if I want to get the same transfer rates between the 192.168.2.x and 192.168.3.x subnets? I tried setting hw for bridge2 to test. Once I set it, the transfer rate went down in the 3.x subnet and CPU usage increased.
Whereas switching is a hardware task, routing is done by the CPU, and the CPU in this model is too weak, so the total routing throughput will be below 500 Mbps. So you can get wirespeed switching within each subnet if you use a single bridge with multiple VLANs rather than separate bridges (only one bridge can currently benefit from hardware acceleration). To get wirespeed routing, which the switch chips used in the CRS3xx models are capable of themselves, you have to give RouterOS v7 a try, which supports hardware-accelerated routing on these devices, but it is currently only available as a beta version. And I am not sure whether it will work between VLANs. As I've got no CRS3xx, I could not test that myself so far.
Thanks for the explanation. I will give RouterOS v7 a try.
The 1.x subnet takes the web traffic, 2.x is my wireless network and 3.x is the local LAN where I have all my servers. I had the single bridge configuration and it's getting very hard to maintain the rules for controlling access across the servers, and I don't want the servers taking the web traffic to be in the same bridge where all my files are. Hence the need for different bridges.
The IP firewall rules controlling the flow between subnets are the same regardless of whether each subnet lives on a separate bridge or each subnet lives in a VLAN on a common bridge; you just replace the interface names in the rules (if you use them) from bridgeX to vlanX. If you make all the ports access ones and permit only untagged and priority-tagged frames on ingress, the isolation of the port groups with tagged VLANs will be the same as with port-based VLANs (aka separate bridges).
Plus you've currently got just a single port (ether2) in bridge1, so you may as well attach the IP configuration directly to that port rather than making it a member port of the bridge.
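To make the single-bridge-with-VLANs layout from the two replies above concrete, here is an added example of the full RouterOS 6.4x configuration. It is not the configuration from this thread or from MikroTik; the port-to-subnet mapping and the bridge2 -> 192.168.3.190 UDP/9 dst-nat rule are taken from the first post, while the VLAN IDs 10/20/30, the router holding .1 in each subnet, the DHCP pool ranges starting at .10, and the inter-VLAN forward policy are assumptions you would adjust to your own needs. Every port becomes an access port that admits only untagged and priority-tagged frames, so a host cannot hop into another VLAN by tagging its own frames, and because there is only one bridge, the switch chip can offload all of the ports at once.

```routeros
# Added example, not the thread's own config: one bridge, three VLANs.
# Assumptions: VLAN IDs 10/20/30, router at .1 in each subnet, pools from .10.
# Apply from a Safe Mode session; vlan-filtering is switched on only at the end,
# after the VLAN table is complete, so a half-applied script cannot lock you out.

/interface bridge
add name=bridge1 vlan-filtering=no comment="single bridge, all ports HW offloaded"

# Access ports: pvid puts untagged ingress into that VLAN; ingress-filtering plus
# frame-types=admit-only-untagged-and-priority-tagged drops tagged frames from hosts.
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged comment="LAN 1 / 192.168.1.0/24"
add bridge=bridge1 interface=ether3 pvid=20 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged comment="LAN 2 / 192.168.2.0/24"
add bridge=bridge1 interface=ether4 pvid=20 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged comment="LAN 2 / 192.168.2.0/24"
:foreach p in={"ether5";"ether6";"ether7";"ether8";"combo1";"combo2";"combo3";"combo4"} do={
    /interface bridge port add bridge=bridge1 interface=$p pvid=30 ingress-filtering=yes \
        frame-types=admit-only-untagged-and-priority-tagged comment="LAN 3 / 192.168.3.0/24"
}

# VLAN table: the bridge itself is a tagged member so the router can hold an
# IP address in each VLAN; the access ports are untagged members.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1 untagged=ether2
add bridge=bridge1 vlan-ids=20 tagged=bridge1 untagged=ether3,ether4
add bridge=bridge1 vlan-ids=30 tagged=bridge1 \
    untagged=ether5,ether6,ether7,ether8,combo1,combo2,combo3,combo4

# L3 interfaces replace bridge1/bridge2/bridge3 in the IP configuration.
/interface vlan
add name=vlan10 vlan-id=10 interface=bridge1
add name=vlan20 vlan-id=20 interface=bridge1
add name=vlan30 vlan-id=30 interface=bridge1
/ip address
add address=192.168.1.1/24 interface=vlan10
add address=192.168.2.1/24 interface=vlan20
add address=192.168.3.1/24 interface=vlan30

/ip pool
add name=dhcp-pool-1 ranges=192.168.1.10-192.168.1.254
add name=dhcp-pool-2 ranges=192.168.2.10-192.168.2.254
add name=dhcp-pool-3 ranges=192.168.3.10-192.168.3.254
/ip dhcp-server
add name=dhcp-lan1 interface=vlan10 address-pool=dhcp-pool-1 disabled=no
add name=dhcp-lan2 interface=vlan20 address-pool=dhcp-pool-2 disabled=no
add name=dhcp-lan3 interface=vlan30 address-pool=dhcp-pool-3 disabled=no
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1
add address=192.168.2.0/24 gateway=192.168.2.1 dns-server=192.168.2.1
add address=192.168.3.0/24 gateway=192.168.3.1 dns-server=192.168.3.1

# Firewall: same rules as with separate bridges, bridgeX renamed to vlanX.
# The inter-VLAN policy below is illustrative (assumed), not the poster's.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1
add chain=dstnat action=dst-nat to-addresses=192.168.3.190 to-ports=9 \
    protocol=udp in-interface=vlan20 dst-port=9
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept in-interface=vlan20 out-interface=vlan30 \
    comment="wireless may reach the servers (assumed policy)"
add chain=forward action=accept out-interface=ether1 \
    comment="every VLAN may reach the WAN"
add chain=forward action=drop in-interface=!ether1 out-interface=!ether1 \
    comment="no other inter-VLAN traffic"

# Last step: enable VLAN filtering, then verify every port shows the H flag.
/interface bridge set bridge1 vlan-filtering=yes
/interface bridge port print
/interface bridge vlan print
```

After the final set command, /interface bridge port print should show the H flag on every port of bridge1 rather than on a single bridge's ports, which is what the 2.x <-> 3.x question was really about: switching inside each VLAN is then offloaded everywhere, and only the traffic that crosses VLANs still goes through the CPU-routed path that the reply above describes.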