I am very new to all this, so please believe me when I tell you I’m trying. I’ve only ever had un-managed switches in my setup, but recently purchased a CRS310-8G+2S+IN.
With my previous, ‘dumb’ switch, I simply plugged all my devices in and I get 1GbE download speeds across all clients.
With my new switch…it’s a bit all over the place, averaging in the 300mbs range. I am also running Pi-Hole+Unbound, set as my DNS in my router. On the old switch, it’s not an issue - on the Mikrotik, it gives me problems.
EDIT: Now also experiencing the same issue, regardless of my DNS settings. When I changed it to 8.8.8.8, it would work fine. Come back to it 30min later, and now it’s slow again across all my clients.
Here’s how I set it up:
Wiped config
Set device in ‘bridge’ mode
Created a bridge
Added all ports (2.5GbEx8, 10GbEx2) to bridge
Added DNS w/ allow remote access enabled
Added an IP to the Mikrotik
Here’s the config:
/interface bridge
add name="LAN Ports"
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/port
set 0 name=serial0
/interface bridge port
add bridge="LAN Ports" interface=all
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
/ip address
add address=192.168.0.101 interface="LAN Ports" network=192.168.0.101
/ip dns
set allow-remote-requests=yes servers=192.168.0.1
/system clock
set time-zone-name=America/Los_Angeles
/system note
set show-at-login=no
/system routerboard settings
set boot-os=router-os
I also ran iperf and noticed that my devices are performing adequately. This is a 1GbE capable client:
But when I run an internet speed test, I’m getting speeds as low as 150mbs. Swap back to my old switch, and I’m soaring at 950mbs.
If I remove Pihole as my DNS in my router, I am seeing 950mbs again on the Mikrotik. Not sure why this is an issue. Anyone have any ideas?
No ideas, and possibly unrelated, but how did you have the pi-hole as DNS server with the old “dumb” switch?
Or if you prefer why do you need to specify it (and with the allow-remote-requests=yes) in the new setup?
192.168.0.1 Is the address of the gateway/router, right?
Would hardware offloading (the lack of it) be connected?
I updated this in my original post, but I’m now getting slow speeds regardless of the DNS. It wasn’t like this when I was testing - switching to something like 8.8.8.8 would give me fast results. Now it is no longer so, getting 150mbs down across clients.
To answer your question, I have PiHole running on a designated server - a SFF PC. That PC is then wired to the switch.
Here’s an illustration of my setup:
Yes, that is the address of the gateway/router. I set the DNS to my Pihole on my router, and point all clients to the router’s IP. Everything in my setup works fine if you replace the Mikrotik with my un-managed switch. Granted, it’s only a 1Gb switch, but my Pihole works (ads are blocked), and my wired clients all get 950mbs down.
My results are really inconsistent. I thought I was on to something when switching DNS on to something else, like 8.8.8.8, but now (for some reason) that is also giving the identical results.
I did notice that sometimes removing my AP’s (that are wired to the Mikrotik) would increase the speed - but that’s also inconsistent. Sometimes it does, sometimes it doesn’t. I am not quite sure what to make of it all.
I used Pihole before, now I switched to Adguard, and what I do is, under IP/DHCP Server/Networks, I input the Adguard IP address in the DNS Server field, and if there is a VLAN for which I don’t want to use my DNS server I leave it blank.
Under IP/DNS/Settings I put 8.8.8.8 and 1.1.1.1 in dynamic servers and set allow remote requests to yes.
That way networks for which I specified to use my DNS get the DNS IP address and other networks get 8.8.8.8 and 1.1.1.1, e.g. IoT devices, cameras etc.
Never had problem, with managed or unmanaged switches.
DNS IP is simply provided by DHCP so I can’t see any reason how could dumb switch interfere with that.
PiHole slows things down because the NAT element of the example container config forces all traffic thru the CPU. I expect the reason you’re seeing the same after switching back to Google DNS is that you’ve still got a NAT layer in there for veth1, edited out of your overly-sanitized configuration.
Rather than go round on this once more, try this simple test: does WinBox show the CPU pegged when you’re experiencing bandwidth constraints? If so, I’m right, and your traffic isn’t fully hardware-offloaded, as it should be, indicating that your CRS310 switch is being arm-twisted into the role of a router, which it is ill-suited for.
Don’t point me to the “R” in the product name to try and prove that the CRS310 is a “router”; facts are facts, and marketing is…marketing. Containers are best run on router-class devices, particularly if you expect gigabit class speeds out of them.
What I don’t understand is how the pi-hole is working with the “dumb” switch.
Surely you have nothing in that “dumb” switch pointing to 192.168.0.1 as the DNS server, so the corresponding setup on the CRS should be to have nothing in /ip dns.
I am not familiar at all with that device (nor actually with many other Mikrotik devices) but philosophically, if you replace a “dumb” switch with that Mikrotik you should first thing try with the Mikrotik acting as well as a “dumb” switch.
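The point made in the post above, that a CRS standing in for an unmanaged switch needs nothing in /ip dns, can be checked mechanically against an export. This is an added example, not part of the thread and not MikroTik tooling: the function names and finding labels are hypothetical, the sample input is constructed from the export in the first post, and it assumes export lines are not wrapped with a trailing backslash.

```python
import re
import shlex

# Constructed sample: the relevant sections of the export posted in this thread.
EXPORT = """\
/interface bridge
add name="LAN Ports"
/interface bridge port
add bridge="LAN Ports" interface=all
/ip address
add address=192.168.0.101 interface="LAN Ports" network=192.168.0.101
/ip dns
set allow-remote-requests=yes servers=192.168.0.1
"""

def parse_export(text):
    """Parse unwrapped RouterOS export lines into (menu, verb, props) tuples."""
    entries, menu = [], None
    for raw in text.splitlines():
        line = re.sub(r"\[.*?\]", "", raw).strip()  # drop "[ find ... ]" selectors
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
            continue
        verb, *rest = shlex.split(line)  # shlex keeps name="LAN Ports" as one token
        props = dict(tok.split("=", 1) for tok in rest if "=" in tok)
        entries.append((menu, verb, props))
    return entries

def audit_switch_role(entries):
    """Return (label, message) findings; the labels are hypothetical names."""
    filtered = any(m == "/ip firewall filter" and p.get("chain") == "input"
                   for m, _, p in entries)
    findings = []
    for menu, _, p in entries:
        addr = p.get("address")
        if menu == "/interface bridge port" and p.get("interface") == "all":
            findings.append(("bridge-all", "bridge port is the catch-all 'all'"))
        elif menu == "/ip address" and addr and "/" not in addr \
                and p.get("network") == addr:
            findings.append(("addr-no-prefix", f"{addr}: no prefix length"))
        elif menu == "/ip dns" and p.get("allow-remote-requests") == "yes":
            note = "" if filtered else " and no input-chain filter limits clients"
            findings.append(("dns-resolver", "answers remote DNS requests" + note))
    return findings

if __name__ == "__main__":
    print(audit_switch_role(parse_export(EXPORT)))
```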
Silly one here, but does your root.hints file auto-update, I think there was a server change late last year. https://www.iana.org/domains/root/files
In you pi…
This person also uses a Deco AP.
Support recommended that they turned off RSTP and set protocol to none, because there’s some bugs with RouterOS and these AP’s.
I did that and now everything works great. Internet speeds across all wired clients are pushing 950mbs consistently.
I still have one AP that was getting slow Wi-Fi speeds (about half of what it used to), but I’ll tinker with it some more to see what’s what.
It seems like an issue with the switch and AP’s, and not something to do with my DNS - as I initially thought.
I’m using my Pi-Hole DNS server, ads are blocked and queries are logged without any slow downs or issues.
I made a support ticket with Mikrotik and updated it with my current findings. Maybe it will lead to something.
But at least I’m not going crazy.
No, what that thread says is that the Deco creates a 1-2 second loop on the connection that RSTP is detecting and pinching off, as it is designed to do. An AP should not be looping traffic back like that at all. The bug is on the Deco, not in RouterOS. If RouterOS ever “fixes” it, it will be to patch around someone else’s bug.
I’m using my Pi-Hole DNS server, ads are blocked and queries are logged without any slow downs or issues.
I suppose that makes sense given that DNS is such a small fraction of the traffic, and it’s directed to a single veth IP.
I still recommend moving this function to a proper router-grade box, if possible.
If that failed, then I’d try to rework the NAT in terms of the bridge firewall. I put that last because I wouldn’t be surprised if VETH is incompatible with this feature.
Something to check: you wrote that with the old switch (1Gb/s), it was fine. The new one has 2.5Gb/s capability, so I am wondering whether that could wreak havoc.
Could you replace the ether1 with the name of the interface on the CRS310-8G+2S+IN that goes to the deco and see the rates advertised and selected?
/interface/ethernet/monitor [find name=ether1] once
Then check if you see any errors, again replacing the ether1
/interface/ethernet/print stats where name=ether1
And repeat with the interface to the Pi and to the machine you use for tests?
If you find one interface having errors, try lowering the permitted speeds. Again, replace ether1 with the correct interface name, and the advertised rates can be copied from the monitor output, removing the 2.5G entries.