Switch VLAN, ROS 7.8, hAP AC2 [Solved]

Good day or night.
I need help with switching VLANs on my hAP AC2. This worked with 6.48.6, but I need some OpenVPN features and WireGuard, so I upgraded my router. Now I see CPU load over 40-50% just from copying files from the NAS inside VLAN 10.
Wireless should be in VLAN 10, but I can't understand how I should do that without a second bridge. Same problem with the third bridge - EoIP tunnel for DLNA.

How should I do that right? CPU load is too high for this functionality.

# apr/15/2023 03:00:10 by RouterOS 7.8
# software id = GW2S-A05L
#
# model = RBD52G-5HacD2HnD
/interface bridge
add name=bridge_DLNA
add name=bridge_ether
add name=bridge_wifi
/interface ethernet
set [ find default-name=ether1 ] name=eth1_WAN
set [ find default-name=ether2 ] name=eth2_PC
set [ find default-name=ether3 ] name=eth3_TV
set [ find default-name=ether4 ] name=eth4_room
set [ find default-name=ether5 ] name=eth5_server
/interface pppoe-client
add add-default-route=yes disabled=no interface=eth1_WAN name=ISP_WAN use-peer-dns=yes user=*********
/interface eoip
add mac-address=02:AF:B5:A6:CE:DB mtu=1500 name=EoIP_V remote-address=**** tunnel-id=1
/interface vlan
add comment=WAN_server interface=bridge_ether name=VLAN_9 vlan-id=9
add comment=home interface=bridge_ether name=VLAN_10 vlan-id=10
add comment=Vingapur interface=bridge_ether name=VLAN_11 vlan-id=11
add comment=Dima_server interface=bridge_ether name=VLAN_19 vlan-id=19
add comment=OpenWRT interface=bridge_ether name=VLAN_23 vlan-id=23
/interface ethernet switch port
set 1 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 3 vlan-header=add-if-missing vlan-mode=secure
set 4 vlan-header=add-if-missing vlan-mode=secure
set 5 vlan-mode=secure
/interface bridge port
add bridge=bridge_ether ingress-filtering=no interface=eth2_PC
add bridge=bridge_ether ingress-filtering=no interface=eth3_TV
add bridge=bridge_ether ingress-filtering=no interface=eth4_room
add bridge=bridge_ether ingress-filtering=no interface=eth5_server
add bridge=bridge_wifi interface=wlan1
add bridge=bridge_wifi interface=wlan2
add bridge=bridge_wifi interface=VLAN_10
add bridge=bridge_DLNA interface=EoIP_V
add bridge=bridge_DLNA interface=VLAN_11
/interface ethernet switch vlan
add comment=WAN_server independent-learning=no ports=eth5_server,switch1-cpu switch=switch1 vlan-id=9
add comment=Home independent-learning=no ports=\
    eth2_PC,eth3_TV,eth4_room,eth5_server,switch1-cpu switch=switch1 vlan-id=10
add comment=Vin independent-learning=no ports=eth5_server,switch1-cpu switch=switch1 vlan-id=11
add comment=2_server independent-learning=no ports=eth4_room,switch1-cpu switch=switch1 vlan-id=19
add comment=OpenWRT independent-learning=no ports=eth4_room,switch1-cpu switch=switch1 vlan-id=23
add comment=PXE independent-learning=no ports=eth5_server,eth4_room switch=switch1 vlan-id=99

(attached network diagram: hap.png)

I don't know the VLAN way you have, just the following way.

/interface bridge add name=bridge vlan-filtering=yes

/interface ethernet
set [ find default-name=ether1 ] name=eth1_WAN
set [ find default-name=ether2 ] name=eth2_PC
set [ find default-name=ether3 ] name=eth3_TV
set [ find default-name=ether4 ] name=eth4_room
set [ find default-name=ether5 ] name=eth5_server

/interface pppoe-client
add add-default-route=yes disabled=no interface=eth1_WAN name=ISP_WAN use-peer-dns=yes user=*********

/interface eoip
add mac-address=02:AF:B5:A6:CE:DB mtu=1500 name=EoIP_V remote-address=**** tunnel-id=1

/interface vlan
add comment=WAN_server interface=bridge name=VLAN_9 vlan-id=9
add comment=home interface=bridge name=VLAN_10 vlan-id=10
add comment=Vingapur interface=bridge name=VLAN_11 vlan-id=11
add comment=Dima_server interface=bridge name=VLAN_19 vlan-id=19
add comment=OpenWRT interface=bridge name=VLAN_23 vlan-id=23

/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=eth2_PC pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=eth3_TV pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=eth4_room
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=eth5_server
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan1 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan2 pvid=10

/interface bridge vlan
add bridge=bridge tagged=bridge,eth4_room,eth5_server untagged=eth2_PC,eth3_TV,wlan1,wlan2 vlan-ids=10
add bridge=bridge tagged=bridge,eth4_room,eth5_server vlan-ids=19,99
add bridge=bridge tagged=bridge,eth5_server vlan-ids=11
add bridge=bridge tagged=bridge,eth4_room vlan-ids=23

Notes:

  1. Your diagram is missing vlan9, so it is not included in the interface bridge port or vlan settings.
  2. Not sure what you're doing with EOIP…
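A consistency check for the single-bridge layout above, added here as an example (it is not code from the thread or from MikroTik): it parses the `/interface bridge port` and `/interface bridge vlan` rows of an export and reports untagged members that are not bridge ports, untagged members whose pvid does not match, and access ports whose pvid has no untagged entry, the kind of slip that silently drops traffic once vlan-filtering=yes is set. The sample export is constructed and carries one deliberate defect.

```python
import re
# Constructed sample modelled on the single-bridge layout above; "eth3" in the
# untagged list is a deliberate defect (no such bridge port) for the checker to catch.
CONFIG = """
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=eth2_PC pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=eth3_TV pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=eth4_room
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=eth5_server
/interface bridge vlan
add bridge=bridge tagged=bridge,eth4_room,eth5_server untagged=eth2_PC,eth3 vlan-ids=10
add bridge=bridge tagged=bridge,eth4_room,eth5_server vlan-ids=19,99
"""

def parse(config):
    """Split an export into bridge ports (keyed by interface) and bridge vlan rows."""
    ports, vlans, section = {}, [], None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            kv = dict(re.findall(r"(\S+?)=(\S+)", line))  # key=value pairs of the row
            if section == "/interface bridge port":
                ports[kv["interface"]] = kv
            elif section == "/interface bridge vlan":
                vlans.append(kv)
    return ports, vlans
def check(config):
    """Return a list of inconsistencies in the bridge VLAN table (empty = consistent)."""
    ports, vlans = parse(config)
    split = lambda row, key: [p for p in row.get(key, "").split(",") if p]
    problems = []
    for v in vlans:
        ids = v["vlan-ids"].split(",")
        for p in split(v, "untagged"):
            if p not in ports:
                problems.append(f"vlan {v['vlan-ids']}: untagged port {p!r} is not a bridge port")
            elif ports[p].get("pvid", "1") not in ids:  # RouterOS default pvid is 1
                problems.append(f"vlan {v['vlan-ids']}: {p} is untagged here but its pvid differs")
        for p in split(v, "tagged"):
            if p != v["bridge"] and p not in ports:
                problems.append(f"vlan {v['vlan-ids']}: tagged port {p!r} is not a bridge port")
    # An access port's pvid must be untagged in some row, or its untagged ingress is dropped.
    for name, kv in ports.items():
        pvid = kv.get("pvid", "1")
        if kv.get("frame-types") != "admit-only-vlan-tagged" and not any(
                pvid in v["vlan-ids"].split(",") and name in split(v, "untagged") for v in vlans):
            problems.append(f"port {name}: pvid {pvid} has no untagged entry in the bridge vlan table")
    return problems
```

Run `check()` over the text of `/export` before enabling vlan-filtering; an empty list means every access port has a matching untagged row.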

Two things to check:

  • are ethernet ports marked as being HW-offloaded?
    Check /interface/bridge/port/print output, flag column (2nd column, right after index numbers) should display “H”
  • which process does consume most of CPU cycles?
    Run CPU profile with all CPUs selected … it should show both the process consuming cycles and if a particular CPU core is pegged to high consumption

Other than that, try to use a single bridge. ROS can (in most cases) only HW offload a single bridge. If there are multiple bridges, it may select the wrong bridge to offload.

Thanks for your answer, mkx!

I see this:

/interface/bridge/port print
Flags: I - INACTIVE; H - HW-OFFLOAD
Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, PATH-COST, INTERNAL-PATH-COST, HORIZON
#    INTERFACE    BRIDGE        HW   PVID  PRIORITY  PATH-COST  IN  HORIZON
0 IH eth2_PC      bridge_ether  yes     1  0x80             10  10  none   
1  H eth3_TV      bridge_ether  yes     1  0x80             10  10  none   
2  H eth4_room    bridge_ether  yes     1  0x80             10  10  none   
3  H eth5_server  bridge_ether  yes     1  0x80             10  10  none   
4    wlan1        bridge_wifi           1  0x80             10  10  none   
5    wlan2        bridge_wifi           1  0x80             10  10  none   
6    VLAN_10      bridge_wifi           1  0x80             10  10  none   
7 I  EoIP_Vyng    bridge_DLNA           1  0x80             10  10  none   
8    VLAN_11      bridge_DLNA           1  0x80             10  10  none

It looks like everything is OK with HW offload.

In the attached screenshot I see utilization of two cores and CPU burst to 900 MHz.

I disabled the HW offload option on the other interfaces, but the problem is still here. And /interface/bridge/port print looks the same as before.

I tried disabling the two other bridges and ports for a test. When I tried iperf in VLAN 10 (eth3<->eth5) CPU utilization was the same…
(attached screenshot: resources.JPG)

Thanks for your answer, anav!
I'm just a newbie and want to get some experience at home with MikroTik routers. This way I want to isolate different VMs on my home server. The home server has SMB and NFS shares, so I need hardware switching for this local traffic.

This means using the CPU for VLAN tagging. CPU utilization is the same. I tested that with my 750GL (it has the same switch chip - Atheros 8327).

Vlan 9 is routed to ISP, it works fine.
EOIP has shares for DLNA server, that is in VLAN 11.

It seems I found the reason for the CPU utilization. The problem was not in the bridge or switch settings.

I have the 192.168.10.x/24 network in VLAN_10 and after removing the NAT rule the problem was solved.

It was:

/ip firewall nat
add action=masquerade chain=srcnat comment=Home src-address=192.168.10.0/24

Now it is:

/ip firewall nat
add action=masquerade chain=srcnat comment=Home out-interface-list=WAN src-address=192.168.10.0/24

It's pretty strange that with 6.48.6 that works well.

I hope that the Atheros 8327 will have hardware bridge filtering in the future.