Unable to get wire speed between WLAN and LAN on CRS328-24P-4S+ with VLAN bridge

Hi,

I have a 10 Gbps fiber connection at home and a CRS328-24P-4S+ router/switch.

When connected directly on the modem with my laptop and a 1 Gbps Ethernet adaptor, I get around 1.2 Gbps when testing with fast.com.

When connected directly on the switch, I get around only 600-700 Mbps and CPU usage on the switch reaches 100%.

The switch is connected through a 10 Gbps SFP+ to the modem. The bridge on the switch has various VLANs and has “vlan-filtering=yes”.

The CRS328-24P-4S+ and all the APs were on 6.x long-term. I read this post (http://forum.mikrotik.com/t/fastpath-fasttrack-l2hw-l3hw-clarification/155333/1) about 6.x not supporting fast-path for this scenario, so I upgraded everything to 7.15.

After reading https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading, I set “l3-hw-offloading=yes” on the switch chip and on all the ports EXCEPT the WAN port, because when I enable it there Internet access stops working (websites just hang).

I’m still seeing high CPU usage when testing with fast.com and I’m still around 600-700 Mbps. The fast-path stats on the bridge are no longer zero (contrary to RouterOS 6.x), but they do not increase while testing with fast.com, so clearly the WAN connections are not being fast-pathed. However, the FastTrack counters on the firewall appear to show that the fast.com connections are being FastTracked.

What am I doing wrong? Why are all the packets still going through the CPU once a connection LAN ↔ WAN has been established by the firewall?

Thank you so much for your help!

PS: Here are all the relevant parts in the config:

# 2024-06-03 11:29:04 by RouterOS 7.15
# software id = HZIZ-7WJZ
#
# model = CRS328-24P-4S+

/interface bridge
# One bridge ("LAN") carries every VLAN (vlan-filtering=yes). The bridge interface
# itself is also the L3 interface for the untagged/VLAN 1 network (192.168.2.1/24
# is assigned to it under /ip address), so VLAN 1 doubles as the management network.
# NOTE(review): ingress-filtering=no disables the check that the receiving port is a
# member of a received frame's VLAN in the bridge VLAN table, and frame-types is not
# set (default admit-all). Together this means a host on an access port such as
# ether11-IOT (pvid 200) can send frames tagged 250 and have them switched into
# SecureNet at L2 - confirm this is not intended. Fix: ingress-filtering=yes on all
# ports, plus frame-types=admit-only-untagged-and-priority-tagged on pvid-only ports.
# NOTE(review): arp=proxy-arp makes the router answer ARP on this bridge for any
# address it can route - presumably for the PPP/L2TP clients the input chain accepts;
# confirm it is still required, since it also hides host misconfiguration.
add admin-mac=2C:C8:1B:38:B5:21 arp=proxy-arp auto-mac=no igmp-snooping=yes ingress-filtering=no name=LAN vlan-filtering=yes

/interface ethernet
# Port renames only. The IOT / SECURE / AP suffixes document the intended role, but
# the role is enforced solely by the pvid and bridge VLAN table further down, not by
# the name. sfp-sfpplus2..4 are unused and disabled; sfp-sfpplus1 is the WAN uplink.
set [ find default-name=sfp-sfpplus1 ] name=WAN
set [ find default-name=ether2 ] name=ether2-hAP-AC3
set [ find default-name=ether3 ] name=ether3-cAP-AC
set [ find default-name=ether4 ] name=ether4-cAP-AC
set [ find default-name=ether5 ] name=ether5-cAP-AC
set [ find default-name=ether6 ] name=ether6-cAP-XL-AC
set [ find default-name=ether7 ] name=ether7-cAP-AC
set [ find default-name=ether8 ] name=ether8-wAP-AC
set [ find default-name=ether10 ] name=ether10-cAP-AC
set [ find default-name=ether11 ] name=ether11-IOT
set [ find default-name=ether12 ] name=ether12-cAP-Lite
set [ find default-name=ether13 ] name=ether13-SECURE
set [ find default-name=ether14 ] name=ether14-IOT-GS116PP
set [ find default-name=ether15 ] name=ether15-IOT
set [ find default-name=ether16 ] name=ether16-IOT
set [ find default-name=ether18 ] name=ether18-IOT
set [ find default-name=ether19 ] name=ether19-SECURE poe-out=off
set [ find default-name=ether20 ] name=ether20-IOT
set [ find default-name=ether21 ] name=ether21-IOT
set [ find default-name=ether22 ] name=ether22-IOT
set [ find default-name=ether23 ] name=ether23-IOT
set [ find default-name=ether24 ] name=ether24-IOT
set [ find default-name=sfp-sfpplus2 ] disabled=yes
set [ find default-name=sfp-sfpplus3 ] disabled=yes
set [ find default-name=sfp-sfpplus4 ] disabled=yes

/interface vlan
# L3 interfaces for VLANs 100/200/250 on top of the bridge. There is no entry for
# VLAN 1: its L3 interface is the bridge "LAN" itself (see /ip address).
add interface=LAN name=GuestNet vlan-id=100
add interface=LAN name=IOTNet vlan-id=200
add interface=LAN name=SecureNet vlan-id=250

/interface ethernet switch port
# Switch-chip port index 24 - presumably sfp-sfpplus1 (WAN), which the post says is
# the only port with L3 offload turned off. Verify the mapping with
# "/interface ethernet switch port print" rather than relying on the index.
set 24 l3-hw-offloading=no

/ip pool
# One pool and one DHCP server per VLAN; .150-.250 is handed out, lower addresses
# are left for static hosts (e.g. the NAS at 192.168.200.60 referenced in NAT).
add name=LAN ranges=192.168.2.150-192.168.2.250
add name=GuestNet ranges=192.168.100.150-192.168.100.250
add name=IOTNet ranges=192.168.200.150-192.168.200.250
add name=SecureNet ranges=192.168.250.150-192.168.250.250

/ip dhcp-server
# Short 1h leases; authoritative after a 2 s delay so another DHCP server on the
# segment would be tolerated rather than NAKed immediately.
add address-pool=LAN authoritative=after-2sec-delay bootp-support=none interface=LAN lease-time=1h name=LAN
add address-pool=GuestNet authoritative=after-2sec-delay bootp-support=none interface=GuestNet lease-time=1h name=GuestNet
add address-pool=IOTNet authoritative=after-2sec-delay bootp-support=none interface=IOTNet lease-time=1h name=IOTNet
add address-pool=SecureNet authoritative=after-2sec-delay bootp-support=none interface=SecureNet lease-time=1h name=SecureNet

/interface bridge filter
(There are 8 filters here, but all disabled)

/interface bridge port
# Access ports: pvid=200 (IoT) and pvid=250 (Secure) put untagged traffic into those
# VLANs. Ports with no pvid - ether1, ether9, ether17 and all AP ports - use the
# default pvid=1, so untagged traffic on them lands in VLAN 1, which is also where
# the bridge's own 192.168.2.1 management address lives. Anything plugged into
# ether1/9/17 is therefore directly on the management/LAN subnet.
# NOTE(review): every port has ingress-filtering=no, so the bridge does not drop a
# frame tagged for a VLAN the ingress port is not a member of. The AP ports need
# admit-all (tagged 100/200 plus untagged 1), but the pvid-only IoT/SECURE ports
# could take ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
# to stop a host on them from tagging its way into another VLAN.
add bridge=LAN ingress-filtering=no interface=ether3-cAP-AC
add bridge=LAN ingress-filtering=no interface=ether4-cAP-AC
add bridge=LAN ingress-filtering=no interface=ether5-cAP-AC
add bridge=LAN ingress-filtering=no interface=ether6-cAP-XL-AC
add bridge=LAN ingress-filtering=no interface=ether7-cAP-AC
add bridge=LAN ingress-filtering=no interface=ether8-wAP-AC
add bridge=LAN ingress-filtering=no interface=ether9
add bridge=LAN ingress-filtering=no interface=ether10-cAP-AC
add bridge=LAN ingress-filtering=no interface=ether11-IOT pvid=200
add bridge=LAN ingress-filtering=no interface=ether12-cAP-Lite
add bridge=LAN ingress-filtering=no interface=ether13-SECURE pvid=250
add bridge=LAN ingress-filtering=no interface=ether14-IOT-GS116PP pvid=200
add bridge=LAN ingress-filtering=no interface=ether15-IOT pvid=200
add bridge=LAN ingress-filtering=no interface=ether16-IOT pvid=200
add bridge=LAN ingress-filtering=no interface=ether17
add bridge=LAN ingress-filtering=no interface=ether18-IOT pvid=200
add bridge=LAN ingress-filtering=no interface=ether19-SECURE pvid=250
add bridge=LAN ingress-filtering=no interface=ether20-IOT pvid=200
add bridge=LAN ingress-filtering=no interface=ether21-IOT pvid=200
add bridge=LAN ingress-filtering=no interface=ether22-IOT pvid=200
add bridge=LAN ingress-filtering=no interface=ether23-IOT pvid=200
add bridge=LAN ingress-filtering=no interface=ether24-IOT pvid=200
add bridge=LAN ingress-filtering=no interface=ether2-hAP-AC3
add bridge=LAN ingress-filtering=no interface=ether1

/interface ethernet switch l3hw-settings
# Let the switch re-enable L3 offload by itself after an offload failure.
set autorestart=yes

/ip firewall connection tracking
# NOTE(review): 10 s is very aggressive. A UDP flow idle for longer loses its
# conntrack entry; a late reply from WAN then counts as a new connection and is
# dropped by the forward "not dst-natted" rule. Check this does not affect the
# IKE/NAT-T (udp 500/4500) sessions accepted in the input chain.
set udp-timeout=10s

/ip settings
# rp-filter=strict drops a packet when the best route back to its source does not
# point out the interface it arrived on (anti-spoofing). That also drops legitimate
# traffic on asymmetric paths - e.g. around the ipip-lausanne tunnel - which is why
# the thread suggests loose, which still rejects sources that are not routable at all.
set max-neighbor-entries=8192 rp-filter=strict

/ipv6 settings
# IPv6 fully off; if this is ever enabled, an /ipv6 firewall is needed - the v4
# rules below do not apply to v6.
set disable-ipv6=yes

/interface bridge vlan
# Bridge VLAN table. tagged=LAN means the bridge/CPU interface is a tagged member,
# which is what the /interface vlan L3 interfaces need. VLAN 200 (IoT) and 100
# (Guest) are trunked tagged to every AP port; 250 (Secure) is deliberately not
# carried to the APs - only untagged on ether13/ether19 and tagged to the CPU.
# VLAN 1 has no entry: it is the untagged default carried by pvid=1 ports.
add bridge=LAN tagged=LAN,ether2-hAP-AC3,ether3-cAP-AC,ether4-cAP-AC,ether5-cAP-AC,ether6-cAP-XL-AC,ether7-cAP-AC,ether8-wAP-AC,ether10-cAP-AC,ether12-cAP-Lite untagged=\
    ether11-IOT,ether14-IOT-GS116PP,ether15-IOT,ether16-IOT,ether18-IOT,ether20-IOT,ether21-IOT,ether22-IOT,ether23-IOT,ether24-IOT vlan-ids=200
add bridge=LAN tagged=LAN,ether2-hAP-AC3,ether3-cAP-AC,ether4-cAP-AC,ether5-cAP-AC,ether6-cAP-XL-AC,ether7-cAP-AC,ether8-wAP-AC,ether10-cAP-AC,ether12-cAP-Lite vlan-ids=100
add bridge=LAN tagged=LAN untagged=ether19-SECURE,ether13-SECURE vlan-ids=250

/interface ethernet switch
# L3 hardware offload on the switch chip (routes between local VLANs can be handled
# in hardware; NAT/FastTrack cannot on this model, per the MikroTik reply in the thread).
set 0 l3-hw-offloading=yes

/ip address
# Gateway addresses for each VLAN. The WAN side is a private /30 toward the modem
# at 192.168.0.1, so this router apparently sits behind the modem's own NAT.
# NOTE(review): the NOT_PUBLIC address list is not in this excerpt; if it contains
# 192.168.0.0/16 the input rule FROM_WAN_NOT_PUBLIC also drops the modem's own
# traffic to this router. Check the list contents.
# ipip-lausanne is a tunnel interface defined outside this excerpt.
add address=192.168.2.1/24 interface=LAN network=192.168.2.0
add address=192.168.100.1/24 interface=GuestNet network=192.168.100.0
add address=192.168.200.1/24 interface=IOTNet network=192.168.200.0
add address=10.0.2.1/30 interface=ipip-lausanne network=10.0.2.0
add address=192.168.250.1/24 interface=SecureNet network=192.168.250.0
add address=192.168.0.2/30 interface=WAN network=192.168.0.0

/ip dhcp-server network
# Every VLAN is told to use this router as its DNS server. Note that SecureNet has
# no input-chain accept rule below, so DNS queries from 192.168.250.x to
# 192.168.250.1 are dropped by the final input drop - confirm that is intended.
add address=192.168.2.0/24 comment=LAN dns-server=192.168.2.1 gateway=192.168.2.1 netmask=24
add address=192.168.100.0/24 comment=GuestNet dns-server=192.168.100.1 gateway=192.168.100.1 netmask=24
add address=192.168.200.0/24 comment=IOTNet dns-server=192.168.200.1 gateway=192.168.200.1 netmask=24
add address=192.168.250.0/24 comment=SecureNet dns-server=192.168.250.1 gateway=192.168.250.1 netmask=24

/ip firewall filter
# ---- input: traffic addressed to the router itself ----
add action=accept chain=input comment="Accept established and related connections" connection-state=established,related
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid log=yes log-prefix=INVALID
add action=drop chain=input comment="Drop broadcast packets" dst-address=255.255.255.255
add action=drop chain=input comment="Drop packets which are not destined to local addresses" dst-address-type=!local log=yes log-prefix=NOT_LOCAL
# NOTE(review): the next three accept *everything* from the LAN, Guest and IoT
# interfaces to the router, so every management service (ssh, winbox, www, api,
# ...) is reachable from the guest and IoT VLANs. Narrow Guest/IoT to what they
# need from the router (typically udp/53 and icmp) and keep full access for the
# trusted LAN only.
add action=accept chain=input comment="Accept packets from LAN" in-interface=LAN
add action=accept chain=input comment="Accept packets from GuestNet" in-interface=GuestNet
add action=accept chain=input comment="Accept packets from IOTNet" in-interface=IOTNet
add action=accept chain=input comment="Accept packets from PPP" in-interface=all-ppp
add action=accept chain=input comment="Allow packets from IPIP tunnel" in-interface=ipip-lausanne
# NOT_PUBLIC and lausanne.latour.info are address lists defined outside this excerpt.
add action=drop chain=input comment="Drop packets from WAN which should not exist in public network" in-interface=WAN log=yes log-prefix=FROM_WAN_NOT_PUBLIC src-address-list=NOT_PUBLIC
# NOTE(review): SSH is open to the whole Internet; a non-default port is obscurity,
# not a control. Prefer reaching it over the L2TP/IPsec VPN accepted just below,
# or at least add src-address-list= and use key-only authentication.
add action=accept chain=input comment="Allow SSH from WAN" dst-port=7513 in-interface=WAN protocol=tcp
add action=accept chain=input comment="Allow IPSec (IKE) from WAN" dst-port=500 in-interface=WAN protocol=udp
add action=accept chain=input comment="Allow IPSec (NAT-Traversal) from WAN" dst-port=4500 in-interface=WAN protocol=udp
add action=accept chain=input comment="Allow IPSec (ESP) from WAN" in-interface=WAN protocol=ipsec-esp
add action=accept chain=input comment="Allow L2TP over IPSec from WAN" dst-port=1701 in-interface=WAN ipsec-policy=in,ipsec protocol=udp
# IPIP (ipencap) has no authentication or encryption; this source-list match is the
# only gate and a spoofed source address passes it. Acceptable only if the tunnel
# is itself protected (e.g. an IPsec policy), which this excerpt does not show.
add action=accept chain=input comment="Allow IPIP from WAN (lausanne.latour.info only)" in-interface=WAN protocol=ipencap src-address-list=lausanne.latour.info
add action=drop chain=input comment="Drop Bittorrent UDP traffic for Download Station" dst-port=16881 in-interface=WAN protocol=udp
add action=drop chain=input comment="Drop everything else" log=yes log-prefix=INPUT
# ---- forward: traffic routed through the router ----
# hw-offload=yes has no effect on this model (the MikroTik reply later in the
# thread: CRS328 does not offload FastTrack/NAT). FastTracked packets skip the
# remaining filter and mangle rules, so everything after this rule only ever sees
# the first packets of each connection.
add action=fasttrack-connection chain=forward comment="Fasttrack established and related connections" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Accept established and related connections" connection-state=established,related
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid log=yes log-prefix=INVALID_CONNECTION
# The only rule blocking WAN-originated traffic; anything dst-natted in /ip firewall nat is let through.
add action=drop chain=forward comment="Drop new connections from WAN which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=WAN log=yes log-prefix=NOT_DST_NATTED
# NOTE(review): no in-interface here, and it precedes the Guest/IoT/Secure reject
# rules, so every VLAN - GuestNet included - can reach the modem's management
# address. Add in-interface=LAN if only the trusted LAN should.
add action=accept chain=forward comment="Allow packets from LAN to modem" dst-address=192.168.0.1
add action=drop chain=forward comment="Drop packets to WAN which should not exist in public network" dst-address-list=NOT_PUBLIC log=yes log-prefix=TO_WAN_NOT_PUBLIC out-interface=WAN
add action=accept chain=forward comment="Allow packets from GuestNet to WAN" in-interface=GuestNet out-interface=WAN
add action=reject chain=forward comment="Reject packets from GuestNet" in-interface=GuestNet log=yes log-prefix=GUEST_NET reject-with=icmp-network-unreachable
add action=accept chain=forward comment="Allow packets from IOTNet to WAN" in-interface=IOTNet out-interface=WAN
# IoT -> SecureNet is allowed on every host, port and protocol. If SecureNet is the
# most restricted segment, narrow this to the specific hosts/ports required.
add action=accept chain=forward comment="Allow packets from IOTNet to SecureNet" in-interface=IOTNet out-interface=SecureNet
add action=reject chain=forward comment="Reject packets from IOTNet" in-interface=IOTNet log=yes log-prefix=IOT_NET reject-with=icmp-network-unreachable
# The comment says "to WAN" but there is no out-interface=WAN: udp/123 from SecureNet
# to *any* destination, other VLANs included, matches this rule.
add action=accept chain=forward comment="Allow packets from SecureNet to WAN (NTP only)" dst-port=123 in-interface=SecureNet protocol=udp
add action=reject chain=forward comment="Reject packets from SecureNet" in-interface=SecureNet log=yes log-prefix=SECURE_NET reject-with=icmp-network-unreachable
# NOTE(review): unlike input, the forward chain has no final drop. Anything not
# matched above - notably all traffic from the untagged LAN/VLAN 1 to every other
# VLAN and to WAN - is accepted by the default policy. Add an explicit catch-all
# drop so a new segment is denied until a rule allows it.

/ip firewall mangle
# Connection marks used only to label flows in the connection list (per the author's
# later reply; since removed). mark-connection needs to see just the first packet
# of a flow, so it keeps working under FastTrack, but any future per-packet mangle
# (routing/packet marks, QoS) would miss every FastTracked packet.
add action=mark-connection chain=prerouting in-interface=ipip-lausanne new-connection-mark=ipip-lausanne-IN passthrough=no
add action=mark-connection chain=postrouting new-connection-mark=ipip-lausanne-OUT out-interface=ipip-lausanne passthrough=no
add action=mark-connection chain=prerouting in-interface=IOTNet new-connection-mark=IOTNet-IN passthrough=no
add action=mark-connection chain=postrouting new-connection-mark=IOTNet-OUT out-interface=IOTNet passthrough=no
add action=mark-connection chain=prerouting in-interface=SecureNet new-connection-mark=SecureNet-IN passthrough=no
add action=mark-connection chain=postrouting new-connection-mark=SecureNet-OUT out-interface=SecureNet passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade everything to WAN" out-interface=WAN
# NOTE(review): these publish the Synology's web and DSM ports to the entire
# Internet with no source restriction; tcp/80 and tcp/5000 are plaintext HTTP.
# An L2TP/IPsec VPN is already accepted in the input chain - reaching DSM over it
# instead, or at least adding src-address-list= here, removes the exposure. The
# forward rule "not dst-natted" is what lets exactly these connections in.
add action=dst-nat chain=dstnat comment="Synology NVR (WebServer - HTTP)" dst-port=80 in-interface=WAN protocol=tcp to-addresses=192.168.200.60
add action=dst-nat chain=dstnat comment="Synology NVR (DSM - HTTPS)" dst-port=443 in-interface=WAN protocol=tcp to-addresses=192.168.200.60 to-ports=5001
add action=dst-nat chain=dstnat comment="Synology NVR (DSM)" dst-port=5000-5001 in-interface=WAN protocol=tcp to-addresses=192.168.200.60
add action=dst-nat chain=dstnat comment="Synology NVR (Download Station - Bittorrent)" dst-port=16881 in-interface=WAN protocol=tcp to-addresses=192.168.200.60
# Uncommented rule: udp/6881 is forwarded while the input chain drops udp/16881 -
# confirm which BitTorrent port the NAS actually listens on.
add action=dst-nat chain=dstnat dst-port=6881 in-interface=WAN protocol=udp to-addresses=192.168.200.60
# Hairpin NAT. The server is on IOTNet (192.168.200.x) and the clients on LAN, so
# out-interface=LAN never matches the server-bound leg; hairpin src-nat is only
# needed when client and server share a subnet, so this masquerade is probably a
# no-op. The two dst-nat rules presumably rely on the public name resolving to
# 192.168.2.1 internally, and match in-interface=LAN only - hosts on other VLANs
# using that name are not redirected.
add action=masquerade chain=srcnat comment="Hairpin NAT (Synology NVR DSM)" dst-address=192.168.200.60 dst-port=5000-5001 out-interface=LAN protocol=tcp
add action=dst-nat chain=dstnat dst-address=192.168.2.1 dst-port=5000-5001 in-interface=LAN protocol=tcp to-addresses=192.168.200.60
add action=dst-nat chain=dstnat dst-address=192.168.2.1 dst-port=443 in-interface=LAN protocol=tcp to-addresses=192.168.200.60 to-ports=5001
# DNS interception: forces clients' DNS (53) and DoT (853) to the router, but only
# for in-interface=LAN; Guest/IoT/Secure are not covered. Redirecting 853 to the
# router breaks DoT clients unless the router terminates TLS for them.
add action=redirect chain=dstnat comment="Redirect DNS Requests" dst-port=53 in-interface=LAN protocol=udp
add action=redirect chain=dstnat dst-port=53,853 in-interface=LAN protocol=tcp

/ip route
# Remote site 192.168.88.0/24 reached over the IPIP tunnel, sourced from the LAN
# address. IPIP itself is unauthenticated and unencrypted (see the input-chain
# comment); treat this route as a plaintext link unless an IPsec policy covers it.
add disabled=no dst-address=192.168.88.0/24 gateway=ipip-lausanne pref-src=192.168.2.1

/routing igmp-proxy interface
# Multicast (IPTV-style) proxied from WAN into the LAN bridge only.
# alternative-subnets=0.0.0.0/0 on the upstream accepts multicast from any source
# address; narrow it to the provider's source range if that is known.
add alternative-subnets=0.0.0.0/0 interface=WAN upstream=yes
add alternative-subnets=0.0.0.0/0 interface=LAN

Side note: contrary to what is documented in https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading#L3HardwareOffloading-AdvancedMonitor, the advanced monitor doesn’t show the extra info such as “fasttrack-queue-size”:

/interface/ethernet/switch/l3hw-settings/advanced> monitor once
        ipv4-routes-total: 33
           ipv4-routes-hw: 32
          ipv4-routes-cpu: 1
  ipv4-shortest-hw-prefix: 0
               ipv4-hosts: 53
         route-queue-size: 0
         route-queue-rate: 0
       route-process-rate: 0
              nexthop-cap: 4096
            nexthop-usage: 137

Did it ever occur to you that you bought a switch not a router. Sure it can be used as a router, RoS is fantastically flexible, but still, there are limits on throughput for WAN connectivity.
I am actually shocked that you managed to get over 500 Mbps. You must not have many rules… (don't want to see the config now, LOL).

crs328.jpg

(1) /ip settings
set max-neighbor-entries=8192 rp-filter=strict

I would set this to loose: strict reverse-path filtering drops any packet whose source is not routed back out the interface it arrived on, which breaks asymmetric paths (e.g. around your IPIP tunnel); loose still drops sources that are not routable at all, so you keep basic anti-spoofing.

(2) Why do you have a LAN attached to the bridge? I dont see any ports using LAN??

(3) HORRIBLE idea to name your bridge "LAN": it's already nomenclature the router uses for various things, and it's very confusing.

(4) Firewall rules are crap…

(5) Why are you mangling? What is the requirement? Also, with mangle in place your FastTrack rule should probably be disabled: FastTracked packets bypass the rest of the firewall, including mangle, so the two work against each other.
This can cause a real slowdown in traffic (when FastTrack is not disabled and mangling is happening).

(6) Is your WANIP a static public IP or a dynamic public IP ??? Will determine the correct path for dstnat format.

(7) Why hairpin NAT? It is only required when users reach the server through a DynDNS-style URL (like the IP Cloud mynetname) instead of the server's direct LAN IP, AND
the users are in the same subnet/VLAN as the server.
So in which subnet is this happening?

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
CONCLUSION: Purchase an RB5009 ROUTER and then attach to the CRS328 via the sfp+ ports.

Thanks for your answers!

Yes, it’s a switch, but I figured since it’s quite powerful for home use, it would be able to handle this WAN ↔ LAN bandwidth… I will look into buying a dedicated router, but hopefully, I can extract more bandwidth from this setup still. Note that I don’t need the full 10 Gbps WAN, I’m going to downgrade my fiber to 1Gbps.

I changed “rp-filter” to “loose”.

I’m always willing to learn more, could give more specifics if you don’t mind about some stuff being bad in the firewall rules?

Mangling was just to tag some connections so I could identify them in the firewall connection list. I deleted that.

I have a dynamic public IP.

I set up hairpin NAT so that I can use the same domain name like server.example.com to reach my home server from inside the house (i.e. LAN) or outside the house (and avoid all sort of annoying issues). This server is running on the 192.168.200.x subnet (vlan 200).

Hi,

CRS328-24P-4S+ does not support FastTrack and NAT connection hardware-offloading (as stated on the L3HW Device Support page). Hence, all traffic requiring NAT (LAN<=>WAN) goes through the CPU, which has a limited performance because the device is a manageable switch (not a router) to begin with.

Got it, thanks again.

So to be clear, inter-VLAN routing on the switch can be fast-tracked? It’s only when going to WAN which requires NAT’ing that we have to go through CPU no matter what? This means that if I purchase a router, it’s only to do LAN ↔ WAN routing and not also inter-VLAN routing?

Not quite.
The Router will do all the routing bits, including
setting up all the VLANs, giving out DHCP etc.
The switch will only need to get an IP address from the management VLAN, then receive all the VLANs from the router on one trunk port
and distribute them out the rest of the ports as required. The only VLAN that needs its own /interface vlan entry on the bridge is the management VLAN.

The real power and purpose of managed switches like this is inter-VLAN traffic (not traffic to and from the WAN).

CRS328-24P-4S+ doesn’t support FastTrack offloading, but I suppose you’ve meant Inter-VLAN Hardware Routing - and yes, CRS328-24P-4S+ supports that. In other words, you should get wire speed between VLANs on CRS328-24P-4S+ (but not between WAN and LAN).


Yes, unless inter-VLAN routing requires the packets to pass the stateful firewall.

True that — so cross-VLAN traffic that has to pass an L3 firewall rule is what is meant here. Traffic within a VLAN is more what I was getting at.

So I purchased a MikroTik RB5009UG+S+IN and set it all up. I have a 10 Gbps Ethernet / SFP+ connection between it and the CRS328-24P-4S+ and I use the 2.5Gbps port for the fiber modem. I’m now measuring 1Gbps+ between LAN and WAN so all good.

The router has all the DHCP servers / VLANs / VPN / Capsman / etc… set up. The switch now just does switching and nothing else. The question I’m unclear about is if inter-VLAN routing can happen on the switch or not? My understanding of my set up is that any packet that needs to go from one VLAN to another will have to go through the router, even if both hosts are physically connected to that switch.

You stated above “Yes, unless inter-VLAN routing requires the packets to pass the stateful firewall.” and that’s where I’m confused. How could this be the case? Each VLAN has its own IP subnet and DHCP server, and the router controls all of this.

Here are the relevant part of the switch config:

/interface bridge
# Switch-only role now; the only L3 left is the management DHCP client further down.
# protocol-mode=none disables (R)STP, so a cabling loop between any two bridge ports
# (or through the downstream unmanaged GS116PP) goes undetected - RSTP costs nothing
# on a pure switch and is worth keeping on. ingress-filtering=no is still set, so a
# frame tagged for a VLAN the ingress port is not a member of is not dropped; with
# frame-types at its default that lets a host on an IoT access port inject frames
# into VLAN 250. Prefer ingress-filtering=yes on all ports.
add admin-mac=2C:C8:1B:38:B5:21 auto-mac=no igmp-snooping=yes ingress-filtering=no name=LAN protocol-mode=none vlan-filtering=yes

/interface ethernet
# Port renames only; roles are enforced by pvid and the bridge VLAN table, not by
# name. sfp-sfpplus1 is now the tagged trunk to the RB5009; sfp-sfpplus2..4 unused.
set [ find default-name=ether2 ] name=ether2-hAP-AC3
set [ find default-name=ether3 ] name=ether3-cAP-AC
set [ find default-name=ether4 ] name=ether4-cAP-AC
set [ find default-name=ether5 ] name=ether5-cAP-AC
set [ find default-name=ether6 ] name=ether6-cAP-XL-AC
set [ find default-name=ether7 ] name=ether7-cAP-AC
set [ find default-name=ether8 ] name=ether8-wAP-AC
set [ find default-name=ether10 ] name=ether10-cAP-AC
set [ find default-name=ether11 ] name=ether11-IOT
set [ find default-name=ether12 ] name=ether12-cAP-Lite
set [ find default-name=ether13 ] name=ether13-SECURE
set [ find default-name=ether14 ] name=ether14-IOT-GS116PP
set [ find default-name=ether15 ] name=ether15-IOT
set [ find default-name=ether16 ] name=ether16-IOT
set [ find default-name=ether18 ] name=ether18-IOT
set [ find default-name=ether19 ] name=ether19-SECURE poe-out=off
set [ find default-name=ether20 ] name=ether20-IOT
set [ find default-name=ether21 ] name=ether21-IOT
set [ find default-name=ether22 ] name=ether22-IOT
set [ find default-name=ether23 ] name=ether23-IOT
set [ find default-name=ether24 ] name=ether24-IOT
set [ find default-name=sfp-sfpplus2 ] disabled=yes
set [ find default-name=sfp-sfpplus3 ] disabled=yes
set [ find default-name=sfp-sfpplus4 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] name=trunk

/interface bridge port
# Access ports carry pvid 200 (IoT) / 250 (Secure) untagged. Ports without a pvid -
# ether1, ether9, ether17, the AP ports and the trunk - default to pvid=1, so
# untagged frames on all of them (including untagged frames from the router on the
# trunk) land in VLAN 1, which is the VLAN the switch takes its management address
# from (see /ip dhcp-client). A dedicated, tagged management VLAN on the trunk
# would keep switch management off the general untagged segment.
# ingress-filtering=no on every port: see the bridge comment above.
add bridge=LAN ingress-filtering=no interface=ether3-cAP-AC
add bridge=LAN ingress-filtering=no interface=ether4-cAP-AC
add bridge=LAN ingress-filtering=no interface=ether5-cAP-AC
add bridge=LAN ingress-filtering=no interface=ether6-cAP-XL-AC
add bridge=LAN ingress-filtering=no interface=ether7-cAP-AC
add bridge=LAN ingress-filtering=no interface=ether8-wAP-AC
add bridge=LAN ingress-filtering=no interface=ether9
add bridge=LAN ingress-filtering=no interface=ether10-cAP-AC
add bridge=LAN ingress-filtering=no interface=ether11-IOT pvid=200
add bridge=LAN ingress-filtering=no interface=ether12-cAP-Lite
add bridge=LAN ingress-filtering=no interface=ether13-SECURE pvid=250
add bridge=LAN ingress-filtering=no interface=ether14-IOT-GS116PP pvid=200
add bridge=LAN ingress-filtering=no interface=ether15-IOT pvid=200
add bridge=LAN ingress-filtering=no interface=ether16-IOT pvid=200
add bridge=LAN ingress-filtering=no interface=ether17
add bridge=LAN ingress-filtering=no interface=ether18-IOT pvid=200
add bridge=LAN ingress-filtering=no interface=ether19-SECURE pvid=250
add bridge=LAN ingress-filtering=no interface=ether20-IOT pvid=200
add bridge=LAN ingress-filtering=no interface=ether21-IOT pvid=200
add bridge=LAN ingress-filtering=no interface=ether22-IOT pvid=200
add bridge=LAN ingress-filtering=no interface=ether23-IOT pvid=200
add bridge=LAN ingress-filtering=no interface=ether24-IOT pvid=200
add bridge=LAN ingress-filtering=no interface=ether2-hAP-AC3
add bridge=LAN ingress-filtering=no interface=ether1
add bridge=LAN ingress-filtering=no interface=trunk

/interface ethernet switch l3hw-settings
# Re-enable L3 offload automatically after an offload failure.
set autorestart=yes

/ip settings
# rp-filter relaxed to loose as suggested in the thread: sources that are not
# routable at all are still dropped, asymmetric paths are no longer.
set max-neighbor-entries=8192 rp-filter=loose

/ipv6 settings
# IPv6 off on the switch as well.
set disable-ipv6=yes

/interface bridge vlan
# Bridge VLAN table, now with the trunk to the router as a tagged member of every
# VLAN instead of the CPU (no L3 on the switch any more). VLAN 1 is not listed: it
# is the untagged default on the trunk, the AP ports and ether1/9/17, and it is the
# VLAN the switch's own management address comes from.
add bridge=LAN comment=IOTNet tagged=trunk,ether2-hAP-AC3,ether3-cAP-AC,ether4-cAP-AC,ether5-cAP-AC,ether6-cAP-XL-AC,ether7-cAP-AC,ether8-wAP-AC,ether10-cAP-AC,ether12-cAP-Lite untagged=\
    ether11-IOT,ether14-IOT-GS116PP,ether15-IOT,ether16-IOT,ether18-IOT,ether20-IOT,ether21-IOT,ether22-IOT,ether23-IOT,ether24-IOT vlan-ids=200
add bridge=LAN comment=GuestNet tagged=trunk,ether2-hAP-AC3,ether3-cAP-AC,ether4-cAP-AC,ether5-cAP-AC,ether6-cAP-XL-AC,ether7-cAP-AC,ether8-wAP-AC,ether10-cAP-AC,ether12-cAP-Lite \
    vlan-ids=100
add bridge=LAN comment=SecureNet tagged=trunk untagged=ether19-SECURE,ether13-SECURE vlan-ids=250

/interface ethernet switch
# L3 offload left on; with no IP routing configured on the switch it has nothing to
# offload, so this is harmless but also unnecessary now.
set 0 l3-hw-offloading=yes

/ip dhcp-client
# NOTE(review): the switch's management address is whatever answers DHCP on the
# untagged VLAN 1 of the bridge - the same segment the AP ports and ether1/9/17
# are on, so any host there could hand the switch an address and gateway. A static
# address on a dedicated management VLAN (tagged on the trunk) is the safer choice.
add interface=LAN use-peer-ntp=no

That is my understanding.
If you have traffic that has to go from one vlan to the other, then it will be a layer3 transaction, hence router is involved.
So you will be limited to 1 Gbit for inter-VLAN traffic, versus much faster speeds within the same VLAN anywhere on the switch (assuming ports with more than 1 Gbit throughput, 2.5 or 10 Gbit for example).