Upgrade from hAP ac²? (single core bottleneck)

lapsio · July 7, 2020, 10:16pm

Hi

I’m currently using hAP ac² as edge router at home. Unfortunately it seems that I reached its performance limits. My load is really uneven and mostly 1 core is loaded (cpu3) which constantly sits at 100% while other cores closer to 40%. Nevertheless I’m getting packet drops when traffic exceeds around 80 mbps. Profiler shows 50% core load on firewall. The other 50% is spread across other stuff, notably networking and queues.

I’m using probably all most resource intense functions like heavy per-packet mangling, PBR, bridge-ip-firewall, global parent queue-tree etc etc. No fasttrack obviously and that’s probably not gonna change.

What are my upgrade options? I’d prefer something with hardware switch (with VLANs support) because I’m also using this router as bypass-switch in order to allow bypassing inline IPS and transparent proxy if any of them is down. Mikrotik has severe issues with NAT when the sane packets go several times through connection tracking.

lapsio · July 7, 2020, 10:27pm

I’m getting impression that RB3011 is the only device that checks all those boxes… But there’s no desktop variant… Does 3011 physically fit RB2011-IN enclosure? Because I have one spare RB2011 that i don’t use anyways around

whatever · July 8, 2020, 6:15am

I went from hAP ac² to RB4011iGS+RM in order to achieve gigabit speed IPv6 routing with stateful firewall, which isn’t possible on hAP ac² due to the lack of IPv6 fasttrack.
My workaround for the lack of hardware switching with vlan filtering is to use one of the switch groups with vlan filtering completely disabled and connect it to a bunch of hAP ac²s which serve as combined wifi access point and vlan filtering access switch. You might be able to find similar workarounds for your use case.

And although it is disappointing that the rb4011 cannot do vlan filtering in hardware, its CPU is indeed fast enough to do it in software which is probably fine for most use cases as well.

krafg · July 8, 2020, 6:55pm

Or try with hEX (880 Mhz)

Regards.

lapsio · July 8, 2020, 9:11pm

According to wiki hEX also doesn’t have proper switch chip. Just like hEX S
https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features

lapsio · July 8, 2020, 9:34pm

I thought about using external switch but I don’t think it’s this simple in my case. Because I have scripted VLAN filtering that is reconfigured dynamically with 20ms switch time in order to detect whether master proxy is up. This script is executed evey 13 seconds:

/ip arp
    
    :local primary [find comment="lb-primary"]
    :local backup  [find comment="lb-backup"]
    
    /interface ethernet
    
    :local primaryif [find name="ether2-f5"]
    :local backupif [find name="ether3-opi"]
    :local uplinkif [find name="ether4-gw-ccr"]
    
    /interface ethernet switch vlan
    
    :local vlangwlan [find vlan-id=82]
    :local vlangwwan [find vlan-id=81]
    
    :if ([:len [/system script environment find name="lbha#lastfail"]] = 0) do={ 
        :global "lbha#lastfail"
        :set $"lbha#lastfail" false 
    }
    
    :global "lbha#lastfail"
    
    :if ([:ping address=192.168.0.9 count=30 interval=400ms interface=br-gw-ccr] = 0) do={                                                            
        :if ([/interface ethernet switch vlan get $vlangwwan ports] = {"switch1-cpu",[/interface ethernet get $primaryif name]}) do={
            :put "woooooooo1"
            /interface ethernet switch vlan set $vlangwwan ports="switch1-cpu,$backupif"
            /interface ethernet switch vlan set $vlangwlan ports="$backupif,$uplinkif"
            /ip arp remove [find interface=br-gw-ccr]
            :if ($"lbha#lastfail" = false) do={
                /log error message="DEFAULT LOAD BALANCER IS DOWN, ENABLING_BACKUP"
            }
        } else={
            :put "woooooooo2"
            :if ($"lbha#lastfail" = false) do={
                :set $"lbha#lastfail" true
                /log error message="BOTH LOAD BALANCERS ARE DOWN, WE'RE FUCKED"
            }
            #try another
            /interface ethernet switch vlan set $vlangwwan ports="switch1-cpu,$primaryif"
            /interface ethernet switch vlan set $vlangwlan ports="$primaryif,$uplinkif"
            /ip arp remove [find interface=br-gw-ccr]
        }
    } else={
        :put woooooooo3
        :if ($"lbha#lastfail" = true) do={
            :set $"lbha#lastfail" false
            /log warning message="ONE OF LOAD BALANCERS RESPONDED - GIT GUD"
        }
        :if ([/interface ethernet switch vlan get $vlangwwan ports] = {"switch1-cpu",[/interface ethernet get $backupif name]}) do={
            #super quick probe, should work fine - direct connect
            /interface ethernet switch vlan set $vlangwwan ports="switch1-cpu,$primaryif"
            /interface ethernet switch vlan set $vlangwlan ports="$primaryif,$uplinkif"
            :delay 20ms
            /ip arp remove [find interface=br-gw-ccr]
            :delay 20ms
            /ip arp remove [find interface=br-gw-ccr]
            :if ([:ping address=192.168.0.9 count=4 interval=50ms interface=br-gw-ccr] = 0) do={
                /interface ethernet switch vlan set $vlangwwan ports="switch1-cpu,$backupif"
                /interface ethernet switch vlan set $vlangwlan ports="$backupif,$uplinkif"
                /ip arp remove [find interface=br-gw-ccr]
            } else={
                /log warning message="DEFAULT LOAD BALANCER IS UP, DISABLING BACKUP"
            }
        }
    }
    
    :log debug "script-exit: lbha2""

If i remember correctly changing VLANs on switch chip is the only way to reliably change traffic path for 20ms. Reconfiguring software VLAN interfaces had significantly higher latency. And monitoring proxy on switch would be quite tricky (this script is actually supposed to switch VLANs when proxy hangs / there’s misconfiguration on proxy side. Not only when device is completely down. Proxy also doesn’t support VRRP nor any other clustering protocols since It’s HA cluster of 2 completely different proxies - F5 and Nginx)

krafg · July 9, 2020, 1:40am

So, you need an enterprise router that comes with all that you need. Your requirements most probably are not compatible with “home line” devices.

If RB3011 have all your hardware requirement, choose it, or better choose some CCR for other requirements on the future.

Regards.

lapsio · July 11, 2020, 7:14am

It’s just.edge router for low bandwidth traffic. I hoped it’s gonna be fine xD. I’m using CCR1009 as primary router for LAN.

Surprisingly “enterprise routers” don’t provide such functionality since in most cases they’re not so easily scripted. I’d need to get some legit load balancer with monitoring capabilities and HA, eg second F5 but this hAP is set up exactly to avoid getting second load balancer which costs 3 kidneys.

RB3011 looks fine but form factor is suboptimal. In fact if it wasn’t rackmount-only I’d buy it time long ago. Thus I’m interested whether it’s possible to mod 3011 into 2011 enclosure? (assuming I have 2011-IN laying around to use as enclosure donor)

lapsio · July 11, 2020, 7:51am

Eh, looks similar. Should be good enough.

lapsio · July 11, 2020, 7:54am

Ok that answers my question https://www.reddit.com/r/mikrotik/comments/d39ll7/rb3011_in_2011_enclose_running_70_beta/