Upload issue on CCR-1036-12G-4S

gius64 · September 19, 2014, 6:26pm

Hello everyone,
I’ve just configured a CCR1036 to replace my old router but I have a big issue.

There is internet connection on SFP1, and on the ethernet ports there are other devices.

If I try to upload something I reach max 20mbps per port.
It means that if I start an upload from three ports (and three different devices) at the same time I reach 60mbps, but my internet connection is 300mbps in upload.

I can’t understand why I can’t reach 300mbps… With the old router I had 300mbps.

Can you help me?

RouterOS version is 6.19

gius64 · September 19, 2014, 7:26pm

Update: Rebooting the router gave me max speed for 3 minutes… And then 20mbps

IntrusDave · September 19, 2014, 7:32pm

We need the config to see what’s going on. post an /export compact

gius64 · September 19, 2014, 7:40pm

Super simple configuration:

SFP1 to an ADM
Ether1 to Ether12 bridged on bridge1
Public IP on SFP1
Private IP on Ether1
NAT on IP class 10.0.0.0/8

My computer connected directly to the ADM: full speed
My computer connected to one of the port ether1-12: 20mbps max (per port!!!)

gius64 · September 20, 2014, 1:26pm

Here is export compact:

/interface bridge
add mtu=1500 name=my-bridged-network protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=\
    ether1-bridged
set [ find default-name=sfp1 ] auto-negotiation=no comment="Fiber" \
    l2mtu=9600 name=sfp1-wan
set [ find default-name=sfp2 ] auto-negotiation=no comment="Bridged Network" \
    name=sfp2-bridged
set [ find default-name=sfp3 ] auto-negotiation=no
set [ find default-name=sfp4 ] auto-negotiation=no
/interface bridge port
add bridge=my-bridged-network interface=ether1-bridged
add bridge=my-bridged-network interface=sfp2-bridged
add bridge=my-bridged-network interface=ether3
add bridge=my-bridged-network interface=ether4
add bridge=my-bridged-network interface=ether5
add bridge=my-bridged-network interface=ether6
add bridge=my-bridged-network interface=ether7
add bridge=my-bridged-network interface=ether8
add bridge=my-bridged-network interface=ether9
add bridge=my-bridged-network interface=ether10
add bridge=my-bridged-network interface=ether11
add bridge=my-bridged-network interface=ether12
add bridge=my-bridged-network interface=ether2
add bridge=my-bridged-network interface=sfp3
add bridge=my-bridged-network interface=sfp4
/interface bridge settings
set use-ip-firewall-for-pppoe=yes
/ip address
add address=10.0.2.254/24 comment="Local IP" interface=sfp2-bridged \
    network=10.0.2.0
add address=XXXXXXXX/30 interface=sfp1-wan network=XXXXXXXX
/ip dns
set allow-remote-requests=yes cache-size=8192KiB max-udp-packet-size=512 \
    servers=8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat out-interface=sfp1-wan src-address=\
    10.0.0.0/8 to-addresses=MY_WAN_IP
/ip route
add distance=1 gateway=MY_GATEWAY_WAN_IP
add distance=1 dst-address=MY_WAN_IP gateway=MY_GW_WAN_IP

I have a bridged wireless network, 100% mikrotik.
I can attach my bridged network to the CCR via SFP or Ethernet, but the results are the same.

I can attach my WAN network directly to my Fiber ADM via SFP or through an SFP switch and then ethernet, but the results are the same.

zyzelis · September 20, 2014, 4:32pm

Hello,

Maybe the issue is here?:

set [ find default-name=sfp1 ] auto-negotiation=no comment=“Fiber”
l2mtu=9600 name=sfp1-wan

If ros is v.6.19, then set autonegotiation to yes

and why second route?
add distance=1 dst-address=MY_WAN_IP gateway=MY_GW_WAN_IP

IntrusDave · September 20, 2014, 4:51pm

I would guess that it’s the L2MTU=9600. Even if your ISP is delivering via fiber, i doubt they are using anything more than 1500. So your MTU should be 1500 and L2 MTU should be 1590.

Also on the auto-negotiation, You have it disabled, but you are not setting the link. at the very least it should be:

set [ find default-name=sfp1 ] advertise=1000M-full auto-negotiation=no rx-flow-control=auto tx-flow-control=auto

gius64 · September 20, 2014, 5:38pm

Thank you for your answer!

Do you think I should edit my MTU on all interfaces?
Because I have the same issue using ethernet to connect to my ISP instead of SFP (passing through a switch)!

The export doesn’t say nothing about auto-negotiation because I used the default settings, they are the same you reported but with Flow Control off (my ISP told me to turn it off).

Here’s interface data:

----Actual Gateway (x86 machine with RouterOS 6.19)----

LAN (Ethernet to bridged network)
MTU: 1500
L2 MTU: 9200 (not editable)

WAN (Ethernet to a switch that has both SFP and Ethernet port)
MTU: 1500
L2 MTU: 7152 (not editable)

Bridge
MTU: 1500
L2 MTU: 9200 (not editable)

----New CCR Gateway----

SFP1 to Fiber (instead of old WAN)
MTU: 1500
L2 MTU: 9600

SFP2 to bridged network (instead of old LAN)
MTU: 1500
L2 MTU: 9600

All other interfaces
MTU: 1500
L2 MTU: 1590

Bridge
MTU: 1500
L2 MTU: 1590 (not editable)

As I said, I have the same issue using SFP or using Ethernet, both for bridged network and fiber…

I had to use auto-negotiation=no and set it to 1gbps-full because it’s the only way to make it work.
My ISP told me to do this.
About the second route you’re right, it’s not needed, I don’t remember why is there, maybe because all my attempts to solve the problem

I noticed also that on the Old Gateway in Firewall → Mangle there are these two values, and there are not in the new one:

MANGLE
Flags: X - disabled, I - invalid, D - dynamic
 0  D chain=forward action=change-mss new-mss=1370 passthrough=yes
      tcp-flags=syn protocol=tcp in-interface=all-ppp tcp-mss=1371-65535
      log=no log-prefix=""

 1  D chain=forward action=change-mss new-mss=1420 passthrough=yes
      tcp-flags=syn protocol=tcp out-interface=all-ppp tcp-mss=1421-65535
      log=no log-prefix=""

But they are dynamic, where are they from?

zyzelis · September 20, 2014, 6:18pm

Do you use any tunnel protocol like pppoe for wan connection?

gius64 · September 20, 2014, 6:26pm

No, my users connect to the access points (on the bridged network) using pppoe but on the gateway I’m not using it…

zyzelis · September 20, 2014, 7:02pm

So the problem can be
a) with the nat rule
b) L2MTU size

try to lower l2mtu size to 1590

gius64 · September 20, 2014, 7:08pm

What NAT rule?

zyzelis · September 20, 2014, 7:18pm

This rule
/ip firewall nat
add action=masquerade chain=srcnat out-interface=sfp1-wan src-address=
10.0.0.0/8 to-addresses=MY_WAN_IP

in general this rule looks ok. but who knows.
remove src address and to-addresses

and if not helps, write here

gius64 · September 20, 2014, 7:50pm

SRC is needed because I NAT only users with private IP.
There are users with public IP which are not natted.

I can remove to-address but it seems strange to me that a NAT rule creates these problems!

I would like to have as more advice as possible because the gateway is 100km far from home so I’ll go there only if I’m pretty sure I can solve the problem Or at least I have some suggestions from you

TrollMan · October 3, 2014, 10:18am

I cant solve your issue, but you should set the IP not on the port but on the bridge. And you forgot to add a firewall rule to drip DNS reflection attack.

gius64 · October 3, 2014, 10:21am

Thank you for your support!
What rule for DNS reflection?
Why IPs on the bridge?

TrollMan · October 3, 2014, 11:57am

Since the ports are added to the bridge the bridge should have the ip and not one of the ports.

DNS, its a DNS amplification attack that you want to stop, http://forum.mikrotik.com/t/firewall-filter-rules-for-dns/77695/1 . Not closing the DNS from WAN side could consume all your outgoing bandwidth by someone doing the attack.