VLANs over single ethernet port on x86 RouterOS: low ISP throughput

Hello guys. I have a very basic hotspot configuration for an open wifi network service. I created VLANs to isolate the access points from seeing each other, along with the client isolation option enabled on each AP to isolate connected clients. The APs used on my network are NSM2 in bridge mode.

The APs are connected directly to a normal unmanaged switch, and from the switch to the LAN ethernet interface port on the x86 RouterOS. I don't have the budget to buy a managed switch for now, and it's working great to protect the network from scanning tools.

Each VLAN is configured with its own DHCP, hotspot and NAT settings. Take a look at the code below:

/interface ethernet
set 0 arp=enabled auto-negotiation=yes cable-settings=default disable-running-check=yes disabled=no full-duplex=yes l2mtu=16383 mac-address=xxx mtu=1500 name=LAN speed=1Gbps
set 1 arp=enabled auto-negotiation=yes cable-settings=default disable-running-check=yes disabled=no full-duplex=yes l2mtu=16383 mac-address=xxx mtu=1500 name=WAN speed=1Gbps

/interface vlan
add arp=enabled disabled=no interface=LAN l2mtu=16379 mtu=1500 name=VLAN_A use-service-tag=no vlan-id=11
add arp=enabled disabled=no interface=LAN l2mtu=16379 mtu=1500 name=VLAN_B use-service-tag=no vlan-id=12
add arp=enabled disabled=no interface=LAN l2mtu=16379 mtu=1500 name=VLAN_C use-service-tag=no vlan-id=13

/ip address
add address=192.168.2.1/24 disabled=no interface=LAN network=192.168.2.0
add address=192.168.11.1/24 disabled=no interface=VLAN_A network=192.168.11.0
add address=192.168.12.1/24 disabled=no interface=VLAN_B network=192.168.12.0
add address=192.168.13.1/24 disabled=no interface=VLAN_C network=192.168.13.0
add address=10.0.0.1/24 disabled=no interface=WAN network=10.0.0.0

/ip dhcp-server
add address-pool=VLAN_A authoritative=after-2sec-delay bootp-support=static disabled=no interface=VLAN_A lease-time=4w2d name=VLAN_A
add address-pool=VLAN_B authoritative=after-2sec-delay bootp-support=static disabled=no interface=VLAN_B lease-time=4w2d name=VLAN_B
add address-pool=VLAN_C authoritative=after-2sec-delay bootp-support=static disabled=no interface=VLAN_C lease-time=4w2d name=VLAN_C

/ip dhcp-server network
add address=192.168.11.0/24 dhcp-option="" dns-server="" gateway=192.168.11.1 ntp-server="" wins-server=""
add address=192.168.12.0/24 dhcp-option="" dns-server="" gateway=192.168.12.1 ntp-server="" wins-server=""
add address=192.168.13.0/24 dhcp-option="" dns-server="" gateway=192.168.13.1 ntp-server="" wins-server=""

/ip pool
add name=VLAN_A ranges=192.168.11.2-192.168.11.254
add name=VLAN_B ranges=192.168.12.2-192.168.12.254
add name=VLAN_C ranges=192.168.13.2-192.168.13.254

/ip hotspot profile
set [ find default=yes ] dns-name=www.bytezone.net hotspot-address=192.168.2.1 html-directory=hotspot http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap,https,http-pap name=default nas-port-type=wireless-802.11 radius-accounting=yes radius-default-domain="" radius-interim-update=received radius-location-id="" radius-location-name="" radius-mac-format=XX:XX:XX:XX:XX:XX rate-limit="" smtp-server=0.0.0.0 split-user-domain=no ssl-certificate=none use-radius=yes

/ip hotspot
add disabled=no idle-timeout=5m interface=LAN keepalive-timeout=none name=LAN profile=default
add disabled=no idle-timeout=5m interface=VLAN_A keepalive-timeout=none name=VLAN_A profile=default address-pool=none
add disabled=no idle-timeout=5m interface=VLAN_B keepalive-timeout=none name=VLAN_B profile=default address-pool=none
add disabled=no idle-timeout=5m interface=VLAN_C keepalive-timeout=none name=VLAN_C profile=default address-pool=none

/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m name=default on-login="" on-logout="" rate-limit=180k/450k shared-users=1 status-autorefresh=1m transparent-proxy=no

/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=WAN src-address=192.168.2.0/24
add action=masquerade chain=srcnat disabled=no out-interface=WAN src-address=192.168.11.0/24
add action=masquerade chain=srcnat disabled=no out-interface=WAN src-address=192.168.12.0/24
add action=masquerade chain=srcnat disabled=no out-interface=WAN src-address=192.168.13.0/24

=====================================

Guys, I know the configuration is very simple, but truly I have a very strange problem. The speed of the internet connection is horrible; it's very low, almost 50% of my ISP's actual speed, and sometimes goes a little above that. I downgraded the RouterOS version from 6.x to 5.21 and nothing changed. Where can the problem be exactly?

If you need more details, I can post my AP settings in order to give a very clear idea of my question.
Thank you for sharing your experience to help solve my issue.

Instead of using VLANs, just use a split horizon bridge. Put the hotspot IP on the local bridge, along with the DHCP server, etc. Connect each AP interface to the bridge as a port, and set horizon=1 on each interface that has an AP plugged into it.

EDIT: I just realized you're using a trunk interface on the MikroTik router, so instead of bridging physical interfaces, bridge the three VLAN sub-interfaces, but still just use a single flat IP scheme as I suggested above.

Thank you so much ZeroByte, I'm a big fan of yours and enjoy learning from and reading your guides every time I take a tour of this forum.

And yes, exactly, I followed your guides: I created a bridge, added the VLANs and set split horizon to 1 on each, and created the hotspot and DHCP on that bridge. The result is that the ports are isolated successfully, but I still suffer from the same issue, as I see the bandwidth throughput is totally down, almost 50% and even less!

Where can the problem be exactly? CPU is almost 2%. I'm using an x86 dual core PC with 2GB of memory, just 2 mangle rules with queue trees for Facebook and WhatsApp QoS, and the firewall filters are no more than the basic customer protection written down on the wiki.

One more question: do I have to assign the VLANs to the physical eth interface or to the bridge itself? Maybe I'm doing something wrong; here is the refined code:


/interface ethernet
set 0 name=LAN
set 1 name=WAN
/interface bridge
add name=bridge1
/interface vlan
add interface=LAN name=VLAN_A vlan-id=11
add interface=LAN name=VLAN_B vlan-id=12
add interface=LAN name=VLAN_C vlan-id=13
/interface bridge port
add bridge=bridge1 horizon=1 interface=VLAN_A
add bridge=bridge1 horizon=1 interface=VLAN_B
add bridge=bridge1 horizon=1 interface=VLAN_C


Hotspot, DHCP and NAT are assigned to bridge1.

It depends on what you want to do.
If you put VLAN interfaces onto a bridge, and then connect etherX interfaces as ports to the bridge, then you're going to have several ports which act as "trunk" type interfaces. They will be forwarding tagged and untagged traffic alike. The tagged traffic will reach the VLAN interfaces, and the untagged traffic will reach the bridge interface itself.

If you put VLAN interfaces on a physical interface, then generally you do not want to assign the physical interface as a port of any bridge. Instead, you will have a different bridge for each "VLAN".
So if you have VLAN interfaces 10, 20, and 30 all on interface ether1, then you could make a bridge10, bridge20, and bridge30; each bridge connects to one of those three VLAN interfaces, and then to other physical interfaces, e.g. bridge10 has ports vlan10 and ether2.
This means that whatever is connected to ether2 doesn't use VLAN tags, but it communicates with other devices via ether1, which sends/receives traffic for that bridge using VLAN tag 10.

A strange thing to do would be to have multiple VLAN interfaces on the same physical interface, and then to add all of them as ports of the same bridge.
This does have some usefulness in a host isolation scenario, but it does have some drawbacks because it can drastically multiply your broadcast traffic on a trunk. Suppose a broadcast frame enters the bridge on vlan10: the bridge will forward that to all other ports, in this case vlan20, vlan30, etc. So however many VLAN interfaces there are on the bridge is how many copies of the broadcast frame will be transmitted, and since these are all on the same physical interface, you get that many copies all going across the same physical interface.

Here's a drawing of this last behavior:
[image: Drawing1.png]
Note that the VLAN interfaces function by accepting traffic from the physical side (in this case, ether1) with the same VLAN ID, and then strip off the tag and forward it to whatever the "back side" is.

By default, the "back side" of a VLAN interface is the CPU, but in this "host isolation" example, the backs of the VLAN interfaces are connected to a single bridge, so the broadcast frame enters the bridge without any VLAN header. The bridge simply sees all ports as interfaces where a broadcast should be forwarded, and sends a copy to all attached ports. The remaining VLAN interfaces each add their own 802.1Q VLAN header and transmit the resulting tagged frame onto the wire they're connected to; in this case, it's all ether1.

vlan50 could just as easily be stacked on ether2 instead of ether1, so that "purple" copy of the broadcast wouldn't go on ether1, but onto ether2 instead.

The illustration should make it obvious what one drawback of per-host VLAN isolation can be.
(It also has merits, so I'm not saying to never use this kind of solution; I'm just usually not in favor of it.)

As for your speed issues, I'm not sure what might be behind this, but VLAN tagging / split horizon shouldn't be slowing you down. Perhaps it's the queue type on your interfaces.
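To make the broadcast-multiplication drawback concrete, here is a small forwarding model, added as an example and not code from the thread or from RouterOS. It counts the tagged copies of one broadcast that land on each physical wire for the single-bridge design above, and goes one step beyond the drawing by also modelling the horizon=1 setting the original poster uses. Assumptions: a bridge floods to every port except the ingress port, ports sharing the same non-zero horizon value never forward to each other, and the port names (vlan10..vlan50, ether1, ether2) are constructed to match the drawing.

```python
# Added example: a simplified model of how a bridge floods a broadcast across
# VLAN sub-interfaces that all sit on the same physical interface.
# Assumption: flood to every port except ingress; RouterOS split horizon means
# ports with the same non-zero horizon value do not forward to each other.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    name: str       # bridge port name, e.g. "vlan10" or "ether2"
    phys: str       # physical wire the frame actually leaves on
    vlan_id: int    # 0 = untagged port, otherwise the 802.1Q tag added on egress
    horizon: int    # 0 = no split horizon (the RouterOS default)


def flood(ports, ingress_name):
    """Copies of one broadcast per physical interface (CPU copy not counted)."""
    ingress = next(p for p in ports if p.name == ingress_name)
    copies = Counter()
    for p in ports:
        if p is ingress:
            continue
        if ingress.horizon and p.horizon == ingress.horizon:
            continue  # same horizon group: the bridge drops instead of forwarding
        copies[p.phys] += 1  # egress re-tags with p.vlan_id when p.vlan_id != 0
    return dict(copies)


def one_bridge_many_vlans(horizon=0):
    """The drawing: vlan10..vlan40 stacked on ether1, vlan50 on ether2,
    all ports of one bridge (constructed names)."""
    ports = [Port(f"vlan{v}", "ether1", v, horizon) for v in (10, 20, 30, 40)]
    ports.append(Port("vlan50", "ether2", 50, horizon))
    return ports


def per_vlan_bridge():
    """The alternative: bridge10 holds only vlan10 (on ether1) and ether2."""
    return [Port("vlan10", "ether1", 10, 0), Port("ether2", "ether2", 0, 0)]


if __name__ == "__main__":
    print("single bridge, no horizon:", flood(one_bridge_many_vlans(), "vlan10"))
    print("single bridge, horizon=1: ", flood(one_bridge_many_vlans(1), "vlan10"))
    print("per-VLAN bridge:          ", flood(per_vlan_bridge(), "ether2"))
```

With no horizon a broadcast from vlan10 is re-sent three times onto ether1 plus once onto ether2; with horizon=1 on every VLAN port the bridge forwards nothing between them, so only the CPU side (the hotspot gateway) sees it.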

OK, if I understand you precisely, in principle this way of doing host isolation could affect the traffic in the case of using a low-feature RB or having so many VLANs in the network, but in my case it should not affect the performance, although it's not the professional way of doing host isolation (to be honest, this is the way that came to my mind after having a long hard time facing network scanning tools and MAC spoofing used by the clients).

> As for your speed issues, I'm not sure what might be behind this, but VLAN tagging / split horizon shouldn't be slowing you down. Perhaps it's the queue type on your interfaces.

Sure, just like what you said, I seriously started thinking it may be something else other than the dynamic simple queues, which are only used for shaping the traffic, along with the 2 queues for Facebook and WhatsApp up/down. To be honest, I'm even thinking of replacing the RJ45 I used for Cat5e with the RJ45 used for Cat6 cables, as I just realized this ridiculous mistake I made when I first ran my wifi network 2 years ago!!

Also, I'm on my way to get a CCR1009-8G-1S-1S+ to replace the ~300 Watt x86, and I will see how it differs, as I believe my OptiPlex 780 is not doing very well in QoS and load balancing.

Thank you for the deep valuable information ZeroByte :slight_smile:

I highly doubt that switching to Cat6 is going to give you any improvement.
If you were doing 10Gig links and had lots of potential interference sources, then yeah, Cat6, but for 10/100/1000 links... unless you've got runs going lengthwise along fluorescent tubes or something like that, you're not going to get any help there IMO.

Sure, I'm not the only WISP in my area. It's full of 2.4 GHz Ubiquiti APs and suffers from interference, and I have some APs 60 m away from the switch.

If you connect a PC directly to Ethernet 2 (temporarily disable the VLAN), what speed do you get? The expected speed of your ISP?

The main point, as ZeroByte said, is that maybe it's not related to the VLANs nor the bridge settings; just looking at the configuration, it's very basic, nothing out of line. The other point: unfortunately I can't do any further tests on the server, as it's a production one working 24/7, so I will get the CCR1009 by Saturday to do a complete fresh setup and see how it's going to differ in performance. I will inform you of the results. Thanks for your support @haik01 :slight_smile: