YUP - That’s been my beef for several years now.
Please don’t get me wrong, but I feel Mikrotik uses wimpy / slow / weak / underpowered CPUs in most of their motherboards.
I have not found a Mikrotik product that can route and/or firewall and/or bridge and/or NAT and/or VPN and/or Tunnel EoIP all ports at the same time.
Even on a simple less than 10 k NV2 WDS AC mimo link, it is impossible to get much above 400 meg wireless throughput without driving the CPU up above 50 percent or much higher.
A simple test to check if your router is under-powered. Multiply the number of Ethernet ports you have by the maximum speed of each port, then multiply this number by 2 (the 2 is for full duplex), then add the maximum speeds of your wireless - now you have a speed your CPU needs to be able to handle. Now perform a speedtest to your loopback 127.0.0.1 using the tools-bandwidth test with UDP/both. You will quickly discover you are not even close to being able to route at network speed to all ports. Example - let’s say a board has 3 gig Ethernet ports and a 3x3 mimo NV2 wireless card - your math should result somewhere higher than 7 gig. A btest to the 127.0.0.1 loopback will not even come close to the calculated throughput needed.
Another example of a seriously underpowered motherboard… Let’s say you need a two port 10-gig Ethernet router/firewall device. A two port 10-gig per port router should be able to layer 3 process up to 40 gig per second. A btest to 127.0.0.1 on a Mikrotik anything motherboard will not even come close to the maximum L3 speeds you may need.
Hey IntrusDave,
I assume CHR can’t talk directly to wireless cards (NV2) (and no CD ISO to boot/install from). Have you had the opportunity to test x86 32-bit ROS with any Mikrotik wireless cards? I am especially interested in trying to find a solution to handle WDS NV2 mimo 3x3 AC microwave links at the upper throughput limits of what the wireless protocol speeds are supposed to support. I am aiming for near 1-gig wireless throughput - the best I can get right now is just over 500 meg peak on MT anything before the MT CPU starts a melt-down.
Is it safe to assume that a captive-portal configuration with bandwidth limits on some interfaces to some customers while routing & firewalling & natting & bridging all use multi-core if multi-cores are available?
A basic configuration I use here at my ISP utilizes a 10-gig internet upstream connection where my local core routers use multiple 10-gig routed interfaces with around 100 Vlans to different customer home/business networks where each customer has unique up/down bandwidths anywhere from 10-meg up to 5 gig accounts - and all accounts use firewalls to filter/block all RFC-1918 traffic and a few other firewall rules to prevent IP spoofing. Is this something a CHR should be able to reliably work with?
How fast is a Ryzen processor board compared to a Xeon processor board compared to a CHR for 10-Gig core routing/bridging/FireWall/NAT/Vlan/Simple-Queue functions - a high-throughput busy ISP environment with 1,000 or greater customers? It would be interesting to find out (cost of performance vs flat-out-performance).
As far as I understand, Mikrotik has taken the virtualization path on x86 to avoid dealing with the variety of hardware available on x86 platforms, integrating drivers and certifying hardware working with RouterOS.
Using virtualization, that task is taken by the hypervisor developer, keeping the RouterOS image as light as it has always been.
In the near future virtualization features are closing the gap on latency, making it perfect for networking implementations.
Taking this into account, I think the virtualization path is the smartest one to board x86 platforms.
I use virtual machines for everything (VMware ESXi). Management, maintenance, full-image-backup/full-image-recovery and tuning throughput is so much easier. And a big positive feature is that one physical computer can host many independent/isolated virtual machines with many different operating systems on many different networks at the same time and all virtual machines can share isolated HDD file systems on the same local physical hard disk or network NAS system(s).
Testing at 10 gigabit Ethernet speeds is very complicated and requires a lot of equipment,
plus simulating the real behavior of 1000’s of customers makes this more difficult.
I think it is very difficult to predict the performance because each configuration and scenario is different.
Because of that, Mikrotik tests equipment using the same configs and scenario to establish a comparison, then you have to translate that comparison to your specific scenario known results.
With x86 hardware the comparison goes beyond CPU and RAM configuration, because the system parts selection can lead to bottlenecks, making the same CPU/RAM combination perform differently.
I think the main topic when assembling an x86 machine for networking is getting the NICs on the CPU’s direct PCI Express lanes to avoid bottlenecks; don’t use NICs connected to the motherboard chipset’s oversubscribed and slower PCI Express lanes.
Yes, you are right. Our environment is like this: we have over 5,000 users connected to our network and we are checking everyone’s IP with our firewall rules. We have an E5-2670 and our total CPU usage is 15% when we have over 4K active users connected to our network. Our only problem is that we experience 100% CPU load when we get attacked by one IP. So we need better CPU performance. Btw, we get spoof attacks with thousands of IPs but no CPU load, so it is strange that only one IP saturates all our network.
We are thinking of buying a CCR1072-1G-8S+ or building our own x86 machine. We can test i7700k Mikrotik performance without buying a CCR1072; if it suits, we will continue.
Is an i7700k with an Intel X520 NIC a good combination?
What would you recommend to us?
With your environment, a CCR will literally fall over. It simply can not deal with BGP, Firewall Rules, and Traffic in high quantities. High traffic and maybe 100 firewall rules will be enough to stop the CCR dead in its tracks. It’s definitely not the ‘flagship’ that MT is making it out to be.
After how many thousands of US$, how many failed CCR devices (power supplies), and how many days, weeks, months of bad performance, we are replacing all our CCRs with CHRs (against our wishes as x86 support is dying).
Question: With full BGP tables and maybe 100 firewall rules as you describe where a CCR simply can not deal … Is a CHR on a high end XEON system good enough to do the job in real life with decent throughput with throughput speeds greater than 1-gig? How well can a CHR handle 10-Gig interfaces with what kind of typical throughputs?
Mikrotik continues to ignore fast x86, and still releases routers on old slow cores from the past:
CCR2116 (Annapurna Labs Alpine AL73400, based on ARM Cortex-A72 from 2016)
CCR2004 (Annapurna Labs Alpine AL324, based on ARM Cortex-A57 from 2012)
CCR10XX (Tilera TILE-Gx from 2012)
RB5009 (Marvell Armada 7040, based on ARM Cortex-A72 from 2016)
RB4011, RB1100AHx4 (Annapurna Labs Alpine AL21400, based on ARM Cortex-A15 from 2011)
RB3011 (Qualcomm IPQ8064, based on Qualcomm Krait 300 from 2012)