tallica
just joined
Topic Author
Posts: 2
Joined: Mon Apr 20, 2020 6:31 pm

Inter-vlan routing speed issues (RB750Gr3 + CSS326-24G-2S+RM)

Sun Jun 21, 2020 6:32 pm

Hello,
I have a MikroTik hEX RB750Gr3 router (RouterOS 6.47) and a CSS326-24G-2S+RM switch (SwOS 2.11).

I'm playing with a VLAN setup for my homelab. When devices are on the same VLAN (all traffic goes through the switch only) I get 1 Gbps throughput without issues.

The router is connected to the switch via a single 1 Gbps VLAN trunk port (ether2 <---> port2).

Let's focus on two VLANs: 10 (Trusted) and 20 (Services). I want to route between a device on the Trusted VLAN and a device on the Services VLAN (basically my PC and a server).
I have added a rule to the router's firewall:
add action=accept chain=forward comment="allow Snuffy -> Nassy" connection-state=new dst-address=10.133.20.10 protocol=tcp src-address=10.133.10.10

Unfortunately the speeds I'm getting are rather low (wired connection):
$ iperf3 -c 10.133.20.10
Connecting to host 10.133.20.10, port 5201
[  5] local 10.133.10.10 port 51700 connected to 10.133.20.10 port 5201
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec  38.9 MBytes   327 Mbits/sec
[  5]   1.00-2.00   sec  39.0 MBytes   327 Mbits/sec
[  5]   2.00-3.00   sec  39.0 MBytes   327 Mbits/sec
[  5]   3.00-4.00   sec  39.0 MBytes   327 Mbits/sec
[  5]   4.00-5.00   sec  39.0 MBytes   327 Mbits/sec
[  5]   5.00-6.00   sec  39.0 MBytes   327 Mbits/sec
[  5]   6.00-7.00   sec  39.0 MBytes   328 Mbits/sec
[  5]   7.00-8.00   sec  39.1 MBytes   328 Mbits/sec
[  5]   8.00-9.00   sec  39.0 MBytes   327 Mbits/sec
[  5]   9.00-10.00  sec  39.1 MBytes   328 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-10.00  sec   390 MBytes   327 Mbits/sec                  sender
[  5]   0.00-10.00  sec   390 MBytes   327 Mbits/sec                  receiver

iperf Done.

I'm sure that one of the bottlenecks is the single link between the router and the switch. I can easily add a second cable, but I'm not sure how to handle it on the software side. I was thinking of having all VLANs on the ether2 trunk port except VLAN 20, and then adding a second trunk port on ether3 with only VLAN 20. Unfortunately I was unable to get it to work: connections were not stable, were losing packets and so on...

What are my other options here? Should I use link aggregation?

Can you please take a look at my config? Current setup with only a single VLAN trunk port:
# jun/21/2020 16:47:37 by RouterOS 6.47
# software id = XYZ
#
# model = RB750Gr3
# serial number = XYZ
/interface ethernet
set [ find default-name=ether1 ] comment="WAN"
set [ find default-name=ether2 ] comment="VLAN Trunk Port" loop-protect=on
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
/interface bridge
add name=Bridge protocol-mode=none vlan-filtering=yes
/interface vlan
add comment="Guests WiFi" interface=Bridge name=Guests_VLAN vlan-id=22
add interface=Bridge name=Management_VLAN vlan-id=99
add comment="TV / MiBox / PS4" interface=Bridge name=Media_VLAN vlan-id=50
add comment="Services like NAS" interface=Bridge name=Services_VLAN vlan-id=20
add comment="Trusted LAN/WiFi (personal devices)" interface=Bridge name=Trusted_VLAN vlan-id=10
/interface list
add name=MNGMT
add name=VLANs
add name=WAN
/ip pool
add name=Trusted_POOL ranges=10.133.10.2-10.133.10.254
add name=Services_POOL ranges=10.133.20.2-10.133.20.254
add name=Media_POOL ranges=10.133.50.2-10.133.50.254
add name=Guests_POOL ranges=10.133.22.2-10.133.22.254
add name=Management_POOL ranges=10.133.99.2-10.133.99.254
/ip dhcp-server
add address-pool=Trusted_POOL disabled=no interface=Trusted_VLAN lease-time=1d name=Trusted_DHCP
add address-pool=Services_POOL disabled=no interface=Services_VLAN lease-time=1d name=Services_DHCP
add address-pool=Media_POOL disabled=no interface=Media_VLAN lease-time=1d name=Media_DHCP
add address-pool=Guests_POOL disabled=no interface=Guests_VLAN lease-time=1d name=Guests_DHCP
add address-pool=Management_POOL disabled=no interface=Management_VLAN lease-time=1d name=Management_DHCP
/interface bridge port
add bridge=Bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=MNGMT
/ip settings
set rp-filter=strict
/interface bridge vlan
add bridge=Bridge tagged=Bridge,ether2 vlan-ids=10
add bridge=Bridge tagged=Bridge,ether2 vlan-ids=20
add bridge=Bridge tagged=Bridge,ether2 vlan-ids=22
add bridge=Bridge tagged=Bridge,ether2 vlan-ids=50
add bridge=Bridge tagged=Bridge,ether2 vlan-ids=99
/interface list member
add interface=Management_VLAN list=MNGMT
add interface=Guests_VLAN list=VLANs
add interface=Trusted_VLAN list=VLANs
add interface=Services_VLAN list=VLANs
add interface=Media_VLAN list=VLANs
add interface=ether1 list=WAN
/ip address
add address=10.133.99.1/24 interface=Management_VLAN network=10.133.99.0
add address=10.133.20.1/24 interface=Services_VLAN network=10.133.20.0
add address=10.133.50.1/24 interface=Media_VLAN network=10.133.50.0
add address=10.133.22.1/24 interface=Guests_VLAN network=10.133.22.0
add address=10.133.10.1/24 interface=Trusted_VLAN network=10.133.10.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server lease
add address=10.133.10.10 client-id=1:68:5:ca:1d:3e:dc comment="Snuffy Wired" mac-address=68:05:CA:1D:3E:DC server=Trusted_DHCP
add address=10.133.10.11 client-id=1:88:63:df:c1:6e:4d comment="Snuffy Wireless" mac-address=88:63:DF:C1:6E:4D server=Trusted_DHCP
add address=10.133.10.20 client-id=1:48:d7:5:d4:b:63 comment="Michal's laptop" mac-address=48:D7:05:D4:0B:63 server=Trusted_DHCP
add address=10.133.10.30 client-id=1:9c:f4:8e:68:54:4d comment="Michal's iPhone" mac-address=9C:F4:8E:68:54:4D server=Trusted_DHCP
add address=10.133.10.40 client-id=1:ac:d5:64:90:df:83 comment="Kasia's laptop" mac-address=AC:D5:64:90:DF:83 server=Trusted_DHCP
add address=10.133.10.50 client-id=1:60:d9:c7:36:7:c9 comment="Kasia's iPhone" mac-address=60:D9:C7:36:07:C9 server=Trusted_DHCP
add address=10.133.20.10 comment="Nassy Main" mac-address=0C:C4:7A:03:32:72
add address=10.133.50.10 client-id=1:0:e:c6:c0:eb:a6 comment="Mi Box" mac-address=00:0E:C6:C0:EB:A6 server=Media_DHCP
add address=10.133.50.9 client-id=1:bc:60:a7:2f:46:e6 comment="PlayStation 4" mac-address=BC:60:A7:2F:46:E6 server=Media_DHCP
add address=10.133.50.8 client-id=1:a8:13:74:a1:ad:45 comment="Panasonic TV" mac-address=A8:13:74:A1:AD:45 server=Media_DHCP
add address=10.133.99.99 client-id=1:e8:80:2e:e7:28:c2 comment="Apple USB Ethernet" mac-address=E8:80:2E:E7:28:C2 server=Management_DHCP
/ip dhcp-server network
add address=10.133.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.133.10.1
add address=10.133.20.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.133.20.1
add address=10.133.22.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.133.22.1
add address=10.133.50.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.133.50.1
add address=10.133.99.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.133.99.1
/ip firewall filter
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=drop chain=input comment="drop invalid/malformed packets" connection-state=invalid
add action=accept chain=input comment=Temporary in-interface-list=VLANs
add action=accept chain=input comment="accept connections from Management interface" in-interface-list=MNGMT
add action=accept chain=input comment="accept ICMP" protocol=icmp src-address-list="trusted hosts"
add action=drop chain=input comment="drop port scanners" src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="add port scanners to list" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="block everything else" log-prefix=action:drop
add action=fasttrack-connection chain=forward comment="fast-track for established,related" connection-state=established,related
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=drop chain=forward comment="drop invalid/malformed packets" connection-state=invalid log-prefix=drop:invalid/malformed
add action=accept chain=forward comment="allow VLANs to access WAN" connection-state=new in-interface-list=VLANs out-interface-list=WAN
add action=drop chain=forward comment="drop access to clients behind NAT from WAN" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="allow Snuffy -> Nassy" connection-state=new dst-address=10.133.20.10 protocol=tcp src-address=10.133.10.10
add action=accept chain=forward comment="allow Michal's laptop -> Nassy" connection-state=new dst-address=10.133.20.10 protocol=tcp src-address=10.133.10.20
add action=accept chain=forward comment="allow Kasia's laptop -> Nassy" connection-state=new dst-address=10.133.20.10 protocol=tcp src-address=10.133.10.40
add action=reject chain=forward comment="reject everything else" log=yes log-prefix=action:reject
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set host-key-size=4096 strong-crypto=yes
/system clock
set time-zone-name=Europe/Warsaw
/system ntp client
set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=MNGMT
/tool mac-server mac-winbox
set allowed-interface-list=MNGMT

Thanks in advance!
 
mkx
Forum Guru
Posts: 4317
Joined: Thu Mar 03, 2016 10:23 pm

Re: Inter-vlan routing speed issues (RB750Gr3 + CSS326-24G-2S+RM)

Sun Jun 21, 2020 11:56 pm

According to the official speed tests this is more or less what the hEX router can do (my experience is that the number under "Routing - 25 ip filter rules - 512 byte packet size" best resembles real-life performance).
BR,
Metod
 
tallica
just joined
Topic Author
Posts: 2
Joined: Mon Apr 20, 2020 6:31 pm

Re: Inter-vlan routing speed issues (RB750Gr3 + CSS326-24G-2S+RM)

Sun Jun 28, 2020 7:38 pm

Thanks! So I guess all I can do is put these devices on the same VLAN or invest in an RB4011. Are there any other options?
 
CZFan
Forum Guru
Posts: 1693
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: Inter-vlan routing speed issues (RB750Gr3 + CSS326-24G-2S+RM)

Sun Jun 28, 2020 10:50 pm

If the hEX is not in a "switched" configuration, and depending on your internet connection speed and usage, you might get a bit more between VLANs.
Make ether1 your WAN interface, ether2 for the "Trusted" VLAN and ether3 for the "Services" VLAN.
That way you will have 2 x 1 Gb/s paths between ethers 2, 3 and the CPU.
MTCNA, MTCTCE, MTCRE & MTCINE
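One way to lay out the hEX ports as CZFan describes, written as an added example that is not from the thread or from MikroTik. It assumes ether4 becomes the trunk for the remaining VLANs (22, 50, 99) and that the switch side is changed to match (port2 untagged in VLAN 10, port3 untagged in VLAN 20, the trunk moved to port4); it is meant to be applied on top of the config posted above:

```routeros
# Added example (not from the thread): Trusted (VLAN 10) and Services (VLAN 20)
# move to their own routed ports; ether4 takes over as the trunk (assumption).
/interface ethernet
set [ find default-name=ether2 ] comment="Trusted (VLAN 10, untagged)" loop-protect=on
set [ find default-name=ether3 ] comment="Services (VLAN 20, untagged)" disabled=no loop-protect=on
set [ find default-name=ether4 ] comment="VLAN Trunk Port (22,50,99)" disabled=no loop-protect=on

# The tagged trunk membership moves from ether2 to ether4; ether2 and ether3
# stay outside the bridge so each is a plain routed port
/interface bridge port
set [ find interface=ether2 ] interface=ether4

# VLANs 10 and 20 are no longer bridged; the rest stay tagged on the trunk
/interface bridge vlan
remove [ find vlan-ids=10 ]
remove [ find vlan-ids=20 ]
set [ find vlan-ids=22 ] tagged=Bridge,ether4
set [ find vlan-ids=50 ] tagged=Bridge,ether4
set [ find vlan-ids=99 ] tagged=Bridge,ether4

# Re-point gateway addresses, DHCP servers and the "VLANs" interface list at
# the physical ports, so the existing forward-chain rules keep matching
/ip address
set [ find interface=Trusted_VLAN ] interface=ether2
set [ find interface=Services_VLAN ] interface=ether3
/ip dhcp-server
set Trusted_DHCP interface=ether2
set Services_DHCP interface=ether3
/interface list member
set [ find interface=Trusted_VLAN ] interface=ether2
set [ find interface=Services_VLAN ] interface=ether3

# Only now remove the bridge VLAN interfaces, once nothing references them
/interface vlan
remove Trusted_VLAN
remove Services_VLAN
```

Traffic between ether2 and ether3 is still routed by the CPU through the same forward chain, so the per-host accept rules and the filter-rule throughput mkx refers to continue to apply; this change only takes the two VLANs off the shared trunk link.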
