I've got an RB4011 and a CRS309.
I'm trying to replace my pfSense with an RB4011 and improve inter-VLAN routing speed.
VLANs:
1901 MGT 172.19.1.1/24
1902 WIFI 172.19.2.1/24
* RB4011 gets internet thanks to PPPoE (modem connected to ether2)
* RB4011.SFP1 is connected to CRS309.SFP8
* VLANs MGT and WIFI are tagged on the "trunk" and VLAN 1 is untagged
On the CRS309, port 3 is configured as a trunk and connected to a Proxmox server hosting 2 VMs
* vm1 on vlan 1901 with IP 172.19.1.199
* vm2 on vlan 1902 with IP 172.19.2.199
Both VMs are running iperf3 -s
On the CRS309, port 7 is configured as an access port on VLAN 1901 and connected to a Linux workstation (where I run the iperf3 -c)
I first tried to use a "bridge" on the RB4011 containing the sfpplus interface and the eth10 (for a future access point connection)
With this setup, iperf3 caps at +/- 1.5 Gbits (when crossing subnets)
I then tried to configure the VLANs directly on the sfpplus 1 on the RB4011, like in (1)
And then I have almost 10 Gbits even while crossing VLANs
QUESTION:
How can I get full performance while using a bridge? (Otherwise, I can't use PoE out on eth10 to connect my access point.)
If I keep the config using SFPplus, will I be able to configure inter-VLAN filtering (DMZ-like, without any "surprise")?
Thanks a lot for your feedback and your help
(1) https://blog.kroy.io/2019/09/13/10-giga ... ik-rb4011/
RB4011 WITH BRIDGE
# mar/21/2021 09:38:07 by RouterOS 7.1beta5
# software id = FDJ9-XPWG
#
# model = RB4011iGS+
# serial number = XXXXXXX
/interface bridge
add name=trunk vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether2 max-mtu=1480 name=\
PROXIMUS user=xxxxxxxxxxxx
/interface vlan
add interface=trunk name=mgt vlan-id=1901
add interface=trunk name=wifi vlan-id=1902
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WAN
add name=MGT
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_1901 ranges=172.19.1.100-172.19.1.199
add name=dhcp_1902 ranges=172.19.2.100-172.19.2.199
/ip dhcp-server
add address-pool=dhcp_1901 disabled=no interface=mgt name=dhcp_1901
add address-pool=dhcp_1902 disabled=no interface=wifi name=dhcp_1902
/interface bridge port
add bridge=trunk interface=sfp-sfpplus1
add bridge=trunk interface=ether1 pvid=1901
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=trunk tagged=trunk,sfp-sfpplus1 vlan-ids=1901
add bridge=trunk tagged=trunk,sfp-sfpplus1 vlan-ids=1902
/interface list member
add interface=PROXIMUS list=WAN
add list=LAN
add list=MGT
add list=MGT
/ip address
add address=192.168.1.192/24 interface=ether2 network=192.168.1.0
add address=172.19.2.1/24 interface=wifi network=172.19.2.0
add address=172.19.1.1/24 interface=mgt network=172.19.1.0
/ip dhcp-server network
add address=172.19.1.0/24 dns-server=172.19.1.1 gateway=172.19.1.1
add address=172.19.2.0/24 dns-server=172.19.2.1 gateway=172.19.2.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=172.19.1.0/24 list=MGT
add address=172.19.2.0/24 list=LAN
/ip firewall filter
add action=fasttrack-connection chain=input comment=\
"accept established,related" connection-state=established,related \
hw-offload=yes
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=PROXIMUS \
in-interface-list=WAN protocol=icmp
add action=drop chain=input in-interface=!mgt port=22 protocol=tcp \
src-address-list=""
add action=drop chain=input comment="block everything else" in-interface=\
PROXIMUS
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat out-interface=PROXIMUS
/ip service
set telnet disabled=yes
set api disabled=yes
/system clock
set time-zone-name=Europe/Brussels
/system identity
set name=RB-01
/system package update
set channel=development
4: enp1s0d1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:02:c9:52:29:ad brd ff:ff:ff:ff:ff:ff
inet 172.19.1.252/24 brd 172.19.1.255 scope global noprefixroute enp1s0d1
valid_lft forever preferred_lft forever
inet6 fe80::1440:69be:8944:7821/64 scope link noprefixroute
valid_lft forever preferred_lft forever
Connecting to host 172.19.1.199, port 5201
[ 5] local 172.19.1.252 port 54888 connected to 172.19.1.199 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 1.07 GBytes 9.19 Gbits/sec 46 1.14 MBytes
[ 5] 1.00-2.00 sec 1.09 GBytes 9.35 Gbits/sec 23 409 KBytes
[ 5] 2.00-3.00 sec 1.09 GBytes 9.34 Gbits/sec 20 402 KBytes
[ 5] 3.00-4.00 sec 1.09 GBytes 9.36 Gbits/sec 17 1.24 MBytes
[ 5] 4.00-5.00 sec 1.09 GBytes 9.35 Gbits/sec 18 1.38 MBytes
[ 5] 5.00-6.00 sec 1.09 GBytes 9.36 Gbits/sec 17 1.15 MBytes
[ 5] 6.00-7.00 sec 1.09 GBytes 9.35 Gbits/sec 18 1.10 MBytes
[ 5] 7.00-8.00 sec 1.09 GBytes 9.35 Gbits/sec 11 795 KBytes
[ 5] 8.00-9.00 sec 1.09 GBytes 9.35 Gbits/sec 14 520 KBytes
[ 5] 9.00-10.00 sec 1.08 GBytes 9.31 Gbits/sec 18 1011 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 10.9 GBytes 9.33 Gbits/sec 202 sender
[ 5] 0.00-10.01 sec 10.9 GBytes 9.32 Gbits/sec receiver
iperf Done.
Connecting to host 172.19.2.199, port 5201
[ 5] local 172.19.1.252 port 45798 connected to 172.19.2.199 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 164 MBytes 1.38 Gbits/sec 36 370 KBytes
[ 5] 1.00-2.00 sec 166 MBytes 1.39 Gbits/sec 5 382 KBytes
[ 5] 2.00-3.00 sec 165 MBytes 1.38 Gbits/sec 17 368 KBytes
[ 5] 3.00-4.00 sec 164 MBytes 1.38 Gbits/sec 56 293 KBytes
[ 5] 4.00-5.00 sec 165 MBytes 1.38 Gbits/sec 23 400 KBytes
[ 5] 5.00-6.00 sec 164 MBytes 1.38 Gbits/sec 39 284 KBytes
[ 5] 6.00-7.00 sec 165 MBytes 1.38 Gbits/sec 2 410 KBytes
[ 5] 7.00-8.00 sec 163 MBytes 1.37 Gbits/sec 19 406 KBytes
[ 5] 8.00-9.00 sec 166 MBytes 1.39 Gbits/sec 18 389 KBytes
[ 5] 9.00-10.00 sec 164 MBytes 1.37 Gbits/sec 61 368 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 1.61 GBytes 1.38 Gbits/sec 276 sender
[ 5] 0.00-10.01 sec 1.61 GBytes 1.38 Gbits/sec receiver
iperf Done.
WITH SFPPLUS
# mar/21/2021 09:47:28 by RouterOS 7.1beta5
# software id = FDJ9-XPWG
#
# model = RB4011iGS+
# serial number = fdgsdfg
/interface bridge
add name=trunk vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether2 max-mtu=1480 name=\
PROXIMUS user=xxxxxxx
/interface vlan
add interface=sfp-sfpplus1 name=mgt vlan-id=1901
add interface=sfp-sfpplus1 name=wifi vlan-id=1902
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WAN
add name=MGT
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_1901 ranges=172.19.1.100-172.19.1.199
add name=dhcp_1902 ranges=172.19.2.100-172.19.2.199
/ip dhcp-server
add address-pool=dhcp_1901 disabled=no interface=mgt name=dhcp_1901
add address-pool=dhcp_1902 disabled=no interface=wifi name=dhcp_1902
/interface bridge port
add bridge=trunk interface=ether1 pvid=1901
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=PROXIMUS list=WAN
add list=LAN
add list=MGT
add list=MGT
/ip address
add address=192.168.1.192/24 interface=ether2 network=192.168.1.0
add address=172.19.2.1/24 interface=wifi network=172.19.2.0
add address=172.19.1.1/24 interface=mgt network=172.19.1.0
/ip dhcp-server network
add address=172.19.1.0/24 dns-server=172.19.1.1 gateway=172.19.1.1
add address=172.19.2.0/24 dns-server=172.19.2.1 gateway=172.19.2.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=172.19.1.0/24 list=MGT
add address=172.19.2.0/24 list=LAN
/ip firewall filter
add action=fasttrack-connection chain=input comment=\
"accept established,related" connection-state=established,related \
hw-offload=yes
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=PROXIMUS \
in-interface-list=WAN protocol=icmp
add action=drop chain=input in-interface=!mgt port=22 protocol=tcp \
src-address-list=""
add action=drop chain=input comment="block everything else" in-interface=\
PROXIMUS
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat out-interface=PROXIMUS
/ip service
set telnet disabled=yes
set api disabled=yes
/system clock
set time-zone-name=Europe/Brussels
/system identity
set name=RB-01
/system package update
set channel=development
-------------------------
4: enp1s0d1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:02:c9:52:29:ad brd ff:ff:ff:ff:ff:ff
inet 172.19.1.252/24 brd 172.19.1.255 scope global noprefixroute enp1s0d1
valid_lft forever preferred_lft forever
inet6 fe80::1440:69be:8944:7821/64 scope link noprefixroute
valid_lft forever preferred_lft forever
Connecting to host 172.19.1.199, port 5201
[ 5] local 172.19.1.252 port 54936 connected to 172.19.1.199 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 1.05 GBytes 8.99 Gbits/sec 19 1.27 MBytes
[ 5] 1.00-2.00 sec 1.08 GBytes 9.30 Gbits/sec 17 607 KBytes
[ 5] 2.00-3.00 sec 1.09 GBytes 9.35 Gbits/sec 7 1.05 MBytes
[ 5] 3.00-4.00 sec 1.09 GBytes 9.32 Gbits/sec 14 1.07 MBytes
[ 5] 4.00-5.00 sec 1.09 GBytes 9.33 Gbits/sec 10 708 KBytes
[ 5] 5.00-6.00 sec 1.09 GBytes 9.32 Gbits/sec 10 1021 KBytes
[ 5] 6.00-7.00 sec 1.09 GBytes 9.32 Gbits/sec 11 1.14 MBytes
[ 5] 7.00-8.00 sec 1.09 GBytes 9.36 Gbits/sec 14 1.27 MBytes
[ 5] 8.00-9.00 sec 1.09 GBytes 9.35 Gbits/sec 15 1.15 MBytes
[ 5] 9.00-10.00 sec 1.08 GBytes 9.31 Gbits/sec 12 1.28 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 10.8 GBytes 9.30 Gbits/sec 129 sender
[ 5] 0.00-10.01 sec 10.8 GBytes 9.29 Gbits/sec receiver
iperf Done.
Connecting to host 172.19.2.199, port 5201
[ 5] local 172.19.1.252 port 45846 connected to 172.19.2.199 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 1.06 GBytes 9.10 Gbits/sec 60 468 KBytes
[ 5] 1.00-2.00 sec 1.08 GBytes 9.27 Gbits/sec 12 670 KBytes
[ 5] 2.00-3.00 sec 1.09 GBytes 9.34 Gbits/sec 16 658 KBytes
[ 5] 3.00-4.00 sec 1.09 GBytes 9.32 Gbits/sec 19 962 KBytes
[ 5] 4.00-5.00 sec 1.08 GBytes 9.30 Gbits/sec 49 913 KBytes
[ 5] 5.00-6.00 sec 1.08 GBytes 9.31 Gbits/sec 80 923 KBytes
[ 5] 6.00-7.00 sec 1.09 GBytes 9.35 Gbits/sec 53 928 KBytes
[ 5] 7.00-8.00 sec 1.09 GBytes 9.32 Gbits/sec 19 981 KBytes
[ 5] 8.00-9.00 sec 1.09 GBytes 9.35 Gbits/sec 83 1.08 MBytes
[ 5] 9.00-10.00 sec 1.09 GBytes 9.34 Gbits/sec 37 1.02 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 10.8 GBytes 9.30 Gbits/sec 428 sender
[ 5] 0.00-10.01 sec 10.8 GBytes 9.29 Gbits/sec receiver
iperf Done.
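As an added example (not part of the original post), here is a small Python model of how the posted `/ip firewall filter` rules treat a new connection, relevant to the inter-VLAN filtering question. It assumes RouterOS's behaviour of accepting a packet that reaches the end of a chain unmatched, models only the connection-state, in-interface and out-interface matchers, and treats only accept, drop and reject as terminating; the function names are hypothetical.

```python
import re
import shlex

# Constructed sample: a subset of the /ip firewall filter rules posted above.
EXPORT = r'''
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=drop chain=input comment="block everything else" in-interface=\
    PROXIMUS
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat out-interface=PROXIMUS
'''

TERMINAL = {"accept", "drop", "reject"}   # simplified: other actions fall through
IGNORED = {"action", "chain", "comment", "hw-offload"}

def parse_filter_rules(export):
    """Return the /ip firewall filter rules of an export as dicts, in order."""
    text = re.sub(r"\\\n\s*", "", export)      # join '\' continuation lines
    rules, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif section == "/ip firewall filter" and line.startswith("add "):
            rules.append(dict(t.split("=", 1) for t in shlex.split(line)[1:]))
    return rules

def matches(rule, packet):
    for key, want in rule.items():
        if key in IGNORED:
            continue
        if key not in packet:
            raise ValueError(f"matcher not modelled: {key}")
        negate, want = want.startswith("!"), want.lstrip("!")
        if (packet[key] in want.split(",")) == negate:
            return False
    return True

def verdict(rules, chain, packet):
    """First terminating action that matches, else the chain's implicit accept."""
    for rule in rules:
        if rule["chain"] == chain and rule["action"] in TERMINAL and matches(rule, packet):
            return rule["action"]
    return "accept (no rule matched)"
```

With the posted rules, a new wifi-to-mgt connection in the forward chain falls through to the implicit accept, so a DMZ-like separation needs explicit forward drop rules in both the bridge and the sfp-sfpplus1 variants.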