Specific questions:
- 'networking' uses quite some CPU as well; is that any sign of misconfiguration?
- is there a faster way to use fewer buckets for simple queues?
- are certain firewall rules notoriously slow?
My configuration:
- Firewall: 15 (filter) + 8 (NAT - srcnat + dstnat port forwarding) + 13 (mangle - for QoS) = 36 firewall rules, copied below
- Queue: 2 simple queues (1 on sfp1 up / 1 on bridge1 down) with 2x8 sub-buckets for each DSCP, copied below.
- VLAN aware network
Profile during speedtest (2 tests):
- Firewall: 9.5-16.5%
- Queueing: 11-16%
- Networking: 14-8.5%
- Ethernet: 4.5-3.5%
- Bridging: 4-2.5%
- Other: 4-2.5%
- Total: 47-49.5%
Queue config
/queue type
add kind=sfq name=sfq-default sfq-perturb=10
/queue simple
add disabled=yes max-limit=48M/48M name=sfq-default queue=\
sfq-default/sfq-default target=172.16.0.0/16
/queue tree
add comment="Uplink QoS" max-limit=48M name=QoS_sfp1 parent=sfp1 queue=\
wireless-default
add comment="Queue Priority 1" name=\
"IP Precedence 7. Network Control (Top Priority) - sfp1" packet-mark=\
ip_precedence_7 parent=QoS_sfp1 priority=1 queue=wireless-default
add comment="Queue Priority 2" name=\
"IP Precedence 6. Internetwork Control (High Priority) - sfp1" \
packet-mark=ip_precedence_6 parent=QoS_sfp1 priority=2 queue=\
wireless-default
add comment="Queue Priority 3" name=\
"IP Precedence 5. Voice (Medium-High Priority) - sfp1" packet-mark=\
ip_precedence_5 parent=QoS_sfp1 priority=3 queue=wireless-default
add comment="Queue Priority 4" name=\
"IP Precedence 4. Interactive Video (Medium Priority) - sfp1" \
packet-mark=ip_precedence_4 parent=QoS_sfp1 priority=4 queue=\
wireless-default
add comment="Queue Priority 5" name="IP Precedence 3. Critical Data or Call Si\
gnaling (Medium-Low Priority) - sfp1" packet-mark=ip_precedence_3 parent=\
QoS_sfp1 priority=5 queue=wireless-default
add comment="Queue Priority 6" name=\
"IP Precedence 0. Best Effort (Low Priority) - sfp1" packet-mark=no-mark \
parent=QoS_sfp1 priority=6 queue=wireless-default
add comment="Queue Priority 7" name=\
"IP Precedence 2. Background (Very Low Priority) - sfp1" packet-mark=\
ip_precedence_2 parent=QoS_sfp1 priority=7 queue=wireless-default
add comment="Queue Priority 8" name=\
"IP Precedence 1. Scavenger (Bottom Priority) - sfp1" packet-mark=\
ip_precedence_1 parent=QoS_sfp1 queue=wireless-default
add comment="Downlink QoS" max-limit=48M name=QoS_bridge1 parent=bridge1 \
queue=wireless-default
add comment="Queue Priority 1" name=\
"IP Precedence 7. Network Control (Top Priority) - bridge1" packet-mark=\
ip_precedence_7 parent=QoS_bridge1 priority=1 queue=wireless-default
add comment="Queue Priority 2" name=\
"IP Precedence 6. Internetwork Control (High Priority) - bridge1" \
packet-mark=ip_precedence_6 parent=QoS_bridge1 priority=2 queue=\
wireless-default
add comment="Queue Priority 3" name=\
"IP Precedence 5. Voice (Medium-High Priority) - bridge1" packet-mark=\
ip_precedence_5 parent=QoS_bridge1 priority=3 queue=wireless-default
add comment="Queue Priority 4" name=\
"IP Precedence 4. Interactive Video (Medium Priority) - bridge1" \
packet-mark=ip_precedence_4 parent=QoS_bridge1 priority=4 queue=\
wireless-default
add comment="Queue Priority 5" name="IP Precedence 3. Critical Data or Call Si\
gnaling (Medium-Low Priority) - bridge1" packet-mark=ip_precedence_3 \
parent=QoS_bridge1 priority=5 queue=wireless-default
add comment="Queue Priority 6" name=\
"IP Precedence 0. Best Effort (Low Priority) - bridge1" packet-mark=\
no-mark parent=QoS_bridge1 priority=6 queue=wireless-default
add comment="Queue Priority 7" name=\
"IP Precedence 2. Background (Very Low Priority) - bridge1" packet-mark=\
ip_precedence_2 parent=QoS_bridge1 priority=7 queue=wireless-default
add comment="Queue Priority 8" name=\
"IP Precedence 1. Scavenger (Bottom Priority) - bridge1" packet-mark=\
ip_precedence_1 parent=QoS_bridge1 queue=wireless-default
Firewall config
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow all LAN and VPN clients to access DNS" dst-port=53 protocol=udp \
src-address=192.168.0.0/16
add action=accept chain=input comment="Allow all LAN and VPN clients to access DNS" dst-port=53 protocol=tcp \
src-address=192.168.0.0/16
add action=accept chain=input comment="Allow BASE VLAN router access" in-interface-list=BASE
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Bypass fasttrack for non-zero DSCP" connection-state=established,related dscp=\
!0
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN2WAN \
out-interface-list=WAN
add action=accept chain=forward comment="Allow IoT_VLAN -> server in BASE_VLAN" connection-state=new dst-address=\
192.168.99.2 in-interface=IoT_VLAN out-interface=BASE_VLAN
add action=accept chain=forward comment="Allow BASE_VLAN -> IoT_VLAN" connection-state=new in-interface=BASE_VLAN \
out-interface=IoT_VLAN
add action=accept chain=forward comment="Allow port forwarding to network" connection-nat-state=dstnat \
connection-state=new
add action=drop chain=forward comment="Prevent logging filling up" in-interface-list=!VLAN2WAN out-interface-list=WAN
add action=drop chain=forward comment=Drop log=yes log-prefix="fwd drop"
/ip firewall mangle
add action=set-priority chain=postrouting comment="Respect DSCP tagging" new-priority=from-dscp-high-3-bits \
passthrough=yes
add action=set-priority chain=postrouting comment="Prioritize ACKs" new-priority=6 packet-size=0-123 passthrough=yes \
protocol=tcp tcp-flags=ack
add action=accept chain=postrouting comment=\
"IP Precedence (aka Packet Priority) 0 - Best Effort (Low Priority) (default)" priority=0
add action=mark-packet chain=postrouting comment=\
"IP Precedence (aka Packet Priority) 1 - Scavenger (Bottom Priority) (apply packet mark ip_precedence_1)" \
new-packet-mark=ip_precedence_1 passthrough=no priority=1
add action=mark-packet chain=postrouting comment=\
"IP Precedence (aka Packet Priority) 2 - Background (Very Low Priority) (apply packet mark ip_precedence_2)" \
new-packet-mark=ip_precedence_2 passthrough=no priority=2
add action=mark-packet chain=postrouting comment="IP Precedence (aka Packet Priority) 3 - Critical Data or Call Signalin\
g (Medium-Low Priority) (apply packet mark ip_precedence_3)" new-packet-mark=ip_precedence_3 passthrough=no \
priority=3
add action=mark-packet chain=postrouting comment=\
"IP Precedence (aka Packet Priority) 4 - Interactive Video (Medium Priority) (apply packet mark ip_precedence_4)" \
new-packet-mark=ip_precedence_4 passthrough=no priority=4
add action=mark-packet chain=postrouting comment=\
"IP Precedence (aka Packet Priority) 5 - Voice (Medium-High Priority) (apply packet mark ip_precedence_5)" \
new-packet-mark=ip_precedence_5 passthrough=no priority=5
add action=mark-packet chain=postrouting comment=\
"IP Precedence (aka Packet Priority) 6 - Internetwork Control (High Priority) (apply packet mark ip_precedence_6)" \
new-packet-mark=ip_precedence_6 passthrough=no priority=6
add action=mark-packet chain=postrouting comment=\
"IP Precedence (aka Packet Priority) 7 - Network Control (Top Priority) (apply packet mark ip_precedence_7)" \
new-packet-mark=ip_precedence_7 passthrough=no priority=7
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT https://www.steveocee.co.uk/mikrotik/hairpin-nat/" dst-address=\
192.168.0.0/16 src-address=192.168.0.0/16
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Forward HTTPS from WAN to server" dst-port=443 in-interface=WAN_VLAN \
protocol=tcp to-addresses=192.168.99.2
add action=dst-nat chain=dstnat comment="Forward HTTP from WAN to server" dst-port=80 in-interface=WAN_VLAN protocol=\
tcp to-addresses=192.168.99.2 to-ports=9080
add action=dst-nat chain=dstnat comment="Forward SSH from WAN to server" dst-port=10022 in-interface=WAN_VLAN \
protocol=tcp to-addresses=192.168.99.2 to-ports=22
add action=dst-nat chain=dstnat comment="Forward MQTT(S) from WAN to server" dst-port=8883 in-interface=WAN_VLAN \
protocol=tcp to-addresses=192.168.99.2 to-ports=1883
add action=dst-nat chain=dstnat comment="Forward IKE (UDP 500) from WAN to server" dst-port=500 in-interface=WAN_VLAN \
protocol=udp to-addresses=192.168.99.2
add action=dst-nat chain=dstnat comment="Forward IPsec NAT-T (UDP 4500) from WAN to server" dst-port=4500 \
in-interface=WAN_VLAN protocol=udp to-addresses=192.168.99.2
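The mangle chain above trusts whatever DSCP a packet arrives with: `set-priority new-priority=from-dscp-high-3-bits` runs for every interface, and the forward rule `connection-state=established,related dscp=!0` accepts marked traffic before the `fasttrack-connection` rule. Both facts are worth seeing side by side, because a host on the IoT VLAN that sets CS7 on its own packets gets the "Network Control" queue and also pulls its connection off fasttrack (more of the "Firewall" and "Queueing" CPU shown in the profile). The script below is an added example, not code from the original post or from MikroTik; it replays the posted rule order on a few constructed packets. The interface names come from the post; `TRUSTED_DSCP_IFACES` and the `zero_untrusted_dscp()` step are a hypothetical hardening (the equivalent of a prerouting `action=change-dscp new-dscp=0` rule on untrusted interfaces) that is not in the posted config. The model follows the documented RouterOS behaviour that fasttracked packets skip the firewall, including mangle, so they always end up in the `no-mark` child of the queue tree.

```python
"""Replay the posted mangle + fasttrack decisions on constructed packets.

Added example; not part of the original post. Interface names are the
post's, TRUSTED_DSCP_IFACES and zero_untrusted_dscp() are assumptions.
"""
from dataclasses import dataclass

# packet-mark that the queue-tree children match on, indexed by priority 0..7
MARK_FOR_PRIORITY = {
    0: "no-mark",          # "accept ... priority=0": no packet mark applied
    1: "ip_precedence_1",
    2: "ip_precedence_2",
    3: "ip_precedence_3",
    4: "ip_precedence_4",
    5: "ip_precedence_5",
    6: "ip_precedence_6",
    7: "ip_precedence_7",
}

# assumption: only the BASE VLAN may keep the DSCP it sets itself
TRUSTED_DSCP_IFACES = {"BASE_VLAN"}


@dataclass
class Packet:
    in_iface: str             # ingress interface, e.g. "IoT_VLAN"
    proto: str                # "tcp" or "udp"
    size: int                 # IP packet size in bytes
    dscp: int                 # 6-bit DSCP value (0..63)
    tcp_ack: bool = False     # TCP ACK flag set
    established: bool = True  # connection-state=established,related


def zero_untrusted_dscp(pkt: Packet) -> int:
    """Hypothetical hardening rule (not in the post): re-mark DSCP to 0 unless
    the ingress interface is trusted. Returns the DSCP the chain then sees."""
    return pkt.dscp if pkt.in_iface in TRUSTED_DSCP_IFACES else 0


def mangle_priority(pkt: Packet, dscp: int) -> int:
    """Posted postrouting rules 1-2, in order (both passthrough=yes)."""
    prio = dscp >> 3  # new-priority=from-dscp-high-3-bits
    # "Prioritize ACKs": small TCP packets with ACK set override the DSCP value
    if pkt.proto == "tcp" and pkt.tcp_ack and 0 <= pkt.size <= 123:
        prio = 6
    return prio


def queue_mark(pkt: Packet, harden: bool = False) -> str:
    """Packet mark the mangle chain would apply (queue-tree child)."""
    dscp = zero_untrusted_dscp(pkt) if harden else pkt.dscp
    return MARK_FOR_PRIORITY[mangle_priority(pkt, dscp)]


def fasttracked(pkt: Packet, harden: bool = False) -> bool:
    """Posted forward chain: established/related traffic with non-zero DSCP is
    accepted *before* fasttrack-connection, so only DSCP 0 traffic goes fast.
    Modeled per packet; on the router the state sticks to the connection."""
    if not pkt.established:
        return False
    dscp = zero_untrusted_dscp(pkt) if harden else pkt.dscp
    return dscp == 0


def effective_mark(pkt: Packet, harden: bool = False) -> str:
    """Queue-tree child the packet really lands in: fasttracked packets bypass
    the firewall (mangle included), so they carry no mark at all."""
    if fasttracked(pkt, harden):
        return "no-mark"
    return queue_mark(pkt, harden)


# constructed sample traffic
IOT_CS7_BULK = Packet("IoT_VLAN", "udp", 1400, dscp=56)          # CS7 set by an IoT device
BASE_EF_VOICE = Packet("BASE_VLAN", "udp", 200, dscp=46)         # EF from the trusted VLAN
TINY_ACK = Packet("IoT_VLAN", "tcp", 60, dscp=0, tcp_ack=True)   # pure TCP ACK
PLAIN_BULK = Packet("IoT_VLAN", "tcp", 1500, dscp=0, tcp_ack=True)

if __name__ == "__main__":
    for name, pkt in [("iot cs7", IOT_CS7_BULK), ("base ef", BASE_EF_VOICE),
                      ("tiny ack", TINY_ACK), ("plain bulk", PLAIN_BULK)]:
        print(f"{name:10} posted: {effective_mark(pkt):16} fasttrack={fasttracked(pkt)!s:5}"
              f" | hardened: {effective_mark(pkt, True):16} fasttrack={fasttracked(pkt, True)}")
```

Two things the replay makes visible: the IoT packet with CS7 lands in the top-priority child and stays on the slow path as posted, but is fasttracked and demoted to `no-mark` once untrusted DSCP is zeroed; and the "Prioritize ACKs" rule never fires for a fasttracked connection, because those packets do not traverse mangle, so it only helps flows that are already off the fast path.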