Spe
just joined
Topic Author
Posts: 7
Joined: Sun Jun 28, 2020 4:15 pm

Is 50% CPU @ 50 Mbps reasonable for RB2011 firewall/NAT/queue?

Sat Jun 26, 2021 11:37 am

I'm a happy user of the RB2011, but I'm wondering if my performance is reasonable. I have a 50/50 internet connection, and while testing (e.g. fast.com or dslreports.com) the router uses 50% CPU, such that max speed would be ~100 Mbps @ 100%. Is this expected RB2011 NAT-firewall-queue performance, or am I making some rookie mistakes? It's currently not a problem, but I'm thinking of upgrading the ISP plan to 100 Mbps and I don't want my router to be the bottleneck 🙂

Specific questions:
  1. 'networking' uses quite some CPU as well, is that any sign of misconfiguration?
  2. is there a faster way to use fewer buckets for simple queues?
  3. are certain firewall rules notoriously slow?

My configuration:
  • Firewall: 15 (filter) + 8 (NAT - srcnat + dstnat port forwarding) + 13 (mangle - for QoS) = 36 firewall rules, copied below
  • Queue: 2 simple queues (1 on sfp1 up/ 1 on bridge1 down) with 2x8 sub-buckets for each DSCP, copied below.
  • VLAN aware network

Profile during speedtest (2 tests):
  • Firewall: 9.5-16.5%
  • Queueing: 11-16%
  • Networking: 14-8.5%
  • Ethernet: 4.5-3.5%
  • Bridging: 4-2.5%
  • Other: 4-2.5%
  • Total: 47-49.5%

Queue config
/queue type
add kind=sfq name=sfq-default sfq-perturb=10
/queue simple
add disabled=yes max-limit=48M/48M name=sfq-default queue=\
    sfq-default/sfq-default target=172.16.0.0/16
/queue tree
add comment="Uplink QoS" max-limit=48M name=QoS_sfp1 parent=sfp1 queue=\
    wireless-default
add comment="Queue Priority 1" name=\
    "IP Precedence 7. Network Control (Top Priority) - sfp1" packet-mark=\
    ip_precedence_7 parent=QoS_sfp1 priority=1 queue=wireless-default
add comment="Queue Priority 2" name=\
    "IP Precedence 6. Internetwork Control (High Priority) - sfp1" \
    packet-mark=ip_precedence_6 parent=QoS_sfp1 priority=2 queue=\
    wireless-default
add comment="Queue Priority 3" name=\
    "IP Precedence 5. Voice (Medium-High Priority) - sfp1" packet-mark=\
    ip_precedence_5 parent=QoS_sfp1 priority=3 queue=wireless-default
add comment="Queue Priority 4" name=\
    "IP Precedence 4. Interactive Video (Medium Priority) - sfp1" \
    packet-mark=ip_precedence_4 parent=QoS_sfp1 priority=4 queue=\
    wireless-default
add comment="Queue Priority 5" name="IP Precedence 3. Critical Data or Call Si\
    gnaling (Medium-Low Priority) - sfp1" packet-mark=ip_precedence_3 parent=\
    QoS_sfp1 priority=5 queue=wireless-default
add comment="Queue Priority 6" name=\
    "IP Precedence 0. Best Effort (Low Priority) - sfp1" packet-mark=no-mark \
    parent=QoS_sfp1 priority=6 queue=wireless-default
add comment="Queue Priority 7" name=\
    "IP Precedence 2. Background (Very Low Priority) - sfp1" packet-mark=\
    ip_precedence_2 parent=QoS_sfp1 priority=7 queue=wireless-default
add comment="Queue Priority 8" name=\
    "IP Precedence 1. Scavenger (Bottom Priority) - sfp1" packet-mark=\
    ip_precedence_1 parent=QoS_sfp1 queue=wireless-default
add comment="Downlink QoS" max-limit=48M name=QoS_bridge1 parent=bridge1 \
    queue=wireless-default
add comment="Queue Priority 1" name=\
    "IP Precedence 7. Network Control (Top Priority) - bridge1" packet-mark=\
    ip_precedence_7 parent=QoS_bridge1 priority=1 queue=wireless-default
add comment="Queue Priority 2" name=\
    "IP Precedence 6. Internetwork Control (High Priority) - bridge1" \
    packet-mark=ip_precedence_6 parent=QoS_bridge1 priority=2 queue=\
    wireless-default
add comment="Queue Priority 3" name=\
    "IP Precedence 5. Voice (Medium-High Priority) - bridge1" packet-mark=\
    ip_precedence_5 parent=QoS_bridge1 priority=3 queue=wireless-default
add comment="Queue Priority 4" name=\
    "IP Precedence 4. Interactive Video (Medium Priority) - bridge1" \
    packet-mark=ip_precedence_4 parent=QoS_bridge1 priority=4 queue=\
    wireless-default
add comment="Queue Priority 5" name="IP Precedence 3. Critical Data or Call Si\
    gnaling (Medium-Low Priority) - bridge1" packet-mark=ip_precedence_3 \
    parent=QoS_bridge1 priority=5 queue=wireless-default
add comment="Queue Priority 6" name=\
    "IP Precedence 0. Best Effort (Low Priority) - bridge1" packet-mark=\
    no-mark parent=QoS_bridge1 priority=6 queue=wireless-default
add comment="Queue Priority 7" name=\
    "IP Precedence 2. Background (Very Low Priority) - bridge1" packet-mark=\
    ip_precedence_2 parent=QoS_bridge1 priority=7 queue=wireless-default
add comment="Queue Priority 8" name=\
    "IP Precedence 1. Scavenger (Bottom Priority) - bridge1" packet-mark=\
    ip_precedence_1 parent=QoS_bridge1 queue=wireless-default
Firewall config
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow all LAN and VPN clients to access DNS" dst-port=53 protocol=udp \
    src-address=192.168.0.0/16
add action=accept chain=input comment="Allow all LAN and VPN clients to access DNS" dst-port=53 protocol=tcp \
    src-address=192.168.0.0/16
add action=accept chain=input comment="Allow BASE VLAN router access" in-interface-list=BASE
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Bypass fasttrack for non-zero DSCP" connection-state=established,related dscp=\
    !0
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN2WAN \
    out-interface-list=WAN
add action=accept chain=forward comment="Allow IoT_VLAN -> server in BASE_VLAN" connection-state=new dst-address=\
    192.168.99.2 in-interface=IoT_VLAN out-interface=BASE_VLAN
add action=accept chain=forward comment="Allow BASE_VLAN -> IoT_VLAN" connection-state=new in-interface=BASE_VLAN \
    out-interface=IoT_VLAN
add action=accept chain=forward comment="Allow port forwarding to network" connection-nat-state=dstnat \
    connection-state=new
add action=drop chain=forward comment="Prevent logging filling up" in-interface-list=!VLAN2WAN out-interface-list=WAN
add action=drop chain=forward comment=Drop log=yes log-prefix="fwd drop"

/ip firewall mangle
add action=set-priority chain=postrouting comment="Respect DSCP tagging" new-priority=from-dscp-high-3-bits \
    passthrough=yes
add action=set-priority chain=postrouting comment="Prioritize ACKs" new-priority=6 packet-size=0-123 passthrough=yes \
    protocol=tcp tcp-flags=ack
add action=accept chain=postrouting comment=\
    "IP Precedence (aka Packet Priority) 0 - Best Effort (Low Priority) (default)" priority=0
add action=mark-packet chain=postrouting comment=\
    "IP Precedence (aka Packet Priority) 1 - Scavenger (Bottom Priority) (apply packet mark ip_precedence_1)" \
    new-packet-mark=ip_precedence_1 passthrough=no priority=1
add action=mark-packet chain=postrouting comment=\
    "IP Precedence (aka Packet Priority) 2 - Background (Very Low Priority) (apply packet mark ip_precedence_2)" \
    new-packet-mark=ip_precedence_2 passthrough=no priority=2
add action=mark-packet chain=postrouting comment="IP Precedence (aka Packet Priority) 3 - Critical Data or Call Signalin\
    g (Medium-Low Priority) (apply packet mark ip_precedence_3)" new-packet-mark=ip_precedence_3 passthrough=no \
    priority=3
add action=mark-packet chain=postrouting comment=\
    "IP Precedence (aka Packet Priority) 4 - Interactive Video (Medium Priority) (apply packet mark ip_precedence_4)" \
    new-packet-mark=ip_precedence_4 passthrough=no priority=4
add action=mark-packet chain=postrouting comment=\
    "IP Precedence (aka Packet Priority) 5 - Voice (Medium-High Priority) (apply packet mark ip_precedence_5)" \
    new-packet-mark=ip_precedence_5 passthrough=no priority=5
add action=mark-packet chain=postrouting comment=\
    "IP Precedence (aka Packet Priority) 6 - Internetwork Control (High Priority) (apply packet mark ip_precedence_6)" \
    new-packet-mark=ip_precedence_6 passthrough=no priority=6
add action=mark-packet chain=postrouting comment=\
    "IP Precedence (aka Packet Priority) 7 - Network Control (Top Priority) (apply packet mark ip_precedence_7)" \
    new-packet-mark=ip_precedence_7 passthrough=no priority=7

/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT https://www.steveocee.co.uk/mikrotik/hairpin-nat/" dst-address=\
    192.168.0.0/16 src-address=192.168.0.0/16
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Forward HTTPS from WAN to server" dst-port=443 in-interface=WAN_VLAN \
    protocol=tcp to-addresses=192.168.99.2
add action=dst-nat chain=dstnat comment="Forward HTTP from WAN to server" dst-port=80 in-interface=WAN_VLAN protocol=\
    tcp to-addresses=192.168.99.2 to-ports=9080
add action=dst-nat chain=dstnat comment="Forward SSH from WAN to server" dst-port=10022 in-interface=WAN_VLAN \
    protocol=tcp to-addresses=192.168.99.2 to-ports=22
add action=dst-nat chain=dstnat comment="Forward MQTT(S) from WAN to server" dst-port=8883 in-interface=WAN_VLAN \
    protocol=tcp to-addresses=192.168.99.2 to-ports=1883
add action=dst-nat chain=dstnat comment="Forward IKEv2 (IKE, UDP 500) from WAN to server" dst-port=500 in-interface=WAN_VLAN \
    protocol=udp to-addresses=192.168.99.2
add action=dst-nat chain=dstnat comment="Forward IKEv2 NAT-T (IKE/ESP-in-UDP, UDP 4500) from WAN to server" dst-port=4500 \
    in-interface=WAN_VLAN protocol=udp to-addresses=192.168.99.2
Thanks!
 
Cablenut9
Long time Member
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: Is 50% CPU @ 50 Mbps reasonable for RB2011 firewall/NAT/queue?

Sat Jun 26, 2021 4:14 pm

The fix is to just switch to the RB4011 which is literally orders of magnitude more powerful and a lot newer than the RB2011.
 
Paternot
Forum Veteran
Posts: 953
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Is 50% CPU @ 50 Mbps reasonable for RB2011 firewall/NAT/queue?

Sat Jun 26, 2021 6:13 pm

Seems reasonable. You have 36 firewall rules, no fast path, and use queues. An upgrade may be in order.

The RB4011, already mentioned here, will do it without even noticing. (https://mikrotik.com/product/rb4011igs_rm)
If You want something cheaper, You could get the hAP AC2 or hAP AC3 - they are almost the same, but not quite.

The AC2 is cheaper and will not get all the wireless benefits from the RoS V7. (https://mikrotik.com/product/hap_ac2)
The AC3 costs more, but will get the wireless benefits from RoS V7 - and its storage and RAM are bigger too. (https://mikrotik.com/product/hap_ac3)

They are slower than the RB4011, and have only 5 ethernet ports total. But one of them costs US$ 69 and the other US$ 99. The RB4011 goes for US$ 199. All of them should be able to do more than 300 Mbps easily.
 
Spe
just joined
Topic Author
Posts: 7
Joined: Sun Jun 28, 2020 4:15 pm

Re: Is 50% CPU @ 50 Mbps reasonable for RB2011 firewall/NAT/queue?

Sun Jun 27, 2021 9:46 am

Thanks for the quick replies! I remember having trouble with fastpath/fasttrack because queues are not supported. Is that correct? Is there a way to implement it?

I was indeed considering 3011 or 4011, but was hoping to tweak my config a bit before having to upgrade :)
 
Paternot
Forum Veteran
Posts: 953
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Is 50% CPU @ 50 Mbps reasonable for RB2011 firewall/NAT/queue?

Sun Jun 27, 2021 2:40 pm

No, You can't use queues and fastpath at the same time.
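A note added by the editor, not part of any post in this thread: on RouterOS v6, FastTrack is decided per connection, not per router. A packet that belongs to a fasttracked connection bypasses mangle and the queue tree entirely, while a connection that never hits the fasttrack-connection rule (such as one accepted earlier by the "dscp=!0" rule in the config posted above) stays in the slow path and is shaped normally. So the two can coexist in one config; the cost is that only non-fasttracked flows can be prioritised, and the bulk speedtest flow (DSCP 0) should be the one that gets fasttracked. The commands below are an added diagnostic sequence for checking which flows are actually taking which path; they assume the filter rules exactly as posted above and use only standard RouterOS v6 print commands.

```routeros
# Added example (editor's, not from the thread): confirm that FastTrack is active
# and see which connections the queue tree can still see. Run during a speedtest.

# 1. Global switches and counters. Both "active" fields should read yes and the
#    fasttrack packet/byte counters should rise while the test runs.
/ip settings print
#    ipv4-fast-path-active, ipv4-fast-path-packets, ipv4-fast-path-bytes,
#    ipv4-fasttrack-active, ipv4-fasttrack-packets, ipv4-fasttrack-bytes

# 2. Rule hit counters. If the "dscp=!0" accept rule grows as fast as the
#    fasttrack rule, the speedtest traffic is carrying a non-zero DSCP and is
#    being kept in the slow path (firewall + mangle + queue on every packet).
/ip firewall filter print stats where chain=forward

# 3. Per-connection view. Entries flagged F (fasttrack=yes) bypass mangle and
#    queues; only the fasttrack=no entries can be shaped by the queue tree.
/ip firewall connection print where fasttrack=yes
/ip firewall connection print where fasttrack=no

# 4. The queue tree should show bytes only for the DSCP-marked (non-fasttracked)
#    children, and the parent should stay well below its 48M max-limit under a
#    DSCP-0 speedtest.
/queue tree print stats

# 5. Re-run the CPU profile for a fixed window and compare the firewall /
#    queueing / networking split with the figures in the first post.
/tool profile duration=10
```

If step 2 shows the fasttrack rule barely counting while step 5 still shows "firewall" and "queueing" near the top, nothing is being fasttracked and the router is doing full per-packet processing for every flow, which is the case the RB2011 CPU numbers in the first post are consistent with. If the fasttrack counters do climb, the remaining CPU is spent on the DSCP-marked flows plus the bridge/VLAN path, and the queue tweaks in the original question will not move it much.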
 
Spe
just joined
Topic Author
Posts: 7
Joined: Sun Jun 28, 2020 4:15 pm

Re: Is 50% CPU @ 50 Mbps reasonable for RB2011 firewall/NAT/queue?

Mon Jun 28, 2021 4:22 pm

OK, clear, thanks @Paternot :)
