ffries
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

CCR2004-1G-12S+2XS slow NAT performance [Fixed]

Tue Aug 31, 2021 2:10 pm

[Please read carefully. I don't have enough hardware to really test bandwidth, so at some point I stopped investigating. I am very satisfied with Mikrotik hardware].

Dear all,

First I would like to thank Mikrotik and the community for these nice products.
I purchased a couple of Mikrotik products for my home lab (I am not a professional) :
1 x CCR2004-1G-12S+2XS
1 x CRS326-24G-2S
1 x CRS305-1G-4S+IN

Here are my questions :
* How can I disconnect from webfig?
* Is Mikrotik bootloader secure and signed?
* Are Mikrotik packages signed when downloading and upgrading?
* Is Mikrotik software open-source and reviewed by the community (Github like)?

Kind regards,
French Fries
Last edited by ffries on Thu Oct 28, 2021 1:31 pm, edited 5 times in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New to Mikrotik: a few questions

Tue Aug 31, 2021 3:44 pm

1. don't use webconfig, I use winbox
2. bootloader, no idea what that is, I get stuff straight from their website, so assuming it's Latvian super protected.
3. packages signed........... no idea, I get stuff straight from their website, I certainly don't have to sign anything to get them.
4. Open source, no friggen way. RouterOS is proprietary, only Normis and Putin have that access. ;-)
If such a fraidy cat, suggest you go pfsense

Okay being a tad sarcastic, but only because I have zero interest in answering that type of question AFTER a purchase.
If this had been, I am thinking to get MT but would like some information first, that would have deserved a straight answer.
Also how do you know they are excellent products if not used yet??
I prefer tators anyway.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: New to Mikrotik: a few questions

Tue Aug 31, 2021 5:01 pm

Disconnect from WebFig: there's an icon (kind of a blue left arrow on brownish background) in the upper right corner of page which causes you to log out.

Is bootloader secure and signed: Bootloader is included inside RouterOS install images. If one deems ROS install package to be safe, then one doesn't have to care about security of bootloader.

Are mikrotik packages signed: I can only guess. File format (.npk) is more or less proprietary. When ROS reads them, they do perform some checking (if package is corrupt, installation mostly fails with appropriate error message). How easy is it to construct a custom package which includes malware? That's everybody's guess. Only support@mikrotik.com could answer this question with confidence.

Is mikrotik software opensource: No, ROS is closed source.

@anav: I answered the questions despite having gut feeling that the post is a smartly disguised troll.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New to Mikrotik: a few questions

Tue Aug 31, 2021 6:50 pm

Haha okay,

In that case I will redirect your questions and ask the op to contact NORMIS at the following address
WELETANYTWAT@ONMTFORUMS.STEWPID
 
ffries
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: New to Mikrotik: a few questions

Tue Aug 31, 2021 7:36 pm

Thank you for your answers.
All I read is guesses, if you don't know I will contact support and ask.

Don't tell Putin has access to a Latvian router, Latvia is part of the EU. This is one reason why I am supporting Mikrotik : this is a European company and I don't want to invest into foreign products (I am French and France is part of the EU). Same Country.

I am also switching from OPNsense to Mikrotik because of hardware acceleration and I need to go 10gb and I don't want to use a computer as router.
From my point of view, ROS is based on Linux as most routers, switches and firewalls are (except Cisco which has its own OS).

My home lab has several VLANs and I am wondering how to filter inter VLAN traffic on 10Gb lines, these are my needs.
I will get back to you when I reach this point.

Thanks for Webfig.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New to Mikrotik: a few questions

Tue Aug 31, 2021 9:31 pm

Good to know, here is one excellent reference for setting up vlans on Router OS.
Although for 10G networks and switches there is another way to configure vlans.

REF for vlan filtering
viewtopic.php?f=23&t=143620

Ref for switch chip method.
https://www.youtube.com/watch?v=Rj9aPoyZOPo

Gluck!
 
ffries
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: New to Mikrotik: a few questions

Fri Sep 03, 2021 10:35 pm

Thanks. Will test.

One question : I did a simple test in router mode with NAT between a 10Gb LAN and 10Gb WAN and output is only 500Mb/s. What is wrong with NAT?

FF
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: New to Mikrotik: a few questions

Sat Sep 04, 2021 12:10 am

There is nothing wrong with NAT ;-)
What device is performing the NAT ? CCR ? CRS ?
 
ffries
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: New to Mikrotik: a few questions

Sat Sep 04, 2021 2:00 am

Thanks. I am testing the CCR2004 first:
Here is my configuration:

/interface bridge
add name=bridge1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.90.21.100-10.90.21.200
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=main
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus2
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=all wan-interface-list=all
/interface l2tp-server server
set l2tpv3-circuit-id="" l2tpv3-cookie-length=0 l2tpv3-digest-hash=md5
/interface list member
add interface=sfp-sfpplus1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1 network=192.168.88.0
add address=10.90.21.254/24 interface=bridge1 network=10.90.21.0
/ip dhcp-client
add interface=sfp-sfpplus1
/ip dhcp-server network
add address=10.90.21.0/24 dns-server=192.168.1.254 gateway=10.90.21.254 netmask=24 ntp-server=192.168.1.254
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip ssh
set host-key-size=4096
/system clock
set time-zone-name=Europe/Paris
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New to Mikrotik: a few questions

Sat Sep 04, 2021 3:19 am

Without context, not helpful
Need network diagram to show the relationship ahead, behind, and in line with the device.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: New to Mikrotik: a few questions

Sat Sep 04, 2021 8:33 am

How did you perform this "test" ? What is the traffic-pattern ? (1 client/IP or some traffic generator sourcing from 100's of different source IP's ?, packet sizes etc)
So by 500Mb/s you mean "500 megabits per second" right ? ( which is indeed not much for a box like CCR2004)

During NAT, can you provide info on the CPU-utilisation ?

https://wiki.mikrotik.com/wiki/Manual:Tools/Profiler
 
ffries
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: New to Mikrotik: a few questions

Sat Sep 04, 2021 9:49 am

Thank you.

Network pattern:
* RouterOS 7.x latest, with eth1 network admin
* sfp+ 1: WAN connected to 2.5 Gb ethernet connector of fiber line (speed is 2.5Gb)
* sfp+ 2: bridge 10.90.21.254 with one port providing DHCP 10.90.21.x (tested with 1Gb and 5Gb, same results).
* Fiber box providing DNS
* NAT

Gb = Gigabit

I can browse the Internet connecting to sfp+ 2.
I did not perform a precise iperf3 test, only a speedtest.
Speed with NAT is around 500Gb/s.
Direct connection to fiber box gives maximum speed.

/tool profile
Columns: NAME, USAGE
NAME          USAGE
www           0%   
ethernet      2.8% 
console       0%   
firewall      2.5% 
networking    5.1% 
management    0%   
routing       1%   
profiling     0%   
bridging     0.7% 
unclassified  2.3%

iperf3 -p 9225 -c iperf.par2.as49434.net
Connecting to host iperf.par2.as49434.net, port 9225
[  5] local 10.90.21.200 port 36218 connected to 193.177.162.41 port 9225
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  82.9 MBytes   695 Mbits/sec    0   3.00 MBytes       
[  5]   1.00-2.00   sec  80.0 MBytes   671 Mbits/sec    0   3.00 MBytes       
[  5]   2.00-3.00   sec  80.0 MBytes   671 Mbits/sec    3   1.56 MBytes       
[  5]   3.00-4.00   sec  80.0 MBytes   671 Mbits/sec    0   1.65 MBytes       
[  5]   4.00-5.00   sec  80.0 MBytes   671 Mbits/sec    0   1.72 MBytes       
[  5]   5.00-6.00   sec  80.0 MBytes   671 Mbits/sec    0   1.77 MBytes       
[  5]   6.00-7.00   sec  80.0 MBytes   671 Mbits/sec    1   1.58 MBytes       
[  5]   7.00-8.00   sec  81.2 MBytes   682 Mbits/sec    0   1.35 MBytes       
[  5]   8.00-9.00   sec  80.0 MBytes   671 Mbits/sec    0   1.42 MBytes       
[  5]   9.00-10.00  sec  80.0 MBytes   671 Mbits/sec    0   1.46 MBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec   804 MBytes   675 Mbits/sec    4             sender
[  5]   0.00-10.02  sec   802 MBytes   672 Mbits/sec                  receiver

iperf Done.

There must be something wrong in my config as Hardware spec is much higher.

Same results when using two threads:

iperf3 -P2 -p 9225 -c iperf.par2.as49434.net
Connecting to host iperf.par2.as49434.net, port 9225
[  5] local 10.90.21.200 port 36278 connected to 193.177.162.41 port 9225
[  7] local 10.90.21.200 port 36280 connected to 193.177.162.41 port 9225
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  47.0 MBytes   394 Mbits/sec   48   1.27 MBytes       
[  7]   0.00-1.00   sec  39.0 MBytes   327 Mbits/sec   84   1.02 MBytes       
[SUM]   0.00-1.00   sec  86.0 MBytes   721 Mbits/sec  132             
- - - - - - - - - - - - - - - - - - - - - - - - -
[  5]   1.00-2.00   sec  43.8 MBytes   367 Mbits/sec    1   1004 KBytes       
[  7]   1.00-2.00   sec  37.5 MBytes   315 Mbits/sec    0   1.14 MBytes       
[SUM]   1.00-2.00   sec  81.2 MBytes   682 Mbits/sec    1             
- - - - - - - - - - - - - - - - - - - - - - - - -
[  5]   2.00-3.00   sec  31.2 MBytes   262 Mbits/sec    1    761 KBytes       
[  7]   2.00-3.00   sec  48.8 MBytes   409 Mbits/sec    0   1.23 MBytes       
[SUM]   2.00-3.00   sec  80.0 MBytes   671 Mbits/sec    1             
- - - - - - - - - - - - - - - - - - - - - - - - -
[  5]   3.00-4.00   sec  30.0 MBytes   252 Mbits/sec    0    806 KBytes       
[  7]   3.00-4.00   sec  50.0 MBytes   419 Mbits/sec    0   1.30 MBytes       
[SUM]   3.00-4.00   sec  80.0 MBytes   671 Mbits/sec    0             
- - - - - - - - - - - - - - - - - - - - - - - - -
[  5]   4.00-5.00   sec  30.0 MBytes   252 Mbits/sec    1    592 KBytes       
[  7]   4.00-5.00   sec  51.2 MBytes   430 Mbits/sec    2    979 KBytes       
[SUM]   4.00-5.00   sec  81.2 MBytes   682 Mbits/sec    3             
- - - - - - - - - - - - - - - - - - - - - - - - -
[  5]   5.00-6.00   sec  30.0 MBytes   252 Mbits/sec    0    641 KBytes       
[  7]   5.00-6.00   sec  50.0 MBytes   419 Mbits/sec    0   1.02 MBytes       
[SUM]   5.00-6.00   sec  80.0 MBytes   671 Mbits/sec    0             
- - - - - - - - - - - - - - - - - - - - - - - - -
[  5]   6.00-7.00   sec  33.8 MBytes   283 Mbits/sec    0    672 KBytes       
[  7]   6.00-7.00   sec  46.2 MBytes   388 Mbits/sec    2    785 KBytes       
[SUM]   6.00-7.00   sec  80.0 MBytes   671 Mbits/sec    2             
- - - - - - - - - - - - - - - - - - - - - - - - -
[  5]   7.00-8.00   sec  31.2 MBytes   262 Mbits/sec    1    512 KBytes       
[  7]   7.00-8.00   sec  48.8 MBytes   409 Mbits/sec    0    839 KBytes       
[SUM]   7.00-8.00   sec  80.0 MBytes   671 Mbits/sec    1             
- - - - - - - - - - - - - - - - - - - - - - - - -
[  5]   8.00-9.00   sec  30.0 MBytes   252 Mbits/sec    0    554 KBytes       
[  7]   8.00-9.00   sec  50.0 MBytes   419 Mbits/sec    0    874 KBytes       
[SUM]   8.00-9.00   sec  80.0 MBytes   671 Mbits/sec    0             
- - - - - - - - - - - - - - - - - - - - - - - - -
[  5]   9.00-10.00  sec  32.5 MBytes   273 Mbits/sec    0    597 KBytes       
[  7]   9.00-10.00  sec  47.5 MBytes   398 Mbits/sec    0    897 KBytes       
[SUM]   9.00-10.00  sec  80.0 MBytes   671 Mbits/sec    0             
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec   339 MBytes   285 Mbits/sec   52             sender
[  5]   0.00-10.02  sec   336 MBytes   282 Mbits/sec                  receiver
[  7]   0.00-10.00  sec   469 MBytes   393 Mbits/sec   88             sender
[  7]   0.00-10.02  sec   467 MBytes   391 Mbits/sec                  receiver
[SUM]   0.00-10.00  sec   809 MBytes   678 Mbits/sec  140             sender
[SUM]   0.00-10.02  sec   804 MBytes   673 Mbits/sec                  receiver
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: New to Mikrotik: a few questions

Sat Sep 04, 2021 10:38 am

NAT is done by the CPU, all packets must be modified and recalculated.
Both CRS can do at most nearly 600Mbit/s of NAT traffic, because they are mainly switches, not routers.
Instead, the CCR can achieve a NAT speed of nearly 4,5Gbit/s

If you need 10Gbit/s NAT speed, you must buy at least one CCR1036.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New to Mikrotik: a few questions

Sat Sep 04, 2021 1:28 pm

He is testing with a CCR2004, I believe that has plenty of juice for NAT..at least 5gigs worth and 1500 for ipsec..........
 
ffries
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: New to Mikrotik: a few questions

Sat Sep 04, 2021 7:09 pm

Maybe I should use VLANs to have LAN and WAN on the bridge so I can use switch hardware offloading?
However,

/interface ethernet switch print
Columns: NAME, TYPE, L3-HW-OFFLOADING
# NAME     TYPE              L3-HW-OFFLOADING
0 switch1  Marvell-98PX1012  no   
 
ffries
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: New to Mikrotik: a few questions

Sat Sep 04, 2021 7:24 pm

I don't see any solution to reach 10Mbit/s routing as per spec.
For sure, I am quite surprised by the lack of hardware offloading of firewall rules and switching.

The router has sfp+ interfaces, there must be something that I don't understand.
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: CCR2004-1G-12S+2XS slow NAT performance

Sat Sep 04, 2021 7:46 pm

You could enable fasttrack, it works for NAT as well. CCR should handle gigabit with ease without it, but may be worth trying out.

/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related

Also, disable internet-detect. It is rather useless and unpredictable (adds dynamic dhcp client etc..).

/interface detect-internet
set detect-interface-list=none internet-interface-list=none lan-interface-list=none wan-interface-list=none

If your device is shipped with v7, you may want to upgrade to v7.1rc2 as it contains the latest fixes in this branch.

Also, you're talking about 500Gb/s which is not really possible with SFP+ and 10 Mbit/s, which is easily achievable :)
 
ffries
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: CCR2004-1G-12S+2XS slow NAT performance

Sat Sep 04, 2021 9:01 pm

Thanks a lot!

Please note that WAN is not part of the bridge.

Same output, here is my detailed configuration, still far from 10Gb/s.

/export
# sep/04/2021 19:58:36 by RouterOS 7.1rc2
# software id = L1XN-2BCQ
#
# model = CCR2004-1G-12S+2XS
# serial number = D4F00E00064E
/interface bridge
add name=bridge1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.90.21.100-10.90.21.200
add name=dhcp_pool1 ranges=10.90.21.100-10.90.21.200
add name=dhcp_pool2 ranges=10.90.21.100-10.90.21.200
/ip dhcp-server
add address-pool=dhcp_pool2 interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=sfp-sfpplus3
add bridge=bridge1 interface=sfp-sfpplus4
add bridge=bridge1 interface=sfp-sfpplus5
add bridge=bridge1 interface=sfp-sfpplus6
add bridge=bridge1 interface=sfp-sfpplus7
add bridge=bridge1 interface=sfp-sfpplus8
add bridge=bridge1 interface=sfp-sfpplus9
add bridge=bridge1 interface=sfp-sfpplus10
add bridge=bridge1 interface=sfp-sfpplus11
add bridge=bridge1 interface=sfp-sfpplus12
/interface l2tp-server server
set l2tpv3-circuit-id="" l2tpv3-cookie-length=0 l2tpv3-digest-hash=md5
/interface list member
add interface=sfp-sfpplus1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1 network=192.168.88.0
add address=10.90.21.254/24 interface=bridge1 network=10.90.21.0
/ip dhcp-client
add interface=sfp-sfpplus1
/ip dhcp-server network
add address=10.90.21.0/24 dns-server=192.168.1.254 gateway=10.90.21.254 netmask=24 ntp-server=192.168.1.254
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip ssh
set host-key-size=4096
/system clock
set time-zone-name=Europe/Paris
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.1.254

iperf3 -p 9225 -c iperf.par2.as49434.net
Connecting to host iperf.par2.as49434.net, port 9225
[  5] local 10.90.21.200 port 44914 connected to 193.177.162.41 port 9225
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  82.7 MBytes   694 Mbits/sec    0   3.00 MBytes       
[  5]   1.00-2.00   sec  80.0 MBytes   671 Mbits/sec    0   3.00 MBytes       
[  5]   2.00-3.00   sec  81.2 MBytes   682 Mbits/sec    3   1.54 MBytes       
[  5]   3.00-4.00   sec  80.0 MBytes   671 Mbits/sec    0   1.64 MBytes       
[  5]   4.00-5.00   sec  80.0 MBytes   671 Mbits/sec    1   1.21 MBytes       
[  5]   5.00-6.00   sec  80.0 MBytes   671 Mbits/sec    0   1.29 MBytes       
[  5]   6.00-7.00   sec  80.0 MBytes   671 Mbits/sec    0   1.35 MBytes       
[  5]   7.00-8.00   sec  80.0 MBytes   671 Mbits/sec    0   1.39 MBytes       
[  5]   8.00-9.00   sec  81.2 MBytes   682 Mbits/sec    0   1.42 MBytes       
[  5]   9.00-10.00  sec  80.0 MBytes   671 Mbits/sec    0   1.43 MBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec   805 MBytes   675 Mbits/sec    4             sender
[  5]   0.00-10.02  sec   803 MBytes   672 Mbits/sec                  receiver

iperf Done.
 
ffries
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: CCR2004-1G-12S+2XS slow NAT performance [Fixed]

Sat Sep 04, 2021 9:41 pm

Solved, I feel ashamed : the router speed is limited by my ISP. I am supposed to have 5G/s now and 10G/s later and I only have 600Mb/s. Sorry for the confusion.
 
ffries
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: CCR2004-1G-12S+2XS slow NAT performance [Fixed]

Sat Sep 04, 2021 10:42 pm

I measured NAT speed using Mikrotik speedtest : around 160Gbit/s
Quite an impressive speed indeed compared to my last firewall based on OPNsense.

Seems like I bought the right hardware buying a CCR2004...
 
ffries
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: CCR2004-1G-12S+2XS slow NAT performance [Fixed]

Sun Sep 05, 2021 11:14 am

Furthermore, a download test with iperf3 needs -R for reverse. My ISP router is 2.5Gb/s and is being upgraded to 10Gb/s, so those results are normal:

iperf3 -R -p 9225 -c paris.testdebit.info
Connecting to host paris.testdebit.info, port 9225
Reverse mode, remote host paris.testdebit.info is sending
[  5] local 10.90.21.199 port 41044 connected to 89.84.1.186 port 9225
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec   238 MBytes  2.00 Gbits/sec                  
[  5]   1.00-2.00   sec   281 MBytes  2.35 Gbits/sec                  
[  5]   2.00-3.00   sec   281 MBytes  2.35 Gbits/sec                  
[  5]   3.00-4.00   sec   281 MBytes  2.35 Gbits/sec                  
[  5]   4.00-5.00   sec   281 MBytes  2.35 Gbits/sec                  
[  5]   5.00-6.00   sec   278 MBytes  2.33 Gbits/sec                  
[  5]   6.00-7.00   sec   275 MBytes  2.31 Gbits/sec                  
[  5]   7.00-8.00   sec   127 MBytes  1.07 Gbits/sec                  
[  5]   8.00-9.00   sec   131 MBytes  1.10 Gbits/sec                  
[  5]   9.00-10.00  sec   261 MBytes  2.19 Gbits/sec                  
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  2.39 GBytes  2.05 Gbits/sec  2271             sender
[  5]   0.00-10.00  sec  2.38 GBytes  2.04 Gbits/sec                  receiver

Thank you all for your kind help.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: CCR2004-1G-12S+2XS slow NAT performance [Fixed]

Sun Sep 05, 2021 11:30 am

ffries wrote:
> I measured NAT speed using Mikrotik speedtest : around 160Gbit/s
> Quite an impressive speed indeed compared to my last firewall based on OPNsense.
>
> Seems like I bought the right hardware buying a CCR2004...

160Gbit/s NAT ?!
Ain't gonna happen with a CCR2004 :lol: let alone with any Mikrotik product 8)
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: New to Mikrotik: a few questions

Sun Sep 05, 2021 11:59 am

I already wrote that, but the user never reads what they do not like to read...

rextended wrote:
> NAT is done by the CPU, all packets must be modified and recalculated.
> Both CRS can do at most nearly 600Mbit/s of NAT traffic, because they are mainly switches, not routers.
> Instead, the CCR can achieve a NAT speed of nearly 4,5Gbit/s
>
> If you need 10Gbit/s NAT speed, you must buy at least one CCR1036.
 
ffries
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: CCR2004-1G-12S+2XS slow NAT performance

Fri Sep 17, 2021 11:32 pm

My setup is nearly complete, for some reason the CCR2004 downloading speed is limited around 1G/s with 10% CPU activity, so there must be a misconfiguration somewhere.

IP > Settings shows that IPv4 fasttrack is not active.
I guess that this is something related to VLANs but I cannot fix it.

Any help appreciated.

# sep/19/2021 17:56:20 by RouterOS 7.1rc3
# software id = L1XN-2BCQ
#
# model = CCR2004-1G-12S+2XS
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=BR1 name=vlan20-secure vlan-id=20
add interface=BR1 name=vlan30-admin vlan-id=30
add interface=BR1 name=vlan40-nas vlan-id=40
add interface=BR1 name=vlan50-vpn vlan-id=50
add interface=BR1 name=vlan60-freebox vlan-id=60
add interface=BR1 name=vlan70-famille vlan-id=70
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=vlan30-pool ranges=10.90.30.1-10.90.30.253
add name=vlan20-pool ranges=10.90.20.1-10.90.20.253
add name=vlan40-pool ranges=10.90.40.1-10.90.40.253
add name=vlan50-pool ranges=10.90.50.1-10.90.50.253
add name=vlan70-pool ranges=10.90.70.1-10.90.70.253
/ip dhcp-server
add address-pool=vlan30-pool interface=vlan30-admin name=vlan30-dhcp
add address-pool=vlan40-pool interface=vlan40-nas name=vlan40-dhcp
add address-pool=vlan50-pool interface=vlan50-vpn name=vlan50-dhcp
add address-pool=vlan70-pool interface=vlan70-famille name=vlan70-dhcp
add address-pool=vlan20-pool interface=vlan20-secure name=vlan20-dhcp
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus1 pvid=70
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus2 pvid=70
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=sfp-sfpplus10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus12 pvid=60
/interface bridge vlan
add bridge=BR1 tagged=sfp-sfpplus10,BR1 untagged=sfp-sfpplus1,sfp-sfpplus2 vlan-ids=70
add bridge=BR1 tagged=sfp-sfpplus10,BR1 vlan-ids=20
add bridge=BR1 tagged=BR1,sfp-sfpplus10 vlan-ids=30
add bridge=BR1 tagged=sfp-sfpplus10,BR1 vlan-ids=40
add bridge=BR1 tagged=sfp-sfpplus10,BR1 vlan-ids=50
add bridge=BR1 tagged=sfp-sfpplus10,BR1 untagged=sfp-sfpplus12 vlan-ids=60
/interface list member
add interface=vlan60-freebox list=WAN
add interface=vlan20-secure list=VLAN
add interface=vlan40-nas list=VLAN
add interface=vlan50-vpn list=VLAN
add interface=vlan70-famille list=VLAN
add interface=vlan30-admin list=BASE
/ip address
add address=192.168.88.1/24 interface=ether1 network=192.168.88.0
add address=10.90.30.254/24 interface=vlan30-admin network=10.90.30.0
add address=10.90.40.254/24 interface=vlan40-nas network=10.90.40.0
add address=10.90.50.254/24 interface=vlan50-vpn network=10.90.50.0
add address=192.168.1.250/24 interface=vlan60-freebox network=192.168.1.0
add address=10.90.70.254/24 interface=vlan70-famille network=10.90.70.0
add address=10.90.20.254/24 interface=vlan20-secure network=10.90.20.0
/ip dhcp-server network
add address=10.90.20.0/24 dns-server=10.90.20.254 gateway=10.90.20.254 netmask=24
add address=10.90.30.0/24 dns-server=10.90.30.254 gateway=10.90.30.254 netmask=24
add address=10.90.40.0/24 dns-server=10.90.40.254 gateway=10.90.40.254 netmask=24
add address=10.90.50.0/24 dns-server=10.90.50.254 gateway=10.90.50.254 netmask=24
add address=10.90.70.0/24 dns-server=10.90.70.254 gateway=10.90.70.254 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.1.254,8.8.8.8,1.1.1.1,1.0.0.1
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow vlan30-admin Full Access" in-interface=vlan30-admin
add action=accept chain=input protocol=icmp
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="vlan30-admin Internet Access" connection-state=new in-interface=vlan30-admin out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.1.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=CCR2004-1G-12S-2XS
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=192.168.1.254
/tool bandwidth-server
set allocate-udp-ports-from=1000 authenticate=no max-sessions=1
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
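
An added example, not part of any post in this thread and not MikroTik code: a small Python check that reads a RouterOS `/export` and flags three settings that come up in this discussion: a fasttrack rule that is not limited to established/related traffic or lacks its matching accept rule, detect-internet left enabled, and `/tool bandwidth-server` with `authenticate=no`. The finding names and the sample text are assumptions made up for the example.

```python
import re

# Constructed sample: lines taken from the configurations posted in this thread,
# trimmed to the menus the checks below look at.
SAMPLE_EXPORT = '''\
# constructed sample, not a full export
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=all wan-interface-list=all
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=drop chain=forward comment=Drop
/tool bandwidth-server
set allocate-udp-ports-from=1000 authenticate=no max-sessions=1
'''

# key=value where the value is either a quoted string or a run of non-blanks
_KV = re.compile(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_export(text):
    """Return (menu, verb, params) tuples for every add/set line of an export."""
    entries, menu, pending = [], None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # long export lines are wrapped with "\"
            pending = line[:-1]
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):           # a menu path such as "/ip firewall filter"
            menu = line
            continue
        verb, _, rest = line.partition(" ")
        rest = re.sub(r"\[[^\]]*\]", "", rest)   # drop "[ find ... ]" selectors
        params = {k: v.strip('"') for k, v in _KV.findall(rest)}
        entries.append((menu, verb, params))
    return entries


def _states(rule):
    return {s for s in rule.get("connection-state", "").split(",") if s}


def audit(entries):
    """Return the list of finding names (hypothetical labels) for an export."""
    findings = []
    fwd = [p for m, v, p in entries
           if m == "/ip firewall filter" and v == "add"
           and p.get("chain") == "forward" and p.get("disabled") != "yes"]
    for i, rule in enumerate(fwd):
        if rule.get("action") != "fasttrack-connection":
            continue
        states = _states(rule)
        # FastTracked packets skip the filter rules, so only connections that
        # were already accepted (established/related) should be marked.
        if not states or not states <= {"established", "related"}:
            findings.append("fasttrack-unscoped")
        # Packets of such a connection that still take the slow path need the
        # accept rule for the same states that follows in the thread's advice.
        nxt = fwd[i + 1] if i + 1 < len(fwd) else {}
        if nxt.get("action") != "accept" or _states(nxt) != states:
            findings.append("fasttrack-no-accept-pair")
    lists = ("detect-interface-list", "internet-interface-list",
             "lan-interface-list", "wan-interface-list")
    for m, v, p in entries:
        if m == "/interface detect-internet" and v == "set":
            # The thread's advice is to set all four lists to "none".
            if any(p.get(k, "none") != "none" for k in lists):
                findings.append("detect-internet-enabled")
        if m == "/tool bandwidth-server" and v == "set":
            # authenticate=no accepts bandwidth tests from unauthenticated clients.
            if p.get("authenticate") == "no" and p.get("enabled") != "no":
                findings.append("btest-unauthenticated")
    return findings


if __name__ == "__main__":
    for name in audit(parse_export(SAMPLE_EXPORT)):
        print("finding:", name)
```
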
 
ffries
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: CCR2004-1G-12S+2XS slow NAT performance

Sun Sep 19, 2021 7:55 pm

Using multithreading, performance is better, still not fasttrack.
Any solution to enable fasttrack? Seems like it does not work with VLANs.

iperf3 -P 15 -R  -p 9226 -c paris.testdebit.info
Connecting to host paris.testdebit.info, port 9226
Reverse mode, remote host paris.testdebit.info is sending
[  5] local 10.90.30.253 port 60108 connected to 89.84.1.186 port 9226
[  7] local 10.90.30.253 port 60110 connected to 89.84.1.186 port 9226
[  9] local 10.90.30.253 port 60112 connected to 89.84.1.186 port 9226
[ 11] local 10.90.30.253 port 60114 connected to 89.84.1.186 port 9226
[ 13] local 10.90.30.253 port 60116 connected to 89.84.1.186 port 9226
[ 15] local 10.90.30.253 port 60118 connected to 89.84.1.186 port 9226
[ 17] local 10.90.30.253 port 60120 connected to 89.84.1.186 port 9226
[ 19] local 10.90.30.253 port 60122 connected to 89.84.1.186 port 9226
[ 21] local 10.90.30.253 port 60124 connected to 89.84.1.186 port 9226
[ 23] local 10.90.30.253 port 60126 connected to 89.84.1.186 port 9226
[ 25] local 10.90.30.253 port 60128 connected to 89.84.1.186 port 9226
[ 27] local 10.90.30.253 port 60130 connected to 89.84.1.186 port 9226
[ 29] local 10.90.30.253 port 60132 connected to 89.84.1.186 port 9226
[ 31] local 10.90.30.253 port 60134 connected to 89.84.1.186 port 9226
[ 33] local 10.90.30.253 port 60136 connected to 89.84.1.186 port 9226
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec  17.8 MBytes   149 Mbits/sec                  
[  7]   0.00-1.00   sec  15.5 MBytes   130 Mbits/sec                  
[  9]   0.00-1.00   sec  21.0 MBytes   176 Mbits/sec                  
[ 11]   0.00-1.00   sec  9.40 MBytes  78.9 Mbits/sec                  
[ 13]   0.00-1.00   sec  13.6 MBytes   114 Mbits/sec                  
[ 15]   0.00-1.00   sec  16.5 MBytes   139 Mbits/sec                  
[ 17]   0.00-1.00   sec  13.8 MBytes   116 Mbits/sec                  
[ 19]   0.00-1.00   sec  21.1 MBytes   177 Mbits/sec                  
[ 21]   0.00-1.00   sec  15.3 MBytes   128 Mbits/sec                  
[ 23]   0.00-1.00   sec  15.0 MBytes   125 Mbits/sec                  
[ 25]   0.00-1.00   sec  17.9 MBytes   150 Mbits/sec                  
[ 27]   0.00-1.00   sec  2.72 MBytes  22.9 Mbits/sec                  
[ 29]   0.00-1.00   sec  10.8 MBytes  91.0 Mbits/sec                  
[ 31]   0.00-1.00   sec  18.3 MBytes   154 Mbits/sec                  
[ 33]   0.00-1.00   sec  12.4 MBytes   104 Mbits/sec                  
[SUM]   0.00-1.00   sec   221 MBytes  1.86 Gbits/sec    
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: CCR2004-1G-12S+2XS slow NAT performance

Sun Sep 19, 2021 8:09 pm

I cannot spot anything wrong in the configuration, what is the output of /ip/firewall/connection/print where srcnat ? I'm not interested in the addresses, just in the flags, there should be s everywhere for src-nat and F for fasttracking.
 
ffries
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: CCR2004-1G-12S+2XS slow NAT performance

Sun Sep 19, 2021 8:58 pm

Thank you for your help.
You are right, fasttracking is enabled.
So why is snat so slow?

Is that because I am using a VLAN for output (I need to send TV to another switch)?

/ip/firewall/connection/print where srcnat
Flags: S - SEEN-REPLY; A - ASSURED; C - CONFIRMED; F - FASTTRACK; s - SRCNAT
Columns: PROTOCOL, SRC-ADDRESS, DST-ADDRESS, TCP-STATE, TIMEOUT
 #       PRO  SRC-ADDRESS        DST-ADDRESS           TCP-STATE    TIMEOUT  
 0 SACFs tcp  10.90.70.3:59555   17.57.146.69:5223     established  23h52m29s
 1 SACFs tcp  10.90.40.1:48144   216.58.198.202:443    established  23h59m22s
 2 SACFs tcp  10.90.40.1:39088   34.253.21.159:443     established  23h59m48s
 3 SACFs tcp  10.90.70.10:51688  162.159.138.232:443   established  23h58m10s
 4 SACFs tcp  10.90.70.2:57080   142.250.13.108:993    established  23h59m10s
 5 SACFs tcp  10.90.40.1:35152   142.250.110.188:5228  established  23h59m26s
 6 SACFs tcp  10.90.40.2:43235   3.214.18.147:6126     established  23h59m46s
 7 SACFs tcp  10.90.70.2:51327   178.21.176.100:8080   established  23h17m21s
 8 SACFs tcp  10.90.70.2:57079   195.83.96.19:993      established  23h59m9s 
 9 SACFs tcp  10.90.70.4:53000   151.101.121.229:443   established  23h59m9s 
10 SACFs tcp  10.90.40.1:35136   142.250.110.188:5228  established  23h52m52s
11 SACFs tcp  10.90.70.4:57744   51.15.150.228:443     established  23h59m54s
12 SACFs tcp  10.90.70.6:59923   34.107.247.156:443    established  23h52m30s
13 SACFs tcp  10.90.70.3:59656   142.250.178.142:443   established  23h59m50s
14 SACFs tcp  10.90.70.10:51684  162.159.138.232:443   established  23h58m8s 
15 SACFs tcp  10.90.70.10:51682  80.241.60.199:143     established  23h58m7s 
16 SACFs tcp  10.90.70.3:59680   173.194.190.167:443   close        2s       
17 SACFs tcp  10.90.40.1:41062   142.250.179.74:443    established  23h59m22s
18 SACFs tcp  10.90.40.1:36104   216.58.198.195:80     established  23h59m25s
19 SACFs tcp  10.90.70.4:41806   34.107.221.82:80      established  23h59m59s
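
The flag check requested above (s on every src-nat connection, F on every fasttracked one) can be scripted instead of read by eye. This is an added example, not part of the original posts: the function names are hypothetical and the sample rows are constructed with documentation addresses, using only the flag legend and column layout shown in the output above.

```python
FLAG_CHARS = set("SACFs")  # legend from the RouterOS output quoted in the thread

def parse_connections(text):
    """Yield (index, flags, protocol, src, dst) for each data row of the print output."""
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or not tok[0].isdigit():
            continue  # legend, column header or blank line
        if set(tok[1]) <= FLAG_CHARS:
            flags, rest = tok[1], tok[2:]
        else:
            flags, rest = "", tok[1:]  # row printed with no flags at all
        if len(rest) < 3:
            continue
        yield int(tok[0]), flags, rest[0], rest[1], rest[2]

def audit(text):
    """Return the rows that lack the src-nat (s) or fasttrack (F) flag."""
    findings = []
    for idx, flags, proto, src, dst in parse_connections(text):
        missing = [name for ch, name in (("s", "srcnat"), ("F", "fasttrack"))
                   if ch not in flags]
        if missing:
            findings.append({"row": idx, "proto": proto, "src": src,
                             "dst": dst, "missing": missing})
    return findings

# Constructed sample in the same layout as the output above.
SAMPLE = """\
Flags: S - SEEN-REPLY; A - ASSURED; C - CONFIRMED; F - FASTTRACK; s - SRCNAT
Columns: PROTOCOL, SRC-ADDRESS, DST-ADDRESS, TCP-STATE, TIMEOUT
 #       PRO  SRC-ADDRESS        DST-ADDRESS           TCP-STATE    TIMEOUT
 0 SACFs tcp  192.0.2.10:59555   198.51.100.7:443      established  23h52m29s
 1 SACs  tcp  192.0.2.11:48144   198.51.100.8:443      established  23h59m22s
 2 SACF  udp  192.0.2.12:39088   198.51.100.9:53                    2m10s
 3 Cs    tcp  192.0.2.13:51688   198.51.100.10:443     syn-sent     4s
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"row {f['row']} {f['proto']} {f['src']} -> {f['dst']}: "
              f"missing {', '.join(f['missing'])}")
```

A row that is still in syn-sent, like row 3 in the sample, is expected to lack F until the connection is established, so treat such findings as informational.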
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: CCR2004-1G-12S+2XS slow NAT performance

Sun Sep 19, 2021 9:27 pm

Oh, I've noticed only now you're using the bandwidth test on the Mikrotik itself. The manual explicitly states that you cannot use a bandwidth test running on a given machine to test the routing capacity of that same machine, as the bandwidth test itself consumes a lot of CPU resources.

So if you run the bandwidth test on the CCR, the results are flawed, plus the traffic doesn't pass through the forward chain, so no fasttracking is applicable to it.

If you run the bandwidth test on the CRS, a 1 Gbit/s is an incredibly high figure, given how weak the CPUs in CRSes are.
 
ffries
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: CCR2004-1G-12S+2XS slow NAT performance

Sun Sep 19, 2021 11:53 pm

No, this is a different topic; here it is about the CCR2004 routing capacity.
I am using iperf3 to measure bandwidth (see previous messages in thread).

I think the figures could be linked to the VLAN for WAN.
I purchased a Mikrotik SFP+ module for adding the VLAN on a different port.

When I connected directly on the CCR2004 with a 10Gb module I could reach 2,5 Mb which is the speed of my Fiber box.
I don't have this module any longer, so I purchased a new one.
 
ffries
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: CCR2004-1G-12S+2XS slow NAT performance

Wed Sep 22, 2021 3:01 pm

In reply to this post, I migrated WAN to a normal sfp+ port and removed WAN VLAN from the bridge.
I could reach 2,5 Mb/s which is the maximum of my fiber provider:
iperf3 -R -p 9204 -c paris.testdebit.info
Connecting to host paris.testdebit.info, port 9204
Reverse mode, remote host paris.testdebit.info is sending
[  5] local 10.90.40.5 port 54270 connected to 89.84.1.186 port 9204
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec   269 MBytes  2.26 Gbits/sec                  
[  5]   1.00-2.00   sec   281 MBytes  2.35 Gbits/sec                  
[  5]   2.00-3.00   sec   281 MBytes  2.35 Gbits/sec                  
[  5]   3.00-4.00   sec   281 MBytes  2.35 Gbits/sec                  
[  5]   4.00-5.00   sec   281 MBytes  2.35 Gbits/sec                  
[  5]   5.00-6.00   sec   281 MBytes  2.35 Gbits/sec                  
[  5]   6.00-7.00   sec   281 MBytes  2.35 Gbits/sec                  
[  5]   7.00-8.00   sec   281 MBytes  2.35 Gbits/sec                  
[  5]   8.00-9.00   sec   281 MBytes  2.35 Gbits/sec                  
[  5]   9.00-10.00  sec   281 MBytes  2.35 Gbits/sec                  
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  2.74 GBytes  2.35 Gbits/sec  192             sender
[  5]   0.00-10.00  sec  2.73 GBytes  2.34 Gbits/sec                  receiver
So never use a VLAN for WAN ... It kills performance.
 
mozerd
Forum Veteran
Forum Veteran
Posts: 871
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: CCR2004-1G-12S+2XS slow NAT performance

Wed Sep 22, 2021 4:57 pm

So never use a VLAN for WAN ... It kills performance.
I suggest that you open a support ticket with MikroTik and report your findings. Using a VLAN for WAN is very common and should not have any negative impact on the performance delivered by your ISP. I have not checked your configuration, so I cannot comment on that, but I have done many WAN connections using VLAN and performance was excellent.
 
ffries
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: CCR2004-1G-12S+2XS slow NAT performance [Fixed]

Thu Sep 30, 2021 3:32 pm

It is too late for me to open a ticket but I will keep it in mind for future reference. Thank you all.
 
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CCR2004-1G-12S+2XS slow NAT performance [Fixed]

Thu Sep 30, 2021 6:01 pm

My ISP uses a VLAN to pass internet traffic and a different VLAN to pass TV traffic.
 
ffries
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: CCR2004-1G-12S+2XS slow NAT performance [Fixed]

Wed Oct 27, 2021 8:32 pm

Just a quick note that I am back to a WAN on a VLAN as I wanted to test L3 Hardware acceleration on the switch.

The problem is that I am now limited in speed on the WAN:
iperf3 -R -p 5204 -c ping.online.net
Connecting to host ping.online.net, port 5204
Reverse mode, remote host ping.online.net is sending
[ 5] local xxxxxxxxxxxxxxxx port 36789 connected to 62.210.18.40 port 5204
[ ID] Interval Transfer Bitrate
[ 5] 0.00-1.00 sec 176 MBytes 1.48 Gbits/sec
[ 5] 1.00-2.00 sec 206 MBytes 1.73 Gbits/sec
[ 5] 2.00-3.00 sec 191 MBytes 1.60 Gbits/sec
[ 5] 3.00-4.00 sec 214 MBytes 1.79 Gbits/sec
[ 5] 4.00-5.00 sec 209 MBytes 1.75 Gbits/sec
[ 5] 5.00-6.00 sec 210 MBytes 1.76 Gbits/sec
[ 5] 6.00-7.00 sec 211 MBytes 1.77 Gbits/sec
[ 5] 7.00-8.00 sec 213 MBytes 1.78 Gbits/sec
[ 5] 8.00-9.00 sec 213 MBytes 1.79 Gbits/sec
[ 5] 9.00-10.00 sec 210 MBytes 1.76 Gbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 2.01 GBytes 1.73 Gbits/sec 296 sender
[ 5] 0.00-10.00 sec 2.00 GBytes 1.72 Gbits/sec receiver
So I will get back to WAN on normal ethernet port.
Speed should be around 2.4 Gbit/s.
 
ffries
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: New to Mikrotik: a few questions

Wed Oct 27, 2021 10:02 pm

If you need 10Gbit/s NAT speed, you must buy at least one CCR1036.
True, the CCR1036-8G-2S+EM with two SFP+ can do the job.

The CCR2004-1G-12S+2XS with tagged and untagged VLANs is far from the Mikrotik benchmark:
https://mikrotik.com/product/ccr2004_1g ... estresults

Mikrotik benchmarking is probably done without VLAN.
CCR1036-8G-2S+EM router lacks a switch chip ...
Tagging and untagging is probably done by CPU.

To achieve full speed, I probably need a small switch and connect each VLAN with a direct attach cable.
Not very nice, but it should do the job ...

 
ffries
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: CCR2004-1G-12S+2XS slow NAT performance [Fixed]

Thu Oct 28, 2021 1:29 pm

I am going to stop investigating as I don't have enough tools to test bandwidth.

* My ISP fiber line is offering 2.5Gbit downstream, which is far from 10Gbit.
* I am using 2 x 5Gbit USB3 dongles. Testing from one dongle to another shows 3.5 Gbit speed, not 5Gib.
* One computer with 10Gb network card.

I need at least one small 10Gb switch and two computers with 10Gb NICs.
So I am stopping here and I am very satisfied with CCR2004-1G-12S+2XS performance.
 
ffries
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: CCR2004-1G-12S+2XS slow NAT performance [Fixed]

Thu Oct 28, 2021 4:20 pm

Just a quick note that the CCR2004-16G-2S+ is out !!!
It has two switch chips with 16 GB connectors and two SFP+ for uplink, but no passive cooling.

The SFP+ cases are not linked to a switch chip so tagging/untagging probably happens in CPU.

 
ffries
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: CCR2004-1G-12S+2XS slow NAT performance [Fixed]

Thu Dec 02, 2021 6:46 pm

I am getting back on this issue because I received new hardware for testing with true 10Gb cards.
I can confirm a NAT speed on one thread of 2Gbit/s on the CCR2004-1G-12S+2XS on a fiber line of 2.5Gbit/s.
On multiple threads I can reach the limit of 2.5 Gbit/s without problem.

So this is okay for me. Conversely, inter-VLAN speed is slow and I will open a different thread for it.
 
ffries
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: CCR2004-1G-12S+2XS slow NAT performance [Fixed]

Thu Feb 03, 2022 11:46 pm

Inter-vlan speed was fixed in latest RouterOS release.
The CCR2004 can now reach wire speed in inter-lan.
As a result, routing is also faster.

I could not measure the real speed for lack of proper hardware.
But it seems now rock-solid.

Thank you Mikrotik team.
 
glow
newbie
Posts: 29
Joined: Sun Dec 05, 2021 1:56 am

Re: CCR2004-1G-12S+2XS slow NAT performance [Fixed]

Fri Feb 04, 2022 2:12 am

I am going to stop investigating as I don't have enough tools to test bandwidth.

* My ISP fiber line is offering 2.5Gbit downstream, which is far from 10Gbit.
* I am using 2 x 5Gbit USB3 dongles. Testing from one dongle to another shows 3.5 Gbit speed, not 5Gib.
* One computer with 10Gb network card.

I need at least one small 10Gb switch and two computers with 10Gb NICs.
So I am stopping here and I am very satisfied with CCR2004-1G-12S+2XS performance.
Re: 3.5Gbit speed. USB 3.2 Gen 1 (a.k.a. 5Gbps) is the max supported speed by the Marvell AQtion chip commonly used in "5Gbps/5GbE USB adapters" - https://www.marvell.com/content/dam/mar ... -brief.pdf. The USB3 "5Gbps" protocol has ~20% overhead for line encoding (8/10b), so the actual datarate is 4Gbps. Add in other overheads (whatever they may be), and 3.5Gbps is a realistic throughput.



I am also switching from OPNsense to Mikrotik because of hardware acceleration and I need to go 10gb and I don't want to use a computer as router.
Outside of the CCR2116, I don't believe the other CCRs have HW acceleration. There are still other benefits w.r.t. using a CCR (form factor, cost, whatever it may be...), but unless your existing OPNsense was a massive power hog, I'd just stick with it.
