# Minimal routed setup as posted: one LAN bridge (bridge1) with a DHCP server,
# a DHCP client on sfp-sfpplus1 as the uplink, and source NAT towards the WAN list.
# NOTE(review): this export shows no /ip firewall filter section, so no rule here
# limits what can reach the router's own services (input chain) from the uplink
# side. Add input/forward filtering before using this as an edge router.
/interface bridge
add name=bridge1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.90.21.100-10.90.21.200
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=main
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus2
# Detect Internet is pointed at the built-in "all" list for every parameter.
# NOTE(review): as far as I recall, MikroTik's documentation warns that this
# feature can install DHCP clients and default routes by itself - confirm, and
# set these to none if that behaviour is not wanted.
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=all wan-interface-list=all
# L2TP server parameters only; no enabled=yes is visible in this export.
/interface l2tp-server server
set l2tpv3-circuit-id="" l2tpv3-cookie-length=0 l2tpv3-digest-hash=md5
/interface list member
add interface=sfp-sfpplus1 list=WAN
add interface=bridge1 list=LAN
/ip address
# 192.168.88.1/24 on ether1 carries the "defconf" comment; 10.90.21.254 is the LAN gateway.
add address=192.168.88.1/24 comment=defconf interface=ether1 network=192.168.88.0
add address=10.90.21.254/24 interface=bridge1 network=10.90.21.0
/ip dhcp-client
add interface=sfp-sfpplus1
/ip dhcp-server network
# DNS and NTP handed to clients point at 192.168.1.254, which is outside the LAN
# subnet - presumably the upstream ISP box; verify.
add address=10.90.21.0/24 dns-server=192.168.1.254 gateway=10.90.21.254 netmask=24 ntp-server=192.168.1.254
/ip firewall nat
# Masquerade everything leaving through an interface in the WAN list.
add action=masquerade chain=srcnat out-interface-list=WAN
/ip ssh
set host-key-size=4096
/system clock
set time-zone-name=Europe/Paris
/tool profile
Columns: NAME, USAGE
NAME USAGE
www 0%
ethernet 2.8%
console 0%
firewall 2.5%
networking 5.1%
management 0%
routing 1%
profiling 0%
bridging 0.7%
unclassified 2.3%
Connecting to host iperf.par2.as49434.net, port 9225
[ 5] local 10.90.21.200 port 36218 connected to 193.177.162.41 port 9225
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 82.9 MBytes 695 Mbits/sec 0 3.00 MBytes
[ 5] 1.00-2.00 sec 80.0 MBytes 671 Mbits/sec 0 3.00 MBytes
[ 5] 2.00-3.00 sec 80.0 MBytes 671 Mbits/sec 3 1.56 MBytes
[ 5] 3.00-4.00 sec 80.0 MBytes 671 Mbits/sec 0 1.65 MBytes
[ 5] 4.00-5.00 sec 80.0 MBytes 671 Mbits/sec 0 1.72 MBytes
[ 5] 5.00-6.00 sec 80.0 MBytes 671 Mbits/sec 0 1.77 MBytes
[ 5] 6.00-7.00 sec 80.0 MBytes 671 Mbits/sec 1 1.58 MBytes
[ 5] 7.00-8.00 sec 81.2 MBytes 682 Mbits/sec 0 1.35 MBytes
[ 5] 8.00-9.00 sec 80.0 MBytes 671 Mbits/sec 0 1.42 MBytes
[ 5] 9.00-10.00 sec 80.0 MBytes 671 Mbits/sec 0 1.46 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 804 MBytes 675 Mbits/sec 4 sender
[ 5] 0.00-10.02 sec 802 MBytes 672 Mbits/sec receiver
iperf Done.
iperf3 -P2 -p 9225 -c iperf.par2.as49434.net
Connecting to host iperf.par2.as49434.net, port 9225
[ 5] local 10.90.21.200 port 36278 connected to 193.177.162.41 port 9225
[ 7] local 10.90.21.200 port 36280 connected to 193.177.162.41 port 9225
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 47.0 MBytes 394 Mbits/sec 48 1.27 MBytes
[ 7] 0.00-1.00 sec 39.0 MBytes 327 Mbits/sec 84 1.02 MBytes
[SUM] 0.00-1.00 sec 86.0 MBytes 721 Mbits/sec 132
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 5] 1.00-2.00 sec 43.8 MBytes 367 Mbits/sec 1 1004 KBytes
[ 7] 1.00-2.00 sec 37.5 MBytes 315 Mbits/sec 0 1.14 MBytes
[SUM] 1.00-2.00 sec 81.2 MBytes 682 Mbits/sec 1
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 5] 2.00-3.00 sec 31.2 MBytes 262 Mbits/sec 1 761 KBytes
[ 7] 2.00-3.00 sec 48.8 MBytes 409 Mbits/sec 0 1.23 MBytes
[SUM] 2.00-3.00 sec 80.0 MBytes 671 Mbits/sec 1
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 5] 3.00-4.00 sec 30.0 MBytes 252 Mbits/sec 0 806 KBytes
[ 7] 3.00-4.00 sec 50.0 MBytes 419 Mbits/sec 0 1.30 MBytes
[SUM] 3.00-4.00 sec 80.0 MBytes 671 Mbits/sec 0
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 5] 4.00-5.00 sec 30.0 MBytes 252 Mbits/sec 1 592 KBytes
[ 7] 4.00-5.00 sec 51.2 MBytes 430 Mbits/sec 2 979 KBytes
[SUM] 4.00-5.00 sec 81.2 MBytes 682 Mbits/sec 3
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 5] 5.00-6.00 sec 30.0 MBytes 252 Mbits/sec 0 641 KBytes
[ 7] 5.00-6.00 sec 50.0 MBytes 419 Mbits/sec 0 1.02 MBytes
[SUM] 5.00-6.00 sec 80.0 MBytes 671 Mbits/sec 0
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 5] 6.00-7.00 sec 33.8 MBytes 283 Mbits/sec 0 672 KBytes
[ 7] 6.00-7.00 sec 46.2 MBytes 388 Mbits/sec 2 785 KBytes
[SUM] 6.00-7.00 sec 80.0 MBytes 671 Mbits/sec 2
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 5] 7.00-8.00 sec 31.2 MBytes 262 Mbits/sec 1 512 KBytes
[ 7] 7.00-8.00 sec 48.8 MBytes 409 Mbits/sec 0 839 KBytes
[SUM] 7.00-8.00 sec 80.0 MBytes 671 Mbits/sec 1
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 5] 8.00-9.00 sec 30.0 MBytes 252 Mbits/sec 0 554 KBytes
[ 7] 8.00-9.00 sec 50.0 MBytes 419 Mbits/sec 0 874 KBytes
[SUM] 8.00-9.00 sec 80.0 MBytes 671 Mbits/sec 0
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 5] 9.00-10.00 sec 32.5 MBytes 273 Mbits/sec 0 597 KBytes
[ 7] 9.00-10.00 sec 47.5 MBytes 398 Mbits/sec 0 897 KBytes
[SUM] 9.00-10.00 sec 80.0 MBytes 671 Mbits/sec 0
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 339 MBytes 285 Mbits/sec 52 sender
[ 5] 0.00-10.02 sec 336 MBytes 282 Mbits/sec receiver
[ 7] 0.00-10.00 sec 469 MBytes 393 Mbits/sec 88 sender
[ 7] 0.00-10.02 sec 467 MBytes 391 Mbits/sec receiver
[SUM] 0.00-10.00 sec 809 MBytes 678 Mbits/sec 140 sender
[SUM] 0.00-10.02 sec 804 MBytes 673 Mbits/sec receiver
/interface ethernet switch print
Columns: NAME, TYPE, L3-HW-OFFLOADING
# NAME TYPE L3-HW-OFFLOADING
0 switch1 Marvell-98PX1012 no
# FastTrack established/related forwarded connections, followed by the matching
# accept rule for packets that are not fasttracked.
# NOTE(review): packets of a fasttracked connection bypass later filter rules
# and queues, so anything that must be inspected or dropped has to be decided
# while the connection is still new. These two rules add no input-chain protection.
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related
# Turn Detect Internet off by pointing every parameter at the "none" list.
/interface detect-internet
set detect-interface-list=none internet-interface-list=none lan-interface-list=none wan-interface-list=none
/export
# sep/04/2021 19:58:36 by RouterOS 7.1rc2
# software id = L1XN-2BCQ
#
# model = CCR2004-1G-12S+2XS
# serial number = D4F00E00064E
# Second export: same single-bridge layout, now with sfp-sfpplus2..12 bridged,
# FastTrack in the forward chain and an NTP client.
# NOTE(review): the filter table below holds forward-chain rules only; there is
# still no input-chain rule, so the router's own services are not filtered on
# the WAN side by anything in this export.
/interface bridge
add name=bridge1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# Three pools share one range; only dhcp_pool2 is referenced by the DHCP server
# below, so "dhcp" and "dhcp_pool1" look like leftovers in this export.
add name=dhcp ranges=10.90.21.100-10.90.21.200
add name=dhcp_pool1 ranges=10.90.21.100-10.90.21.200
add name=dhcp_pool2 ranges=10.90.21.100-10.90.21.200
/ip dhcp-server
add address-pool=dhcp_pool2 interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=sfp-sfpplus3
add bridge=bridge1 interface=sfp-sfpplus4
add bridge=bridge1 interface=sfp-sfpplus5
add bridge=bridge1 interface=sfp-sfpplus6
add bridge=bridge1 interface=sfp-sfpplus7
add bridge=bridge1 interface=sfp-sfpplus8
add bridge=bridge1 interface=sfp-sfpplus9
add bridge=bridge1 interface=sfp-sfpplus10
add bridge=bridge1 interface=sfp-sfpplus11
add bridge=bridge1 interface=sfp-sfpplus12
# L2TP server parameters only; no enabled=yes is visible in this export.
/interface l2tp-server server
set l2tpv3-circuit-id="" l2tpv3-cookie-length=0 l2tpv3-digest-hash=md5
/interface list member
add interface=sfp-sfpplus1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1 network=192.168.88.0
add address=10.90.21.254/24 interface=bridge1 network=10.90.21.0
/ip dhcp-client
add interface=sfp-sfpplus1
/ip dhcp-server network
add address=10.90.21.0/24 dns-server=192.168.1.254 gateway=10.90.21.254 netmask=24 ntp-server=192.168.1.254
/ip firewall filter
# hw-offload=yes is set on the FastTrack rule; whether anything is actually
# offloaded depends on the switch chip's L3 hardware offloading state, which
# this export does not show.
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip ssh
set host-key-size=4096
/system clock
set time-zone-name=Europe/Paris
/system ntp client
set enabled=yes
/system ntp client servers
# Time is taken from 192.168.1.254 - presumably the upstream gateway; verify.
add address=192.168.1.254
iperf3 -p 9225 -c iperf.par2.as49434.net
Connecting to host iperf.par2.as49434.net, port 9225
[ 5] local 10.90.21.200 port 44914 connected to 193.177.162.41 port 9225
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 82.7 MBytes 694 Mbits/sec 0 3.00 MBytes
[ 5] 1.00-2.00 sec 80.0 MBytes 671 Mbits/sec 0 3.00 MBytes
[ 5] 2.00-3.00 sec 81.2 MBytes 682 Mbits/sec 3 1.54 MBytes
[ 5] 3.00-4.00 sec 80.0 MBytes 671 Mbits/sec 0 1.64 MBytes
[ 5] 4.00-5.00 sec 80.0 MBytes 671 Mbits/sec 1 1.21 MBytes
[ 5] 5.00-6.00 sec 80.0 MBytes 671 Mbits/sec 0 1.29 MBytes
[ 5] 6.00-7.00 sec 80.0 MBytes 671 Mbits/sec 0 1.35 MBytes
[ 5] 7.00-8.00 sec 80.0 MBytes 671 Mbits/sec 0 1.39 MBytes
[ 5] 8.00-9.00 sec 81.2 MBytes 682 Mbits/sec 0 1.42 MBytes
[ 5] 9.00-10.00 sec 80.0 MBytes 671 Mbits/sec 0 1.43 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 805 MBytes 675 Mbits/sec 4 sender
[ 5] 0.00-10.02 sec 803 MBytes 672 Mbits/sec receiver
iperf Done.
iperf3 -R -p 9225 -c paris.testdebit.info
Connecting to host paris.testdebit.info, port 9225
Reverse mode, remote host paris.testdebit.info is sending
[ 5] local 10.90.21.199 port 41044 connected to 89.84.1.186 port 9225
[ ID] Interval Transfer Bitrate
[ 5] 0.00-1.00 sec 238 MBytes 2.00 Gbits/sec
[ 5] 1.00-2.00 sec 281 MBytes 2.35 Gbits/sec
[ 5] 2.00-3.00 sec 281 MBytes 2.35 Gbits/sec
[ 5] 3.00-4.00 sec 281 MBytes 2.35 Gbits/sec
[ 5] 4.00-5.00 sec 281 MBytes 2.35 Gbits/sec
[ 5] 5.00-6.00 sec 278 MBytes 2.33 Gbits/sec
[ 5] 6.00-7.00 sec 275 MBytes 2.31 Gbits/sec
[ 5] 7.00-8.00 sec 127 MBytes 1.07 Gbits/sec
[ 5] 8.00-9.00 sec 131 MBytes 1.10 Gbits/sec
[ 5] 9.00-10.00 sec 261 MBytes 2.19 Gbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 2.39 GBytes 2.05 Gbits/sec 2271 sender
[ 5] 0.00-10.00 sec 2.38 GBytes 2.04 Gbits/sec receiver
160Gbit/s NAT ?! I measured NAT speed using the MikroTik speedtest: around 160Gbit/s.
Quite an impressive speed indeed compared to my last firewall based on OPNsense.
Seems like I bought the right hardware buying a CCR2004...
NAT is done by the CPU: every packet must be modified and recalculated.
Both CRS can do at most about 600Mbit/s of NAT traffic, because they are mainly switches, not routers.
Instead the CCR can achieve a NAT speed of near 4,5Gbit/s
If you need 10Gbit/s NAT speed, you must buy at least one CCR1036.
# sep/19/2021 17:56:20 by RouterOS 7.1rc3
# software id = L1XN-2BCQ
#
# model = CCR2004-1G-12S+2XS
# Third export: VLAN-filtering bridge (BR1) with one VLAN interface per segment,
# the uplink carried as VLAN 60, and a default-drop firewall on input and forward.
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=BR1 name=vlan20-secure vlan-id=20
add interface=BR1 name=vlan30-admin vlan-id=30
add interface=BR1 name=vlan40-nas vlan-id=40
add interface=BR1 name=vlan50-vpn vlan-id=50
add interface=BR1 name=vlan60-freebox vlan-id=60
add interface=BR1 name=vlan70-famille vlan-id=70
/interface list
# WAN = uplink VLAN, VLAN = user segments, BASE = admin segment (see list members below).
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=vlan30-pool ranges=10.90.30.1-10.90.30.253
add name=vlan20-pool ranges=10.90.20.1-10.90.20.253
add name=vlan40-pool ranges=10.90.40.1-10.90.40.253
add name=vlan50-pool ranges=10.90.50.1-10.90.50.253
add name=vlan70-pool ranges=10.90.70.1-10.90.70.253
/ip dhcp-server
add address-pool=vlan30-pool interface=vlan30-admin name=vlan30-dhcp
add address-pool=vlan40-pool interface=vlan40-nas name=vlan40-dhcp
add address-pool=vlan50-pool interface=vlan50-vpn name=vlan50-dhcp
add address-pool=vlan70-pool interface=vlan70-famille name=vlan70-dhcp
add address-pool=vlan20-pool interface=vlan20-secure name=vlan20-dhcp
/interface bridge port
# sfp-sfpplus1/2: untagged access ports in VLAN 70; sfp-sfpplus10: tagged-only
# trunk; sfp-sfpplus12: untagged access port in VLAN 60 (the WAN segment).
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus1 pvid=70
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus2 pvid=70
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=sfp-sfpplus10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus12 pvid=60
/interface bridge vlan
add bridge=BR1 tagged=sfp-sfpplus10,BR1 untagged=sfp-sfpplus1,sfp-sfpplus2 vlan-ids=70
add bridge=BR1 tagged=sfp-sfpplus10,BR1 vlan-ids=20
add bridge=BR1 tagged=BR1,sfp-sfpplus10 vlan-ids=30
add bridge=BR1 tagged=sfp-sfpplus10,BR1 vlan-ids=40
add bridge=BR1 tagged=sfp-sfpplus10,BR1 vlan-ids=50
# NOTE(review): VLAN 60 (the WAN list member) is also tagged on the trunk
# sfp-sfpplus10, so the ISP-side segment extends to whatever sits behind that
# trunk; confirm this is intended.
add bridge=BR1 tagged=sfp-sfpplus10,BR1 untagged=sfp-sfpplus12 vlan-ids=60
/interface list member
add interface=vlan60-freebox list=WAN
add interface=vlan20-secure list=VLAN
add interface=vlan40-nas list=VLAN
add interface=vlan50-vpn list=VLAN
add interface=vlan70-famille list=VLAN
add interface=vlan30-admin list=BASE
/ip address
add address=192.168.88.1/24 interface=ether1 network=192.168.88.0
add address=10.90.30.254/24 interface=vlan30-admin network=10.90.30.0
add address=10.90.40.254/24 interface=vlan40-nas network=10.90.40.0
add address=10.90.50.254/24 interface=vlan50-vpn network=10.90.50.0
add address=192.168.1.250/24 interface=vlan60-freebox network=192.168.1.0
add address=10.90.70.254/24 interface=vlan70-famille network=10.90.70.0
add address=10.90.20.254/24 interface=vlan20-secure network=10.90.20.0
/ip dhcp-server network
# Each segment uses the router's own address in that VLAN as gateway and DNS server.
add address=10.90.20.0/24 dns-server=10.90.20.254 gateway=10.90.20.254 netmask=24
add address=10.90.30.0/24 dns-server=10.90.30.254 gateway=10.90.30.254 netmask=24
add address=10.90.40.0/24 dns-server=10.90.40.254 gateway=10.90.40.254 netmask=24
add address=10.90.50.0/24 dns-server=10.90.50.254 gateway=10.90.50.254 netmask=24
add address=10.90.70.0/24 dns-server=10.90.70.254 gateway=10.90.70.254 netmask=24
/ip dns
# The router answers DNS queries from clients; queries arriving on the WAN list
# are not accepted by any input rule below and fall through to the final drop.
set allow-remote-requests=yes servers=192.168.1.254,8.8.8.8,1.1.1.1,1.0.0.1
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
# NOTE(review): this accepts every protocol and port from all members of the
# VLAN list, so the user segments reach any router service that is still
# enabled - the same input access as vlan30-admin gets in the next rule.
# Consider narrowing it to what those segments need from the router (DNS is
# served per the DHCP networks above; NTP server is enabled below).
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow vlan30-admin Full Access" in-interface=vlan30-admin
# ICMP to the router is accepted from any interface, including the WAN list.
add action=accept chain=input protocol=icmp
add action=drop chain=input comment=Drop
# Forward policy: new connections only from the VLAN list or vlan30-admin towards
# WAN; nothing permits traffic between internal segments, so it hits the final drop.
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="vlan30-admin Internet Access" connection-state=new in-interface=vlan30-admin out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.1.254
/ip service
# telnet, ftp, api, winbox and api-ssl are disabled.
# NOTE(review): www and ssh are not listed, so they are presumably still at
# their defaults; www is plain HTTP - confirm with "/ip service print" and
# restrict or disable it if unused.
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=CCR2004-1G-12S-2XS
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=192.168.1.254
/tool bandwidth-server
# NOTE(review): authenticate=no lets any host admitted by the input chain (all
# of the VLAN list and vlan30-admin above) run bandwidth tests against the
# router without credentials. Set authenticate=yes, or enabled=no once
# throughput testing is finished.
set allocate-udp-ports-from=1000 authenticate=no max-sessions=1
/tool mac-server
# MAC-layer management access is limited to the BASE list (vlan30-admin).
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
iperf3 -P 15 -R -p 9226 -c paris.testdebit.info
Connecting to host paris.testdebit.info, port 9226
Reverse mode, remote host paris.testdebit.info is sending
[ 5] local 10.90.30.253 port 60108 connected to 89.84.1.186 port 9226
[ 7] local 10.90.30.253 port 60110 connected to 89.84.1.186 port 9226
[ 9] local 10.90.30.253 port 60112 connected to 89.84.1.186 port 9226
[ 11] local 10.90.30.253 port 60114 connected to 89.84.1.186 port 9226
[ 13] local 10.90.30.253 port 60116 connected to 89.84.1.186 port 9226
[ 15] local 10.90.30.253 port 60118 connected to 89.84.1.186 port 9226
[ 17] local 10.90.30.253 port 60120 connected to 89.84.1.186 port 9226
[ 19] local 10.90.30.253 port 60122 connected to 89.84.1.186 port 9226
[ 21] local 10.90.30.253 port 60124 connected to 89.84.1.186 port 9226
[ 23] local 10.90.30.253 port 60126 connected to 89.84.1.186 port 9226
[ 25] local 10.90.30.253 port 60128 connected to 89.84.1.186 port 9226
[ 27] local 10.90.30.253 port 60130 connected to 89.84.1.186 port 9226
[ 29] local 10.90.30.253 port 60132 connected to 89.84.1.186 port 9226
[ 31] local 10.90.30.253 port 60134 connected to 89.84.1.186 port 9226
[ 33] local 10.90.30.253 port 60136 connected to 89.84.1.186 port 9226
[ ID] Interval Transfer Bitrate
[ 5] 0.00-1.00 sec 17.8 MBytes 149 Mbits/sec
[ 7] 0.00-1.00 sec 15.5 MBytes 130 Mbits/sec
[ 9] 0.00-1.00 sec 21.0 MBytes 176 Mbits/sec
[ 11] 0.00-1.00 sec 9.40 MBytes 78.9 Mbits/sec
[ 13] 0.00-1.00 sec 13.6 MBytes 114 Mbits/sec
[ 15] 0.00-1.00 sec 16.5 MBytes 139 Mbits/sec
[ 17] 0.00-1.00 sec 13.8 MBytes 116 Mbits/sec
[ 19] 0.00-1.00 sec 21.1 MBytes 177 Mbits/sec
[ 21] 0.00-1.00 sec 15.3 MBytes 128 Mbits/sec
[ 23] 0.00-1.00 sec 15.0 MBytes 125 Mbits/sec
[ 25] 0.00-1.00 sec 17.9 MBytes 150 Mbits/sec
[ 27] 0.00-1.00 sec 2.72 MBytes 22.9 Mbits/sec
[ 29] 0.00-1.00 sec 10.8 MBytes 91.0 Mbits/sec
[ 31] 0.00-1.00 sec 18.3 MBytes 154 Mbits/sec
[ 33] 0.00-1.00 sec 12.4 MBytes 104 Mbits/sec
[SUM] 0.00-1.00 sec 221 MBytes 1.86 Gbits/sec
/ip/firewall/connection/print where srcnat
Flags: S - SEEN-REPLY; A - ASSURED; C - CONFIRMED; F - FASTTRACK; s - SRCNAT
Columns: PROTOCOL, SRC-ADDRESS, DST-ADDRESS, TCP-STATE, TIMEOUT
# PRO SRC-ADDRESS DST-ADDRESS TCP-STATE TIMEOUT
0 SACFs tcp 10.90.70.3:59555 17.57.146.69:5223 established 23h52m29s
1 SACFs tcp 10.90.40.1:48144 216.58.198.202:443 established 23h59m22s
2 SACFs tcp 10.90.40.1:39088 34.253.21.159:443 established 23h59m48s
3 SACFs tcp 10.90.70.10:51688 162.159.138.232:443 established 23h58m10s
4 SACFs tcp 10.90.70.2:57080 142.250.13.108:993 established 23h59m10s
5 SACFs tcp 10.90.40.1:35152 142.250.110.188:5228 established 23h59m26s
6 SACFs tcp 10.90.40.2:43235 3.214.18.147:6126 established 23h59m46s
7 SACFs tcp 10.90.70.2:51327 178.21.176.100:8080 established 23h17m21s
8 SACFs tcp 10.90.70.2:57079 195.83.96.19:993 established 23h59m9s
9 SACFs tcp 10.90.70.4:53000 151.101.121.229:443 established 23h59m9s
10 SACFs tcp 10.90.40.1:35136 142.250.110.188:5228 established 23h52m52s
11 SACFs tcp 10.90.70.4:57744 51.15.150.228:443 established 23h59m54s
12 SACFs tcp 10.90.70.6:59923 34.107.247.156:443 established 23h52m30s
13 SACFs tcp 10.90.70.3:59656 142.250.178.142:443 established 23h59m50s
14 SACFs tcp 10.90.70.10:51684 162.159.138.232:443 established 23h58m8s
15 SACFs tcp 10.90.70.10:51682 80.241.60.199:143 established 23h58m7s
16 SACFs tcp 10.90.70.3:59680 173.194.190.167:443 close 2s
17 SACFs tcp 10.90.40.1:41062 142.250.179.74:443 established 23h59m22s
18 SACFs tcp 10.90.40.1:36104 216.58.198.195:80 established 23h59m25s
19 SACFs tcp 10.90.70.4:41806 34.107.221.82:80 established 23h59m59s
iperf3 -R -p 9204 -c paris.testdebit.info
Connecting to host paris.testdebit.info, port 9204
Reverse mode, remote host paris.testdebit.info is sending
[ 5] local 10.90.40.5 port 54270 connected to 89.84.1.186 port 9204
[ ID] Interval Transfer Bitrate
[ 5] 0.00-1.00 sec 269 MBytes 2.26 Gbits/sec
[ 5] 1.00-2.00 sec 281 MBytes 2.35 Gbits/sec
[ 5] 2.00-3.00 sec 281 MBytes 2.35 Gbits/sec
[ 5] 3.00-4.00 sec 281 MBytes 2.35 Gbits/sec
[ 5] 4.00-5.00 sec 281 MBytes 2.35 Gbits/sec
[ 5] 5.00-6.00 sec 281 MBytes 2.35 Gbits/sec
[ 5] 6.00-7.00 sec 281 MBytes 2.35 Gbits/sec
[ 5] 7.00-8.00 sec 281 MBytes 2.35 Gbits/sec
[ 5] 8.00-9.00 sec 281 MBytes 2.35 Gbits/sec
[ 5] 9.00-10.00 sec 281 MBytes 2.35 Gbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 2.74 GBytes 2.35 Gbits/sec 192 sender
[ 5] 0.00-10.00 sec 2.73 GBytes 2.34 Gbits/sec receiver
I suggest that you open a support ticket with MikroTik and report your findings .... Using VLAN for WAN is very common and should not have any negative impact on the performance delivered by your ISP. I have not checked your configuration so I cannot comment on that, but I have done many WAN connections using VLAN and performance was excellent. So never use a VLAN for WAN ... It kills performance.
So I will get back to WAN on normal ethernet port.
iperf3 -R -p 5204 -c ping.online.net
Connecting to host ping.online.net, port 5204
Reverse mode, remote host ping.online.net is sending
[ 5] local xxxxxxxxxxxxxxxx port 36789 connected to 62.210.18.40 port 5204
[ ID] Interval Transfer Bitrate
[ 5] 0.00-1.00 sec 176 MBytes 1.48 Gbits/sec
[ 5] 1.00-2.00 sec 206 MBytes 1.73 Gbits/sec
[ 5] 2.00-3.00 sec 191 MBytes 1.60 Gbits/sec
[ 5] 3.00-4.00 sec 214 MBytes 1.79 Gbits/sec
[ 5] 4.00-5.00 sec 209 MBytes 1.75 Gbits/sec
[ 5] 5.00-6.00 sec 210 MBytes 1.76 Gbits/sec
[ 5] 6.00-7.00 sec 211 MBytes 1.77 Gbits/sec
[ 5] 7.00-8.00 sec 213 MBytes 1.78 Gbits/sec
[ 5] 8.00-9.00 sec 213 MBytes 1.79 Gbits/sec
[ 5] 9.00-10.00 sec 210 MBytes 1.76 Gbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 2.01 GBytes 1.73 Gbits/sec 296 sender
[ 5] 0.00-10.00 sec 2.00 GBytes 1.72 Gbits/sec receiver
True, the CCR1036-8G-2S+EM with two SFP+ can do the job. If you need 10Gbit/s NAT speed, you must buy at least one CCR1036.
Re: 3.5Gbit speed. USB 3.2 Gen 1 (a.k.a. 5Gbps) is the max supported speed by the Marvell AQtion chip commonly used in "5Gbps/5GbE USB adapters" - https://www.marvell.com/content/dam/mar ... -brief.pdf. The USB3 "5Gbps" protocol has ~20% overhead for line encoding (8/10b), so the actual datarate is 4Gbps. Add in other overheads (whatever they may be), and 3.5Gbps is a realistic throughput. I am going to stop investigating as I don't have enough tools to test bandwidth.
* My ISP fiber line is offering 2.5Gbit downstream, which is far from 10Gbit.
* I am using 2 x 5Gbit USB3 dongles. Testing from one dongle to another shows 3.5 Gbit speed, not 5Gbit.
* One computer with 10Gb network card.
I need at least one small 10Gb switch and two computers with 10Gb NICs.
So I am stopping here and I am very satisfied with CCR2004-1G-12S+2XS performance.
Outside of the CCR2116, I don't believe the other CCRs have HW acceleration. There are still other benefits w.r.t. using a CCR (form factor, cost, whatever it may be...), but unless your existing OPNsense was a massive power hog, I'd just stick with it. I am also switching from OPNsense to Mikrotik because of hardware acceleration and I need to go 10Gb and I don't want to use a computer as router.