callmeseb
just joined
Topic Author
Posts: 8
Joined: Sun Nov 11, 2018 11:13 am

2011UiAS-2HnD: Fastpath + PBR + GRE - terrible performance!

Sun Nov 11, 2018 11:34 am

Model: 2011UiAS-2HnD
RouterOS: 6.44beta28
Routerboard firmware: 6.44beta28

Dear All,
I have a GRE tunnel with policy based routing (PBR) enabled. Essentially, what I do is send HTTP and HTTPS traffic over the GRE tunnel. PBR is enabled with MANGLE the way it should be. MTU on the GRE tunnel is set to 1456 and "Clamp TCP MSS" is enabled. Everything seems to be done by the book. Unfortunately, when Fast Path is enabled, performance is SEVERELY downgraded. I have a 30/15M asymmetric link and with FastPath I'm getting below 1M upload/download. Once I turn it off and the CPU is handling packet processing, I'm getting 10M/10M - much better but still not perfect. I think that something is broken in microcode when GRE+PBR+FastPath is enabled.

All hints are welcome,
Seb
 
callmeseb
just joined
Topic Author
Posts: 8
Joined: Sun Nov 11, 2018 11:13 am

Re: 2011UiAS-2HnD: Fastpath + PBR + GRE - terrible performance!

Mon Nov 12, 2018 5:47 pm

Is there anyone who's using policy based routing (PBR) with GRE tunnels?
What I'm experiencing looks like a serious bug in hw microcode.
Seb
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: 2011UiAS-2HnD: Fastpath + PBR + GRE - terrible performance!

Mon Nov 12, 2018 5:59 pm

You have done everything by the book and the way it should be, so it must be a serious hw microcode bug and we cannot help you.

..or could it be a configuration related issue?

Post config (/export hide-sensitive) if you want assistance on this forum.

Perhaps you enabled ipsec and did not exclude ipsec from fasttrack ( https://wiki.mikrotik.com/wiki/Manual:I ... ack_Bypass ).
 
callmeseb
just joined
Topic Author
Posts: 8
Joined: Sun Nov 11, 2018 11:13 am

Re: 2011UiAS-2HnD: Fastpath + PBR + GRE - terrible performance!

Mon Nov 12, 2018 6:25 pm

Here's my config with WAW GRE tunnel disabled at the moment so please ignore that.
Please also ignore the FRA tunnel. Once I get WAW up and running properly as expected, I'll take care of FRA.


```
# nov/12/2018 17:06:56 by RouterOS 6.44beta28
# software id = GQCV-GDDT
#
# model = 2011UiAS-2HnD
/interface bridge
add admin-mac=E4:8D:8C:37:5B:2E auto-mac=no name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master-local speed=100Mbps
set [ find default-name=ether3 ] name=ether3-slave-local speed=100Mbps
set [ find default-name=ether4 ] name=ether4-slave-local speed=100Mbps
set [ find default-name=ether5 ] name=ether5-slave-local speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether6-master-local
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether7-slave-local
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether8-slave-local
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether9-slave-local
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether10-slave-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors mode=ap-bridge ssid=XXXXX wireless-protocol=802.11
/interface gre
add disabled=yes !keepalive mtu=1456 name=gre-tunnel-FRA remote-address=xxx.xxx.xxx.xxx
add allow-fast-path=no disabled=yes !keepalive mtu=1456 name=gre-tunnel-WAW remote-address=xxx.xxx.xxx.xxx
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=xxx-xxx-xxx
/ip pool
add name=dhcp ranges=192.168.0.10-192.168.0.99
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=bridge-local lease-time=30m name=default
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface sstp-client
add connect-to=xxx.xxx.xxx.xxx disabled=no mrru=1600 name=brki profile=default-encryption user=XXXXX
/queue tree
add name=Total parent=global queue=default
add limit-at=5M max-limit=5M name=DX80 packet-mark=DX80-Packets parent=Total priority=1
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
add addresses=192.168.0.1/32 name=XXXX security=XXXXX
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local hw=no interface=sfp1
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=ether3-slave-local
add bridge=bridge-local interface=ether4-slave-local
add bridge=bridge-local interface=ether5-slave-local
add bridge=bridge-local interface=ether7-slave-local
add bridge=bridge-local interface=ether8-slave-local
add bridge=bridge-local interface=ether9-slave-local
add bridge=bridge-local interface=ether10-slave-local
/ip neighbor discovery-settings
set discover-interface-list=*2000015
/ip settings
set allow-fast-path=no
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add interface=sfp1 list=discover
add interface=ether2-master-local list=discover
add interface=ether3-slave-local list=discover
add interface=ether4-slave-local list=discover
add interface=ether5-slave-local list=discover
add interface=ether6-master-local list=discover
add interface=ether7-slave-local list=discover
add interface=ether8-slave-local list=discover
add interface=ether9-slave-local list=discover
add interface=ether10-slave-local list=discover
add interface=wlan1 list=discover
add interface=bridge-local list=discover
add interface=brki list=discover
add interface=ether2-master-local list=mactel
add interface=ether3-slave-local list=mactel
add interface=ether2-master-local list=mac-winbox
add interface=ether4-slave-local list=mactel
add interface=ether3-slave-local list=mac-winbox
add interface=ether5-slave-local list=mactel
add interface=ether4-slave-local list=mac-winbox
add interface=ether6-master-local list=mactel
add interface=ether5-slave-local list=mac-winbox
add interface=ether7-slave-local list=mactel
add interface=ether6-master-local list=mac-winbox
add interface=ether8-slave-local list=mactel
add interface=ether7-slave-local list=mac-winbox
add interface=ether9-slave-local list=mactel
add interface=ether8-slave-local list=mac-winbox
add interface=ether10-slave-local list=mactel
add interface=ether9-slave-local list=mac-winbox
add interface=sfp1 list=mactel
add interface=ether10-slave-local list=mac-winbox
add interface=wlan1 list=mactel
add interface=sfp1 list=mac-winbox
add interface=bridge-local list=mactel
add interface=wlan1 list=mac-winbox
add interface=bridge-local list=mac-winbox
add interface=ether1-gateway list=WAN
add interface=sfp1
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=wlan1
add interface=bridge-local
add interface=brki
add interface=gre-tunnel-WAW
add interface=gre-tunnel-FRA
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.0.1/24 comment="default configuration" interface=ether2-master-local network=192.168.0.0
add address=xxx.xxx.xxx.xxx/24 interface=ether1-gateway network=xxx.xxx.xxx.0
add address=xxx.xxx.192.57/30 interface=gre-tunnel-WAW network=xxx.xxx.192.56
add address=xxx.xxx.192.61/30 interface=gre-tunnel-FRA network=xxx.xxx.192.60
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=ether1-gateway
/ip dhcp-server lease
add address=192.168.0.116 always-broadcast=yes client-id=1:1c:6a:7a:e0:a7:33 comment=xxxxx mac-address=1C:6A:7A:E0:A7:33 server=default
add address=192.168.0.112 client-id=1:54:75:d0:d5:a8:4e comment=XXXX mac-address=54:75:D0:D5:A8:4E server=default
add address=192.168.0.121 client-id=1:0:d0:55:e:53:8b comment=xxxx mac-address=00:D0:55:0E:53:8B server=default
add address=192.168.0.115 client-id=1:bc:5f:f4:1c:41:7b comment=xxxx mac-address=BC:5F:F4:1C:41:7B server=default
add address=192.168.0.117 always-broadcast=yes client-id=1:98:f1:70:e:0:39 comment=xxxx mac-address=98:F1:70:0E:00:39 server=default
add address=192.168.0.130 client-id=1:3c:4a:92:c0:d1:7e comment=Printer mac-address=3C:4A:92:C0:D1:7E server=default
add address=192.168.0.33 client-id=ff:65:cb:d:36:0:1:0:1:1e:f6:91:f7:0:1e:65:cb:d:36 comment=xxxxx mac-address=00:1E:65:CB:0D:36 server=default
add address=192.168.0.140 client-id=1:0:c:29:ba:be:e comment=xxxxx mac-address=00:0C:29:BA:BE:0E server=default
add address=192.168.0.150 client-id=cisco-0021.552d.cbca-Fa0 comment=xxxxxx mac-address=00:21:55:2D:CB:CA server=default
/ip dhcp-server network
add address=192.168.0.0/24 comment="default configuration" dns-server=192.168.0.1 gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.8.8
/ip dns static
add address=192.168.0.1 name=router
add address=192.168.0.33 name=xxxx
add address=192.168.0.140 name=xxxx
add address=192.168.0.121 name=xxxx
/ip firewall address-list
add address=192.168.0.121 list=xxxxx
/ip firewall filter
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=DX80 passthrough=yes src-address=192.168.0.116
add action=mark-connection chain=prerouting new-connection-mark=DX80 passthrough=yes src-address=192.168.0.117
add action=mark-connection chain=prerouting new-connection-mark=xxxx passthrough=yes src-address=192.168.0.121
add action=mark-packet chain=prerouting connection-mark=DX80 new-packet-mark=DX80-Packets passthrough=no
add action=change-mss chain=forward new-mss=1416 out-interface=gre-tunnel-WAW passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1453-65535
add action=mark-routing chain=prerouting dst-port=80,443 new-routing-mark="ZS Tunnel" passthrough=yes protocol=tcp src-address=192.168.0.0/24
/ip firewall nat
add action=accept chain=srcnat log-prefix=Tunnel-Test out-interface=gre-tunnel-WAW packet-mark="" src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="default configuration" log-prefix=Masq out-interface=ether1-gateway
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
/ip route
add comment="ZS Tunnel -> WAW" distance=10 gateway=gre-tunnel-WAW routing-mark="ZS Tunnel"
add distance=1 gateway=xxx.xxx.xxx.xxx
add distance=1 dst-address=192.168.10.0/24 gateway=brki
/ip route rule
add dst-address=0.0.0.0/0 interface=gre-tunnel-WAW routing-mark="ZS Tunnel" src-address=192.168.0.0/24 table="ZS Tunnel"
/lcd
set default-screen=interfaces time-interval=daily
/lcd interface
set sfp1 disabled=yes
set ether1-gateway max-speed=50.0Mbps
set ether2-master-local disabled=yes
set ether3-slave-local disabled=yes
set ether4-slave-local disabled=yes
set ether5-slave-local disabled=yes
set ether6-master-local disabled=yes
set ether7-slave-local disabled=yes
set ether8-slave-local disabled=yes
set ether9-slave-local disabled=yes
set ether10-slave-local disabled=yes
set wlan1 disabled=yes
/lcd interface pages
set 0 interfaces=ether1-gateway,wlan1
/lcd screen
set 1 disabled=yes
set 2 disabled=yes
set 3 disabled=yes
set 4 disabled=yes
set 5 disabled=yes
/ppp secret
add name=xxx
/system identity
set name=XXXXX
/system ntp client
set enabled=yes primary-ntp=213.199.225.30 secondary-ntp=62.148.67.62 server-dns-names=0.pl.pool.ntp.org,1.pl.pool.ntp.org
/system package update
set channel=testing
/system routerboard settings
set cpu-frequency=750MHz silent-boot=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool romon port
add
/tool sniffer
```
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: 2011UiAS-2HnD: Fastpath + PBR + GRE - terrible performance!

Mon Nov 12, 2018 6:52 pm

Can you disable the route rule? I think it is pointing to a non existing table.
 
callmeseb
just joined
Topic Author
Posts: 8
Joined: Sun Nov 11, 2018 11:13 am

Re: 2011UiAS-2HnD: Fastpath + PBR + GRE - terrible performance!

Mon Nov 12, 2018 7:08 pm

> Can you disable the route rule? I think it is pointing to a non existing table.

I disabled it but it's not that. I was playing around with route rules during my troubleshooting process.
Can you confirm configuration accuracy besides route rules?
Seb
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: 2011UiAS-2HnD: Fastpath + PBR + GRE - terrible performance!

Mon Nov 12, 2018 8:43 pm

Cannot reproduce the problem here.

Kind of funny that fast path is problematic here as it should be disabled as you are breaking the following conditions:
- firewall rules are not configured;
- Simple and queue trees with parent=global are not configured;
- connection tracking is not active;

The problem may be MTU related (try different settings), or try to add a fasttrack rule for established connections.

(Or.. did you think ip firewall filter was irrelevant to this issue therefore excluded it from export?)
 
callmeseb
just joined
Topic Author
Posts: 8
Joined: Sun Nov 11, 2018 11:13 am

Re: 2011UiAS-2HnD: Fastpath + PBR + GRE - terrible performance!

Mon Nov 12, 2018 8:54 pm

MTU is fine as when I disable Fastpath performance is 10x better :)
Yes, I excluded firewall rules as they’re not relevant in my understanding.
Seb
 
callmeseb
just joined
Topic Author
Posts: 8
Joined: Sun Nov 11, 2018 11:13 am

Re: 2011UiAS-2HnD: Fastpath + PBR + GRE - terrible performance!

Mon Nov 12, 2018 9:53 pm

Do we know if anyone from the Mikrotik development/product team is on this forum?
 
callmeseb
just joined
Topic Author
Posts: 8
Joined: Sun Nov 11, 2018 11:13 am

Re: 2011UiAS-2HnD: Fastpath + PBR + GRE - terrible performance!

Tue Nov 13, 2018 10:20 pm

Anyone?
 
callmeseb
just joined
Topic Author
Posts: 8
Joined: Sun Nov 11, 2018 11:13 am

Re: 2011UiAS-2HnD: Fastpath + PBR + GRE - terrible performance!

Wed Nov 14, 2018 9:13 pm

This seems to be a serious issue. Unless someone proves me wrong that the config I created is not correct, I'm assuming that the microcode responsible for HW acceleration is broken. Was anyone able to recreate it? A simple ping is not enough, you need to push some real stuff through the router to notice serious performance deterioration with FastPath.
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: 2011UiAS-2HnD: Fastpath + PBR + GRE - terrible performance!

Wed Nov 14, 2018 10:51 pm

I've spent enough time with a (as it turned out) partial config. You may have better luck with MT Support itself (via mail); be sure to generate a supout.rif when the device is behaving badly and attach it.
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: 2011UiAS-2HnD: Fastpath + PBR + GRE - terrible performance!

Sat Nov 17, 2018 2:21 am

All fastpath/track traffic will bypass mangling. Your setup relies on mangling for policy based routing, so you need to disable FP for that traffic.
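
Added example (not part of the thread and not MikroTik code): a Python audit of a RouterOS export, illustrating the point in the last reply that fast-tracked traffic skips mangle, so PBR built on `mark-routing` needs that traffic kept out of FastTrack and fast path. The sample export is constructed, and both heuristics are assumptions of this example: a `fasttrack-connection` rule with no mark matcher, and a GRE tunnel used by a marked route whose `allow-fast-path` is not `no` (assumed to default to `yes` when absent from the export).

```python
import re
import shlex

# Constructed sample export (not the poster's full config): PBR via mangle
# plus an unscoped FastTrack rule and a GRE tunnel with fast path left on.
SAMPLE_EXPORT = r'''
/interface gre
add mtu=1456 name=gre-tunnel-WAW remote-address=192.0.2.1
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
/ip firewall mangle
add action=mark-routing chain=prerouting dst-port=80,443 new-routing-mark="ZS Tunnel" \
    passthrough=yes protocol=tcp src-address=192.168.0.0/24
/ip route
add distance=10 gateway=gre-tunnel-WAW routing-mark="ZS Tunnel"
'''

def parse_export(text):
    """Return [(menu, params)] for every add/set line of a RouterOS export."""
    rows, menu = [], None
    for line in re.sub(r"\\\n\s*", "", text).splitlines():  # join wrapped lines
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line and not line.startswith("#"):
            toks = shlex.split(line)
            rows.append((menu, dict(t.split("=", 1) for t in toks if "=" in t)))
    return rows

def audit(text):
    """Flag settings that let policy-routed traffic skip the mangle rules."""
    rows = [(m, p) for m, p in parse_export(text) if p.get("disabled") != "yes"]
    marks = {p.get("new-routing-mark") for m, p in rows
             if m == "/ip firewall mangle" and p.get("action") == "mark-routing"}
    if not marks:
        return []
    findings = []
    for m, p in rows:
        if (m == "/ip firewall filter" and p.get("action") == "fasttrack-connection"
                and not {"connection-mark", "routing-mark"} & p.keys()):
            findings.append("unscoped fasttrack-connection rule in chain=" + p.get("chain", "?"))
    pbr_gateways = {p.get("gateway") for m, p in rows
                    if m == "/ip route" and p.get("routing-mark") in marks}
    for m, p in rows:
        # Assumption: allow-fast-path defaults to yes when absent from the export.
        if (m == "/interface gre" and p.get("name") in pbr_gateways
                and p.get("allow-fast-path", "yes") != "no"):
            findings.append("fast path allowed on PBR tunnel " + p["name"])
    return findings
```

Run `audit()` on the text of a full `/export`; an export with the firewall filter section left out cannot show whether a FastTrack rule is present.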
