Community discussions

 
User avatar
Maggiore81
Member Candidate
Member Candidate
Topic Author
Posts: 221
Joined: Sun Apr 15, 2012 12:10 pm
Location: Italy
Contact:

Hap Ac 2, not capable of 1Gbit transfer

Thu Aug 22, 2019 4:40 pm

Hello
I have one customer with a 1000/300 FTTH Line.
I have installed to him one Hap AC 2, with latest long-term firmware.
I have a plain bridge, with hardware offload on it, I have enabled IP Fasttrack on the router.
Plain IP masquerade on it.

On the ETH1 is connected the ONU, and I tag the VLAN on it.
No PPPoE, only plain dhcp-client.
If I do the bandwidth test with the core router (at the end of the FTTH Line), I am able to transfer 900/300Mbps UDP traffic.
If I do a public speedtest from a PC connected at 1Gbit, I am not able to do more than 450mbps.
If I replace the MT with a AVM 5490, I easily reach 900Mbps/300

How can I verify the problem?
thank you
Last edited by Maggiore81 on Thu Aug 22, 2019 5:19 pm, edited 1 time in total.
Dott. Elia Spadoni
---
Network Administrator,
MTCNA, MTCRE, MTCTCE, MTCINE, MTCWE
Spadhausen Internet Provider
Ravenna, ITALY
http://www.spadhausen.com
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1795
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Hap Ac 2, not capable of 1Gbit transfer

Thu Aug 22, 2019 4:47 pm

could you post the config?
 
User avatar
Maggiore81
Member Candidate
Member Candidate
Topic Author
Posts: 221
Joined: Sun Apr 15, 2012 12:10 pm
Location: Italy
Contact:

Re: Hap Ac 2, not capable of 1Gbit transfer

Thu Aug 22, 2019 5:12 pm

/interface bridge
add dhcp-snooping=yes name=bridge1-LAN protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] comment=WAN rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether2 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether3 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether4 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether5 ] rx-flow-control=auto tx-flow-control=auto
/interface vlan
add comment=vlan_openfiber interface=ether1 name=835_openfiber_ra_cos0 vlan-id=835
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=protetto supplicant-identity="" wpa2-pre-shared-key=zzzzzzzzzzzzz
/interface wireless
[omitted]
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=LAN ranges=192.168.0.11-192.168.0.39
/ip dhcp-server
add address-pool=LAN disabled=no interface=bridge1-LAN name=LAN
/system logging action
set 0 memory-lines=4096
/interface bridge port
add bridge=bridge1-LAN interface=ether3
add bridge=bridge1-LAN interface=ether4
add bridge=bridge1-LAN interface=wlan1
add bridge=bridge1-LAN interface=ether2
add bridge=bridge1-LAN interface=wlan2
add bridge=bridge1-LAN interface=ether5
/ip firewall connection tracking
set tcp-established-timeout=1h
/ip settings
set tcp-syncookies=yes
/ipv6 settings
set accept-router-advertisements=yes max-neighbor-entries=1024
/ip address
add address=192.168.0.254/24 interface=bridge1-LAN network=192.168.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=835_openfiber_ra_cos0
/ip dhcp-server lease
add address=192.168.0.36 client-id=1:f4:81:39:32:53:22 mac-address=F4:81:39:32:53:22 server=LAN
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.254 gateway=192.168.0.254
/ip dns
set allow-remote-requests=yes cache-size=4096KiB
/ip firewall filter
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=reject chain=forward comment="Regole in uscita" dst-port=135,139,445,593,4444 in-interface=bridge1-LAN protocol=tcp reject-with=icmp-admin-prohibited
add action=reject chain=forward dst-port=137-139,593,1900 in-interface=bridge1-LAN protocol=udp reject-with=icmp-admin-prohibited
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=835_openfiber_ra_cos0
/ip firewall raw
add action=drop chain=prerouting dst-port=53 in-interface=835_openfiber_ra_cos0 protocol=tcp
add action=drop chain=prerouting dst-port=53 in-interface=835_openfiber_ra_cos0 protocol=udp
add action=drop chain=prerouting dst-port=53 in-interface=ether1 protocol=udp
/ip firewall service-port
set ftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip proxy
set port=8081
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=remote
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge1-LAN type=internal
add interface=835_openfiber_ra_cos0 type=external
/ipv6 address
add address=::1 from-pool=poolclient interface=bridge1-LAN
/ipv6 dhcp-client
add add-default-route=yes interface=835_openfiber_ra_cos0 pool-name=poolclient request=prefix
/ipv6 firewall raw
add action=passthrough chain=prerouting
/ipv6 nd
set [ find default=yes ] advertise-dns=yes managed-address-configuration=yes other-configuration=yes ra-interval=5s-10s
/system clock
set time-zone-name=Europe/Rome
/system identity
set name="MT OF cl. 3933"
/system ntp client
set enabled=yes primary-ntp=193.204.114.105 secondary-ntp=46.249.42.15
/system routerboard settings
set auto-upgrade=yes
/tool bandwidth-server
set enabled=no
/tool graphing interface
add store-on-disk=no
/tool graphing resource
add store-on-disk=no
Last edited by krisjanisj on Thu Aug 22, 2019 5:17 pm, edited 1 time in total.
Reason: Please post configs/code in [code] blocks to save peoples scroll wheels
Dott. Elia Spadoni
---
Network Administrator,
MTCNA, MTCRE, MTCTCE, MTCINE, MTCWE
Spadhausen Internet Provider
Ravenna, ITALY
http://www.spadhausen.com
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1795
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Hap Ac 2, not capable of 1Gbit transfer

Thu Aug 22, 2019 5:33 pm

The only thing that draw my attention was dhcp-snooping on bridge, but its supposed to be done in hardware on AR8327...
some other thoughts
* check that counters for FastPath are "moving"
* check cpu usage during transfer
* do you test with multiple streams?
* check bridge ports have "H" flag
 
User avatar
Maggiore81
Member Candidate
Member Candidate
Topic Author
Posts: 221
Joined: Sun Apr 15, 2012 12:10 pm
Location: Italy
Contact:

Re: Hap Ac 2, not capable of 1Gbit transfer

Thu Aug 22, 2019 5:46 pm

I tried also without bridge, with the IP on the eth port directly. no differences.
I tried with the dhcp-snooping disabled, hardware offload always enabled and H present.
CPU usage 5%
Counters in fasttrack moving quickly!
Everything looks fine but no throughput.

bandwidth test UDP between router and core router 900/300 Mbps.
The difference is after "NAT" masquerade, I tried multiple speedtest.net with multiple streams and different servers.
The server I test with is in direct peering with our network... so 2hop from us in fiber.
Dott. Elia Spadoni
---
Network Administrator,
MTCNA, MTCRE, MTCTCE, MTCINE, MTCWE
Spadhausen Internet Provider
Ravenna, ITALY
http://www.spadhausen.com
 
User avatar
CZFan
Forum Guru
Forum Guru
Posts: 1437
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg
Contact:

Re: Hap Ac 2, not capable of 1Gbit transfer

Thu Aug 22, 2019 11:56 pm

I think the firewall rules can be improved on, I.e order by moving established/related rules to top of chain

Have you tried by setting flow control to off?
MTCNA, MTCTCE, MTCRE & MTCINE
 
User avatar
Maggiore81
Member Candidate
Member Candidate
Topic Author
Posts: 221
Joined: Sun Apr 15, 2012 12:10 pm
Location: Italy
Contact:

Re: Hap Ac 2, not capable of 1Gbit transfer

Thu Aug 22, 2019 11:58 pm

Tried with no avail.
With the fasttrack the forwarding traffic is very fast and the cpu is very very low.
No apparent issues, but no throughput. The customers complains that in speedtest doesnt see 900mbps as his neighbour with AVM Fritzbox 4040...

Both of them are my customers, one with MT, the other with 4040... I am quite embarassed.

Maybe the problem in tagging the VLAN on the wan port (eth1) ?
I cannot do different.
Dott. Elia Spadoni
---
Network Administrator,
MTCNA, MTCRE, MTCTCE, MTCINE, MTCWE
Spadhausen Internet Provider
Ravenna, ITALY
http://www.spadhausen.com
 
User avatar
CZFan
Forum Guru
Forum Guru
Posts: 1437
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg
Contact:

Re: Hap Ac 2, not capable of 1Gbit transfer

Sat Aug 24, 2019 1:46 am

I don't think it is the device, but maybe the config or something in the environment.
My suggestion will be go back to basics, the beginning, do factory default the device and test.
Pending results, you should do further troubleshooting and keep support@mikrotik.com in the loop.

Also post updates here, maybe as you go through steps, someone might notice something skew
MTCNA, MTCTCE, MTCRE & MTCINE
 
sindy
Forum Guru
Forum Guru
Posts: 4024
Joined: Mon Dec 04, 2017 9:19 pm

Re: Hap Ac 2, not capable of 1Gbit transfer

Sat Aug 24, 2019 9:24 pm

I remember I was doing a throughput test on the hAP ac² and it could reach 900 Mbit/s while routing between LAN and PPPoE client as WAN with NAT. So the hardware as such is fine, the question is why the throughput is so limited in your particular configuration. What does /interface ethernet monitor ether1 show - could it be that it has negotiated 1000 Mbit/s half-duplex?
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
User avatar
Maggiore81
Member Candidate
Member Candidate
Topic Author
Posts: 221
Joined: Sun Apr 15, 2012 12:10 pm
Location: Italy
Contact:

Re: Hap Ac 2, not capable of 1Gbit transfer

Sat Aug 24, 2019 9:38 pm

hello
he has negotiated correctly 1000 full.

maybe the problem is related to VLAN tagging?
Dott. Elia Spadoni
---
Network Administrator,
MTCNA, MTCRE, MTCTCE, MTCINE, MTCWE
Spadhausen Internet Provider
Ravenna, ITALY
http://www.spadhausen.com
 
sindy
Forum Guru
Forum Guru
Posts: 4024
Joined: Mon Dec 04, 2017 9:19 pm

Re: Hap Ac 2, not capable of 1Gbit transfer

Sat Aug 24, 2019 10:05 pm

It should not be unless there's a bug. You can try to create an /interface bridge name=br-wan protocol-mode=none, then switch on safe mode, and send the following line:
/interface bridge port add bridge=br-wan interface=ether1 ; /interface vlan set [find name~"openfiber"] interface=br-wan
This will change the VLAN processing a little bit so if there is an issue when /interface vlan is attached directly to an ethernet interface, this may help. But I somehow hesitate to believe it.

But there's another question - do we talk about IPv6 testing or IPv4 testing? I have never tried IPv6 routing throughput, so if the test PC uses IPv6, it may change a lot - first, the hAP ac² itself may have some issue with IPv6 throughput, and second, something else upstream may have such issue whereas the Fritzbox client doesn't use IPv6.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
User avatar
Maggiore81
Member Candidate
Member Candidate
Topic Author
Posts: 221
Joined: Sun Apr 15, 2012 12:10 pm
Location: Italy
Contact:

Re: Hap Ac 2, not capable of 1Gbit transfer

Sat Aug 24, 2019 10:26 pm

Hello.
I have ipv6 both enabled on fritz and mikrotik but the tests are done in ipv4.

I am not able to do that test right now.
I have the latest stable on it with no difference
Dott. Elia Spadoni
---
Network Administrator,
MTCNA, MTCRE, MTCTCE, MTCINE, MTCWE
Spadhausen Internet Provider
Ravenna, ITALY
http://www.spadhausen.com

Who is online

Users browsing this forum: No registered users and 55 guests