 
fouinix
just joined
Topic Author
Posts: 6
Joined: Wed Feb 10, 2016 10:13 am

HAP AC2 IPv6 performance

Fri Nov 01, 2019 11:35 pm

Hello,
I have a HAP AC2 with the latest stable version (6.45.7). I notice CPU is saturated with a simple ipv6 speedtest (http://ipv6-test.com/speedtest/).
I can reach ~800Mb/s in IPv4 with one CPU core@5%, but I can't go up to 400Mb/s in IPv6, the core 3 is saturated at 100% and associated irq at 100% too.

If I disable all IPv6 filter rules I reach the same throughput as IPv4. But if I re-enable only one rule, throughput falls to 400Mb/s. Even a simple rule, for example:
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked


Here is the setup:
Internet on wan1 port
Bridge with wlan interfaces (on vlan5) and a trunk interface connected to another switch.

My laptop is connected to a switch on vlan5. I had to use a bridge in order to have the wireless network on vlan5.


Here is my configuration:


/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=12 band=2ghz-b/g/n channel-width=20/40mhz-XX country=france disabled=no distance=indoors frequency=auto frequency-mode=regulatory-domain hide-ssid=yes installation=indoor mode=ap-bridge ssid=1987 \
tx-power=6 tx-power-mode=all-rates-fixed vlan-id=5 vlan-mode=use-tag wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=3 band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=france disabled=no distance=indoors frequency=auto frequency-mode=regulatory-domain hide-ssid=yes installation=indoor mode=ap-bridge ssid=\
1986 vlan-id=5 vlan-mode=use-tag wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether2 ] name=trunk2
set [ find default-name=ether1 ] name=wan1
/interface vlan
add interface=bridge1 name=vlan5 vlan-id=5
add interface=bridge1 name=vlan6 vlan-id=6
/interface ethernet switch port
set 1 default-vlan-id=5 vlan-header=add-if-missing vlan-mode=secure
set 2 default-vlan-id=6 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=5 vlan-header=always-strip vlan-mode=secure
set 5 vlan-mode=secure
/interface list
add comment=defconf name=WAN
add name=VLAN6
add name=VLAN5
add include=VLAN5,VLAN6 name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add comment="vlan5" name=pool1 ranges=192.168.1.10-192.168.1.50
/ip dhcp-server
add add-arp=yes address-pool=pool1 always-broadcast=yes disabled=no interface=vlan5 lease-time=12h name=local src-address=192.168.1.5 use-framed-as-classless=no
/interface bridge port
add bridge=bridge1 interface=trunk2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=VLAN6
/ipv6 settings
set accept-router-advertisements=yes
/interface ethernet switch vlan
add independent-learning=yes ports=trunk2,switch1-cpu switch=switch1 vlan-id=5
add independent-learning=yes ports=trunk2,ether3,switch1-cpu switch=switch1 vlan-id=6
/interface list member
add interface=vlan5 list=VLAN6
add comment=defconf interface=wan1 list=WAN
add interface=vlan6 list=VLAN6
/ip address
add address=192.168.2.1/24 interface=ether5 network=192.168.2.0
add address=192.168.10.1/24 interface=vlan6 network=192.168.10.0
add address=192.168.1.5/24 interface=vlan5 network=192.168.1.0
add address=10.1.0.26/30 network=10.1.0.24
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=wan1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=80.67.169.12,80.67.169.40,80.67.188.188 gateway=192.168.1.5
/ip dns
set servers=80.67.169.12,80.67.169.40
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
add action=reject chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log-prefix="defconf: drop all not coming from LAN" reject-with=icmp-network-unreachable
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=reject chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN reject-with=icmp-network-unreachable
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface=bridge1
add action=masquerade chain=srcnat disabled=yes dst-address=!192.168.2.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="Masquerade vlan5" dst-address=!192.168.1.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="Masquerade vlan6" dst-address=!192.168.10.0/24 src-address=192.168.10.0/24
add action=dst-nat chain=dstnat dst-address=82.64.133.118 dst-port=80 in-interface=vlan5 protocol=tcp to-addresses=192.168.10.16 to-ports=80
add action=dst-nat chain=dstnat dst-address=82.64.133.118 dst-port=443 in-interface=vlan5 protocol=tcp to-addresses=192.168.10.16 to-ports=443
/ipv6 address
add address=2a01:x:x:x::2 advertise=no interface=wan1
add address=2a01:x:x:x::1 interface=vlan5
add address=2a01:x:x:x::1 advertise=no interface=vlan6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=log chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 log=yes log-prefix=fezfef protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 nd
set [ find default=yes ] disabled=yes
add hop-limit=64 interface=wan1
add hop-limit=64 interface=vlan5
/system clock
set time-zone-name=Europe/Paris
/system logging
set 3 action=memory
add topics=dhcp
add topics=firewall
add topics=event
/system ntp client
set enabled=yes primary-ntp=151.80.19.218 secondary-ntp=129.250.35.250 server-dns-names=0.fr.pool.ntp.org,1.fr.pool.ntp.org,2.fr.pool.ntp.org,3.fr.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=VLAN6
/tool mac-server mac-winbox
set allowed-interface-list=VLAN6
/tool sniffer

Do you have any idea why the CPU is saturated?
Thanks!
 
mkx
Forum Guru
Posts: 3745
Joined: Thu Mar 03, 2016 10:23 pm

Re: HAP AC2 IPv6 performance

Sat Nov 02, 2019 1:17 pm

There is no fast-track for IPv6 (yet). Which means every IPv6 packet needs to pass normal firewall filter rule chain.

Even if IPv6 firewall is almost non-existent, it still needs to keep connection states current. With firewall completely disabled that's not necessary ... and with IPv4 fast-track it's greatly simplified.
BR,
Metod
 
fouinix
just joined
Topic Author
Posts: 6
Joined: Wed Feb 10, 2016 10:13 am

Re: HAP AC2 IPv6 performance

Sat Nov 02, 2019 1:32 pm

Thanks, I hope Mikrotik will release routers with hardware acceleration in IPv6 too...
 
Znevna
Frequent Visitor
Posts: 70
Joined: Mon Sep 23, 2019 1:04 pm

Re: HAP AC2 IPv6 performance

Sat Nov 02, 2019 1:33 pm

That still doesn't explain why only one core is saturated and the rest sit idle (I have the same device, encountered the same with IPv6), there may be room for optimization maybe.
 
mkx
Forum Guru
Posts: 3745
Joined: Thu Mar 03, 2016 10:23 pm

Re: HAP AC2 IPv6 performance

Sat Nov 02, 2019 1:47 pm

Single IP connection is handled by single CPU core. And that's true for all Mikrotik devices (including CCR1072 with its massive 72 CPU cores). Perhaps you could launch multiple speed tests in parallel (speedtest.net recently launched multi-connection testing, but it's only IPv4) to verify if this is indeed the problem.

There's a good reason for this limitation: ordered delivery of packets. TCP can handle out-of-order delivery, but doesn't like it much ... UDP itself doesn't handle OOO delivery at all, it's up to app to cope with it.
BR,
Metod
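
A small simulation of the trade-off described in the post above, added here as an illustration and not taken from the thread or from RouterOS: pinning a flow to one core keeps its packets in order, while spreading one flow's packets over all cores reorders them. The hash scheme, core count, per-core service times and addresses are assumptions constructed for the example.

```python
import hashlib

CORES = 4  # assumed core count for the simulation

def core_for_flow(flow, cores=CORES):
    """Pin a flow to one core by hashing its 5-tuple (hypothetical scheme)."""
    digest = hashlib.sha256(repr(flow).encode()).digest()
    return int.from_bytes(digest[:4], "big") % cores

def per_core_load(packets, cores=CORES):
    """Packets handled by each core when every flow is pinned by hash."""
    load = {core: 0 for core in range(cores)}
    for flow, _seq in packets:
        load[core_for_flow(flow, cores)] += 1
    return load

def delivery_order(seqs, assign, service_time):
    """Order in which packets leave the router.

    Packet i arrives at time i; each core is a FIFO queue with its own
    per-packet service time (unevenly loaded cores).
    """
    free_at, done = {}, []
    for arrival, seq in enumerate(seqs):
        core = assign(seq)
        start = max(arrival, free_at.get(core, 0))
        free_at[core] = start + service_time[core]
        done.append((free_at[core], seq))
    return [seq for _finish, seq in sorted(done)]

# Constructed sample data: one TCP flow between documentation addresses.
FLOW = ("2001:db8::10", "2001:db8:ffff::1", "tcp", 50000, 443)
SERVICE_TIME = [1, 5, 2, 3]  # constructed per-core cost per packet
SEQS = list(range(8))

def pinned_order():
    core = core_for_flow(FLOW)
    return delivery_order(SEQS, lambda seq: core, SERVICE_TIME)

def sprayed_order():
    # Per-packet round robin across all cores: uses every core, loses order.
    return delivery_order(SEQS, lambda seq: seq % CORES, SERVICE_TIME)

if __name__ == "__main__":
    print("single-flow load per core:", per_core_load([(FLOW, s) for s in SEQS]))
    print("pinned :", pinned_order())
    print("sprayed:", sprayed_order())
```

With a single flow the whole load lands on one core in this model, which is the cost of keeping delivery ordered.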
 
Znevna
Frequent Visitor
Posts: 70
Joined: Mon Sep 23, 2019 1:04 pm

Re: HAP AC2 IPv6 performance

Sat Nov 02, 2019 1:55 pm

I've done tests with multiple sessions.. same core (3) busy doing all the work: network, firewall. I'll redo this weekend some tests and compare it to how a 750Gr3 deals with this.
Weird thing is that with lower load (speed/connections), all the cores seem to do a little bit of something. Only when throughput increases core3 goes to 100% and the rest go down to 0% so some kind of bottleneck is reached, don't know.
 
whatever
Member Candidate
Posts: 117
Joined: Thu Jun 21, 2018 9:29 pm

Re: HAP AC2 IPv6 performance

Sun Nov 03, 2019 10:36 am

My routing hap ac2 has cpu0 @ ~70% and cpu3 @ ~30% when running a single wget IPv6 download at 420 Mbit/s. I'm running latest long-term and would expect it to max out at 500-600 Mbit/s.