Community discussions

MikroTik App
 
xtaz
just joined
Topic Author
Posts: 4
Joined: Wed Sep 08, 2021 9:45 pm

hAP ac3 IPv6 firewall throughput issue

Wed Sep 08, 2021 9:57 pm

I have a hAP ac3 router connected to a 1Gbit PPPoE connection and a laptop via ethernet. IPv4 works fine and I get around 950Mbit/s on a speedtest however IPv6 only gets around 420Mbit/s on the same speedtest. If I disable all firewall rules in IPv6/Firewall and retest then it gets the full 950Mbit/s the same as IPv4. If I enable one single firewall rule, even something simple like "allow all ICMPv6" then the speed immediately drops down to 420Mbit/s.

I'm assuming that when all rules are disabled the firewall is being disabled and adding a single rule enables it, but why would the speed drop that much. I know there is no fasttrack on IPv6 but it should still be capable of routing over 1Gbit shouldn't it? Somebody else that I know who owns a routerboard does not have the same problem.

I don't have any queues or anything like that configured. Any ideas?
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11440
Joined: Thu Mar 03, 2016 10:23 pm

Re: hAP ac3 IPv6 firewall throughput issue

Thu Sep 09, 2021 9:19 am

Default configuration in IPv4 firewall includes rule with action=fasttrack ... fasttrack greatly reduces processing overhead and thus greatly improves throughput. There is no such thing as fasttrack in IPv6, hence IPv6 firewalling performance is way lower than IPv4 firewalling performance on very same hardware.
Keep in mid that connection tracking is single most expensive task of firewall. If you disable all firewall rules, connection tracking doesn't take place. And fasttracked packets largely skip the connection tracking as well (only a few are taking the slow path to update connection tracking state ... hence need for accept rule matching fasttrack rule).

To verify this indeed bottleneck in your case, disable (don't remove) the fasttrack rule in IPv4 firewall, restart device (to make sure all IPv4 connections over router are re-established, and re-test IPv4 ... the result should be similar to what you're seeing for IPv6 currently (give or take a few percent, depending on complexity of your IPv4 firewall setup).
 
xtaz
just joined
Topic Author
Posts: 4
Joined: Wed Sep 08, 2021 9:45 pm

Re: hAP ac3 IPv6 firewall throughput issue

Thu Sep 09, 2021 9:51 pm

OK. It seems that you are right. With fasttrack disabled on IPv4 it gets around 550Mbit which is still faster than IPv6 but that is a significant drop from when fasttrack is enabled.

I did know about fasttrack but I didn't think it could be this as the routers CPU shows 25% use on both IPv4 and IPv6 during a speedtest, and a friend of mine who has a routerboard says he can almost reach the full 1Gbit even using IPv6. I'm guessing then he must have one which is far higher performance than the hAP ac3.

Is there ever likely to be fasttrack support on v6 in a later version of routeros?
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11440
Joined: Thu Mar 03, 2016 10:23 pm

Re: hAP ac3 IPv6 firewall throughput issue

Fri Sep 10, 2021 11:22 am

... the routers CPU shows 25% use on both IPv4 and IPv6 during a speedtest

Since hAP ac3 has a 4-core CPU, CPU load pegged at 25% likely indicates only single core is used. You can verify that by running CPU profiler during speedtesting.

Make sure you're running speedtest with multi-thread option enabled. ROS will keep using same CPU core to process all packets belonging to same connection to improve possibility of in-order delivery. If using multiple (independent) connections, load should be spread over all cores more evenly and throughput increased.

I think MT said they'll look into implementing fasttrack for IPv6 ... probably for ROSv7.

Who is online

Users browsing this forum: CGGXANNX, elbob2002, godel0914, K0NCTANT1N, mkx, qatar2022 and 84 guests