I've just got an RB5009 and am having issues with inter-VLAN routing. My default VLAN is my access VLAN, and my server and NAS are on VLAN 40. All connectivity to the internal network is over the SFP+ port, and ether1 is the WAN.
When my desktop is on the server VLAN, I get more or less wire-speed iperf results and ~400MB/s from my NAS. However, when my desktop is on the access VLAN (same port on the switch, different PVID), NAS throughput drops to ~200MB/s and iperf to about 2Gb/s.
Looking at the profile while these tests are running, the "Networking" section is around 60% CPU, with minimal usage on the firewall. Is anyone able to give me a steer on where to look for this issue? My sanitized config is below, along with a diagram of the key parts of my network layout. As the same-VLAN tests only go back through the CRS309, I'm steering away from any hardware issues in that part of the network. Since the load shows up in the networking area, I'm wondering whether it's around my bridge configuration rather than my firewall configuration. Any help would be greatly appreciated.
# sep/18/2021 19:16:43 by RouterOS 7.1rc3
# software id = KKAD-4BXT
#
# model = RB5009UG+S+
#
# Reviewer notes are the "#" lines added below; no configuration line has been changed.
# Layout as exported: one VLAN-filtering bridge with VLAN 30 untagged as the "access" network,
# VLANs 40-70 routed via /interface vlan on the bridge, PPPoE WAN on ether1, and ether8 as a
# standalone (non-bridged) management port.
/interface bridge
# pvid=30 makes VLAN 30 the untagged VLAN of the bridge interface itself, so the /ip address on
# "bridge" (192.168.250.1) below is the VLAN 30 gateway; VLAN 30 therefore has no /interface vlan entry.
add admin-mac=2C:C8:1B:DB:5A:B4 auto-mac=no comment=defconf name=bridge pvid=30 vlan-filtering=yes
/interface pppoe-client
# WAN is PPPoE on ether1; the default route comes from the session (add-default-route=yes).
add add-default-route=yes disabled=no interface=ether1 name=pppoe-wan user=xxxxxxx
/interface vlan
# Routed VLAN interfaces on the bridge. Traffic between any two of these (and VLAN 30) is routed,
# not bridged, so it passes /ip firewall in software; the "Networking" CPU load described in the
# post is consistent with that (no L3 hardware offload appears anywhere in this export).
add interface=bridge name=cameras vlan-id=60
add interface=bridge name=guest vlan-id=50
add interface=bridge name=iot vlan-id=70
add interface=bridge name=servers vlan-id=40
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# RESTRICTED is populated below (iot, cameras) but no firewall rule in this export references it,
# so it currently has no effect.
add name=RESTRICTED
/ip ipsec profile
# Only DPD and the encryption algorithm are set; hash algorithm and DH group are not in the export,
# so the RouterOS defaults apply -- confirm they match what the USG peer is configured for.
add dpd-interval=1m enc-algorithm=aes-128 name=profile01 nat-traversal=no
/ip ipsec peer
add address=xxxxxx local-address=xxxxxx name=USG-01 profile=profile01
/ip ipsec proposal
# Phase-2 proposal: three ciphers offered; auth-algorithms are not in the export (default applies).
# NOTE(review): lifetime=0s -- confirm this is intended rather than the default rekey interval.
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,aes-128-ctr lifetime=0s
/ip pool
# default-dhcp (192.168.88.0/24) is leftover defconf; its DHCP server is disabled below.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=mgmt-dhcp ranges=192.168.100.100-192.168.100.200
add name=access ranges=192.168.250.50-192.168.250.250
add name=servers ranges=192.168.251.100-192.168.251.200
add name=guest ranges=192.168.252.100-192.168.252.200
add name=cameras ranges=192.168.253.50-192.168.253.250
add name=iot ranges=192.168.254.100-192.168.254.200
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge name=defconf
# mgmt runs directly on ether8, which is not a bridge port (see /interface bridge port).
add address-pool=mgmt-dhcp interface=ether8 name=mgmt
# "access" serves VLAN 30 via the bridge interface. No DHCP server is defined for guest (VLAN 50)
# even though its pool, address and dhcp-server network exist -- presumably an omission.
add address-pool=access interface=bridge lease-time=6h name=access
add address-pool=servers interface=servers lease-time=6h name=servers
add address-pool=cameras interface=cameras lease-time=6h name=cameras
add address-pool=iot interface=iot lease-time=6h name=iot
/interface bridge port
# Every bridge port is an access port for VLAN 30 (pvid=30) and, per the VLAN table below, a trunk
# for 40-70. ingress-filtering=no is explicit on ether2-4 and ether6-7 but left at the default on
# ether5 and sfp-sfpplus1; the inconsistency looks accidental -- use one setting for all ports.
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 pvid=30
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 pvid=30
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 pvid=30
add bridge=bridge comment=defconf interface=ether5 pvid=30
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6 pvid=30
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7 pvid=30
add bridge=bridge comment=defconf interface=sfp-sfpplus1 pvid=30
/interface bridge settings
# use-ip-firewall-for-vlan only takes effect when use-ip-firewall=yes is also set, which this export
# does not show, so this line is currently inert. It is not needed for routed inter-VLAN traffic
# (that already passes /ip firewall); enabling use-ip-firewall would additionally push bridged
# (same-VLAN) frames through the IP firewall and can affect bridge hardware offloading.
set use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
# VLAN 30 untagged everywhere; VLANs 40-70 tagged on every port and on "bridge" (the bridge must be a
# tagged member so the /interface vlan interfaces receive those frames).
# Because 40-70 are tagged on ALL ports, a host plugged into any of ether2-7 can join the
# servers/guest/cameras/iot VLANs at layer 2 simply by tagging its own frames; limit tagged
# membership to the trunk port(s) that actually need it (e.g. sfp-sfpplus1 towards the CRS309).
add bridge=bridge untagged=ether2,ether3,ether4,ether5,ether6,ether7,sfp-sfpplus1,bridge vlan-ids=30
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,ether6,ether7,sfp-sfpplus1 vlan-ids=40
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,ether6,ether7,sfp-sfpplus1 vlan-ids=50
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,ether6,ether7,sfp-sfpplus1 vlan-ids=60
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,ether6,ether7,sfp-sfpplus1 vlan-ids=70
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=pppoe-wan list=WAN
add interface=ether8 list=LAN
# guest, iot and cameras are all members of LAN. The IPv4 input chain below accepts everything from
# LAN, so devices on those VLANs can reach the router's own services (DNS, SNMP, WinBox, MAC server).
add interface=guest list=LAN
add interface=servers list=LAN
add interface=iot list=RESTRICTED
add interface=cameras list=RESTRICTED
add interface=iot list=LAN
add interface=cameras list=LAN
# Member with no interface= -- an empty/leftover entry; safe to remove.
add list=LAN
/ip address
# One /24 per VLAN; 192.168.250.0/24 lives on "bridge" (VLAN 30). The IPsec policies and the hairpin
# NAT rule below use 192.168.250.0/23, which spans both the access (250.x) and servers (251.x) VLANs.
add address=192.168.100.1/24 interface=ether8 network=192.168.100.0
add address=192.168.250.1/24 interface=bridge network=192.168.250.0
add address=192.168.251.1/24 interface=servers network=192.168.251.0
add address=192.168.252.1/24 interface=guest network=192.168.252.0
add address=192.168.253.1/24 interface=cameras network=192.168.253.0
add address=192.168.254.1/24 interface=iot network=192.168.254.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.100.0/24 dns-server=192.168.100.1 gateway=192.168.100.1
add address=192.168.250.0/24 dns-server=192.168.250.1 gateway=192.168.250.1
add address=192.168.251.0/24 dns-server=192.168.251.1 gateway=192.168.251.1
add address=192.168.252.0/24 dns-server=192.168.252.1 gateway=192.168.252.1
add address=192.168.253.0/24 dns-server=192.168.253.1 gateway=192.168.253.1
add address=192.168.254.0/24 dns-server=192.168.254.1 gateway=192.168.254.1
/ip dns
# The router is the resolver for every VLAN (allow-remote-requests=yes), forwarding to 8.8.8.8.
# Keeping it off the WAN relies on the "drop all not coming from LAN" input rule staying in place.
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
# Rules are evaluated top to bottom. Neither chain ends with a terminal drop for LAN-sourced traffic,
# so anything not matched below is accepted by the default policy.
# fasttrack: later packets of established/related flows bypass the rest of the filter; hw-offload=yes
# requests hardware fasttrack where the platform supports it.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# NOTE(review): in the input chain dst-address is the router's own address; 192.168.240.0/24 is the
# remote site behind the IPsec tunnel (see /ip ipsec policy), so this rule is unlikely to ever match.
# Traffic from 192.168.250.0/24 to that site traverses the forward chain, where nothing drops it anyway.
add action=accept chain=input dst-address=192.168.240.0/24 src-address=192.168.250.0/24
# Accepts ALL input from one (sanitized) address, ahead of the invalid-state drop. If this is the IPsec
# peer, the narrower pattern used in the IPv6 defaults below (IKE udp/500,4500 plus ipsec-esp/ah, or
# ipsec-policy=in,ipsec) is preferable to a blanket accept.
add action=accept chain=input src-address=xxxxxx
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Last input rule: only non-LAN sources are dropped. Every LAN member (including guest/iot/cameras)
# is implicitly allowed to open new connections to the router itself.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Inbound from WAN is limited to connections matched by the dstnat rules below.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# Last forward rule: no drop follows, so all inter-VLAN forwarding is permitted -- guest -> servers,
# iot/cameras -> everything. The RESTRICTED list (iot, cameras) exists for this purpose but is unused.
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall nat
# Keeps site-to-site traffic un-NATed. Largely redundant with ipsec-policy=out,none on the masquerade
# rule, and narrower than the policies (250.0/24 vs 250.0/23; only the 240.0/24 destination).
add action=accept chain=srcnat dst-address=192.168.240.0/24 src-address=192.168.250.0/24
# WAN port forwards into the servers VLAN: 443/80 -> .174, 7000 -> .157, 5500 -> .153:80,
# 10022 -> .8:22 (SSH), 444 -> .157:443. These are the only services reachable from the internet
# (see the "drop all from WAN not DSTNATed" forward rule); keep the list reviewed and, where the
# client range is known, narrow a rule with src-address.
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.xxx dst-port=443 protocol=tcp to-addresses=192.168.251.174 \
to-ports=443
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.xxx dst-port=80 protocol=tcp to-addresses=192.168.251.174 \
to-ports=80
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.xxx dst-port=7000 protocol=tcp to-addresses=192.168.251.157 \
to-ports=7000
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.xxx dst-port=5500 protocol=tcp to-addresses=192.168.251.153 \
to-ports=80
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.xxx dst-port=10022 protocol=tcp to-addresses=192.168.251.8 \
to-ports=22
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.xxx dst-port=444 protocol=tcp to-addresses=192.168.251.157 \
to-ports=443
# Hairpin NAT so hosts on 192.168.250.0/23 can reach .174 via the public address. As written it has
# no dst-port or connection-nat-state match, so EVERY TCP flow from the access and servers VLANs to
# 192.168.251.174 is masqueraded to 192.168.251.1 -- the server loses the real client IP in its logs
# and direct LAN traffic to that host is NATed too. Limit it to dst-natted connections (e.g. match
# connection-nat-state=dstnat, or a connection mark set in the dstnat rules).
add action=masquerade chain=srcnat dst-address=192.168.251.174 out-interface=servers protocol=tcp src-address=\
192.168.250.0/23
# Outbound masquerade excludes traffic matching an IPsec policy (ipsec-policy=out,none).
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=pppoe-wan
/ip ipsec identity
# No auth-method or secret is shown (sanitized/hidden in the export).
add peer=USG-01
/ip ipsec policy
# Default policy 0 disabled; three tunnel policies from the whole 192.168.250.0/23 (access + servers
# VLANs) to 192.168.240/241/242.0/24 behind USG-01. level=unique is set only on the first --
# confirm the inconsistency is intended.
set 0 disabled=yes
add dst-address=192.168.242.0/24 level=unique peer=USG-01 src-address=192.168.250.0/23 tunnel=yes
add dst-address=192.168.240.0/24 peer=USG-01 src-address=192.168.250.0/23 tunnel=yes
add dst-address=192.168.241.0/24 peer=USG-01 src-address=192.168.250.0/23 tunnel=yes
/ip traffic-flow
# Only the flow timeout is set; no enabled=yes or target appears in this export, so NetFlow export
# is presumably not active -- harmless either way.
set active-flow-timeout=1m
/ipv6 firewall address-list
# Stock defconf IPv6 bogon list and filter follow. No /ipv6 address or dhcp-client appears in this
# export, so these rules are currently idle.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
src-address=fe80::/10
# Note how the IPv6 defaults admit the IPsec peer: by protocol/port and by policy match, not by a
# blanket per-address accept as in the IPv4 input chain above.
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/snmp
# Enabled with no community settings in the export, so the default read-only community applies.
# Because the input chain accepts all LAN sources, SNMP (udp/161) is reachable from every VLAN;
# set a non-default community restricted by address (and/or drop udp/161 from non-management VLANs).
set enabled=yes
/system clock
set time-zone-name=Pacific/Auckland
/system package update
# Tracking the development channel (7.1rc3 at export time): pre-release builds, not a stable-channel deployment.
set channel=development
/system routerboard settings
set cpu-frequency=auto
/tool mac-server
# MAC-telnet and MAC-WinBox are allowed from the whole LAN list, which includes guest/iot/cameras.
# Restricting both to a management-only list (e.g. ether8) is the usual hardening.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN