shaunmccloud
Frequent Visitor
Topic Author
Posts: 57
Joined: Tue Jun 02, 2015 5:06 pm

RB4011 Slow Inter-VLAN Routing

Sun Sep 26, 2021 12:28 am

I have my RB4011 set up with all its VLANs on sfp-sfpplus1, which is also the uplink to my switch. Internet comes in on ether1. For some reason routing between VLANs is super slow. Any ideas on what could cause this, or is it due to the fact that I do not have a bridge set up?

Config here.
# jan/18/2002 23:56:34 by RouterOS 7.1rc4
# software id = 
#
# model = RB4011iGS+
# serial number = 
/interface ethernet
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes poe-out=off
/interface vlan
add interface=sfp-sfpplus1 name="Guest Wifi" vlan-id=200
add interface=sfp-sfpplus1 name=IoT vlan-id=10
add interface=sfp-sfpplus1 name=VMs vlan-id=20
add interface=sfp-sfpplus1 name=Wifi vlan-id=7
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out user=\
    no@no.no
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=42 name=NTPVMs value="'172.16.20.1'"
add code=42 name=NTPLAN value="'172.16.6.1'"
add code=42 name=NTPIoT value="'172.16.10.1'"
add code=42 name=NTPWifi value="'172.16.7.1'"
add code=42 name="NTPGuest Wifi" value="'172.16.200.1'"
/ip dhcp-server option sets
add name=Wifi options=NTPWifi
add name=LAN options=NTPLAN
add name=VMs options=NTPVMs
add name="Guest Wifi" options="NTPGuest Wifi"
add name=IoT options=NTPIoT
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-128 \
    hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=\
    aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-gcm lifetime=0s pfs-group=\
    modp2048
/ip pool
add name=IoT_pool ranges=172.16.10.100-172.16.10.254
add name=LAN_pool ranges=172.16.6.100-172.16.6.254
add name="Guest Wifi_pool" ranges=172.16.200.2-172.16.200.254
add name=VMs_pool ranges=172.16.20.100-172.16.20.254
add name=Wifi_pool ranges=172.16.7.100-172.16.7.254
/ip dhcp-server
add address-pool=IoT_pool dhcp-option-set=IoT interface=IoT lease-time=1w \
    name=IoT
add address-pool=LAN_pool dhcp-option-set=LAN interface=sfp-sfpplus1 \
    lease-time=1w name=LAN
add address-pool="Guest Wifi_pool" dhcp-option-set="Guest Wifi" interface=\
    "Guest Wifi" lease-time=1w name="Guest Wifi"
add address-pool=VMs_pool dhcp-option-set=VMs interface=VMs lease-time=1w \
    name=VMs
add address-pool=Wifi_pool dhcp-option-set=Wifi interface=Wifi lease-time=1w \
    name=Wifi
/queue simple
add burst-limit=2M/2M burst-threshold=2M/2M burst-time=10s/10s comment=\
    "Guest Wifi" limit-at=1M/1M max-limit=1M/1M name="Guest Wifi" priority=\
    6/6 queue=default/default target="Guest Wifi"
/routing bgp template
set default as=65530 disabled=no name=default output.network=bgp-networks
/routing table
add fib name=""
/system logging action
set 3 remote=172.16.6.2
add bsd-syslog=yes name=unRAID remote=172.16.6.2 src-address=172.16.6.1 \
    target=remote
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    identity="dd" name=zt1 \
    port=9993
/zerotier interface
add instance=zt1 mac-address=dd name=zerotier1 network=\
    dd
/ip neighbor discovery-settings
set discover-interface-list=none
/interface list member
add interface=ether1 list=WAN
add interface=sfp-sfpplus1 list=LAN
add interface="Guest Wifi" list=LAN
add interface=IoT list=LAN
add interface=VMs list=LAN
add interface=Wifi list=LAN
add interface=pppoe-out list=WAN
/ip address
add address=172.16.6.1/24 interface=sfp-sfpplus1 network=172.16.6.0
add address=172.16.7.1/24 interface=Wifi network=172.16.7.0
add address=172.16.10.1/24 interface=IoT network=172.16.10.0
add address=172.16.20.1/24 interface=VMs network=172.16.20.0
add address=172.16.200.1/24 interface="Guest Wifi" network=172.16.200.0
add address=192.168.254.253/24 interface=ether1 network=192.168.254.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server lease
add address=172.16.10.2 client-id=HeidiNightstand mac-address=\
    60:38:E0:F1:C8:71
add address=172.16.10.5 client-id=HueBridge mac-address=dd
add address=172.16.7.5 client-id=erx mac-address=04:18:D6:06:18:6F
add address=172.16.7.15 mac-address=70:2C:09:69:FF:88
add address=172.16.10.4 client-id=1:b0:be:76:46:b9:92 mac-address=\
    B0:BE:76:46:B9:92 server=IoT
add address=172.16.7.4 client-id=1:44:90:bb:5:c0:cd mac-address=\
    44:90:BB:05:C0:CD server=Wifi
add address=172.16.10.3 client-id=1:2c:aa:8e:d6:93:4c mac-address=\
    2C:AA:8E:D6:93:4C server=IoT
add address=172.16.7.3 client-id=1:dc:52:85:d4:15:9f mac-address=\
    DC:52:85:D4:15:9F server=Wifi
add address=172.16.20.3 client-id=1:52:54:0:c8:d0:49 mac-address=\
    52:54:00:C8:D0:49 server=VMs
add address=172.16.20.4 client-id=1:52:54:0:be:8c:1c mac-address=\
    52:54:00:BE:8C:1C server=VMs
/ip dhcp-server network
add address=172.16.6.0/24 dns-server=172.16.6.1 domain=mccloud.lan gateway=\
    172.16.6.1 netmask=24
add address=172.16.7.0/24 dns-server=172.16.7.1 domain=mccloud.lan gateway=\
    172.16.7.1
add address=172.16.10.0/24 dns-server=172.16.10.1 domain=mccloud.lan gateway=\
    172.16.10.1
add address=172.16.20.0/24 dns-server=172.16.20.1 domain=mccloud.lan gateway=\
    172.16.20.1
add address=172.16.200.0/24 dns-server=172.16.200.1 domain=mccloud.lan \
    gateway=172.16.200.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=172.16.6.2 name=transmission.no.no
add address=172.16.6.2 name=unimus.no.no
add address=172.16.6.2 name=airsonic.no.no
add address=172.16.6.2 name=home.no.no
add address=172.16.6.2 name=jackett.no.no
add address=172.16.20.3 name=jenkins.no.no
add address=172.16.6.2 name=lidarr.no.no
add address=172.16.6.2 name=nzbget.no.no
add address=172.16.6.2 name=omada.no.no
add address=172.16.6.2 name=ombi.no.no
add address=172.16.6.2 name=paperless.no.no
add address=172.16.6.2 name=piwigo.no.no
add address=172.16.6.2 name=plex.no.no
add address=172.16.6.2 name=radarr.no.no
add address=172.16.6.2 name=sonarr.no.no
add address=172.16.6.2 name=speedtest.no.no
add address=172.16.6.2 name=subversion.no.no
add address=172.16.6.2 name=syncthing.no.no
add address=172.16.6.2 name=tautulli.no.no
add address=172.16.6.2 name=tdarr.no.no
add address=172.16.20.3 name=jumpbox
add address=172.16.6.2 name=bb-8
add address=172.16.20.3 name=jumpbox.mccloud.lan
add address=172.16.6.2 name=bb-8.mccloud.lan
/ip firewall filter
add action=accept chain=forward connection-state=\
    established,related,untracked
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=output connection-state=established,related,untracked
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input in-interface=pppoe-out protocol=icmp
add action=drop chain=input in-interface=pppoe-out
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward in-interface="Guest Wifi" out-interface=IoT
add action=drop chain=forward in-interface="Guest Wifi" out-interface=VMs
add action=drop chain=forward in-interface="Guest Wifi" out-interface=Wifi
add action=drop chain=forward in-interface="Guest Wifi" out-interface=\
    sfp-sfpplus1
add action=drop chain=forward in-interface=IoT out-interface="Guest Wifi"
add action=drop chain=forward in-interface=VMs out-interface="Guest Wifi"
add action=drop chain=forward in-interface=Wifi out-interface="Guest Wifi"
add action=drop chain=forward in-interface=sfp-sfpplus1 out-interface=\
    "Guest Wifi"
add action=fasttrack-connection chain=forward connection-mark=!ipsec \
    connection-state=established,related hw-offload=yes
add action=fasttrack-connection chain=input connection-mark=!ipsec \
    connection-state=established,related hw-offload=yes
add action=fasttrack-connection chain=output connection-mark=!ipsec \
    connection-state=established,related hw-offload=yes
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-mark=!ipsec connection-state=established,related hw-offload=\
    yes
add action=accept chain=forward comment="all from WAN DSTNATed" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat comment=SSH in-interface=pppoe-out port=no \
    protocol=tcp to-addresses=172.16.6.2 to-ports=no
add action=dst-nat chain=dstnat comment=HTTP in-interface=pppoe-out port=no \
    protocol=tcp to-addresses=172.16.6.2 to-ports=no
add action=dst-nat chain=dstnat comment=HTTPS in-interface=pppoe-out port=no \
    protocol=tcp to-addresses=172.16.6.2 to-ports=no
add action=dst-nat chain=dstnat comment=RDP in-interface=pppoe-out port=no \
    protocol=tcp to-addresses=172.16.20.3 to-ports=no
add action=dst-nat chain=dstnat comment=RDP in-interface=pppoe-out port=no \
    protocol=udp to-addresses=172.16.20.3 to-ports=no
add action=dst-nat chain=dstnat comment=Plex in-interface=pppoe-out port=\
    no protocol=tcp to-addresses=172.16.6.2 to-ports=no
add action=dst-nat chain=dstnat comment=Syncthing in-interface=pppoe-out \
    port=no protocol=tcp to-addresses=172.16.6.2 to-ports=no
add action=dst-nat chain=dstnat comment=Syncthing port=no protocol=udp \
    to-addresses=172.16.6.2 to-ports=no
add action=dst-nat chain=dstnat comment=Transmission dst-address=172.16.6.2 \
    in-interface=pppoe-out port=no protocol=tcp to-addresses=172.16.6.2 \
    to-ports=no
add action=dst-nat chain=dstnat comment=Transmission dst-address=172.16.6.2 \
    in-interface=pppoe-out port=no protocol=udp to-addresses=172.16.6.2 \
    to-ports=no
add action=dst-nat chain=dstnat comment="Resilio Sync" in-interface=pppoe-out \
    port=no protocol=tcp to-addresses=172.16.6.2 to-ports=no
add action=dst-nat chain=dstnat comment="Resilio Sync" in-interface=pppoe-out \
    port=no protocol=tcp to-addresses=172.16.6.2 to-ports=no
add action=dst-nat chain=dstnat comment="Resilio Sync" in-interface=pppoe-out \
    port=no protocol=udp to-addresses=172.16.6.2 to-ports=no
add action=masquerade chain=srcnat comment="nat to modem" dst-address=\
    192.168.254.254 out-interface=ether1
add action=masquerade chain=srcnat comment=Masquerade out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=router disabled=no tls-version=only-1.2
set api disabled=yes
set api-ssl certificate=router tls-version=only-1.2
/ip ssh
set strong-crypto=yes
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/snmp
set contact=smccloud@no.no enabled=yes location="Mechanical  Room"
/system clock
set time-zone-name=America/Chicah
/system identity
set name=RB4011iGS+RM
/system logging
add action=remote topics=critical
add action=remote topics=error
add action=remote topics=info
add action=remote topics=warning
/system ntp client
set enabled=yes mode=multicast
/system ntp server
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=128.101.101.101
add address=134.84.84.84
/system package update
set channel=development
/system resource irq rps
set sfp-sfpplus1 disabled=no
/tool bandwidth-server
set authenticate=no enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
 
ConnyMercier
Forum Veteran
Posts: 724
Joined: Tue Dec 17, 2019 1:08 pm

Re: RB4011 Slow Inter-VLAN Routing

Sun Sep 26, 2021 1:10 am

Firewall and NAT aren't Perfect (Duplicates, sequence, etc..)
But shouldn't make a big difference!


How Slow is your Routing ?
Copying a File from one PC to another ?
Less than 100 MBytes/s ?
During the Transfer, how high is your CPU-Usage on the MikroTik ?
 
shaunmccloud
Frequent Visitor
Topic Author
Posts: 57
Joined: Tue Jun 02, 2015 5:06 pm

Re: RB4011 Slow Inter-VLAN Routing

Sun Sep 26, 2021 1:48 am

I get the same speed if I stay on the same VLAN or go between them in file transfers. Between VLANs I get around 25% CPU usage on the RB4011. The main slowdown I see is accessing services on my home server from Wifi across VLANs. i.e. my home-automation takes forever to connect when it doesn't from my desktop.

What would you recommend to fix the Firewall & NAT?
 
ConnyMercier
Forum Veteran
Posts: 724
Joined: Tue Dec 17, 2019 1:08 pm

Re: RB4011 Slow Inter-VLAN Routing

Sun Sep 26, 2021 2:04 am

I marked the duplicates in "Bold"

/ip firewall filter
add action=accept chain=forward connection-state=established,related,untracked
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=output connection-state=established,related,untracked
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input in-interface=pppoe-out protocol=icmp
add action=drop chain=input in-interface=pppoe-out
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward in-interface="Guest Wifi" out-interface=IoT
add action=drop chain=forward in-interface="Guest Wifi" out-interface=VMs
add action=drop chain=forward in-interface="Guest Wifi" out-interface=Wifi
add action=drop chain=forward in-interface="Guest Wifi" out-interface=sfp-sfpplus1
add action=drop chain=forward in-interface=IoT out-interface="Guest Wifi"
add action=drop chain=forward in-interface=VMs out-interface="Guest Wifi"
add action=drop chain=forward in-interface=Wifi out-interface="Guest Wifi"
add action=drop chain=forward in-interface=sfp-sfpplus1 out-interface="Guest Wifi"
add action=fasttrack-connection chain=forward connection-mark=!ipsec connection-state=established,related hw-offload=yes
add action=fasttrack-connection chain=input connection-mark=!ipsec connection-state=established,related hw-offload=yes
add action=fasttrack-connection chain=output connection-mark=!ipsec connection-state=established,related hw-offload=yes
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-mark=!ipsec connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="all from WAN DSTNATed" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
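
The duplicate and ordering problems called out in the rule list above can be found mechanically. The following Python sketch is an added example, not code from any poster in this thread: it parses a RouterOS /ip firewall filter export and flags exact duplicates and rules that an earlier terminating rule in the same chain already covers. The sample export is a constructed excerpt of the rules posted here, and the function names are hypothetical.

```python
import re
import shlex

# Actions that stop rule processing for a packet once they match.
TERMINATING = {"accept", "drop", "reject"}
# Properties that do not narrow which packets a rule matches.
NOT_MATCHERS = {"action", "chain", "comment", "hw-offload", "log",
                "log-prefix", "disabled"}

# Constructed sample: an excerpt of the filter rules from the export in this thread.
EXPORT = r'''
/ip firewall filter
add action=accept chain=forward connection-state=\
    established,related,untracked
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward in-interface="Guest Wifi" out-interface=IoT
add action=fasttrack-connection chain=forward connection-mark=!ipsec \
    connection-state=established,related hw-offload=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
'''


def parse_filter_rules(export):
    """Return [(action, chain, matchers)] for enabled /ip firewall filter rules."""
    # Export wraps long lines with a trailing backslash and an indented continuation.
    text = re.sub(r"\\\n\s*", "", export)
    rules, menu = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif menu == "/ip firewall filter" and line.startswith("add "):
            props = dict(tok.partition("=")[::2] for tok in shlex.split(line[4:]))
            if props.get("disabled") == "yes":
                continue
            matchers = {k: v for k, v in props.items() if k not in NOT_MATCHERS}
            rules.append((props.get("action", "accept"), props.get("chain"), matchers))
    return rules


def covers(earlier, later):
    """Conservative check: every packet matching `later` also matches `earlier`."""
    for key, val in earlier.items():
        if key not in later:
            return False
        if key == "connection-state" and "!" not in val + later[key]:
            # A state list covers any subset of itself.
            if not set(later[key].split(",")) <= set(val.split(",")):
                return False
        elif later[key] != val:
            return False
    return True


def audit(rules):
    """Return [(kind, rule_no, earlier_rule_no)], numbered from 1 in export order."""
    findings = []
    for j, (action, chain, matchers) in enumerate(rules):
        for i, (e_action, e_chain, e_matchers) in enumerate(rules[:j]):
            if e_chain != chain:
                continue
            if e_action == action and e_matchers == matchers:
                findings.append(("duplicate", j + 1, i + 1))
                break
            if e_action in TERMINATING and covers(e_matchers, matchers):
                # The earlier rule decides these packets first; this rule never sees them.
                findings.append(("shadowed", j + 1, i + 1))
                break
    return findings


if __name__ == "__main__":
    for kind, rule_no, earlier_no in audit(parse_filter_rules(EXPORT)):
        print(f"rule {rule_no} is {kind} by rule {earlier_no}")
```

The shadowed finding on the fasttrack rule reflects rule order: established and related packets in the forward chain are accepted by the first rule before they reach it.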
 
ConnyMercier
Forum Veteran
Posts: 724
Joined: Tue Dec 17, 2019 1:08 pm

Re: RB4011 Slow Inter-VLAN Routing

Sun Sep 26, 2021 2:12 am

> I get the same speed if I stay on the same VLAN or go between them in file transfers. Between VLANs I get around 25% CPU usage on the RB4011. The main slowdown I see is accessing services on my home server from Wifi across VLANs. i.e. my home-automation takes forever to connect when it doesn't from my desktop.
>
> What would you recommend to fix the Firewall & NAT?

So if I understand you correctly,
Inter-VLAN Routing is only Slow,
when a Device connected to a Wireless-Access Point, communicates with another VLAN ?

Are your Wireless-AccessPoints MikroTik ?
 
shaunmccloud
Frequent Visitor
Topic Author
Posts: 57
Joined: Tue Jun 02, 2015 5:06 pm

Re: RB4011 Slow Inter-VLAN Routing

Sun Sep 26, 2021 2:26 am

> > I get the same speed if I stay on the same VLAN or go between them in file transfers. Between VLANs I get around 25% CPU usage on the RB4011. The main slowdown I see is accessing services on my home server from Wifi across VLANs. i.e. my home-automation takes forever to connect when it doesn't from my desktop.
> >
> > What would you recommend to fix the Firewall & NAT?
>
> So if I understand you correctly,
> Inter-VLAN Routing is only Slow,
> when a Device connected to a Wireless-Access Point, communicates with another VLAN ?
>
> Are your Wireless-AccessPoints MikroTik ?

It’s between any VLAN, but wireless is what I notice the most. My access point is not a MikroTik, it’s a TP-Link Omada series. Worked fine on pfSense, so I’m 99% certain it’s a mistake I made.
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB4011 Slow Inter-VLAN Routing

Sun Sep 26, 2021 3:36 am

I didn't look in depth, but from a shallow look everything seems to be in order, for at least what I can understand...
Did you try changing this to the sfp+ interface..........

/ip neighbor discovery-settings
set discover-interface-list=none

First time I've ever seen this rule, suggest you remove it
add action=accept chain=output connection-state=established,related,untracked

Your firewall rules can be severely improved in terms of efficiency but likely not the problem.


Finally I don't understand any of your DESTINATION NAT Rules as they have NO TO PORTS ???????????????
 
shaunmccloud
Frequent Visitor
Topic Author
Posts: 57
Joined: Tue Jun 02, 2015 5:06 pm

Re: RB4011 Slow Inter-VLAN Routing

Sun Sep 26, 2021 4:33 am

> I didn't look in depth, but from a shallow look everything seems to be in order, for at least what I can understand...
> Did you try changing this to the sfp+ interface..........
>
> /ip neighbor discovery-settings
> set discover-interface-list=none
>
> First time I've ever seen this rule, suggest you remove it
> add action=accept chain=output connection-state=established,related,untracked
>
> Your firewall rules can be severely improved in terms of efficiency but likely not the problem.
>
> Finally I don't understand any of your DESTINATION NAT Rules as they have NO TO PORTS ???????????????

They do, just don’t want everyone to know the from and to ports.
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB4011 Slow Inter-VLAN Routing

Sun Sep 26, 2021 3:21 pm

> > I didn't look in depth, but from a shallow look everything seems to be in order, for at least what I can understand...
> > Did you try changing this to the sfp+ interface..........
> >
> > /ip neighbor discovery-settings
> > set discover-interface-list=none
> >
> > First time I've ever seen this rule, suggest you remove it
> > add action=accept chain=output connection-state=established,related,untracked
> >
> > Your firewall rules can be severely improved in terms of efficiency but likely not the problem.
> >
> > Finally I don't understand any of your DESTINATION NAT Rules as they have NO TO PORTS ???????????????
>
> They do, just don’t want everyone to know the from and to ports.

haha okay next time just put in sample ports, because it's going to confuse the heck out of folks.
 
shaunmccloud
Frequent Visitor
Topic Author
Posts: 57
Joined: Tue Jun 02, 2015 5:06 pm

Re: RB4011 Slow Inter-VLAN Routing

Sun Sep 26, 2021 8:29 pm

Given that this is a home setup, am I just making my life too difficult with VLANs? i.e. should I just flatten my network out and not care about it as much?
 
ConnyMercier
Forum Veteran
Posts: 724
Joined: Tue Dec 17, 2019 1:08 pm

Re: RB4011 Slow Inter-VLAN Routing

Sun Sep 26, 2021 10:18 pm

> Given that this is a home setup, am I just making my life too difficult with VLANs? i.e. should I just flatten my network out and not care about it as much?

That's a question, only you can answer ! =)
The MikroTik RB4011 is more than capable to handle Multi-VLAN Routing, Firewall, QoS, etc...

If you don't have many devices and don't need "separation" between Devices and/or Networks
There is nothing wrong not having VLANs in your Home-Network
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB4011 Slow Inter-VLAN Routing

Mon Sep 27, 2021 12:11 am

Personally if you set up your router using this fine article you wouldn't be having any of your issues
Hint take the subnet and put it on a vlan like the other vlans
Put your ports on a bridge
and use the reference.

viewtopic.php?f=23&t=143620
 
shaunmccloud
Frequent Visitor
Topic Author
Posts: 57
Joined: Tue Jun 02, 2015 5:06 pm

Re: RB4011 Slow Inter-VLAN Routing

Mon Sep 27, 2021 1:10 am

> Personally if you set up your router using this fine article you wouldn't be having any of your issues
> Hint take the subnet and put it on a vlan like the other vlans
> Put your ports on a bridge
> and use the reference.
>
> viewtopic.php?f=23&t=143620

Does the SFP+ port on a RB4011 work correctly on a bridge?
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB4011 Slow Inter-VLAN Routing

Mon Sep 27, 2021 2:07 am

Yes, no reason why it shouldn't, if it works now with your modules and connections it will work fine on the bridge.
 
shaunmccloud
Frequent Visitor
Topic Author
Posts: 57
Joined: Tue Jun 02, 2015 5:06 pm

Re: RB4011 Slow Inter-VLAN Routing

Mon Sep 27, 2021 2:09 am

> Yes, no reason why it shouldn't, if it works now with your modules and connections it will work fine on the bridge.

Will a bridge help performance at all though?
 
millenium7
Long time Member
Posts: 538
Joined: Wed Mar 16, 2016 6:12 am

Re: RB4011 Slow Inter-VLAN Routing

Mon Sep 27, 2021 3:03 am

> I get the same speed if I stay on the same VLAN or go between them in file transfers.

Surprised no one's picked up on this yet

In order for you to go to the same VLAN, this means you either have a switch behind one of your ports, or if both devices were connected to the RB4011 you'd need a bridge setup
I'm going to assume the former, you have a switch you are sending traffic through. This means traffic doesn't even go through the 4011 hence it's not at fault (check your port speeds, maybe a port is running at 100mbit? or even 10mbit?)
 
shaunmccloud
Frequent Visitor
Topic Author
Posts: 57
Joined: Tue Jun 02, 2015 5:06 pm

Re: RB4011 Slow Inter-VLAN Routing

Mon Sep 27, 2021 3:18 am

> > I get the same speed if I stay on the same VLAN or go between them in file transfers.
>
> Surprised no one's picked up on this yet
>
> In order for you to go to the same VLAN, this means you either have a switch behind one of your ports, or if both devices were connected to the RB4011 you'd need a bridge setup
> I'm going to assume the former, you have a switch you are sending traffic through. This means traffic doesn't even go through the 4011 hence it's not at fault (check your port speeds, maybe a port is running at 100mbit? or even 10mbit?)

My switch is a CSS326-24G-2S+-RM, no routing in it. It has a single 10G trunk to the RB4011 with all the VLANs on it.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: RB4011 Slow Inter-VLAN Routing

Mon Sep 27, 2021 3:30 am

> My switch is a CSS326-24G-2S+-RM, no routing in it. It has a single 10G trunk to the RB4011 with all the VLANs on it.

I'm not sure that your router is actually being slow at inter-VLAN routing. Have you actually done throughput tests with iPerf?

You say it is slow because accessing your server is slow from another VLAN, but maybe there is another reason for this. Perhaps it is a wrong firewall rule that is blocking traffic and it fails over.

Also, do not look at the overall CPU performance, look at the performance per core under System->Resources->CPU. You can have a bottleneck if one core is maxed out, and 25% CPU usage could be from one core maxed out. If this is the case you can use Tools->Profile to see what the cause is.

How much bandwidth are you sending over this? i.e. when you are doing things that cause the 25% CPU usage, what is the traffic going through the interfaces at that time?
 
shaunmccloud
Frequent Visitor
Topic Author
Posts: 57
Joined: Tue Jun 02, 2015 5:06 pm

Re: RB4011 Slow Inter-VLAN Routing

Mon Sep 27, 2021 4:18 am

The initial connect is super slow. Once it’s done, performance is ok but sometimes unstable.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: RB4011 Slow Inter-VLAN Routing

Mon Sep 27, 2021 4:26 am

> The initial connect is super slow. Once it’s done, performance is ok but sometimes unstable.

Again, there are multiple reasons this could happen - from the scant info you have provided, this issue could be caused by anything. Please answer the other questions (and try the other suggestions) from my previous post.
 
shaunmccloud
Frequent Visitor
Topic Author
Posts: 57
Joined: Tue Jun 02, 2015 5:06 pm

Re: RB4011 Slow Inter-VLAN Routing

Mon Sep 27, 2021 4:34 am

Just navigated to two IPs on my VM VLAN. My Dude VM and my unRAID server's IP on that VLAN. The Dude VM responded immediately while the unRAID server took a while to respond. Both with no real increase in CPU load on the RB4011. A 1.1GB file transfer across VLANs will max out the 1G connection on my desktop and pin a core on the RB4011. So I guess the issue is something with my unRAID server and not the RB4011 like I thought it was. Now to figure out why it is having an issue.
 
millenium7
Long time Member
Posts: 538
Joined: Wed Mar 16, 2016 6:12 am

Re: RB4011 Slow Inter-VLAN Routing

Mon Sep 27, 2021 12:52 pm


> My switch is a CSS326-24G-2S+-RM, no routing in it. It has a single 10G trunk to the RB4011 with all the VLANs on it.

Traffic staying on the same VLAN won't be going through the router, it's staying on that switch. Ergo if your performance is slow within the same VLAN, the router (and thus firewall rules, NAT etc) is COMPLETELY irrelevant as it's not even being used
You might not be using the switch correctly, are all ports in the bridge and with the 'H' flag under the 'ports' tab? If not then it's going through the CPU of that switch and will be slow as balls
Check the actual port speeds, don't just assume. Ethernet cabling going to a PC might be running at 10mbit or 100mbit. Check the stats, there might be a bunch of CRC errors again indicating bad cabling (or bad NIC). Check the log for duplex mismatch, ARP conflicts or other issues

Don't just assume your switch is perfect, cause right now if what you say is true, I can guarantee you it isn't (or it's just a PC issue like a dying HDD)
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB4011 Slow Inter-VLAN Routing

Mon Sep 27, 2021 1:59 pm


> > My switch is a CSS326-24G-2S+-RM, no routing in it. It has a single 10G trunk to the RB4011 with all the VLANs on it.
>
> If not then it's going through the CPU of that switch and will be slow as balls

Slow as balls? Cannot recall hearing that expression.
Sperm in balls travel rather quickly though. :-)
With some research
Refers to the snail's pace at which the testicles are retracted upward into the groin area when exposed to cool temperatures. Dangit, this data connection is slow as balls!
Slow as molasses I can relate to but thanks learned a new one!
 
shaunmccloud
Frequent Visitor
Topic Author
Posts: 57
Joined: Tue Jun 02, 2015 5:06 pm

Re: RB4011 Slow Inter-VLAN Routing

Mon Sep 27, 2021 5:01 pm


> > My switch is a CSS326-24G-2S+-RM, no routing in it. It has a single 10G trunk to the RB4011 with all the VLANs on it.
>
> Traffic staying on the same VLAN won't be going through the router, it's staying on that switch. Ergo if your performance is slow within the same VLAN, the router (and thus firewall rules, NAT etc) is COMPLETELY irrelevant as it's not even being used
> You might not be using the switch correctly, are all ports in the bridge and with the 'H' flag under the 'ports' tab? If not then it's going through the CPU of that switch and will be slow as balls
> Check the actual port speeds, don't just assume. Ethernet cabling going to a PC might be running at 10mbit or 100mbit. Check the stats, there might be a bunch of CRC errors again indicating bad cabling (or bad NIC). Check the log for duplex mismatch, ARP conflicts or other issues
>
> Don't just assume your switch is perfect, cause right now if what you say is true, I can guarantee you it isn't (or it's just a PC issue like a dying HDD)

Keep in mind, the setup had no issues with pfSense. Only started with the RB4011. I did just try adding the SFP+ port to a bridge, but it isn't hardware accelerated. If I do 1Gbe ports, will the VLAN switching happen on the bridge or back to the CPU?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: RB4011 Slow Inter-VLAN Routing

Mon Sep 27, 2021 6:34 pm

> If I do 1Gbe ports, will the VLAN switching happen on the bridge or back to the CPU?

Where? On the 4011? "VLAN switching" means L2 forwarding within the same VLAN, so it is irrelevant for inter-VLAN routing, where the CPU has to strip the VLAN tag of the source VLAN to get to the IP packet, route it, and assign another VLAN tag to it prior to sending it into the destination VLAN. So the VLAN switching is not related to inter-VLAN routing. CRS3xx is another story, there the switch chip can handle routing as well, but this is not (yet?) the case with the switch chip of the 4011. Since your switch is a CSS, it cannot do that either.
