Page 1 of 1

Tunnel get only 400Mbps on CCR1036

Posted: Fri Mar 13, 2015 2:44 am
by eternal0
Two CCR1036 connet directly to each other. 1000Mbps link speed. Bandwith test can get 990Mbps result.
If we set up an EoIP/IPIP/GRE tunnel between them, no encryption, the maximum throughput in tunnel is 400Mbps. The usage of cpu1 is 100% and the others is idle.

Is there any problem?

Re: Tunnel get only 400Mbps on CCR1036

Posted: Sat Mar 14, 2015 10:56 am
by Petzl
2 Bonding tunnels ?

Re: Tunnel get only 400Mbps on CCR1036

Posted: Sat Mar 14, 2015 1:51 pm
by eternal0
2 Bonding tunnels ?
No bonding, only 1 EoIP/IPIP/GRE tunnel.
We also tested 2 EoIP and 2 EoIP as bonding slave(balance-rr). It seems like all tunnels share 400Mbps throughput.

Maybe the tunnel module of RouterOS is single threaded, CCR series is not suitable for VPN tunnel, and we need a x86 device to get a higher performance.

Re: Tunnel get only 400Mbps on CCR1036

Posted: Thu Jul 09, 2015 2:44 pm
by Pe3ucTop
Any news ?

Is it solved , any people reports?

Re: Tunnel get only 400Mbps on CCR1036

Posted: Thu Jul 09, 2015 3:27 pm
by mrz
What traffic is this? TCP? How many connections? Packet size? All of that can influence max BW.

Re: Tunnel get only 400Mbps on CCR1036

Posted: Fri Jul 10, 2015 5:38 pm
by doneware
Hi, as you play with EoIP/GRE tunnels (and basically any other tunnels) there is encapsulation in the game. with GRE it's 24 bytes overhead. e.g. if you transmit a normal ip packet which carries data, it will be added to the default 1500 bytes of IP MTU. this results a packet size bigger than the default MTU of the ethernet interfaces in most routers.
so after a packet has been GRE-encapsulated, the resulted packet must be fragmented. e.g. the second part will get a new IP header, and the two (or more in extreme cases) segments will be transmitted sequentially.
this is a cpu intensive task, and definitely will halve the packet forwarding rate.

if you can increase the MTU of the ethernet interfaces to accommodate bigger (baby giant) packets, it can be a solution. but you can't guarantee it throughout an uncontrolled network segment, say internet. so if it's just about "normal" ip traffic, which is in most cases TCP, you should make sure, that no big packets are transmitted.

you should decrease the MTU on the tunnel interfaces, but that's only the half of the job. you should lower the TCP max segment size (MSS) to a value which is low enough to be transmitted without fragmentation.
Say, 1460bytes of MSS + 20 bytes TCP header + 20 bytes IP header = 1500 byte.
if GRE is in the game, we start from 1500-24 bytes GRE header - 20 bytes original IP header - 20 bytes TCP header = 1436 bytes MSS. or to be safe, 1420. this can be accomplished on any side of the tunnel using firewall mangle rules, or if you run something post 6.26, clamp-mss=yes option is available on the tunnel interfaces. in this case you have to set the mtu of the tunnel down to 1476 so "auto-clamping" will choose the right MSS size.

Re: Tunnel get only 400Mbps on CCR1036

Posted: Sun Jul 12, 2015 10:49 pm
by atilla74
Looks like one more important candidate (along with BGP tables population) for multithreading for 7.0...

Re: Tunnel get only 400Mbps on CCR1036

Posted: Mon Jul 13, 2015 2:49 pm
by mrz
What? Ipsec and packet forwarding already has multi threading support.

Re: Tunnel get only 400Mbps on CCR1036

Posted: Wed Sep 23, 2015 10:56 pm
by Maggiore81
Hello.

so a plain GRE tunnel (no encryption) over a fiber link (MTU1500) between a central CCR and a remote RB2011 or 1100AHx2. what are the expected performance?

on a central HQ I plan to use a CCR 1009 and have 3 tunnels via fiber link to three remote sites:
a 10mb, b 30mb, c 300mb full duplex.

can the 1009 keep 500+ rate in a plain GRE tunnels?

Re: Tunnel get only 400Mbps on CCR1036

Posted: Thu Sep 24, 2015 10:14 am
by dada
Hello.

so a plain GRE tunnel (no encryption) over a fiber link (MTU1500) between a central CCR and a remote RB2011 or 1100AHx2. what are the expected performance?

on a central HQ I plan to use a CCR 1009 and have 3 tunnels via fiber link to three remote sites:
a 10mb, b 30mb, c 300mb full duplex.

can the 1009 keep 500+ rate in a plain GRE tunnels?
I have tested RB2011iLS recently. Two RB2011 were connected via 1gbps ethernet (ether1), EoIP between them, MTU on ether1 set to 1550. Two RB750GL were used to do UDP BW test through the RB2011 EoIP link. It showed slightly over 850mbps (one direction test). CPU on RB2011 was on 100%.
Results with default MTU on ether1 was much much worse (about 100mbps). So you definitely need to avoid fragmentation of encapsulated packets ...

I would expect CCR is more powerfull than RB2011...

Re: Tunnel get only 400Mbps on CCR1036

Posted: Mon Oct 05, 2015 10:46 am
by Maggiore81
Well.

the default MTU of all the path is 1500 (I mean the path trough my carrier to my remote router)

The MTU of all my phisical interfaces is 1500..

but when I create the tunnel, the tunnel the default MTU of the tunnel is 1476 (since GRE is 24byte header) 1476+1500 is perfect..

Re: Tunnel get only 400Mbps on CCR1036

Posted: Mon Oct 05, 2015 11:01 am
by dada
Well.

the default MTU of all the path is 1500 (I mean the path trough my carrier to my remote router)

The MTU of all my phisical interfaces is 1500..

but when I create the tunnel, the tunnel the default MTU of the tunnel is 1476 (since GRE is 24byte header) 1476+1500 is perfect..
but if the device with tunnel is a router then it receives 1500B packet from ethernet and then it must fragment the packet to 2 pieces when forwarding through the tunnel... You can try to manipulate TCP's MSS segment size to avoid the fragmentation but you have no such workaround for UDP and other packets..

Re: Tunnel get only 400Mbps on CCR1036

Posted: Mon Oct 05, 2015 4:29 pm
by Maggiore81
Well the LAN side of my router towards a routed networks to my internal LAN has MTU 1500. Everywhere on my network the MTU is 1500.

The WAN side of the router goes through a carrier's cloud (mtu 1500) towards my final router.

What are your suggestion for the MTU?