 
WitekB
just joined
Topic Author
Posts: 6
Joined: Sun Oct 27, 2013 1:43 am

NAT performance on CCR1009-8G-1S-1S+

Thu Mar 03, 2016 10:35 pm

Hi,

I am a happy long-time user of three RB493G boards, acting as WiFi access points, but also as SNAT/DNAT boxes and simple firewalls, and some GRE tunneling boxes.

I just found out that I cannot do more than 250Mbps one-way NAT (Masquerading) on it without hitting 100% CPU. Even removing all the firewall rules and using fasttrack, I was only able to achieve 300Mbps one way.

I know CCR1036 is able to push 1Gbps with NAT with less than 10% CPU usage, so I was wondering if I could do something similar cheaper on CCR1009 or CCR1016, with a relatively small firewall ruleset? Do I need to use fasttrack, or could it still handle 2Gbps full duplex in software, with a reasonably small firewall, SNAT/MASQUERADE, maybe a few DNAT rules (some IP based, some port or port range based), and bridging between most of the Ethernet ports? I will also be doing native IPv6 routing (with some custom VLAN on some ports), up to 2Gbps full duplex. I might also be doing some GRE and OpenVPN tunneling, but that would probably be less than 30Mbps on average, but the peak could still be close to 1Gbps.

How many PPS can I NAT between two ports on the 1009? How much more on the 1016? Will it scale well if all packets belong to one flow, or do I need to have multiple flows (i.e. multiple UDP, TCP connections) to utilize all cores well?

I can do that pretty easily on a PC with a few-years-old CPU (NAT between two Gigabit Ethernet ports) and a bunch of bash scripts, but would love the compactness of the CCR and its nice built-in management and configuration. Not to mention more Ethernet ports and lower power consumption, and probably better latency.

Thanks.
 
WitekB
just joined
Topic Author
Posts: 6
Joined: Sun Oct 27, 2013 1:43 am

Re: NAT performance on CCR1009-8G-1S-1S+

Thu Mar 03, 2016 10:37 pm

BTW, another reason for CCR over PC is that it has a built-in SFP and a few more ports, so I can connect my fiber connection directly instead of using an external media converter, or connect to my backup network provider with automatic failover. But really, even a CCR with just 3-4 RJ45 ports would be enough for me, if it can do 2Gbps or more of NAT for reasonably small packets.
 
chechito
Forum Guru
Posts: 1773
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: NAT performance on CCR1009-8G-1S-1S+

Thu Mar 03, 2016 11:12 pm

I think you are right on the point of a frequently asked question on the forum, and the respective consequences of someone buying a device which in the field does not meet their expectations.

I think MikroTik has to document and establish device performance beyond the actually published performance:

Bridging (fast path)
Bridging 25 bridge filter rules
Routing (fast path)
Routing 25 simple queues
Routing 25 ip filter rules

For example, Cisco, for ISR routers (a direct competitor of some MikroTik products), has published documents about:

IPsec maximum performance per platform
Firewall performance throughput and concurrent sessions
QoS performance test using mixed size packets at 75% CPU usage
NAT performance test using mixed size packets at 75% CPU usage

Beyond that, Cisco establishes recommendations to position the device by:

IPsec performance
NAT + QoS + ACL performance at 75% CPU usage with mixed size packets

All this information is consolidated in a simpler, global performance positioning:
WAN Circuit Speed with services enabled recommended for the device
 
WitekB
just joined
Topic Author
Posts: 6
Joined: Sun Oct 27, 2013 1:43 am

Re: NAT performance on CCR1009-8G-1S-1S+

Thu Mar 03, 2016 11:28 pm

Right, I heard that complex HTB queueing, traffic shaping and QoS, with additional use of ipmarks or complex matching, doesn't scale very well in MikroTik/RouterOS, and probably not much better in the Linux kernel either. I was doing that on Linux boxes in the past (almost 15 years ago), but that was in the times when just 20Mbps was a luxury where I live, so Linux worked really well. I never tested HTB and complex shaping over 100Mbps (maybe 10 years ago), so I do not know what the current state of the art is or how MikroTik hardware handles that.

I agree with you, it would be really really awesome to see these performance numbers for different use cases, at 75% CPU load.
 
WitekB
just joined
Topic Author
Posts: 6
Joined: Sun Oct 27, 2013 1:43 am

Re: NAT performance on CCR1009-8G-1S-1S+

Thu Mar 03, 2016 11:44 pm

I just checked Cisco's "Cisco Integrated Services Routers—Performance Overview" from 2010, and indeed it is really nice, showing how different features in semi-realistic test conditions affect performance. And it nicely shows that even high-end routers that could route 8Gbps of traffic will only deliver about 350Mbps when using NAT/PAT + hierarchical QoS + ACLs. That really helps determine which device to buy.
 
boxpik
just joined
Posts: 7
Joined: Fri Jul 29, 2016 1:28 am

Re: NAT performance on CCR1009-8G-1S-1S+

Fri Jul 29, 2016 2:02 am

Maybe somebody has had experience with the CCR1009 and could advise me, please.
In my case: 500 active clients, 500 mbit/s NAT, 20 firewall rules, mangle rules for traffic shaping, simple queue tree - nothing special.
Will the CCR1009-8G-1S-1S+ be more than enough for such a purpose, or is it better to choose the CCR1016-12G?

Kind regards
 
hashbang
Member Candidate
Posts: 164
Joined: Sat Jul 26, 2014 6:38 pm

Re: NAT performance on CCR1009-8G-1S-1S+

Fri Aug 05, 2016 8:50 pm

Queues are resource hungry. As soon as traffic passes beyond a certain limit, the consumption of CPUs goes up to alarming levels.
CCR-1036: max 200kpps passing through a single queue is enough to take all 36 cores to 100%.
iptables mangle rules like change TOS, packet marking are resource hungry.
It really depends on how much traffic is passing through these rules/queues.
Please read my other posts related to CCRs.
Go for the 1016; on the 1009 you may reach the threshold point.
