hEX NAT performance

Posted: Tue Oct 03, 2017 8:25 am
by Raf
Hi,

I just bought an RB hEX to use as a router at home for an FTTH ONT that works in bridge mode. The hEX acts as the home router and is configured this way:
LAN1 -> WAN
LAN2 -> master port
LAN3-5 -> slave ports
There is also a DHCP server and masquerade. No filter rules in the firewall, no queues. A really simple configuration.

This config was used with the latest stable ROS v6.40.3, and it was also tested after upgrading to the newest rc version, which has hw-offload in bridge.

My question is about actual NAT performance between WAN<->LAN ports. How should the hEX really perform? Because I cannot achieve more than 560-600 Mbps, and I think this is a bit too small a value for a two-core 880 MHz CPU. Or am I wrong?
And yes – I also tested it bypassing the hEX and plugging my computer in directly after the FTTH ONT, and then I'm nearly saturating the GbE port, achieving ~930 Mbps.

Is the hEX really that slow?

Re: hEX NAT performance

Posted: Tue Oct 03, 2017 9:02 am
by darkprocess
Is fasttrack activated? If not, you need to put in the fw rules.

Re: hEX NAT performance

Posted: Tue Oct 03, 2017 9:16 am
by Raf
Oh. Totally forgot about Fasttrack. I've activated it and yes, the performance hit nearly 2X. Now it works like it should.

BTW – MT Wiki says:
"Fasttracked packets bypass firewall, connection tracking"
So now, with Fasttrack, does conntrack work or not?

Re: hEX NAT performance

Posted: Tue Oct 03, 2017 7:13 pm
by vadimbn
The MT7621A includes the PPE (Packet Processing Engine), but RouterOS cannot work with it. So yes, the hEX will limit the speed of the network without fast tracking. And speed will be more limited if you use any tunnels or many firewall rules. The Ubiquiti ER-X will be better for network address translation at gigabyte speed - its EdgeOS can use HW_NAT (PPE) and CryptoEngine simultaneously. RouterOS can use only CryptoEngine for IPsec tunnels (and it is also great, but...).

So I have a question for Mikrotik's developers and managers - is there any chance that HW_NAT will be used by RouterOS in the future?

Re: hEX NAT performance

Posted: Sun Oct 08, 2017 1:25 pm
by troffasky
Raf wrote:
> BTW – MT Wiki says:
> Fasttracked packets bypass firewall, connection tracking
> So now with Fasttrack conntrack works or not?

Connection tracking is essential for NAT, so either that page is wrong, or there is a subtlety to the phrase "connection tracking" as they use it.

Re: hEX NAT performance

Posted: Sun Oct 08, 2017 1:44 pm
by andriys
troffasky wrote:
> Connection tracking is essential for NAT, so either that page is wrong, or there is a subtlety to the phrase "connection tracking" as they use it.

Fasttrack is, essentially, FastPath + connection tracking. But since fasttracked packets bypass the firewall almost entirely, connection tracking becomes barely usable for anything except NAT and fasttrack itself.
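
The "fw rules" mentioned earlier in the thread, sketched as an added example (not posted by any participant): a RouterOS v6 forward chain that enables FastTrack while still applying policy to the first packet of each connection, since later fasttracked packets skip the filter chain. The interface name ether1 for the WAN port and the rule comments are assumptions.

```routeros
# Added example. Assumption: WAN is on ether1, LAN ports are behind the master port.
/ip firewall filter
# Established/related traffic is marked for FastTrack; from then on most of
# its packets bypass filter, mangle and queues, which is where the speed-up comes from.
add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack"
# Some packets of a fasttracked connection still take the slow path,
# so they need an explicit accept.
add chain=forward action=accept connection-state=established,related comment="accept established,related"
# Policy is enforced here, on packets that are not yet fasttracked.
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 comment="drop unsolicited WAN->LAN"

/ip firewall nat
# Masquerade still relies on the connection tracking entry created for the flow.
add chain=srcnat action=masquerade out-interface=ether1 comment="masquerade"
```

Counters on the fasttrack rule and the established/related accept rule (`/ip firewall filter print stats`) show how much traffic is taking each path.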