MikroTik

Hello,
I just got the RB4011iGS+RM and there are no switch settings on the WinBOX or on webfig. I have tried to upgrade to the new 6.43.4 version and downgrade it to 6.43.3 and install 6.43.4 via netinstall. No luck. I have a RB1100 that uses the same CPU and switch chips. The switch settings are there.
Does this mean this is an indication of hardware malfunction?

Use CLI to alter switch settings. Not all features are supported though.

I tried already. So far it can't accept any settings. I tried to set VLAN mode and to add some rules. No luck. Is this problem due to a switch chip limitation, a hardware implementation limitation, or hardware failure? Is the fact that Winbox can't show the settings for the switch deliberate or it just an indication of faulty hardware? This unit is brand new and no match information available. My assumption is that it has to be similar to the RB1100. RB1100 accepts the rules and VLAN settings. It has the same CPU and the same switch chip.

The RB4011 uses the RTL8367 switch chip.

It means:

Feature RTL8367
Port Switching: yes
Port Mirroring: yes
TX limit: no
RX limit: no
Host table: 2048 entries
Vlan table : no
Rule table: no

Yes I know. The question is if the MK implemented this chip in the same way as on RB1100?

On 1100AHx4 is possible configure VLAN and add rules on switch chip?

RB1100 has the same chip and the switch settings are there in Winbox. In my case the settings are not there. That fact the settings are not there can indicate the hardware malfunction or it was done deliberately by Mikrotik?

You speak about RB1100AHx4 with RTL8367
or RB1100AHx2 with Atheros8327
or RB1100 with Atheros8316

These are three different models. Everyone with another switch chip. Only AHx4 have same switch chip

RB1100AHx4 with RTL8367

RB1100AHx4 with RTL8367

I have not this model in network. Can you make screen of switch menu in winbox? Thanks

The switch tab is missing

This is RB1100. The switch tab is there

The switch tab is missing

Yes, I know. In my rb4011 is switch menu also missing. Why do you need this menu? Switch chip in rb4011 is only for switching and mirroring. It is possbile configure via winbox...

On rb1100AHx4 - what is inside switch menu? You can in rb1100AHx4 configure VLAN in switch menu?

My assumption is that the RB4011 is similar to the RB1100. Same SPU, switch chip and firmware. That fact the switch tab is not there may indicate the following: MK implemented that chip differently on the RN4011 unit or it is a hardware malfunction. This is the nature of my inquiry. If it is a hardware malfunction, the unit needs to be replaced regardless if you are using these settings or not. It may lead to different problems. If it was made deliberately by MK, it means the hardware is functioning properly and we don't have to do anything.

I have at least 7 different MK devices in my company. Only CCR1009 has no switch chip settings because it has no switch chip. All others have this settings tab.

In the past, it has already happened with new routerboards. And it does not matter to anything
RB4011 is simply "too much" new.
Personally, I think the "switch tab" will come in the new versions of ROS

I really hope so

But it still worth to discover if this is the case

The switch tab is missing

Note, I have the RB4011 too, and the switch tab is not present.

Same here, no Switch tab present wit ROS 6.43.4, should not matter much anyways.

Hi. Same here. RB4011iGS+5HacQ2HnD - no Switch menu. Software and firmware - 6.43.7. Winbox - 3.18

*) winbox - show "Switch" menu on RB4011iGS+5HacQ2HnD and RB4011iGS+;

Added in 6.43.8

I don't know much about router hardware but I came from a computer hardware enthusiast background. In that circle, Realtek ethernet = crap (we want Intel).

So I'm interested in RB4011 as a low-cost SOHO router. Should I be worried about the fact that it uses a Realtek made switch chip?

Also, I can find no serous reviews of this product most likely because it's relatively new. From the posts in this forum, my impression is that wireless performance is not good, probably much worse than a $200 consumer grade ASUS Wi-Fi router.

However, if we look past Wi-Fi, how are the routing and switching capabilities of this unit? Mikrotik's performance spec sheet for this model has some pretty impressive numbers for this unit, but is it really as good as what the paper says? I have some small business clients who don't want to spend more than $200 on a router, and oftentimes they'd turn to the consumer grade stuff. If the RB4011 is truly a solid performer as a router, we can probably live with the slower Wi-Fi in exchange for RouterOS.

What do you think of this product overall? Any competitors' models to compare it to?

Yes, Realtek is indeed a sad choice. But my guess is that Mikrotik isn't using the RTL8367 for the purpose of a ethernet-switch, it's used for "port extender/splitter" for the 2.5Gbps SGMII channels and are not actually performing any switching port-to-port.

If you need to move data in non-blocking wirespeed all day long with low overhead, get a "real" switch with the proper hardware (chipset) for it.

Yes, Realtek is indeed a sad choice. But my guess is that Mikrotik isn't using the RTL8367 for the purpose of a ethernet-switch, it's used for "port extender/splitter" for the 2.5Gbps SGMII channels and are not actually performing any switching port-to-port.

I guess the intention is to have RTL8367 perform port-to-port switching or else full wire-speed wouldn't be possible. Probably it actually does work when HW offload is active.

The sad thing (but that's true for all but the highest-end devices) is that any advanced stuff (VLAN filtering included) is done in software and then it doesn't really matter which switch chip is used, it'll be the interconnects between switch chip and device's CPU that will become bottleneck. Even more sad is the fact that new ROS versions, moving things from hardware to software, actually degrade performance of otherwise decent devices (such as RB951G).

The sad thing (but that's true for all but the highest-end devices) is that any advanced stuff (VLAN filtering included) is done in software and then it doesn't really matter which switch chip is used, it'll be the interconnects between switch chip and device's CPU that will become bottleneck.

True but there's an interesting observation to be made here:

Take a hAP ac unit which is a 720MHz single core MIPS device and the RB4011iGS+5HacQ2HnD-IN which boasts a quad core 1.4GHz Cortex A15.
If you have a few VLANs in place, i.e. one for hosts (PCs), one for each CPE (internet gateways), one for VMs and one for servers (NAS units, Hypervisors, UPS devices, Raspberry Pis, etc) - then you most likely would want to have some mangle rules running 24/7, thus requiring you to keep the "Use IP Firewall" and "Use IP Firewall for VLAN" bridge settings on.

Let's say that we want to move a big file from our NAS, such as a Linux Distribution iso, to one of the hosts so we can create a bootable USB installation media.
On the hAP ac the processor will instantly shoot to 100% and our transfer speed will not be able to surpass 110MB/s.
On the RB4011 the processor will instantly shoot to 25% (100% on one core) and our transfer speed will still not be able to surpass 110MB/s. Even though that one core offers double the frequency compared to the older model's CPU.
I wouldn't personally believe (as the transfer is single threaded) that it's because that the MIPS processor is twice as efficient - simply because the RB4011's CPU can greatly outperform the hAP ac in intensive tasks such as packet marking, and with about 30 times less CPU usage too. (Test was conducted with 4 packet marking rules and 9 queue trees)

The hAP ac can achieve 125MB/s transfer speed with tolerable or minimal CPU load, if the "Use IP Firewall" option is disabled.. but that would render the whole mangle table useless, as every interface is basically a bridge slave.

So my closing statement is the following:
I'm okay with doing things in software, as it makes them a tad easier to configure and nowadays devices have enough power that indeed (performance-wise) makes it no different than what the hardware could've instead offered. But even though the hardware is becoming more powerful, in many orders of magnitude, why do we still have to pay such a ridiculous performance penalty for basic things?

And to anyone that's about to go ahead and do it, please don't kid yourself by saying that: a 230EUR device shouldn't be used for VLANs, mangle and routing combined.

Do you expect full gigabit with IP-firewall enabled trough a $45 device?

As someone mentioned, the RB4011 is not a switch, it will never be good at it.

Do you expect full gigabit with IP-firewall enabled trough a $45 device?

As someone mentioned, the RB4011 is not a switch, it will never be good at it.

Pardon me, but do 230€ convert to $45? If not, then yes, I am expecting it (but not in the sense you may assume).
PS: I refer to it's sibling, the RB4011iGS5HacQ2HnD-IN. But even the RB4011iGS+RM costs around 170€ (including VAT).

Even if you buy a switch, you still need a router for interVLAN routing - which throws you back at square one.
L3 switches don't fit the bill either, assuming you can even do advanced mangle stuff there - they won't even have the juice to do them proper.

IP-Firewall means that all bridge traffic goes through the CPU. The switching chip is irrelevant at this point, so this is not a necessarily a rant about RTL8367.
There is absolutely no reason for a device with at least twice as much compute power, to still perform exactly the same, sorry.

a device for VLANs, mangle and routing combined.

Agree, this is not an unreasonable request. The future has arrived, and it's lots of tiny IoT devices that have zero security and need to be quarantined off from each other and most definitely my network. They'll probably connect over wifi and 5G, so we need a 5G router/switch to keep all this nonsense at bay.

I have 72 ports available at one particular network I manage, maybe 10 physical ports are in use. We need router/switch (switch = vlan) units managing wifi and fiber links, type devices. No one is complaining about MikroTik hardware costs.

Bad choice of switch chips plague Mikrotik devices for some time. It's really bad decision to not spend maybe a few $ more on a chip that would do all the VLAN stuff and not suffer from port flopping either. On $250 device you expect some level of functionality and if using proper switch chip meant the device would cost $10, I would happily pay the extra if it meant it would work properly.
Just see the table of features here: https://wiki.mikrotik.com/wiki/Manual:S ... p_Features
RTL8367 is one of the worst chips you can find in your RB device. Totally not fit for a high performance device like RB4011.

If one acceprs shitty switch chip in a multi-port device because allports will be routed, then all interfaces need wire-speed connectivity to CPU without bottlenecks. Which is not the case with RB devices ...

If one acceprs shitty switch chip in a multi-port device because allports will be routed, then all interfaces need wire-speed connectivity to CPU without bottlenecks. Which is not the case with RB devices ...

I don't believe that my initial rant reeks of acceptable.. but do you have a better alternative in mind? Because I don't.
Then there's no choice but to eventually accept it. Because for that specific class and feature set, that's the only device available to us.
We (the customers) are clearly not even taken into consideration when it comes to hardware choice decisions, so let's not beat that dead horse further.
I personally wouldn't mind ponying up significantly more cash and getting a more complete product with proper switching chips, 5G interconnects, wire-speed to the CPU, a USR led and a beeper. (And if a v2 comes along that satisfies those things, you'd bet I'd be the first in line to get it)

Otherwise true, I just ran a test from one switch chip to the other and the speed is 113MB/s at best, so definitely not wire-speed.
But why does the lack of it necessarily translate to 100% utilization on one core? This one still evades me.

But why does the lack of it necessarily translate to 100% utilization on one core? This one still evades me.

My guess: driver is exchanging data with switch chip in a busy loop, polling for next chunk of data in Rx path and polling for opportunity to deliver next chunk of data in Tx path.

I agree that Mikrotik sometimes goes in to unnecessary low-price warfare. It would be better to spend some $ to use proper components for the pure non-consumer products.

I'm still curious what the future holds for the CCR line, they are an very important product, and is less price-sensitive.

Otherwise true, I just ran a test from one switch chip to the other and the speed is 113MB/s at best, so definitely not wire-speed.

And now that I think of this, another question comes to mind..
According to the hardware diagrams here and here, there's supposed to be a 2.5Gb/s interconnect from the switching chips to the CPU.
So how come that not even 1 true Gbps could not be achieved?

Or is it that each port can reach up to 113MB/s, meaning that I can have 4 ports (two from each chip) talking to each other and still be fine? Confused.

113MB/s equates to approx 1Gb/s, and that is the interface limit

113MB/s equates to approx 1Gb/s, and that is the interface limit

Okay, that's a relief - at least in terms of what I want to do.

One last question and I'll stop derailing this topic:

Do different switch chips (i.e. RTL8367 vs QCA8337) offer different interface limits?
Because without "IP-Firewall" enabled, I was able to see 125MB/s instead, on the hAP ac units. (Different VLANs so traffic went through the CPU for routing)

Hello,

According to my searchs, it seems that RTL8367 is able to do lots of programmable things:

RTL8367N tells:

In order to support flexible traffic classification, the RTL8367N supports 64-entry ACL rule check and multiple action options. Each port can optionallyenable or disable the ACL rule check function. The ACL rule key can bebased on packet physical port, Layer2, Layer3, and Layer4 information.When an ACL rule matches, the action taken is configurable toDrop/Permit/Redirect/Mirror, change priority value in 802.1q/Q tag, and ratepolicing. The rate policing mechanism supports from 8Kbps to 1Gbps (in8Kbps steps)

But lots of other RTL8367 variants say similar facts.

So i wonder if the real limitation is related to RealTek, or if that's only related to Mikrotik:
- considering CPU is powerful enough not to try to fully expose hardware function to RouterOS
- because they have no time/priority to give to expose all these functions
or both

Do somebody have more information on this?

On my side, i think that the lack of homogeneous hardware functions with growing bugs on bridge filtering is a real pain...
- bridge filter 802.1p tagging is no more functioning when vlan filtering is active => no fixes from Mikrotik for months
- 802.1p tags are lost when packets are forwarded between ports => no fixes nor workarounds from Mikrotik for months (bridge filter would be a workaround if not buggy)
- no L2 functions on newest routers switches (RB110AHx4, RB4011...)
- ARM devices performance is suboptimal
That becomes quite difficult to get a high performance router with advanced VLAN and VLAN priority with so much bugs limitations.

To get as much L2 functions on RTL based routers as on older routers would be great while waiting for mikrotik to solve all RouterOS bridge issues, if they, one day do...

Thank you for your comments.