
Hardware bandwidth limitation?

Posted: Thu Sep 12, 2019 3:05 pm
by formerandroider
Hi,

Does anyone know if the hardware in a hAP ac^2 is capable of high-bandwidth loads? I have an ethernet port capable of 500Mbps, and if I connect my laptop to this directly, I get that (or nearly that), but when connecting through my hAP ac^2, I consistently get 200Mbps.

Liam

Re: Hardware bandwidth limitation?

Posted: Thu Sep 12, 2019 3:54 pm
by formerandroider
Hmm, I've tested both cables I'm using by hooking them directly to the ethernet port, and I get >400Mbps, but only ~200Mbps through the hAP ac^2... the online performance testing shows a much higher routing speed, so I have no idea what the bottleneck is here...

Re: Hardware bandwidth limitation?

Posted: Thu Sep 12, 2019 3:57 pm
by normis
Please post your configuration and other details.

Re: Hardware bandwidth limitation?

Posted: Thu Sep 12, 2019 4:00 pm
by formerandroider
Pretty simple (mostly default) configuration, ethernet cable connecting the building's ethernet port to the router's WAN port (Ether1), and another cable connecting the router to my MacBook, with a firewall rule to Masquerade the IP through the WAN port.

All ethernet ports are showing as connected at 1G full duplex.

Re: Hardware bandwidth limitation?

Posted: Thu Sep 12, 2019 4:34 pm
by Exiver
Nobody is able to guess what you have really configured. If you refuse to post the actual configuration everyone will be only able to guess thus consuming your and our time. So please be so gentle and post your configuration export (/export hide-sensitive)

Re: Hardware bandwidth limitation?

Posted: Thu Sep 12, 2019 4:40 pm
by formerandroider
> Nobody is able to guess what you have really configured. If you refuse to post the actual configuration everyone will be only able to guess thus consuming your and our time. So please be so gentle and post your configuration export (/export hide-sensitive)

Apologies, didn't know of the export feature. It's below.

Code:

# sep/12/2019 14:40:21 by RouterOS 6.45.6
# software id = K2WC-KK43
#
# model = RBD52G-5HacD2HnD
# serial number = A6490ADBCCFC
/interface bridge
add comment=defconf mtu=1500 name=bridge
/interface ethernet
set [ find default-name=ether1 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether2 ] mtu=1280
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=3 band=2ghz-b/g/n channel-width=\
20/40mhz-XX country="united kingdom" distance=indoors frequency=auto \
frequency-mode=regulatory-domain installation=indoor mode=ap-bridge ssid=\
LL2.4 wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] antenna-gain=3 band=5ghz-a/n/ac \
channel-width=20/40/80mhz-XXXX country="united kingdom" disabled=no \
frequency=auto frequency-mode=regulatory-domain hide-ssid=yes \
installation=indoor mode=ap-bridge mtu=1280 ssid="Liam's LAN" wps-mode=\
disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=aaisp next-pool=dhcp ranges=81.187.73.210-81.187.73.214
add name=as ranges=45.92.42.2-45.92.42.253
/ip dhcp-server
add add-arp=yes address-pool=as always-broadcast=yes bootp-support=dynamic \
disabled=no interface=bridge lease-time=2m30s name=defconf
/ipv6 pool
add name=as prefix=2a0e:1cc0:1::/48 prefix-length=64
/ppp profile
add change-tcp-mss=yes interface-list=WAN name=aaisp only-one=yes \
use-compression=no use-encryption=no use-upnp=no
add change-tcp-mss=yes interface-list=LAN local-address=45.92.42.1 name=\
local_server only-one=no remote-address=as remote-ipv6-prefix-pool=as \
use-compression=yes use-encryption=required use-upnp=no
add change-tcp-mss=yes interface-list=WAN name=vultr
/interface l2tp-client
add add-default-route=yes allow-fast-path=yes connect-to=78.141.203.226 \
keepalive-timeout=disabled max-mru=1280 max-mtu=1280 name=l2tp-vultr \
profile=vultr use-ipsec=yes user=liam
/routing bgp instance
set default as=208295 client-to-client-reflection=no disabled=yes out-filter=\
to_R1 redistribute-other-bgp=yes redistribute-static=yes
/system logging action
add name=firewall target=memory
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set accept-redirects=yes arp-timeout=1m icmp-rate-limit=15
/ipv6 settings
set accept-router-advertisements=no
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=1
/interface l2tp-server server
set caller-id-type=number default-profile=local_server enabled=yes max-mru=\
1280 max-mtu=1280 use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=45.92.42.1/24 interface=bridge network=45.92.42.0
add address=45.92.42.254/24 interface=bridge network=45.92.42.0
/ip dhcp-client
add default-route-distance=3 dhcp-options=hostname,clientid disabled=no \
interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=45.92.42.2 mac-address=A8:60:B6:14:31:BF
/ip dhcp-server network
add address=45.92.42.0/24 dns-server=45.92.42.1 gateway=45.92.42.1 netmask=24
add address=81.187.73.208/29 dns-server=81.187.73.209 gateway=81.187.73.209 \
netmask=29
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=45.92.42.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="Allow Plex from WAN" dst-address=\
45.92.42.2 dst-port=32400 protocol=tcp
add action=drop chain=forward comment=\
"Only allow LAN to talk to other LAN hosts" in-interface-list=!LAN
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid log=yes log-prefix="Invalid IN: "
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-address=127.0.0.1 in-interface-list=!WAN
# l2tp-vultr not ready
add action=accept chain=input dst-address=45.92.42.254 in-interface=\
l2tp-vultr protocol=ipsec-esp
# l2tp-vultr not ready
add action=accept chain=input dst-address=45.92.42.254 dst-port=500 \
in-interface=l2tp-vultr protocol=udp
# l2tp-vultr not ready
add action=accept chain=input dst-address=45.92.42.254 dst-port=4500 \
in-interface=l2tp-vultr protocol=udp
# l2tp-vultr not ready
add action=accept chain=input dst-address=45.92.42.254 dst-port=1701 \
in-interface=l2tp-vultr protocol=udp
add action=accept chain=input disabled=yes dst-port=53 protocol=udp
add action=accept chain=input disabled=yes dst-port=53 protocol=tcp
add action=reject chain=input in-interface-list=!LAN reject-with=\
icmp-network-unreachable
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-address=!45.92.42.1 dst-port=53 protocol=\
udp src-address=!45.92.42.1 to-addresses=45.92.42.1
add action=dst-nat chain=dstnat dst-address=!45.92.42.1 dst-port=53 protocol=\
tcp src-address=!45.92.42.1 to-addresses=45.92.42.1
/ip route
add distance=1 dst-address=169.254.169.254/32 gateway=192.168.42.1
/ipv6 address
add address=::764d:28ff:feb4:fc6e eui-64=yes from-pool=as interface=bridge
/ipv6 dhcp-relay
add interface=bridge name=relay1
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/ipv6 nd
set [ find default=yes ] advertise-dns=yes mtu=1280
/ipv6 route
add distance=1 dst-address=fe80::54:1234/128 gateway=l2tp-vultr
/ppp aaa
set accounting=no
/ppp secret
add name=liam profile=local_server service=l2tp
/routing bgp network
add network=45.92.42.0/24
/routing bgp peer
add address-families=ip,ipv6 disabled=yes multihop=yes name=vultr \
remote-address=192.168.42.1 remote-as=208295 remove-private-as=yes ttl=\
default update-source=l2tp-vultr
/routing filter
add action=discard chain=to_R1 invert-match=yes prefix=45.92.42.0/24
/system clock
set time-zone-name=Europe/London
/system identity
set name=as208295
/system leds settings
set all-leds-off=immediate
/system routerboard settings
set auto-upgrade=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Re: Hardware bandwidth limitation?

Posted: Thu Sep 12, 2019 5:08 pm
by Exiver
Great, now we can see what you have configured. To understand your problem better there are a few things you need to clear up:

- Are you connected to one of the ether2-ether5 ports and you are trying to measure the internet speed or are you testing your internal network speed?
- Since you have "use-ip-firewall" enabled under /int bridge settings every packet transferred on your bridge has to travel through your firewall rules.
- If you are testing the internet speed you should not forget that you are masquerading every packet with your first rule under /ip firewall nat

Re: Hardware bandwidth limitation?

Posted: Thu Sep 12, 2019 5:14 pm
by formerandroider
> Great, now we can see what you have configured. To understand your problem better there are a few things you need to clear up:
>
> - Are you connected to one of the ether2-ether5 ports and you are trying to measure the internet speed or are you testing your internal network speed?
> - Since you have "use-ip-firewall" enabled under /int bridge settings every packet transferred on your bridge has to travel through your firewall rules.
> - If you are testing the internet speed you should not forget that you are masquerading every packet with your first rule under /ip firewall nat

I'm connected via an ethernet port. I've disabled the bridge IP firewall, as it wasn't needed. Hasn't had an effect though. I need to masquerade, as I'm behind NAT already through the ethernet cable, but would firewall masquerade really cause a 60% bandwidth loss?

Re: Hardware bandwidth limitation?

Posted: Thu Sep 12, 2019 5:23 pm
by Exiver
There are a few options to check your processor's usage. The first one would be the Profiler: https://wiki.mikrotik.com/wiki/Manual:Tools/Profiler
As a second option you could check the CPU usage with /system resource cpu print interval=0.5

The profiler may even be able to tell you where the bottleneck is. Since we have only a handful of hAP ac^2 provisioned and none of our users has this speed as uplink, I cannot say for sure if NAT and your firewall rules (even with fasttrack) are too much for that device. IMHO it should be able to transfer more than 200Mbit with that processor (quad-core ARM).

Re: Hardware bandwidth limitation?

Posted: Thu Sep 12, 2019 5:31 pm
by formerandroider
Ok, this is strange. I used the profiler, and the total value peaked at only 10%. Same when I used the CPU resource command as well (peak at just over 10% usage)...

Re: Hardware bandwidth limitation?

Posted: Thu Sep 12, 2019 5:52 pm
by Exiver
How are you testing the speed? Are you using direct http-downloads or some specific tools? Is there any other traffic flowing through the hap ac^2? The switch chipset is limited to 2Gbit when transferring data to or from the CPU.

Re: Hardware bandwidth limitation?

Posted: Thu Sep 12, 2019 5:56 pm
by formerandroider
I'm using two speedtest websites, the same ones I used when testing with the computer directly connected to the room's ethernet port. The only other traffic on the hAP would be some background WiFi traffic.

500Mbps is significantly less than 2Gbps, so I doubt I'm reaching that limit.

Re: Hardware bandwidth limitation?  [SOLVED]

Posted: Thu Sep 12, 2019 6:55 pm
by savage
set [ find default-name=ether1 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether2 ] mtu=1280

Why are you running a 1280 MTU? Set flow-control to off too.

This isn't a standard config, there's a LOT of "other" stuff here.
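
The settings questioned in this thread (flow control on ether1, the 1280 MTU on ether2, and "use-ip-firewall" on the bridge) can be picked out of an export automatically. The following is an added example, not code from any poster or from MikroTik; the function names and the sample text are constructed for illustration, and it assumes a key absent from the export is at its default (flow control off, MTU 1500).

```python
import re

# Constructed sample in the style of the export posted in the thread.
SAMPLE_EXPORT = r"""
/interface ethernet
set [ find default-name=ether1 ] rx-flow-control=auto tx-flow-control=\
    auto
set [ find default-name=ether2 ] mtu=1280
set [ find default-name=ether3 ] rx-flow-control=off
/interface bridge settings
set use-ip-firewall=yes
"""

def logical_lines(text):
    """Yield (menu, command), joining lines continued with a trailing backslash."""
    menu, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]      # exports may split in the middle of key=value
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line              # a menu path applies to the commands below it
        else:
            yield menu, line

def params(command):
    """Return the key=value pairs of one command, including those inside [ find ... ]."""
    return dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', command))

def audit(text):
    """Return (interface, setting, value) for each setting the thread called out."""
    findings = []
    for menu, cmd in logical_lines(text):
        p = params(cmd)
        if menu == "/interface ethernet":
            name = p.get("default-name", "?")
            for key in ("rx-flow-control", "tx-flow-control"):
                if p.get(key, "off") != "off":       # assumption: absent means off
                    findings.append((name, key, p[key]))
            if p.get("mtu", "1500") != "1500":       # assumption: absent means 1500
                findings.append((name, "mtu", p["mtu"]))
        elif menu == "/interface bridge settings" and p.get("use-ip-firewall") == "yes":
            findings.append(("bridge", "use-ip-firewall", "yes"))
    return findings

if __name__ == "__main__":
    for item in audit(SAMPLE_EXPORT):
        print(*item)
```
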

Re: Hardware bandwidth limitation?

Posted: Fri Sep 13, 2019 12:40 am
by formerandroider
I've since reset the MTU, it was set to a lower value as I have an L2TP tunnel I put everything through, but I've disabled it while I figure out why the bandwidth was so low.

Setting flow-control to off seems to have solved it... I have no idea why it wasn't off, is off the default?

Thanks!

Liam

Re: Hardware bandwidth limitation?

Posted: Fri Sep 13, 2019 7:59 am
by chechito
For a complex configuration and 500mbps, better to use an rb4011 (no-wifi version) and use the hap ac2 for wifi as an access point.

The hap ac2 can do up to 1gbps, but only with a very optimal configuration.

For complex configurations you can expect around 200mbps. I think that is normal and a very good result for a 70 usd device that includes gigabit ports and dual-band wifi.

Re: Hardware bandwidth limitation?

Posted: Fri Sep 13, 2019 8:50 am
by lambert
> Setting flow-control to off seems to have solved it... I have no idea why it wasn't off, is off the default?

Flow control is supposed to be a good thing, if you have a limited speed (less than ethernet line rate), limited buffer depth device between you and the next hop.

Whether that works out or not depends a lot on the limited speed device and how it has implemented flow control and its buffers. It's one of the settings you toggle to see if things get better or worse.

Re: Hardware bandwidth limitation?

Posted: Fri Sep 13, 2019 9:05 am
by savage
> > Setting flow-control to off seems to have solved it... I have no idea why it wasn't off, is off the default?
>
> Flow control is supposed to be a good thing, if you have a limited speed (less than ethernet line rate), limited buffer depth device between you and the next hop.

http://virtualthreads.blogspot.com/2006 ... ntrol.html

Just one of the many, many sites giving decent explanations and inner workings of flow-control. In short, I never use flow-control on intermediate routers, only on the end-user devices.

Bad things can, and do, happen (as is evident in this very post) with flow-control enabled on routers.