Hi,
i have a simple PCC load balancing configuration on a RB3011 router, i cannot get more than 750 Mb/s of throughput, i see one of the two CPUs 80/90% tops, is there anything i can do to improve (i known i can't activate FastTrask because of mangle rules)?
Here is the configuration:
/interface bridge
add name=bridge-lan protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN1
set [ find default-name=ether2 ] name=ether2-WAN2
/interface bridge port
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether5
add bridge=bridge-lan interface=ether6
add bridge=bridge-lan interface=ether7
add bridge=bridge-lan interface=ether8
add bridge=bridge-lan interface=ether9
add bridge=bridge-lan interface=ether10
/ip address
add address=192.168.5.1/24 interface=bridge-lan network=192.168.5.0
add address=192.168.0.150/24 interface=ether1-WAN1 network=192.168.0.0
add address=192.168.10.150/24 interface=ether2-WAN2 network=192.168.10.0
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.0.0/24 in-interface=\
bridge-lan
add action=accept chain=prerouting dst-address=192.168.10.0/24 in-interface=\
bridge-lan
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=ether1-WAN1 new-connection-mark=WAN1_conn passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=ether2-WAN2 new-connection-mark=WAN2_conn passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
WAN1_conn passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
WAN2_conn passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
in-interface=bridge-lan new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
in-interface=bridge-lan new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_conn \
new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn \
new-routing-mark=to_WAN2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat log-prefix=WAN1: out-interface=ether1-WAN1
add action=masquerade chain=srcnat log-prefix=WAN2: out-interface=ether2-WAN2
/ip route
add disabled=yes distance=1 gateway=192.168.0.1 routing-mark=to_WAN1
add disabled=yes distance=1 gateway=192.168.10.1 routing-mark=to_WAN2
add disabled=yes distance=1 gateway=192.168.0.1
add disabled=yes distance=2 gateway=192.168.10.1
Re: RB3011 max throughput
You can fasttrack 50 % of the connections if you add matching on connection-mark=WAN1_conn to the action=fasttrack-connection rule.
Since the preferred route in routing table main is the one via WAN1, you don't need a routing-mark to be assigned to the packets to take this route (when WAN 1 is up), so these packets don't need to pass through mangle.
Since the preferred route in routing table main is the one via WAN1, you don't need a routing-mark to be assigned to the packets to take this route (when WAN 1 is up), so these packets don't need to pass through mangle.
Re: RB3011 max throughput
If you want to save every single CPU cycle, you can also slightly rearrange the rules in chain prerouting of mangle:
chain=prerouting connection-mark=WAN2_conn in-interface=bridge-lan dst-address-list=!local-subnets action=mark-routing new-routing-mark=to-WAN2 passthrough=no
chain=prerouting connection-state=!new action=accept
chain=prerouting in-interface=ether2-WAN2 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
chain=prerouting in-interface=bridge-lan per-connection-classifier=both-addresses:2/1 new-connection-mark=WAN2_conn passthrough=yes
chain=prerouting connection-mark=WAN2_conn in-interface=bridge-lan dst-address-list=!local-subnets action=mark-routing new-routing-mark=to-WAN2
With this order of rules, the packets that should go out via WAN2 hit only a single rule; all other mid-connection packets that make it to mangle hit two. So on average 1.5 mangle rule per packet for WAN 2 connections, and on average 0 mangle rules for WAN 1 connections thanks to fasttracking. The rest of the rules only handles the initial packet of each connection, which is a normally a negligible part of the total traffic volume.
It is a popular misconception that dst-address-type=local matches on all addresses in connected networks; actually, it only matches on own addresses of the router. But packets to the own IP address of the router are not affected by the routing-mark. So the dst-address-list=!local-subnets match condition is only required if you have multiple LAN subnets, because packets between hosts in the same subnet are not routed at all.
chain=prerouting connection-mark=WAN2_conn in-interface=bridge-lan dst-address-list=!local-subnets action=mark-routing new-routing-mark=to-WAN2 passthrough=no
chain=prerouting connection-state=!new action=accept
chain=prerouting in-interface=ether2-WAN2 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
chain=prerouting in-interface=bridge-lan per-connection-classifier=both-addresses:2/1 new-connection-mark=WAN2_conn passthrough=yes
chain=prerouting connection-mark=WAN2_conn in-interface=bridge-lan dst-address-list=!local-subnets action=mark-routing new-routing-mark=to-WAN2
With this order of rules, the packets that should go out via WAN2 hit only a single rule; all other mid-connection packets that make it to mangle hit two. So on average 1.5 mangle rule per packet for WAN 2 connections, and on average 0 mangle rules for WAN 1 connections thanks to fasttracking. The rest of the rules only handles the initial packet of each connection, which is a normally a negligible part of the total traffic volume.
It is a popular misconception that dst-address-type=local matches on all addresses in connected networks; actually, it only matches on own addresses of the router. But packets to the own IP address of the router are not affected by the routing-mark. So the dst-address-list=!local-subnets match condition is only required if you have multiple LAN subnets, because packets between hosts in the same subnet are not routed at all.