Fiberguy
just joined
Topic Author
Posts: 3
Joined: Thu Jun 23, 2022 8:44 am

RouterOS NAT Rules Enabled now speed cut 50%

Thu Jun 23, 2022 8:47 am

Hello all!

I am fairly new to the RouterOS world - but willing to learn. I am coming from the poorly-built SOHO equipment of Ubiquiti.

I have a CCR1036-8G-2S+EM paired with my 6 Gbps symmetrical fiber. The ISP supplied me a Juniper ACX2100 to terminate their fiber.

In testing, I had it set up like this.

Juniper ACX2100 > Ubiquiti Dream Machine Pro > Ubiquiti Aggregation Switch > CCR1036-8G-2S+EM

I was able to pull a full 6 Gbps on both upload and download without issue. I changed the two SFP+ ports to 10G, flow control off. I also enabled Fasttrack.

Since I have enabled my NAT rules (dst-nat) for about 70 rules, I now get the full upload speed, but my download speed is around 2 Gbps instead of 6 Gbps.

Any help would be appreciated.
 
Fiberguy
just joined
Topic Author
Posts: 3
Joined: Thu Jun 23, 2022 8:44 am

Re: RouterOS NAT Rules Enabled now speed cut 50%

Thu Jun 23, 2022 9:37 am

# jun/23/2022 02:36:19 by RouterOS 7.1.3
# software id = PLVM-1CNL
#
# model = CCR1036-8G-2S+
# serial number = <CENSORED>
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no l2mtu=9000 mtu=9000
set [ find default-name=sfp-sfpplus2 ] auto-negotiation=no l2mtu=9000 mtu=9000
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.0.0.2-10.0.0.254
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp,rest-api"
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=sfp-sfpplus2
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add list=LAN
add interface=sfp-sfpplus1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=10.0.0.1/24 interface=bridge1 network=10.0.0.0
add address=50.219.136.150/30 interface=sfp-sfpplus1 network=50.219.136.148
/ip dhcp-client
add disabled=yes interface=sfp-sfpplus1
/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
add address=10.0.0.0/24 gateway=10.0.0.1 netmask=24
/ip dns
set allow-remote-requests=yes use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
/ip firewall filter
add action=fasttrack-connection chain=forward connection-mark=no-mark connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=1 protocol=tcp to-addresses=10.0.0.10 to-ports=1
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=20 protocol=tcp to-addresses=10.0.0.10 to-ports=20
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=21 protocol=tcp to-addresses=10.0.0.10 to-ports=21
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=22 protocol=tcp to-addresses=10.0.0.10 to-ports=22
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=25 protocol=tcp to-addresses=10.0.0.10 to-ports=25
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=26 protocol=tcp to-addresses=10.0.0.10 to-ports=26
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=37 protocol=tcp to-addresses=10.0.0.10 to-ports=37
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=43 protocol=tcp to-addresses=10.0.0.10 to-ports=43
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=53 protocol=tcp to-addresses=10.0.0.10 to-ports=53
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=53 protocol=udp to-addresses=10.0.0.10 to-ports=53
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=80 protocol=tcp to-addresses=10.0.0.10 to-ports=80
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=110 protocol=tcp to-addresses=10.0.0.10 to-ports=110
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=113 protocol=tcp to-addresses=10.0.0.10 to-ports=113
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=443 protocol=tcp to-addresses=10.0.0.10 to-ports=443
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=465 protocol=tcp to-addresses=10.0.0.10 to-ports=465
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=579 protocol=tcp to-addresses=10.0.0.10 to-ports=579
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=587 protocol=tcp to-addresses=10.0.0.10 to-ports=587
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=783 protocol=tcp to-addresses=10.0.0.10 to-ports=783
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=783 protocol=udp to-addresses=10.0.0.10 to-ports=783
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=873 protocol=udp to-addresses=10.0.0.10 to-ports=873
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=873 protocol=tcp to-addresses=10.0.0.10 to-ports=873
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=993 protocol=tcp to-addresses=10.0.0.10 to-ports=993
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=995 protocol=tcp to-addresses=10.0.0.10 to-ports=995
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=2077 protocol=tcp to-addresses=10.0.0.10 to-ports=2077
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=2078 protocol=tcp to-addresses=10.0.0.10 to-ports=2078
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=2079 protocol=tcp to-addresses=10.0.0.10 to-ports=2079
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=2080 protocol=tcp to-addresses=10.0.0.10 to-ports=2080
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=2082 protocol=tcp to-addresses=10.0.0.10 to-ports=2082
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=2083 protocol=tcp to-addresses=10.0.0.10 to-ports=2083
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=2086 protocol=tcp to-addresses=10.0.0.10 to-ports=2086
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=2087 protocol=tcp to-addresses=10.0.0.10 to-ports=2087
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=2089 protocol=tcp to-addresses=10.0.0.10 to-ports=2089
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=2095 protocol=tcp to-addresses=10.0.0.10 to-ports=2095
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=2096 protocol=tcp to-addresses=10.0.0.10 to-ports=2096
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=2195 protocol=tcp to-addresses=10.0.0.10 to-ports=2195
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=2703 protocol=tcp to-addresses=10.0.0.10 to-ports=2703
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=6277 protocol=tcp to-addresses=10.0.0.10 to-ports=6277
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=6277 protocol=udp to-addresses=10.0.0.10 to-ports=6277
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=8088 protocol=udp to-addresses=10.0.0.10 to-ports=8088
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=8088 protocol=tcp to-addresses=10.0.0.10 to-ports=8088
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=7080 protocol=tcp to-addresses=10.0.0.10 to-ports=7080
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=7080 protocol=udp to-addresses=10.0.0.10 to-ports=7080
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=24441 protocol=udp to-addresses=10.0.0.10 to-ports=24441
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=24441 protocol=tcp to-addresses=10.0.0.10 to-ports=24441
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=443 protocol=udp to-addresses=10.0.0.10 to-ports=443
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=5656 protocol=udp to-addresses=10.0.0.20 to-ports=80
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=5656 protocol=tcp to-addresses=10.0.0.20 to-ports=80
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=5657 protocol=tcp to-addresses=10.0.0.20 to-ports=443
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=5657 protocol=udp to-addresses=10.0.0.20 to-ports=443
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=8443 protocol=udp to-addresses=10.0.0.20 to-ports=8443
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=8443 protocol=tcp to-addresses=10.0.0.20 to-ports=8443
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=8081 protocol=tcp to-addresses=10.0.0.20 to-ports=8081
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=8081 protocol=udp to-addresses=10.0.0.20 to-ports=8081
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=2022 protocol=udp to-addresses=10.0.0.20 to-ports=2022
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=25601 protocol=udp to-addresses=10.0.0.20 to-ports=25601
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=25601 protocol=tcp to-addresses=10.0.0.20 to-ports=25601
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=9987-10099 protocol=tcp to-addresses=10.0.0.20 to-ports=9987-10099
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=9987-10099 protocol=udp to-addresses=10.0.0.21 to-ports=9987-10099
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=10101-10199 protocol=udp to-addresses=10.0.0.21 to-ports=10101-10199
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=10101-10199 protocol=udp to-addresses=10.0.0.21 to-ports=10101-10199
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=30301-30399 protocol=udp to-addresses=10.0.0.21 to-ports=30301-30399
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=8083 protocol=tcp to-addresses=10.0.0.21 to-ports=8083
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=8083 protocol=udp to-addresses=10.0.0.21 to-ports=8083
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=2024 protocol=udp to-addresses=10.0.0.21 to-ports=2024
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=2025 protocol=tcp to-addresses=10.0.0.22 to-ports=2025
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=2025 protocol=udp to-addresses=10.0.0.22 to-ports=2025
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=8085 protocol=udp to-addresses=10.0.0.22 to-ports=8085
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=8085 protocol=tcp to-addresses=10.0.0.22 to-ports=8085
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=30120-30220 protocol=tcp to-addresses=10.0.0.22 to-ports=30120-30220
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=30120-30220 protocol=udp to-addresses=10.0.0.22 to-ports=30120-30220
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=40120-40220 protocol=udp to-addresses=10.0.0.22 to-ports=40120-40220
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=40120-40220 protocol=tcp to-addresses=10.0.0.22 to-ports=40120-40220
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=25565-25600 protocol=tcp to-addresses=10.0.0.22 to-ports=25565-25600
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=33250-33300 protocol=udp to-addresses=10.0.0.22 to-ports=33250-33300
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=3306 protocol=tcp to-addresses=10.0.0.30 to-ports=3306
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=3306 protocol=udp to-addresses=10.0.0.30 to-ports=3306
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=7500 protocol=udp to-addresses=10.0.0.30 to-ports=7500
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=7500 protocol=tcp to-addresses=10.0.0.30 to-ports=7500
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
/lcd
set time-interval=hour
/system clock
set time-zone-name=America/New_York
/system identity
set name=NOCMAIN
 
chechito
Forum Guru
Posts: 2990
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: RouterOS NAT Rules Enabled now speed cut 50%

Thu Jun 23, 2022 6:41 pm

Try using tools profile at the moment you test download speed to see if there is a CPU usage rise and the source of it.
(attachment: cpu-usage-profile.png)
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: RouterOS NAT Rules Enabled now speed cut 50%

Thu Jun 23, 2022 7:13 pm

Of course the first optimization option for that long list of dst-nat rules is to put a single rule in chain dstnat matching dst-address=50.219.136.150 with a jump to a new chain, e.g. dstnat150, and then put all the rules you now have for that address in the chain dstnat150. There you can remove the dst-address=50.219.136.150 check.
That will at least cut half of the times this ruleset is evaluated.
Another possibility would be to further split it in dstnat150tcp and dstnat150udp.
 
r00t
Long time Member
Posts: 672
Joined: Tue Nov 28, 2017 2:14 am

Re: RouterOS NAT Rules Enabled now speed cut 50%

Thu Jun 23, 2022 8:08 pm

Also, you can use commas to separate multiple port values; there is really no need to have so many rules, one for each port. Omit the to-ports so the destination port is the same as the source.
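The two suggestions above (a single jump into a dedicated chain, and one rule per internal host with a comma-separated port list, dropping to-ports where it equals dst-port) can be applied mechanically to the export posted earlier. The script below is an added example written for this page, not the poster's configuration or a RouterOS tool; the chain name dstnat150 is taken from the suggestion above, and the sample export is a constructed subset of the posted rules that deliberately includes one exact duplicate (10101-10199/udp) and one rule that rewrites the port (5656 to 80). Merging rules throws away first-match ordering, so the script refuses to consolidate if two rules of the same protocol could match the same destination port; it also collapses exact duplicates. A side benefit for review is that the whole exposed surface for the public address ends up in one short chain.

```python
"""Consolidate a flat RouterOS dst-nat ruleset into one jump chain with
comma-separated port lists. Example tool written for this page; not part of
RouterOS or of the posted configuration."""
import re
from collections import defaultdict

# Constructed sample: a subset of the rules from the posted export, including an
# exact duplicate (10101-10199/udp) and one rule whose to-ports differs (5656 -> 80).
SAMPLE_EXPORT = """\
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=22 protocol=tcp to-addresses=10.0.0.10 to-ports=22
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=53 protocol=tcp to-addresses=10.0.0.10 to-ports=53
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=53 protocol=udp to-addresses=10.0.0.10 to-ports=53
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=443 protocol=tcp to-addresses=10.0.0.10 to-ports=443
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=5656 protocol=tcp to-addresses=10.0.0.20 to-ports=80
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=9987-10099 protocol=udp to-addresses=10.0.0.21 to-ports=9987-10099
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=10101-10199 protocol=udp to-addresses=10.0.0.21 to-ports=10101-10199
add action=dst-nat chain=dstnat dst-address=50.219.136.150 dst-port=10101-10199 protocol=udp to-addresses=10.0.0.21 to-ports=10101-10199
"""

KV_RE = re.compile(r"(\S+?)=(\S+)")


def parse_dstnat_rules(export):
    """Return the chain=dstnat action=dst-nat rules as dicts of their key=value pairs."""
    rules = []
    for line in export.splitlines():
        if not line.startswith("add "):
            continue
        kv = dict(KV_RE.findall(line[4:]))
        if kv.get("chain") == "dstnat" and kv.get("action") == "dst-nat":
            rules.append(kv)
    return rules


def port_span(spec):
    """'443' -> (443, 443); '9987-10099' -> (9987, 10099)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def find_overlap(entries):
    """entries is [(protocol, port_spec, to_address)]. Return a description of the
    first pair of same-protocol entries whose port ranges intersect, or None.
    Merging rules discards first-match order, which is only safe when this is None."""
    seen = defaultdict(list)
    for proto, spec, to in entries:
        lo, hi = port_span(spec)
        for plo, phi, pto in seen[proto]:
            if lo <= phi and plo <= hi:
                return f"{proto} {spec} -> {to} overlaps {plo}-{phi} -> {pto}"
        seen[proto].append((lo, hi, to))
    return None


def consolidate(rules, public_ip, chain="dstnat150"):
    """Build the replacement ruleset: one jump from dstnat into `chain`, then one
    rule per (protocol, internal host) with a comma-separated dst-port list.
    Rules that rewrite the port (to-ports != dst-port) stay as single rules."""
    grouped = defaultdict(list)   # (protocol, to-addresses) -> [port specs]
    single = []
    for r in rules:
        if r.get("dst-address") != public_ip:
            continue  # not covered by the jump rule; leave it in dstnat as-is
        to_ports = r.get("to-ports", r["dst-port"])
        if to_ports == r["dst-port"]:
            key = (r["protocol"], r["to-addresses"])
            if r["dst-port"] not in grouped[key]:   # exact duplicates collapse
                grouped[key].append(r["dst-port"])
        else:
            single.append(r)
    conflict = find_overlap(
        [(p, spec, to) for (p, to), specs in grouped.items() for spec in specs]
        + [(r["protocol"], r["dst-port"], r["to-addresses"]) for r in single])
    if conflict:
        raise ValueError("cannot reorder rules safely: " + conflict)
    out = ["/ip firewall nat",
           f"add chain=dstnat dst-address={public_ip} action=jump jump-target={chain}"]
    for (proto, to), specs in grouped.items():
        out.append(f"add chain={chain} action=dst-nat protocol={proto} "
                   f"dst-port={','.join(specs)} to-addresses={to}")
    for r in single:
        out.append(f"add chain={chain} action=dst-nat protocol={r['protocol']} "
                   f"dst-port={r['dst-port']} to-addresses={r['to-addresses']} to-ports={r['to-ports']}")
    return out


if __name__ == "__main__":
    for line in consolidate(parse_dstnat_rules(SAMPLE_EXPORT), "50.219.136.150"):
        print(line)
```

Run against the full export, the eight sample rules become one jump plus four rules in dstnat150; the trade-off is that per-port hit counters are replaced by one counter per group, so anyone who relies on those counters for monitoring should keep the ports they watch as separate rules.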
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: RouterOS NAT Rules Enabled now speed cut 50%

Thu Jun 23, 2022 8:41 pm

Someone may like separate counters.
