Community discussions

MikroTik App
 
jookraw
Member Candidate
Member Candidate
Topic Author
Posts: 141
Joined: Mon Aug 19, 2019 3:06 pm

Bridge vlan filter breaks Fasttrack in 7.1rc4 (RB4011/RB5009)

Sun Oct 03, 2021 6:39 pm

Hello,

I've just noticed that when enabling bridge vlan filtering on both RB4011 and RB5009 running 7.1rc4 FastTrack does not work.

this basically makes the switch on both RB's unusable.

with and without screenshots below:
with-vlan-filtering.png
without-vlan-filtering.png
You do not have the required permissions to view the files attached to this post.
 
User avatar
raimondsp
MikroTik Support
MikroTik Support
Posts: 267
Joined: Mon Apr 27, 2020 10:14 am

Re: Bridge vlan filter breaks Fasttrack in 7.1rc4 (RB4011/RB5009)

Mon Oct 04, 2021 8:50 am

FastTrack does not support Inter-VLAN routing on a bridge with VLAN filtering enabled. It never did. It is not a bug but an unimplemented feature, which is currently in development.

Edit: Updated to mention L3.
 
jookraw
Member Candidate
Member Candidate
Topic Author
Posts: 141
Joined: Mon Aug 19, 2019 3:06 pm

Re: Bridge vlan filter breaks Fasttrack in 7.1rc4 (RB4011/RB5009)

Mon Oct 04, 2021 9:08 am

I'm pretty sure that both RB4011 and hAP ac2 had fasttrack working with bridge vlan filtering on, when running rOS 6.x and I could get 900+ Mbps (IPv4 w fasttrack, no bridge hw acceleration).
650-680 mbps is way to low for the RB4011.

How I'm supposed to configure a port in a particular vlan on RB5009 or RB4011 and still have usable performance?
 
jookraw
Member Candidate
Member Candidate
Topic Author
Posts: 141
Joined: Mon Aug 19, 2019 3:06 pm

Re: Bridge vlan filter breaks Fasttrack in 7.1rc4 (RB4011/RB5009)

Mon Oct 04, 2021 9:36 am

Here is a testing that I've done that shows that even L2 traffic is not getting via fastpath on RB5009, both ports have the same vlan as untagged.
L2-fastpath-not-working.png
 /interface/bridge/vlan/print 
Flags: D - DYNAMIC
Columns: BRIDGE, VLAN-IDS, CURRENT-TAGGED, CURRENT-UNTAGGED
#   BRIDGE  VLAN-IDS  CURRENT-TAGGED  CURRENT-UNTAGGED
0   bridge        88  bridge          ether1          
                                      ether4          
You do not have the required permissions to view the files attached to this post.
 
User avatar
raimondsp
MikroTik Support
MikroTik Support
Posts: 267
Joined: Mon Apr 27, 2020 10:14 am

Re: Bridge vlan filter breaks Fasttrack in 7.1rc4 (RB4011/RB5009)

Mon Oct 04, 2021 9:55 am

L2 traffic should get on fastpath. Moreover, in most cases, L2 traffic gets offloaded to the hardware (switch chip), which is capable of forwarding L2 traffic at wire-speed.
Inter-VLAN routing (L3) is the one that is not implemented on the fastpath yet.

Please, export the interface and IP configuration, so we can check it on our side.
/interface export
/ip export
 
jookraw
Member Candidate
Member Candidate
Topic Author
Posts: 141
Joined: Mon Aug 19, 2019 3:06 pm

Re: Bridge vlan filter breaks Fasttrack in 7.1rc4 (RB4011/RB5009)

Mon Oct 04, 2021 12:45 pm

The last test on RB5009 was using it as a switch, as both ports were on vlan 88, that comes from the upstream RB4011. I've noted that when transferring data on line rate, the CPU on RB5009 was about 10%

Please find the config below, note that some part of it is not being used, like PPPoE:
/interface bridge
add ingress-filtering=no name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] l2mtu=6200 mtu=6000 name=10g-sfp+1
set [ find default-name=ether1 ] l2mtu=6200 mtu=6000
set [ find default-name=ether2 ] l2mtu=6200 mtu=6000
set [ find default-name=ether3 ] l2mtu=6200 mtu=6000
set [ find default-name=ether4 ] l2mtu=6200 mtu=6000
set [ find default-name=ether5 ] l2mtu=6200 mtu=6000
set [ find default-name=ether6 ] l2mtu=6200 mtu=6000
set [ find default-name=ether7 ] l2mtu=6200 mtu=6000
set [ find default-name=ether8 ] l2mtu=6200 mtu=6000
/interface vlan
add disabled=yes interface=bridge mtu=4088 name=DMZ_vlan vlan-id=70
add interface=bridge name=Guest_vlan vlan-id=75
add interface=bridge mtu=4088 name=Home88_vlan vlan-id=88
add interface=bridge mtu=4088 name=Home_vlan vlan-id=10
add interface=bridge name=IoT_vlan vlan-id=80
add interface=bridge name=NoT_vlan vlan-id=85
add interface=bridge name=Transit_vlan vlan-id=200
add disabled=yes interface=bridge mtu=1600 name=WAN_vlan vlan-id=35
add disabled=yes interface=bridge name=vlan838 vlan-id=838
add disabled=yes interface=bridge name=vlan839 vlan-id=839
/interface pppoe-client
add disabled=yes add-default-route=yes interface=WAN_vlan name=PPPoEv4 user=****
add disabled=yes interface=WAN_vlan name=PPPoEv6 user=*****/ipv6
/interface list
add name=LAN
add name=WAN
add name=LOCAL
add name=Trusted
add name=Untrusted
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=no \
    interface=10g-sfp+1
add bridge=bridge interface=ether1 pvid=88
add bridge=bridge interface=ether2 pvid=10
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4 pvid=88
add bridge=bridge disabled=yes interface=ether5 pvid=88
add bridge=bridge interface=ether6 pvid=88
add bridge=bridge interface=ether7 pvid=10
add bridge=bridge interface=ether8
add bridge=bridge disabled=yes interface=*1D pvid=88
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether8 vlan-ids=88
add bridge=bridge tagged=bridge,10g-sfp+1 vlan-ids=10
add bridge=bridge tagged=bridge,ether4 vlan-ids=35
add bridge=bridge tagged=bridge,10g-sfp+1 vlan-ids=70
add bridge=bridge tagged=bridge,10g-sfp+1 vlan-ids=100
add bridge=bridge tagged=bridge,10g-sfp+1 vlan-ids=110
add bridge=bridge tagged=bridge,10g-sfp+1 vlan-ids=120
add bridge=bridge tagged=bridge,10g-sfp+1 vlan-ids=200
/interface list member
add interface=PPPoEv4 list=WAN
add interface=PPPoEv6 list=WAN
add interface=Home_vlan list=Trusted
add interface=IoT_vlan list=Untrusted
add interface=NoT_vlan list=Untrusted
/ip dhcp-server option
add code=119 name=domain-search-option value="'lan'"
add code=26 name=mtu4088 value="'4088'"
/ip dhcp-server option sets
add name=Defconf options=domain-search-option
add name=Home_vlan options=domain-search-option,mtu4088
/ip pool
add name=Guest_Pool ranges=10.42.20.20-10.42.20.250
add name=IoT_Pool ranges=10.42.11.20-10.42.11.250
add name=NoT_Pool ranges=10.42.12.20-10.42.12.250
add name=ovpn-pool ranges=10.250.250.2-10.250.250.6
add name=DMZ_pool ranges=172.22.70.5-172.22.70.100
add name=Home_pool ranges=10.42.10.10-10.42.10.250
/ip dhcp-server
add address-pool=Home_pool dhcp-option-set=Home_vlan interface=Home_vlan \
    lease-time=4w2d10m name=Home_DHCP
add address-pool=Guest_Pool dhcp-option-set=Defconf interface=Guest_vlan \
    lease-time=3d10m name=Guest_DHCP
add address-pool=IoT_Pool dhcp-option-set=Defconf interface=IoT_vlan \
    lease-time=4w2d10m name=IoT_DHCP
add address-pool=NoT_Pool dhcp-option-set=Defconf interface=NoT_vlan \
    lease-time=4w2d10m name=NoT_DHCP
add address-pool=DMZ_pool interface=DMZ_vlan lease-time=2w6d name=DMZ_dhcp
/ip address
add address=10.42.10.1/24 interface=Home_vlan network=10.42.10.0
add address=10.42.20.1/24 interface=Guest_vlan network=10.42.20.0
add address=10.42.11.1/24 interface=IoT_vlan network=10.42.11.0
add address=10.42.12.1/24 interface=NoT_vlan network=10.42.12.0
add address=172.22.70.1/24 interface=DMZ_vlan network=172.22.70.0
add address=10.42.200.1/29 disabled=yes interface=Transit_vlan network=\
    10.42.200.0
/ip cloud
set update-time=no
/ip dhcp-client
add interface=Home88_vlan use-peer-dns=no
/ip dhcp-server network
add address=10.42.10.0/24 dns-server=172.20.70.4,172.20.70.3 domain=\
    .lan.wawi.local gateway=10.42.10.1
add address=10.42.11.0/24 dns-server=172.22.70.4,172.22.70.3 domain=\
    .IoT.wawi.local gateway=10.42.11.1
add address=10.42.12.0/24 dns-server=172.22.70.4,172.22.70.3 domain=\
    .NoT.wawi.local gateway=10.42.12.1
add address=10.42.20.0/24 dns-server=172.22.70.4,172.22.70.3 domain=\
    .guest.wawi.local gateway=10.42.20.1
add address=172.22.70.0/24 dns-server=172.22.70.4,172.22.70.3 gateway=\
    172.22.70.1
/ip dns
set servers=9.9.9.9,1.1.1.2
/ip dns static
/ip firewall address-list
add address=1.1.1.1 list=DNS_servers
add address=1.0.0.1 list=DNS_servers
add address=1.0.0.2 list=DNS_servers
add address=1.1.1.2 list=DNS_servers
add address=8.8.8.8 list=DNS_servers
add address=8.8.4.4 list=DNS_servers
add address=9.9.9.9 list=DNS_servers
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip firewall filter
add action=drop chain=forward in-interface-list=WAN src-address-list=\
    ssh_blacklist
add action=drop chain=input in-interface-list=WAN src-address-list=\
    ssh_blacklist
add action=fasttrack-connection chain=forward comment=fasttrack \
    connection-state=established,related hw-offload=yes log-prefix=ftrak
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=accept chain=forward in-interface-list=Trusted out-interface-list=\
    Untrusted
# PPPoEv4 not ready
add action=accept chain=input dst-port=43231 in-interface=PPPoEv4 protocol=\
    udp
add action=drop chain=forward dst-address-list=DNS_servers \
    in-interface=DMZ_vlan protocol=!icmp src-address=!172.22.70.1-172.22.70.5
add action=drop chain=forward dst-address-list=DNS_servers \
    in-interface=!DMZ_vlan protocol=!icmp src-address=!10.42.88.1-10.42.88.20
add action=accept chain=input comment="accept ICMP" protocol=icmp \
    src-address-list=!ssh_blacklist
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment="Allow WAN connections" in-interface=\
    !NoT_vlan out-interface-list=WAN
add action=drop chain=forward in-interface-list=Untrusted out-interface-list=\
    Trusted
add action=drop chain=input comment="drop invalid" connection-state=invalid \
    log-prefix=Test
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=input comment="drop the rest" in-interface-list=WAN \
    log-prefix=Test
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
 
jookraw
Member Candidate
Member Candidate
Topic Author
Posts: 141
Joined: Mon Aug 19, 2019 3:06 pm

Re: Bridge vlan filter breaks Fasttrack in 7.1rc4 (RB4011/RB5009)

Wed Oct 06, 2021 10:07 pm

I just made a test with my hAP-ac2 running the latest stable rOS.

and fasttrack does work with bridge vlan filtering on, as you can see on the attached screenshots.
# oct/06/2021 20:52:50 by RouterOS 6.48.4
# software id = *********
#
# model = RBD52G-5HacD2HnD
# serial number = *************
/interface bridge
add name=br-lan vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] l2mtu=6200 mtu=6200
set [ find default-name=ether2 ] l2mtu=6200 mtu=6200
set [ find default-name=ether3 ] l2mtu=6200 mtu=6200
set [ find default-name=ether4 ] l2mtu=6200 mtu=6200
set [ find default-name=ether5 ] l2mtu=6200 mtu=6200
/interface vlan
add interface=br-lan name=Guest_vlan vlan-id=100
add interface=br-lan mtu=1600 name=vlan35 vlan-id=35
/interface pppoe-client
add add-default-route=yes interface=vlan35 name=PPPoEv4 user=*****
add add-default-route=yes interface=vlan35 name=PPPoEv6 user=*****
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp_pool1 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=br-lan name=dhcp1
/ipv6 dhcp-server
add interface=br-lan name=server1
add interface=Guest_vlan name=server2
/interface bridge port
add bridge=br-lan interface=ether2
add bridge=br-lan interface=ether3 pvid=100
add bridge=br-lan interface=ether4
add bridge=br-lan interface=ether5
add bridge=br-lan interface=wlan2
add bridge=br-lan interface=wlan1
add bridge=br-lan frame-types=admit-only-vlan-tagged interface=ether1
/interface bridge vlan
add bridge=br-lan tagged=br-lan,ether1 vlan-ids=35
/interface list member
add interface=PPPoEv4 list=WAN
add interface=br-lan list=LAN
/ip address
add address=192.168.88.1/24 interface=br-lan network=192.168.88.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=8.8.8.8 gateway=192.168.88.1
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related
# PPPoEv4 not ready
add action=accept chain=forward out-interface=PPPoEv4
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip service
set telnet disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.0.0/16
set api-ssl disabled=yes
/ipv6 dhcp-client
add add-default-route=yes interface=PPPoEv6 pool-name=v6 request=prefix
/system clock
set time-zone-name=Europe/Warsaw
hAPac2 - with FastTrak.png
hAPac2 - without FastTrak.png
You do not have the required permissions to view the files attached to this post.
 
dmfr
newbie
Posts: 44
Joined: Thu Oct 15, 2020 11:14 am

Re: Bridge vlan filter breaks Fasttrack in 7.1rc4 (RB4011/RB5009)

Sun Apr 10, 2022 7:55 pm

Even if there is no vlan filtering, just bridge filter rules, fasttrack doesn't enable on 7.1.x / 7.2 stable, on both RB4011 & RB5009.
Well.. it shows enabled (/ip/settings/print), but no packets processed and IPv4 single-thread maxes at 600-700 Mbps on RB4011.

Same configuration (bridge filters + fasttrack) was working fine with ROS 6.xx.
 
jookraw
Member Candidate
Member Candidate
Topic Author
Posts: 141
Joined: Mon Aug 19, 2019 3:06 pm

Re: Bridge vlan filter breaks Fasttrack in 7.1rc4 (RB4011/RB5009)  [SOLVED]

Sun Apr 10, 2022 10:13 pm

On my RB5009 and RB4011 the fasttrack is working since the support for it was introduced back on some v7.1.sth. maybe you have something on your config preventing the fasttrack to work.
if you could post your config will be easier...
 
dmfr
newbie
Posts: 44
Joined: Thu Oct 15, 2020 11:14 am

Re: Bridge vlan filter breaks Fasttrack in 7.1rc4 (RB4011/RB5009)

Thu Jun 23, 2022 7:58 pm

As of 7.4beta / 7.3.1 : NOT SOLVED

On my RB5009 and RB4011 the fasttrack is working since the support for it was introduced back on some v7.1.sth. maybe you have something on your config preventing the fasttrack to work.
if you could post your config will be easier...

Sure, consider simplest :
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no name=bridgeLocal protocol-mode=none
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no name=bridgeTest protocol-mode=none
/interface vlan
add interface=ether10 name=ether10.832 vlan-id=832
/interface bridge filter
add action=set-priority chain=output dst-port=67 ip-protocol=udp \
    mac-protocol=ip new-priority=6 out-bridge=bridgeTest passthrough=yes \
    src-port=68
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeTest interface=ether10.832
/ip address
add address=192.168.88.1/24 interface=bridgeLocal network=192.168.88.0
add address=192.168.99.1/24 interface=bridgeTest network=192.168.99.0
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
Traffic 88.x <=> 99.x flowing :
   ipv4-fasttrack-active: yes
  ipv4-fasttrack-packets: 0
    ipv4-fasttrack-bytes: 0
Fastrack shows active, but no traffic counted & cpu usage clearly consistent with no fasttrack active.

Then,
/interface/bridge/filter/set 0 disabled=yes
Now :
   ipv4-fasttrack-active: yes
  ipv4-fasttrack-packets: 103
    ipv4-fasttrack-bytes: 14355
And CPU usage drops.
 
jookraw
Member Candidate
Member Candidate
Topic Author
Posts: 141
Joined: Mon Aug 19, 2019 3:06 pm

Re: Bridge vlan filter breaks Fasttrack in 7.1rc4 (RB4011/RB5009)

Mon Jun 27, 2022 4:51 pm

on 7.3 works perfertcly on my RB5009.

I see that you have multiple bridges, you should have just one, only CRS devices can have multiple bridges.

note that this topic is about Bridge Vlan filtering, not bridge filtering. check your devices capabilities here: https://help.mikrotik.com/docs/display/ ... p+Features

Who is online

Users browsing this forum: No registered users and 21 guests