vaiost
just joined
Topic Author
Posts: 15
Joined: Fri May 13, 2016 8:12 pm
Location: Greece

Help! 3011 Capped at 150Mbps

Thu Mar 24, 2022 11:47 am

Hello,
my ISP recently upgraded my speed to 200/20Mbps (PPPoE VDSL).
I have been using a 3011 since 2016, and I never had any speed issues.
But now, running a simple speedtest or download test, I can see the CPU *almost* maxing out while getting 140-160 Mbps.

The reasons I am NOT using fast track or fastpath are:
- that I need to have queues for almost every interface
- that when I enabled it, the TCP MSS NAT rule was not honored and I had a lot of problems with the devices losing packets

The below screenshot is from a simple download test running in background and getting around 130Mbps
Screenshot 2022-03-24 112619.jpg
I am posting a full export of my settings:
# mar/24/2022 11:13:48 by RouterOS 7.1.5
# software id = RPP7-BQU5
#
# model = RouterBOARD 3011UiAS
/interface bridge
add admin-mac=E4:8D:8C:78:EC:FD auto-mac=no fast-forward=no igmp-snooping=yes \
    name=bridge-local protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=WAN speed=100Mbps
set [ find default-name=ether2 ] arp=proxy-arp speed=100Mbps
set [ find default-name=ether3 ] comment="Building B" speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] arp=proxy-arp speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] poe-out=off speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=\
    "Unifi Switch8-150"
/interface wireguard
add listen-port=13231 mtu=1420 name=WG-server
/interface vlan
add comment="APTS VLAN" interface=bridge-local name=Apts-VLAN vlan-id=214
add comment="ASTARTI GUESTS VLAN" interface=bridge-local name=\
    Astarti-Guests-VLAN vlan-id=216
add comment="ATRIUM GUESTS VLAN" interface=bridge-local name=\
    Atrium-Guests-VLAN vlan-id=209
add arp=disabled comment="ATRIUM MAIN VLAN" interface=bridge-local name=\
    Atrium-Main-VLAN vlan-id=9
add comment="MANAGEMENT VLAN" interface=bridge-local name=Mgmt-VLAN vlan-id=\
    172
/interface pppoe-client
add add-default-route=yes comment="VDSL PPPoE" disabled=no interface=WAN \
    keepalive-timeout=60 max-mru=1492 max-mtu=1492 name=pppoe-out1 \
    service-name=COSMOTE user=**@otenet.gr
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=zerotier
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=RB3011
/ip ipsec profile
add enc-algorithm=aes-256,aes-192,aes-128,3des name=profile_1
/ip ipsec peer
add address=***.duckdns.org comment=HOME name=HOME profile=profile_1
add address=***.duckdns.org comment=OFFICE name=OFFICE profile=profile_1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1,md5 enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des,des pfs-group=modp2048
add enc-algorithms=aes-128-cbc name=site-to-site pfs-group=modp2048
/ip pool
add name=astarti_lan_pool ranges=192.168.16.101-192.168.16.200
add name=astarti_guests_pool ranges=192.168.216.16-192.168.216.249
add name=vpn_pool ranges=192.168.16.208/28
add name=atrium_guests_pool ranges=192.168.209.9-192.168.209.249
add name=atrium_lan_pool ranges=192.168.9.101-192.168.9.200
add name=apts_lan_pool ranges=192.168.14.129-192.168.14.190
add name=mgmt_vlan_pool ranges=172.16.16.101-172.16.16.199
/ip dhcp-server
add add-arp=yes address-pool=astarti_lan_pool bootp-support=none interface=\
    bridge-local lease-time=2w1d name=Astarti-Lan-dhcp
add address-pool=astarti_guests_pool bootp-support=none interface=\
    Astarti-Guests-VLAN lease-time=1d name=Astarti-Guest-dhcp
add address-pool=atrium_guests_pool interface=Atrium-Guests-VLAN lease-time=\
    1d name=Atrium-Guest-dhcp
add add-arp=yes address-pool=atrium_lan_pool bootp-support=none interface=\
    Atrium-Main-VLAN lease-time=2w1d name=Atrium-Lan-dhcp
add add-arp=yes address-pool=apts_lan_pool interface=Apts-VLAN lease-time=1d \
    name=Apts-Lan-dhcp
add add-arp=yes address-pool=mgmt_vlan_pool interface=Mgmt-VLAN lease-time=\
    2w1d name=Mgmt-vlan-dhcp
/port
set 0 name=serial0
/ppp profile
set *0 change-tcp-mss=default on-up=DUCKDNS use-encryption=yes
set *FFFFFFFE bridge=bridge-local dns-server=192.168.16.1 local-address=\
    192.168.16.1 remote-address=vpn_pool use-encryption=required
/queue simple
add max-limit=20M/185M name=TOTAL target="192.168.16.0/24,192.168.14.128/26,As\
    tarti-Guests-VLAN,Atrium-Guests-VLAN,Atrium-Main-VLAN"
add disabled=yes max-limit=5M/10M name=atrium-lan parent=TOTAL target=\
    Atrium-Main-VLAN
add disabled=yes limit-at=1M/3M max-limit=5M/90M name=astarti-lan parent=\
    TOTAL priority=2/2 target=192.168.16.0/24
/queue type
add kind=sfq name=sfq-guests sfq-perturb=8
add kind=fq-codel name=fq_codel
set 7 pcq-limit=25KiB
set 8 pcq-limit=30KiB
/queue simple
add max-limit=7M/65M name=astarti-guests parent=TOTAL queue=\
    sfq-guests/sfq-guests target=Astarti-Guests-VLAN total-queue=fq_codel
add max-limit=7M/65M name=atrium-guests parent=TOTAL queue=\
    sfq-guests/sfq-guests target=Atrium-Guests-VLAN total-queue=fq_codel
add max-limit=2M/20M name=apts-guests parent=TOTAL queue=\
    sfq-guests/sfq-guests target=192.168.14.128/26 total-queue=fq_codel
/routing bgp template
set default as=65530 disabled=no name=default output.network=bgp-networks
/routing ospf instance
add name=default-v2
add name=default-v3 version=3
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
add disabled=yes instance=default-v3 name=backbone-v3
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/user group
add name=ha policy="local,read,write,policy,test,api,rest-api,!telnet,!ssh,!ft\
    p,!reboot,!winbox,!password,!web,!sniff,!sensitive,!romon,!dude,!tikapp"
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    disabled=yes disabled=yes identity="f***2" name=zt1 port=9993
add disabled=yes disabled=yes identity="d***b" name=zt2-oci port=9994
/zerotier interface
add allow-default=no allow-global=no allow-managed=no disabled=yes instance=\
    zt1 mac-address=82:38:5F:54:C7:C1 name=my-zt-net network=***
add allow-default=no allow-global=no allow-managed=no disabled=yes instance=\
    zt2-oci mac-address=FA:7F:21:9A:59:75 name=oci network=***
/interface bridge port
add bridge=bridge-local ingress-filtering=no interface=ether2
add bridge=bridge-local ingress-filtering=no interface=ether6
add bridge=bridge-local hw=no ingress-filtering=no interface=sfp1
add bridge=bridge-local ingress-filtering=no interface=ether4
add bridge=bridge-local ingress-filtering=no interface=ether3
add bridge=bridge-local ingress-filtering=no interface=ether5
add bridge=bridge-local ingress-filtering=no interface=ether7
add bridge=bridge-local ingress-filtering=no interface=ether8
add bridge=bridge-local ingress-filtering=no interface=ether9
add bridge=bridge-local ingress-filtering=no interface=ether10
/interface bridge settings
set allow-fast-path=no
/ip neighbor discovery-settings
set discover-interface-list=discover
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=1024
/interface bridge vlan
add bridge=bridge-local vlan-ids=9,14,216,209
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set authentication=mschap2 enabled=yes use-ipsec=yes
/interface list member
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=sfp1 list=discover
add interface=ether6 list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=bridge-local list=discover
add interface=pppoe-out1 list=discover
add interface=Astarti-Guests-VLAN list=discover
add interface=ether2 list=mactel
add interface=ether3 list=mactel
add interface=ether2 list=mac-winbox
add interface=ether4 list=mactel
add interface=ether3 list=mac-winbox
add interface=ether5 list=mactel
add interface=ether4 list=mac-winbox
add interface=ether6 list=mactel
add interface=ether5 list=mac-winbox
add interface=ether7 list=mactel
add interface=ether6 list=mac-winbox
add interface=ether8 list=mactel
add interface=ether7 list=mac-winbox
add interface=ether9 list=mactel
add interface=ether8 list=mac-winbox
add interface=ether10 list=mactel
add interface=ether9 list=mac-winbox
add interface=sfp1 list=mactel
add interface=ether10 list=mac-winbox
add interface=bridge-local list=mactel
add interface=sfp1 list=mac-winbox
add interface=bridge-local list=mac-winbox
add interface=my-zt-net list=zerotier
add interface=oci list=zerotier
/interface ovpn-server server
set auth=sha1 certificate=SERVER cipher=aes128,aes256 keepalive-timeout=120 \
    require-client-certificate=yes
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption
/interface wireguard peers
add allowed-address=192.168.99.51/32 comment=vaios-OfficePC interface=\
    WG-server public-key="***"
add allowed-address=192.168.99.50/32 comment=vaios-iPhone interface=WG-server \
    public-key="***"
/ip address
add address=192.168.16.1/24 comment="Astarti LAN" interface=bridge-local \
    network=192.168.16.0
add address=192.168.216.1/24 comment="Astarti Guest VLAN" interface=\
    Astarti-Guests-VLAN network=192.168.216.0
add address=192.168.1.250/24 comment="Access xDSL Modem" interface=WAN \
    network=192.168.1.0
add address=192.168.209.1/24 comment="Atrium Guest VLAN" interface=\
    Atrium-Guests-VLAN network=192.168.209.0
add address=192.168.9.1/24 comment="Atrium LAN" interface=Atrium-Main-VLAN \
    network=192.168.9.0
add address=192.168.14.1/24 comment="Apts LAN" interface=Apts-VLAN network=\
    192.168.14.0
add address=192.168.99.1/24 comment=Wireguard interface=WG-server network=\
    192.168.99.0
add address=172.16.16.1/24 comment="Mgmt VLAN" interface=Mgmt-VLAN network=\
    172.16.16.0
    
/ip cloud
set ddns-enabled=yes update-time=no

/ip dhcp-client
add comment="default configuration" disabled=yes interface=WAN

/ip dns
set allow-remote-requests=yes cache-size=4096KiB servers=\
    1.1.1.1,1.0.0.1,2606:4700:4700::1111,2606:4700:4700::1001
    
/ip dns static
add address=192.168.16.1 name=router

/ip firewall address-list
add address=192.168.100.0/24 list="Owned IP"
add address=192.168.0.0/24 list="Owned IP"
add address=192.168.30.0/24 list="Owned IP"
add address=192.168.89.0/24 list="Owned IP"
add address=164.52.24.171 list="IPSec Penetrators"
add address=146.88.240.4 list="IPSec Penetrators"
add address=178.128.255.8 list="IPSec Penetrators"
add address=192.168.2.0/24 list="Owned IP"
add address=39.98.157.27 list="IPSec Penetrators"
add address=50.126.86.253 list="IPSec Penetrators"
add address=107.173.193.198 list="IPSec Penetrators"
add address=37.192.170.101 list="IPSec Penetrators"
add address=92.246.84.199 list="IPSec Penetrators"
add address=192.168.9.0/24 list="Owned IP"
add address=192.168.14.0/24 list="Owned IP"
add address=45.79.76.236 list="IPSec Penetrators"
add address=37.49.229.196 list="IPSec Penetrators"
add address=89.113.142.164 list="IPSec Penetrators"
add address=213.108.134.176/28 list="IPSec Penetrators"
add address=87.251.66.112/28 list="IPSec Penetrators"
add address=94.232.41.0/24 list="IPSec Penetrators"
add address=111.7.96.162 list="IPSec Penetrators"
add address=123.160.221.47 list="IPSec Penetrators"
add address=87.251.67.120/29 list="IPSec Penetrators"
add address=185.180.143.147 list="IPSec Penetrators"
add address=78.128.113.66 list="IPSec Penetrators"
add address=23.148.144.25 list="IPSec Penetrators"
add address=78.128.113.64/29 list="IPSec Penetrators"
add address=183.136.226.4 list="IPSec Penetrators"
add address=91.191.209.232/29 list="IPSec Penetrators"
add address=***.duckdns.org list=Home_WAN_Ips
add address=***.duckdns.org list=Home_WAN_Ips
add address=192.168.209.0/24 list=Guest_VLANs
add address=192.168.216.0/24 list=Guest_VLANs
add address=192.168.14.128/26 list=Guest_VLANs
add address=***.duckdns.org list=Home_WAN_Ips

/ip firewall filter
add action=accept chain=forward comment=ZeroTier disabled=yes \
    in-interface-list=zerotier
add action=accept chain=input disabled=yes in-interface-list=zerotier
add action=fasttrack-connection chain=forward comment="default configuration" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=drop chain=forward comment="BLOCK SARAFIDIS RESIDENTS" disabled=\
    yes in-interface=Apts-VLAN src-mac-address=4C:02:20:79:CA:95
add action=drop chain=forward disabled=yes in-interface=Apts-VLAN \
    src-mac-address=34:29:12:B5:95:A7
add action=drop chain=forward disabled=yes in-interface=Apts-VLAN \
    src-mac-address=68:14:01:23:58:43
add action=drop chain=forward disabled=yes in-interface=Apts-VLAN \
    src-mac-address=68:14:01:23:58:43
add action=drop chain=forward comment="Block Guest Access to backbone" \
    disabled=yes dst-address=172.16.16.0/24 dst-port=!53 protocol=tcp \
    src-address-list=Guest_VLANs
add action=accept chain=forward comment="default configuration" \
    connection-state=established,related
add action=drop chain=input comment="BLOCK IPSec Penetrators" disabled=yes \
    src-address-list="IPSec Penetrators"
add action=accept chain=input comment="Access RB from IPSec" dst-port=\
    80,443,8291,22 ipsec-policy=in,ipsec protocol=tcp src-address-list=\
    "Owned IP"
add action=accept chain=forward comment="IPSec IN" ipsec-policy=in,none
add action=accept chain=forward comment="IPSec OUT" ipsec-policy=out,none
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
add action=drop chain=forward comment="default configuration" \
    connection-nat-state=!dstnat connection-state=new in-interface=pppoe-out1
add action=accept chain=input comment="Accept Ping" protocol=icmp
add action=accept chain=input comment="Accept Established" connection-state=\
    established
add action=accept chain=input comment="Accept Related" connection-state=\
    related
add action=accept chain=input comment="allow GRE" disabled=yes protocol=gre
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow ipsec ports" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="allow ipsec" protocol=ipsec-esp
add action=accept chain=input comment="allow pptp (Only from Office-Home)" \
    dst-port=1723 in-interface=pppoe-out1 protocol=tcp src-address-list=\
    Home_WAN_Ips
add action=accept chain=input comment=Wireguard-Roadwarrior dst-port=13231 \
    protocol=udp
add action=drop chain=input comment=Drop in-interface=pppoe-out1

/ip firewall mangle
add action=change-mss chain=forward disabled=yes dst-address=192.168.100.0/24 \
    fragment=no new-mss=1300 passthrough=yes protocol=tcp src-address=\
    192.168.16.0/24 tcp-flags=syn tcp-mss=!0-1300
add action=change-mss chain=forward comment="TCP MSS" disabled=yes new-mss=\
    clamp-to-pmtu out-interface=pppoe-out1 passthrough=yes protocol=tcp \
    tcp-flags=syn tcp-mss=0-0
add action=change-mss chain=forward comment="TCP MSS" new-mss=1452 \
    out-interface=pppoe-out1 passthrough=yes protocol=tcp tcp-flags=syn \
    tcp-mss=1453-65535
    
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=accept chain=srcnat comment="Access IPSec Subnets" \
    dst-address-list="Owned IP" ipsec-policy=out,ipsec src-address=\
    192.168.16.0/24
add action=accept chain=srcnat comment="Access IPSec Subnets Atrium" \
    dst-address-list="Owned IP" ipsec-policy=out,ipsec src-address=\
    192.168.9.0/24
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="Masq L2TP" dst-address=\
    !192.168.16.208/28 src-address=192.168.16.208/28
add action=masquerade chain=srcnat comment="Access ADSL Modem" out-interface=\
    WAN
add action=dst-nat chain=dstnat comment="Docker Reverse Proxy" dst-port=\
    80,443 in-interface=pppoe-out1 protocol=tcp src-address-list=Home_WAN_Ips \
    to-addresses=172.16.16.50 to-ports=80-443
add action=dst-nat chain=dstnat comment="DVR View Building A" dst-port=55416 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.16.10 to-ports=\
    1-65535
add action=dst-nat chain=dstnat comment="DVR View Building B" dst-port=55404 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.16.20 to-ports=\
    1-65535
add action=src-nat chain=srcnat dst-address=192.168.14.0/24 to-addresses=\
    192.168.14.1
add action=src-nat chain=srcnat dst-address=192.168.9.0/24 to-addresses=\
    192.168.9.1
    
/ip firewall raw
add action=drop chain=prerouting comment=\
    "Block Access from guests to mgmt-vlan" dst-address=172.16.16.0/24 \
    dst-port=!53 log=yes protocol=tcp src-address-list=Guest_VLANs
add action=drop chain=prerouting in-interface=pppoe-out1 log=yes \
    src-address-list="IPSec Penetrators"
    
/ip firewall service-port
set sip disabled=yes

/ip ipsec identity
add auth-method=rsa-key key=astarti_mt my-id=fqdn:***.duckdns.org peer=\
    HOME remote-id=fqdn:***.duckdns.org remote-key=home-erx
add auth-method=rsa-key generate-policy=port-strict key=astarti_mt my-id=\
    fqdn:***.duckdns.org peer=OFFICE remote-id=\
    fqdn:***.duckdns.org remote-key=rodou_mt
    
/ip ipsec policy
add comment="Office RB2011" dst-address=192.168.100.0/24 peer=OFFICE proposal=\
    site-to-site src-address=192.168.16.0/24 tunnel=yes
add dst-address=192.168.100.0/24 peer=OFFICE proposal=site-to-site \
    src-address=192.168.9.0/24 tunnel=yes
add dst-address=192.168.100.0/24 peer=OFFICE proposal=site-to-site \
    src-address=192.168.14.0/24 tunnel=yes
add dst-address=192.168.100.0/24 peer=OFFICE proposal=site-to-site \
    src-address=172.16.16.0/24 tunnel=yes
add comment="Home ER-X" dst-address=192.168.0.0/24 level=unique peer=HOME \
    proposal=site-to-site src-address=192.168.16.0/24 tunnel=yes
add dst-address=192.168.30.0/24 level=unique peer=HOME proposal=site-to-site \
    src-address=192.168.16.0/24 tunnel=yes
add dst-address=192.168.0.0/24 level=unique peer=HOME proposal=site-to-site \
    src-address=172.16.16.0/24 tunnel=yes
add dst-address=192.168.30.0/24 level=unique peer=HOME proposal=site-to-site \
    src-address=172.16.16.0/24 tunnel=yes
add dst-address=192.168.30.0/24 level=unique peer=HOME proposal=site-to-site \
    src-address=192.168.9.0/24 tunnel=yes
add dst-address=192.168.30.0/24 level=unique peer=HOME proposal=site-to-site \
    src-address=192.168.14.0/24 tunnel=yes
    
/ip route
add disabled=no dst-address=192.168.100.0/24 gateway=pppoe-out1 pref-src=\
    192.168.16.1
add comment="IPSEC OWN NETWORKS" disabled=no dst-address=192.168.30.0/24 \
    gateway=pppoe-out1 pref-src=192.168.16.1
add disabled=no dst-address=192.168.0.0/24 gateway=pppoe-out1 pref-src=\
    192.168.16.1


/system routerboard settings
set auto-upgrade=yes
/system scheduler
add interval=15m name=mtcloud_update on-event=mtcloudupdate policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
    may/26/2016 start-time=15:50:54
add disabled=yes interval=20m20s name="IPSec Updater" on-event=\
    home_ipsec_update policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add interval=10m name="DuckDNS Updater" on-event=DUCKDNS policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup

/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool netwatch
add comment="Unifi Cloud Key" disabled=yes host=192.168.16.12

What do you suggest I do to get at least 250 Mbps of combined throughput?
 
mkx
Forum Guru
Posts: 11627
Joined: Thu Mar 03, 2016 10:23 pm

Re: Help! 3011 Capped at 150Mbps

Thu Mar 24, 2022 3:17 pm

Looking at official test results one can get the impression that this device can route at speeds around 840Mbps (routing 25 rules, 512 byte packet size).

However, this figure represents real-life performance with fast-track enabled. With fast-track disabled, performance will be much lower. Your device is capable of better throughput than you are getting, but only if there are multiple parallel streams ... so that the router can distribute load to both CPU cores, e.g. by running two concurrent ftp GETs (all packets of any single connection are handled by the same CPU core to ensure packet order doesn't change). Many modern routers have the same problem, even speedtest.net by default uses a few parallel connections to overcome this problem. Which doesn't seem to be that exposed in real life, e.g. modern web browsers start multiple parallel connections when loading a web page to speed up loading of different page elements.
 
vaiost
just joined
Topic Author
Posts: 15
Joined: Fri May 13, 2016 8:12 pm
Location: Greece

Re: Help! 3011 Capped at 150Mbps

Thu Mar 24, 2022 5:13 pm

mkx wrote:
> Looking at official test results one can get the impression that this device can route at speeds around 840Mbps (routing 25 rules, 512 byte packet size).
>
> However, this figure represents real-life performance with fast-track enabled. With fast-track disabled, performance will be much lower. Your device is capable of better throughput than you are getting, but only if there are multiple parallel streams ... so that the router can distribute load to both CPU cores, e.g. by running two concurrent ftp GETs (all packets of any single connection are handled by the same CPU core to ensure packet order doesn't change). Many modern routers have the same problem, even speedtest.net by default uses a few parallel connections to overcome this problem. Which doesn't seem to be that exposed in real life, e.g. modern web browsers start multiple parallel connections when loading a web page to speed up loading of different page elements.
I get the same performance through speedtest as well. So I guess, that is not the case (parallel streams).

Any ideas to improve the performance?
 
biomesh
Long time Member
Posts: 563
Joined: Fri Feb 10, 2012 8:25 pm

Re: Help! 3011 Capped at 150Mbps

Thu Mar 24, 2022 7:23 pm

Looking at the block diagram, eth1-eth5 has access to both cpus. You have a module in sfp1 (looking at the comments on the interface at least) which means sfp1 and eth6-eth10 only have access to one cpu core. You could try to move the interfaces around to see if that helps performance. You don't state where the tests are being run on your network, so it's hard to say what is happening.

I know you said you need queues, but have you tried it without queues just for testing? Also, have you tried other queue types to see if they impact CPU usage?
 
mafiosa
Member Candidate
Posts: 266
Joined: Fri Dec 09, 2016 8:10 pm
Location: Kolkata, India

Re: Help! 3011 Capped at 150Mbps

Thu Mar 24, 2022 7:29 pm

I was also finding poor throughput, about 210mbps max with 86%+ utilization. Same config with HAP AC^2 would give same throughput with 27% max cpu utilization. I have upgraded to RB5009 as MikroTik support said that's the best we can get from RB3011 on v7.
 
vaiost
just joined
Topic Author
Posts: 15
Joined: Fri May 13, 2016 8:12 pm
Location: Greece

Re: Help! 3011 Capped at 150Mbps

Thu Mar 24, 2022 8:00 pm

biomesh wrote:
> Looking at the block diagram, eth1-eth5 has access to both cpus. You have a module in sfp1 (looking at the comments on the interface at least) which means sfp1 and eth6-eth10 only have access to one cpu core. You could try to move the interfaces around to see if that helps performance. You don't state where the tests are being run on your network, so it's hard to say what is happening.
>
> I know you said you need queues, but have you tried it without queues just for testing? Also, have you tried other queue types to see if they impact CPU usage?
Hello,
That router is at a motel. Right now it is closed, so no guests and almost no devices being utilized in SFP port.
The tests were run from a proxmox vm sitting in the "mgmt-vlan" with a 172.16.16.0/24 subnet connected to eth7 (that will change as soon as I get there) which is not in any queue tree, so not monitored. Disabling all queues makes no difference.
I could leave 2-3 networks outside of queues since I always allow for some overhead in the limits defined in queues.
 
vaiost
just joined
Topic Author
Posts: 15
Joined: Fri May 13, 2016 8:12 pm
Location: Greece

Re: Help! 3011 Capped at 150Mbps

Thu Mar 24, 2022 8:00 pm

mafiosa wrote:
> I was also finding poor throughput, about 210mbps max with 86%+ utilization. Same config with HAP AC^2 would give same throughput with 27% max cpu utilization. I have upgraded to RB5009 as MikroTik support said that's the best we can get from RB3011 on v7.
So the solution is to downgrade to v6?
 
vaiost
just joined
Topic Author
Posts: 15
Joined: Fri May 13, 2016 8:12 pm
Location: Greece

Re: Help! 3011 Capped at 150Mbps

Tue Mar 29, 2022 3:35 pm

Getting back to inform on what MikroTik support has replied:
> RouterOS v7 will have worse slow path performance compared to v6. Take a look at the forum article below for a more detailed explanation:
> viewtopic.php?p=882867#p882867
And to my next question, whether they were suggesting going back to ROS6, they replied:
> We can only suggest FastTrack, configure it for the traffic which can bypass queues, otherwise, there is nothing much we can suggest at the moment.
 
Ferrograph
Member Candidate
Posts: 154
Joined: Wed Mar 07, 2012 4:05 am

Re: Help! 3011 Capped at 150Mbps

Wed Jul 20, 2022 1:57 pm

I'm having the same trouble and similar speed capping, although if I do a UDP bandwidth test from a hap on the network (actually in a remote building off the SFP port) with packet size of 1400 I can easily get gigabit. If I use default 1500 then the speed is a fraction and lots of lost packets. TCP bandwidth test also a fraction. I have a suspicion that the auto MTU might not be working.
 
mkx
Forum Guru
Posts: 11627
Joined: Thu Mar 03, 2016 10:23 pm

Re: Help! 3011 Capped at 150Mbps

Wed Jul 20, 2022 2:05 pm

MTU should not cause any problem if it's the same on all interfaces/subnets. If, OTOH, one subnet has lower MTU than the other one, then router has to perform fragmentation, receiver has to perform re-assembly of fragments, both cause considerable load and may increase latency. UDP has a nice/nasty property of having no effective flow control and it's easy to overflow some intermediate device ... which then causes packet drops. If packets are fragmented, the effect of dropping (fragments) is emphasized.
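
The fragmentation arithmetic behind the last two posts, as an added example that is not part of any post in this thread: it splits an IPv4 packet for a smaller link MTU, shows how fragment loss compounds into datagram loss, and derives the TCP MSS that avoids fragmentation. Assumptions: the bandwidth-test "packet size" is the total IPv4 packet length, headers carry no options, fragment losses are independent, and 1492 is the `max-mtu` of `pppoe-out1` in the export from the first post.

```python
from __future__ import annotations

from dataclasses import dataclass

IPV4_HEADER = 20  # bytes; assumes no IP options
TCP_HEADER = 20   # bytes; assumes no TCP options


@dataclass(frozen=True)
class Fragment:
    offset: int           # byte offset of this piece within the original IP payload
    data_len: int         # bytes of the original IP payload carried
    more_fragments: bool  # MF flag: set on every fragment except the last

    @property
    def packet_len(self) -> int:
        # Every fragment repeats the IPv4 header.
        return IPV4_HEADER + self.data_len


def fragment(packet_len: int, mtu: int) -> list[Fragment]:
    """Split an IPv4 packet (length includes its header) for a link with this MTU."""
    if packet_len <= IPV4_HEADER:
        raise ValueError("packet must carry at least one payload byte")
    if mtu < IPV4_HEADER + 8:
        raise ValueError("MTU too small to carry an 8-byte fragment")
    payload = packet_len - IPV4_HEADER
    if packet_len <= mtu:
        return [Fragment(0, payload, False)]
    # The fragment-offset field counts 8-byte units, so every fragment
    # except the last must carry a multiple of 8 payload bytes.
    per_fragment = (mtu - IPV4_HEADER) // 8 * 8
    fragments = []
    offset = 0
    while offset < payload:
        size = min(per_fragment, payload - offset)
        fragments.append(Fragment(offset, size, offset + size < payload))
        offset += size
    return fragments


def datagram_loss(fragment_loss: float, n_fragments: int) -> float:
    """A datagram is reassembled only if every one of its fragments arrives."""
    return 1.0 - (1.0 - fragment_loss) ** n_fragments


def clamped_mss(mtu: int) -> int:
    """Largest TCP segment that fits one unfragmented packet on this MTU."""
    return mtu - IPV4_HEADER - TCP_HEADER


def report(packet_len: int, mtu: int, fragment_loss: float = 0.01) -> dict:
    """Summarise what one packet costs on the wire once it crosses the link."""
    frags = fragment(packet_len, mtu)
    wire_bytes = sum(f.packet_len for f in frags)
    return {
        "fragments": len(frags),
        "sizes": [f.packet_len for f in frags],
        "wire_bytes": wire_bytes,
        "overhead_pct": round(100 * (wire_bytes - packet_len) / packet_len, 2),
        "datagram_loss_pct": round(100 * datagram_loss(fragment_loss, len(frags)), 2),
    }


if __name__ == "__main__":
    # Constructed comparison: the two test sizes from the thread across MTU 1492.
    for size in (1400, 1500):
        print(size, report(size, 1492))
    print("MSS for MTU 1492:", clamped_mss(1492))
```

A 1500-byte packet crossing a 1492-byte link becomes two packets (1492 and 28 bytes), so the router forwards twice the packet count and a loss of either fragment discards the whole datagram; a 1400-byte packet passes untouched. The MSS of 1452 is the value used by the active `change-mss` mangle rule in the export.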
