hAP ac3 Bandwidth limitation - high cpu usage

sniderit · Tue Sep 27, 2022 3:58 am

I recently had Frontier fiber installed at my house, 1Gbps/1Gbps. I was previously running a hAP ac but I was only getting about 280Mbps/150Mbps on a speedtest. I am using fasttrack but I noticed my CPU usage was hitting 98-99% so I just assumed the 1 core 720MHz CPU was limiting my ability to get the full throughput.
So, I purchased a hAP ac3 which has a 4 core 716MHz CPU which I assumed would be adequate. However, I am still hitting 99% CPU usage on the new router and only getting around 680Mbps/480Mbps.

I am wondering if anyone can recommend any configuration changes or do I just need to go bigger on the router? I was thinking the RB4011iGS+5HacQ2HnD-IN should definitely handle it being 4 core 1.4GHz but if I can get this router to work, I'd rather do that.

I have been doing some research and 1 thing that I battled with on the new service is I can't simply put DHCP on ether1, I had to create a WAN Bridge interface with VLAN Filtering enabled in order for DHCP to work. In some previous forum posts, I did see where people were having bandwidth throughput issues using VLAN Filtering, but this is the only way I could get the mikrotik to pull a DHCP address. If anyone has another recommended configuration where I can do away with the bridge interface, I would love to try it.

I have attached a cleaned up version of my configuration for review:

# sep/26/2022 19:46:25 by RouterOS 7.5
# software id = ***redacted***
#
# model = RBD53iG-5HacD2HnD
# serial number = ***redacted***
/interface bridge add ingress-filtering=no name="WAN Bridge" vlan-filtering=yes
/interface bridge add admin-mac=18:FD:74:57:8D:CF auto-mac=no comment=defconf name=bridge-local
/interface ethernet set [ find default-name=ether1 ] name=ether1-gateway
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface bridge port add bridge=bridge-local comment=defconf interface=ether2
/interface bridge port add bridge=bridge-local comment=defconf interface=ether3
/interface bridge port add bridge=bridge-local comment=defconf interface=ether4
/interface bridge port add bridge=bridge-local comment=defconf interface=ether5
/interface bridge port add bridge="WAN Bridge" interface=ether1-gateway
/interface list member add comment=defconf interface=bridge-local list=LAN
/interface list member add comment=defconf interface=ether1-gateway list=WAN
/interface list member add interface=wlan1 list=WAN
/interface list member add interface="WAN Bridge" list=WAN
/ip address add address=10.100.10.1/24 comment="default configuration" interface=bridge-local network=10.100.10.0
/ip dhcp-client add default-route-distance=2 interface="WAN Bridge"
/ip firewall filter add action=accept chain=input comment=***redacted*** in-interface-list=WAN src-address-list=***redacted***
/ip firewall filter add action=drop chain=forward comment="Drop interVLAN routing" in-interface=bridge-local out-interface=all-vlan
/ip firewall filter add action=drop chain=forward comment="Drop interVLAN routing" in-interface=all-vlan out-interface=all-vlan
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle add action=mark-connection chain=forward comment="mark ipsec connections to exclude them from fasttrack" ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall mangle add action=mark-connection chain=forward comment="mark ipsec connections to exclude them from fasttrack" ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall nat add action=masquerade chain=srcnat comment="default configuration" out-interface-list=WAN

I have also attached a screenshot of the WAN Bridge VLAN tab.

k6ccc · Tue Sep 27, 2022 4:57 am

For whatever it's worth, when I got my Gig fiber last year, I upgraded my RB750gr3 to a RB4011iGS+ because I figured the 750 would not handle the gig fiber and my 200/10 cable. The 4011 seldom gets over 10%.
I did not need the WiFi in the router because I have separate WiFi, and also separate switches.

sniderit · Tue Sep 27, 2022 5:02 am

moderator note: do not quote preceding post. use "Post Reply".

I appreciate that, I figured the 4011 would do it, just way more powerful. I only use the wifi on the router if my ISP goes down, I have the wlan adapter pre-programmed to the wifi hotspot that I can broadcast on my cell phone so that I can still run my network and use my computer via the cell hotspot. Just a nice little convenience I didn't want to give up if I didn't have to.

Znevna · Tue Sep 27, 2022 7:44 am

Adding a VLAN interface to ether1 and using dhcp-client on that vlan doesn't work?
Most of the problems are from the extra bridge.
Or at least try this, which should leave hardware offload enabled for your LAN bridge:

/interface/bridge/port/set hw=no [find where bridge="WAN Bridge"]

Tue Sep 27, 2022 8:21 am

I agree.
Passing VLAN-boundaries is what is most likely killing the performance and very noticeable on devices where CPU doesn't have the added power to handle it.
Try to have the path with the most traffic on the same VLAN.

Why 2 bridges ?

mkx · Tue Sep 27, 2022 11:06 am

Why 2 bridges ?

Because OP uses 2.4GHz wlan interface as backup WAN interface and he created WAN bridge to join ether1 and wifi1.

However I'm wondering if this is a good idea. The problem (one of them) is that in case both WANs are active, there might be some traffic flowing between them, confusing both ISPs ... If you want to have two WAN links in backup configuration, it would be better to configure each of WAN ports individually and configure failover between them.

Another question is: how do you perform the bandwidth test? Under certain conditions single CPU core performance can be the bottleneck (the rest of CPU cores are lightly used during test). Loading of single CPU core is normal in those conditions and only different test case can get you better performance.

Znevna · Tue Sep 27, 2022 11:19 am

wlan1 is only listed in WAN interfaces list, it is not a member of the WAN bridge, probably just some config remnant, he only uses that bridge for vlan filtering.

mkx · Tue Sep 27, 2022 11:23 am

@znevna: indeed. My bad.

sniderit · Wed Sep 28, 2022 6:38 pm

Appreciate the suggestions guys:
@Znevna - I tried your hardware offload suggestion and that does seem to improve things slightly. Download I am getting about 780Mbps now with CPU hitting low 90%'s and Upload is hitting 950Mbps with only 30-35% CPU usage. The problem with the VLAN interface is the Frontier ONT is passing this traffic with a VLAN tag of 0, and Mikrotik doesn't allow you to create a VLAN interface with id 0. I would love to ditch the WAN Bridge, I just can't think of another way to make this work? Maybe bring the ONT into an access port (random vlan ID) on my switch and use another access port (same vlan ID) to ether1 on mikrotik?

@mkx - I am using speedtest.net from a wired PC on the network to do my testing. I attached a screenshoot of tools/profile showing that all 4 CPU cores are getting maxed out.

Znevna · Wed Sep 28, 2022 7:29 pm

Weird ISP, found a few posts around the forum regarding how to strip vlan tag 0, one of them mentioned your method, with wan in a bridge.
RouterOS handles the bridge vlan filtering in hardware in version 7 for hEX, sooo.. if you have one extra switch, you could try using only two ports from the hEX and do this:
Revert what I posted earlier (you set the same command but with hw=yes)
Make one of the other ports the LAN port and delete the LAN bridge (be sure to move everything LAN related to that port).
I don't know if it will make a difference...
You're near the limit of what 750Gr3 can do in ROS7 anyway (regarding throughput).

k6ccc · Wed Sep 28, 2022 8:07 pm

the Frontier ONT is passing this traffic with a VLAN tag of 0,

That's interesting. My Frontier ONT is not sending me VLAN tagged traffic - double checked that just now with Torch. Just plain old Ethernet. However if this make a difference, I specifically asked for the ONT to be set up in dumb bridge mode.
BTW my Spectrum cable based Internet is the same way.

sniderit · Thu Sep 29, 2022 6:11 am

Just an update here, i've learned that the ONT is not actually passing a VLAN ID of 0, it's actually a priority tag of 0. The thing is i'm not sure how to tell the mikrotik to strip this. I've tried going into Switch > Port tab and telling it to strip the VLAN header but that doesn't seem to work. Any ideas?

k6ccc · Thu Sep 29, 2022 6:33 am

Just an update here, i've learned that the ONT is not actually passing a VLAN ID of 0, it's actually a priority tag of 0. The thing is i'm not sure how to tell the mikrotik to strip this. I've tried going into Switch > Port tab and telling it to strip the VLAN header but that doesn't seem to work. Any ideas?

I don't think you have to strip a priority tag.

hAP ac3 Bandwidth limitation - high cpu usage

hAP ac3 Bandwidth limitation - high cpu usage

Re: hAP ac3 Bandwidth limitation - high cpu usage

Re: hAP ac3 Bandwidth limitation - high cpu usage

Re: hAP ac3 Bandwidth limitation - high cpu usage

Re: hAP ac3 Bandwidth limitation - high cpu usage

Re: hAP ac3 Bandwidth limitation - high cpu usage

Re: hAP ac3 Bandwidth limitation - high cpu usage

Re: hAP ac3 Bandwidth limitation - high cpu usage

Re: hAP ac3 Bandwidth limitation - high cpu usage

Re: hAP ac3 Bandwidth limitation - high cpu usage

Re: hAP ac3 Bandwidth limitation - high cpu usage

Re: hAP ac3 Bandwidth limitation - high cpu usage

Re: hAP ac3 Bandwidth limitation - high cpu usage

Who is online