So, I purchased a hAP ac3, which has a 4-core 716MHz CPU that I assumed would be adequate. However, I am still hitting 99% CPU usage on the new router and only getting around 680Mbps/480Mbps.
I am wondering if anyone can recommend any configuration changes, or do I just need to go bigger on the router? I was thinking the RB4011iGS+5HacQ2HnD-IN should definitely handle it, being 4-core 1.4GHz, but if I can get this router to work, I'd rather do that.
I have been doing some research, and one thing that I battled with on the new service is that I can't simply put DHCP on ether1; I had to create a WAN Bridge interface with VLAN Filtering enabled in order for DHCP to work. In some previous forum posts, I did see where people were having bandwidth throughput issues using VLAN Filtering, but this is the only way I could get the MikroTik to pull a DHCP address. If anyone has another recommended configuration where I can do away with the bridge interface, I would love to try it.
I have attached a cleaned-up version of my configuration for review:
# sep/26/2022 19:46:25 by RouterOS 7.5
# software id = ***redacted***
#
# model = RBD53iG-5HacD2HnD
# serial number = ***redacted***
/interface bridge add ingress-filtering=no name="WAN Bridge" vlan-filtering=yes
/interface bridge add admin-mac=18:FD:74:57:8D:CF auto-mac=no comment=defconf name=bridge-local
/interface ethernet set [ find default-name=ether1 ] name=ether1-gateway
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface bridge port add bridge=bridge-local comment=defconf interface=ether2
/interface bridge port add bridge=bridge-local comment=defconf interface=ether3
/interface bridge port add bridge=bridge-local comment=defconf interface=ether4
/interface bridge port add bridge=bridge-local comment=defconf interface=ether5
/interface bridge port add bridge="WAN Bridge" interface=ether1-gateway
/interface list member add comment=defconf interface=bridge-local list=LAN
/interface list member add comment=defconf interface=ether1-gateway list=WAN
/interface list member add interface=wlan1 list=WAN
/interface list member add interface="WAN Bridge" list=WAN
/ip address add address=10.100.10.1/24 comment="default configuration" interface=bridge-local network=10.100.10.0
/ip dhcp-client add default-route-distance=2 interface="WAN Bridge"
/ip firewall filter add action=accept chain=input comment=***redacted*** in-interface-list=WAN src-address-list=***redacted***
/ip firewall filter add action=drop chain=forward comment="Drop interVLAN routing" in-interface=bridge-local out-interface=all-vlan
/ip firewall filter add action=drop chain=forward comment="Drop interVLAN routing" in-interface=all-vlan out-interface=all-vlan
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle add action=mark-connection chain=forward comment="mark ipsec connections to exclude them from fasttrack" ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall mangle add action=mark-connection chain=forward comment="mark ipsec connections to exclude them from fasttrack" ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall nat add action=masquerade chain=srcnat comment="default configuration" out-interface-list=WAN