collateral
just joined
Topic Author
Posts: 2
Joined: Tue Mar 14, 2023 7:19 pm

WAN/LAN traffic interaction on HAP AX^3 HW acceleration issue

Thu Mar 23, 2023 9:29 pm

I recently bought an HAP AX^3 for my personal use at home.
I am new to Mikrotik devices, but I am not new to networks and network switches.

A few days after the initial configuration I finally found some time to do some performance testing with my new equipment, and I noticed a weird behavior:
If I have a TCP stream running between two machines in my LAN (red arrow in my graph), my upload throughput towards the Internet (green arrow) is only 200 Mb/s instead of the normal 1 Gb/s, the download speed is unaffected.
schema_mikrotik.png
If I just send from a computer in my LAN towards the Internet using TCP, with no other significant traffic on my LAN I can saturate my 1 Gb/s connection.
If I try to stress the switch with just local traffic it can bridge 2 full-duplex TCP streams without any issues.
The problem seems to happen only when I have both local and external traffic.

In order to exclude any possible misbehavior of the NAT, I tried to replicate the setup using another port and assigning it to a different subnet. The router shows the same behavior, as soon as there is bridged and routed traffic the upload of the routed stream (green arrow) is limited to 200 Mb/s.
schema_mikrotik_2.png
If I disable the HW offloading of L2 traffic the problem goes away, so this seems to be related to the HW offloading in the switch ASIC.

This is the configuration I am currently running:
/interface bridge
add admin-mac=48:A9:8A:0C:DF:02 auto-mac=no comment=defconf name=bridge protocol-mode=none
add name=guest_traffic
/interface ethernet
set [ find default-name=ether5 ] mac-address=00:1E:80:A8:91:90 name=eth_wan
set [ find default-name=ether1 ] poe-out=off
/interface wifiwave2
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=10min-cac .width=20/40mhz configuration.country=France .mode=ap .ssid=frafla_network disabled=no name=wifi \
    security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.country=France .mode=ap .ssid=frafla_network_5G disabled=no name=wifi_5g \
    security.authentication-types=wpa2-psk,wpa3-psk
add channel.band=2ghz-ax .skip-dfs-channels=10min-cac .width=20/40mhz configuration.country=France .mode=ap .ssid=frafla_guest disabled=no mac-address=4A:A9:8A:0C:DF:07 master-interface=\
    wifi name=wifi_guest security.authentication-types=wpa2-psk,wpa3-psk
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="guest internet only traffic" name=GUEST
/ip pool
add name=default-dhcp ranges=192.168.0.2-192.168.0.254
add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=dhcp
add address-pool=dhcp_pool1 interface=guest_traffic name=guest_dhcp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wifi_5g
add bridge=bridge comment=defconf interface=wifi
add bridge=guest_traffic interface=wifi_guest
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set max-neighbor-entries=15360
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=eth_wan list=WAN
add interface=guest_traffic list=GUEST
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=192.168.0.0
add address=192.168.10.1/24 interface=guest_traffic network=192.168.10.0
/ip dhcp-client
add interface=eth_wan
/ip dhcp-server lease
add address=192.168.0.10 mac-address=00:11:32:BE:DE:73 server=dhcp
add address=192.168.0.4 mac-address=DC:A6:32:D8:6F:04 server=dhcp
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.1 gateway=192.168.0.1
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall address-list
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=192.168.0.0/24 comment="LAN addresses" list=lan
add address=192.168.10.0/24 comment="Guest LAN addresses" list=guest_lan
add address=192.168.0.0/24 comment="All LAN addresses" list=local
add address=192.168.10.0/24 comment="All LAN addresses" list=local
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Guest network can only access the Internet" in-interface-list=GUEST out-interface-list=!WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN src-address-list=local
add action=dst-nat chain=dstnat comment="NAS/Synology Drive Server" dst-port=6690 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.10 to-ports=6690
add action=dst-nat chain=dstnat comment=NAS/openvpn dst-port=1194 in-interface-list=WAN protocol=udp to-addresses=192.168.0.10 to-ports=1194
add action=dst-nat chain=dstnat comment=NAS/ssh dst-port=50314 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.10 to-ports=22
add action=dst-nat chain=dstnat comment="NAS/hyper backup vault" dst-port=6281 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.10 to-ports=6281
add action=dst-nat chain=dstnat comment=NAS/management dst-port=5314 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.10 to-ports=5314
/ip firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment="defconf: drop forward to local lan from WAN" dst-address-list=local in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop LAN traffic if not from lan address range" in-interface-list=LAN src-address-list=!lan
add action=drop chain=prerouting comment="defconf: drop Guest LAN traffic if not from guest lan address range" in-interface-list=GUEST src-address-list=!guest_lan
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment="defconf: accept everything else from GUEST LAN" in-interface-list=GUEST
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 protocol=tcp
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
/ip ipsec policy
set 0 disabled=yes
/ip ssh
set strong-crypto=yes
/ip tftp
add disabled=yes real-filename=MikroTik-20230305-1857.backup req-filename=MikroTik-20230305-1857.backup
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Paris
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.fr.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool graphing
set page-refresh=60
/tool graphing interface
add disabled=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool traffic-monitor
add disabled=yes interface=eth_wan name=traf1
Am I missing something in the configuration, or is there a problem with the HW offloading?

Thank you.
Last edited by collateral on Thu Mar 30, 2023 4:32 pm, edited 1 time in total.
 
collateral

Re: WAN/LAN traffic interaction on HAP AX^3

Thu Mar 30, 2023 4:11 pm

I am posting an update.

Since 06/03/23 the official documentation has been updated, and this sentence has been added:
Currently, HW offloaded bridge support for the IPQ-PPE switch chip is still a work in progress. We recommend using, the default, non-HW offloaded bridge (enabled RSTP).
I guess that they are working on it. In any case it is a bit sad to release a product before it is ready, especially because there is no mention of this on the product page and I purchased it before the update of the documentation.

I hope they will fix it soon.
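As an added example (not from the original posts or from MikroTik's documentation), here are the RouterOS commands to check which bridge ports are currently hardware-offloaded, apply the workaround the first post found and the documentation now recommends (non-offloaded bridge with RSTP), and revert it for A/B throughput testing. It assumes the names from the export in the first post: a bridge called "bridge" with the wired LAN ports ether1-ether4 as members.

```routeros
# Added example, not from the original thread. Assumes bridge "bridge" and
# wired LAN members ether1-ether4 as in the posted export.

# 1. Show which bridge ports the switch chip is currently offloading.
#    In the port list the "H" flag marks an HW-offloaded port.
/interface bridge port print where hw=yes

# 2. Disable switch-chip offloading on the wired LAN members only.
#    The "hw" setting applies to switch-chip (ethernet) ports, so the find
#    is restricted to interfaces whose name starts with "ether"; the wifi
#    ports are left alone.
/interface bridge port set [find where bridge="bridge" && interface~"^ether"] hw=no

# 3. The updated documentation recommends the non-offloaded bridge with RSTP
#    enabled; the posted export runs the bridge with protocol-mode=none.
/interface bridge set [find name="bridge"] protocol-mode=rstp

# 4. Verify: the first print should now be empty, and routed LAN->WAN traffic
#    should still be handled by the fasttrack rule (its counters keep growing).
/interface bridge port print where hw=yes
/ip firewall filter print stats where action=fasttrack-connection

# 5. To repeat the throughput test with offloading on again, revert step 2:
# /interface bridge port set [find where bridge="bridge" && interface~"^ether"] hw=yes
```

With hw=no the L2 forwarding between LAN ports is done by the CPU instead of the switch ASIC, so re-run the same two concurrent streams (LAN-to-LAN and LAN-to-WAN upload) after each toggle; the routed path is unchanged, since the fasttrack-connection rule and the NAT rules are evaluated exactly as before.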
