I have two CRS326-24G-2S+ bonded together via a couple of trunk interfaces in a typical WAN<->Internal LAN scenario (RouterOS 6.49.1).
As the two networks (LAN/WAN) need to be separate, in order to take advantage of RouterOS HW bridge capabilities, I used a single bridge and the associated VLAN filtering feature in order to separate the two networks from each other.
The only twist to the above standard scenario is that I have a mixture of clients and servers sharing the same internal LAN network and I need to limit the access of one IP address set to the other. Thus, I also enabled IP firewall on the bridge interface.
Last but not least, as I want the internal servers/LANs to use a single as a default gateway (for redundancy reasons), I defined a common VRRP IP address between the two routers. Of course, both routers have their WAN segment connected (not to each other, via a separate cable to the WAN main switch of the building).
The issue I am having is that even when I'm copying files between the same LAN segment, I see the router's CPU used at 100%. I read that in the case of enabling IP firewall within the bridge settings, then all traffic flows through the CPU as bridge fast path is not applied. I then turned off bridge IP filtering regarding that, sacrificing on security (I cannot re-segment the internal LAN, assigning different networks to servers and clients). The same however (100% CPU utilization) appears for traffic routed between the internal LAN and the WAN interfaces. The WAN line is a Gigabit fiber one and when copying a file from an internal client to a PC within the WAN DMZ the highest throughput is around 109 Mbps with the router CPU constantly within the 90-100% range.
Please note that all ports in the bridge have the H marking on, thus showing that HW support has been enabled.
Questions:
* Can I modify the router config (with the current network setup) so that I can see better performance/throughput between ports that belong to the same LAN segment?
* Similarly, how can I achieve better throughput between the internal LAN and the WAN segment? Even if H is shown in the bridge ports, all traffic seems to flow within the CPU. Is this the answer? -> viewtopic.php?f=1&t=177092#p878135 . If there is an alternative setup (apart from VLAN filtering) in order to isolate the two networks but at the same time achieve fast track performance, please share!!
* Should we have opted for a better switch/router if we wanted better performance?
Here is the configuration of one of the bonded CRS326 units; the other has a similar configuration. I have not included the IP firewall rules for security reasons, but I can add a couple of them as an indication should it be required.
Your help will be GREATLY appreciated!
Thank you!
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WANOut
set [ find default-name=ether2 ] name=ether2-WANOut
set [ find default-name=ether3 ] name=ether3-LANin
set [ find default-name=ether4 ] name=ether4-LANin
set [ find default-name=ether5 ] name=ether5-LANin
set [ find default-name=ether23 ] name=ether23-Trunk
set [ find default-name=ether24 ] name=ether24-Trunk
set [ find default-name=sfp-sfpplus1 ] disabled=yes
set [ find default-name=sfp-sfpplus2 ] disabled=yes
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no name=bridge-LANin pvid=50 vlan-filtering=yes
/interface vrrp
add interface=bridge-LANin name=vrrp-LANin vrid=50
/interface vlan
add interface=bridge-LANin name=vlan30 vlan-id=30
/interface bonding
add lacp-rate=1sec mode=802.3ad name=bonding-switch-trunk slaves=\
ether24-Trunk,ether23-Trunk transmit-hash-policy=layer-2-and-3
/interface list
add name=WANOut
add name=LANin-Clients
add name=LANin-Srv
/interface bridge port
add bridge=bridge-LANin edge=yes frame-types=\
admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
ether1-WANOut pvid=30
add bridge=bridge-LANin edge=yes frame-types=\
admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
ether2-WANOut pvid=30
add bridge=bridge-LANin frame-types=\
admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
ether3-LANin pvid=50
add bridge=bridge-LANin frame-types=\
admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
ether4-LANin pvid=50
add bridge=bridge-LANin interface=bonding-switch-trunk pvid=99
/interface bridge settings
set use-ip-firewall=yes
/interface bridge vlan
add bridge=bridge-LANin tagged=bonding-switch-trunk untagged="ether3-LANin,ether4-LANin,ether5-LANin,bridge-LANin,*23" vlan-ids=50
add bridge=bridge-LANin tagged=bridge-LANin untagged=ether1-WANOut,ether2-WANOut,*23 vlan-ids=30
/interface list member
add interface=ether1-WANOut list=WANOut
add interface=ether2-WANOut list=WANOut
add interface=ether3-LANin list=LANin-Srv
add interface=ether4-LANin list=LANin-Srv
add interface=ether5-LANin list=LANin-Clients
add interface=vlan30 list=WANOut
/ip address
add address=192.168.50.10/24 comment="LANin Bridge" interface=bridge-LANin network=192.168.50.0
add address=192.168.30.1/24 comment="WANOut Bridge" interface=vlan30 network=192.168.30.0
add address=192.168.50.15 comment="LANin Common" interface=vrrp-LANin network=192.168.50.0
/ip firewall address-list
add address=192.168.50.70-192.168.50.80 list=LANin-Servers-List
add address=192.168.50.20-192.168.50.50 list=LANin-Clients-List
/ip firewall nat
add action=masquerade chain=srcnat comment="Allow All Traffic from Clients to WANOut" out-interface-list=WANOut src-address-list=LANin-Clients-List
add action=masquerade chain=srcnat comment="Allow All Traffic from local Servers to WANOut" out-interface-list=WANOut src-address-list=LANin-Servers-List
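As an added example (not part of the post and not MikroTik's own tooling), a small Python linter that walks a RouterOS export like the one above and flags the three things a reviewer would notice: a default-name used twice under /interface ethernet, use-ip-firewall=yes in the bridge settings (which the post notes forces bridged traffic through the CPU instead of the fast path), and a NAT rule whose description is a bare quoted string rather than a comment= value. The EXPORT excerpt is constructed for the demo.

```python
import re

# Constructed excerpt modelled on the export in the post (not the full config).
EXPORT = """\
/interface ethernet
set [ find default-name=ether4 ] name=ether4-LANin
set [ find default-name=ether4 ] name=ether5-LANin
/interface bridge settings
set use-ip-firewall=yes
/ip firewall nat
add action=masquerade chain=srcnat "Allow All Traffic from Clients to WANOut" \\
    out-interface-list=WANOut src-address-list=LANin-Clients-List
"""

def parse_export(text):
    """Return (section, statement) pairs; a trailing backslash continues a statement."""
    section, buf, items = None, "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            section = line
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        items.append((section, buf + line))
        buf = ""
    return items

def lint(text):
    """Return human-readable findings for the export text."""
    findings, seen = [], {}
    for section, stmt in parse_export(text):
        if section == "/interface ethernet":
            m = re.search(r"default-name=(\S+)\s*\]\s*name=(\S+)", stmt)
            if m:
                if m.group(1) in seen:
                    findings.append(f"duplicate default-name={m.group(1)}: "
                                    f"{seen[m.group(1)]} and {m.group(2)}")
                seen[m.group(1)] = m.group(2)
        elif section == "/interface bridge settings" and "use-ip-firewall=yes" in stmt:
            findings.append("use-ip-firewall=yes: bridged traffic is handled by the CPU, "
                            "not the switch chip fast path")
        elif section == "/ip firewall nat":
            # A quoted string not preceded by key= will not import; comment= is missing.
            if re.search(r'(?:^|\s)"[^"]*"', stmt):
                findings.append("nat rule has a bare quoted string; probably missing comment=")
    return findings
```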