florianmulatz
newbie
Topic Author
Posts: 42
Joined: Mon Sep 16, 2013 5:02 pm
Location: Klagenfurt am Woerthersee / Austria

Speed drop after update to 7.1stable

Wed Dec 08, 2021 9:55 am

Hi Guys,

First of all I'm using a RB3011. My Internet Connection is normally around 550 - 650MBit which I do get with 6.49.2.
The CPU reaches about (max) ~50% load during speedtest (firewall enabled). After update to 7.1 stable it maxes out at around 250-300MBit and the cpu reaches 100% with firewall enabled and around 80% with firewall disabled (no change in max dl-speed with disabled firewall).
Fasttrack rules are in place of course.

I don't know where to start to be honest.

Do you guys have any idea?

Cheers

PS: I can do a screenshot with 7.1 tomorrow. I've reverted back to 6.49.2 because of family constraints :)
 
tomaskir
Trainer
Posts: 1162
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: Speed drop after update to 7.1stable

Wed Dec 08, 2021 7:24 pm

Probably best to report this directly to support, including supout files from both v6 and v7.
 
mrz
MikroTik Support
Posts: 7042
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Speed drop after update to 7.1stable

Wed Dec 08, 2021 7:30 pm

Disable route cache in ROS v6 and then compare the speeds.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Speed drop after update to 7.1stable

Wed Dec 08, 2021 8:38 pm

I think the disable route cache setting is broken in v6, I did some tests a few versions ago, it didn't change anything.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Speed drop after update to 7.1stable

Wed Dec 08, 2021 11:43 pm

Fasttrack rules are in place of course.
See if the fasttrack rules are working and the fasttrack counters are going up. The lack of route caching in RouterOS v7 means that you will get lower speed test results without fasttrack, but I would expect Fasttrack to help more than it is if it was working.

You can see my response here to post about a similar seemingly slower IPv6 performance on RouterOS v7: viewtopic.php?t=180831&start=300#p896045

You should get similar results on IPv4 as well if fasttrack is not used, just like IPv6.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Speed drop after update to 7.1stable

Wed Dec 08, 2021 11:47 pm

I think the disable route cache setting is broken in v6, I did some tests a few versions ago, it didn't change anything.
Yes, I suspect the disable route cache setting was made into a dummy switch in RouterOS v7 that doesn't actually do anything (because there is no route cache there), and this change (making it a dummy switch) was accidentally backported to RouterOS v6, breaking the ability to turn off route caching from recent v6 versions.
 
florianmulatz
newbie
Topic Author
Posts: 42
Joined: Mon Sep 16, 2013 5:02 pm
Location: Klagenfurt am Woerthersee / Austria

Re: Speed drop after update to 7.1stable

Thu Dec 09, 2021 7:27 am

Good Morning,
Disable route cache in ROS v6 and then compare the speeds.
Disabling route-cache caused 6.49.2 also to max out at around 350MBit (but with the CPU at ~50%).
See if the fasttrack rules are working and the fasttrack counters are going up.
.....
Yes they are. It's also shown as active in IP-Settings (IPv4 Fasttrack Active - counting up)

Thx for your help indeed!
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Speed drop after update to 7.1stable

Thu Dec 09, 2021 3:52 pm

Disabling route-cache caused 6.49.2 also to max out at around 350MBit (but with the CPU at ~50%).

Yes they are. It's also shown as active in IP-Settings (IPv4 Fasttrack Active - counting up)
The route cache is gone from v7 and is not coming back, so if it is the only reason for the speedtest results you are seeing, then unfortunately you will not be able to replicate those speedtest results with v7. Route caching would give an artificial boost to things like speedtests making it look like your router could handle more traffic than it could in normal real world situations, so on RouterOS v6 you get the 620Mbps speedtest result when your router most likely can't handle more than 300-350Mbps of real world traffic with route caching on in v6.

Are you using the default firewall ruleset, or did you modify things? If you modified things it could be that you are only fasttracking a portion of your traffic instead of all traffic.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Speed drop after update to 7.1stable

Thu Dec 09, 2021 3:56 pm

Moving a huge video file to a remote NAS or to a NAS from another subnet doesn't count as "real world" ?
Or database backups, or other big files.
 
florianmulatz
newbie
Topic Author
Posts: 42
Joined: Mon Sep 16, 2013 5:02 pm
Location: Klagenfurt am Woerthersee / Austria

Re: Speed drop after update to 7.1stable

Thu Dec 09, 2021 4:11 pm

Disabling route-cache caused 6.49.2 also to max out at around 350MBit (but with the CPU at ~50%).

Yes they are. It's also shown as active in IP-Settings (IPv4 Fasttrack Active - counting up)
The route cache is gone from v7 and is not coming back, so if it is the only reason for the speedtest results you are seeing, then unfortunately you will not be able to replicate those speedtest results with v7. Route caching would give an artificial boost to things like speedtests making it look like your router could handle more traffic than it could in normal real world situations, so on RouterOS v6 you get the 620Mbps speedtest result when your router most likely can't handle more than 300-350Mbps of real world traffic with route caching on in v6.

Are you using the default firewall ruleset, or did you modify things? If you modified things it could be that you are only fasttracking a portion of your traffic instead of all traffic.
Ehm - don't get me wrong but I can download from the internet with ~55MB from CDN-networks (for example via ddownload or rapidgator) so I assume that the speedtest tells me the truth and does not tell me "fictional facts".
Also the test-results on https://mikrotik.com/product/RB3011UiAS ... estresults tell another language.
 
florianmulatz
newbie
Topic Author
Posts: 42
Joined: Mon Sep 16, 2013 5:02 pm
Location: Klagenfurt am Woerthersee / Austria

Re: Speed drop after update to 7.1stable

Thu Dec 09, 2021 4:19 pm

Sorry missed your question regarding the firewall. I use a self made firewall -->
[admin@router-main] /ip firewall filter> export 
# dec/09/2021 15:16:04 by RouterOS 6.49.2
/ip firewall filter
add action=accept chain=input comment="WireGuard Docker Container" dst-port=51820 log=yes protocol=udp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address=!192.168.100.0/24 src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=jump chain=forward comment="jump to kid-control rules" jump-target=kid-control
add action=drop chain=forward comment="Block YouTube on FireTV Sandro" layer7-protocol=YouTube src-address=192.168.100.67
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward connection-nat-state=dstnat
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface-list=LAN_list log=yes log-prefix=!public_from_LAN out-interface-list=!LAN_list
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN_list log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface-list=WAN_list log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface-list=LAN_list log=yes log-prefix=LAN_!LAN src-address=!192.168.100.0/24
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=log chain=icmp comment="deny all other types"
add action=drop chain=icmp comment="deny all other types"

/ip firewall layer7-protocol
add name=YouTube regexp="^.+(youtube.com).*\$"

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=3074,27014-27050 in-interface-list=WAN_list protocol=tcp to-addresses=192.168.100.59
add action=dst-nat chain=dstnat dst-port=3074,3075,3076,3077,3078,3079 in-interface-list=WAN_list protocol=udp to-addresses=192.168.100.59
add action=dst-nat chain=dstnat comment="SSH to zeus 22" dst-port=8080 in-interface-list=WAN_list protocol=tcp to-addresses=192.168.100.211 to-ports=22
add action=dst-nat chain=dstnat comment=wireguard dst-port=51820 in-interface-list=WAN_list protocol=udp to-addresses=192.168.100.210 to-ports=51820
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN_list protocol=tcp to-addresses=192.168.100.210 to-ports=443
add action=dst-nat chain=dstnat comment=temp_rule_for_letsencrypt_do_not_change dst-port=80 in-interface-list=WAN_list protocol=tcp to-addresses=192.168.100.210 to-ports=80
add action=masquerade chain=srcnat comment="lan --> internet" out-interface-list=WAN_list src-address=192.168.100.0/24
add action=masquerade chain=srcnat disabled=yes

/ip firewall raw
add action=drop chain=prerouting in-interface-list=WAN_list src-address-list=blacklist
cheers
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Speed drop after update to 7.1stable

Thu Dec 09, 2021 4:23 pm

Ehm - don't get me wrong but I can download from the internet with ~55MB from CDN-networks (for example via ddownload or rapidgator) so I assume that the speedtest tells me the truth and does not tell me "fictional facts".
Also the test-results on https://mikrotik.com/product/RB3011UiAS ... estresults tell another language.
Route caching gives a boost to speed tests and big file downloads in the same way because of how it works. So yes, big file downloads to one system will also decrease in speed in v7, but you are not doing big file downloads all the time like that. Where route caching starts to really harm the performance of the device is when you have a bunch of users behind it going to a bunch of different websites and other online things. In RouterOS v6 most of this regular browsing traffic will miss the cache, and the cache harms performance more than helping. That is why it was removed from the Linux kernel nearly a decade ago.

Those test results are on RouterOS v6. As MikroTik has been revising test results for RouterOS v7 they are often 20-50% lower than what they were on RouterOS v6 for the same device.

Please see this for more details: viewtopic.php?p=882867#p882867
Last edited by mducharme on Thu Dec 09, 2021 4:51 pm, edited 2 times in total.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Speed drop after update to 7.1stable

Thu Dec 09, 2021 4:32 pm

Sorry missed your question regarding the firewall. I use a self made firewall -->
The block Youtube on fireTV layer 7 rule needs to be moved down and adjusted. It will be extremely heavy on the router and is probably the reason you are getting slower fasttrack speeds than I would expect. Layer7 matchers are so heavy that they often completely kill the performance. If you disable it temporarily you should find higher speeds with fasttrack, and then you can figure out how to adjust the rule in the list and in terms of the conditions so that it doesn't have to scan so much traffic.

You could also remove some things like the ssh brute force - you probably shouldn't have ssh open to the world anyway so there is no need for address lists for brute force, and you can cut down on the number of rules for ICMP. And some other changes, like moving the accept dstnat rule below the accept established,related. And you have the raw blacklist rule as well, which is probably not necessary for a home router.

You may even want to try using the MikroTik default firewall for comparison temporarily:
/interface list member add list=LAN interface=bridge comment="defconf"
/interface list member add list=WAN interface=ether1 comment="defconf"
/ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"
/ip firewall {
  filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
  filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
  filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
  filter add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
  filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
  filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
  filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
  filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
  filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
  filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
  filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
}
If all that does not help you may just need a faster device.
Last edited by mducharme on Thu Dec 09, 2021 5:00 pm, edited 6 times in total.
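
Added example (not part of the original post and not MikroTik code): a small Python check that reads an `/ip firewall filter` export and reports the two ordering points raised in the post above, a layer7 matcher placed ahead of the established/related shortcut and an accept-dstnat rule placed ahead of the accept established,related rule. The finding labels and function names are made up for this example, and the sample export is constructed in the shape of the one posted in the thread.

```python
import shlex

FILTER_SECTION = "/ip firewall filter"

# Constructed sample: shortened rules in the shape of the export posted in the thread.
SAMPLE_EXPORT = '''
/ip firewall filter
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=drop chain=input
add action=jump chain=forward comment="jump to kid-control rules" jump-target=kid-control
add action=drop chain=forward comment="Block YouTube" layer7-protocol=YouTube src-address=192.168.100.67
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward connection-nat-state=dstnat
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN_list
'''


def parse_filter_rules(export_text):
    """Return the filter-table rules of a RouterOS export as dicts, in rule order."""
    rules, section, pending = [], None, ""
    for raw in export_text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):            # exports wrap long lines with a trailing backslash
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            # Section header, or the one-line form "/ip firewall filter add ...".
            head, sep, rest = line.partition(" add ")
            section = head.strip()
            if not sep:
                continue
            line = "add " + rest
        if section != FILTER_SECTION or not line.startswith("add "):
            continue
        rule = {}
        for token in shlex.split(line[4:]):   # shlex keeps quoted comments as one token
            key, _, value = token.partition("=")
            rule[key] = value
        rule["index"] = len(rules)            # 0-based position within the filter table
        rules.append(rule)
    return rules


def _states(rule):
    return set(rule.get("connection-state", "").split(","))


def audit_filter_order(rules):
    """Return sorted (index, chain, label) findings; labels are hypothetical names."""
    chains = {}
    for rule in rules:
        chains.setdefault(rule.get("chain"), []).append(rule)

    findings = []
    for chain, chain_rules in chains.items():
        # First rule that short-circuits established traffic (fasttrack or accept).
        shortcut = next((r["index"] for r in chain_rules
                         if r.get("action") in ("accept", "fasttrack-connection")
                         and "established" in _states(r)), None)
        # First plain accept of established traffic.
        accept_est = next((r["index"] for r in chain_rules
                           if r.get("action") == "accept"
                           and "established" in _states(r)), None)
        for r in chain_rules:
            # A chain with no shortcut at all runs the layer7 matcher on everything it sees.
            if "layer7-protocol" in r and (shortcut is None or r["index"] < shortcut):
                findings.append((r["index"], chain, "layer7-before-established"))
            if (r.get("action") == "accept"
                    and r.get("connection-nat-state") == "dstnat"
                    and accept_est is not None and r["index"] < accept_est):
                findings.append((r["index"], chain, "dstnat-accept-before-established"))
    return sorted(findings)


if __name__ == "__main__":
    for index, chain, label in audit_filter_order(parse_filter_rules(SAMPLE_EXPORT)):
        print(f"rule {index} ({chain}): {label}")
```
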
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Speed drop after update to 7.1stable

Thu Dec 09, 2021 4:35 pm

Moving a huge video file to a remote NAS or to a NAS from another subnet doesn't count as "real world" ?
Or database backups, or other big files.
It is not a typical traffic pattern for an internet router. You aren't doing file transfers like that all the time, only occasionally. Still, even if you make the argument that it should be considered typical, route caching has been gone from the Linux kernel for almost 10 years, and MikroTik cannot put it back.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Speed drop after update to 7.1stable

Thu Dec 09, 2021 5:22 pm

I wasn't picking on route caching being gone, I was picking on your definition of "real world".
There are users out there that bought routers for home use, not to be a small ISP in their home, nobody keeps at home tens of machines doing random stuff on the internet.
And yes there are users that do video editing and 3D rendering from a home office. And yes they have 500Mbps+ connections.
And yes they bought a hEX or hAP ac2/ac3/Audience/ for that connection, which currently work fine with ROS v6, not so much with IPv6, but that will probably change if IPv6 FastTrack gets implemented.
It's not all about ISPs.
LE: removed Chateau, that's v7 only(?).
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Speed drop after update to 7.1stable

Thu Dec 09, 2021 5:37 pm

These days there are a lot of systems in homes - families with kids, you can have a bunch of laptops, phones, tablets, and gaming systems. In most cases the total traffic used is fairly low because things are not being used all the time, so whether such heavy users have 300Mbps connections or 1Gbps connections they really only use 10-20Mbps on average. So the 1Gbps connection isn't really any faster for them than the 300Mbps connection if only 10-20Mbps is used.

And for the people who do a lot of file transfers and bulk traffic that route caching really helps with, in cases where there is a CPU bottleneck, then unfortunately they will get slower speeds on v7, and the choice will be to remain on RouterOS v6 forever or upgrade to a more powerful device. I suspect some users will instead try to wait for this to be "fixed" in v7, thinking it is just a bug that can be fixed, when this will never happen.

I am hoping that at some point MikroTik goes back and revises the product pages for existing devices to show the v7 performance instead of v6, so that people know what to expect.
 
mozerd
Forum Veteran
Posts: 872
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Speed drop after update to 7.1stable

Thu Dec 09, 2021 5:59 pm

@mducharme
In my market many clients have multiple [4 to 5] real-time HD iptv streams running all day long plus many other real time activities by other family members plus plus plus … they all have 1 Gbps service and yes all working well ….
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Speed drop after update to 7.1stable

Thu Dec 09, 2021 6:09 pm

You don't need that much bandwidth for a few video streams. 4K streams are usually under 50Mbps, HD ones are insignificant.
 
florianmulatz
newbie
Topic Author
Posts: 42
Joined: Mon Sep 16, 2013 5:02 pm
Location: Klagenfurt am Woerthersee / Austria

Re: Speed drop after update to 7.1stable

Fri Dec 10, 2021 8:16 am

The block Youtube on fireTV layer 7 rule needs to be moved down and adjusted. It will be extremely heavy on the router and is probably the reason you are getting slower fasttrack speeds than I would expect. Layer7 matchers are so heavy that they often completely kill the performance. If you disable it temporarily you should find higher speeds with fasttrack, and then you can figure out how to adjust the rule in the list and in terms of the conditions so that it doesn't have to scan so much traffic.

You could also remove some things like the ssh brute force - you probably shouldn't have ssh open to the world anyway so there is no need for address lists for brute force, and you can cut down on the number of rules for ICMP. And some other changes, like moving the accept dstnat rule below the accept established,related. And you have the raw blacklist rule as well, which is probably not necessary for a home router.

You may even want to try using the MikroTik default firewall for comparison temporarily:
I deleted my whole firewall and took this one as successor https://help.mikrotik.com/docs/display/ ... t+Firewall which should be MT approved I guess. There is no reasonable difference in CPU load.

But to be honest I do not get the point why I do need another device - I did speedtests now with and without Route-Cache on v6 (not tested v7 until now)

enabled-route-cache -- Download ~ 550MBit
lcd                                 0.5%
spi                                 2.5%
ethernet                           10.2%
console                             0.2%
firewall                           10.5%
networking                         12.7%
winbox                              0.2%
management                            1%
profiling                             0%
traffic-accou...                    0.5%
bridging                              3%
unclassified                          5%
total                              46.3%
disabled-route-cache -- Download ~ 340Mbit
lcd                                 0.7%
spi                                   3%
ethernet                            7.5%
console                             0.2%
firewall                           17.2%
networking                         18.5%
winbox                              0.5%
management                          1.7%
routing                             3.2%
dhcp                                  0%
profiling                           0.5%
traffic-accou...                    1.2%
bridging                            5.5%
unclassified                          8%
total                              67.7%
So from a CPU-Load perspective I do not understand why a more powerful device is needed (btw - I thought that the 3011 with dual 1,4GHz ARM CPU "is" powerful - which one would you assume to fulfill the needs for my internet-connection then?)

Cheers
 
raimondsp
MikroTik Support
Posts: 267
Joined: Mon Apr 27, 2020 10:14 am

Re: Speed drop after update to 7.1stable

Fri Dec 10, 2021 12:05 pm

Please read this.
 
florianmulatz
newbie
Topic Author
Posts: 42
Joined: Mon Sep 16, 2013 5:02 pm
Location: Klagenfurt am Woerthersee / Austria

Re: Speed drop after update to 7.1stable

Fri Dec 10, 2021 1:36 pm

Please read this.
I did already before.

How is this related when I even do NOT hit the cpu limit with my system. I did the test again with 7.1 and it maxes out at around 320MBit with 70% CPU.
So why not 100% CPU?

Please don't blame me but I do not get the point ...-

cheers
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Speed drop after update to 7.1stable

Sat Dec 11, 2021 12:32 am

How is this related when I even do NOT hit the cpu limit with my system. I did the test again with 7.1 and it maxes out at around 320MBit with 70% CPU.
So why not 100% CPU?
It will be a CPU limit if any one of the CPU cores is maxed out. Your router has two cores. You have to go into System->Resources->CPU button and look at the CPU load for each core. If either core goes to 100% (which means that your total utilization is at 50%) then it is a CPU limit. Many processes can only work on a single core and cannot be spread across different cores. Things like managing traffic on a single physical interface are often bound to one CPU core and therefore the interface traffic will not be able to go higher if that core is at 100%.

You have to ignore the CPU% in the top right corner of winbox and look at the percent for each core instead. The winbox display is near useless because it doesn't show you if one of the cores is maxed. That 70% that you saw is an average across the two cores, so it could happen from one core at 100% usage and the other at 40% usage.
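
Added example (not part of the original post): a Python sketch that parses `/system/resource/cpu print` output and reports the average next to the busiest core, so the case described above (a 70% average hiding one core at 100%) shows up explicitly. The first sample is the RouterOS 7.1 output posted later in this thread, the second is constructed from the 100% / 40% split in the post, and the 95% saturation threshold and function names are assumptions of this example.

```python
import re

# Output posted later in this thread (RouterOS 7.1, firewall enabled).
THREAD_OUTPUT = """\
Columns: CPU, LOAD, IRQ, DISK
#  CPU   LOAD  IRQ  DISK
0  cpu0  78%   40%  0%
1  cpu1  64%   55%  0%
"""

# Constructed sample: the 100% / 40% split from the post (IRQ values are made up).
CONSTRUCTED_OUTPUT = """\
Columns: CPU, LOAD, IRQ, DISK
#  CPU   LOAD  IRQ  DISK
0  cpu0  100%  35%  0%
1  cpu1  40%   20%  0%
"""

# One data row: index, core name, then LOAD / IRQ / DISK percentages.
ROW = re.compile(r"^\s*\d+\s+(cpu\d+)\s+(\d+)%\s+(\d+)%\s+(\d+)%\s*$")


def parse_cpu_print(text):
    """Return {core: {"load": int, "irq": int, "disk": int}} from the print output."""
    cores = {}
    for line in text.splitlines():
        match = ROW.match(line)
        if match:                      # header and "Columns:" lines do not match
            name, load, irq, disk = match.groups()
            cores[name] = {"load": int(load), "irq": int(irq), "disk": int(disk)}
    return cores


def core_limit_report(text, saturated_at=95):
    """Compare the averaged load with the busiest single core.

    saturated_at is an assumed threshold for calling a core maxed out.
    """
    cores = parse_cpu_print(text)
    if not cores:
        raise ValueError("no per-core rows found in output")
    loads = {name: stats["load"] for name, stats in cores.items()}
    busiest = max(loads, key=loads.get)
    return {
        "average": sum(loads.values()) / len(loads),
        "busiest_core": busiest,
        "busiest_load": loads[busiest],
        "single_core_limit": loads[busiest] >= saturated_at,
    }


if __name__ == "__main__":
    for label, sample in (("thread", THREAD_OUTPUT), ("constructed", CONSTRUCTED_OUTPUT)):
        print(label, core_limit_report(sample))
```
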
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Speed drop after update to 7.1stable

Sat Dec 11, 2021 6:04 am

I deleted my whole firewall and took this one as successor https://help.mikrotik.com/docs/display/ ... t+Firewall which should be MT approved I guess.
FYI - The "Building Your First Firewall" page has a much more complicated firewall than MikroTik devices normally come preconfigured with, with many more rules. I generally prefer the MikroTik default firewall to the one on that page. I'm not saying the one on that page is bad, but it goes overboard, especially if you are worried about performance. That is why I shared the rules with you instead of sending you to that page.
 
florianmulatz
newbie
Topic Author
Posts: 42
Joined: Mon Sep 16, 2013 5:02 pm
Location: Klagenfurt am Woerthersee / Austria

Re: Speed drop after update to 7.1stable

Sat Dec 11, 2021 9:19 am

It will be a CPU limit if any one of the CPU cores is maxed out. Your router has two cores. You have to go into System->Resources->CPU button and look at the CPU load for each core. If either core goes to 100% (which means that your total utilization is at 50%) then it is a CPU limit. Many processes can only work on a single core and cannot be spread across different cores. Things like managing traffic on a single physical interface are often bound to one CPU core and therefore the interface traffic will not be able to go higher if that core is at 100%.

You have to ignore the CPU% in the top right corner of winbox and look at the percent for each core instead. The winbox display is near useless because it doesn't show you if one of the cores is maxed. That 70% that you saw is an average across the two cores, so it could happen from one core at 100% usage and the other at 40% usage.
Hmm I did not post the cpu from winbox but from /tool profile (maybe you've overseen)
And I posted also in the very first post of this topic that the difference with even DISABLED firewall is not worth mentioning :)

Ok I've looked to CPU Resources via console now and this even draws the same picture. cpu does not max out to 100%
[admin@router-main] /system/resource/cpu> print 
Columns: CPU, LOAD, IRQ, DISK
#  CPU   LOAD  IRQ  DISK
0  cpu0  78%   40%  0%  
1  cpu1  64%   55%  0%  
and just for reference so no firewall could influence the behaviour - here the results with completely disabled firewall
[admin@router-main] /system/resource/cpu> print 
Columns: CPU, LOAD, IRQ, DISK
#  CPU   LOAD  IRQ  DISK
0  cpu0  76%   72%  0%  
1  cpu1  62%   47%  0%  
so there is not really a noticeable difference.

Cheers
 
biomesh
Long time Member
Posts: 561
Joined: Fri Feb 10, 2012 8:25 pm

Re: Speed drop after update to 7.1stable

Sat Dec 11, 2021 2:45 pm

Did you disable your layer 7 rule as well for your test?
 
florianmulatz
newbie
Topic Author
Posts: 42
Joined: Mon Sep 16, 2013 5:02 pm
Location: Klagenfurt am Woerthersee / Austria

Re: Speed drop after update to 7.1stable

Sat Dec 11, 2021 5:11 pm

Did you disable your layer 7 rule as well for your test?
Of course
...

Cheers
 
florianmulatz
newbie
Topic Author
Posts: 42
Joined: Mon Sep 16, 2013 5:02 pm
Location: Klagenfurt am Woerthersee / Austria

Re: Speed drop after update to 7.1stable

Sat Dec 11, 2021 5:12 pm

Did you disable your layer 7 rule as well for your test?
Of course
...
Cheers
Maybe I've time next week to reset the router completely to factory reset and test again.
I'll update you with my results then.

Anyhow - If really a new device is needed - which one would you suggest? RB4011?
Cheers
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Speed drop after update to 7.1stable

Sat Dec 11, 2021 5:30 pm

This doesn’t seem to be a v7 issue as it is happening on both versions (in v6 with route cache off). It must be something config related. Can you post your full config? Also, try disabling the LCD (I recall some people had reduced performance with the LCD on on the RB2011 model), and I saw traffic accounting in your processes list, if you could ensure that is disabled as well.
 
florianmulatz
newbie
Topic Author
Posts: 42
Joined: Mon Sep 16, 2013 5:02 pm
Location: Klagenfurt am Woerthersee / Austria

Re: Speed drop after update to 7.1stable

Sat Dec 11, 2021 6:05 pm

If I had not seen it with my own eyes, I would never have believed that disabling the LCD had any effect. But it did!
With disabled LCD I got ~500Mbit at my first speedtest. Unfortunately it looks like this was a one-time shot. I was not able to reproduce it (even with some JDownloader download tests).
But anyhow I do get more than before. Around ~400 - 450MBit. Maybe there is still something to "tune".

I also

Here is my whole config for reference. I've deleted my firewall address lists (because the firewall was deleted / disabled at this point (I left only the fasttrack rules in place because without them speed dropped to 140MBit)), dhcp-leases and obfuscated my domain-things for privacy reasons.
# dec/11/2021 16:44:04 by RouterOS 7.1
# software id = LVGI-H82J
#
# model = RouterBOARD 3011UiAS
# serial number = B8950BD1D59A
/interface bridge add name=BR_LAN priority=0xF000 vlan-filtering=yes
/interface ethernet set [ find default-name=ether1 ] loop-protect=off name="ether1 - switch-sz"
/interface ethernet set [ find default-name=ether2 ] name="ether2 - switch-wz"
/interface ethernet set [ find default-name=ether3 ] name="ether3 - switch-kg"
/interface ethernet set [ find default-name=ether9 ] name="ether9 - UPC"
/interface ethernet set [ find default-name=ether10 ] name="ether10 - AP-Wohnzimmer"
/interface ethernet set [ find default-name=sfp1 ] name="sfp1 - switch-sk"
/interface vlan add interface=BR_LAN name=VLAN_MGMT vlan-id=10
/interface vrrp add authentication=simple interface=VLAN_MGMT name=VRRP_PIHOLE_DNS on-backup="/ip dns set allow-remote-requests=no\r\
    \n/ip dns set servers=192.168.100.246" on-master="/ip dns set allow-remote-requests=yes\r\
    \n/ip dns set servers=1.1.1.1,9.9.9.9" version=2 vrid=2
/caps-man security add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=wifi
/interface list add name=LIST_WAN
/interface list add name=LIST_LAN
/interface lte apn set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config add name=l2tp-vpn-mode-config static-dns=192.168.100.246 system-dns=no
/ip ipsec profile add dh-group=modp1024 enc-algorithm=aes-256,3des name=l2tp-vpn-peer-profile
/ip ipsec proposal add enc-algorithms=aes-256-cbc,3des name=l2tp-vpn-proposal pfs-group=none
/ip kid-control add fri=6h-20h mon=6h-20h name=Sandro sat=6h-20h sun=6h-20h thu=6h-20h tue=6h-20h wed=6h-20h
/ip pool add comment="Network:   192.168.100.0/27" name=dhcp-lan ranges=192.168.100.1-192.168.100.30
/ip dhcp-server add add-arp=yes address-pool=dhcp-lan interface=VLAN_MGMT name=DHCP-LAN
/port set 0 name=serial0
/routing bgp template set default as=65530 disabled=no name=default output.network=bgp-networks
/routing table add fib name=""
/snmp community add addresses=192.168.100.210/32 encryption-protocol=AES name=phpipam write-access=yes
/system logging action add name=synology remote=192.168.100.251 remote-port=5014 src-address=192.168.100.254 target=remote
/user group set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp,rest-api
/user group add name=prometheus policy=read,winbox,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!test,!password,!web,!sniff,!sensitive,!romon,!dude,!tikapp,!rest-api
/user group add name=homeassistant policy=read,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!romon,!dude,!tikapp,!rest-api
/interface bridge port add bridge=BR_LAN frame-types=admit-only-vlan-tagged ingress-filtering=no interface="sfp1 - switch-sk"
/interface bridge port add bridge=BR_LAN frame-types=admit-only-vlan-tagged interface="ether1 - switch-sz" pvid=10
/interface bridge port add bridge=BR_LAN frame-types=admit-only-untagged-and-priority-tagged interface="ether2 - switch-wz" pvid=10
/interface bridge port add bridge=BR_LAN frame-types=admit-only-untagged-and-priority-tagged interface="ether3 - switch-kg" pvid=10
/interface bridge port add bridge=BR_LAN frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
/interface bridge port add bridge=BR_LAN frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
/interface bridge port add bridge=BR_LAN frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=10
/interface bridge port add bridge=BR_LAN frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=10
/interface bridge port add bridge=BR_LAN frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=10
/interface bridge port add bridge=BR_LAN frame-types=admit-only-untagged-and-priority-tagged interface="ether10 - AP-Wohnzimmer" pvid=10
/ip neighbor discovery-settings set discover-interface-list=all
/ip settings set max-neighbor-entries=8192 rp-filter=loose
/ipv6 settings set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan add bridge=BR_LAN tagged="BR_LAN,sfp1 - switch-sk,ether1 - switch-sz" vlan-ids=10
/interface bridge vlan add bridge=BR_LAN tagged="BR_LAN,sfp1 - switch-sk,ether1 - switch-sz,ether2 - switch-wz" vlan-ids=100
/interface bridge vlan add bridge=BR_LAN tagged="BR_LAN,sfp1 - switch-sk,ether1 - switch-sz,ether2 - switch-wz" vlan-ids=20
/interface bridge vlan add bridge=BR_LAN tagged=BR_LAN,ether8 vlan-ids=30
/interface l2tp-server server set allow-fast-path=yes authentication=mschap2 default-profile=l2tp-vpn-profile enabled=yes max-mru=1460 max-mtu=1460 one-session-per-host=yes use-ipsec=yes
/interface list member add interface="ether9 - UPC" list=LIST_WAN
/interface list member add interface=BR_LAN list=LIST_LAN
/interface list member add interface=VLAN_MGMT list=LIST_LAN
/interface ovpn-server server set auth=sha1 certificate="VPN Server" cipher=aes256 default-profile=ovpn-vpn-profile port=80
/interface sstp-server server set authentication=mschap2 max-mru=1600 max-mtu=1600 mrru=1600 pfs=yes port=55555 tls-version=only-1.2
/ip address add address=192.168.100.254/24 interface=VLAN_MGMT network=192.168.100.0
/ip address add address=192.168.100.246/24 interface=VRRP_PIHOLE_DNS network=192.168.100.0
/ip cloud set ddns-enabled=yes update-time=no
/ip dhcp-client add interface="ether9 - UPC" use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network add address=192.168.100.0/24 dns-server=192.168.100.246 domain=acme.lan gateway=192.168.100.254 netmask=24 ntp-server=192.168.100.210
/ip dhcp-server network add address=192.168.101.0/24 dns-server=192.168.100.246 domain=iot.acme.lan gateway=192.168.101.254 netmask=24 ntp-server=192.168.100.210
/ip dns set allow-remote-requests=no servers=1.1.1.1,9.9.9.9
/ip dns static add address=192.168.100.251 name=home.acme.com ttl=1m
/ip dns static add address=192.168.100.253 name=poseidon.acme.lan ttl=1m
/ip dns static add address=192.168.100.246 name=pihole.acme.lan ttl=1m
/ip dns static add address=192.168.100.252 name=apollon.acme.lan ttl=1m
/ip dns static add address=192.168.100.210 name=ntp.acme.lan
/ip firewall filter add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
/ip firewall nat add action=dst-nat chain=dstnat comment="SSH to zeus 22" dst-port=8080 in-interface-list=LIST_WAN protocol=tcp to-addresses=192.168.100.211 to-ports=22
/ip firewall nat add action=dst-nat chain=dstnat comment=wireguard dst-port=51820 in-interface-list=LIST_WAN protocol=udp to-addresses=192.168.100.210 to-ports=51820
/ip firewall nat add action=dst-nat chain=dstnat dst-port=443 in-interface-list=LIST_WAN protocol=tcp to-addresses=192.168.100.210 to-ports=443
/ip firewall nat add action=dst-nat chain=dstnat comment=temp_rule_for_letsencrypt_do_not_change dst-port=80 in-interface-list=LIST_WAN protocol=tcp to-addresses=192.168.100.210 to-ports=80
/ip firewall nat add action=masquerade chain=srcnat comment="lan --> internet" out-interface-list=LIST_WAN src-address=192.168.100.0/24
/ip firewall service-port set ftp disabled=yes
/ip firewall service-port set tftp disabled=yes
/ip firewall service-port set irc disabled=yes
/ip firewall service-port set h323 disabled=yes
/ip firewall service-port set sip disabled=yes
/ip firewall service-port set pptp disabled=yes
/ip firewall service-port set udplite disabled=yes
/ip firewall service-port set dccp disabled=yes
/ip firewall service-port set sctp disabled=yes
/ip kid-control device add mac-address=7A:E8:FB:1A:E6:0B name="iPad Sandro" user=Sandro
/ip kid-control device add mac-address=40:A2:DB:B4:18:2D name="Sandro FireTV Stick" user=Sandro
/ip proxy set anonymous=yes port=3128
/ip proxy access add src-address=192.168.100.0/24
/ip service set telnet address=192.168.100.0/24 disabled=yes
/ip service set ftp address=192.168.100.0/24 disabled=yes
/ip service set www address=192.168.100.0/24 disabled=yes
/ip service set ssh address=192.168.100.0/24
/ip service set www-ssl address=192.168.100.0/24 certificate=wildcard.acme.lan disabled=no tls-version=only-1.2
/ip service set api address=192.168.100.0/24
/ip service set winbox address=192.168.100.0/24
/ip service set api-ssl address=192.168.100.0/24 certificate=wildcard.acme.lan tls-version=only-1.2
/ip ssh set always-allow-password-login=yes forwarding-enabled=both strong-crypto=yes
/ip traffic-flow set cache-entries=8k
/ip upnp set enabled=yes
/ip upnp interfaces add interface="ether9 - UPC" type=external
/ip upnp interfaces add interface=VLAN_MGMT type=internal
/lcd set backlight-timeout=never default-screen=stats enabled=no read-only-mode=yes time-interval=daily touch-screen=disabled
/lcd interface set "ether1 - switch-sz" disabled=yes
/lcd interface set "ether2 - switch-wz" disabled=yes
/lcd interface set "ether3 - switch-kg" disabled=yes
/lcd interface set ether4 disabled=yes
/lcd interface set ether5 disabled=yes
/lcd interface set "sfp1 - switch-sk" disabled=yes
/lcd interface set ether6 disabled=yes
/lcd interface set ether7 disabled=yes
/lcd interface set ether8 disabled=yes
/lcd interface set "ether10 - AP-Wohnzimmer" disabled=yes
/lcd interface pages set 0 interfaces="ether9 - UPC"
/lcd screen set 1 disabled=yes
/lcd screen set 2 disabled=yes
/lcd screen set 3 disabled=yes
/lcd screen set 4 disabled=yes
/lcd screen set 5 disabled=yes
/ppp profile add change-tcp-mss=yes dns-server=192.168.100.246 local-address=192.168.102.254 name=l2tp-vpn-profile remote-address=*3 use-encryption=required use-mpls=yes
/ppp profile add change-tcp-mss=yes dns-server=192.168.100.246 idle-timeout=30m local-address=192.168.102.254 name=ovpn-vpn-profile only-one=yes remote-address=*3 session-timeout=6h use-compression=no use-encryption=required use-mpls=yes
/ppp secret add name=florian.doe profile=l2tp-vpn-profile
/ppp secret add name=martina.doe profile=l2tp-vpn-profile service=l2tp
/ppp secret add name=florian.doe.ovpn profile=ovpn-vpn-profile service=ovpn
/snmp set contact="Florian Doe" enabled=yes location="Dream Lane 25"
/system clock set time-zone-name=Europe/Vienna
/system clock manual set dst-delta=+01:00 dst-end="oct/27/2019 03:00:00" dst-start="mar/31/2019 02:00:00"
/system identity set name=router-main
/system logging set 0 disabled=yes
/system logging set 1 disabled=yes
/system logging set 2 disabled=yes
/system logging add action=synology topics=interface
/system logging add action=synology topics=error
/system logging add action=synology topics=critical
/system logging add action=synology topics=info
/system ntp client set enabled=yes
/system ntp client servers add address=ntp.acme.lan
/system scheduler add interval=1d name="99_Daily Backup" on-event="Daily Backup" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=aug/28/2014 start-time=04:00:00
/system scheduler add comment="Download spamnaus list" interval=3d name=DownloadSpamhausList on-event=DownloadSpamhaus policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jan/01/1970 start-time=16:38:01
/system scheduler add comment="Apply spamnaus List" interval=3d name=InstallSpamhausList on-event=ReplaceSpamhaus policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jan/01/1970 start-time=16:43:01
/system scheduler add comment="Download dshield list" interval=3d name=DownloadDShieldList on-event=Download_dshield policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jan/01/1970 start-time=16:48:01
/system scheduler add comment="Apply dshield List" interval=3d name=InstallDShieldList on-event=Replace_dshield policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jan/01/1970 start-time=16:53:01
/system scheduler add comment="Download malc0de list" interval=3d name=Downloadmalc0deList on-event=Download_malc0de policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jan/01/1970 start-time=16:48:01
/system scheduler add comment="Apply malc0de List" interval=3d name=Installmalc0deList on-event=Replace_malc0de policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jan/01/1970 start-time=16:53:01
/system scheduler add comment="Download voip-bl list" interval=3d name=Refresh_voip-bl on-event=Download_voip-bl policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jan/01/1970 start-time=16:48:01
/system scheduler add comment="Apply voip-bl List" interval=3d name=Update_voip-bl on-event=Replace_voip-bl policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jan/01/1970 start-time=16:53:01
/system script add dont-require-permissions=no name="Daily Backup" owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/file remove [find type=script]\r\
    \n:log info \"backup beginning now\"\r\
    \n:global backupfile ([/system identity get name] . \"-\" . [/system clock get time])\r\
    \n/export terse file=\$backupfile\r\
    \n:delay 5s\r\
    \n/system backup save name=daily_backup\r\
    \n:log info \"backup pausing for 10s\"\r\
    \n:delay 10s\r\
    \n:log info \"backup being emailed\"\r\
    \n/tool e-mail send to=\"florian@acme.com\" subject=([/system identity get name] . \\\r\
    \n\" Backup\") from=void@acme.com file=\$backupfile body=(\"This is an automated e-mail! Date is \" .\\ ([/system clock get date]).\\ \" time \".\\ ([/system clock get time]))\r\
    \n:log info \"backup finished\""
/system script add dont-require-permissions=no name=DownloadSpamhaus owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
    \n/tool fetch url=\"http://joshaven.com/spamhaus.rsc\" mode=http;\
    \n:log info \"Downloaded spamhaus.rsc from Joshaven.com\";\
    \n"
/system script add dont-require-permissions=no name=ReplaceSpamhaus owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
    \n/ip firewall address-list remove [find where comment=\"SpamHaus\"]\
    \n/import file-name=spamhaus.rsc;\
    \n:log info \"Removed old Spamhaus records and imported new list\";\
    \n"
/system script add dont-require-permissions=no name=Download_dshield owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
    \n/tool fetch url=\"http://joshaven.com/dshield.rsc\" mode=http;\
    \n:log info \"Downloaded dshield.rsc from Joshaven.com\";\
    \n"
/system script add dont-require-permissions=no name=Replace_dshield owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
    \n/ip firewall address-list remove [find where comment=\"DShield\"]\
    \n/import file-name=dshield.rsc;\
    \n:log info \"Removed old dshield records and imported new list\";\
    \n"
/system script add dont-require-permissions=no name=Download_malc0de owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
    \n/tool fetch url=\"http://joshaven.com/malc0de.rsc\" mode=http;\
    \n:log info \"Downloaded malc0de.rsc from Joshaven.com\";\
    \n"
/system script add dont-require-permissions=no name=Replace_malc0de owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
    \n/ip firewall address-list remove [find where comment=\"malc0de\"]\
    \n/import file-name=malc0de.rsc;\
    \n:log info \"Removed old malc0de records and imported new list\";\
    \n"
/system script add dont-require-permissions=no name=Download_voip-bl owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
    \n/tool fetch url=\"http://joshaven.com/voip-bl.rsc\" mode=http;\
    \n:log info \"Downloaded voip-bl.rsc from Joshaven.com\";\
    \n"
/system script add dont-require-permissions=no name=Replace_voip-bl owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
    \n/ip firewall address-list remove [find where comment=\"VoIP BL\"]\
    \n/import file-name=voip-bl.rsc;\
    \n:log info \"Removed old voip-bl records and imported new list\";\
    \n"
/tool bandwidth-server set authenticate=no
/tool e-mail set address=192.168.100.210 from=void@acme.com
/tool graphing interface add
/tool graphing interface add
/tool romon set enabled=yes
/tool sniffer set filter-interface=*12 streaming-enabled=no streaming-server=192.168.100.242
/tool traffic-generator packet-template add data=random header-stack="" name=packet-template1
/tool traffic-generator stream add mbps=200 name=str1 packet-size=1500 tx-template=packet-template1

Cheers
Florian
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Speed drop after update to 7.1stable

Sat Dec 11, 2021 6:22 pm

RB5009 is a better alternative to 4011 in my opinion.
Also bridge vlan filtering on rb3011 is done in software, that also eats CPU.
ipsec even hardware offloaded can eat a few tens of Mbps of throughput.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Speed drop after update to 7.1stable

Sat Dec 11, 2021 8:16 pm

Even aside from the bridge vlan filtering (which I also noticed), that config is fairly complicated. Certainly see if disabling bridge VLAN filtering does anything, but there are many things in there that could potentially impact performance - even kid control as it does additional monitoring of all traffic. Temporarily disabling kid control may also help. It looks like those L2TP/ipsec tunnels are for remote connections to this router, so they are probably not even in use when this testing is happening, I would imagine. You have an anonymous proxy set up as well - is that being used for anything?
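The checks suggested in the replies above, as an added example that is not part of any post in this thread and is not MikroTik tooling: a Python script that parses an `/export terse` dump and reports the features the thread names as CPU-relevant (bridge VLAN filtering, kid control, web proxy, L2TP/IPsec server, a missing fasttrack rule). The function names, finding labels and the sample export are constructed for illustration, and the script assumes the export omits settings left at their default, so a proxy line without `enabled=yes` is treated as switched off.

```python
import shlex

VERBS = {"add", "set"}


def logical_lines(text):
    """Yield export lines with backslash-continued lines merged back together."""
    parts = []
    for raw in text.splitlines():
        piece = raw.strip()
        if piece.endswith("\\"):          # /export wraps long values this way
            parts.append(piece[:-1])
            continue
        line = "".join(parts) + piece
        parts = []
        if line and not line.startswith("#"):
            yield line


def parse_line(line):
    """Split one terse line into (menu path, verb, {key: value}) or None."""
    try:
        tokens = shlex.split(line)        # keeps name="ether1 - x" as one token
    except ValueError:                    # unbalanced quotes: skip, do not guess
        return None
    path, verb, params, depth = [], None, {}, 0
    for tok in tokens:
        if verb is None:
            if tok in VERBS:
                verb = tok
            else:
                path.append(tok)
            continue
        if tok.startswith("["):           # "[ find default-name=... ]" selector
            depth += 1
        if depth == 0 and "=" in tok:
            key, _, value = tok.partition("=")
            params[key] = value
        if tok.endswith("]"):
            depth = max(0, depth - 1)
    if verb is None:
        return None
    return " ".join(path), verb, params


def audit(export_text):
    """Return (label, detail) tuples for the features discussed in the thread."""
    findings, fasttrack = [], False
    for line in logical_lines(export_text):
        parsed = parse_line(line)
        if not parsed:
            continue
        path, verb, p = parsed
        if p.get("disabled") == "yes":    # entry exists but is switched off
            continue
        if path == "/interface bridge" and verb == "add" \
                and p.get("vlan-filtering") == "yes":
            findings.append(("bridge-vlan-filtering", p.get("name", "?")))
        elif path in ("/ip kid-control", "/ip kid-control device") and verb == "add":
            findings.append(("kid-control", p.get("name", "?")))
        elif path == "/ip proxy" and verb == "set" and p.get("enabled") == "yes":
            findings.append(("web-proxy", p.get("port", "?")))
        elif path == "/interface l2tp-server server" and verb == "set" \
                and p.get("enabled") == "yes":
            findings.append(("l2tp-server", "ipsec=" + p.get("use-ipsec", "no")))
        elif path == "/ip firewall filter" and verb == "add" \
                and p.get("action") == "fasttrack-connection":
            fasttrack = True
    if not fasttrack:
        findings.append(("no-fasttrack-rule", "forward"))
    return findings


# Constructed sample, modelled on the export posted earlier in this thread.
SAMPLE = r'''
# constructed excerpt, not a complete router configuration
/interface bridge add name=BR_LAN priority=0xF000 vlan-filtering=yes
/interface vrrp add authentication=simple interface=VLAN_MGMT name=VRRP_PIHOLE_DNS on-backup="/ip dns set allow-remote-requests=no\r\
    \n/ip dns set servers=192.168.100.246" version=2 vrid=2
/ip kid-control add fri=6h-20h mon=6h-20h name=Sandro
/interface l2tp-server server set authentication=mschap2 enabled=yes use-ipsec=yes
/ip firewall filter add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
/ip proxy set anonymous=yes port=3128
'''

if __name__ == "__main__":
    for label, detail in audit(SAMPLE):
        print(f"{label}: {detail}")
```

A fasttrack rule being present in the export says nothing about whether it is matching traffic; the rule counters on the router still have to be checked, as suggested earlier in the thread.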
 
cadillackid
newbie
Posts: 30
Joined: Wed Oct 17, 2007 5:20 pm

Re: Speed drop after update to 7.1stable

Sun Dec 12, 2021 2:27 am

I'm interested to know also which box should supersede the 3011.. I too experienced a serious performance hit when upgrading.. (and changing my VLANs from the "old" way to the "new" bridge way.. not sure if that has any effect?) my LCDs are always disabled.. I had a 2011 which ran terribly slow with LCD so I just always turn it off on any MT device I get.. I have a 4011 in a box I've never even gotten out just because I've been lazy.. is it any better CPU-wise than the 3011?

I tested with real-world internetting and not just speed-test and notice the slow-downs.. my 500 meg connection takes forever to load complex sites.. DNS lookups appear to occur much slower than they did on ROS6, I went back to 6 and am happy again..

so if ROS7.1 causes performance hits in general what is the best machine i can get? I have 6 VLANs and use 4 physical ports.. there are 2 L2TP remotes that tunnel into my MT 24/7 .. firewall is pretty simple other than I do run a DDOS ruleset to catch people trying to spam the web server which sits behind my MT.

do I need a Chateau?

maybe the 5009?

I could use the LTE modem in one of my other routers since I don't need it in my fixed installation.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Speed drop after update to 7.1stable

Sun Dec 12, 2021 2:38 am

> I have a 4011 in a box I've never even gotten out just because I've been lazy.. is it any better CPU-wise than the 3011?
The RB4011 is over three times faster than the RB3011 - there is a huge difference between them. Just plug that in, don't get a new device.
 
florianmulatz
newbie
Topic Author
Posts: 42
Joined: Mon Sep 16, 2013 5:02 pm
Location: Klagenfurt am Woerthersee / Austria

Re: Speed drop after update to 7.1stable

Mon Dec 13, 2021 7:35 am

> Also bridge vlan filtering on rb3011 is done in software, that also eats CPU.
I think there is no alternative, right?
> ipsec even hardware offloaded can eat a few tens of Mbps of throughput.
I did not have IPSec tunnels. All of them were leftovers and were disabled.
> Even aside from the bridge vlan filtering (which I also noticed), that config is fairly complicated. Certainly see if disabling bridge VLAN filtering does anything, but there are many things in there that could potentially impact performance - even kid control as it does additional monitoring of all traffic. Temporarily disabling kid control may also help. It looks like those L2TP/ipsec tunnels are for remote connections to this router, so they are probably not even in use when this testing is happening, I would imagine. You have an anonymous proxy set up as well - is that being used for anything?
I did not see any reasonable difference with disabled VLAN Bridge Filtering. I got 5% less CPU load with disabled KID-Control but not more throughput. The Web-Proxy also was a leftover and was already disabled.

Anyway, I have reset my router to factory settings and configured it again without all these leftovers. I've again put in a new firewall (the advanced one from https://help.mikrotik.com/docs/display/ ... d+Firewall) - it does not really make a reasonable difference if it is enabled or disabled (I think because of the benefit of the RAW-Filters - it takes ~5-7% CPU).
# dec/13/2021 06:31:05 by RouterOS 7.1
# software id = LVGI-H82J
#
# model = RouterBOARD 3011UiAS
# serial number = B8950BD1D59A
/interface bridge add name=BR_LAN priority=0xF000 vlan-filtering=yes
/interface ethernet set [ find default-name=ether1 ] loop-protect=off name="ether1 - switch-sz"
/interface ethernet set [ find default-name=ether2 ] name="ether2 - switch-wz"
/interface ethernet set [ find default-name=ether3 ] name="ether3 - switch-kg"
/interface ethernet set [ find default-name=ether9 ] name="ether9 - UPC"
/interface ethernet set [ find default-name=ether10 ] name="ether10 - AP-Wohnzimmer"
/interface ethernet set [ find default-name=sfp1 ] name="sfp1 - switch-sk"
/interface vlan add interface=BR_LAN name=VLAN_MGMT vlan-id=10
/interface vrrp add authentication=simple interface=VLAN_MGMT name=VRRP_PIHOLE_DNS on-backup="/ip dns set allow-remote-requests=no\r\
    \n/ip dns set servers=192.168.100.246" on-master="/ip dns set allow-remote-requests=yes\r\
    \n/ip dns set servers=1.1.1.1,9.9.9.9" version=2 vrid=2
/interface list add name=LIST_WAN
/interface list add name=LIST_LAN
/interface lte apn set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip pool add comment="Network:   192.168.100.0/27" name=dhcp-lan ranges=192.168.100.1-192.168.100.30
/ip dhcp-server add add-arp=yes address-pool=dhcp-lan interface=VLAN_MGMT name=DHCP-LAN
/port set 0 name=serial0
/snmp community add addresses=192.168.100.210/32 encryption-protocol=AES name=phpipam write-access=yes
/system logging action add name=synology remote=192.168.100.251 remote-port=5014 src-address=192.168.100.254 target=remote
/user group set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp,rest-api
/user group add name=prometheus policy=read,winbox,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!test,!password,!web,!sniff,!sensitive,!romon,!dude,!tikapp,!rest-api
/user group add name=homeassistant policy=read,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!romon,!dude,!tikapp,!rest-api
/interface bridge port add bridge=BR_LAN frame-types=admit-only-vlan-tagged ingress-filtering=no interface="sfp1 - switch-sk"
/interface bridge port add bridge=BR_LAN frame-types=admit-only-vlan-tagged interface="ether1 - switch-sz" pvid=10
/interface bridge port add bridge=BR_LAN frame-types=admit-only-untagged-and-priority-tagged interface="ether2 - switch-wz" pvid=10
/interface bridge port add bridge=BR_LAN frame-types=admit-only-untagged-and-priority-tagged interface="ether3 - switch-kg" pvid=10
/interface bridge port add bridge=BR_LAN frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
/interface bridge port add bridge=BR_LAN frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
/interface bridge port add bridge=BR_LAN frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=10
/interface bridge port add bridge=BR_LAN frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=10
/interface bridge port add bridge=BR_LAN frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=10
/interface bridge port add bridge=BR_LAN frame-types=admit-only-untagged-and-priority-tagged interface="ether10 - AP-Wohnzimmer" pvid=10
/ip neighbor discovery-settings set discover-interface-list=all
/ip settings set max-neighbor-entries=8192 rp-filter=loose
/interface bridge vlan add bridge=BR_LAN tagged="BR_LAN,sfp1 - switch-sk,ether1 - switch-sz" vlan-ids=10
/interface list member add interface="ether9 - UPC" list=LIST_WAN
/interface list member add interface=BR_LAN list=LIST_LAN
/interface list member add interface=VLAN_MGMT list=LIST_LAN
/ip address add address=192.168.100.254/24 interface=VLAN_MGMT network=192.168.100.0
/ip address add address=192.168.100.246/24 interface=VRRP_PIHOLE_DNS network=192.168.100.0
/ip address add address=192.168.100.1/24 disabled=yes interface=BR_LAN network=192.168.100.0
/ip cloud set ddns-enabled=yes update-time=no
/ip dhcp-client add interface="ether9 - UPC" use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease add address=192.168.100.50 mac-address=D8:8F:76:68:1F:A5 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.52 mac-address=BC:E1:43:4A:6C:C9 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.106 mac-address=F0:FE:6B:31:1D:66 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.107 mac-address=F0:FE:6B:31:1D:78 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.63 mac-address=70:EE:50:18:FB:3C server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.64 mac-address=EC:B5:FA:02:8D:5E server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.65 mac-address=00:04:20:F1:EC:C7 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.68 mac-address=68:37:E9:39:93:04 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.69 mac-address=44:00:49:80:A4:88 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.197 mac-address=44:D9:E7:F6:5D:9A server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.203 mac-address=A4:38:CC:8F:68:CE server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.207 mac-address=00:05:CD:AA:7C:6C server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.182 mac-address=00:1E:06:33:E2:9F server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.209 mac-address=B8:27:EB:4B:20:57 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.215 mac-address=A8:E3:EE:C9:0C:15 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.217 mac-address=00:1D:EC:14:56:7B server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.246 mac-address=00:0C:29:5A:C6:61 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.250 mac-address=64:D1:54:C3:01:66 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.242 client-id=1:0:50:56:99:6f:ec mac-address=00:50:56:99:6F:EC server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.70 mac-address=08:12:A5:54:50:76 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.66 client-id=ff:12:34:56:78:0:3:0:6:68:a4:e:e:ca:f0 mac-address=68:A4:0E:0E:CA:F0 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.201 client-id=1:4:e:3c:59:5d:6e mac-address=04:0E:3C:59:5D:6E server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.244 mac-address=00:0C:29:D2:E9:2F server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.67 client-id=1:40:a2:db:b4:18:2d comment="FireTV Stick Sandro" mac-address=40:A2:DB:B4:18:2D server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.241 client-id=1:0:26:b9:7e:4e:d2 mac-address=00:26:B9:7E:4E:D2 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.247 client-id=1:0:7:43:7:23:1c mac-address=00:07:43:07:23:1C server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.57 client-id=1:40:33:1a:45:70:23 mac-address=40:33:1A:45:70:23 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.56 client-id=1:20:e2:a8:5c:1b:32 mac-address=20:E2:A8:5C:1B:32 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.101 mac-address=24:0A:C4:F9:ED:CC server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.100 mac-address=9C:9C:1F:C6:00:DC server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.51 client-id=1:8:f4:ab:34:3e:57 mac-address=08:F4:AB:34:3E:57 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.102 mac-address=2C:3A:E8:3B:77:F5 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.103 mac-address=8C:AA:B5:5D:63:1B server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.104 mac-address=3C:71:BF:22:80:79 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.108 mac-address=3C:61:05:D0:F6:B1 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.59 client-id=1:70:85:c2:b8:ba:c9 mac-address=70:85:C2:B8:BA:C9 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.109 mac-address=8C:AA:B5:7B:24:6C server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.110 mac-address=3C:61:05:D1:00:D5 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.111 mac-address=9C:9C:1F:C4:F9:10 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.112 mac-address=70:03:9F:5D:A8:2F server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.58 client-id=1:da:54:2e:91:20:b9 mac-address=DA:54:2E:91:20:B9 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.71 client-id=1:74:a7:ea:7e:37:2d comment="FireTV Wohnzimmer" mac-address=74:A7:EA:7E:37:2D server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.53 client-id=1:7a:e8:fb:1a:e6:b comment="iPad Sandro" mac-address=7A:E8:FB:1A:E6:0B server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.55 client-id=1:84:b8:b8:60:d7:0 comment="Lenovo Tablet" mac-address=84:B8:B8:60:D7:00 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.248 client-id=1:d4:ca:6d:85:67:c8 mac-address=D4:CA:6D:85:67:C8 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.200 client-id=1:94:53:30:65:c7:7 mac-address=94:53:30:65:C7:07 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.113 mac-address=98:CD:AC:1F:2C:15 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.114 mac-address=C4:5B:BE:6B:B8:5E server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.243 client-id=ff:56:99:92:1:0:4:b0:c7:4d:56:c6:6d:eb:e3:7d:ee:ef:83:7:58:6c:de comment="pihole (non VRRP addr)" mac-address=00:50:56:99:92:01 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.240 client-id=1:0:c:29:e2:ce:ab mac-address=00:0C:29:E2:CE:AB server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.116 mac-address=C4:5B:BE:75:3F:1D server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.115 mac-address=94:3C:C6:C0:59:3C server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.72 mac-address=C8:6C:3D:BB:AA:77 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.239 client-id=ff:b6:22:f:eb:0:2:0:0:ab:11:ae:18:42:b2:a0:77:a0:9c mac-address=00:0C:29:FA:FE:BC server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.60 client-id=1:14:cb:19:c6:e8:3e mac-address=14:CB:19:C6:E8:3E server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.73 client-id=1:70:2e:d9:32:49:de comment="Sandro Fernseher" mac-address=70:2E:D9:32:49:DE server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.74 comment=twinkly_190_icicle_1 mac-address=E8:68:E7:24:49:E0 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.75 comment=twinkly_190_icicle_2 mac-address=10:52:1C:6F:83:CC server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.76 comment=twinkly_105_strings mac-address=84:F3:EB:07:5A:C9 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.77 comment=twinkly_400_strings mac-address=98:F4:AB:3D:94:6C server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.238 client-id=ff:b6:22:f:eb:0:2:0:0:ab:11:54:3:56:e5:28:43:96:c8 mac-address=00:0C:29:1C:9D:37 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.212 client-id=ff:29:5f:63:99:0:1:0:1:29:37:79:73:0:c:29:5f:63:99 mac-address=00:0C:29:5F:63:99 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.180 client-id=1:0:e0:4c:36:1:af mac-address=00:E0:4C:36:01:AF server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.199 client-id=1:4:18:d6:9c:fe:f8 mac-address=04:18:D6:9C:FE:F8 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.198 client-id=1:4:18:d6:9a:67:cb mac-address=04:18:D6:9A:67:CB server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.251 client-id=1:0:c:29:97:b2:b1 mac-address=00:0C:29:97:B2:B1 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.218 client-id=ff:29:35:5f:f5:0:1:0:1:29:3b:7b:17:0:c:29:35:5f:f5 mac-address=00:0C:29:35:5F:F5 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.210 client-id=ff:b6:22:f:eb:0:2:0:0:ab:11:4a:f2:c0:28:4d:be:cd:79 mac-address=00:0C:29:0D:16:8A server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.105 mac-address=9C:9C:1F:C4:F7:74 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.61 client-id=1:64:6e:e0:1e:68:83 mac-address=64:6E:E0:1E:68:83 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.117 mac-address=3C:61:05:CF:DA:94 server=DHCP-LAN
/ip dhcp-server network add address=192.168.100.0/24 dns-server=192.168.100.246 domain=acme.lan gateway=192.168.100.254 netmask=24 ntp-server=192.168.100.210
/ip dns set servers=192.168.100.246
/ip dns static add address=192.168.100.251 name=home.acme.at ttl=1m
/ip dns static add address=192.168.100.253 name=poseidon.acme.lan ttl=1m
/ip dns static add address=192.168.100.246 name=pihole.acme.lan ttl=1m
/ip dns static add address=192.168.100.252 name=apollon.acme.lan ttl=1m
/ip dns static add address=192.168.100.210 name=ntp.acme.lan
/ip firewall filter add action=accept chain=input src-address=192.168.100.0/24
/ip firewall filter add action=accept chain=input comment="accept ICMP after RAW" protocol=icmp
/ip firewall filter add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LIST_LAN
/ip firewall filter add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="Block YouTube on FireTV Sandro" layer7-protocol=*1 src-address=192.168.100.67
/ip firewall filter add action=drop chain=forward comment=" drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=LIST_WAN
/ip firewall filter add action=drop chain=forward comment="drop bad forward IPs" src-address-list=no_forward_ipv4
/ip firewall filter add action=drop chain=forward comment="drop bad forward IPs" dst-address-list=no_forward_ipv4
/ip firewall nat add action=dst-nat chain=dstnat dst-port=3074,27014-27050 in-interface-list=LIST_WAN protocol=tcp to-addresses=192.168.100.59
/ip firewall nat add action=dst-nat chain=dstnat dst-port=3074,3075,3076,3077,3078,3079 in-interface-list=LIST_WAN protocol=udp to-addresses=192.168.100.59
/ip firewall nat add action=dst-nat chain=dstnat comment="SSH to zeus 22" dst-port=8080 in-interface-list=LIST_WAN protocol=tcp to-addresses=192.168.100.211 to-ports=22
/ip firewall nat add action=dst-nat chain=dstnat comment=wireguard dst-port=51820 in-interface-list=LIST_WAN protocol=udp to-addresses=192.168.100.210 to-ports=51820
/ip firewall nat add action=dst-nat chain=dstnat dst-port=443 in-interface-list=LIST_WAN protocol=tcp to-addresses=192.168.100.210 to-ports=443
/ip firewall nat add action=dst-nat chain=dstnat comment=temp_rule_for_letsencrypt_do_not_change dst-port=80 in-interface-list=LIST_WAN protocol=tcp to-addresses=192.168.100.210 to-ports=80
/ip firewall nat add action=masquerade chain=srcnat comment="lan --> internet" out-interface-list=LIST_WAN src-address=192.168.100.0/24
/ip firewall raw add action=drop chain=prerouting in-interface-list=LIST_WAN src-address-list=blacklist
/ip firewall raw add action=accept chain=prerouting comment="accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=LIST_LAN protocol=udp src-address=0.0.0.0 src-port=68
/ip firewall raw add action=drop chain=prerouting comment="drop bogon IP's" src-address-list=bad_ipv4
/ip firewall raw add action=drop chain=prerouting comment="drop bogon IP's" dst-address-list=bad_ipv4
/ip firewall raw add action=drop chain=prerouting comment="drop bogon IP's" src-address-list=bad_src_ipv4
/ip firewall raw add action=drop chain=prerouting comment="drop bogon IP's" dst-address-list=bad_dst_ipv4
/ip firewall raw add action=drop chain=prerouting comment="drop non global from WAN" in-interface-list=LIST_WAN src-address-list=not_global_ipv4
/ip firewall raw add action=drop chain=prerouting comment="drop forward to local lan from WAN" dst-address=192.168.100.0/24 in-interface-list=LIST_WAN
/ip firewall raw add action=drop chain=prerouting comment="drop local if not from default IP range" in-interface-list=LIST_LAN src-address=!192.168.100.0/24
/ip firewall raw add action=drop chain=prerouting comment="drop bad UDP" port=0 protocol=udp
/ip firewall raw add action=jump chain=prerouting comment="jump to ICMP chain" jump-target=icmp4 protocol=icmp
/ip firewall raw add action=jump chain=prerouting comment="jump to TCP chain" jump-target=bad_tcp protocol=tcp
/ip firewall raw add action=accept chain=prerouting comment="accept everything else from LAN" in-interface-list=LIST_LAN
/ip firewall raw add action=accept chain=prerouting comment="accept everything else from WAN" in-interface-list=LIST_WAN
/ip firewall raw add action=drop chain=prerouting comment="drop the rest"
/ip firewall raw add action=drop chain=bad_tcp comment="TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
/ip firewall raw add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
/ip firewall raw add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
/ip firewall raw add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
/ip firewall raw add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
/ip firewall raw add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
/ip firewall raw add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
/ip firewall raw add action=drop chain=bad_tcp comment="TCP port 0 drop" port=0 protocol=tcp
/ip firewall raw add action=accept chain=icmp4 comment="echo reply" icmp-options=0:0 limit=5,10:packet protocol=icmp
/ip firewall raw add action=accept chain=icmp4 comment="net unreachable" icmp-options=3:0 protocol=icmp
/ip firewall raw add action=accept chain=icmp4 comment="host unreachable" icmp-options=3:1 protocol=icmp
/ip firewall raw add action=accept chain=icmp4 comment="protocol unreachable" icmp-options=3:2 protocol=icmp
/ip firewall raw add action=accept chain=icmp4 comment="port unreachable" icmp-options=3:3 protocol=icmp
/ip firewall raw add action=accept chain=icmp4 comment="fragmentation needed" icmp-options=3:4 protocol=icmp
/ip firewall raw add action=accept chain=icmp4 comment=echo icmp-options=8:0 limit=5,10:packet protocol=icmp
/ip firewall raw add action=accept chain=icmp4 comment="time exceeded " icmp-options=11:0-255 protocol=icmp
/ip firewall raw add action=drop chain=icmp4 comment="drop other icmp" protocol=icmp
/ip firewall service-port set ftp disabled=yes
/ip firewall service-port set tftp disabled=yes
/ip firewall service-port set irc disabled=yes
/ip firewall service-port set h323 disabled=yes
/ip firewall service-port set sip disabled=yes
/ip firewall service-port set pptp disabled=yes
/ip firewall service-port set udplite disabled=yes
/ip firewall service-port set dccp disabled=yes
/ip firewall service-port set sctp disabled=yes
/ip service set telnet address=192.168.100.0/24 disabled=yes
/ip service set ftp address=192.168.100.0/24 disabled=yes
/ip service set www address=192.168.100.0/24 disabled=yes
/ip service set ssh address=192.168.100.0/24
/ip service set api address=192.168.100.0/24
/ip service set winbox address=192.168.100.0/24
/ip smb users add name=guest
/ip ssh set always-allow-password-login=yes forwarding-enabled=both strong-crypto=yes
/ip upnp set enabled=yes
/ip upnp interfaces add interface="ether9 - UPC" type=external
/ip upnp interfaces add interface=VLAN_MGMT type=internal
/lcd set enabled=no
/system clock set time-zone-name=Europe/Vienna
/system clock manual set dst-delta=+01:00 dst-end="oct/27/2019 03:00:00" dst-start="mar/31/2019 02:00:00"
/system identity set name=router-main
/system logging set 0 disabled=yes
/system logging set 1 disabled=yes
/system logging set 2 disabled=yes
/system logging add action=synology topics=interface
/system logging add action=synology topics=error
/system logging add action=synology topics=critical
/system logging add action=synology topics=info
/system ntp client set enabled=yes
/system ntp client servers add address=0.at.pool.ntp.org
/system ntp client servers add address=1.at.pool.ntp.org
/system ntp client servers add address=2.at.pool.ntp.org
/system scheduler add interval=1d name="99_Daily Backup" on-event="Daily Backup" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=aug/28/2014 start-time=04:00:00
/system script add dont-require-permissions=no name="Daily Backup" owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/file remove [find type=script]\r\
    \n:log info \"backup beginning now\"\r\
    \n:global backupfile ([/system identity get name] . \"-\" . [/system clock get time])\r\
    \n/export terse file=\$backupfile\r\
    \n:delay 5s\r\
    \n/system backup save name=daily_backup\r\
    \n:log info \"backup pausing for 10s\"\r\
    \n:delay 10s\r\
    \n:log info \"backup being emailed\"\r\
    \n/tool e-mail send to=\"florian@acme.at\" subject=([/system identity get name] . \\\r\
    \n\" Backup\") from=void@acme.at file=\$backupfile body=(\"This is an automated e-mail! Date is \" .\\ ([/system clock get date]).\\ \" time \".\\ ([/system clock get time]))\r\
    \n:log info \"backup finished\""
/tool e-mail set address=mail.acme.lan from=void@acme.at port=587
It looks like I really need a new router ... huh?

Cheers
 
jookraw
Member Candidate
Posts: 143
Joined: Mon Aug 19, 2019 3:06 pm

Re: Speed drop after update to 7.1stable

Mon Dec 13, 2021 11:29 am

My RB4011, when using bridge-vlan-filtering enabled, gets only 600-700 Mbps LAN-WAN; my RB5009 gets a bit better, 850-900 Mbps.
I use PPPoE over VLAN as WAN, and when I enable bridge filtering I lose fasttrack and fast path towards the PPPoE WAN.

I think that MikroTik failed to inform people about this, and keeps saying that the "Route Cache" is the reason, but it is not just that. For me, the release of 7.1 is rushed and unfinished, with bugs introduced in the last RCs being ignored and finding their way into the "stable".
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Speed drop after update to 7.1stable

Mon Dec 13, 2021 4:08 pm

My RB4011, when using bridge-vlan-filtering enabled, gets only 600-700 Mbps LAN-WAN; my RB5009 gets a bit better, 850-900 Mbps.
I use PPPoE over VLAN as WAN, and when I enable bridge filtering I lose fasttrack and fast path towards the PPPoE WAN.
If you disable hardware offload for all bridge ports, fast track should continue to work with bridge vlan filtering and the rate will likely increase.
 
florianmulatz
newbie
Topic Author
Posts: 42
Joined: Mon Sep 16, 2013 5:02 pm
Location: Klagenfurt am Woerthersee / Austria

Re: Speed drop after update to 7.1stable  [SOLVED]

Tue Dec 14, 2021 8:56 am

My RB4011, when using bridge-vlan-filtering enabled, gets only 600-700 Mbps LAN-WAN; my RB5009 gets a bit better, 850-900 Mbps.
I use PPPoE over VLAN as WAN, and when I enable bridge filtering I lose fasttrack and fast path towards the PPPoE WAN.

I think that MikroTik failed to inform people about this, and keeps saying that the "Route Cache" is the reason, but it is not just that. For me, the release of 7.1 is rushed and unfinished, with bugs introduced in the last RCs being ignored and finding their way into the "stable".
So I set up my MikroTik now without bridge-vlan-filtering (completely new). I don't know what the thing was before (as I already tested it without bridge-vlan-filtering (at least I thought so)).
Now I do get my full speed with 7.1 as well. No need for a new device!!

Conclusion: Bridge-VLAN Filtering was the real bad boy!

Thx for all of your help!
 
memelchenkov
Member Candidate
Member Candidate
Joined: Sun Oct 11, 2020 12:00 pm

Re: Speed drop after update to 7.1stable

Wed Dec 15, 2021 2:13 am

Bridge filtering and bridge IP firewall do not work as expected. It’s better to avoid them until they are fixed.
 
raimondsp
MikroTik Support
Posts: 267
Joined: Mon Apr 27, 2020 10:14 am

Re: Speed drop after update to 7.1stable

Wed Dec 15, 2021 9:37 am

Currently, a bridge with vlan-filtering=yes does not support FastTrack (both in v6, v7). The feature is in development.
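
The limitation stated in the post above can be checked offline against a configuration export. The following is an added example, not part of the original thread and not MikroTik tooling: a Python script that parses `/export terse` lines and flags an enabled `fasttrack-connection` rule that coexists with a bridge set to `vlan-filtering=yes`. The sample export (including both bridge lines) and the function names `parse_terse` and `fasttrack_conflicts` are constructed for illustration.

```python
import shlex

# Constructed sample in the `/export terse` style used in this thread.
# The two bridge lines are assumptions; the firewall lines mirror the post.
SAMPLE_EXPORT = '''\
/interface bridge add name=bridge-lan vlan-filtering=yes
/interface bridge add name=bridge-guest
/ip firewall filter add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="drop invalid" connection-state=invalid
'''


def parse_terse(text):
    """Return (menu path, verb, params) for each one-line add/set command."""
    entries = []
    for line in text.splitlines():
        if not line.startswith("/"):
            continue  # blank lines and script continuation lines
        try:
            tokens = shlex.split(line)
        except ValueError:
            continue  # multi-line script source leaves a quote open
        verb_at = next((i for i, t in enumerate(tokens) if t in ("add", "set")), None)
        if verb_at is None:
            continue
        params = dict(t.split("=", 1) for t in tokens[verb_at + 1:] if "=" in t)
        entries.append((" ".join(tokens[:verb_at]), tokens[verb_at], params))
    return entries


def fasttrack_conflicts(text):
    """Flag FastTrack rules that coexist with a vlan-filtering=yes bridge."""
    entries = parse_terse(text)
    bridges = [p.get("name", "?") for path, verb, p in entries
               if path == "/interface bridge" and p.get("vlan-filtering") == "yes"]
    rules = [p for path, verb, p in entries
             if path == "/ip firewall filter"
             and p.get("action") == "fasttrack-connection"
             and p.get("disabled") != "yes"]
    return {"vlan_filtering_bridges": bridges,
            "fasttrack_rules": len(rules),
            "conflict": bool(bridges and rules)}


if __name__ == "__main__":
    print(fasttrack_conflicts(SAMPLE_EXPORT))
```

A reported conflict means the FastTrack rule is configured but, per the support statement above, traffic crossing that bridge would not be fasttracked, so CPU load during a speed test is the symptom to expect.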
 
florianmulatz
newbie
Topic Author
Posts: 42
Joined: Mon Sep 16, 2013 5:02 pm
Location: Klagenfurt am Woerthersee / Austria

Re: Speed drop after update to 7.1stable

Wed Dec 15, 2021 9:38 am

Currently, a bridge with vlan-filtering=yes does not support FastTrack (both in v6, v7). The feature is in development.
This would be good information for the release notes. :)

Cheers
