MDZT
just joined
Topic Author
Posts: 16
Joined: Tue Jun 28, 2022 3:16 pm

RB2011UiAS network performance

Wed Jun 29, 2022 9:06 am

Hello to all,
I just got this router to test as a replacement for ZYXEL, with which I have worked for 25 years.
I have a fiber link (Ping 2ms/947Mbps downstream/575Mbps upstream).
My first test is in simple switch mode, and the results are pitiful (Ping 2ms/94Mbps down/94Mbps up).
ZYXEL, via a USG60W, has mediocre performance for its price but still exceeds 100Mbps up and down.
I would like to understand how this is possible, as nowadays the needs are more and more important.
Thank you for your opinions and feedback,
Sincerely
 
MDZT
just joined
Topic Author
Posts: 16
Joined: Tue Jun 28, 2022 3:16 pm

Re: RB2011UiAS network performance

Wed Jun 29, 2022 9:46 am

I have some news about my performance problem:
it seems that the performance limitation is only between the two switch CPUs.
The idea that comes to mind is to make an external physical link between its two switches (losing two ports, and not a clean installation).
 
tangent
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm

Re: RB2011UiAS network performance

Wed Jun 29, 2022 10:05 am

It looks like you've been surprised by a documented feature of the device: five of the RJ45 ports are gigabit, and five are 100 Mbit/sec. (The one SFP port is also on the gigabit side.)

Move the modem to the gigabit side, and you should get better performance.

Meanwhile, realize that the RB2011 is quite old tech. I suppose it's still sold because it fills a gap in the product line, but I wouldn't be using it in any application where you expect gigabit routing. Gigabit switching, sure, among that 5-port group, but routing? No.

For contrast, it's got a slower CPU even than the current lineup of CRS3xx switches.
 
MDZT
just joined
Topic Author
Posts: 16
Joined: Tue Jun 28, 2022 3:16 pm

Re: RB2011UiAS network performance

Wed Jun 29, 2022 11:15 am

Thank you Tangent,
This equipment was recommended to me by my distributor according to my crystals and material availability.
My needs are 90% the routing of a fiber internet link and a GPRS backup.
With all the security that comes with it (Network SME SMI).
Cash register, banking terminals of cashing and others.
What range or reference would you advise me?
 
tangent
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm

Re: RB2011UiAS network performance

Wed Jun 29, 2022 1:16 pm

according to my crystals

Please tell me there's a language barrier problem here, and that you are not literally consulting crystals in order to make IT product decisions.

Network SME SMI

Is SME a Subject Matter Expert in Small-to-Medium Enterprises focused on Storage Medium Encryption of Short Message Entities?

Is SMI the Structure of Management Information definition for Social Media Information using Standard Message Identifiers?

Define your terms!

Cash register, banking terminals of cashing and others.

You're in a banking business and you've cheaped out on the border router? What else are you penny-pinching?

What range or reference would you advise me?

The next router up the line from the RB2011 is the RB3011, which solves the 100 Mbit/sec part of the problem, but it still splits half the ports between two switch chips, which can cause bottlenecks in some network designs. It offers a dual-core ARM processor, each core of which is over twice as fast as the single core in the RB2011, so it'll have a far better chance of achieving gigabit-class routing. (It depends on the complexity of your configuration: how many firewall rules, how many queues, how many VPN connections…) However, it's still rather old tech, so I cannot recommend it.

Next up is the RB4011, which has the same dual switch chip design. Since it redoubles the number of CPU cores to 4, it's even more likely to suit your needs. It also exchanges the single 1G SFP port on the 3011 for a 10G SFP+ port, which is great for running back to a CRS3xx class device as a core switch.

The pinnacle of the RB line — the RB5009 — is kind of a "lightweight" CCR. It solves its predecessors' dual switch chip problem, and it has a number of other nice improvements besides. It's nominally the same price as the RB4011, but with today's supply chain problems, one or the other may be cheaper and more available where you are, which may override these considerations.

Separating switching from routing is often useful, especially at the low end. The ideal of having both functions in a single device is a nice dream, but inherently problematic when you aren't willing to throw enough CPU power at the problem. In MikroTik land, you can step up to the CCR2004-16G to get gigabit-class switching of more than a few ports plus gigabit-class routing in a single device. I'm not trying to talk you into it. Rather, I'm pointing out that fanning LAN load out onto a CRS3xx class device is cheaper than trying to pack everything into a single box.

You might be talking yourself into these 10-port routers because you have more than the 4-5 endpoint devices that normal routers support, and you're trying to get everything connected to a single box. What might end up working better for less money, though, is taking a solid 4-5 port router (e.g. a hEX S, capable of doing gigabit-class routing within limited circumstances) and fanning that out to a CSS610 to keep LAN-only load off the router. As a bonus, now you get two 10G ports, such as for an on-premises server and a NAS.

That option relegates you to SwOS on the switching side, so maybe instead you'd want to step up to a CRS326-24G to get RouterOS even though you don't need 24 gigabit ports, since that's likely to have a cheaper street price than the new CRS310, and that's before you even consider all the SFP modules you need to populate a CRS310.

As you can see, there are many possible paths.

And we didn't even have to cast a horoscope to identify them.
 
chechito
Forum Guru
Posts: 2990
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: RB2011UiAS network performance

Wed Jun 29, 2022 6:41 pm

Remember, the RB2011 is almost 10 years old, and at that time it was not a flagship, so don't expect too much performance.
 
MDZT
just joined
Topic Author
Posts: 16
Joined: Tue Jun 28, 2022 3:16 pm

Re: RB2011UiAS network performance

Thu Jun 30, 2022 8:17 am

Hello,
It is indeed the language barrier and automatic translators.
I work in the sector of small and medium-sized companies "PME in French" bars, restaurants and discotheques.
I reassure you, I do not consult crystals... for any decision making, LOL.
I don't especially try to group functions, even if I often have limitations of physical space.
Currently, my clients have:
- a router or fiber modem (in bridge mode)
- a backup access in ADSL or 4G
- a ZYXEL router, type USGxxx
- a switch, type HP ProCurve
My partnership with ZYXEL is becoming complex; the quality/performance/price ratio is becoming unacceptable, hence my purchase of MikroTik for testing and workshop evaluation.
My current needs are simple:
- Redundancy (fast) of internet access
- Security against external attacks (type DDOS, intrusion....)
Thereafter, in order to improve and make their networks more reliable, I plan:
- Prioritization of flows
- Remote supervision
- Management of public WIFI (European standard, SYSLOG....)
Cordially
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: RB2011UiAS network performance

Thu Jun 30, 2022 10:15 am

Probably, instead of deeply using crystals to translate, it is better to use Google Translate...
 
tangent
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm

Re: RB2011UiAS network performance

Thu Jun 30, 2022 12:30 pm

I work in the sector of small and medium-sized companies "PME in French" bars, restaurants and discotheques.

Okay, that explains "SME." I still want to know what you meant by "SMI," though. Were you referring to the elemental core of SNMP, or to something else?

A switch type HP procurve

They had a wide range of products before they spun that business off to Aruba, but they're roughly equivalent to MikroTik's current SwOS line. Offloading LAN traffic from the router to a ProCurve switch has the same value as what I proposed above, as long as it gets you the features you need.

Contrast RouterOS based switches, which outclass the low end of the ProCurve line, at least, and much of what later became Aruba besides. Aruba's got a top end that runs past RouterOS in some ways, but I don't suppose that's of much interest to you, based on your prior replies.

Redundancy (fast) of internet access

There are a number of ways to do that in RouterOS. Here's one, from the docs.

Security against external attacks (type DDOS)

DDoS mitigation requires having a bigger pipe than your attacker while the attack is in progress. Almost by definition, your single endpoint cannot ever achieve that requirement. Any product or service that claims it can achieve DDoS mitigation at the endpoint is a scam.

You need something like CloudFlare's DDoS Protection to have any hope of surviving a concerted DDoS attack. They've got bigger pipes than just about everyone, allowing them to share the load of temporary DDoS attacks among a large pool of potential victims. The attackers can't take all of them down at once, so in the main, every one of their clients is protected.

intrusion....

RouterOS provides a solid firewall. The only variable is whether you're capable of configuring it securely.

RouterOS is not an IDS, and it's a poor content filter even in the best case. If you want those things, you need to get them elsewhere.

Prioritization of flows

RouterOS's strongest tool for that is its queueing feature set. There are other methods for QoS and such, but they depend on your ISP to obey them, which is a terrible bet in today's laissez-faire Internet. ISPs that get paid by the byte have terrible incentives to choke back flows to "reasonable" levels. Their incentive is for you to clog your link with indiscriminate traffic, then buy a bigger pipe.

Unlike DDoS protection, this is something best done on-premises.

Remote supervision

RouterOS has fairly strong SSH support; far better than your average dusty ProCurve switch, at any rate. Couple that with something like fail2ban monitoring, and I think it's as close to bulletproof as is practical, as long as you hold up your end and use reasonable passwords and such.

If you need stronger protection for your remote monitoring links than that, RouterOS supports a whole raft full of VPN protocols, some of which are arguably more secure than an SSH tunnel.

SYSLOG....

There's built-in logging, but I think it's better to set up remote logging. I've got a guide for setting this up on RouterOS.
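Since tangent's linked guide did not survive extraction, here is an added RouterOS example (not from the thread, and not tangent's own configuration) that covers the "remote supervision" and "SYSLOG" points together: log shipping to an off-device collector, management services restricted to the LAN, and the well-known address-list staging pattern that does on-router what fail2ban does on a host. The collector address 10.0.0.50, the router's LAN address 10.0.0.254 and the management subnet 10.0.0.0/24 are assumptions.

```routeros
# Added example: remote syslog + management-plane hardening for RouterOS.
# Assumptions: syslog collector (e.g. the LibreNMS box) at 10.0.0.50 (placeholder),
# router LAN address 10.0.0.254, administration only from 10.0.0.0/24.

# --- Remote syslog over UDP/514 in BSD (RFC 3164) format ---
/system logging action
add name=remote-syslog target=remote remote=10.0.0.50 remote-port=514 \
    src-address=10.0.0.254 bsd-syslog=yes syslog-facility=local0
/system logging
# Ship the general topics plus the two that matter most for a security review:
# firewall (rules with log=yes) and account (logins, failed logins).
add topics=info action=remote-syslog
add topics=warning action=remote-syslog
add topics=error action=remote-syslog
add topics=critical action=remote-syslog
add topics=firewall action=remote-syslog
add topics=account action=remote-syslog

# --- Management services: only what is used, only from the LAN ---
/ip service
disable telnet,ftp,www,api,api-ssl
set ssh address=10.0.0.0/24 port=22
set winbox address=10.0.0.0/24
/ip ssh
set strong-crypto=yes allow-none-crypto=no forwarding-enabled=no

# --- fail2ban-style SSH brute-force staging in the input chain ---
# Order matters: these must sit above any rule that accepts input from the LAN.
/ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist \
    action=drop comment="drop hosts that reached the blacklist"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=10d
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_stage3 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m
```

The staging rules are non-terminating, so a source that opens four new SSH connections within a minute climbs stage1 → stage2 → stage3 → blacklist and is then dropped for ten days; legitimate administrators who connect once and stay connected never leave stage1. Because the drop rule is first, the cost per blacklisted packet is one address-list lookup, which matters on a CPU as small as the RB2011's.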
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: RB2011UiAS network performance

Thu Jun 30, 2022 12:40 pm

While in general it is certainly possible to do what you want there with MikroTik routers, you should certainly know (and likely have realized by now) that MikroTik and ZyXEL equipment really aren't comparable.
ZyXEL, like Draytek and others, is more in the range of ready-made appliances with easy configuration. Things like "put checkmark here for DDoS protection". It is not clear what that really does (besides providing peace of mind).
MikroTik is more like a "router toolbox". It is a management interface on top of a Linux system, which provides many low-level functions that normally are configured in dozens of different configuration files, all with a different syntax. MikroTik brings that together in a single interface.
However, it still remains a toolbox. There is no "prevent DDoS" checkbox. You would need to think about what you want to do to achieve that, and then apply configuration like firewall rules. This requires understanding at a much lower level than those other boxes.

As mentioned above, RB2011 is an old design (it was released in 2011) and it should not be used for such new deployments anymore. As MikroTik uses the same software on all devices, it still provides the same functionality as another type, so you can indeed use it for evaluation of the usability, but not for evaluation of the performance.
 
MDZT
just joined
Topic Author
Posts: 16
Joined: Tue Jun 28, 2022 3:16 pm

Re: RB2011UiAS network performance

Thu Jun 30, 2022 5:12 pm

Thank you very much to both contributors to this thread, whose answers are very professional and clear.
On the hardware side, I have duly noted my error of choice, driven by my reseller.

On the subject of protection, I have a little knowledge of Linux (Ubuntu/Red Hat/Debian/CentOS) and iptables; despite that, I think I still have a lot of work to do to get an acceptable (and personally desired) level of security.
For the moment, on my current routers, the rules are:
-WAN to LAN all reject except for specific ports reduced to the public IP ranges of local ISPs.
-LAN to WAN all accept
- other reject or drop

About SMI: nothing to do with IT, another mistranslation ("PMI", small and medium industry), service sector.

As for switches, my choice of management functions concerns the monitoring of wired links (quality of cables, connectors, and connected network cards); 80% of my troubleshooting interventions concern these links (tropical climate), oxidized connector, cut cable, defective, crushed ...
Many of my customers have cabling that is out of category; I am often forced to force some links to low speed, 100Mb or in extreme cases 10Mb.
One of my benchmarks is the monitoring of lost packets.

The real needs of my customers are:
- Linking local cash register client / internet server
- Linking credit card bank terminals / internet server
- Linking various web (customers of the establishment and internal need) / web server

These are networks without great complexity, but in operation the availability of Internet access is paramount (cash register and terminals).

Best regards and thanks again
 
MDZT
just joined
Topic Author
Posts: 16
Joined: Tue Jun 28, 2022 3:16 pm

Re: RB2011UiAS network performance

Thu Jun 30, 2022 5:24 pm

Last detail,
regarding SNMP monitoring, I use a low-cost solution with added value:
Raspberry and LibreNMS. It meets my current needs; not expensive, not cumbersome in a patch bay.
 
tangent
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm

Re: RB2011UiAS network performance

Thu Jun 30, 2022 5:48 pm

-WAN to LAN all reject except for specific ports reduced to the public IP ranges of local ISPs.
-LAN to WAN all accept
- other reject or drop

If you take the "except for" bit off, that's approximately what the default configuration for MikroTik's router-class devices does. They add some more rules that have been found to be wise over time, but that's the gist.

Adding the exception you have is trivial for one who knows what they're doing. Those that do not may end up opening themselves up to unwanted connections.

If you post your firewall configuration, there's a fair chance someone here will volunteer to audit it for you, gratis. No guarantee, but if you're kind and professional, you can expect to receive reciprocal treatment.

(And if not, I'll be happy to shout the churl down on your behalf. :) )

(tropical climate), oxidized connector, cut cable, defective, crushed ...

You may get a lot of use out of RouterOS's netwatch and SNMP features, coupled with scripting. You might also find use for its REST API.

Linking various web (customers of the establishment and internal need) / web server

One trick your current system might not support is separating customer traffic from business traffic. RouterOS makes that fairly easy with VLANs, subnets, and routing rules, with firewalls between. It takes work, but you can set up a design where customer traffic is only allowed to go out to the Internet, not toward any internal hosts, for example. That can keep a compromised customer computer from infecting your PoS terminals, among other things.

Raspberry and LibreNMS

If you meant "Raspberry Pi," RouterOS now has Docker container support, which may be able to run that on-device. It depends on how big a router you get, among other things.

Off-device monitoring sounds like a better idea to me, though, since if the router dies, who's left living to report it?

On the other hand, if the router dies, how does LibreNMS report the problem? Presumably this system is more useful for tracking the development of intermittent problems, before the link dies completely, so on-device monitoring might be suitable.
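As an added example (not part of the thread and not MDZT's or tangent's configuration), the firewall below expresses the three rules MDZT listed ("WAN to LAN reject except specific ports from the ISP ranges", "LAN to WAN accept", "other drop") together with the customer/business separation tangent describes above. Assumed: the interface lists WAN-ISP and LAN from MDZT's export, 10.0.0.0/24 on Bridge-Gb as the business LAN, 10.0.10.0/24 on Bridge-Mb as the customer network, a cash-register host at 10.0.0.20 publishing TCP/8443, and the documentation prefixes 203.0.113.0/24 and 198.51.100.0/24 standing in for the local ISP ranges.

```routeros
# Added example: RouterOS filter implementing MDZT's policy plus guest isolation.
# Placeholders: ISP ranges 203.0.113.0/24, 198.51.100.0/24; published host 10.0.0.20:8443.

# Both bridges count as "inside" for the LAN->WAN rule; the address lists below
# still keep the two inside networks apart.
/interface list member
add interface=Bridge-Gb list=LAN
add interface=Bridge-Mb list=LAN

/ip firewall address-list
add list=isp-ranges address=203.0.113.0/24 comment="local ISP public range (placeholder)"
add list=isp-ranges address=198.51.100.0/24 comment="local ISP public range (placeholder)"
add list=business-lan address=10.0.0.0/24 comment="PoS, back office"
add list=customer-lan address=10.0.10.0/24 comment="customer Wi-Fi / guests"

/ip firewall filter
# --- input: traffic to the router itself ---
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=accept
add chain=input in-interface=Bridge-Gb action=accept comment="management from business LAN"
add chain=input in-interface=Bridge-Mb protocol=udp dst-port=53,67 action=accept \
    comment="customers get DHCP and DNS from the router, nothing else"
add chain=input action=drop comment="default deny to the router"

# --- forward: traffic through the router ---
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# Customer network may not initiate anything toward business hosts, or vice versa,
# so a compromised customer laptop cannot reach the PoS terminals.
add chain=forward src-address-list=customer-lan dst-address-list=business-lan \
    action=drop log=yes log-prefix="guest->business" comment="isolate customers"
add chain=forward src-address-list=business-lan dst-address-list=customer-lan action=drop
# LAN to WAN: all accept
add chain=forward in-interface-list=LAN out-interface-list=WAN-ISP action=accept
# WAN to LAN: only the one published service, only from the ISP ranges, only via dst-nat
add chain=forward in-interface-list=WAN-ISP connection-nat-state=dstnat \
    src-address-list=isp-ranges protocol=tcp dst-address=10.0.0.20 dst-port=8443 \
    action=accept comment="published cash-register service"
add chain=forward in-interface-list=WAN-ISP action=drop log=yes log-prefix="wan-drop" \
    comment="WAN to LAN default deny"
add chain=forward action=drop comment="other: drop"

# Port-forward (tangent's alternative to a DMZ): the filter above only admits
# what this rule has already translated.
/ip firewall nat
add chain=dstnat in-interface-list=WAN-ISP src-address-list=isp-ranges protocol=tcp \
    dst-port=8443 action=dst-nat to-addresses=10.0.0.20 to-ports=8443
```

The `connection-nat-state=dstnat` match is what makes "except for specific ports" safe: the exception admits only connections the dst-nat rule has already rewritten to the intended host, so widening the address list later cannot accidentally expose other inside hosts. The two logged drop rules feed the remote syslog so that blocked attempts show up in LibreNMS rather than only in the router's memory buffer.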
 
MDZT
just joined
Topic Author
Posts: 16
Joined: Tue Jun 28, 2022 3:16 pm

Re: RB2011UiAS network performance

Sat Jul 02, 2022 8:42 am

Hello Tangent and the others,
I didn't have much time to read everything and make progress on the subject, research and development not being what I live from directly.
I did make some progress on my tests, except for the performance test.
Here is my current configuration:
My cellular link is at less than 100Mbps provided by a Mikrotik RBLDFR LTE, so I use the router's POE 10 port.
I do not use BONDING but simply two prioritized routes (Fiber 1 / Cellular 2).
And two Bridge Switches (1 Gbps & 1 Mbps), ports 2 to 5 for the LAN and 6 to 9 for the DMZ.
This weekend I'm attacking the firewall, which is not configured yet.
Sincerely
# model = RB2011UiAS
/interface bridge
add name=Bridge-Gb
add name=Bridge-Mb
/interface ethernet
set [ find default-name=ether1 ] name=ETH01-Fiber rx-flow-control=auto \
    tx-flow-control=auto
set [ find default-name=ether2 ] name=ETH02-Gb rx-flow-control=auto \
    tx-flow-control=auto
set [ find default-name=ether3 ] name=ETH03-Gb rx-flow-control=auto \
    tx-flow-control=auto
set [ find default-name=ether4 ] name=ETH04-Gb rx-flow-control=auto \
    tx-flow-control=auto
set [ find default-name=ether5 ] name=ETH05-Gb rx-flow-control=auto \
    tx-flow-control=auto
set [ find default-name=ether6 ] name=ETH06-Mb rx-flow-control=auto \
    tx-flow-control=auto
set [ find default-name=ether7 ] name=ETH07-Mb rx-flow-control=auto \
    tx-flow-control=auto
set [ find default-name=ether8 ] name=ETH08-Mb rx-flow-control=auto \
    tx-flow-control=auto
set [ find default-name=ether9 ] name=ETH09-Mb rx-flow-control=auto \
    tx-flow-control=auto
set [ find default-name=ether10 ] name=ETH10-Cellular power-cycle-ping-address=\
    8.8.8.8 power-cycle-ping-enabled=yes power-cycle-ping-timeout=2m \
    rx-flow-control=auto tx-flow-control=auto
set [ find default-name=sfp1 ] disabled=yes
/interface list
add include=all name=WAN-ISP
add name=LAN
add name=DMZ
add exclude=DMZ,LAN,WAN-ISP name=localhost
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.0.0.1-10.0.0.253
add name=dhcp_pool1 ranges=10.0.10.1-10.0.10.253
/ip dhcp-server
add address-pool=dhcp_pool0 interface=Bridge-Gb name=dhcp1
add address-pool=dhcp_pool1 interface=Bridge-Mb name=dhcp2
/port
set 0 name=serial0
/interface bridge port
add bridge=Bridge-Gb interface=ETH02-Gb
add bridge=Bridge-Gb interface=ETH03-Gb
add bridge=Bridge-Gb interface=ETH04-Gb
add bridge=Bridge-Gb interface=ETH05-Gb
add bridge=Bridge-Mb interface=ETH06-Mb
add bridge=Bridge-Mb interface=ETH07-Mb
add bridge=Bridge-Mb interface=ETH08-Mb
add bridge=Bridge-Mb interface=ETH09-Mb
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=ETH01-Fiber list=WAN-ISP
add interface=ETH10-Cellular list=WAN-ISP
add list=LAN
/ip address
add address=10.0.0.254/24 interface=Bridge-Gb network=10.0.0.0
add address=10.0.10.254/24 interface=Bridge-Mb network=10.0.10.0
/ip dhcp-client
add add-default-route=no interface=ETH01-Fiber
add add-default-route=no interface=ETH10-Cellular
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.254
add address=10.0.10.0/24 gateway=10.0.10.254
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN-ISP
/ip route
add disabled=no distance=1 dst-address=192.168.10.254/24 gateway=192.168.10.254 \
    pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10 vrf-interface=ETH01-Fiber
add disabled=no distance=1 dst-address=192.168.20.254/24 gateway=192.168.20.254 \
    pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10 vrf-interface=ETH10-Cellular
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    192.168.10.254 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10 vrf-interface=ETH01-Fiber
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    192.168.20.254 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10 vrf-interface=ETH10-Cellular
 
tangent
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm

Re: RB2011UiAS network performance

Sat Jul 02, 2022 5:24 pm

My cellular link is at less than 100Mbps provided by a Mikrotik RBLDFR LTE, so I use the router's POE 10 port.

This is essentially what I suggested in my first reply: keep using the 2011 for now, but segregate the slow equipment from the fast, taking advantage of the router's internal design rather than fighting it.

Upgrading to a better router should help measurably, but in these supply-constrained times, you might be better off running on the 2011 for some months until a better unit becomes available.

Realize that with the 2011, there's a single 1G link between the 100M side of the network and the 1G side, and it runs through the CPU. You need to budget for this during failover: if you have firewall rules and queues and such that take up 90% of the CPU while running on the primary ISP, the system may fail entirely when you switch over to the backup network because there isn't enough CPU power left to shuttle traffic from the 1G side over to the 100M side.

That's a "maybe." Reducing speeds from 1G to 100M will drop CPU usage, so it might end up okay.

Point is, test; don't guess and pray!

I do not use BONDING but simply two prioritized routes (Fiber 1 / Cellular 2).

That appears to be the solution from the docs I pointed you to.

Its failover behavior depends on the fact that the host you ping is diagnostic of link failure. If the local gateway stays up through that condition, it won't fail over at all, because it fools the router into thinking everything is fine. You might want to adjust the check-gateway target to point at something on the other side of the link that reliably pings only when the link is up, such as an intermediary router inside your ISP's network.

You can use "/tool/traceroute" to find potential candidates.

Beware changing it to a host that both sides of the network can ping. (Anti-example: 8.8.8.8.) That's diagnostic of nothing. Each link has to ping a host that's only available through that link if it's to fail over reliably.

6 to 9 for the DMZ.

DMZ design is old-school thinking associated with weak firewall technologies. (e.g. Low-spec ISP-provided modem/router combos.) With RouterOS, you have a modern platform with a strong firewall. Given those resources, exposing whole hosts to the Internet is lazy and reckless.

Port-forwarding is better for exposing single services hosted within a protected LAN.

If you must expose whole hosts naked to the Internet, rent some cloud service somewhere. I run dozens of public services on my $5/month VPS, for example. That way, if the VPS is ever compromised, it doesn't compromise your private LAN.

add name=Bridge-Gb
add name=Bridge-Mb

I wouldn't name the bridges after their speeds. Speeds change. Name them after their function: bridge-pri and bridge-sec, for example, being primary and secondary. Or, bridge-main and bridge-backup, or anything else, so long as it refers to permanent functional differences.

/interface ethernet
set [ find default-name=ether1 ] name=ETH01-Fiber rx-flow-control=auto \
    tx-flow-control=auto

I don't rename the low-level Ethernet interfaces like this. I leave them at their default names, but then use "comment" lines up at the bridge level to mark which interface is which. Human names should be high-level things, not pushed so far down into the config.

This is a matter of taste. I won't be offended if you disagree. Consider it, then decide.

/interface list
add include=all name=WAN-ISP

I think you need to drop the "include=all" bit. That's something you normally do for the LAN in a configuration like this. Consider this alternative:

/interface list
add name=WAN-ISP include=ether1,ether10
add name=LAN include=all exclude=WAN-ISP

/ip pool
add name=dhcp_pool0 ranges=10.0.0.1-10.0.0.253

You've reserved only one static IP in each range. I normally reserve more. Indeed, I don't see how you can't get away with less than 2 reserved static IPs in this configuration. (We'll come back to that later.) A common scheme is to start the DHCP range at .10 and go to .254, leaving all single-digit final-octet IPs as static. If you want to put all static services way up at the top of the range, then I'd reserve at least .250-254.

If you ignore my advice above and continue with your DMZ plans, you need static IPs for those hosts if routing rules are to work properly. If you take my advice and switch to port-forwarding, you still need static IPs for them.

The only exception I'd put on this advice is if you create static leases for certain hosts, so they always get the same IP.

/ip route
add disabled=no distance=1 dst-address=192.168.10.254/24 gateway=192.168.10.254 \
    pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10 vrf-interface=ETH01-Fiber
add disabled=no distance=1 dst-address=192.168.20.254/24 gateway=192.168.20.254 \
    pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10 vrf-interface=ETH10-Cellular

I see no reason at all to define two more subnets here. I believe it will work, but it's pointlessly overcomplicated.

It's simpler if the fiber and cellular router/modem combos have their local interface in the 10.0.x.0/24 side of the network they serve. So, if ether1 continues as 10.0.0.254, the fiber modem can be 10.0.0.253. Now you don't need explicit routes to get packets to the gateway: you just set 10.0.0.253 as the gateway for that subnet, and let RouterOS create a dynamic route for it automatically.

Same with the cellular side: gateway 10.0.10.253.
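Putting tangent's three pieces of advice together, here is an added RouterOS v7 example (not from the thread, and not the configuration of either poster): the modems addressed inside the LAN subnets so the explicit 192.168.x.0/24 routes disappear, a DHCP range that leaves the low addresses static with a static lease for the cash register, and default routes whose `check-gateway` probe is a host reachable only through its own link. The recursive-route form (a /32 host route per probe, then a default route whose gateway is that host) is RouterOS's documented way of doing what tangent describes; the probe addresses 203.0.113.1 and 198.51.100.1 and the cash register MAC are placeholders to be replaced with hops found via `/tool/traceroute` on each link.

```routeros
# Added example: simplified addressing, static reservations and link-diagnostic failover.
# Assumptions: fiber modem at 10.0.0.253 and LTE unit at 10.0.10.253 (tangent's suggestion),
# probe hosts 203.0.113.1 (fiber side) and 198.51.100.1 (LTE side) are placeholders.

# DHCP hands out .10-.249 only; .1-.9 and .250-.254 stay static (modem, servers, router).
/ip pool
set dhcp_pool0 ranges=10.0.0.10-10.0.0.249
set dhcp_pool1 ranges=10.0.10.10-10.0.10.249
# Static lease: the cash register always receives the address the firewall expects.
/ip dhcp-server lease
add server=dhcp1 address=10.0.0.20 mac-address=00:00:5E:00:53:01 \
    comment="cash register (placeholder MAC)"

/ip route
# Pin each probe to its own link. scope=10 lets the default routes below resolve
# through these entries; the probe is therefore unreachable via the other link,
# which is exactly what makes the ping diagnostic of that link.
add dst-address=203.0.113.1/32 gateway=10.0.0.253 scope=10 \
    comment="fiber probe, only via fiber modem"
add dst-address=198.51.100.1/32 gateway=10.0.10.253 scope=10 \
    comment="LTE probe, only via LTE unit"
# Default routes use the probe host as gateway. RouterOS resolves it recursively
# through the /32 above (target-scope=11 admits routes of scope 10), and
# check-gateway=ping deactivates the route when the probe stops answering,
# letting the distance=2 route take over.
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 check-gateway=ping \
    target-scope=11 comment="primary: fiber"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 check-gateway=ping \
    target-scope=11 comment="backup: LTE"
```

The anti-example tangent gives (8.8.8.8 as the probe) fails because it is reachable via both links: the primary route's ping keeps succeeding over the backup path even after the fiber has died, so the router never fails over. Pinning a /32 to each link removes that escape route. Note that `check-gateway=ping` polls every 10 seconds and needs two consecutive misses, so expect roughly 20 seconds of outage on failover; that is the "fast" figure MDZT should measure rather than assume.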
