pepsi
just joined
Topic Author
Posts: 5
Joined: Tue Feb 07, 2023 6:12 pm

Slow bandwidth debian server behind NAT

Tue Feb 07, 2023 6:38 pm

Hello,

I have RB3011UiAS, version 6.49.7.

The default MikroTik OpenVPN server is slow (maybe because of TCP), so I decided to install an OpenVPN server behind NAT on Debian.

It looks like this:
topology.png
The MikroTik speed is 400 Mbps in/out.
The client speed is 100 Mbps in/out.

The problem is that the bandwidth through the tunnel is very low.
I tested with iperf locally; the speed is fine, 600+ Mbps.

iperf test from an external network to the Debian server (NATed port):
iperf-speed.png
iperf test from an external network with OpenVPN:
iperf-with-openvpn.png
It is a really strange problem. I even tried with WireGuard; the connection stays the same, so I blame my MikroTik configuration now.
Maybe the problem is with the basic failover I am using and the recursive routing?

Here is my config:
config.rsc
Any help will be appreciated.
Last edited by pepsi on Thu Feb 16, 2023 7:59 pm, edited 1 time in total.
 
pepsi
just joined
Topic Author
Posts: 5
Joined: Tue Feb 07, 2023 6:12 pm

Re: Slow bandwidth debian server behind NAT

Thu Feb 16, 2023 7:57 pm

Tried with a different router and the speed is fine.

MikroTik is a nightmare. Zero support.

I regret purchasing your product.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Slow bandwidth debian server behind NAT

Thu Feb 16, 2023 9:56 pm

No, the purchaser didn't do their homework, as OpenVPN is not fully supported by MT and only recently has started trying to make it possible.
Meanwhile WireGuard, which is faster and easier, is available...
 
pepsi
just joined
Topic Author
Posts: 5
Joined: Tue Feb 07, 2023 6:12 pm

Re: Slow bandwidth debian server behind NAT

Fri Feb 17, 2023 11:48 am

> No, the purchaser didn't do their homework, as OpenVPN is not fully supported by MT and only recently has started trying to make it possible.
> Meanwhile WireGuard, which is faster and easier, is available...

No, I did my homework.
I knew that OpenVPN installed on the router uses TCP and it is slow.

In this case I installed it on a Debian server on the local network and set up port forwarding. I did not expect that the MikroTik cannot handle simple port forwarding.

I tried iperf (port forwarding without VPN, only an open port to the internet) - again slow bandwidth.

I do not understand: why does MikroTik have such slow speed when port forwarding?
With the other router, a Cisco, the speed is x5.
 
erlinden
Forum Guru
Posts: 1920
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Slow bandwidth debian server behind NAT

Fri Feb 17, 2023 12:02 pm

> I do not understand: why does MikroTik have such slow speed when port forwarding?

I think you made some errors in the config:
  • IP address should be set on the bridge, not on an interface that is part of the bridge
  • If you want to do VLAN, you should have VLAN filtering turned on on the bridge
What is the CPU usage when doing a test? How is the test performed? If using the Cisco, do you also forward TCP or UDP?
 
pepsi
just joined
Topic Author
Posts: 5
Joined: Tue Feb 07, 2023 6:12 pm

Re: Slow bandwidth debian server behind NAT

Fri Feb 17, 2023 1:22 pm

> I do not understand: why does MikroTik have such slow speed when port forwarding?
>
> I think you made some errors in the config:
>   • IP address should be set on the bridge, not on an interface that is part of the bridge
>   • If you want to do VLAN, you should have VLAN filtering turned on on the bridge
> What is the CPU usage when doing a test? How is the test performed? If using the Cisco, do you also forward TCP or UDP?

I do the test with iperf3. I start the --server on the local network and set up port forwarding.
From an external network I start the test --client to the public IP/port where the server is.
The CPU is not more than 5% during the test.

"IP address should be set on the bridge, not on an interface that is part of the bridge"
How do I change that? I have dual WAN with failover. That's why it is set on the interface.

On Cisco I use TCP.
Thanks for the reply, mate. I appreciate it.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Slow bandwidth debian server behind NAT

Fri Feb 17, 2023 3:41 pm

It's definitely not that RouterOS couldn't handle port forwarding. Slightly wrong VLAN and IP config shouldn't do it either. Same goes for seemingly unnecessary proxy ARP. But what if you forget about dual WAN for a moment (disable DHCP client on ether10) and try with only a single connection, does it change anything?
 
un9edsda
Frequent Visitor
Posts: 76
Joined: Sun Mar 15, 2020 11:11 pm

Re: Slow bandwidth debian server behind NAT

Fri Feb 17, 2023 4:43 pm

> > No, the purchaser didn't do their homework, as OpenVPN is not fully supported by MT and only recently has started trying to make it possible.
> > Meanwhile WireGuard, which is faster and easier, is available...
>
> No, I did my homework.
> I knew that OpenVPN installed on the router uses TCP and it is slow.

Actually, based on your configuration file (that you have attached to your opening post), you have not done your homework before purchasing, as it seems from it that you had not checked the block diagram of RB3011UiAS-RM before purchasing. Since from your configuration it seems that you are not using any of the missing features like BFD that is implemented in RouterOS v6, it is time to move on to v7 (it has UDP OpenVPN, by the way).
The risk-averse way of doing this is to export your configuration with
export file=thedesirednameoftheexportedconfigfile
then copy it to your computer so you have it as a reference at hand, then use Netinstall to load the latest stable RouterOS v7 (at the time of writing it is 7.7) to your device (make sure that you don't select "keep old configuration" (Windows version) or, in the case of the GNU/Linux version, that you do use the "-r" parameter). After that, rebuild your configuration on the router from scratch (do not load your previously exported configuration file on the router).


> In this case I installed it on a Debian server on the local network and set up port forwarding. I did not expect that the MikroTik cannot handle simple port forwarding.
> ...
> I do not understand: why does MikroTik have such slow speed when port forwarding?

Based on your configuration export I assume that
  • your ISPs' Ethernet cables are connected to Eth1 and Eth10
  • you have started from the default configuration

Unfortunately the default configuration on at least a few devices with more than one switch chip is one which is mentioned as a typical Layer 2 misconfiguration in the current documentation: Bridging and Switching Case Studies / Layer2 misconfiguration / VLAN filtering with multiple switch chips. The block diagram of RB3011UiAS-RM clearly states that it has two switch chips and an SFP cage (directly connected to the CPU with XOR with switch2 serving ports Eth6 to Eth10), therefore from a performance point of view having a single bridge with all of the ports may be suboptimal. According to the current documentation the RB3011UiAS-RM has two QCA8337 switch chips. Since the two switches are the same, they have the same Bridge Hardware Offloading capabilities. Since these two chips are the same type, they have the same Bridging and Switching / Switch Chip Features as described in the documentation. Therefore, to maximise the throughput you should use two separate bridges: one for the Eth1 to Eth5 ports and another one for the Eth6 to Eth10 ports (except the port(s) that are used for Internet uplink), while keeping in mind not to enable features on the two separate bridges that are not supported in the respective switch chip's hardware. Please note that in case you intend to use the SFP cage in the future, then it is better to select from Eth6 to Eth9 for Internet uplink(s) (Eth10 has passive PoE out); for additional reasons keep on reading.

While implementing Basic VLAN switching following the case study in the documentation, heed the warning in it:
> On QCA8337 and Atheros8327 switch chips, a default vlan-header=leave-as-is property should be used. The switch chip will determine which ports are access ports by using the default-vlan-id property. The default-vlan-id should only be used on access/hybrid ports to specify which VLAN the untagged ingress traffic is assigned to.

and adapt the configuration (bridge1 should only have Eth1 to Eth5 ports):
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
/interface ethernet switch vlan
add ports=ether1,ether2 switch=switch1 vlan-id=20
add ports=ether1,ether3 switch=switch1 vlan-id=30
add ports=ether1,switch1-cpu switch=switch1 vlan-id=99
/interface vlan
add interface=bridge1 vlan-id=99 name=MGMT
/ip address
add address=192.168.99.1/24 interface=MGMT
/interface ethernet switch port
set ether1 vlan-mode=secure vlan-header=leave-as-is
set ether2 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=20
set ether3 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=30
set switch1-cpu vlan-header=leave-as-is vlan-mode=secure

And in the case of the solution for VLAN filtering with multiple switch chips, adapt the solution code as follows:
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge2 interface=ether6
add bridge=bridge2 interface=ether7
add bridge=bridge2 interface=ether8
add bridge=bridge2 interface=ether9
add bridge=bridge2 interface=ether10
/interface ethernet switch port
set ether1,ether2,ether3,ether4,ether7,ether8,ether9 default-vlan-id=10 vlan-header=leave-as-is vlan-mode=secure
set ether5,ether6,ether10 vlan-header=leave-as-is vlan-mode=secure
set switch1-cpu,switch2-cpu vlan-mode=secure
/interface ethernet switch vlan
add ports=ether1,ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=10
add ports=ether6,ether7,ether8,ether9,ether10,switch2-cpu switch=switch2 vlan-id=10
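
The single-bridge-across-two-switch-chips condition described in the post above can be checked offline against a RouterOS export. This is an added example, not part of the original post or MikroTik's own tooling; the port-to-chip map is taken from the post's description of the RB3011UiAS-RM, and the function name and sample exports are constructed for illustration.

```python
import re
from collections import defaultdict

# Port-to-chip map assumed from the post: ether1-5 on switch1, ether6-10 on switch2.
SWITCH_OF = {f"ether{n}": ("switch1" if n <= 5 else "switch2") for n in range(1, 11)}

def bridges_spanning_chips(export_text):
    """Map each bridge whose enabled ports sit on more than one switch chip to those chips."""
    chips = defaultdict(set)
    section = None
    # Exports wrap long lines with a trailing backslash; join them before parsing.
    text = re.sub(r"\\\r?\n\s*", "", export_text)
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line  # remember which menu the following "add" lines belong to
        elif section == "/interface bridge port" and line.startswith("add "):
            props = dict(re.findall(r"([\w-]+)=(\S+)", line))
            chip = SWITCH_OF.get(props.get("interface"))
            if chip and "bridge" in props and props.get("disabled") != "yes":
                chips[props["bridge"]].add(chip)
    return {b: sorted(c) for b, c in chips.items() if len(c) > 1}

# Constructed sample: a single bridge holding ports from both chips.
SINGLE_BRIDGE = """\
/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether9
"""

# Constructed sample: the two-bridge split suggested in the post.
TWO_BRIDGES = """\
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether5
add bridge=bridge2 interface=ether6
add bridge=bridge2 interface=ether9
"""

if __name__ == "__main__":
    print(bridges_spanning_chips(SINGLE_BRIDGE))
    print(bridges_spanning_chips(TWO_BRIDGES))
```
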
 
pepsi
just joined
Topic Author
Posts: 5
Joined: Tue Feb 07, 2023 6:12 pm

Re: Slow bandwidth debian server behind NAT

Mon Feb 20, 2023 11:24 am



Thank you for the reply.
I will try it next week. I hope it will work.
