bclementson
just joined
Topic Author
Posts: 1
Joined: Tue Mar 07, 2023 4:15 am

Slow Bandwidth Between VLANs with Hex S

Tue Mar 07, 2023 7:01 am

Hello All,

I am experiencing slow traffic between VLANs on my Hex S. I have tried to configure my network closely to viewtopic.php?t=143620, but would like confirmation that there is nothing misconfigured.

I have a Dell Micro hosting Ubuntu Server / Docker services on the Management VLAN connected directly to the Hex S. My main PC is on the Trusted VLAN, => TP-Link Switch => Hex S. On the Trusted VLAN, iperf tests average 217Mbps, while connecting the same PC to the Management VLAN averages 946Mbps.

Is this expected - am I maxing out my Hex S when routing between VLANs? Or is there something in my configuration I need to change?

Thanks in advance!
# mar/06/2023 20:49:17 by RouterOS 7.8
# software id = RTFH-SGFX
#
# model = RB760iGS
# serial number = E2080F8C9A12
/interface bridge
add admin-mac=DC:2C:6E:11:5D:C2 auto-mac=no comment=defconf name=bridge protocol-mode=none vlan-filtering=yes
/interface veth
add address=172.17.0.2/24 gateway=172.17.0.1 name=veth1
/interface vlan
add interface=bridge name=guest_vlan vlan-id=400
add interface=bridge name=homelab_vlan vlan-id=200
add interface=bridge name=iot_vlan vlan-id=300
add interface=bridge name=management_vlan vlan-id=999
add interface=bridge name=trusted_vlan vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=MANAGEMENT
add name=IOT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=trusted_pool ranges=10.0.10.2-10.0.10.254
add name=homelab_pool ranges=10.0.20.2-10.0.20.254
add name=iot_pool ranges=10.0.30.2-10.0.30.254
add name=guest_pool ranges=10.0.40.2-10.0.40.254
add name=management_pool ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
add address-pool=trusted_pool interface=trusted_vlan name=trusted_dhcp
add address-pool=homelab_pool interface=homelab_vlan name=homelab_dhcp
add address-pool=iot_pool interface=iot_vlan name=iot_dhcp
add address-pool=guest_pool interface=guest_vlan name=guest_dhcp
add address-pool=management_pool interface=management_vlan name=management_dhcp
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=ether4
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=ether5
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=sfp1
add bridge=bridge interface=veth1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,sfp1 vlan-ids=100
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,sfp1 vlan-ids=200
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,sfp1 vlan-ids=300
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,sfp1 vlan-ids=400
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,sfp1 vlan-ids=999
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=trusted_vlan list=VLAN
add interface=homelab_vlan list=VLAN
add interface=iot_vlan list=VLAN
add interface=guest_vlan list=VLAN
add interface=guest_vlan list=IOT
add interface=homelab_vlan list=IOT
add interface=management_vlan list=IOT
add interface=trusted_vlan list=IOT
/ip address
add address=10.0.10.1/24 interface=trusted_vlan network=10.0.10.0
add address=10.0.20.1/24 interface=homelab_vlan network=10.0.20.0
add address=10.0.30.1/24 interface=iot_vlan network=10.0.30.0
add address=10.0.40.1/24 interface=guest_vlan network=10.0.40.0
add address=192.168.0.1/24 interface=management_vlan network=192.168.0.0
add address=172.17.0.1/24 interface=*E network=172.17.0.0
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=10.0.30.12 mac-address=54:AF:97:9E:14:C2 server=iot_dhcp
add address=10.0.30.11 mac-address=54:AF:97:AA:15:2C server=iot_dhcp
add address=10.0.30.13 mac-address=54:AF:97:B2:94:F5 server=iot_dhcp
add address=10.0.30.14 mac-address=54:AF:97:9D:F3:90 server=iot_dhcp
add address=10.0.30.15 mac-address=34:60:F9:98:0A:CC server=iot_dhcp
add address=10.0.10.5 client-id=1:2c:f0:5d:94:ce:ee mac-address=2C:F0:5D:94:CE:EE server=trusted_dhcp
/ip dhcp-server network
add address=10.0.10.0/24 comment="Trusted VLAN" dns-server=10.0.10.1 gateway=10.0.10.1
add address=10.0.20.0/24 comment="HomeLab VLAN" dns-server=10.0.20.1 gateway=10.0.20.1
add address=10.0.30.0/24 comment="IOT VLAN" dns-server=192.168.0.1,192.168.0.125,9.9.9.9 gateway=10.0.30.1
add address=10.0.40.0/24 comment="Guest VLAN" dns-server=10.0.40.1 gateway=10.0.40.1
add address=192.168.0.0/24 comment="Management VLAN" dns-server=192.168.0.1 gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.0.125
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related
add action=reject chain=input comment="Block IoT Network from accessing router management" dst-port=80 in-interface=iot_vlan protocol=tcp reject-with=\
    icmp-network-unreachable
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow management_vlan Full Access" in-interface=management_vlan
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Accept Established and Related" connection-state=established,related
add action=accept chain=forward comment="Allow DNS Queries from IOT VLAN over TCP" dst-port=53 in-interface=iot_vlan out-interface=management_vlan \
    protocol=tcp
add action=accept chain=forward comment="Allow DNS Queries from IOT VLAN over UDP" dst-port=53 in-interface=iot_vlan out-interface=management_vlan \
    protocol=udp
add action=drop chain=forward comment="Block IOT VLAN from accessing other VLANS" in-interface=iot_vlan out-interface-list=IOT
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=\
    WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=!192.168.0.125 dst-port=53 protocol=udp src-address=!192.168.0.125 to-addresses=192.168.0.125
add action=dst-nat chain=dstnat dst-address=!192.168.0.125 dst-port=53 protocol=tcp src-address=!192.168.0.125 to-addresses=192.168.0.125
add action=masquerade chain=srcnat dst-address=192.168.0.125 dst-port=53 protocol=udp src-address=192.168.0.0/24
add action=masquerade chain=srcnat dst-address=192.168.0.125 dst-port=53 protocol=tcp src-address=192.168.0.0/24
add action=masquerade chain=srcnat dst-address=192.168.0.125 dst-port=53 protocol=udp src-address=10.0.10.0/24
add action=masquerade chain=srcnat dst-address=192.168.0.125 dst-port=53 protocol=tcp src-address=10.0.10.0/24
add action=masquerade chain=srcnat dst-address=192.168.0.125 dst-port=53 protocol=tcp src-address=10.0.20.0/24
add action=masquerade chain=srcnat dst-address=192.168.0.125 dst-port=53 protocol=udp src-address=10.0.20.0/24
add action=masquerade chain=srcnat dst-address=192.168.0.125 dst-port=53 protocol=tcp src-address=10.0.30.0/24
add action=masquerade chain=srcnat dst-address=192.168.0.125 dst-port=53 protocol=udp src-address=10.0.30.0/24
add action=masquerade chain=srcnat dst-address=192.168.0.125 dst-port=53 protocol=tcp src-address=10.0.40.0/24
add action=masquerade chain=srcnat dst-address=192.168.0.125 dst-port=53 protocol=udp src-address=10.0.40.0/24
/ip route
add disabled=yes distance=1 dst-address=10.0.30.0/24 gateway=management_vlan pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/Los_Angeles
/system scheduler
add interval=30s name=dns-failover-check on-event=":local currentDNS [/ip dns get server]\r\
    \n:local piholeDNS \"192.168.0.125\"\r\
    \n:local backupDNS \"9.9.9.9,149.112.112.112\"\r\
    \n:local testDomain \"www.google.com\"\r\
    \n\r\
    \n:if (\$currentDNS = \$piholeDNS) do={\r\
    \n    :do {\r\
    \n        :resolve \$testDomain server=\$piholeDNS\r\
    \n    } on-error={\r\
    \n        /ip dns set servers=\$backupDNS\r\
    \n    }\r\
    \n} else={\r\
    \n    :do {\r\
    \n        :resolve \$testDomain server=\$piholeDNS\r\
    \n        /ip dns set servers=\$piholeDNS\r\
    \n    } on-error={}\r\
    \n}" policy=read,write,test start-time=startup
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Slow Bandwidth Between VLANs with Hex S

Tue Mar 07, 2023 11:19 pm

Overall I think a good cleanup of firewall rules, and sourcenat should help.
A better approach to DNS may help improve performance along with the cleanup of firewall rules.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

(1) Since there is no difference between your ports it could be a one liner.............

/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,sfp1 vlan-ids=100,200,300,400,999


(2) I don't see why there would be an issue but don't understand the VETH thingy..........
Not even sure it's something you can add to a bridge??

(3) The bridge has no purpose to a LAN interface list member as you do it through the vlans, so should remove.
/interface list member
add comment=defconf interface=bridge list=LAN


(4) What is the purpose of putting an internal server here..........?? Also the dhcp server network dns settings don't seem to match up with your IP DNS setting??
Why the static setting ( left over default from initial install )?

(5) WHY do you allow every fricken dog full access to your router and then afterwards attempt to narrow it down LOL. Fence is open, horses have left......
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow management_vlan Full Access" in-interface=management_vlan


We need to discuss a better strategy and purpose!!! There is an easier better way.

(6) Your sourcenat rules are over the top overdone.................... suggest you need to simplify.......

(7) Don't understand the purpose of the IP route you have ???
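A defender-side check for point (5) of the reply, added here as an example and not code from either post: it parses the posted export's input chain (RouterOS export syntax, including the backslash line continuation) and reports each accept rule constrained only by ingress interface, together with the later drop/reject rules in that chain that traffic from those interfaces can no longer reach. The VLAN list membership is taken from the posted /interface list member section; the rule subset is the page's own input chain.

```python
import re
import shlex

# Constructed sample: the input-chain rules from the posted export, in RouterOS
# export syntax (quoted comments, backslash line continuation).
SAMPLE_EXPORT = r'''/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related
add action=reject chain=input comment="Block IoT Network from accessing router management" dst-port=80 in-interface=iot_vlan protocol=tcp reject-with=\
    icmp-network-unreachable
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow management_vlan Full Access" in-interface=management_vlan
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
'''
IFACE_LISTS = {"VLAN": {"trusted_vlan", "homelab_vlan", "iot_vlan", "guest_vlan"}}  # from /interface list member
IFACE_KEYS = {"in-interface", "in-interface-list"}
NON_MATCHERS = {"action", "chain", "comment", "reject-with", "disabled", "log", "log-prefix"}

def parse_filter_rules(export):
    """Fold RouterOS line continuations and turn each 'add ...' line into a property dict."""
    joined = re.sub(r"\\\n\s*", "", export)
    return [dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
            for line in joined.splitlines() if line.startswith("add ")]

def interfaces_of(rule):
    """Concrete ingress interfaces a rule matches; None when unconstrained or negated."""
    if "in-interface" in rule:
        return {rule["in-interface"]}
    lst = rule.get("in-interface-list")
    return None if lst is None or lst.startswith("!") else IFACE_LISTS.get(lst, set())

def find_blanket_accepts(rules):
    """Accepts constrained only by ingress interface, with the later drop/reject rules they bypass."""
    findings = []
    for i, rule in enumerate(rules):
        matchers = set(rule) - NON_MATCHERS
        if rule["action"] != "accept" or not matchers or not matchers <= IFACE_KEYS:
            continue
        covered, shadowed = interfaces_of(rule), []
        for later in rules[i + 1:]:
            if later["chain"] != rule["chain"] or later["action"] not in ("drop", "reject"):
                continue
            ifaces = interfaces_of(later)
            negated = later.get("in-interface-list", "").startswith("!")
            # a later drop with no interface constraint, or one scoped inside the accepted
            # interfaces, never sees traffic that the blanket accept already let through
            if (ifaces is None and not negated) or (ifaces and covered and ifaces <= covered):
                shadowed.append(later.get("comment", "<no comment>"))
        findings.append((rule.get("comment", "<no comment>"), shadowed))
    return findings
```

Run against the sample, both "Allow VLAN" and "Allow management_vlan Full Access" are reported as blanket accepts that bypass "defconf: drop invalid", which is the ordering problem the reply describes.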
