I am experiencing slow traffic between VLANs on my Hex S. I have tried to configure my network closely following viewtopic.php?t=143620, but would like confirmation that there is nothing misconfigured.
I have a Dell Micro hosting Ubuntu Server / Docker services on the Management VLAN, connected directly to the Hex S. My main PC is on the Trusted VLAN and reaches the Hex S through a TP-Link switch. On the Trusted VLAN, iperf tests average 217 Mbps, while connecting the same PC to the Management VLAN averages 946 Mbps.
Is this expected - am I maxing out my Hex S when routing between VLANs? Or is there something in my configuration I need to change?
Thanks in advance!
# mar/06/2023 20:49:17 by RouterOS 7.8
# software id = RTFH-SGFX
#
# model = RB760iGS
# serial number = E2080F8C9A12
#
# Single VLAN-filtering bridge; every segment is an /interface vlan on the bridge,
# so all inter-VLAN traffic is routed by the CPU through the firewall below.
/interface bridge
add admin-mac=DC:2C:6E:11:5D:C2 auto-mac=no comment=defconf name=bridge protocol-mode=none vlan-filtering=yes
# Container-side veth: 172.17.0.2/24, default gateway 172.17.0.1. The router side
# of that gateway is the 172.17.0.1/24 entry under /ip address (see note there).
/interface veth
add address=172.17.0.2/24 gateway=172.17.0.1 name=veth1
# One L3 interface per VLAN; each gets a DHCP server, pool and address further down.
/interface vlan
add interface=bridge name=guest_vlan vlan-id=400
add interface=bridge name=homelab_vlan vlan-id=200
add interface=bridge name=iot_vlan vlan-id=300
add interface=bridge name=management_vlan vlan-id=999
add interface=bridge name=trusted_vlan vlan-id=100
# Interface lists referenced by the firewall (members are under /interface list member):
#   LAN        - defconf, bridge only
#   WAN        - defconf, ether1 only
#   VLAN       - trusted, homelab, iot, guest (management_vlan is NOT in it)
#   MANAGEMENT - declared but has no members in this export
#   IOT        - guest, homelab, management, trusted (every VLAN except iot_vlan);
#                only used as out-interface-list of the IoT isolation rule
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=MANAGEMENT
add name=IOT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
# Per-VLAN DHCP pools; .1 of each subnet is the router (see /ip address).
/ip pool
add name=trusted_pool ranges=10.0.10.2-10.0.10.254
add name=homelab_pool ranges=10.0.20.2-10.0.20.254
add name=iot_pool ranges=10.0.30.2-10.0.30.254
add name=guest_pool ranges=10.0.40.2-10.0.40.254
add name=management_pool ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
add address-pool=trusted_pool interface=trusted_vlan name=trusted_dhcp
add address-pool=homelab_pool interface=homelab_vlan name=homelab_dhcp
add address-pool=iot_pool interface=iot_vlan name=iot_dhcp
add address-pool=guest_pool interface=guest_vlan name=guest_dhcp
add address-pool=management_pool interface=management_vlan name=management_dhcp
/port
set 0 name=serial0
# ether2-5 and sfp1 are pure trunk ports (only tagged frames admitted). veth1 is
# added with defaults (no frame-types/pvid) and does not appear in any
# /interface bridge vlan entry below, so its untagged traffic lands in the
# bridge's default pvid. NOTE(review): confirm that is the intended VLAN for the
# container, given that its gateway address is currently unbound (see /ip address).
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=ether4
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=ether5
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=sfp1
add bridge=bridge interface=veth1
/ip neighbor discovery-settings
set discover-interface-list=LAN
# Every VLAN - including management (999) - is tagged on every trunk port. Any
# device attached to ether2-5/sfp1 that tags 999 itself lands on the management
# segment; listing vlan-ids=999 only on the port(s) that carry management
# (here apparently the one facing the Dell Micro) narrows that.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,sfp1 vlan-ids=100
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,sfp1 vlan-ids=200
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,sfp1 vlan-ids=300
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,sfp1 vlan-ids=400
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,sfp1 vlan-ids=999
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=trusted_vlan list=VLAN
add interface=homelab_vlan list=VLAN
add interface=iot_vlan list=VLAN
add interface=guest_vlan list=VLAN
add interface=guest_vlan list=IOT
add interface=homelab_vlan list=IOT
add interface=management_vlan list=IOT
add interface=trusted_vlan list=IOT
# Router addresses, .1 of each VLAN subnet.
# The last entry has interface=*E: a dangling reference to an interface that no
# longer exists in this export, so 172.17.0.1/24 - the gateway veth1 is configured
# to use - is not bound to anything. NOTE(review): re-bind it to the intended
# interface (veth1 is a bridge port, so presumably the bridge or a dedicated VLAN
# interface rather than veth1 itself) - confirm against the container setup.
/ip address
add address=10.0.10.1/24 interface=trusted_vlan network=10.0.10.0
add address=10.0.20.1/24 interface=homelab_vlan network=10.0.20.0
add address=10.0.30.1/24 interface=iot_vlan network=10.0.30.0
add address=10.0.40.1/24 interface=guest_vlan network=10.0.40.0
add address=192.168.0.1/24 interface=management_vlan network=192.168.0.0
add address=172.17.0.1/24 interface=*E network=172.17.0.0
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=10.0.30.12 mac-address=54:AF:97:9E:14:C2 server=iot_dhcp
add address=10.0.30.11 mac-address=54:AF:97:AA:15:2C server=iot_dhcp
add address=10.0.30.13 mac-address=54:AF:97:B2:94:F5 server=iot_dhcp
add address=10.0.30.14 mac-address=54:AF:97:9D:F3:90 server=iot_dhcp
add address=10.0.30.15 mac-address=34:60:F9:98:0A:CC server=iot_dhcp
add address=10.0.10.5 client-id=1:2c:f0:5d:94:ce:ee mac-address=2C:F0:5D:94:CE:EE server=trusted_dhcp
# Trusted/HomeLab/Guest/Management clients resolve via the router; IoT clients are
# handed the pihole (192.168.0.125) and 9.9.9.9 directly. Note that the dstnat
# rules below redirect any port-53 traffic not addressed to 192.168.0.125 back to
# it, so 9.9.9.9 is not an independent fallback for IoT clients.
/ip dhcp-server network
add address=10.0.10.0/24 comment="Trusted VLAN" dns-server=10.0.10.1 gateway=10.0.10.1
add address=10.0.20.0/24 comment="HomeLab VLAN" dns-server=10.0.20.1 gateway=10.0.20.1
add address=10.0.30.0/24 comment="IOT VLAN" dns-server=192.168.0.1,192.168.0.125,9.9.9.9 gateway=10.0.30.1
add address=10.0.40.0/24 comment="Guest VLAN" dns-server=10.0.40.1 gateway=10.0.40.1
add address=192.168.0.0/24 comment="Management VLAN" dns-server=192.168.0.1 gateway=192.168.0.1 netmask=24
# Router resolver forwards to the pihole; allow-remote-requests=yes means the
# router answers DNS from clients itself, which relies on the input-chain accepts below.
/ip dns
set allow-remote-requests=yes servers=192.168.0.125
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
# --- input chain (traffic to the router itself). Order matters:
#  - the IoT block rejects only TCP/80; the very next rule ("Allow VLAN") accepts
#    everything else from the VLAN list, which includes iot_vlan AND guest_vlan,
#    so IoT and guest hosts reach every other router service that is listening
#    (ssh/telnet/ftp are disabled under /ip service; www, winbox and api are not
#    configured there and keep their defaults).
#  - "drop invalid" comes after those accepts, so invalid-state packets arriving
#    on the VLAN interfaces are accepted before it is evaluated (defconf places
#    it right after the established/related accept).
#  - LAN contains only the bridge, so the final "!LAN" drop does catch VLAN
#    interfaces - but only for what the accepts above have not already taken.
# NOTE(review): consider narrowing the "Allow VLAN" accept to the services
# clients actually need from the router (DNS, DHCP, ICMP) and keeping full
# access for management_vlan only.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related
add action=reject chain=input comment="Block IoT Network from accessing router management" dst-port=80 in-interface=iot_vlan protocol=tcp reject-with=\
icmp-network-unreachable
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow management_vlan Full Access" in-interface=management_vlan
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# --- forward chain (traffic routed between interfaces).
# There is NO terminal drop rule: anything not matched below is accepted by the
# default policy. Visible consequences:
#  - inter-VLAN traffic (trusted <-> management, guest -> anything, ...) is
#    allowed unless a rule explicitly drops it; the only isolation present is
#    the single IoT rule, and that covers outbound from IoT only;
#  - "VLAN Internet Access only" restricts nothing by itself - it is an accept,
#    and whatever it does not match is accepted anyway;
#  - management_vlan is not in the VLAN list, yet it still reaches WAN, again
#    because of the implicit accept.
# NOTE(review): end the chain with `add action=drop chain=forward
# comment="drop all else"` and add explicit accepts for the inter-VLAN flows and
# the management->WAN path that are actually wanted.
# Fasttrack (hw-offload=yes) only matches established/related connections, so a
# flow's first packets traverse the whole chain and later ones bypass it.
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Accept Established and Related" connection-state=established,related
add action=accept chain=forward comment="Allow DNS Queries from IOT VLAN over TCP" dst-port=53 in-interface=iot_vlan out-interface=management_vlan \
protocol=tcp
add action=accept chain=forward comment="Allow DNS Queries from IOT VLAN over UDP" dst-port=53 in-interface=iot_vlan out-interface=management_vlan \
protocol=udp
add action=drop chain=forward comment="Block IOT VLAN from accessing other VLANS" in-interface=iot_vlan out-interface-list=IOT
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=\
WAN
# DNS redirection: any port-53 traffic not already addressed to the pihole, and
# not sent by it, is dst-natted to 192.168.0.125. The per-subnet masquerades make
# the pihole see the router as the client. For 192.168.0.0/24 that is the hairpin
# case (client and pihole share a subnet, so the reply must come back through the
# router); for the 10.0.x.0/24 subnets the reply is routed anyway, and the
# masquerade mainly removes per-client visibility from the resolver's logs.
# NOTE(review): confirm the 10.0.x masquerade rules are required before keeping them.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=!192.168.0.125 dst-port=53 protocol=udp src-address=!192.168.0.125 to-addresses=192.168.0.125
add action=dst-nat chain=dstnat dst-address=!192.168.0.125 dst-port=53 protocol=tcp src-address=!192.168.0.125 to-addresses=192.168.0.125
add action=masquerade chain=srcnat dst-address=192.168.0.125 dst-port=53 protocol=udp src-address=192.168.0.0/24
add action=masquerade chain=srcnat dst-address=192.168.0.125 dst-port=53 protocol=tcp src-address=192.168.0.0/24
add action=masquerade chain=srcnat dst-address=192.168.0.125 dst-port=53 protocol=udp src-address=10.0.10.0/24
add action=masquerade chain=srcnat dst-address=192.168.0.125 dst-port=53 protocol=tcp src-address=10.0.10.0/24
add action=masquerade chain=srcnat dst-address=192.168.0.125 dst-port=53 protocol=tcp src-address=10.0.20.0/24
add action=masquerade chain=srcnat dst-address=192.168.0.125 dst-port=53 protocol=udp src-address=10.0.20.0/24
add action=masquerade chain=srcnat dst-address=192.168.0.125 dst-port=53 protocol=tcp src-address=10.0.30.0/24
add action=masquerade chain=srcnat dst-address=192.168.0.125 dst-port=53 protocol=udp src-address=10.0.30.0/24
add action=masquerade chain=srcnat dst-address=192.168.0.125 dst-port=53 protocol=tcp src-address=10.0.40.0/24
add action=masquerade chain=srcnat dst-address=192.168.0.125 dst-port=53 protocol=udp src-address=10.0.40.0/24
# Disabled static route for the IoT subnet via management_vlan; the connected
# route on iot_vlan already covers 10.0.30.0/24. Looks like a leftover - remove if unused.
/ip route
add disabled=yes distance=1 dst-address=10.0.30.0/24 gateway=management_vlan pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
# telnet/ftp/ssh are off; www, www-ssl, api, api-ssl and winbox are not set here
# and keep their defaults - these are what the input-chain "Allow VLAN" rule exposes
# to every non-management VLAN.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
# defconf IPv6 firewall. No IPv6 addressing or DHCPv6 client appears in this
# export, so these rules are dormant unless IPv6 is enabled elsewhere.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/Los_Angeles
# DNS failover, every 30s: while the router's upstream is the pihole, probe it
# and switch to 9.9.9.9/149.112.112.112 when resolution fails; otherwise probe
# the pihole and switch back once it answers. This only moves the router's own
# upstream (and therefore clients that resolve via the router); IoT clients that
# talk to 192.168.0.125 directly are not covered by it.
# NOTE(review): the script reads `/ip dns get server` while the set calls use
# `servers`. Confirm the abbreviated property name resolves on this version; if
# it returned empty, the first branch would never match and the else branch
# would keep re-setting the pihole as long as it answers.
/system scheduler
add interval=30s name=dns-failover-check on-event=":local currentDNS [/ip dns get server]\r\
\n:local piholeDNS \"192.168.0.125\"\r\
\n:local backupDNS \"9.9.9.9,149.112.112.112\"\r\
\n:local testDomain \"www.google.com\"\r\
\n\r\
\n:if (\$currentDNS = \$piholeDNS) do={\r\
\n :do {\r\
\n :resolve \$testDomain server=\$piholeDNS\r\
\n } on-error={\r\
\n /ip dns set servers=\$backupDNS\r\
\n }\r\
\n} else={\r\
\n :do {\r\
\n :resolve \$testDomain server=\$piholeDNS\r\
\n /ip dns set servers=\$piholeDNS\r\
\n } on-error={}\r\
\n}" policy=read,write,test start-time=startup
# MAC-level telnet/winbox limited to the LAN list, whose only member is the bridge.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN