Tyrmida
just joined
Topic Author
Posts: 5
Joined: Fri Dec 09, 2022 2:54 pm

Throughput Performance issue on RB-3011UiAS

Mon Mar 20, 2023 11:50 pm

Good Day,

I am having some trouble obtaining expected throughput on a link and was hoping someone could point me in the right direction.

I have a RB1100AHx4 and RB3011 connected with ipsec (aes-128 cbc) over the internet.

The RB1100AHx4 is on a 1gb line and the RB3011 on a 500mb line. Internet connections both test at that speed.

However when I use the Bandwidth Test tool to test bandwidth between routers (from the RB1100AHx4) I only get 160Mbps send and 240Mbps receive.

On transmitting to the RB3011 its CPU usage shows 50% (so using 100% of one core) with the "networking" process using 40%

If I receive from the RB3011 its CPU usage shows 100% (but it is 50% used by btest).

No firewall rules whatsoever. I have tried adding fasttrack but I don't think it will make a difference here as there is no forwarding applied.

Initially I tried to build a GRE tunnel to route traffic between sites but removed that because the performance was just too slow.

If anyone can suggest something I can try, I'd appreciate it

Config as follows:

RB3011:
/interface ethernet
set [ find default-name=ether10 ] mtu=1400
/ip ipsec mode-config
add name=ike2-gre responder=no
/ip ipsec policy group
add name=ike2-gre
/ip ipsec profile
add dh-group=ecp256,modp2048,modp1024 enc-algorithm=aes-128 name=ike2-gre
/ip ipsec peer
add address=yadayadayada exchange-mode=ike2 name=p1.ez profile=ike2-gre
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-128-cbc name=ike2-gre pfs-group=none
/ip address
add address=10.10.10.15/24 interface=ether10 network=10.10.10.0
/ip dns
set servers=10.10.10.1,10.10.10.2
/ip ipsec identity
add generate-policy=port-strict mode-config=ike2-gre peer=p1.ez policy-template-group=ike2-gre
/ip ipsec policy
add dst-address=192.168.99.0/24 group=ike2-gre proposal=ike2-gre src-address=192.168.99.0/24 template=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.10.10.199 routing-table=main suppress-hw-offload=no

RB1100AHx4:
/interface ethernet
set [ find default-name=ether2 ] mtu=1400
/ip ipsec policy group
add name=ike2-gre
/ip ipsec profile
add dh-group=ecp256,modp2048,modp1024 enc-algorithm=aes-128 name=ike2
/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-128-cbc name=ike2-gre pfs-group=none
/ip pool
add name=pool1 ranges=192.168.99.2
/ip ipsec mode-config
add address-pool=pool1 name=ike2-gre split-include=192.168.99.1/32 system-dns=no
/ip address
add address=192.168.99.1/24 interface=ether2 network=192.168.99.0
/ip dhcp-client
add interface=ether1
/ip ipsec identity
add generate-policy=port-strict mode-config=ike2-gre peer=ike2 policy-template-group=ike2-gre
/ip ipsec policy
add dst-address=192.168.99.2/32 group=ike2-gre proposal=ike2-gre src-address=192.168.99.0/24 template=yes

Thank you in advance
 
spippan
Member
Posts: 333
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: Throughput Performance issue on RB-3011UiAS

Mon Mar 20, 2023 11:59 pm

please do not use the BT tool on these 2 routers if they are en-/decrypting ipsec

set up 2 clients on both ends (pc behind RB1100 and another one behind 3011) and run an iperf3 test between the 2 ENDPOINTS, not BT tool between the routers!

S: iperf3 -s
C: iperf3 -P8 -b0 -c [IP of "S"]
 
Tyrmida
just joined
Topic Author
Posts: 5
Joined: Fri Dec 09, 2022 2:54 pm

Re: Throughput Performance issue on RB-3011UiAS

Tue Mar 21, 2023 12:29 am

I will try that, thank you.

Going to have to figure out how to route the traffic between the sites without GRE first; will do that in the morning.

And then run some tests with devices on either side.

I will update with that information once I am there. Thank you for the advice.
 
spippan
Member
Posts: 333
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: Throughput Performance issue on RB-3011UiAS

Tue Mar 21, 2023 1:16 am

note, if you are using the same subnets on both sites you'll need to do NAT between the two sites
 
Tyrmida
just joined
Topic Author
Posts: 5
Joined: Fri Dec 09, 2022 2:54 pm

Re: Throughput Performance issue on RB-3011UiAS

Tue Mar 21, 2023 10:18 am

I have set it up that way.

iperf3 is testing even worse than doing btest between the units.

[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.01  sec  12.1 MBytes  10.2 Mbits/sec                  sender
[  4]   0.00-10.01  sec  12.0 MBytes  10.1 Mbits/sec                  receiver
[  6]   0.00-10.01  sec  12.0 MBytes  10.1 Mbits/sec                  sender
[  6]   0.00-10.01  sec  11.8 MBytes  9.89 Mbits/sec                  receiver
[  8]   0.00-10.01  sec  17.2 MBytes  14.5 Mbits/sec                  sender
[  8]   0.00-10.01  sec  17.0 MBytes  14.3 Mbits/sec                  receiver
[ 10]   0.00-10.01  sec  13.5 MBytes  11.3 Mbits/sec                  sender
[ 10]   0.00-10.01  sec  13.3 MBytes  11.1 Mbits/sec                  receiver
[ 12]   0.00-10.01  sec  14.5 MBytes  12.2 Mbits/sec                  sender
[ 12]   0.00-10.01  sec  14.3 MBytes  12.0 Mbits/sec                  receiver
[ 14]   0.00-10.01  sec  17.1 MBytes  14.3 Mbits/sec                  sender
[ 14]   0.00-10.01  sec  16.9 MBytes  14.2 Mbits/sec                  receiver
[ 16]   0.00-10.01  sec  13.4 MBytes  11.2 Mbits/sec                  sender
[ 16]   0.00-10.01  sec  13.1 MBytes  11.0 Mbits/sec                  receiver
[ 18]   0.00-10.01  sec  9.62 MBytes  8.07 Mbits/sec                  sender
[ 18]   0.00-10.01  sec  9.41 MBytes  7.89 Mbits/sec                  receiver
[SUM]   0.00-10.01  sec   110 MBytes  91.8 Mbits/sec                  sender
[SUM]   0.00-10.01  sec   108 MBytes  90.5 Mbits/sec                  receiver

iperf Done.

I have even disabled connection tracking without any luck.

What can I try next?
 
Tyrmida
just joined
Topic Author
Posts: 5
Joined: Fri Dec 09, 2022 2:54 pm

Re: Throughput Performance issue on RB-3011UiAS

Tue Mar 21, 2023 5:38 pm

I have now taken the internet and other routers out of the equation.

I have:

Computer => Router => IPsec <= Router <= Computer

Using iperf3 I get a maximum of 180 Mbits/sec with connection tracking disabled and 130 Mbits/sec with connection tracking enabled

I think this is happening because there is no fast-path/fast-track route and the router can't handle the traffic? But that doesn't sound quite right to me, this isn't normal is it?
 
spippan
Member
Posts: 333
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: Throughput Performance issue on RB-3011UiAS

Tue Mar 21, 2023 9:29 pm

Maybe (I am not sure right now), but maybe the encryption algorithm negotiated between the 2 routers is not hardware accelerated and has to be processed by the CPU.

please consult that table for your setup if your configuration has hw-acceleration possibilities

https://help.mikrotik.com/docs/display/ ... celeration
