tincboy
just joined
Topic Author
Posts: 18
Joined: Wed Mar 10, 2010 8:57 am

offload the tunneling process to hardware in CHR

Sun Apr 02, 2023 4:40 am

I utilize MikroTik CHR as my router to manage IPIP tunnels that lack encryption. However, I have observed that the CPU's single-core ranking plays a crucial role in the tunnel's bandwidth. Despite increasing the number of cores per CHR, I cannot improve the IPIP tunnel's throughput beyond 300 Mbps when using a standard CPU like E5-2698 v4. Conversely, utilizing a CPU like E-2388, I can achieve over 700 or even 900 Mbps throughput on IPIP tunnels.
Consequently, I am curious if it is feasible to request CHR to offload the taxing burden to a chip or specialized hardware part in the CPU or NIC.
Does anyone have any advice on how to do this?
 
Sanity
Member Candidate
Posts: 198
Joined: Sun Mar 06, 2011 8:51 am

Re: offload the tunneling process to hardware in CHR

Thu Apr 06, 2023 10:03 am

> when using a standard CPU like E5-2698 v4

That is not standard, that is outdated. That is a 2016 CPU. Given a 5 year replacement cycle - that should have been retired in 2021. Hence, you know, it is slow compared to a modern CPU. It is also a (for that time) high core count CPU, which means bad per core performance. If you need high per core performance, you want speed optimized cores, not something with as many cores as possible. 2016 was before the core craze started by AMD and back then that was really a lot of cores.

> Consequently, I am curious if it is feasible to request CHR to offload the taxing burden to a chip or specialized hardware part in the CPU or NIC.
> Does anyone have any advice on how to do this?

Yeah, try it. In particular because hardware offload of that requires hardware support. Support which, funny enough, is NOT THERE. It is easy to talk of "specialized hardware in the CPU" when the CPU has no specialized hardware for that. It is even funnier to talk about that on a NIC - when access to the NIC is not through NIC specific drivers but via a hypervisor. Even IF a NIC has that, it is not exposed.

So, the question is moot as there is no magic "make this in hardware" switch when the hardware is not there.

If you need / want hardware offloading, look at the new high end MikroTik products - though I fear VPN is not something to be offloaded (except IPsec). And that on few products. The CHR is generally meant to allow higher core counts and - well - running it in the cloud. Hard to put hardware to i.e. Microsoft Azure - so a CHR is VERY welcome.

So, that simply is not an option to start with given you talk about CHR. Getting a better CPU in is the only option. There are decent Ryzen based servers (including server level motherboards) out now - you want to go as modern as possible with an as high core performance as possible. Makes me wonder about the 7800X3D.... see, gaming and single core performance are (still) pretty much the same. And as I said, you can get server grade motherboards for that.
 
Larsa
Forum Guru
Posts: 1041
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: offload the tunneling process to hardware in CHR

Thu Apr 06, 2023 12:09 pm

@tincboy, the Intel Xeon E5-2698 v4 is more than capable of hundreds and the Intel Xeon E-2388G processor many tens of gigabit/s throughput and none are "outdated". Thus, don't throw any away before conducting a proper analysis to find the actual root cause of the issues.

My advice is to create a separate test instance and start thorough tests there.

One of the most common causes of poor network throughput in virtual environments at higher speeds is badly configured NICs or NICs that don't support SR-IOV and interrupt moderation. This often results in very high CPU usage where the higher throughput burdens the CPU due to unnecessary NIC interrupts. I've seen systems where interrupts consume >80-90% of the total performance due to this problem.

Another common CPU hog is encryption where the hardware offloading capabilities don't match the chosen method, but not in this case, it seems, as encryption is not utilized.
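
Added example, not part of any post in this thread: one way to check for the interrupt-bound core described above is to diff two `/proc/stat` snapshots and compute the hard plus soft interrupt share per CPU. It assumes the hypervisor host runs Linux (the thread does not say which hypervisor is used); the sample snapshots are constructed, and the 80% threshold is taken from the figure in the post.

```python
import re

# Constructed /proc/stat samples taken ten seconds apart (not real measurements).
# Fields: user nice system idle iowait irq softirq steal guest guest_nice
SAMPLE_T0 = """\
cpu  2000 0 1000 16400 0 150 450 0 0 0
cpu0 1000 0 500 8000 0 100 400 0 0 0
cpu1 1000 0 500 8400 0 50 50 0 0 0
"""
SAMPLE_T1 = """\
cpu  2030 0 1030 17350 0 205 1385 0 0 0
cpu0 1010 0 510 8010 0 150 1320 0 0 0
cpu1 1020 0 520 9340 0 55 65 0 0 0
"""

def parse_stat(text):
    """Return {cpuN: [user, nice, system, idle, iowait, irq, softirq, steal]}."""
    cpus = {}
    for line in text.splitlines():
        m = re.match(r"(cpu\d+)\s+(.*)", line)  # skips the aggregate "cpu" line
        if m:
            cpus[m.group(1)] = [int(v) for v in m.group(2).split()[:8]]
    return cpus

def irq_share(t0_text, t1_text):
    """Per CPU: (busy %, % of elapsed time spent in hard + soft interrupts)."""
    t0, t1 = parse_stat(t0_text), parse_stat(t1_text)
    result = {}
    for cpu, after in t1.items():
        if cpu not in t0:
            continue  # CPU came online between samples
        delta = [a - b for a, b in zip(after, t0[cpu])]
        total = sum(delta)
        if total <= 0:
            continue  # no ticks elapsed or counters wrapped
        idle = delta[3] + delta[4]   # idle + iowait
        irq = delta[5] + delta[6]    # irq + softirq
        result[cpu] = (round(100 * (total - idle) / total, 1),
                       round(100 * irq / total, 1))
    return result

def interrupt_bound_cpus(t0_text, t1_text, threshold=80.0):
    """CPUs whose interrupt share meets the threshold (assumed cut-off)."""
    shares = irq_share(t0_text, t1_text)
    return sorted(c for c, (_, irq) in shares.items() if irq >= threshold)

if __name__ == "__main__":
    for cpu, (busy, irq) in irq_share(SAMPLE_T0, SAMPLE_T1).items():
        print(f"{cpu}: busy {busy}%  irq+softirq {irq}%")
    print("interrupt-bound:", interrupt_bound_cpus(SAMPLE_T0, SAMPLE_T1))
```

On a live host, replace the two samples with the contents of `/proc/stat` read a few seconds apart while the tunnel is under load.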
