adamantasaurus
Frequent Visitor
Topic Author
Posts: 53
Joined: Sat Jun 08, 2024 10:17 pm

RouterOS install on minisforum ms-01 minipc

Tue May 27, 2025 1:11 pm

Hey, I'm trying to install RouterOS on my Minisforum MS-01 mini PC. I've tried it 4 different ways and none work. When I boot into the .iso file, it tries to install but fails, giving me an error saying no cd/rom detected. When I grab the image file from the downloads page, I boot into that and attempt to install, and it tells me no installation files detected. Then I tried netinstall via ethernet: I set the Minisforum to pick up PXE ethernet boot, and the Minisforum detects my laptop that I had it connected to, but the Minisforum does not show up in the netinstall GUI. Then I tried to install with netinstall via USB: I tried to install it onto a USB and it tells me find resource: the specified image file can't be found in the image file 1814 (I am using the .npk file for netinstall).

I'm scratching my head here, I just want this thing installed and failed at every attempt???? Please someone help
 
CGGXANNX
Long time Member
Posts: 635
Joined: Thu Dec 21, 2023 6:45 pm

Re: RouterOS install on minisforum ms-01 minipc

Tue May 27, 2025 1:45 pm

It might be better if you install Proxmox on the device and install the CHR version of RouterOS inside Proxmox. Even if you were able to install RouterOS x86 on bare-metal, I don't think RouterOS supports the i226-LM network adapters.
 
sirbryan
Long time Member
Posts: 524
Joined: Fri May 29, 2020 6:40 pm
Location: Utah

Re: RouterOS install on minisforum ms-01 minipc

Tue May 27, 2025 2:53 pm

I second this. I have three in my lab, and they're all running Proxmox with CHR VM's.
 
gigabyte091
Forum Guru
Posts: 1630
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: RouterOS install on minisforum ms-01 minipc

Tue May 27, 2025 3:32 pm

I agree, I tried to install x86 and with some NICs the computer even refused to boot. CHR in Proxmox is the way to go IMHO.
 
adamantasaurus
Frequent Visitor
Topic Author
Posts: 53
Joined: Sat Jun 08, 2024 10:17 pm

Re: RouterOS install on minisforum ms-01 minipc

Tue May 27, 2025 7:03 pm

Oh ok, I'm running a lot of NAT rules and data through it. Will running it in a VM limit my CPU power noticeably?
 
holvoetn
Forum Guru
Posts: 7486
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: RouterOS install on minisforum ms-01 minipc

Tue May 27, 2025 7:07 pm

Not working versus working.
Who cares about cpu impact then ?
 
adamantasaurus
Frequent Visitor
Topic Author
Posts: 53
Joined: Sat Jun 08, 2024 10:17 pm

Re: RouterOS install on minisforum ms-01 minipc

Tue May 27, 2025 9:13 pm

Well, obviously I do, as it is a crucial part of the project I'm working on, hence why I'm getting rid of my MikroTik hardware and going for a bigger CPU. I was pushing the CPU on the CCR2116 past 80%.

Also, which image should I download if I'm going to install it on the VM?
Last edited by adamantasaurus on Tue May 27, 2025 9:15 pm, edited 1 time in total.
 
holvoetn
Forum Guru
Posts: 7486
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: RouterOS install on minisforum ms-01 minipc

Tue May 27, 2025 9:15 pm

If it's not working your impact is 100%.
Simple, no ?
 
adamantasaurus
Frequent Visitor
Topic Author
Posts: 53
Joined: Sat Jun 08, 2024 10:17 pm

Re: RouterOS install on minisforum ms-01 minipc

Tue May 27, 2025 9:18 pm

I don't get why u can't understand the necessity... But I already have a working network. I'm transferring all my rules from my router(s) to this one router, and as it is right now I'm limited on growing my network bc I'm bottlenecked at my CPU router. So yea, of course what you're saying makes sense, but my question isn't about that, it's about whether or not running in a VM will limit my CPU power, or am I better off scratching MikroTik and transferring all my rules over manually with pfSense or OPNsense.... get it????
 
holvoetn
Forum Guru
Posts: 7486
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: RouterOS install on minisforum ms-01 minipc

Tue May 27, 2025 9:22 pm

Obviously using something like proxmox has some impact.
But you can not compare it to a router running ROS natively with a totally different cpu.
Test and see what you get.
The fact some others say they use the same setup as you with good results might also indicate something.

Moving to other operating systems is not really in scope for this forum. But nobody is going to stop you...
 
adamantasaurus
Frequent Visitor
Topic Author
Posts: 53
Joined: Sat Jun 08, 2024 10:17 pm

Re: RouterOS install on minisforum ms-01 minipc

Tue May 27, 2025 9:55 pm

Not really sure how to install on a VM I just created either. Is there a certain .iso I need to download? I'm getting an error on boot.

 
gigabyte091
Forum Guru
Posts: 1630
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: RouterOS install on minisforum ms-01 minipc

Wed May 28, 2025 6:07 am

Here is the video Mikrotik provided on their official youtube channel: https://youtu.be/kPhZypQ1gMY?si=5lpECqsAULUg1Aw4

If you see that your CHR is struggling with the load you can add more cores to the VM. Are you planning to use this PC for CHR only ?
 
adamantasaurus
Frequent Visitor
Topic Author
Posts: 53
Joined: Sat Jun 08, 2024 10:17 pm

Re: RouterOS install on minisforum ms-01 minipc

Thu May 29, 2025 12:25 pm

> Here is the video Mikrotik provided on their official youtube channel: https://youtu.be/kPhZypQ1gMY?si=5lpECqsAULUg1Aw4
>
> If you see that your CHR is struggling with the load you can add more cores to the VM. Are you planning to use this PC for CHR only ?

Yes, it will be a dedicated machine for routing. I have the 60-day trial version right now and I had to shut my servers down bc with what I'm doing my internet became so slow it was unusable. It wasn't like that on my CCR2116, so I'm thinking I need to find a way to install RouterOS on bare metal. Grok told me that RouterOS was compatible with most Intel NIC cards, including the one that is in my Minisforum MS-01, unless Grok is wrong?
 
CGGXANNX
Long time Member
Posts: 635
Joined: Thu Dec 21, 2023 6:45 pm

Re: RouterOS install on minisforum ms-01 minipc

Thu May 29, 2025 3:14 pm

Are you sure you tested the P1/P10/PU trial and not the version that limits every port to 1Mbps?

I think the igc driver is not part of RouterOS x86 or CHR, so i225/i226 chips are not yet supported.
 
pkrexer
just joined
Posts: 23
Joined: Sat May 21, 2016 4:39 pm

Re: RouterOS install on minisforum ms-01 minipc

Thu May 29, 2025 5:23 pm

Try disabling UEFI in BIOS and setting "legacy" or non-UEFI mode. Make sure the BIOS is configured for USB boot.

Use rufus or etcher for creating a bootable USB, using the .img file.

I made a custom router, running routerOS on an Intel N150 with 4x intel i226-V and it works great. Not sure about the i226-LM chipset though.
 
adamantasaurus
Frequent Visitor
Topic Author
Posts: 53
Joined: Sat Jun 08, 2024 10:17 pm

Re: RouterOS install on minisforum ms-01 minipc

Thu May 29, 2025 6:05 pm

> Try disabling UEFI in BIOS and setting "legacy" or non-UEFI mode. Make sure the BIOS is configured for USB boot.
>
> Use rufus or etcher for creating a bootable USB, using the .img file.
>
> I made a custom router, running routerOS on an Intel N150 with 4x intel i226-V and it works great. Not sure about the i226-LM chipset though.

Yea, I think in the Minisforum BIOS that isn't an option. I was trying to do that but didn't see it possible, unless I'm missing something. And yea, I had a bootable USB made with rufus. I tried the .img and the .iso: the .iso gave me an error bc it was expecting a cd/rom, and the .img gave me an error saying there was no media. But I could install other OS's via USB no problem, hence the Proxmox install went fine; that was from USB.
Last edited by adamantasaurus on Thu May 29, 2025 6:11 pm, edited 1 time in total.
 
adamantasaurus
Frequent Visitor
Topic Author
Posts: 53
Joined: Sat Jun 08, 2024 10:17 pm

Re: RouterOS install on minisforum ms-01 minipc

Thu May 29, 2025 6:05 pm

> Are you sure you tested the P1/P10/PU trial and not the version that limits every port to 1Mbps?
>
> I think the igc driver is not part of RouterOS x86 or CHR, so i225/i226 chips are not yet supported.

Yes I have P1 without my servers running, I do a speed test and I get 1gb up/down (my speed from ONT is 2.5gb up/down)
 
adamantasaurus
Frequent Visitor
Topic Author
Posts: 53
Joined: Sat Jun 08, 2024 10:17 pm

Re: RouterOS install on minisforum ms-01 minipc

Thu May 29, 2025 10:10 pm

> Try disabling UEFI in BIOS and setting "legacy" or non-UEFI mode. Make sure the BIOS is configured for USB boot.
>
> Use rufus or etcher for creating a bootable USB, using the .img file.
>
> I made a custom router, running routerOS on an Intel N150 with 4x intel i226-V and it works great. Not sure about the i226-LM chipset though.

Yea, so I just checked: there's 2 chipsets, the 226v and the 226lm, as well as 2 SFP ports with X710.

But I can't disable UEFI in the Minisforum BIOS. It looks like the newer BIOSes have UEFI locked in, something to do with Win 11, idk.
 
sirbryan
Long time Member
Posts: 524
Joined: Fri May 29, 2020 6:40 pm
Location: Utah

Re: RouterOS install on minisforum ms-01 minipc

Fri May 30, 2025 4:25 am

You were maxing out a CCR2116 with only 1-2Gbps? That sounds to me like you're doing super heavy CPU-related tasks on the 2116, or your configuration is not leveraging the hardware correctly.

I have 5 2116's pushing 5-6Gbps each for just over 1000 people all day long, with them running at 38% max without L3HW offload enabled. With L3HW turned on, the busiest one is at 15%.
 
adamantasaurus
Frequent Visitor
Topic Author
Posts: 53
Joined: Sat Jun 08, 2024 10:17 pm

Re: RouterOS install on minisforum ms-01 minipc

Fri May 30, 2025 10:05 am

> You were maxing out a CCR2116 with only 1-2Gbps? That sounds to me like you're doing super heavy CPU-related tasks on the 2116, or your configuration is not leveraging the hardware correctly.
>
> I have 5 2116's pushing 5-6Gbps each for just over 1000 people all day long, with them running at 38% max without L3HW offload enabled. With L3HW turned on, the busiest one is at 15%.

Yes, I'm running nodes transferring massive amounts of data. 63k nodes, my 2116 CPU was at 40%. My servers, when fully maxed out with RAM, are capable of doing close to 500k nodes.
 
sirbryan
Long time Member
Posts: 524
Joined: Fri May 29, 2020 6:40 pm
Location: Utah

Re: RouterOS install on minisforum ms-01 minipc

Fri May 30, 2025 3:30 pm

> Yes, I'm running nodes transferring massive amounts of data. 63k nodes, my 2116 CPU was at 40%. My servers, when fully maxed out with RAM, are capable of doing close to 500k nodes.

All the ports in the 2116 are a switch that's capable of both Layer 2 and Layer 3 switching. You should be able to enable L3HW offload for all of the ports except your Internet uplink and get wire speed routing on it (which would drop the CPU utilization to next to nothing).
 
adamantasaurus
Frequent Visitor
Topic Author
Posts: 53
Joined: Sat Jun 08, 2024 10:17 pm

Re: RouterOS install on minisforum ms-01 minipc

Fri May 30, 2025 5:20 pm

> > Yes, I'm running nodes transferring massive amounts of data. 63k nodes, my 2116 CPU was at 40%. My servers, when fully maxed out with RAM, are capable of doing close to 500k nodes.
>
> All the ports in the 2116 are a switch that's capable of both Layer 2 and Layer 3 switching. You should be able to enable L3HW offload for all of the ports except your Internet uplink and get wire speed routing on it (which would drop the CPU utilization to next to nothing).

Hmmm alright thanks, I'll give it a try
 
adamantasaurus
Frequent Visitor
Topic Author
Posts: 53
Joined: Sat Jun 08, 2024 10:17 pm

Re: RouterOS install on minisforum ms-01 minipc

Fri May 30, 2025 8:36 pm

> > Yes, I'm running nodes transferring massive amounts of data. 63k nodes, my 2116 CPU was at 40%. My servers, when fully maxed out with RAM, are capable of doing close to 500k nodes.
>
> All the ports in the 2116 are a switch that's capable of both Layer 2 and Layer 3 switching. You should be able to enable L3HW offload for all of the ports except your Internet uplink and get wire speed routing on it (which would drop the CPU utilization to next to nothing).

So yea, that won't work, as I'm using a lot of NAT/firewall rules. Each node is assigned to a port and I have containers on Proxmox with a port range.
 
sirbryan
Long time Member
Posts: 524
Joined: Fri May 29, 2020 6:40 pm
Location: Utah

Re: RouterOS install on minisforum ms-01 minipc

Fri May 30, 2025 10:19 pm

> So yea, that won't work, as I'm using a lot of NAT/firewall rules. Each node is assigned to a port and I have containers on Proxmox with a port range.

You're doing a lot of NAT between nodes/ports? Could the Proxmox hosts do the NAT work and let the router handle straight switching/routing?

The L3HW offload does support hw-offloaded NAT, but I'm not sure what the best way would be to set that up. Most of MikroTik's examples are assuming a simple WAN/LAN config.
 
jaclaz
Forum Guru
Posts: 3104
Joined: Tue Oct 03, 2023 4:21 pm

Re: RouterOS install on minisforum ms-01 minipc

Sat May 31, 2025 5:13 pm

The CHR image is usually not validly partitioned for UEFI (wrong filesystem and another couple of issues).

Try with the FAT modified image from here:
viewtopic.php?t=184254
https://github.com/tikoci/fat-chr/releases
 
adamantasaurus
Frequent Visitor
Topic Author
Posts: 53
Joined: Sat Jun 08, 2024 10:17 pm

Re: RouterOS install on minisforum ms-01 minipc

Sun Jun 01, 2025 6:01 pm

> The CHR image is usually not validly partitioned for UEFI (wrong filesystem and another couple of issues).
>
> Try with the FAT modified image from here:
> viewtopic.php?t=184254
> https://github.com/tikoci/fat-chr/releases

I could get the CHR installed; it's the x86 install on bare metal that's giving me issues. It boots from USB and loads into the installer, I select the hard drive I want it installed on, and then it just tells me no installation media found. I'm not sure if there's something wrong with the .img file or my system. I also tried the RouterOS 6. version as well, same error.
 
jaclaz
Forum Guru
Posts: 3104
Joined: Tue Oct 03, 2023 4:21 pm

Re: RouterOS install on minisforum ms-01 minipc

Sun Jun 01, 2025 6:42 pm

Ooops, my bad (though there may be similar issues on the x86 version)

Netinstall is said to be able to install the x86 on a hard disk temporarily attached to another PC, maybe you can try that way.
Or you can try PXE booting your mini PC to netinstall.

Anyway the official instructions suggest using the .iso file for making a bootable USB installer, not the .img:
https://help.mikrotik.com/docs/spaces/R ... x86+on+USB
and they also say that you need CSM (please read as BIOS) disabled, so your UEFI only PC should be fine.
Judging from the dd command used, the .iso should be a dual mode .img/.iso image.
 
sirbryan
Long time Member
Posts: 524
Joined: Fri May 29, 2020 6:40 pm
Location: Utah

Re: RouterOS install on minisforum ms-01 minipc

Sun Jun 01, 2025 8:02 pm

Are you using one of the onboard M.2 slots as NVMe or mSATA? Do they show up in the BIOS?

While NVMe should "just work," I did have issues with RouterOS (ARM64) not seeing some Crucial M.2 NVMe's on my 2116, but it saw other brands just fine.

If you're adept at using a UEFI shell, you can change to the EFI boot directory on the installer and pass some Linux kernel boot arguments to enable debugging parameters that help you to see what devices it recognizes at boot up. I did that while testing boot + install issues on my Ampere ARM64 system. (Turned out RouterOS 7 doesn't like one of my ASMedia SATA controllers when it has drives connected to it, despite other boards using the same ASMedia chipset working fine on other RouterOS installations that I have.)
 
adamantasaurus
Frequent Visitor
Topic Author
Posts: 53
Joined: Sat Jun 08, 2024 10:17 pm

Re: RouterOS install on minisforum ms-01 minipc

Sun Jun 01, 2025 10:57 pm

> Are you using one of the onboard M.2 slots as NVMe or mSATA? Do they show up in the BIOS?
>
> While NVMe should "just work," I did have issues with RouterOS (ARM64) not seeing some Crucial M.2 NVMe's on my 2116, but it saw other brands just fine.
>
> If you're adept at using a UEFI shell, you can change to the EFI boot directory on the installer and pass some Linux kernel boot arguments to enable debugging parameters that help you to see what devices it recognizes at boot up. I did that while testing boot + install issues on my Ampere ARM64 system. (Turned out RouterOS 7 doesn't like one of my ASMedia SATA controllers when it has drives connected to it, despite other boards using the same ASMedia chipset working fine on other RouterOS installations that I have.)

Yea, I have 2 SSDs in there, NVMe, and they do show up in the BIOS, and they both show up when I'm in the RouterOS installation wizard. And yea, the BIOS wouldn't even let me into the UEFI shell; that was a whole rabbit hole I didn't feel like going down haha. But yea, I also tried with the netinstaller and it wouldn't detect my MS-01. I tried with the .iso and it tells me it is looking for a cd/rom and won't install, and the .img tells me there's no install media. I'm at a loss as to why it won't install lol.... Arrggh
 
sirbryan
Long time Member
Posts: 524
Joined: Fri May 29, 2020 6:40 pm
Location: Utah

Re: RouterOS install on minisforum ms-01 minipc

Sun Jun 01, 2025 11:21 pm

I'd say at this point just do Proxmox and CHR and pass the ports through to the VM. It will only recognize the X710's anyway, so to use the 2.5G ports they'll have to be bridged virtio interfaces.
 
jaclaz
Forum Guru
Posts: 3104
Joined: Tue Oct 03, 2023 4:21 pm

Re: RouterOS install on minisforum ms-01 minipc

Sun Jun 01, 2025 11:40 pm

Here:
https://mikrotik.com/software
Other x86: Netinstall will write RouterOS to any secondary drive you have attached to your Windows PC. Move the drive to your Router PC and boot it
it says that netinstall can be used on another PC to install on a hard disk that can later be moved back to the mini-pc (but cannot say if this way you can workaround the compatibility issues you experienced).
 
adamantasaurus
Frequent Visitor
Topic Author
Posts: 53
Joined: Sat Jun 08, 2024 10:17 pm

Re: RouterOS install on minisforum ms-01 minipc

Mon Jun 02, 2025 12:18 am

> I'd say at this point just do Proxmox and CHR and pass the ports through to the VM. It will only recognize the X710's anyway, so to use the 2.5G ports they'll have to be bridged virtio interfaces.

Yea, the CHR won't work. It loses too much routing power and my whole network is bogged down with my servers at 1/3 capacity. 1 CCR2116 is about 2x better than 1 CHR on the Minisforum.
 
sirbryan
Long time Member
Posts: 524
Joined: Fri May 29, 2020 6:40 pm
Location: Utah

Re: RouterOS install on minisforum ms-01 minipc

Mon Jun 02, 2025 5:35 am

Let's consider the two.

2116 is a 16-core 2GHz ARM64 processor.

MS-01 is at best an i9 13900H with 14 cores (6 performance hyper threaded, 8 efficiency cores) for a maximum of 20 threads, with frequencies maxing at 8@4.1GHz and 6@4.9GHz when all cores are firing. If you didn't get that processor, then specs are less (a couple cores less and slightly lower max turbo frequencies, depending on the processor you chose).

Whatever you gain in CPU on the MS-01 may be lost in other optimizations MikroTik has made in the kernel for the 2116's switch chip vs. an x86 deployment with X710's.

It sounds like the way you designed your lab network is CPU-bound, and it sounds like you need something more powerful than either of these processors. That, or you need to rearrange your network so that the routers don't have to do so much CPU-based work so you can take advantage of hardware-assisted routing. Or, try a Linux network distribution with DPDK on the MS-01.
 
adamantasaurus
Frequent Visitor
Topic Author
Posts: 53
Joined: Sat Jun 08, 2024 10:17 pm

Re: RouterOS install on minisforum ms-01 minipc

Mon Jun 02, 2025 2:42 pm

> Let's consider the two.
>
> 2116 is a 16-core 2GHz ARM64 processor.
>
> MS-01 is at best an i9 13900H with 14 cores (6 performance hyper threaded, 8 efficiency cores) for a maximum of 20 threads, with frequencies maxing at 8@4.1GHz and 6@4.9GHz when all cores are firing. If you didn't get that processor, then specs are less (a couple cores less and slightly lower max turbo frequencies, depending on the processor you chose).
>
> Whatever you gain in CPU on the MS-01 may be lost in other optimizations MikroTik has made in the kernel for the 2116's switch chip vs. an x86 deployment with X710's.
>
> It sounds like the way you designed your lab network is CPU-bound, and it sounds like you need something more powerful than either of these processors. That, or you need to rearrange your network so that the routers don't have to do so much CPU-based work so you can take advantage of hardware-assisted routing. Or, try a Linux network distribution with DPDK on the MS-01.

Hmmm yea, I was looking at getting rid of the MS-01, and Grok told me the most powerful processor for RouterOS is the i9-14900K. I'm going to build a PC with that processor and try running RouterOS on it. Would that potentially solve the issue? What about putting multiple CCR2116's? My ISP won't give me multiple MAC addresses at my ONT, so I can't have them separated on my network. Will their CPUs work in tandem to give me more processing power?

And what is a Linux distribution with DPDK? I was looking it up online but it's not quite clear?
 
sirbryan
Long time Member
Posts: 524
Joined: Fri May 29, 2020 6:40 pm
Location: Utah

Re: RouterOS install on minisforum ms-01 minipc

Mon Jun 02, 2025 4:13 pm

> Hmmm yea, I was looking at getting rid of the MS-01, and Grok told me the most powerful processor for RouterOS is the i9-14900K. I'm going to build a PC with that processor and try running RouterOS on it. Would that potentially solve the issue? What about putting multiple CCR2116's? My ISP won't give me multiple MAC addresses at my ONT, so I can't have them separated on my network. Will their CPUs work in tandem to give me more processing power?
>
> And what is a Linux distribution with DPDK? I was looking it up online but it's not quite clear?

It might help to see a network diagram of your setup to understand what you're trying to accomplish and see if there isn't a way to optimize it so you can take advantage of the 2116's L3HW offload. Otherwise, either a CCR1036 or CCR1072 will have more cores to handle what you want, or a Xeon-based server (or Ampere ARM64 processor; they range from 32 cores to 192). But again, with a computer-based solution, the card may become the bottleneck before the CPU is. You'd have to search some of the posts by users on this forum about how they've optimized CHR and hypervisors to get 40-100G working on big machines.

For a modern Linux-based solution, with DPDK offload, it usually involves installing something like Ubuntu, then some software that controls the cards via the Intel Data Plane Development Kit, where code is loaded into the cards that helps offload much of the work from the kernel (and CPU).

You could start with something like FRR (Free Range Routing), which is software that runs on Linux and controls the Linux networking stack from a number of daemons that have a Cisco-esque command line. It has DPDK support, although I'm not familiar enough with it to advise further (it's been 20 years since I used FRR's predecessor, Zebra).

There are a few other projects, a couple of which I've researched, but none of which I've deployed. The only commercial solution I've evaluated that leveraged DPDK was NetElastic for a CGNAT solution.
 
adamantasaurus
Frequent Visitor
Topic Author
Posts: 53
Joined: Sat Jun 08, 2024 10:17 pm

Re: RouterOS install on minisforum ms-01 minipc

Mon Jun 02, 2025 8:38 pm

> > Hmmm yea, I was looking at getting rid of the MS-01, and Grok told me the most powerful processor for RouterOS is the i9-14900K. I'm going to build a PC with that processor and try running RouterOS on it. Would that potentially solve the issue? What about putting multiple CCR2116's? My ISP won't give me multiple MAC addresses at my ONT, so I can't have them separated on my network. Will their CPUs work in tandem to give me more processing power?
> >
> > And what is a Linux distribution with DPDK? I was looking it up online but it's not quite clear?
>
> It might help to see a network diagram of your setup to understand what you're trying to accomplish and see if there isn't a way to optimize it so you can take advantage of the 2116's L3HW offload. Otherwise, either a CCR1036 or CCR1072 will have more cores to handle what you want, or a Xeon-based server (or Ampere ARM64 processor; they range from 32 cores to 192). But again, with a computer-based solution, the card may become the bottleneck before the CPU is. You'd have to search some of the posts by users on this forum about how they've optimized CHR and hypervisors to get 40-100G working on big machines.
>
> For a modern Linux-based solution, with DPDK offload, it usually involves installing something like Ubuntu, then some software that controls the cards via the Intel Data Plane Development Kit, where code is loaded into the cards that helps offload much of the work from the kernel (and CPU).
>
> You could start with something like FRR (Free Range Routing), which is software that runs on Linux and controls the Linux networking stack from a number of daemons that have a Cisco-esque command line. It has DPDK support, although I'm not familiar enough with it to advise further (it's been 20 years since I used FRR's predecessor, Zebra).
>
> There are a few other projects, a couple of which I've researched, but none of which I've deployed. The only commercial solution I've evaluated that leveraged DPDK was NetElastic for a CGNAT solution.

Ah ok, thanks. Yea, I didn't even know those 2 routers existed; they aren't on the current router product page. Those routers, I assume, will probably be exactly what I need and the easiest to implement, instead of dealing with a custom computer and the OS.
 
mada3k
Forum Veteran
Posts: 774
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: RouterOS install on minisforum ms-01 minipc

Mon Jun 02, 2025 9:11 pm

> Yes, I'm running nodes transferring massive amounts of data. 63k nodes, my 2116 CPU was at 40%. My servers, when fully maxed out with RAM, are capable of doing close to 500k nodes.

What nodes? Are you doing software simulations of botnets, or what's the deal?

The 2116 has great performance, if you use it correctly.
 
adamantasaurus
Frequent Visitor
Topic Author
Posts: 53
Joined: Sat Jun 08, 2024 10:17 pm

Re: RouterOS install on minisforum ms-01 minipc

Mon Jun 02, 2025 10:18 pm

> > Yes, I'm running nodes transferring massive amounts of data. 63k nodes, my 2116 CPU was at 40%. My servers, when fully maxed out with RAM, are capable of doing close to 500k nodes.
>
> What nodes? Are you doing software simulations of botnets, or what's the deal?
>
> The 2116 has great performance, if you use it correctly.

I'm basically acting as data storage for a network by running these nodes and getting rewards. The network has recently just launched, called Autonomi. If you've ever seen the show Silicon Valley, that show was based on this project.
 
adamantasaurus
Frequent Visitor
Topic Author
Posts: 53
Joined: Sat Jun 08, 2024 10:17 pm

Re: RouterOS install on minisforum ms-01 minipc

Mon Jun 02, 2025 10:21 pm

> > Hmmm yea, I was looking at getting rid of the MS-01, and Grok told me the most powerful processor for RouterOS is the i9-14900K. I'm going to build a PC with that processor and try running RouterOS on it. Would that potentially solve the issue? What about putting multiple CCR2116's? My ISP won't give me multiple MAC addresses at my ONT, so I can't have them separated on my network. Will their CPUs work in tandem to give me more processing power?
> >
> > And what is a Linux distribution with DPDK? I was looking it up online but it's not quite clear?
>
> It might help to see a network diagram of your setup to understand what you're trying to accomplish and see if there isn't a way to optimize it so you can take advantage of the 2116's L3HW offload. Otherwise, either a CCR1036 or CCR1072 will have more cores to handle what you want, or a Xeon-based server (or Ampere ARM64 processor; they range from 32 cores to 192). But again, with a computer-based solution, the card may become the bottleneck before the CPU is. You'd have to search some of the posts by users on this forum about how they've optimized CHR and hypervisors to get 40-100G working on big machines.
>
> For a modern Linux-based solution, with DPDK offload, it usually involves installing something like Ubuntu, then some software that controls the cards via the Intel Data Plane Development Kit, where code is loaded into the cards that helps offload much of the work from the kernel (and CPU).
>
> You could start with something like FRR (Free Range Routing), which is software that runs on Linux and controls the Linux networking stack from a number of daemons that have a Cisco-esque command line. It has DPDK support, although I'm not familiar enough with it to advise further (it's been 20 years since I used FRR's predecessor, Zebra).
>
> There are a few other projects, a couple of which I've researched, but none of which I've deployed. The only commercial solution I've evaluated that leveraged DPDK was NetElastic for a CGNAT solution.

And what kind of diagram would you want, like my topology? I just have 1 CCR2004 with all my regular use devices on it, and then a CCR2116 with my 2 servers on it running the nodes. The 2116 is also my internet gateway (idk if I'm using the correct term, but it's connected to my ONT).
 
sirbryan
Long time Member
Posts: 524
Joined: Fri May 29, 2020 6:40 pm
Location: Utah

Re: RouterOS install on minisforum ms-01 minipc

Mon Jun 02, 2025 10:44 pm

So a diagram would look like this:

INTERNET ---> WAN port of 2116 (ether1)

LAN port of 2116 ---> Node 1 (SFP+1)
LAN port of 2116 ---> Node 2 (SFP+2)

WAN : public IP address (65.34.223.129 for example)
LAN : private IP address (192.168.10.x/24 for example)

IP firewall nat -> masquerade rule for WAN interface

If that's the case, then hardware offload should just work. If you're doing anything fancier than that, then we want to understand.

You can share your configuration (remove sensitive stuff).
 
lurker888
Member
Posts: 426
Joined: Thu Mar 02, 2023 12:33 am

Re: RouterOS install on minisforum ms-01 minipc

Mon Jun 02, 2025 10:58 pm

I was looking to buy one of these boxes, and so I looked around on forums, etc. People reported getting about 6-7 Gbps from the device regardless of what they were running: pfSense/OPNsense/VyOS, virtualized or not. Make of this what you will, and I'm not even sure there actually aren't many more variants of the thing than we're aware of.

The 2116, while it actually has a much weaker CPU, has really good forwarding capabilities, and at its price point it's very hard to beat it. Make sure you make use of available resources like fasttrack and HW offload. The number of NAT connections it can offload seems awfully small, but actually Mikrotik's algorithm for offloading the busiest connections seems to work fairly well, and people have reported CPU usage decreases of 60-70% when turning it on.

Basically the 2116 can almost saturate its interfaces with fasttrack only. If you're not getting that result, then something's wrong.
 
adamantasaurus
Frequent Visitor
Topic Author
Posts: 53
Joined: Sat Jun 08, 2024 10:17 pm

Re: RouterOS install on minisforum ms-01 minipc

Mon Jun 02, 2025 11:48 pm

So a diagram would look like this:

INTERNET ---> WAN port of 2116 (ether1)

LAN port of 2116 ---> Node 1 (SFP+1)
LAN port of 2116 ---> Node 2 (SFP+2)

WAN : public IP address (65.34.223.129 for example)
LAN : private IP address (192.168.10.x/24 for example)

IP firewall nat -> masquerade rule for WAN interface

If that's the case, then hardware offload should just work. If you're doing anything fancier than that, then we want to understand.

You can share your configuration (remove sensitive stuff).

Ah ok

Internet ---> WAN port: SFP+1

Lan Port of 2116 SFP+2 -----> Ethernet Switch

Ethernet Switch ----> NodeServer1, NodeServer2, CCR2004

WAN: 32.......
LAN: 10......

On the 2116 I have 2 IP gateways 10.20.20.1 and 10.30.30.1

IP Firewall NAT:
Masquerade rule for 10.20.20.1 and 10.30.30.1

Port Forwarding Rules:

127 rules for each of my servers. They are each running 127 containers in proxmox. Container 100 port forwards with udp to a port range from 2000-2499, and that continues all the way until container 226, ending with the range 65000-65499 (I fcked up and have to rearrange the ports, but for now that last container just doesn't receive rewards for running nodes).

Same exact rules for the other server with the same port ranges and amount of containers.

Oh and I also have multiple static IP's. Server1 is behind 1 and Server2 is behind another so I can use all 130,000 ports
 
sirbryan
Long time Member
Posts: 524
Joined: Fri May 29, 2020 6:40 pm
Location: Utah

Re: RouterOS install on minisforum ms-01 minipc

Tue Jun 03, 2025 2:02 am

For L3HW offload to work best, it is recommended that all internal ports be put into a single bridge, so everything but your WAN port would go in that bridge. The internal IP's would then be assigned to the bridge interface, as would the DHCP server (if any).

The public IPs would go on the lone SFP+ WAN interface.

In your L3HW settings, you would enable L3HW offload on all ports but the WAN port. Then, once that's all set up, you turn L3HW offload on in the Switch settings. That should push all FW/NAT rules to the ASIC.

Out of curiosity, how much storage do you have assigned to each container? And it's just a 1Gbps Internet connection, correct?
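
An added example, not code from any poster in this thread: a Python audit of a RouterOS export against the two things discussed above, the port-forward plan (container 100 on UDP 2000-2499, 500 ports per container) and the advice to keep the WAN port out of the bridge and the public IPs on the WAN interface. The sample export, the bridge name `bridge1` and the documentation addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in RouterOS export format: documentation addresses and
# a hypothetical bridge name. Rule 101 is deliberately wrong.
SAMPLE_EXPORT = r"""
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus2
/ip address
add address=203.0.113.107/24 interface=bridge1 network=203.0.113.0
add address=10.20.20.1/24 interface=bridge1 network=10.20.20.0
/ip firewall nat
add action=masquerade chain=srcnat src-address=10.20.20.0/24
add action=dst-nat chain=dstnat comment=100 dst-address=203.0.113.107 \
    dst-port=2000-2499 in-interface=bridge1 protocol=udp \
    to-addresses=10.20.20.2 to-ports=2000-2499
add action=dst-nat chain=dstnat comment=101 dst-address=203.0.113.107 \
    dst-port=2400-2999 in-interface=bridge1 protocol=udp \
    to-addresses=10.20.20.3 to-ports=2500-2999
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_export(text):
    """Return [(menu, {key: value})] for every `add` line of an export."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # undo "\" line continuations
    menu, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            entries.append((menu, {k: v.strip('"') for k, v in pairs}))
    return entries


def port_range(spec):
    """'2000-2499' -> (2000, 2499); a single port 'N' -> (N, N)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def planned_range(container_id, first_id=100, first_port=2000, width=500):
    """Port block the thread's scheme gives a container: 100 -> 2000-2499."""
    lo = first_port + (container_id - first_id) * width
    return lo, lo + width - 1


def audit_port_forwards(entries):
    """Check each dst-nat rule against the plan and against earlier rules."""
    findings, seen = [], {}
    for menu, rule in entries:
        if menu != "/ip firewall nat" or rule.get("action") != "dst-nat":
            continue
        if "dst-port" not in rule:
            continue
        name = rule.get("comment", "?")
        ext = port_range(rule["dst-port"])
        if ext[0] < 1 or ext[1] > 65535 or ext[0] > ext[1]:
            findings.append(f"{name}: invalid port range {rule['dst-port']}")
        if "to-ports" in rule and port_range(rule["to-ports"]) != ext:
            findings.append(f"{name}: dst-port {rule['dst-port']} differs "
                            f"from to-ports {rule['to-ports']}")
        if name.isdigit() and planned_range(int(name)) != ext:
            lo, hi = planned_range(int(name))
            findings.append(f"{name}: off plan, expected {lo}-{hi}")
        key = (rule.get("dst-address"), rule.get("protocol"))
        for other, (lo, hi) in seen.setdefault(key, []):
            if ext[0] <= hi and lo <= ext[1]:
                # NAT rules are evaluated in order, so the earlier rule
                # takes the shared ports.
                findings.append(f"{name}: overlaps rule {other} on {key[0]}")
        seen[key].append((name, ext))
    return findings


def audit_layout(entries, wan_interface):
    """Flag a WAN port inside a bridge and public IPs off the WAN port."""
    findings = []
    for menu, item in entries:
        if (menu == "/interface bridge port"
                and item.get("interface") == wan_interface):
            findings.append(f"WAN port {wan_interface} is a member of "
                            f"bridge {item.get('bridge')}")
        if menu == "/ip address":
            try:
                ip = ipaddress.ip_interface(item["address"]).ip
            except ValueError:
                continue  # masked address (******.18.107/24): cannot classify
            if (not any(ip in net for net in RFC1918)
                    and item.get("interface") != wan_interface):
                findings.append(f"public address {ip} is on "
                                f"{item.get('interface')}, not {wan_interface}")
    return findings


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    for finding in audit_port_forwards(parsed) + audit_layout(parsed, "sfp-sfpplus1"):
        print(finding)
```

Addresses masked with asterisks, as in the export posted later in the thread, are skipped by the layout check, so it only classifies addresses it can parse.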
 
adamantasaurus
Frequent Visitor
Topic Author
Posts: 53
Joined: Sat Jun 08, 2024 10:17 pm

Re: RouterOS install on minisforum ms-01 minipc

Tue Jun 03, 2025 3:54 am

For L3HW offload to work best, it is recommended that all internal ports be put into a single bridge, so everything but your WAN port would go in that bridge. The internal IP's would then be assigned to the bridge interface, as would the DHCP server (if any).

The public IPs would go on the lone SFP+ WAN interface.

In your L3HW settings, you would enable L3HW offload on all ports but the WAN port. Then, once that's all set up, you turn L3HW offload on in the Switch settings. That should push all FW/NAT rules to the ASIC.

Out of curiosity, how much storage do you have assigned to each container? And it's just a 1Gbps Internet connection, correct?

Right now there's not much of anything on the network, so I think I have less than 100gb assigned to the whole server. I have a 24tb harddrive in each server ready and 11 more bays to fill up when the network gets loaded. I have a 2.5gbps connection, frontier will not let me get any faster if I have multiple static IP's for some reason, they have up to 7gb speed available.

And ok I'll have to look into doing that with the mikrotik, thanks a lot.
 
millenium7
Long time Member
Posts: 639
Joined: Wed Mar 16, 2016 6:12 am

Re: RouterOS install on minisforum ms-01 minipc

Tue Jun 03, 2025 9:21 pm

Seriously just run proxmox and CHR
You get massive benefits like being able to cluster more than one with failover, setting up automated backups, portability to other systems if you ever upgrade, running other services and not needing containers etc etc

I'm using a MS01 cluster in production and yes with CHR instances and it's ridiculously fast. Can easily push more than the 20gbit/s of network capacity on it. They are stinking fast machines for their size and proxmox has a very minimal impact on it
Just make sure you set the CPU type to 'host' and not the default x64-x86 emulation

There is still something to be said for real physical hardware, but I see no purpose for x86 ROS deployments. All the negatives with no real upside
 
adamantasaurus
Frequent Visitor
Topic Author
Posts: 53
Joined: Sat Jun 08, 2024 10:17 pm

Re: RouterOS install on minisforum ms-01 minipc

Wed Jun 04, 2025 2:05 am

Seriously just run proxmox and CHR
You get massive benefits like being able to cluster more than one with failover, setting up automated backups, portability to other systems if you ever upgrade, running other services and not needing containers etc etc

I'm using a MS01 cluster in production and yes with CHR instances and it's ridiculously fast. Can easily push more than the 20gbit/s of network capacity on it. They are stinking fast machines for their size and proxmox has a very minimal impact on it
Just make sure you set the CPU type to 'host' and not the default x64-x86 emulation

There is still something to be said for real physical hardware, but I see no purpose for x86 ROS deployments. All the negatives with no real upside

Yea, I tried the CHR; with less than half the load my network becomes unusable. I would do it if I could; the 1gb connection I was getting went down to .1gbps lol, it was completely unusable, so I think CHR is just not a possibility. What I'm doing on my network is unique and not a standard situation.
 
millenium7
Long time Member
Posts: 639
Joined: Wed Mar 16, 2016 6:12 am

Re: RouterOS install on minisforum ms-01 minipc

Wed Jun 04, 2025 3:31 am

There is nothing unique about your situation that would be solved by x86 or even ANY of mikrotik's physical boxes vs running CHR. It is not a hardware or speed limitation. So if you are having performance issues you must have something misconfigured on the proxmox side of things or it's something obvious like you didn't use an Unlimited CHR licence
Like I said I can fully saturate the 2x 10gbit NIC's whilst bonded with the exact same hardware. The hardware is fully compatible with proxmox and CHR is fully capable running as a VM inside of it

I actually run the CHR instances alongside quite a lot of other server processes, many of them are very power hungry
To give you a relative performance difference (I know this isn't actual routing but anything you are doing that is 'heavy' is going to be CPU limited anyway) - a CCR1036 doing a TCP bandwidth test to 127.0.0.1 hits ~19gbit/s (1 way) at 100% cpu load on all cores.
A CHR instance with just 2 cores assigned to it on a MS-01 is ~90gbit/s at 100% CPU load
 
adamantasaurus
Frequent Visitor
Topic Author
Posts: 53
Joined: Sat Jun 08, 2024 10:17 pm

Re: RouterOS install on minisforum ms-01 minipc

Wed Jun 04, 2025 4:01 am

There is nothing unique about your situation that would be solved by x86 or even ANY of mikrotik's physical boxes vs running CHR. It is not a hardware or speed limitation. So if you are having performance issues you must have something misconfigured on the proxmox side of things or it's something obvious like you didn't use an Unlimited CHR licence
Like I said I can fully saturate the 2x 10gbit NIC's whilst bonded with the exact same hardware. The hardware is fully compatible with proxmox and CHR is fully capable running as a VM inside of it

I actually run the CHR instances alongside quite a lot of other server processes, many of them are very power hungry
To give you a relative performance difference (I know this isn't actual routing but anything you are doing that is 'heavy' is going to be CPU limited anyway) - a CCR1036 doing a TCP bandwidth test to 127.0.0.1 hits ~19gbit/s (1 way) at 100% cpu load on all cores.
A CHR instance with just 2 cores assigned to it on a MS-01 is ~90gbit/s at 100% CPU load

Yea I had the P1 lic. attached to the CHR so hmm what could it be on the proxmox side of things that could be screwing with it then?
 
millenium7
Long time Member
Posts: 639
Joined: Wed Mar 16, 2016 6:12 am

Re: RouterOS install on minisforum ms-01 minipc

Wed Jun 04, 2025 4:15 am

CPU type is the most likely problem
By default proxmox creates VMs with an emulation architecture so it adds a layer between the CPU and VM. It's the safe bet when you have mixed architecture in a cluster i.e. 11th gen and 13th gen processors. It ensures they can migrate and nothing will break

Set it to 'host only' and it exposes the CPU directly to the VM. Much faster and totally fine if you have the same hardware. But it would break live migration if CPU architecture was different
 
adamantasaurus
Frequent Visitor
Topic Author
Posts: 53
Joined: Sat Jun 08, 2024 10:17 pm

Re: RouterOS install on minisforum ms-01 minipc

Wed Jun 04, 2025 7:38 pm

CPU type is the most likely problem
By default proxmox creates VMs with an emulation architecture so it adds a layer between the CPU and VM. It's the safe bet when you have mixed architecture in a cluster i.e. 11th gen and 13th gen processors. It ensures they can migrate and nothing will break

Set it to 'host only' and it exposes the CPU directly to the VM. Much faster and totally fine if you have the same hardware. But it would break live migration if CPU architecture was different

Yea I had it set to host and the CPU is an i9-13900k so idk what else could be the issue? My cpu was at max 35% in the CHR with an unusable internet, in my ccr2116 the cpu is at max 51% with usable internet (although when nodes are starting the connection is a bit spotty)
 
sirbryan
Long time Member
Posts: 524
Joined: Fri May 29, 2020 6:40 pm
Location: Utah

Re: RouterOS install on minisforum ms-01 minipc

Thu Jun 05, 2025 4:20 pm

Yea I had it set to host and the CPU is an i9-13900k so idk what else could be the issue? My cpu was at max 35% in the CHR with an unusable internet, in my ccr2116 the cpu is at max 51% with usable internet (although when nodes are starting the connection is a bit spotty)

51%? What does a profile look like? (Tools -> Profile, total of all CPUs)

At this point export your config and post it.
 
adamantasaurus
Frequent Visitor
Topic Author
Posts: 53
Joined: Sat Jun 08, 2024 10:17 pm

Re: RouterOS install on minisforum ms-01 minipc

Fri Jun 06, 2025 5:40 am

Yea I had it set to host and the CPU is an i9-13900k so idk what else could be the issue? My cpu was at max 35% in the CHR with an unusable internet, in my ccr2116 the cpu is at max 51% with usable internet (although when nodes are starting the connection is a bit spotty)
51%? What does a profile look like? (Tools -> Profile, total of all CPUs)

At this point export your config and post it.

Image

Here's my config: I'm currently only running the server with the 10.20.20 IPs
# 2025-06-05 22:29:50 by RouterOS 7.14
# software id = K474-69PJ
#
# model = CCR2116-12G-4S+
# serial number = <removed>
/interface bridge
add arp=local-proxy-arp name=bridge1-localproxy
/interface ethernet
set [ find default-name=ether1 ] name=ether3
set [ find default-name=ether2 ] name=ether4
set [ find default-name=ether3 ] name=ether5
set [ find default-name=ether4 ] name=ether6
set [ find default-name=ether5 ] name=ether7
set [ find default-name=ether6 ] name=ether8
set [ find default-name=ether7 ] name=ether9
set [ find default-name=ether8 ] name=ether10
set [ find default-name=ether9 ] name=ether11
set [ find default-name=ether10 ] name=ether12
set [ find default-name=ether11 ] name=ether14
set [ find default-name=ether12 ] name=ether15
/interface wireguard
add listen-port=1500 mtu=1420 name=wireguard1
/ip ipsec profile
set [ find default=yes ] dpd-interval=8s dpd-maximum-failures=4
/ip pool
add name=dhcp_pool0 ranges=10.30.30.2-10.30.30.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1-localproxy lease-time=5m name=\
    dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1-localproxy horizon=1 interface=sfp-sfpplus1
add bridge=bridge1-localproxy horizon=1 interface=sfp-sfpplus2
/ipv6 settings
set disable-ipv6=yes
/interface wireguard peers
add allowed-address=******2.2/32 interface=wireguard1 persistent-keepalive=\
    30s public-key="cfMEGk2eEkrOlU0RXfO3V5g4kKgzUdfkfVHrYx9DqS4="
/ip address
add address=******.18.107/24 interface=bridge1-localproxy network=******.18.0
add address=******.18.208/24 interface=bridge1-localproxy network=******.18.0
add address=******2.1/24 interface=wireguard1 network=******2.0
add address=10.30.30.1/23 interface=bridge1-localproxy network=10.30.30.0
add address=10.20.20.1/24 interface=bridge1-localproxy network=10.20.20.0
add address=******.18.215/24 interface=bridge1-localproxy network=******.18.0
/ip dhcp-server network
add address=10.30.30.0/23 gateway=10.30.30.1
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip firewall nat
add action=masquerade chain=srcnat src-address=10.30.30.0/23
add action=masquerade chain=srcnat src-address=10.20.20.0/24
add action=dst-nat chain=dstnat comment=100 dst-address=******.18.107 \
    dst-port=2000-2499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.2 to-ports=2000-2499
add action=dst-nat chain=dstnat comment=101 dst-address=******.18.107 \
    dst-port=2500-2999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.3 to-ports=2500-2999
add action=dst-nat chain=dstnat comment=102 dst-address=******.18.107 \
    dst-port=3000-3499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.4 to-ports=3000-3499
add action=dst-nat chain=dstnat comment=103 dst-address=******.18.107 \
    dst-port=3500-3999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.5 to-ports=3500-3999
add action=dst-nat chain=dstnat comment=104 dst-address=******.18.107 \
    dst-port=4000-4499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.6 to-ports=4000-4499
add action=dst-nat chain=dstnat comment=105 dst-address=******.18.107 \
    dst-port=4500-4999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.7 to-ports=4500-4999
add action=dst-nat chain=dstnat comment=106 dst-address=******.18.107 \
    dst-port=5000-5499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.8 to-ports=5000-5499
add action=dst-nat chain=dstnat comment=107 dst-address=******.18.107 \
    dst-port=5500-5999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.9 to-ports=5500-5999
add action=dst-nat chain=dstnat comment=108 dst-address=******.18.107 \
    dst-port=6000-6499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.10 to-ports=6000-6499
add action=dst-nat chain=dstnat comment=109 dst-address=******.18.107 \
    dst-port=6500-6999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.11 to-ports=6500-6999
add action=dst-nat chain=dstnat comment=110 dst-address=******.18.107 \
    dst-port=7000-7499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.12 to-ports=7000-7499
add action=dst-nat chain=dstnat comment=111 dst-address=******.18.107 \
    dst-port=7500-7999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.13 to-ports=7500-7999
add action=dst-nat chain=dstnat comment=112 dst-address=******.18.107 \
    dst-port=8000-8499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.14 to-ports=8000-8499
add action=dst-nat chain=dstnat comment=113 dst-address=******.18.107 \
    dst-port=8500-8999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.15 to-ports=8500-8999
add action=dst-nat chain=dstnat comment=114 dst-address=******.18.107 \
    dst-port=9000-9499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.16 to-ports=9000-9499
add action=dst-nat chain=dstnat comment=115 dst-address=******.18.107 \
    dst-port=9500-9999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.17 to-ports=9500-9999
add action=dst-nat chain=dstnat comment=116 dst-address=******.18.107 \
    dst-port=10000-10499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.18 to-ports=10000-10499
add action=dst-nat chain=dstnat comment=117 dst-address=******.18.107 \
    dst-port=10500-10999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.19 to-ports=10500-10999
add action=dst-nat chain=dstnat comment=118 dst-address=******.18.107 \
    dst-port=11000-11499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.20 to-ports=11000-11499
add action=dst-nat chain=dstnat comment=119 dst-address=******.18.107 \
    dst-port=11500-11999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.21 to-ports=11500-11999
add action=dst-nat chain=dstnat comment=120 dst-address=******.18.107 \
    dst-port=12000-12499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.22 to-ports=12000-12499
add action=dst-nat chain=dstnat comment=121 dst-address=******.18.107 \
    dst-port=12500-12999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.23 to-ports=12500-12999
add action=dst-nat chain=dstnat comment=122 dst-address=******.18.107 \
    dst-port=13000-13499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.24 to-ports=13000-13499
add action=dst-nat chain=dstnat comment=123 dst-address=******.18.107 \
    dst-port=13500-13999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.25 to-ports=13500-13999
add action=dst-nat chain=dstnat comment=124 dst-address=******.18.107 \
    dst-port=14000-14499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.26 to-ports=14000-14499
add action=dst-nat chain=dstnat comment=125 dst-address=******.18.107 \
    dst-port=14500-14999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.27 to-ports=14500-14999
add action=dst-nat chain=dstnat comment=126 dst-address=******.18.107 \
    dst-port=15000-15499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.28 to-ports=15000-15499
add action=dst-nat chain=dstnat comment=127 dst-address=******.18.107 \
    dst-port=15500-15999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.29 to-ports=15500-15999
add action=dst-nat chain=dstnat comment=128 dst-address=******.18.107 \
    dst-port=16000-16499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.30 to-ports=16000-16499
add action=dst-nat chain=dstnat comment=129 dst-address=******.18.107 \
    dst-port=16500-16999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.31 to-ports=16500-16999
add action=dst-nat chain=dstnat comment=130 dst-address=******.18.107 \
    dst-port=17000-17499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.32 to-ports=17000-17499
add action=dst-nat chain=dstnat comment=131 dst-address=******.18.107 \
    dst-port=17500-17999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.33 to-ports=17500-17999
add action=dst-nat chain=dstnat comment=132 dst-address=******.18.107 \
    dst-port=18000-18499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.34 to-ports=18000-18499
add action=dst-nat chain=dstnat comment=133 dst-address=******.18.107 \
    dst-port=18500-18999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.35 to-ports=18500-18999
add action=dst-nat chain=dstnat comment=134 dst-address=******.18.107 \
    dst-port=19000-19499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.36 to-ports=19000-19499
add action=dst-nat chain=dstnat comment=135 dst-address=******.18.107 \
    dst-port=19500-19999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.37 to-ports=19500-19999
add action=dst-nat chain=dstnat comment=136 dst-address=******.18.107 \
    dst-port=20000-20499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.38 to-ports=20000-20499
add action=dst-nat chain=dstnat comment=137 dst-address=******.18.107 \
    dst-port=20500-20999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.39 to-ports=20500-20999
add action=dst-nat chain=dstnat comment=138 dst-address=******.18.107 \
    dst-port=21000-21499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.40 to-ports=21000-21499
add action=dst-nat chain=dstnat comment=139 dst-address=******.18.107 \
    dst-port=21500-21999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.41 to-ports=21500-21999
add action=dst-nat chain=dstnat comment=140 dst-address=******.18.107 \
    dst-port=22000-22499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.42 to-ports=22000-22499
add action=dst-nat chain=dstnat comment=141 dst-address=******.18.107 \
    dst-port=22500-22999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.43 to-ports=22500-22999
add action=dst-nat chain=dstnat comment=142 dst-address=******.18.107 \
    dst-port=23000-23499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.44 to-ports=23000-23499
add action=dst-nat chain=dstnat comment=143 dst-address=******.18.107 \
    dst-port=23500-23999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.45 to-ports=23500-23999
add action=dst-nat chain=dstnat comment=144 dst-address=******.18.107 \
    dst-port=24000-24499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.46 to-ports=24000-24499
add action=dst-nat chain=dstnat comment=145 dst-address=******.18.107 \
    dst-port=24500-24999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.47 to-ports=24500-24999
add action=dst-nat chain=dstnat comment=146 dst-address=******.18.107 \
    dst-port=25000-25499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.48 to-ports=25000-25499
add action=dst-nat chain=dstnat comment=147 dst-address=******.18.107 \
    dst-port=25500-25999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.49 to-ports=25500-25999
add action=dst-nat chain=dstnat comment=148 dst-address=******.18.107 \
    dst-port=26000-26499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.50 to-ports=26000-26499
add action=dst-nat chain=dstnat comment=149 dst-address=******.18.107 \
    dst-port=26500-26999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.51 to-ports=26500-26999
add action=dst-nat chain=dstnat comment=150 dst-address=******.18.107 \
    dst-port=27000-27499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.52 to-ports=27000-27499
add action=dst-nat chain=dstnat comment=151 dst-address=******.18.107 \
    dst-port=27500-27999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.53 to-ports=27500-27999
add action=dst-nat chain=dstnat comment=152 dst-address=******.18.107 \
    dst-port=28000-28499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.54 to-ports=28000-28499
add action=dst-nat chain=dstnat comment=153 dst-address=******.18.107 \
    dst-port=28500-28999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.55 to-ports=28500-28999
add action=dst-nat chain=dstnat comment=154 dst-address=******.18.107 \
    dst-port=29000-29499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.56 to-ports=29000-29499
add action=dst-nat chain=dstnat comment=155 dst-address=******.18.107 \
    dst-port=29500-29999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.57 to-ports=29500-29999
add action=dst-nat chain=dstnat comment=156 dst-address=******.18.107 \
    dst-port=30000-30499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.58 to-ports=30000-30499
add action=dst-nat chain=dstnat comment=157 dst-address=******.18.107 \
    dst-port=30500-30999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.59 to-ports=30500-30999
add action=dst-nat chain=dstnat comment=158 dst-address=******.18.107 \
    dst-port=31000-31499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.60 to-ports=31000-31499
add action=dst-nat chain=dstnat comment=159 dst-address=******.18.107 \
    dst-port=31500-31999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.61 to-ports=31500-31999
add action=dst-nat chain=dstnat comment=160 dst-address=******.18.107 \
    dst-port=32000-32499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.62 to-ports=32000-32499
add action=dst-nat chain=dstnat comment=161 dst-address=******.18.107 \
    dst-port=32500-32999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.63 to-ports=32500-32999
add action=dst-nat chain=dstnat comment=162 dst-address=******.18.107 \
    dst-port=33000-33499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.64 to-ports=33000-33499
add action=dst-nat chain=dstnat comment=163 dst-address=******.18.107 \
    dst-port=33500-33999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.65 to-ports=33500-33999
add action=dst-nat chain=dstnat comment=164 dst-address=******.18.107 \
    dst-port=34000-34499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.66 to-ports=34000-34499
add action=dst-nat chain=dstnat comment=165 dst-address=******.18.107 \
    dst-port=34500-34999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.67 to-ports=34500-34999
add action=dst-nat chain=dstnat comment=166 dst-address=******.18.107 \
    dst-port=35000-35499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.68 to-ports=35000-35499
add action=dst-nat chain=dstnat comment=167 dst-address=******.18.107 \
    dst-port=35500-35999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.69 to-ports=35500-35999
add action=dst-nat chain=dstnat comment=168 dst-address=******.18.107 \
    dst-port=36000-36499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.70 to-ports=36000-36499
add action=dst-nat chain=dstnat comment=169 dst-address=******.18.107 \
    dst-port=36500-36999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.71 to-ports=36500-36999
add action=dst-nat chain=dstnat comment=170 dst-address=******.18.107 \
    dst-port=37000-37499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.72 to-ports=37000-37499
add action=dst-nat chain=dstnat comment=171 dst-address=******.18.107 \
    dst-port=37500-37999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.73 to-ports=37500-37999
add action=dst-nat chain=dstnat comment=172 dst-address=******.18.107 \
    dst-port=38000-38499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.74 to-ports=38000-38499
add action=dst-nat chain=dstnat comment=173 dst-address=******.18.107 \
    dst-port=38500-38999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.75 to-ports=38500-38999
add action=dst-nat chain=dstnat comment=174 dst-address=******.18.107 \
    dst-port=39000-39499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.76 to-ports=39000-39499
add action=dst-nat chain=dstnat comment=175 dst-address=******.18.107 \
    dst-port=39500-39999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.77 to-ports=39500-39999
add action=dst-nat chain=dstnat comment=176 dst-address=******.18.107 \
    dst-port=40000-40499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.78 to-ports=40000-40499
add action=dst-nat chain=dstnat comment=177 dst-address=******.18.107 \
    dst-port=40500-40999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.79 to-ports=40500-40999
add action=dst-nat chain=dstnat comment=178 dst-address=******.18.107 \
    dst-port=41000-41499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.80 to-ports=41000-41499
add action=dst-nat chain=dstnat comment=179 dst-address=******.18.107 \
    dst-port=41500-41999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.81 to-ports=41500-41999
add action=dst-nat chain=dstnat comment=180 dst-address=******.18.107 \
    dst-port=42000-42499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.82 to-ports=42000-42499
add action=dst-nat chain=dstnat comment=181 dst-address=******.18.107 \
    dst-port=42500-42999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.83 to-ports=42500-42999
add action=dst-nat chain=dstnat comment=182 dst-address=******.18.107 \
    dst-port=43000-43499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.84 to-ports=43000-43499
add action=dst-nat chain=dstnat comment=183 dst-address=******.18.107 \
    dst-port=43500-43999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.85 to-ports=43500-43999
add action=dst-nat chain=dstnat comment=184 dst-address=******.18.107 \
    dst-port=44000-44499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.86 to-ports=44000-44499
add action=dst-nat chain=dstnat comment=185 dst-address=******.18.107 \
    dst-port=44500-44999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.87 to-ports=44500-44999
add action=dst-nat chain=dstnat comment=186 dst-address=******.18.107 \
    dst-port=45000-45499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.88 to-ports=45000-45499
add action=dst-nat chain=dstnat comment=187 dst-address=******.18.107 \
    dst-port=45500-45999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.89 to-ports=45500-45999
add action=dst-nat chain=dstnat comment=188 dst-address=******.18.107 \
    dst-port=46000-46499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.90 to-ports=46000-46499
add action=dst-nat chain=dstnat comment=189 dst-address=******.18.107 \
    dst-port=46500-46999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.91 to-ports=46500-46999
add action=dst-nat chain=dstnat comment=190 dst-address=******.18.107 \
    dst-port=47000-47499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.92 to-ports=47000-47499
add action=dst-nat chain=dstnat comment=191 dst-address=******.18.107 \
    dst-port=47500-47999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.93 to-ports=47500-47999
add action=dst-nat chain=dstnat comment=192 dst-address=******.18.107 \
    dst-port=48000-48499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.94 to-ports=48000-48499
add action=dst-nat chain=dstnat comment=193 dst-address=******.18.107 \
    dst-port=48500-48999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.95 to-ports=48500-48999
add action=dst-nat chain=dstnat comment=194 dst-address=******.18.107 \
    dst-port=49000-49499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.96 to-ports=49000-49499
add action=dst-nat chain=dstnat comment=195 dst-address=******.18.107 \
    dst-port=49500-49999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.97 to-ports=49500-49999
add action=dst-nat chain=dstnat comment=196 dst-address=******.18.107 \
    dst-port=50000-50499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.98 to-ports=50000-50499
add action=dst-nat chain=dstnat comment=197 dst-address=******.18.107 \
    dst-port=50500-50999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.99 to-ports=50500-50999
add action=dst-nat chain=dstnat comment=198 dst-address=******.18.107 \
    dst-port=51000-51499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.100 to-ports=51000-51499
add action=dst-nat chain=dstnat comment=199 dst-address=******.18.107 \
    dst-port=51500-51999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.101 to-ports=51500-51999
add action=dst-nat chain=dstnat comment=200 dst-address=******.18.107 \
    dst-port=52000-52499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.102 to-ports=52000-52499
add action=dst-nat chain=dstnat comment=201 dst-address=******.18.107 \
    dst-port=52500-52999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.103 to-ports=52500-52999
add action=dst-nat chain=dstnat comment=202 dst-address=******.18.107 \
    dst-port=53000-53499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.104 to-ports=53000-53499
add action=dst-nat chain=dstnat comment=203 dst-address=******.18.107 \
    dst-port=53500-53999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.105 to-ports=53500-53999
add action=dst-nat chain=dstnat comment=204 dst-address=******.18.107 \
    dst-port=54000-54499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.106 to-ports=54000-54499
add action=dst-nat chain=dstnat comment=205 dst-address=******.18.107 \
    dst-port=54500-54999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.107 to-ports=54500-54999
add action=dst-nat chain=dstnat comment=206 dst-address=******.18.107 \
    dst-port=55000-55499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.108 to-ports=55000-55499
add action=dst-nat chain=dstnat comment=207 dst-address=******.18.107 \
    dst-port=55500-55999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.109 to-ports=55500-55999
add action=dst-nat chain=dstnat comment=208 dst-address=******.18.107 \
    dst-port=56000-56499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.110 to-ports=56000-56499
add action=dst-nat chain=dstnat comment=209 dst-address=******.18.107 \
    dst-port=56500-56999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.111 to-ports=56500-56999
add action=dst-nat chain=dstnat comment=210 dst-address=******.18.107 \
    dst-port=57000-57499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.112 to-ports=57000-57499
add action=dst-nat chain=dstnat comment=211 dst-address=******.18.107 \
    dst-port=57500-57999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.113 to-ports=57500-57999
add action=dst-nat chain=dstnat comment=212 dst-address=******.18.107 \
    dst-port=58000-58499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.114 to-ports=58000-58499
add action=dst-nat chain=dstnat comment=213 dst-address=******.18.107 \
    dst-port=58500-58999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.115 to-ports=58500-58999
add action=dst-nat chain=dstnat comment=214 dst-address=******.18.107 \
    dst-port=59000-59499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.116 to-ports=59000-59499
add action=dst-nat chain=dstnat comment=215 dst-address=******.18.107 \
    dst-port=59500-59999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.117 to-ports=59500-59999
add action=dst-nat chain=dstnat comment=216 dst-address=******.18.107 \
    dst-port=60000-60499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.118 to-ports=60000-60499
add action=dst-nat chain=dstnat comment=217 dst-address=******.18.107 \
    dst-port=60500-60999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.119 to-ports=60500-60999
add action=dst-nat chain=dstnat comment=218 dst-address=******.18.107 \
    dst-port=61000-61499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.120 to-ports=61000-61499
add action=dst-nat chain=dstnat comment=219 dst-address=******.18.107 \
    dst-port=61500-61999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.121 to-ports=61500-61999
add action=dst-nat chain=dstnat comment=220 dst-address=******.18.107 \
    dst-port=62000-62499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.122 to-ports=62000-62499
add action=dst-nat chain=dstnat comment=221 dst-address=******.18.107 \
    dst-port=62500-62999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.123 to-ports=62500-62999
add action=dst-nat chain=dstnat comment=222 dst-address=******.18.107 \
    dst-port=63000-63499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.124 to-ports=63000-63499
add action=dst-nat chain=dstnat comment=223 dst-address=******.18.107 \
    dst-port=63500-63999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.125 to-ports=63500-63999
add action=dst-nat chain=dstnat comment=224 dst-address=******.18.107 \
    dst-port=64000-64499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.126 to-ports=64000-64499
add action=dst-nat chain=dstnat comment=225 dst-address=******.18.107 \
    dst-port=64500-64999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.127 to-ports=64500-64999
add action=dst-nat chain=dstnat comment=226 dst-address=******.18.107 \
    dst-port=65000-65499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.128 to-ports=65000-65499
add action=dst-nat chain=dstnat comment=100 dst-address=******.18.215 \
    dst-port=2000-2499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.2 to-ports=2000-2499
add action=dst-nat chain=dstnat comment=101 dst-address=******.18.215 \
    dst-port=2500-2999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.3 to-ports=2500-2999
add action=dst-nat chain=dstnat comment=102 dst-address=******.18.215 \
    dst-port=3000-3499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.4 to-ports=3000-3499
add action=dst-nat chain=dstnat comment=103 dst-address=******.18.215 \
    dst-port=3500-3999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.5 to-ports=3500-3999
add action=dst-nat chain=dstnat comment=104 dst-address=******.18.215 \
    dst-port=4000-4499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.6 to-ports=4000-4499
add action=dst-nat chain=dstnat comment=105 dst-address=******.18.215 \
    dst-port=4500-4999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.7 to-ports=4500-4999
add action=dst-nat chain=dstnat comment=106 dst-address=******.18.215 \
    dst-port=5000-5499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.8 to-ports=5000-5499
add action=dst-nat chain=dstnat comment=107 dst-address=******.18.215 \
    dst-port=5500-5999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.9 to-ports=5500-5999
add action=dst-nat chain=dstnat comment=108 dst-address=******.18.215 \
    dst-port=6000-6499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.10 to-ports=6000-6499
add action=dst-nat chain=dstnat comment=109 dst-address=******.18.215 \
    dst-port=6500-6999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.11 to-ports=6500-6999
add action=dst-nat chain=dstnat comment=110 dst-address=******.18.215 \
    dst-port=7000-7499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.12 to-ports=7000-7499
add action=dst-nat chain=dstnat comment=111 dst-address=******.18.215 \
    dst-port=7500-7999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.13 to-ports=7500-7999
add action=dst-nat chain=dstnat comment=112 dst-address=******.18.215 \
    dst-port=8000-8499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.14 to-ports=8000-8499
add action=dst-nat chain=dstnat comment=113 dst-address=******.18.215 \
    dst-port=8500-8999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.15 to-ports=8500-8999
add action=dst-nat chain=dstnat comment=114 dst-address=******.18.215 \
    dst-port=9000-9499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.16 to-ports=9000-9499
add action=dst-nat chain=dstnat comment=115 dst-address=******.18.215 \
    dst-port=9500-9999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.17 to-ports=9500-9999
add action=dst-nat chain=dstnat comment=116 dst-address=******.18.215 \
    dst-port=10000-10499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.18 to-ports=10000-10499
add action=dst-nat chain=dstnat comment=117 dst-address=******.18.215 \
    dst-port=10500-10999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.19 to-ports=10500-10999
add action=dst-nat chain=dstnat comment=118 dst-address=******.18.215 \
    dst-port=11000-11499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.20 to-ports=11000-11499
add action=dst-nat chain=dstnat comment=119 dst-address=******.18.215 \
    dst-port=11500-11999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.21 to-ports=11500-11999
add action=dst-nat chain=dstnat comment=120 dst-address=******.18.215 \
    dst-port=12000-12499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.22 to-ports=12000-12499
add action=dst-nat chain=dstnat comment=121 dst-address=******.18.215 \
    dst-port=12500-12999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.23 to-ports=12500-12999
add action=dst-nat chain=dstnat comment=122 dst-address=******.18.215 \
    dst-port=13000-13499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.24 to-ports=13000-13499
add action=dst-nat chain=dstnat comment=123 dst-address=******.18.215 \
    dst-port=13500-13999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.25 to-ports=13500-13999
add action=dst-nat chain=dstnat comment=124 dst-address=******.18.215 \
    dst-port=14000-14499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.26 to-ports=14000-14499
add action=dst-nat chain=dstnat comment=125 dst-address=******.18.215 \
    dst-port=14500-14999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.27 to-ports=14500-14999
add action=dst-nat chain=dstnat comment=126 dst-address=******.18.215 \
    dst-port=15000-15499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.28 to-ports=15000-15499
add action=dst-nat chain=dstnat comment=127 dst-address=******.18.215 \
    dst-port=15500-15999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.29 to-ports=15500-15999
add action=dst-nat chain=dstnat comment=128 dst-address=******.18.215 \
    dst-port=16000-16499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.30 to-ports=16000-16499
add action=dst-nat chain=dstnat comment=129 dst-address=******.18.215 \
    dst-port=16500-16999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.31 to-ports=16500-16999
add action=dst-nat chain=dstnat comment=130 dst-address=******.18.215 \
    dst-port=17000-17499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.32 to-ports=17000-17499
add action=dst-nat chain=dstnat comment=131 dst-address=******.18.215 \
    dst-port=17500-17999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.33 to-ports=17500-17999
add action=dst-nat chain=dstnat comment=132 dst-address=******.18.215 \
    dst-port=18000-18499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.34 to-ports=18000-18499
add action=dst-nat chain=dstnat comment=133 dst-address=******.18.215 \
    dst-port=18500-18999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.35 to-ports=18500-18999
add action=dst-nat chain=dstnat comment=134 dst-address=******.18.215 \
    dst-port=19000-19499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.36 to-ports=19000-19499
add action=dst-nat chain=dstnat comment=135 dst-address=******.18.215 \
    dst-port=19500-19999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.37 to-ports=19500-19999
add action=dst-nat chain=dstnat comment=136 dst-address=******.18.215 \
    dst-port=20000-20499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.38 to-ports=20000-20499
add action=dst-nat chain=dstnat comment=137 dst-address=******.18.215 \
    dst-port=20500-20999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.39 to-ports=20500-20999
add action=dst-nat chain=dstnat comment=138 dst-address=******.18.215 \
    dst-port=21000-21499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.40 to-ports=21000-21499
add action=dst-nat chain=dstnat comment=139 dst-address=******.18.215 \
    dst-port=21500-21999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.41 to-ports=21500-21999
add action=dst-nat chain=dstnat comment=140 dst-address=******.18.215 \
    dst-port=22000-22499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.42 to-ports=22000-22499
add action=dst-nat chain=dstnat comment=141 dst-address=******.18.215 \
    dst-port=22500-22999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.43 to-ports=22500-22999
add action=dst-nat chain=dstnat comment=142 dst-address=******.18.215 \
    dst-port=23000-23499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.44 to-ports=23000-23499
add action=dst-nat chain=dstnat comment=143 dst-address=******.18.215 \
    dst-port=23500-23999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.45 to-ports=23500-23999
add action=dst-nat chain=dstnat comment=144 dst-address=******.18.215 \
    dst-port=24000-24499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.46 to-ports=24000-24499
add action=dst-nat chain=dstnat comment=145 dst-address=******.18.215 \
    dst-port=24500-24999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.47 to-ports=24500-24999
add action=dst-nat chain=dstnat comment=146 dst-address=******.18.215 \
    dst-port=25000-25499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.48 to-ports=25000-25499
add action=dst-nat chain=dstnat comment=147 dst-address=******.18.215 \
    dst-port=25500-25999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.49 to-ports=25500-25999
add action=dst-nat chain=dstnat comment=148 dst-address=******.18.215 \
    dst-port=26000-26499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.50 to-ports=26000-26499
add action=dst-nat chain=dstnat comment=149 dst-address=******.18.215 \
    dst-port=26500-26999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.51 to-ports=26500-26999
add action=dst-nat chain=dstnat comment=150 dst-address=******.18.215 \
    dst-port=27000-27499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.52 to-ports=27000-27499
add action=dst-nat chain=dstnat comment=151 dst-address=******.18.215 \
    dst-port=27500-27999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.53 to-ports=27500-27999
add action=dst-nat chain=dstnat comment=152 dst-address=******.18.215 \
    dst-port=28000-28499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.54 to-ports=28000-28499
add action=dst-nat chain=dstnat comment=153 dst-address=******.18.215 \
    dst-port=28500-28999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.55 to-ports=28500-28999
add action=dst-nat chain=dstnat comment=154 dst-address=******.18.215 \
    dst-port=29000-29499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.56 to-ports=29000-29499
add action=dst-nat chain=dstnat comment=155 dst-address=******.18.215 \
    dst-port=29500-29999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.57 to-ports=29500-29999
add action=dst-nat chain=dstnat comment=156 dst-address=******.18.215 \
    dst-port=30000-30499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.58 to-ports=30000-30499
add action=dst-nat chain=dstnat comment=157 dst-address=******.18.215 \
    dst-port=30500-30999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.59 to-ports=30500-30999
add action=dst-nat chain=dstnat comment=158 dst-address=******.18.215 \
    dst-port=31000-31499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.60 to-ports=31000-31499
add action=dst-nat chain=dstnat comment=159 dst-address=******.18.215 \
    dst-port=31500-31999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.61 to-ports=31500-31999
add action=dst-nat chain=dstnat comment=160 dst-address=******.18.215 \
    dst-port=32000-32499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.62 to-ports=32000-32499
add action=dst-nat chain=dstnat comment=161 dst-address=******.18.215 \
    dst-port=32500-32999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.63 to-ports=32500-32999
add action=dst-nat chain=dstnat comment=162 dst-address=******.18.215 \
    dst-port=33000-33499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.64 to-ports=33000-33499
add action=dst-nat chain=dstnat comment=163 dst-address=******.18.215 \
    dst-port=33500-33999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.65 to-ports=33500-33999
add action=dst-nat chain=dstnat comment=164 dst-address=******.18.215 \
    dst-port=34000-34499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.66 to-ports=34000-34499
add action=dst-nat chain=dstnat comment=165 dst-address=******.18.215 \
    dst-port=34500-34999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.67 to-ports=34500-34999
add action=dst-nat chain=dstnat comment=166 dst-address=******.18.215 \
    dst-port=35000-35499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.68 to-ports=35000-35499
add action=dst-nat chain=dstnat comment=167 dst-address=******.18.215 \
    dst-port=35500-35999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.69 to-ports=35500-35999
add action=dst-nat chain=dstnat comment=168 dst-address=******.18.215 \
    dst-port=36000-36499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.70 to-ports=36000-36499
add action=dst-nat chain=dstnat comment=169 dst-address=******.18.215 \
    dst-port=36500-36999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.71 to-ports=36500-36999
add action=dst-nat chain=dstnat comment=170 dst-address=******.18.215 \
    dst-port=37000-37499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.72 to-ports=37000-37499
add action=dst-nat chain=dstnat comment=171 dst-address=******.18.215 \
    dst-port=37500-37999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.73 to-ports=37500-37999
add action=dst-nat chain=dstnat comment=172 dst-address=******.18.215 \
    dst-port=38000-38499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.74 to-ports=38000-38499
add action=dst-nat chain=dstnat comment=173 dst-address=******.18.215 \
    dst-port=38500-38999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.75 to-ports=38500-38999
add action=dst-nat chain=dstnat comment=174 dst-address=******.18.215 \
    dst-port=39000-39499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.76 to-ports=39000-39499
add action=dst-nat chain=dstnat comment=175 dst-address=******.18.215 \
    dst-port=39500-39999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.77 to-ports=39500-39999
add action=dst-nat chain=dstnat comment=176 dst-address=******.18.215 \
    dst-port=40000-40499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.78 to-ports=40000-40499
add action=dst-nat chain=dstnat comment=177 dst-address=******.18.215 \
    dst-port=40500-40999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.79 to-ports=40500-40999
add action=dst-nat chain=dstnat comment=178 dst-address=******.18.215 \
    dst-port=41000-41499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.80 to-ports=41000-41499
add action=dst-nat chain=dstnat comment=179 dst-address=******.18.215 \
    dst-port=41500-41999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.81 to-ports=41500-41999
add action=dst-nat chain=dstnat comment=180 dst-address=******.18.215 \
    dst-port=42000-42499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.82 to-ports=42000-42499
add action=dst-nat chain=dstnat comment=181 dst-address=******.18.215 \
    dst-port=42500-42999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.83 to-ports=42500-42999
add action=dst-nat chain=dstnat comment=182 dst-address=******.18.215 \
    dst-port=43000-43499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.84 to-ports=43000-43499
add action=dst-nat chain=dstnat comment=183 dst-address=******.18.215 \
    dst-port=43500-43999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.85 to-ports=43500-43999
add action=dst-nat chain=dstnat comment=184 dst-address=******.18.215 \
    dst-port=44000-44499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.86 to-ports=44000-44499
add action=dst-nat chain=dstnat comment=185 dst-address=******.18.215 \
    dst-port=44500-44999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.87 to-ports=44500-44999
add action=dst-nat chain=dstnat comment=186 dst-address=******.18.215 \
    dst-port=45000-45499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.88 to-ports=45000-45499
add action=dst-nat chain=dstnat comment=187 dst-address=******.18.215 \
    dst-port=45500-45999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.89 to-ports=45500-45999
add action=dst-nat chain=dstnat comment=188 dst-address=******.18.215 \
    dst-port=46000-46499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.90 to-ports=46000-46499
add action=dst-nat chain=dstnat comment=189 dst-address=******.18.215 \
    dst-port=46500-46999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.91 to-ports=46500-46999
add action=dst-nat chain=dstnat comment=190 dst-address=******.18.215 \
    dst-port=47000-47499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.92 to-ports=47000-47499
add action=dst-nat chain=dstnat comment=191 dst-address=******.18.215 \
    dst-port=47500-47999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.93 to-ports=47500-47999
add action=dst-nat chain=dstnat comment=192 dst-address=******.18.215 \
    dst-port=48000-48499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.94 to-ports=48000-48499
add action=dst-nat chain=dstnat comment=193 dst-address=******.18.215 \
    dst-port=48500-48999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.95 to-ports=48500-48999
add action=dst-nat chain=dstnat comment=194 dst-address=******.18.215 \
    dst-port=49000-49499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.96 to-ports=49000-49499
add action=dst-nat chain=dstnat comment=195 dst-address=******.18.215 \
    dst-port=49500-49999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.97 to-ports=49500-49999
add action=dst-nat chain=dstnat comment=196 dst-address=******.18.215 \
    dst-port=50000-50499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.98 to-ports=50000-50499
add action=dst-nat chain=dstnat comment=197 dst-address=******.18.215 \
    dst-port=50500-50999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.99 to-ports=50500-50999
add action=dst-nat chain=dstnat comment=198 dst-address=******.18.215 \
    dst-port=51000-51499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.100 to-ports=51000-51499
add action=dst-nat chain=dstnat comment=199 dst-address=******.18.215 \
    dst-port=51500-51999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.101 to-ports=51500-51999
add action=dst-nat chain=dstnat comment=200 dst-address=******.18.215 \
    dst-port=52000-52499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.102 to-ports=52000-52499
add action=dst-nat chain=dstnat comment=201 dst-address=******.18.215 \
    dst-port=52500-52999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.103 to-ports=52500-52999
add action=dst-nat chain=dstnat comment=202 dst-address=******.18.215 \
    dst-port=53000-53499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.104 to-ports=53000-53499
add action=dst-nat chain=dstnat comment=203 dst-address=******.18.215 \
    dst-port=53500-53999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.105 to-ports=53500-53999
add action=dst-nat chain=dstnat comment=204 dst-address=******.18.215 \
    dst-port=54000-54499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.106 to-ports=54000-54499
add action=dst-nat chain=dstnat comment=205 dst-address=******.18.215 \
    dst-port=54500-54999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.107 to-ports=54500-54999
add action=dst-nat chain=dstnat comment=206 dst-address=******.18.215 \
    dst-port=55000-55499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.108 to-ports=55000-55499
add action=dst-nat chain=dstnat comment=207 dst-address=******.18.215 \
    dst-port=55500-55999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.109 to-ports=55500-55999
add action=dst-nat chain=dstnat comment=208 dst-address=******.18.215 \
    dst-port=56000-56499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.110 to-ports=56000-56499
add action=dst-nat chain=dstnat comment=209 dst-address=******.18.215 \
    dst-port=56500-56999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.111 to-ports=56500-56999
add action=dst-nat chain=dstnat comment=210 dst-address=******.18.215 \
    dst-port=57000-57499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.112 to-ports=57000-57499
add action=dst-nat chain=dstnat comment=211 dst-address=******.18.215 \
    dst-port=57500-57999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.113 to-ports=57500-57999
add action=dst-nat chain=dstnat comment=212 dst-address=******.18.215 \
    dst-port=58000-58499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.114 to-ports=58000-58499
add action=dst-nat chain=dstnat comment=213 dst-address=******.18.215 \
    dst-port=58500-58999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.115 to-ports=58500-58999
add action=dst-nat chain=dstnat comment=214 dst-address=******.18.215 \
    dst-port=59000-59499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.116 to-ports=59000-59499
add action=dst-nat chain=dstnat comment=215 dst-address=******.18.215 \
    dst-port=59500-59999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.117 to-ports=59500-59999
add action=dst-nat chain=dstnat comment=216 dst-address=******.18.215 \
    dst-port=60000-60499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.118 to-ports=60000-60499
add action=dst-nat chain=dstnat comment=217 dst-address=******.18.215 \
    dst-port=60500-60999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.119 to-ports=60500-60999
add action=dst-nat chain=dstnat comment=218 dst-address=******.18.215 \
    dst-port=61000-61499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.120 to-ports=61000-61499
add action=dst-nat chain=dstnat comment=219 dst-address=******.18.215 \
    dst-port=61500-61999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.121 to-ports=61500-61999
add action=dst-nat chain=dstnat comment=220 dst-address=******.18.215 \
    dst-port=62000-62499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.122 to-ports=62000-62499
add action=dst-nat chain=dstnat comment=221 dst-address=******.18.215 \
    dst-port=62500-62999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.123 to-ports=62500-62999
add action=dst-nat chain=dstnat comment=222 dst-address=******.18.215 \
    dst-port=63000-63499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.124 to-ports=63000-63499
add action=dst-nat chain=dstnat comment=223 dst-address=******.18.215 \
    dst-port=63500-63999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.125 to-ports=63500-63999
add action=dst-nat chain=dstnat comment=224 dst-address=******.18.215 \
    dst-port=64000-64499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.126 to-ports=64000-64499
add action=dst-nat chain=dstnat comment=225 dst-address=******.18.215 \
    dst-port=64500-64999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.127 to-ports=64500-64999
add action=dst-nat chain=dstnat comment=226 dst-address=******.18.215 \
    dst-port=65000-65499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.30.30.128 to-ports=65000-65499
/ip route
add disabled=no dst-address=10.10.10.0/24 gateway=******.18.214 \
    routing-table=main suppress-hw-offload=no
add disabled=no dst-address=30.30.30.0/24 gateway=******.18.215 \
    routing-table=main suppress-hw-offload=no
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=******.18.1 \
    routing-table=main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=****
/system identity
set name=Mikrotik1
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool graphing interface
add
/tool romon
set enabled=yes
Last edited by holvoetn on Fri Jun 06, 2025 7:10 am, edited 1 time in total.
Reason: Removed serial, added code quotes
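A port-forward table this long is hard to check by eye. The script below is an added example, not part of the original post: it parses a RouterOS export and reports dst-nat rules whose port ranges overlap on the same public address, whose to-ports differ from dst-port, or that share an internal target. The sample export, its 203.0.113.x addresses and the function names are constructed for the example.

```python
import shlex
from collections import defaultdict

# Constructed sample shaped like the export above. The 203.0.113.x addresses
# are documentation-range placeholders; rule 102 is deliberately wrong.
SAMPLE_EXPORT = r"""
/ip firewall nat
add action=dst-nat chain=dstnat comment=100 dst-address=203.0.113.107 \
    dst-port=2000-2499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.2 to-ports=2000-2499
add action=dst-nat chain=dstnat comment=101 dst-address=203.0.113.107 \
    dst-port=2500-2999 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.3 to-ports=2500-2999
add action=dst-nat chain=dstnat comment=102 dst-address=203.0.113.107 \
    dst-port=2900-3499 in-interface=bridge1-localproxy protocol=udp \
    to-addresses=10.20.20.3 to-ports=3000-3499
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=203.0.113.1
"""


def logical_lines(text):
    """Yield export commands with backslash-continued lines joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            # Keep the text before the backslash, including the separating
            # space seen in the export above; the next line's indent is dropped.
            buf += line[:-1]
            continue
        buf += line
        if buf:
            yield buf
        buf = ""
    if buf:
        yield buf


def nat_rules(text):
    """Return each 'add' under /ip firewall nat as a dict of key=value pairs."""
    menu, rules = None, []
    for cmd in logical_lines(text):
        if cmd.startswith("/"):
            menu = cmd
        elif menu == "/ip firewall nat" and cmd.startswith("add "):
            pairs = (tok.split("=", 1) for tok in shlex.split(cmd)[1:] if "=" in tok)
            rules.append(dict(pairs))
    return rules


def audit(text):
    """Return (kind, detail) findings for the dst-nat rules in an export."""
    findings = []
    spans = defaultdict(list)    # (public address, protocol) -> [(lo, hi, label)]
    targets = defaultdict(list)  # internal host -> [rule labels]
    for r in nat_rules(text):
        if r.get("action") != "dst-nat":
            continue
        label = r.get("comment", "?")
        if "dst-port" not in r:
            findings.append(("no-port-limit", label))  # every port is forwarded
            continue
        if r.get("to-ports", r["dst-port"]) != r["dst-port"]:
            findings.append(("port-shift", label))
        key = (r.get("dst-address", "any"), r.get("protocol", "any"))
        for part in r["dst-port"].split(","):   # dst-port may be a comma list
            lo, _, hi = part.partition("-")
            spans[key].append((int(lo), int(hi or lo), label))
        targets[r.get("to-addresses")].append(label)
    # Rules are matched in order, so the overlapping part of a later range is
    # shadowed by the earlier rule and reaches a different host than intended.
    for items in spans.values():
        items.sort()
        reach_hi, reach_label = -1, None
        for lo, hi, label in items:
            if lo <= reach_hi:
                findings.append(("overlap", f"{reach_label}/{label}"))
            if hi > reach_hi:
                reach_hi, reach_label = hi, label
    # The export above gives every host exactly one block; flag deviations.
    for host, labels in targets.items():
        if len(labels) > 1:
            findings.append(("shared-target", f"{host}: {','.join(labels)}"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_EXPORT):
        print(f"{kind:14} {detail}")
```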
 
sirbryan
Long time Member
Posts: 524
Joined: Fri May 29, 2020 6:40 pm
Location: Utah

Re: RouterOS install on minisforum ms-01 minipc

Fri Jun 06, 2025 7:18 am

OK, here's the crux of the problem:

Your WAN port should never be on the same interface as your internal network. Looks like you've got both SFP+ ports in the bridge, all IPs on the bridge, firewall rules galore, and split horizon, which is 100% software-based. All of that is punting everything to the CPU and bypassing every possible enhancement in RouterOS, such as fast-path, fasttrack, and L2/L3HW offloads.

1. Take SFP+1 out of the bridge. This section should only read:
/interface bridge port
add bridge=bridge1-localproxy interface=sfp-sfpplus2

Some might wonder why use a bridge at all with only one port, and my answer is you may want to add other LAN ports to the bridge without having to reconfigure everything.

2. Assign public IP's to SFP+ directly:
/ip address
## These should all be world-facing only
add address=******.18.107/24 interface=sfp-sfpplus1 network=******.18.0
add address=******.18.208/24 interface=sfp-sfpplus1 network=******.18.0
add address=******.18.215/24 interface=sfp-sfpplus1 network=******.18.0
## only have these on the bridge (the LAN)
add address=10.30.30.1/23 interface=bridge1-localproxy network=10.30.30.0
add address=10.20.20.1/24 interface=bridge1-localproxy network=10.20.20.0

3. Change your firewall rules to use sfp-sfpplus1 as external interface, switch from masquerade to src-nat and have each block use the same IP's for outbound that you have for their inbound dst-nat rules.
/ip firewall nat
#add action=masquerade out-interface=sfp-sfpplus1 chain=srcnat src-address=10.30.30.0/23
#add action=masquerade out-interface=sfp-sfpplus1 chain=srcnat src-address=10.20.20.0/24

##  Don't use masquerade for the nodes, use src-nat to map outbound traffic to the same address as their incoming address range
add action=src-nat chain=srcnat src-address=10.20.20.0/24 out-interface=sfp-sfpplus1 to-addresses=******.18.107
add action=src-nat chain=srcnat src-address=10.30.30.0/24 out-interface=sfp-sfpplus1 to-addresses=******.18.215
# If your home network is not part of the 10.20 or 10.30's, you'll want one for that network mapped to whatever IP you want to use
##
add action=dst-nat chain=dstnat comment=100 dst-address=******.18.107 dst-port=2000-2499 protocol=udp to-addresses=10.20.20.2 to-ports=2000-2499
add action=dst-nat chain=dstnat comment=101 dst-address=******.18.107 dst-port=2500-2999 protocol=udp to-addresses=10.20.20.3 to-ports=2500-2999
### etc. #####

Once that's all done, make sure things work. Once you're happy with that, the next step is to try to offload the NAT rules to L3HW.

Go into Switch, Ports, and enable L3HW offloading on sfp-sfpplus2, and disable it on sfp-sfpplus1.
Then to Switch, Settings, and enable "L3 HW Offloading" and test.
 
millenium7
Long time Member
Posts: 639
Joined: Wed Mar 16, 2016 6:12 am

Re: RouterOS install on minisforum ms-01 minipc

Fri Jun 06, 2025 8:38 am

Even with the plethora of NAT rules I'd still expect decent performance. But it's still a hell of a lot and worth cleaning up.
You can substantially lower the firewall calls by moving all of your port forwards into a different chain, i.e. 'dstnat-portforwardsliketheyregoingoutofbusiness', and then use something that is common to jump to them. In this case you are forwarding most of the UDP ports, so you could do something like this:
/ip firewall nat add action=jump chain=dstnat dst-address=******.18.107 dst-port=2000-65499 in-interface=WAN jump-target=dstnat-portforwardsliketheyregoingoutofbusiness protocol=udp
/ip firewall nat add action=jump chain=dstnat dst-address=******.18.215 dst-port=2000-65499 in-interface=WAN jump-target=dstnat-portforwardsliketheyregoingoutofbusiness-thesequel protocol=udp
Cause right now all traffic in both directions is checking every single one of your rules and going "do I match this? no, ok do I match this? no, ok do I match this? no...." the whole way down the list
If you move all of your rules to a different chain then none of them will be checked, unless there is a jump command to enter that chain and start processing. So at least all of your i.e. TCP/outbound/anything not in the first jump rule will only have to process 2 rules instead of all of them. And all of the incoming UDP only has to check half as many (since you've split each public IP into a different chain)

You should also do a TCP bandwidth-test to 127.0.0.1 to see if you get similar results to me. If you're only getting 5gbit/s and/or your CPU isn't pegged at 100% then something is wrong at the proxmox side
Last edited by millenium7 on Fri Jun 06, 2025 8:43 am, edited 1 time in total.
 
CGGXANNX
Long time Member
Posts: 635
Joined: Thu Dec 21, 2023 6:45 pm

Re: RouterOS install on minisforum ms-01 minipc

Fri Jun 06, 2025 8:43 am

Still, those NAT rule checks normally are only done once per tracked connection and would not cripple the router. The jump rules will help the performance but probably not much. But they will improve the organization of rules.
 
millenium7
Long time Member
Posts: 639
Joined: Wed Mar 16, 2016 6:12 am

Re: RouterOS install on minisforum ms-01 minipc

Fri Jun 06, 2025 8:50 am

Still, those NAT rule checks normally are only done once per tracked connection and would not cripple the router. The jump rules will help the performance but probably not much. But they will improve the organization of rules.
I'm not 100% sure on the NAT table. I know it comes before Filter but unsure if it has an implicit 'established/related' rule at the top to skip connection tracked packets if there is no 'established/related' filter rule?
Speaking of which, I don't see ANY filter rules in his config output. Which is..... alarming at best on a router that appears to have public IPs.... And may explain the piss poor performance if a botnet is constantly hammering the router by DNS/SSH/etc
 
CGGXANNX
Long time Member
Posts: 635
Joined: Thu Dec 21, 2023 6:45 pm

Re: RouterOS install on minisforum ms-01 minipc

Fri Jun 06, 2025 9:11 am

If you look at the counters on your NAT rules, you'll see that they only increase once per matched connection, not on every packet. The DSTNAT rules are normally in the prerouting chain and are checked (once per connection) before the filter rules, while the SRCNAT rules are in postrouting and are processed (once per connection) after the filter rules.
 
sirbryan
Long time Member
Posts: 524
Joined: Fri May 29, 2020 6:40 pm
Location: Utah

Re: RouterOS install on minisforum ms-01 minipc

Fri Jun 06, 2025 3:57 pm

I totally missed that there were no actual firewall (filter) rules. Yeah, yikes.

I also agree that some organization of the rules would help clean things up a bit. I kept trying to think of ways to do it; the jump per subnet (and possibly sub-classifying the port groups) would be a good start.
 
adamantasaurus
Frequent Visitor
Topic Author
Posts: 53
Joined: Sat Jun 08, 2024 10:17 pm

Re: RouterOS install on minisforum ms-01 minipc

Sat Jun 07, 2025 4:33 am

OK, here's the crux of the problem:

Your WAN port should never be on the same interface as your internal network. Looks like you've got both SFP+ ports in the bridge, all IP's on the bridge, firewall rules galore, and split horizon, which is 100% software-based. All of that is punting everything to the CPU and bypassing every possible enhancement in RouterOS, such as fast-path, fasttrack, and L2/L3HW offloads.

1. Take SFP+1 out of the bridge. This section should only read:
/interface bridge port
add bridge=bridge1-localproxy interface=sfp-sfpplus2

Some might wonder why use a bridge at all with only one port, and my answer is you may want to add other LAN ports to the bridge without having to reconfigure everything.

2. Assign public IP's to SFP+ directly:
/ip address
## These should all be world-facing only
add address=******.18.107/24 interface=sfp-sfpplus1 network=******.18.0
add address=******.18.208/24 interface=sfp-sfpplus1 network=******.18.0
add address=******.18.215/24 interface=sfp-sfpplus1 network=******.18.0
## only have these on the bridge (the LAN)
add address=10.30.30.1/23 interface=bridge1-localproxy network=10.30.30.0
add address=10.20.20.1/24 interface=bridge1-localproxy network=10.20.20.0

3. Change your firewall rules to use sfp-sfpplus1 as external interface, switch from masquerade to src-nat and have each block use the same IP's for outbound that you have for their inbound dst-nat rules.
/ip firewall nat
#add action=masquerade out-interface=sfp-sfpplus1 chain=srcnat src-address=10.30.30.0/23
#add action=masquerade out-interface=sfp-sfpplus1 chain=srcnat src-address=10.20.20.0/24

##  Don't use masquerade for the nodes, use src-nat to map outbound traffic to the same address as their incoming address range
add action=src-nat chain=srcnat src-address=10.20.20.0/24 out-interface=sfp-sfpplus1 to-addresses=******.18.107
add action=src-nat chain=srcnat src-address=10.30.30.0/24 out-interface=sfp-sfpplus1 to-addresses=******.18.215
# If your home network is not part of the 10.20 or 10.30's, you'll want one for that network mapped to whatever IP you want to use
##
add action=dst-nat chain=dstnat comment=100 dst-address=******.18.107 dst-port=2000-2499 protocol=udp to-addresses=10.20.20.2 to-ports=2000-2499
add action=dst-nat chain=dstnat comment=101 dst-address=******.18.107 dst-port=2500-2999 protocol=udp to-addresses=10.20.20.3 to-ports=2500-2999
### etc. #####

Once that's all done, make sure things work. Once you're happy with that, the next step is to try to offload the NAT rules to L3HW.

Go into Switch, Ports, and enable L3HW offloading on sfp-sfpplus2, and disable it on sfp-sfpplus1.
Then to Switch, Settings, and enable "L3 HW Offloading" and test.
So you don't think getting a CCR1072 would fix the issue here as well? I asked Grok and he told me that router would be the absolute best for running Autonomi nodes.
 
adamantasaurus
Frequent Visitor
Topic Author
Posts: 53
Joined: Sat Jun 08, 2024 10:17 pm

Re: RouterOS install on minisforum ms-01 minipc

Sat Jun 07, 2025 4:37 am

Still, those NAT rule checks normally are only done once per tracked connection and would not cripple the router. The jump rules will help the performance but probably not much. But they will improve the organization of rules.
I'm not 100% sure on the NAT table. I know it comes before Filter but unsure if it has an implicit 'established/related' rule at the top to skip connection tracked packets if there is no 'established/related' filter rule?
Speaking of which, I don't see ANY filter rules in his config output. Which is..... alarming at best on a router that appears to have public IPs.... And may explain the piss poor performance if a botnet is constantly hammering the router by DNS/SSH/etc

You mean like it keeps trying to login to my router? I get constant login denials on my winbox all the time lol
 
sirbryan
Long time Member
Posts: 524
Joined: Fri May 29, 2020 6:40 pm
Location: Utah

Re: RouterOS install on minisforum ms-01 minipc

Sat Jun 07, 2025 7:03 am

You mean like it keeps trying to login to my router? I get constant login denials on my winbox all the time lol

Three problems.

- Split-horizon bridging is killing your performance (and is completely unnecessary)
- Bridging both ports to the same interface is opening your internal network to your ISP's other customers (usually they have filters for that)
- Your router lacks decent firewall rules

If you fix those problems, you'll be sitting pretty with CPU headroom to spare. I gave you corrected configs for the first two issues. I'll have to dig up some of the default rules from a hAP or something, or you can search those out. Basically you want rules that 1) fasttrack all existing and related connections, also 2) accept all of those (in case fasttrack misses some), 3) block any new incoming TCP connections to the router itself (input), and 4) allow the NAT traffic to be forwarded.

I have a CCR2116 handling NAT for 700 households pushing 3-4Gbps right now (peak hours) tracking 54000 connections and it's holding steady between 20-30% with L3 hardware offload disabled. The CCR1072 would be nice, but seriously overkill. The 2116 and your MS-01 should be fine doing the work you're trying to do.
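
The four rule types listed in the post above, written out as a RouterOS filter table. This is an added example, not part of the thread and not MikroTik's shipped default; it assumes the interface roles from the corrected config earlier in the thread (sfp-sfpplus1 as WAN, bridge1-localproxy as LAN), and it drops all unsolicited WAN input rather than only TCP.

```routeros
# Added example (not from the thread). Assumed roles:
#   sfp-sfpplus1       = WAN, carries the public IPs
#   bridge1-localproxy = LAN
# Rule order matters: RouterOS evaluates each chain top to bottom.
/ip firewall filter

# --- input chain: packets addressed to the router itself ---
# Replies to connections the router or LAN already opened.
add chain=input action=accept connection-state=established,related,untracked \
    comment="input: accept established/related"
add chain=input action=drop connection-state=invalid \
    comment="input: drop invalid"
# Keep ICMP so path MTU discovery and ping still work.
add chain=input action=accept protocol=icmp \
    comment="input: accept ICMP"
# Point 3: nothing new from the internet reaches SSH/WinBox/DNS on the router.
add chain=input action=drop in-interface=sfp-sfpplus1 \
    comment="input: drop everything else arriving on WAN"

# --- forward chain: packets routed through the router ---
# Point 1: established flows skip most of the firewall path.
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="forward: fasttrack established/related"
# Point 2: accept the packets fasttrack did not take.
add chain=forward action=accept connection-state=established,related,untracked \
    comment="forward: accept established/related"
add chain=forward action=drop connection-state=invalid \
    comment="forward: drop invalid"
# Point 4: new WAN connections pass only if a dst-nat rule matched them,
# so the existing UDP port forwards keep working and everything else is dropped.
add chain=forward action=drop in-interface=sfp-sfpplus1 connection-state=new \
    connection-nat-state=!dstnat \
    comment="forward: drop new WAN traffic that matched no dst-nat rule"
```

Apply it with Safe Mode enabled so that a mistake in the input chain is rolled back instead of locking you out of the router.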
 
CGGXANNX
Long time Member
Posts: 635
Joined: Thu Dec 21, 2023 6:45 pm

Re: RouterOS install on minisforum ms-01 minipc

Sat Jun 07, 2025 7:27 am

This post has the default MikroTik firewall rules for the current version of ROS7 and ROS6 viewtopic.php?t=175129#p856824
 
adamantasaurus
Frequent Visitor
Topic Author
Posts: 53
Joined: Sat Jun 08, 2024 10:17 pm

Re: RouterOS install on minisforum ms-01 minipc

Sat Jun 07, 2025 7:42 am

You mean like it keeps trying to login to my router? I get constant login denials on my winbox all the time lol

Three problems.

- Split-horizon bridging is killing your performance (and is completely unnecessary)
- Bridging both ports to the same interface is opening your internal network to your ISP's other customers (usually they have filters for that)
- Your router lacks decent firewall rules

If you fix those problems, you'll be sitting pretty with CPU headroom to spare. I gave you corrected configs for the first two issues. I'll have to dig up some of the default rules from a hAP or something, or you can search those out. Basically you want rules that 1) fasttrack all existing and related connections, also 2) accept all of those (in case fasttrack misses some), 3) block any new incoming TCP connections to the router itself (input), and 4) allow the NAT traffic to be forwarded.

I have a CCR2116 handling NAT for 700 households pushing 3-4Gbps right now (peak hours) tracking 54000 connections and it's holding steady between 20-30% with L3 hardware offload disabled. The CCR1072 would be nice, but seriously overkill. The 2116 and your MS-01 should be fine doing the work you're trying to do.
Yeah, I returned the MS-01 today. Right now on my network I have a CCR2004 & the 2116; the 2004 I will most likely sell on eBay once I get everything fixed with these nodes. Right now it just has all my other firewall rules on it, that's just easier to have separated at the moment. I did have another 2116 that Amazon luckily let me return and I will be getting the refund for, plus the refund for the MS-01. I might as well just grab the 1072, I found a good deal on a used one; that way I won't have a problem, bc right now I'm at 63k p2p connections via nodes and I will most likely be tripling that number once I get the kinks worked out in the script and get my other server running (right now I'm testing the RAM on it).
 
sirbryan
Long time Member
Posts: 524
Joined: Fri May 29, 2020 6:40 pm
Location: Utah

Re: RouterOS install on minisforum ms-01 minipc

Sat Jun 07, 2025 4:41 pm

I have a CCR2116 handling NAT for 700 households pushing 3-4Gbps right now (peak hours) tracking 54000 connections and it's holding steady between 20-30% with L3 hardware offload disabled. The CCR1072 would be nice, but seriously overkill. The 2116 and your MS-01 should be fine doing the work you're trying to do.
I might as well just grab the 1072, I found a good deal on a used one; that way I won't have a problem, bc right now I'm at 63k p2p connections via nodes and I will most likely be tripling that number once I get the kinks worked out in the script and get my other server running (right now I'm testing the RAM on it).
Have you migrated your rules as suggested, and tried L3HW offload? I'd be curious to see your CPU results after doing that. You may be pleasantly surprised.
 
adamantasaurus
Frequent Visitor
Topic Author
Posts: 53
Joined: Sat Jun 08, 2024 10:17 pm

Re: RouterOS install on minisforum ms-01 minipc

Sun Jun 08, 2025 5:01 am



I might as well just grab the 1072, I found a good deal on a used one; that way I won't have a problem, bc right now I'm at 63k p2p connections via nodes and I will most likely be tripling that number once I get the kinks worked out in the script and get my other server running (right now I'm testing the RAM on it).
Have you migrated your rules as suggested, and tried L3HW offload? I'd be curious to see your CPU results after doing that. You may be pleasantly surprised.
No, not yet. I'm still troubleshooting the nodes and testing RAM and stuff. I will get to it though.