Not getting wireline speeds

trivex · Wed Apr 03, 2024 9:35 am

hello all!

i just got my first Mikrotik (

) and am trying to configure it properly. i have internet working right now for my AT&T Business Fiber internet, but i'm not getting the full gigabit up and down i'm supposed to be getting. additionally the Mikrotik really seems to have some high CPU when running these speed tests which leads me to believe that either a) its a hardware offloading problem, or b) ive set up routing incorrectly and packets are getting dropped/duplicated. i get approximately 500mbit down on fast.com and speedtest.com when it should be 1gbit.

some notes: internet comes through an ethernet SFP adapter on SFP1 via VLAN 2. it gets routed to the LAN bridge that bridges all other ports together. its a pretty standard config outside of the VLAN.

does anyone see any issues with my config? what would be some debugging steps i could take?

thank you a ton!

here is my export:

[admin@MikroTik] > export
# 2024-04-02 23:13:51 by RouterOS 7.14.2
# software id = T2XZ-91S8
#
# model = CRS310-8G+2S+

/interface bridge
add admin-mac=D4:01:C3:10:XX:XX auto-mac=no comment=defconf name=bridge port-cost-mode=short protocol-mode=none
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] mac-address=F8:F5:32:A4:XX:XX
/interface vlan
add interface=sfp-sfpplus1 name=att-vlan2 vlan-id=2
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp ranges=10.0.1.0/24
/ip dhcp-server
add address-pool=dhcp interface=bridge name=dhcp1
/interface bridge port
add bridge=bridge comment=defconf interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus2 internal-path-cost=10 path-cost=10
/interface dot1x client
add certificate=Client_00XXXX-27373200029XXXX.pem_0 eap-methods=eap-tls identity=F8:F5:32:A4:XX:XX interface=sfp-sfpplus1
/interface list member
add interface=bridge list=LAN
add interface=att-vlan2 list=WAN
/ip address
add address=10.0.1.1/24 interface=bridge network=10.0.1.0
/ip dhcp-client
add interface=att-vlan2
/ip dhcp-server network
add address=0.0.0.0/24 dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24
add address=10.0.1.0/24 dns-server=10.0.1.1 gateway=10.0.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=att-vlan2 protocol=icmp
add action=drop chain=input comment="block everything else" in-interface=att-vlan2
/ip firewall nat
add action=masquerade chain=srcnat out-interface=att-vlan2

jaclaz · Wed Apr 03, 2024 12:06 pm

Before any thoughts on your current configuration, you seem to be using the CRS 310 configured as a router, so around 500 Mbps seems to be in the right ballpark for routing without firewall according to tests:
https://mikrotik.com/product/crs310_8g_ ... estresults

Usually the "reference" to have an idea of real life performance is the "Routing 25 ip filter rules" for 512 bytes packets which is 186.8 for that model, since you have no firewall filter set, you can take the "Routing none (fast path)" line that is 531.3.

This:

/ip dhcp-server network
add address=0.0.0.0/24 dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24

looks however very strange to me, what is this setting for?
It could be an artifact of using Quickset that *somehow* didn't work as intended, see:
viewtopic.php?t=203721

llamajaja · Wed Apr 03, 2024 7:18 pm

The 310 is a switch and yet your requirement is clearly routing.....................
Why the purchase of the 310??

With any kind of firewall rules applied your throughput is going to max out at 200Mbps or less!
Assuming by the way, this device is getting a public IP from a fiber modem/ont ( and not a private IP from an ATT Router/Modem)
If so you should unplug from the internet until you have some firewall rules added!!

The RB5009 is an excellent router that can handle easily up to a 2.5gb fiber connection ( room for growth )
If on a budget, the hap ax3 wifi router easily handles a 1 gig fiber connection ( just dont enable the wifi part if not required )

trivex · Wed Apr 03, 2024 8:11 pm

thanks a lot both. yeah i messed up expecting that since the os could do all these wonderful things, they'd not have loaded this panacea of functionality it couldn't run. totally my fault for not doing way more research ahead of time. fwiw i'd have expected that in 2024 devices could at least route *gigabit*, let alone the 2.5gbit of the ports. sigh. whelp that was a fast and disappointing journey into Mikrotik.

infabo · Wed Apr 03, 2024 8:26 pm

fwiw i'd have expected that in 2024 devices could at least route *gigabit*, let alone the 2.5gbit of the ports. sigh. whelp that was a fast and disappointing journey into Mikrotik.

Hardware specs don't have anything to do with calendar years. A lesson you could also learn without Mikrotik as well.

llamajaja · Wed Apr 03, 2024 9:32 pm

Routing expectations from a routing device are reasonable.
Switching expectations from a switching device are reasonable
Expecting a coffee bean grinder to make a smoothie not so much.

To echo the point, its 2024 and we still have wars and famine............

trivex · Wed Apr 03, 2024 10:31 pm

hey guys i love a newbie bashing as much as the next guy, but just to ground things a bit here: the mikrotik product line is a disaster of complication. unless i analyze the exact processor in each one and dig everywhere for every possible edge case, it seems pretty easy for someone to make a mistake when buying things. even on the product page of the product: "The amazing Marvell 98DX226S switch-chip and integrated dual-core ARM CPU can handle the full potential of RouterOS v7". maybe what they should add is "just dont use any kind of functionality that requires any kind of CPU processing or else that Marvell will cry in what is the world's loudest fan noise you've ever heard". to get a maximum throughput of 500mbit on freakin masquerading is simply surprising for what's otherwise a 2.5G device. i get that you guys know the products in and out, but please understand as first-time users, we don't know all the inside and out. but hey, again, it is on me that i bought a switch expecting the Router part of RouterOS v7.

jaclaz · Wed Apr 03, 2024 10:57 pm

@trivex
Well, you are not alone, not all members of the board are perfect creatures that never make any mistake and like to mock the other (fallibile) folks like us about their mistakes.
Maybe there is a slightly larger percentage of them when compared to other places, but it's not that bad, once you learn to not provoke them by criticizing anything Mikrotik does.
They do that, but they have a special permit.

infabo · Wed Apr 03, 2024 11:05 pm

Mikrotik devices are sold by distributors. So basically you can write down your requirements and maybe even draw your network topology and send this to the distributor where you like to buy your device. I am sure - despite not having done this myself - they will service you and give recommendations on the device.

Larsa · Thu Apr 04, 2024 12:40 am

@trivex, no offense intended, but a great place to start your research before buying any networking gear is always the manufacturer's own website. MikroTik has organized all its products into categories like switches, routers, and more: mikrotik.com/products.

sirbryan · Thu Apr 04, 2024 3:55 am

to get a maximum throughput of 500mbit on freakin masquerading is simply surprising for what's otherwise a 2.5G device.

The CRS310's are great routers, if you don't need the CPU to do anything (queueing, firewall, NAT, etc.). I have a few of the 5SFP/4SFP+ CRS310's at customer-facing sites, paired with Netonix POE switches. The 10G ports are connected to the backhauls and the 1G ports are LAG'd to the Netonix switch. They route at wirespeed, and also handle DHCP for customer equipment and BFD, OSPF and BGP to neighboring routers. I have CRS309's as aggregate routers in my core, which hand off the traffic to CCR2116's. Those guys handle the NAT for a few hundred people.

To salvage what you have, you could still attach it to an RB4011 or RB5009 and have that handle your firewall + NAT rules.

The CRS309, 312, and 317 have the hardware necessary to do NAT in the switch chip.

anav · Thu Apr 04, 2024 4:09 am

Sirbyran, lets make it real, .....................

OP
Quote: " ...... i have internet working right now for my AT&T Business Fiber internet, but i'm not getting the full gigabit up and down i'm supposed to be getting

MT SPECS

reality.jpg

......

WITH NO Rules, the OP will only achieve at best half of paid for throughput.

mkx · Thu Apr 04, 2024 8:28 am

Sirbyran, lets make it real, .....................

@Sirbyran is referring to CRS310 capability of doing L3HW offloading: https://help.mikrotik.com/docs/display/ ... iceSupport That makes CRS310 a wirespeed router. But, as he also noted, it can support only "trivial" tasks, in particular no firewall (and NAT) offloading is possible.

jaclaz · Thu Apr 04, 2024 10:37 am

@mkx
So, this brings us back to the second part of OP original question, can (for this speciific use case) LH3W offloading be enabled through changes to the current configuration?

And if yes, which particular features, capabilities, etc. need to be excluded from the setup?

On that page:
https://help.mikrotik.com/docs/display/ ... Offloading

Configuration Examples
Inter-VLAN Routing with Upstream Port Behind Firewall/NAT

This example demonstrates how to benefit from near-to-wire-speed inter-VLAN routing while keeping Firewall and NAT running on the upstream port. Moreover, Fasttrack connections to the upstream port get offloaded to hardware as well, boosting the traffic speed close to wire-level. Inter-VLAN traffic is fully routed by the hardware, not entering the CPU/Firewall, and, therefore, not occupying the hardware memory of Fasttrack connections.

OP's intended usage seems to me not that much different from the above.

At first sight the main differences are in firewall filter rules:
current config:

/ip firewall filter
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=att-vlan2 protocol=icmp
add action=drop chain=input comment="block everything else" in-interface=att-vlan2

vs:
Mikrotik's example:

/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related

So, if it is acceptable to let all traffic go through, without filtering/dropping anything, the CRS310 can be - in this specific usage - be set to hardware offloading?

infabo · Thu Apr 04, 2024 8:32 pm

https://help.mikrotik.com/docs/display/ ... 2000Series

These devices do not support Fasttrack or NAT connection offloading.

And CRS310 is in this list of devices.

But I would give this a try as well and add the fasttrack filter rules and see what happens. see docs where to place the filter rules for fasttrack: https://help.mikrotik.com/docs/display/ ... onnections

Fasttrack is IIRC a software implementation in first place. With Hardware offloading you take away all load from the CPU.

trivex · Thu Apr 04, 2024 10:31 pm

note that if i have zero firewall rules, it's still low performing for any kind of routing/NAT/masquerading. i just added those at the end of the night so i dont have a vulnerable device overnight.

jaclaz · Thu Apr 04, 2024 10:54 pm

Yes and no.
The given page is - for once - very detailed in how to achieve that kind of hardware offloading and the sheer fact that it lists a whole lot of reasons why it might not work should mean that it is a rather "sensitive" setup that can break even if you look at It the "wrong" way.
Unless some other member has the needed knowledge/experience and the will/time to review your current setup, you can only find a "safe" way (added firewall or experimenting on a "mock" network made of expendable" devices) to reproduce exactly the given example and modify it adding your specific requirements until it breaks.

Thu Apr 04, 2024 11:31 pm

Despite doing forwarding by CPU if you configure Fast-Track (without HW L3 offload because this device does not supports it) you can achieve almost 1gbit of routing+NAT+some essential firewall filter rules

I think maybe you can hit the limit of the interface between CPU and Switch chip of 1.3gbps

Thu Apr 04, 2024 11:37 pm

Sirbyran, lets make it real, .....................

OP
Quote: " ...... i have internet working right now for my AT&T Business Fiber internet, but i'm not getting the full gigabit up and down i'm supposed to be getting

MT SPECS
reality.jpg
......

WITH NO Rules, the OP will only achieve at best half of paid for throughput.

CRS310-8G+2S+ has slightly better CPU than CRS310-1G-5S-4S+IN
2 cores VS 1 core, that can help

anav · Thu Apr 04, 2024 11:41 pm

Well either their ethernet results failed to include performance via L3HW offload and this is a brilliant router replacement, or their ethernet results are good and no one should fool themselves into thinking these are viable 1gig ethernet router capable, is all I am saying.

Perhaps someone with a 310-8G can test??

jaclaz · Thu Apr 04, 2024 11:41 pm

@chechito
Can you elaborate?
Mkx posted an official link about the CRS310 being capable of L3HW offloading (but not fasttrack).
Are you saying that the opposite is true?
Or something else?
I am confused.

Thu Apr 04, 2024 11:47 pm

@chechito
Can you elaborate?
Mkx posted an official link about the CRS310 being capable of L3HW offloading (but not fasttrack).
Are you saying that the opposite is true?
Or something else?
I am confused.

i am refering to making an hybrid config in the traditional way like you will do with a hEX-S for example (without HW L3 offload because this CRS310 does not supports it)

Only using L2 HW offload for Switching tasks

I have configured some crs326-24g-2s+rm in that way in some special situations like this working decently

one simple way to test this is ADDING on the top of firewall filter this rules

/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related \
  comment="fasttrack established/related"
add chain=forward action=accept connection-state=established,related \
  comment="accept established/related"

i emphasize this NOT do Fast-track HW offload, let's call it CPU fast-track

anav · Thu Apr 04, 2024 11:53 pm

Are your devices internet facing, with such sparse rules??

jaclaz · Fri Apr 05, 2024 12:02 am

@chechito
Thanks, but - maybe it is one of those days I am particularly bad at understanding - you did not clear at all the matter.

Mkx posted that this switch supports L3HW offloading.
You just re-stated that it doesn't.

One of the two must be accurate, not both.

mkx · Fri Apr 05, 2024 12:06 am

Mkx posted that this switch supports L3HW offloading.
You just re-stated that it doesn't.

One of the two must be accurate, not both.

We're both right ... I already mentioned that L3HW offload in this switch only covers routing, not firewalling. And @chechito is talking about firewalling in his latest posts.

Fri Apr 05, 2024 12:12 am

Mkx posted that this switch supports L3HW offloading.
You just re-stated that it doesn't.

One of the two must be accurate, not both.
We're both right ... I already mentioned that L3HW offload in this switch only covers routing, not firewalling. And @chechito is talking about firewalling in his latest posts.

Yeah one thing is
L3 HW offload (simple routing, without NAT, useful for example for inter VLAN routing on the LAN) which CRS310 supports
and another different thing is
Offloading Fast-track Connections which is a feature related with L3 HW offload but only available on more advanded models of CRS switches

jaclaz · Fri Apr 05, 2024 12:32 am

So it is the usual case of two very different things that - in order to better distinguish them - are called in Mikrotikish with the same or a very similar name.

Sort of homonyms or homographs.

I see, thanks to both.

mkx · Fri Apr 05, 2024 9:20 am

So it is the usual case of two very different things that - in order to better distinguish them - are called in Mikrotikish with the same or a very similar name.

Sort of homonyms or homographs.

Well not really. Routing is pure L3 function and according to that, all devices which MT says support L3HW actually do routing in hardware (if ASIC config resources are not exhausted). Statfull firewall can be L3 or L4 and fast-track is mostly L4. So L3HW doesn't really cover that. Some devices support this L4 functionality (but it's hidden in L3HW heap).

anav · Sat Apr 06, 2024 4:24 am

Too much for me. I like the on and off button.

Not getting wireline speeds

Not getting wireline speeds

Re: Not getting wireline speeds

Re: Not getting wireline speeds

Re: Not getting wireline speeds

Re: Not getting wireline speeds

Re: Not getting wireline speeds

Re: Not getting wireline speeds

Re: Not getting wireline speeds

Re: Not getting wireline speeds

Re: Not getting wireline speeds

Re: Not getting wireline speeds

Re: Not getting wireline speeds

Re: Not getting wireline speeds

Re: Not getting wireline speeds

Re: Not getting wireline speeds

Re: Not getting wireline speeds

Re: Not getting wireline speeds

Re: Not getting wireline speeds

Re: Not getting wireline speeds

Re: Not getting wireline speeds

Re: Not getting wireline speeds

Re: Not getting wireline speeds

Re: Not getting wireline speeds

Re: Not getting wireline speeds

Re: Not getting wireline speeds

Re: Not getting wireline speeds

Re: Not getting wireline speeds

Re: Not getting wireline speeds

Re: Not getting wireline speeds

Who is online