7

I have a 951G-2HnD as a router. All connections are via ethernet cables. I observe the following:

  1. When I connect to the ISP via router, speed is about 270 Mbit/s, while ISP claims my plan has 500 Mbit/s speed limit.
  2. When I connect cable from ISP directly to ethernet port on my PC, I indeed get about 500 Mbit/s download speed.
  3. When I download files from another PC connected to the same router, the speed is about 900 Mbit/s which is correct for gigabit LAN.

Now because of 3, I think that the problem is not in router processing power. I suppose something is wrong with NAT processing. How do I improve speed so NAT connection is as fast as direct one? Or at least how do I debug the problem?

Just in case, I disabled all NAT rules except the main one:

/ip firewall nat chain=srcnat action=masquerade out-interface=ether1-gateway

This did not improve the speed.

Dessa Simpson
Uprooted
  • Test 3 doesn't measure router processing power because it doesn't involve any routing at all. – David Schwartz Mar 05 '18 at 17:24
  • If you can plug the PC directly into the 'modem' then the 'modem' is likely also a router, so you're probably suffering double NAT. – Tetsujin Mar 05 '18 at 17:28
  • @DavidSchwartz it involves copying a packet from one port to another based on arp cache. I don't see how that's more complex than copying packet based on NAT cache. I am not well-versed in networking though. – Uprooted Mar 05 '18 at 17:28
  • @Tetsujin there's no modem, there's an ethernet cable coming out of the wall. I am connected to ISP switch I presume. – Uprooted Mar 05 '18 at 17:29
  • @Rarity It's much more complex because it requires asking a CPU to check what rules apply while the other is a fixed process that's entirely done in dedicated hardware. – David Schwartz Mar 05 '18 at 17:30
  • the cable has to come from somewhere in the building & has to have a router at the other end of it; however, David seems to have come up with a clear reason, aside from you are very likely also getting double NAT. – Tetsujin Mar 05 '18 at 17:34
  • Your router should support [FastTrack](https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack). However, it cannot work without appropriate firewall rules. Please verify you have rules that mask certain connections for FastTrack. – Daniel B Mar 05 '18 at 19:16
  • You should do a speed test over IPv6, as that doesn't require a NAT, but just a simple firewall – Ferrybig Mar 05 '18 at 19:33
  • @DanielB will try it out. Ferrybig, my ISP doesn't support v6. – Uprooted Mar 05 '18 at 20:01
  • "You're gonna need a bigger board." – Agent_L Mar 05 '18 at 20:13
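
The FastTrack rules that Daniel B's comment refers to, written out as an added example that is not part of the original thread. The rule comments and ordering are assumptions, and the rules are assumed to sit above any other rules in the forward chain; FastTracked packets skip the firewall filter, mangle and queues, so only established and related connections are marked.

```routeros
# Added example; rule comments and ordering are assumptions, not the asker's config.
/ip firewall filter
# Mark established/related forwarded connections for FastTrack. Later packets of
# these connections bypass the firewall filter, mangle and queues.
add chain=forward action=fasttrack-connection connection-state=established,related comment="example: fasttrack"
# Some packets of a FastTracked connection still take the slow path; accept them.
add chain=forward action=accept connection-state=established,related comment="example: accept established,related"
# Invalid packets are never FastTracked, so they are still dropped here.
add chain=forward action=drop connection-state=invalid comment="example: drop invalid"

# Checks to run while a download is in progress:
# packet/byte counters on the fasttrack rule should be increasing
/ip firewall filter print stats
# ipv4-fasttrack-active should read "yes"
/ip settings print
# per-process CPU load, to see what saturates the CPU during the transfer
/tool profile
```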

2 Answers

16

The 951G-2HnD has a rated peak routing speed of 250-300Mbps. It does its switching in hardware and should be able to switch at wire speed. So it sounds like you're getting roughly the performance the hardware is capable of.

David Schwartz
  • You went the same route as me... Here is the reference from MikroTik: https://mikrotik.com/product/RB951G-2HnD#fndtn-testresults – acejavelin Mar 05 '18 at 17:29
  • I see. This thing served well, but perhaps it's time for an upgrade. @acejavelin doesn't my setup (with single masquerade rule) count as fast path? I suppose no, but is it possible to set things up in a way that will be a fast path? – Uprooted Mar 05 '18 at 17:48
  • @Rarity That depends on how you are doing your tests, the manufacturers tests are almost always done to make the results better than real world... the packet size is probably the big thing. TBH, we see few budget commercial routers (under $300) that can consistently handle 250+Mbps in real world usage – acejavelin Mar 05 '18 at 17:58
  • @acejavelin I disagree. MikroTik has lots of devices for a very fair price that are quite fast. As do others like Ubiquiti. There is really no need to drop a lot of money on this particular piece of hardware. – Daniel B Mar 05 '18 at 19:14
  • @DanielB I said from my experience, which is limited to Cisco, Meraki, Sonicwall, and Watchguard in recent years... It is not all encompassing and there may well be other solutions out there but I cannot speak to them. – acejavelin Mar 05 '18 at 19:29
  • @Rarity: _"This thing served well, but perhaps it's time for an upgrade"_ I hate to see good kit thrown away. Why don't you save some money by getting a slower plan from your ISP, so you're not wasting capability? Do you _really_ need 500Mbps? – Lightness Races in Orbit Mar 06 '18 at 01:14
  • @LightnessRacesinOrbit I do. And I never mentioned throwing anything away. And nice moniker. – Uprooted Mar 06 '18 at 17:08
  • I have a problem reading the test results and getting the 250-300Mbps, can someone help? – nanda Feb 04 '21 at 19:06
6

David's answer is correct. To summarize, the hardware is capable of switching at the speed you got, but only routing at a fraction of that. Therefore, the problem is the routing, not just the NAT, although that probably doesn't help.

Take a look at these results for routers that should be capable of routing that much traffic:

https://mikrotik.com/product/RB750Gr3#fndtn-testresults

https://mikrotik.com/product/RB3011UiAS-RM#fndtn-testresults

Any of these three should be enough unless you're doing a large amount of very small packet routing.

Another possibility is the CHR product - you can run your router in a VM and give it as much CPU and RAM as you need. $30 covers the cost for a 1Gbps cap.

EDIT: Somehow https://mikrotik.com/product/hap_ac2#fndtn-testresults has better results than the 3011 for non-full-size packets despite having significantly less CPU and RAM, and being on the same architecture.

Dessa Simpson
  • Test results for those are about the same as for my router, and browsing through their site I don't see anything much faster. Thanks for the suggestion with VM though. – Uprooted Mar 05 '18 at 18:33
  • @Rarity They're really not. The bottom row is what you should be looking at. – Dessa Simpson Mar 05 '18 at 19:09
  • @Rarity Actually you were right about the first. That one's about the same. The other two are higher. – Dessa Simpson Mar 05 '18 at 19:10
  • Yes, not quite right. I was looking for builtin wifi AP and 500+ Mbit routing on one device. The last one indeed can do 500Mbit, I filtered it out because it lacks wifi and is rack mounted. Wifi can be served separately ofc, but I'd prefer something smaller. – Uprooted Mar 05 '18 at 19:41
  • @Rarity It seems what you're looking for just does not exist as far as Mikrotik hardware goes. You're trying to take business class Internet and run it through a home router. The RB3011 is the cheapest router they have that will handle what you're giving it. – Dessa Simpson Mar 05 '18 at 19:48
  • @Rarity Hold on a second, I take that back. Take a look at this thing: https://mikrotik.com/product/hap_ac2#fndtn-testresults – Dessa Simpson Mar 05 '18 at 19:52
  • @Rarity I have no idea how or why, but somehow the hAP is better at small-packet routing but the RB3011 is better at large-packet routing. – Dessa Simpson Mar 05 '18 at 19:55
  • @Rarity Please upvote and accept my answer if it helped you. – Dessa Simpson May 31 '18 at 16:28
  • I upvoted it before. As to accepting I think David's answer is more to the point. Besides I didn't evaluate your suggestions because it turned out I can use vm on a server as a router without buying extra hardware. – Uprooted May 31 '18 at 19:16
  • @Rarity If you had already accepted his, I must've missed it. Sorry about that. Regarding the vm on a server as a router, that was one of my suggestions - the CHR. – Dessa Simpson May 31 '18 at 19:40
  • Missed that. I guess your answer is indeed closer to final solution. – Uprooted May 31 '18 at 21:02