Hey,
I'm having problems with configuring the vlans on rb5009 (fw 7.13.5). The issue is that with the config below the speed is only ~300Mbps between one of the vlans in the trunk and port 8.
From my investigation it looks like once I allow invalid connection state in the forward chain the speed is back to ~1gbps wire speed, I know I must be doing something wrong, any help appreciated.
I'm having problems with configuring the vlans on rb5009 (fw 7.13.5). The issue is that with the config below the speed is only ~300Mbps between one of the vlans in the trunk and port 8.
From my investigation it looks like once I allow invalid connection state in the forward chain the speed is back to ~1gbps wire speed, I know I must be doing something wrong, any help appreciated.
Code:
# 2024-02-24 10:02:32 by RouterOS 7.13.5# software id = VTG3-U53X## model = RB5009UG+S+######################################## Naming######################################## name the device being configured/system identity set name="Router Lesny"######################################## VLAN Overview######################################## 10 = STAFF_VLAN# 20 = VIDEO_VLAN# 30 = CR_VLAN# 40 = GUESTS_1_VLAN# 50 = GUESTS_2_VLAN# 60 = DEV_SANDBOX_VLAN# 210 = CC_VLAN# 99 = MGMT VLAN######################################## Bridge#######################################/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no######################################## Wireguard#######################################/interface wireguardadd listen-port=13231 mtu=1420 name=wireguard1 private-key=\ "blah blah"/interface wireguard peersadd allowed-address=192.168.100.2/32 interface=wireguard1 public-key=\ "blah blah"add allowed-address=192.168.100.3/32 interface=wireguard1 public-key=\ "blah blah"/ip address add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0######################################### Ports######################################### ingress behavior/interface bridge port# Purple Trunk. Leave pvid set to default of 1add bridge=BR1 interface=ether2add bridge=BR1 interface=ether3add bridge=BR1 interface=ether4add bridge=BR1 interface=ether5add bridge=BR1 interface=ether6add bridge=BR1 interface=ether7# MGMT_VLAN, set aside a port for admin access to Winbox the device.add bridge=BR1 interface=ether8 pvid=99# egress behavior/interface bridge vlan# Purple Trunk. These need IP Services (L3), so add Bridge as memberadd bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=\ 10add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=\ 20add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=\ 30add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=\ 40add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=\ 50add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=\ 80add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=\ 210add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7 untagged=\ ether8 vlan-ids=99######################################## IP Addressing & Routing#######################################/ip dhcp-clientadd interface=ether1######################################## IP Services######################################## MGMT_VLAN interface creation, IP assignment, and DHCP service/interface vlan add interface=BR1 name=MGMT_VLAN vlan-id=99/ip address add address=172.20.0.1/16 interface=MGMT_VLAN network=172.20.0.0/ip pool add name=MGMT_POOL ranges=172.20.128.1-172.20.255.254/ip dhcp-server add address-pool=MGMT_POOL interface=MGMT_VLAN name=MGMT_DHCP disabled=no/ip dhcp-server network add address=172.20.0.0/16 dns-server=172.20.0.1 gateway=172.20.0.1# STAFF_VLAN interface creation, IP assignment, and DHCP service/interface vlan add interface=BR1 name=STAFF_VLAN vlan-id=10/ip address add address=172.21.0.1/16 interface=STAFF_VLAN network=172.21.0.0/ip pool add name=STAFF_POOL ranges=172.21.128.1-172.21.255.254/ip dhcp-server add address-pool=STAFF_POOL interface=STAFF_VLAN name=STAFF_DHCP disabled=no/ip dhcp-server network add address=172.21.0.0/16 dns-server=172.21.0.1 gateway=172.21.0.1# VIDEO_VLAN interface creation, IP assignment, and DHCP service/interface vlan add interface=BR1 name=VIDEO_VLAN vlan-id=20/ip address add address=172.22.0.1/16 interface=VIDEO_VLAN network=172.22.0.0/ip pool add name=VIDEO_POOL ranges=172.22.128.1-172.22.255.254/ip dhcp-server option add code=43 name=infomir value="0x1635687474703a2f2f6d6964646c6577617265312e6c\ 65736e792f7374616c6b65725f706f7274616c2f632f696e6465782e68746d6c00"/ip dhcp-server add address-pool=VIDEO_POOL interface=VIDEO_VLAN name=VIDEO_DHCP disabled=no/ip dhcp-server network add address=172.22.0.0/16 dhcp-option=infomir dns-server=172.22.0.1 gateway=172.22.0.1 ntp-server=172.22.0.1# CR_VLAN interface creation, IP assignment, and DHCP service/interface vlan add interface=BR1 name=CR_VLAN vlan-id=30/ip address add address=172.23.0.1/16 interface=CR_VLAN network=172.23.0.0/ip pool add name=CR_POOL ranges=172.23.128.1-172.23.255.254/ip dhcp-server add address-pool=CR_POOL interface=CR_VLAN name=CR_DHCP disabled=no/ip dhcp-server network add address=172.23.0.0/16 dns-server=172.23.0.1 gateway=172.23.0.1# GUESTS_1_VLAN interface creation, IP assignment, and DHCP service/interface vlan add interface=BR1 name=GUESTS_1_VLAN vlan-id=40/ip address add address=172.24.0.1/16 interface=GUESTS_1_VLAN network=172.24.0.0/ip pool add name=GUESTS_1_POOL ranges=172.24.128.1-172.24.255.254/ip dhcp-server add address-pool=GUESTS_1_POOL interface=GUESTS_1_VLAN name=GUESTS_1_DHCP disabled=no/ip dhcp-server network add address=172.24.0.0/16 dns-server=172.24.0.1 gateway=172.24.0.1# GUESTS_2_VLAN interface creation, IP assignment, and DHCP service/interface vlan add interface=BR1 name=GUESTS_2_VLAN vlan-id=50/ip address add address=172.25.0.1/16 interface=GUESTS_2_VLAN network=172.25.0.0/ip pool add name=GUESTS_2_POOL ranges=172.25.128.1-172.25.255.254/ip dhcp-server add address-pool=GUESTS_2_POOL interface=GUESTS_2_VLAN name=GUESTS_2_DHCP disabled=no/ip dhcp-server network add address=172.25.0.0/16 dns-server=172.25.0.1 gateway=172.25.0.1# DEV_SANDBOX_VLAN interface creation, IP assignment, and DHCP service/interface vlan add interface=BR1 name=DEV_SANDBOX_VLAN vlan-id=60/ip address add address=172.26.0.1/16 interface=DEV_SANDBOX_VLAN network=172.26.0.0/ip pool add name=DEV_SANDBOX_POOL ranges=172.26.128.1-172.26.255.254/ip dhcp-server add address-pool=DEV_SANDBOX_POOL interface=DEV_SANDBOX_VLAN name=DEV_SANDBOX_DHCP disabled=no/ip dhcp-server network add address=172.26.0.0/16 dns-server=172.26.0.1 gateway=172.26.0.1# CC_VLAN interface creation, IP assignment, and DHCP service/interface vlan add interface=BR1 name=CC_VLAN vlan-id=210/ip address add address=192.168.1.1/24 interface=CC_VLAN network=192.168.1.0 disabled=yes################### DHCP static##################/ip dhcp-server leaseadd address=172.20.2.32 client-id=1:e4:5f:1:c4:3e:64 mac-address=\ E4:5F:01:C4:3E:64 server=MGMT_DHCPadd address=172.22.2.32 client-id=1:e4:5f:1:c4:3e:64 mac-address=\ E4:5F:01:C4:3E:64 server=VIDEO_DHCPadd address=172.20.2.10 client-id=1:b8:27:eb:dd:f7:86 mac-address=\ B8:27:EB:DD:F7:86 server=MGMT_DHCPadd address=172.22.2.10 client-id=1:b8:27:eb:dd:f7:86 mac-address=\ B8:27:EB:DD:F7:86 server=VIDEO_DHCPadd address=172.20.0.55 client-id=1:e0:46:ee:10:a9:ca mac-address=\ E0:46:EE:10:A9:CA server=MGMT_DHCPadd address=172.23.3.101 mac-address=44:07:0B:E9:F4:9B server=\ CR_DHCPadd address=172.24.2.10 client-id=1:b8:27:eb:dd:f7:86 mac-address=\ B8:27:EB:DD:F7:86 server=GUESTS_1_DHCPadd address=172.23.2.10 client-id=1:b8:27:eb:dd:f7:86 mac-address=\ B8:27:EB:DD:F7:86 server=CR_DHCPadd address=172.23.3.99 client-id=1:d4:ab:cd:b7:33:e7 mac-address=\ D4:AB:CD:B7:33:E7 server=CR_DHCPadd address=172.20.2.11 client-id=1:d8:3a:dd:ba:29:68 mac-address=\ D8:3A:DD:BA:29:68 server=MGMT_DHCPadd address=172.22.2.11 client-id=1:d8:3a:dd:ba:29:68 mac-address=\ D8:3A:DD:BA:29:68 server=VIDEO_DHCPadd address=172.23.2.11 client-id=1:d8:3a:dd:ba:29:68 mac-address=\ D8:3A:DD:BA:29:68 server=CR_DHCPadd address=172.24.2.11 client-id=1:d8:3a:dd:ba:29:68 mac-address=\ D8:3A:DD:BA:29:68 server=GUESTS_1_DHCPadd address=172.23.3.100 mac-address=44:09:B8:13:7B:E6 server=\ CR_DHCPadd address=172.20.1.60 client-id=1:f0:a7:31:d5:62:b4 mac-address=\ F0:A7:31:D5:62:B4 server=MGMT_DHCPadd address=172.20.1.20 client-id=1:5c:e9:31:81:c0:61 mac-address=\ 5C:E9:31:81:C0:61 server=MGMT_DHCPadd address=172.20.1.101 client-id=1:5c:e9:31:fb:83:5c mac-address=\ 5C:E9:31:FB:83:5C server=MGMT_DHCP################### DNS##################/ip dnsset allow-remote-requests=yes servers=8.8.8.8######################################## Firewalling & NAT#######################################/interface listadd name=WANadd name=VLANadd name=MGMTadd include=WAN name=STAFF_ACCESSadd include=WAN name=DEV_SANDBOX_ACCESSadd include=WAN name=GUESTS_1_ACCESSadd include=WAN name=GUESTS_2_ACCESSadd include=WAN name=VIDEO_ACCESSadd name=CC_ACCESSadd include=WAN name=CR_ACCESS/interface list memberadd interface=ether1 list=WANadd interface=MGMT_VLAN list=VLANadd interface=STAFF_VLAN list=VLANadd interface=VIDEO_VLAN list=VLANadd interface=CR_VLAN list=VLANadd interface=GUESTS_1_VLAN list=VLANadd interface=GUESTS_2_VLAN list=VLANadd interface=DEV_SANDBOX_VLAN list=VLANadd interface=CC_VLAN list=VLANadd interface=MGMT_VLAN list=MGMTadd interface=wireguard1 list=MGMTadd interface=DEV_SANDBOX_VLAN list=STAFF_ACCESSadd interface=CC_VLAN list=STAFF_ACCESSadd disabled=yes interface=MGMT_VLAN list=VIDEO_ACCESS/ip firewall filter################### INPUT CHAIN##################add action=accept chain=input comment="Allow Estab & Related" \ connection-state=established,relatedadd action=accept chain=input comment="allow WireGuard" dst-port=13231 \ protocol=udpadd action=accept chain=input comment="allow WireGuard traffic" src-address=\ 192.168.100.0/24add action=accept chain=input comment="Allow VLAN icmp" in-interface-list=\ VLAN protocol=icmpadd action=accept chain=input comment="Allow VLAN NTP" dst-port=123 \ in-interface-list=VLAN protocol=udpadd action=accept chain=input comment="Allow VLAN DNS" dst-port=53 \ in-interface-list=VLAN protocol=udpadd action=accept chain=input comment="Allow VLAN DHCP" dst-port=67 \ in-interface-list=VLAN protocol=udpadd action=accept chain=input comment="Allow Base_Vlan Full Access" \ in-interface=MGMT_VLANadd action=drop chain=input comment=Drop################### FORWARD CHAIN##################add action=fasttrack-connection chain=forward comment="Allow Estab & Related fasttrack" \ connection-state=established,related hw-offload=yesadd action=accept chain=forward comment="Allow Estab & Related" \ connection-state=established,relatedadd action=accept chain=forward comment="MGMT-ALL routing" connection-state=\ new in-interface-list=MGMTadd action=accept chain=forward comment="CC routing" connection-state=new \ in-interface=CC_VLAN out-interface-list=CC_ACCESSadd action=accept chain=forward comment="CR routing" \ connection-state=new in-interface=CR_VLAN out-interface-list=\ CR_ACCESSadd action=accept chain=forward comment="GUESTS_1 routing" connection-state=\ new in-interface=GUESTS_1_VLAN out-interface-list=GUESTS_1_ACCESSadd action=accept chain=forward comment="GUESTS_2 routing" connection-state=\ new in-interface=GUESTS_2_VLAN out-interface-list=GUESTS_2_ACCESSadd action=accept chain=forward comment="STAFF routing" connection-state=new \ in-interface=STAFF_VLAN out-interface-list=STAFF_ACCESSadd action=accept chain=forward comment="VIDEO routing" connection-state=new \ in-interface=VIDEO_VLAN out-interface-list=VIDEO_ACCESSadd action=accept chain=forward comment="DEV_SANDBOX routing" \ connection-state=new in-interface=DEV_SANDBOX_VLAN out-interface-list=\ DEV_SANDBOX_ACCESSadd action=drop chain=forward comment="Drop forward"################### NAT##################/ip firewall natadd action=masquerade chain=srcnat comment="Default masquerade" \ out-interface-list=WAN######################################## VLAN Security#######################################/interface bridge portset bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether2]set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether3]set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether4]set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether5]set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether6]set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether7]set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether8]######################################## Services settings#######################################/ip serviceset telnet disabled=yesset ftp disabled=yes/system noteset show-at-login=no######################################## clock and NTP Server settings#######################################/system clockset time-zone-name=Europe/Warsaw/system ntp clientset enabled=yes/system ntp serverset enabled=yes/system ntp client serversadd address=pool.ntp.org######################################## MAC Server settings#######################################/ip neighbor discovery-settingsset discover-interface-list=MGMT/tool mac-serverset allowed-interface-list=none/tool mac-server mac-winboxset allowed-interface-list=MGMT######################################## Turn on VLAN mode#######################################/interface bridge set BR1 vlan-filtering=yesStatistics: Posted by ostryck — Sun Feb 25, 2024 1:36 am