Connected directly into my ISP’s modem in passthrough mode, full gigabit. Through my MikroTik hEX with known good cables (tested in a previous scenario), ~400Mbps. The router’s CPU is pegged during the test, which seems obvious enough.
The question isn’t so much whether it is, but why it is. Obviously its computing power is finite. Are there specific features that are known to cause a heavy load?
As I continue testing, I would love to hear about general experiences with the capabilities of this or similar units. Or, if anybody is inclined to take a look at my attached config and provide direct feedback, that would be awesome.
Glad you know your cables are good and that your CPU is pegged. I too have a hEX and hEX S, and they each can do line-rate PPPoE plus NAT and their typical firewalls with very little CPU. The pegged CPU seems suspicious.
I looked at your config and I didn’t see fasttrack entries, as the other person already mentioned. To elaborate on this, I think fasttrack is the first thing to investigate.
From what I can see, you could add these two lines to your firewall as the first two entries. Since rules are evaluated in order, you want to fast-track things first, then let the device ponder other rules only for new and novel connections.
After that, I’d consider whether the VPNs are gobbling your CPU. Actually, I may be doing a project where I need to WireGuard all traffic out of some hEX S devices, so I’d be interested to hear back from you on how fast you can make it all go.
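The two fasttrack rules the reply above is talking about, written out in RouterOS CLI syntax as an added example. This is not the config attached to the thread; the `hw-offload=yes` option and the verification commands assume RouterOS v7 on a hEX, and the `shaped` address list in the optional rule is a hypothetical name.

```routeros
# Added example, not the poster's attached config.
# FastTrack for RouterOS, inserted at the top of the forward chain.
# Only IPv4 TCP/UDP flows that are already established/related get
# fasttracked; the first packets of every new connection still walk the
# full filter, NAT and mangle chains, so the rest of the firewall keeps
# deciding which connections are allowed at all.

/ip firewall filter

# 1) Fasttrack established/related connections. Once a connection is
#    fasttracked, its remaining packets skip the rest of the filter,
#    mangle and queue processing. That is where the CPU savings come
#    from, and also why simple queues and mangle no longer see that
#    traffic. hw-offload=yes is a RouterOS v7 option (assumption: v7 on
#    a hEX); drop it on v6, where the parameter does not exist.
add chain=forward action=fasttrack-connection \
    connection-state=established,related hw-offload=yes \
    comment="fasttrack established/related" place-before=0

# 2) Accept the same traffic for the packets that still reach the
#    filter (the first packets of each flow, and anything fasttrack
#    cannot take). Rule 1 alone does not permit the flow.
add chain=forward action=accept \
    connection-state=established,related \
    comment="accept established/related" place-before=1

# Optional: anything that must keep going through queues or mangle has
# to be handled BEFORE the fasttrack rule, otherwise it is pulled out of
# the slow path along with everything else. "shaped" is a hypothetical
# address list you would populate yourself.
add chain=forward action=accept src-address-list=shaped \
    comment="keep shaped hosts out of fasttrack" place-before=0

# Verification during a speed test: the fasttrack rule's packet counter
# should climb, connections should carry the F (fasttrack) flag, and
# per-process CPU in the profiler should drop well below 100%.
/ip firewall filter print stats where action=fasttrack-connection
/ip firewall connection print where fasttrack=yes
/tool profile
```

Two caveats worth keeping in mind: fasttrack only removes firewall and queue processing from the data path, so any WireGuard traffic is still encrypted and decrypted in software on the hEX's CPU, which is the separate cost the reply asks about; and because fasttracked packets bypass mangle and queues, any traffic shaping or connection marking you rely on has to be excluded from the fasttrack rule explicitly, as in the optional rule above.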
After reading through the MikroTik docs page on fasttrack and setting up the rules, I’m back up to full speed on speed tests. Thank you all for pointing me in the right direction.
Luckily, in my case one WireGuard client only ever gets up to ~20 Mbps (Moonlight) and the other is limited to ~100 Mbps by the peer. Full load on the second client only gets the CPU into the 40%-50% range. I originally intended for the second client to be part of the TrueNAS jail that routes through it, but ran into “don’t use wg-go, you have kernel support . . . kernel support is missing” errors, so setting it up through the router ended up being easier.
I’ll read that article on firewall setup; so far I’ve just been keeping an eye on the logs and blocking ports as I see failed login attempts.