My MikroTik hEX choking on speed tests. Why?

Connected directly into my ISP's modem in passthrough mode: full gigabit. Through my MikroTik hEX with known-good cables (tested in the previous scenario): ~400 Mbps. The router's CPU is pegged during the test, which seems obvious enough.

The question isn't so much whether it is, but why it is. Obviously its computing power is finite. Are there specific features that are known to cause a heavy load?

As I continue testing, I would love to hear about general experiences with the capabilities of this or similar units. Or, if anybody is inclined to take a look at my attached config and provide direct feedback, that would be awesome.

myconfig.txt (3.8 KB)

I have an hEX S and it's capable of pushing GbE speeds. Make sure you have fasttrack enabled.


Hey there.

Glad you know your cables are good and that your CPU is pegged. I too have a hEX and an hEX S, and each can do line-rate PPPoE plus NAT and a typical firewall with very little CPU. The pegged CPU seems suspicious.

I looked at your config and I didn't see fasttrack entries, as the other person already mentioned. To elaborate on this, I think fasttrack is the first thing to investigate.

From what I can see, you could add these two lines to your firewall as the first two entries. Since rules are evaluated in order, you want to fast-track things first, then let the device ponder other rules only for new and novel connections. :)

add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid

This guide for the RouterOS firewall was helpful to me when I was learning.

After that, I'd consider whether the VPNs are gobbling your CPU. Actually, I may be doing a project where I need to WireGuard all traffic out of some hEX S devices, so I'd be interested to hear back from you about how fast you can make it all go.


You can't fasttrack a WireGuard tunnel, and there is no hardware offloading.

You will need to remove the WireGuard tunnels from your router and enable HW offloading to achieve line-rate speeds, or get a beefier router.

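For reference, here is what the fasttrack advice from the two replies above looks like as actual RouterOS rules. This is an added example, not the contents of the attached myconfig.txt and not a verbatim copy of MikroTik's default configuration; it follows the same pattern as the RouterOS defconf. The interface names ether1 (WAN) and bridge (LAN) are assumptions, and hw-offload=yes is the RouterOS 7 flag that the third reply refers to (it is simply not honoured on hardware that cannot offload). The verification commands at the end are what I would run during a speed test to confirm the fasttrack rule is the one carrying the bytes.

```routeros
# Added example (not from the original post). RouterOS 7 firewall fragment:
# fasttrack established/related forward traffic, keep the input chain
# default-deny, then verify. ether1 = WAN and bridge = LAN are assumptions.

/ip firewall filter

# --- forward chain ---
# "add" appends to the end of the chain, so place-before=0 is used to put the
# fasttrack rule at the very top; rules are evaluated in order, and anything
# above it that touches the same connections (marks, queues) would defeat it.
add chain=forward action=fasttrack-connection hw-offload=yes \
    connection-state=established,related \
    comment="defconf: fasttrack" place-before=0
# The plain accept must directly follow: not every packet of a fasttracked
# connection takes the fast path, and those that don't still need accepting.
add chain=forward action=accept \
    connection-state=established,related,untracked \
    comment="defconf: accept established,related,untracked" place-before=1
add chain=forward action=drop connection-state=invalid \
    comment="defconf: drop invalid"
# Caveat from the reply above: flows crossing a WireGuard interface are not
# fasttracked; they hit the accept rule and still pay the encryption CPU cost.

# --- input chain ---
# The two rules posted above, followed by ICMP (keeps ping and path-MTU
# discovery working), LAN access, and a default drop from the WAN so the
# router itself never answers unsolicited traffic on ether1.
add chain=input action=accept \
    connection-state=established,related,untracked \
    comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid \
    comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept in-interface=bridge comment="accept from LAN"
add chain=input action=drop in-interface=ether1 \
    comment="drop everything else from WAN"

# --- verification, run while a speed test is in progress ---
# Byte counters: the fasttrack rule should climb fast, the plain accept should
# see only a trickle. If the accept rule carries the traffic, fasttrack is not
# taking effect (wrong order, or the flow is not plain IPv4 TCP/UDP).
/ip firewall filter print stats where chain=forward
# Fasttracked connections carry the F flag in the connection table; WireGuard
# flows will not.
/ip firewall connection print
# Per-process CPU over ten seconds: with fasttrack working, the networking
# share should fall well below the pegged level seen before the change.
/tool profile duration=10
```

The drop-from-WAN rule at the end of the input chain is the part I would not skip: it replaces the reactive "block a port when the log shows failed logins" approach with a posture where nothing on the WAN side is reachable unless a rule above explicitly allows it.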

After reading through the MikroTik docs page on fasttrack and setting up the rules, I'm back up to full speed on speed tests. Thank you all for pointing me in the right direction :D

Luckily, in my case one WireGuard client only ever gets up to ~20 Mbps (Moonlight) and the other is limited to ~100 Mbps by the peer. Full load on the second client only gets the CPU into the 40-50% range. I originally intended for the second client to be part of the TrueNAS jail that routes through it, but ran into "don't use wg-go, you have kernel support . . . kernel support is missing" errors, so setting it up through the router ended up being easier.

I'll read that article on firewall setup; so far I've just been keeping an eye on the logs and blocking ports as I see failed login attempts.


I'm reading through some docs on HW offloading now, thanks for the tip.

Glad it worked out :)