Hi

I have two mikrotik routers connected via 1Gbit/s link. One CCR1016 (6.41) and CCR1009 (6.40)
When I measure link speed using build in bandwidth test I get results about 970Mbps. Its OK.
I added some EOIP (no IPSEC) tunnels and VLAN'a on this connection and when I test bandwidth over tunnel I get very low performance.
Eoip interface has MTU 1458 and VLAN has MTU 1400.

Test between two stations connected to routersTest between routers over EOIPCan it be faster?

sending 1500 octet packets over an MTU of 1400 leads to fragmentation and poor performance.
Match the bw test to the mtu of the eoip link.
for normal trafic, add mangle rules to clamp tcp-mss to pmtu.

In both side I added a mangle rule like that

1 chain=forward action=change-mss new-mss=clamp-to-pmtu passthrough=yes
tcp-flags=syn protocol=tcp log=no log-prefix=""

and it doesn't make no difference.

In both side I added a mangle rule like that

1 chain=forward action=change-mss new-mss=clamp-to-pmtu passthrough=yes
tcp-flags=syn protocol=tcp log=no log-prefix=""

and it doesn't make no difference.

It doesn't make difference for UDP (I see UDP on second screenshot) due tcp clamp istcpclamp.

In both side I added a mangle rule like that

1 chain=forward action=change-mss new-mss=clamp-to-pmtu passthrough=yes
tcp-flags=syn protocol=tcp log=no log-prefix=""

and it doesn't make no difference.

It doesn't make difference for UDP (I see UDP on second screenshot) due tcp clamp istcpclamp.

but iperf uses tcp I guess.

I created a test configuration like this:

Router1
# feb/26/2018 10:43:17 by RouterOS 6.41.2
# software id = 0J1H-G60E
#
# model = 2011UiAS
[admin@TEST1] /interface> print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS
0 R ;;; LAN
ether1 ether 1500 2000 4074 4C:5E:0C:37:B3:BB
1 R ;;; To Test2 Router
ether2 ether 1500 2000 4074 4C:5E:0C:37:B3:BC
2 ether3 ether 1500 1598 4074 4C:5E:0C:37:B3:BD
3 ether4 ether 1500 1598 4074 4C:5E:0C:37:B3:BE
4 ether5 ether 1500 1598 4074 4C:5E:0C:37:B3:BF
5 ether6 ether 1500 1598 2028 4C:5E:0C:37:B3:C0
6 ether7 ether 1500 1598 2028 4C:5E:0C:37:B3:C1
7 ether8 ether 1500 1598 2028 4C:5E:0C:37:B3:C2
8 ether9 ether 1500 1598 2028 4C:5E:0C:37:B3:C3
9 X ether10 ether 1500 1598 2028 4C:5E:0C:37:B3:C4
10 sfp1 ether 1500 1598 4074 4C:5E:0C:37:B3:BA
11 R eoip-tunnel1 eoip 1458 65535 02:9A:7A:EB:49:E7
12 R vlan10 vlan 1500 65531 02:9A:7A:EB:49:E7

[admin@TEST1] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 X 10.10.1.30/24 10.10.1.0 ether1
1 192.168.20.1/24 192.168.20.0 ether2
2 192.168.22.1/24 192.168.22.0 eoip-tunnel1
3 D 10.10.1.92/24 10.10.1.0 ether1
4 10.20.30.1/24 10.20.30.0 vlan10

[admin@TEST1] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 chain=forward action=fasttrack-connection log=no log-prefix=""

[admin@TEST1] /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 10.10.1.1 1
1 ADC 10.10.1.0/24 10.10.1.92 ether1 0
2 ADC 10.20.30.0/24 10.20.30.1 vlan10 0
3 ADC 192.168.20.0/24 192.168.20.1 ether2 0
4 ADC 192.168.22.0/24 192.168.22.1 eoip-tunnel1 0

[admin@TEST1] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""

[admin@TEST1] /interface eoip> print
国旗:X -禁用,R -运行
0 R name="eoip-tunnel1" mtu=auto actual-mtu=1458 l2mtu=65535 mac-address=02:9A:7A:EB:49:E7 arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s loop-protect-disable-time=5m local-address=0.0.0.0
remote-address=192.168.20.2 tunnel-id=0 dscp=inherit clamp-tcp-mss=yes dont-fragment=no allow-fast-path=yes



Router2
# feb/26/2018 10:42:47 by RouterOS 6.41.2
# software id = B215-M847
#
# model = 951G-2HnD
[admin@TEST2] /interface> print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS
0 ether1 ether 1500 1598 4074 4C:5E:0C:B6:4E:2A
1 R ;;; To test1 router
ether2 ether 1500 2000 4074 4C:5E:0C:B6:4E:2B
2 ;;; PC test
ether3 ether 1500 2000 4074 4C:5E:0C:B6:4E:2C
3 ether4 ether 1500 1598 4074 4C:5E:0C:B6:4E:2D
4 ether5 ether 1500 1598 4074 4C:5E:0C:B6:4E:2E
5 X wlan1 wlan 1500 1600 2290 4C:5E:0C:B6:4E:2F
6 R eoip-tunnel1 eoip 1458 65535 02:82:9B:9C:20:3E
7 R vlan10 vlan 1500 65531 02:82:9B:9C:20:3E
[admin@TEST2] /interface> eoip
[admin@TEST2] /interface eoip> print
国旗:X -禁用,R -运行
0 R name="eoip-tunnel1" mtu=auto actual-mtu=1458 l2mtu=65535 mac-address=02:82:9B:9C:20:3E arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s loop-protect-disable-time=5m local-address=0.0.0.0
remote-address=192.168.20.1 tunnel-id=0 dscp=inherit clamp-tcp-mss=yes dont-fragment=no allow-fast-path=yes
[admin@TEST2] /interface eoip> /ip address
[admin@TEST2] / ipaddress> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 192.168.20.2/24 192.168.20.0 ether2
1 192.168.21.254/24 192.168.21.0 ether3
2 192.168.22.2/24 192.168.22.0 eoip-tunnel1
3 10.20.30.2/24 10.20.30.0 vlan10
[admin@TEST2] / ipaddress> /ip firewall filter
[admin@TEST2] / ipfirewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 chain=forward action=fasttrack-connection log=no log-prefix=""
[admin@TEST2] / ipfirewall filter> /ip firewall nat
[admin@TEST2] / ipfirewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=vlan10 log=no log-prefix=""
[admin@TEST2] / ipfirewall nat> /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 10.20.30.1 1
1 ADC 10.20.30.0/24 10.20.30.2 vlan10 0
2 ADC 192.168.20.0/24 192.168.20.2 ether2 0
3 DC 192.168.21.0/24 192.168.21.254 ether3 255
4 ADC 192.168.22.0/24 192.168.22.2 eoip-tunnel1 0




When I test a connection between PC connected to TEST2 on ether3 and PC connected to LAN on TEST1 on ether1 I get results like: 234 Mbits/sec
In the same config but over EOIP not VLAN I get 787 Mbits/sec and without VLAN and EOIP only routing - 849 Mbits/sec

is it possible that VLAN causes such a performance loss? am I doing something wrong?

It is possible depending on how vlans are configured, and can be caused by:
* cpu limitation
* bandwidth limitation of the cpu port

But you didn't provide any info in that regard.

It is possible depending on how vlans are configured, and can be caused by:
* cpu limitation
* bandwidth limitation of the cpu port

But you didn't provide any info in that regard.

I did not do anything with cpu limitation.

I was able to determine that the bandwidth problem occurs when the VLAN is on eoip tunel, when vilan is on ethernet interface speed is 822 Mbit/sec

by cpu limitation I meant processing limits of the cpu

by cpu limitation I meant processing limits of the cpu

Where it sets? If it depends on the cpu limitation settings, why the speed is higher when the VLAN is not in the tunnel?

when I reduce MTU to 1400 on my ethernet interface - speed up to 845 Mbits/sec

by cpu limitation I meant processing limits of the cpu

Where it sets? If it depends on the cpu limitation settings, why the speed is higher when the VLAN is not in the tunnel?

when I reduce MTU to 1400 on my ethernet interface - speed up to 845 Mbits/sec

LOL, not a setting, just what the cpu can do, how fist it can go...

If the packets from your lan are not too large to fit in a single encapsulted packet, you get best performance. That's what you've observed with 1400 mtu on lan, for traffic going tunnel