Following on from @kaktuss77's tests in the first message, I had some fun testing the RB5009's performance in IPv6, i.e. without fast-track, so every packet goes through the CPU end to end.
On the other hand, there's no NAT load anymore.
The principle is simple, to make an iPerf3 loop:
VLAN 10 = 3010::1/64
VLAN 20 = 3020::1/64
===== SFP+ : VLANS(10+20) ======
VM 1 on VLAN 10 : 3010::2/64
VM 2 on VLAN 20 : 3020::2/64
Test #1:
- a single bridge + vlan filtering (as recommended by Mtk)
- no firewall, filtering, mangle... nothing
Config extract:
/interface bridge add admin-mac=XXXXXXXXXXXX auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface vlan add interface=bridge name=test-v10 vlan-id=10
/interface vlan add interface=bridge name=test-v20 vlan-id=20
/interface bridge port add bridge=bridge frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1
/interface bridge vlan add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=10,20
/ipv6 address add address=3010::1 interface=test-v10
/ipv6 address add address=3020::1 interface=test-v20
Result:
- single-thread: ~2.70 Gbps, one core at 100%, the other 3 at 0%
- parallel (-P 4): ~8/9 Gbps, all 4 cores at 90/95%
- I have doubts about my test machine (an old Xeon under Proxmox) being able to sustain 20 Gbps (in+out)
- so we can say the RB5009 is able to swallow ~10 Gbps of "throughput", without fast-track
Test #2, more exotic: a dedicated WAN bridge "brwan", with bridge filter rules (to simulate a QoS=6 on DHCP)
- standard firewall rules
- a broad mangle rule, to reset the DSCP to 0
- the idea is to simulate an Orange-style config
Config extract:
/interface bridge
add admin-mac=XXXXXXXXX auto-mac=no name=brwan
/interface vlan
add interface=sfp-sfpplus1 name=sfp-sfpplus1.10 vlan-id=10
add interface=sfp-sfpplus1 name=sfp-sfpplus1.20 vlan-id=20
/interface list
add name=LAN
add name=WAN
/interface bridge filter
add action=set-priority chain=output comment="Orange COS dhcpv4" dst-port=67 ip-protocol=udp mac-protocol=ip new-priority=6 out-bridge=brwan passthrough=yes src-port=68
add action=set-priority chain=output comment="Orange COS dhcpv6" dst-port=547 ip-protocol=udp mac-protocol=ipv6 new-priority=6 out-bridge=brwan passthrough=yes src-port=546
add action=set-priority chain=output comment="Orange COS icmpv6 DST (fe00::/7 = fe80::/10 + ff02::/16)" dst-address6=fe00::/7 ip-protocol=icmpv6 mac-protocol=ipv6 new-priority=6 \
out-bridge=brwan passthrough=yes
add action=set-priority chain=output comment="Orange COS arp" mac-protocol=arp new-priority=6 out-bridge=brwan passthrough=yes
/interface bridge port
add bridge=brwan interface=sfp-sfpplus1.10
/interface list member
add interface=sfp-sfpplus1.20 list=LAN
add interface=brwan list=WAN
/ipv6 address
add address=3010::1 interface=brwan
add address=3020::1 interface=sfp-sfpplus1.20
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall mangle
add action=change-dscp chain=postrouting dscp=!0 new-dscp=0 out-interface-list=WAN
add action=change-dscp chain=postrouting dscp=!0 new-dscp=0 out-interface-list=LAN
Result:
- single-thread: ~2.5/2.6 Gbps, almost identical to test #1, one core at 100%, the other 3 fluctuating between 10 and 40%
- so the filter rules (and maybe the firewall?) seem to get spread across the other, less busy cores
- parallel (-P 4): ~5.4 Gbps, all 4 cores at 100%
- the temperature stabilises around 45°C after 1h of load, versus 38°C idle
So we start hitting the RB5009's limits from ~5 Gbps on a non-trivial config (thanks Orange); it's not "wire-speed", but it's not so bad.
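To reproduce the iperf3 loop above and get the same kind of Gbps figures, here is an added helper (my code, not from the post or from MikroTik). It builds the client command line for the VLAN 20 VM address used in the post, and turns iperf3's JSON report into sender/receiver Gbps plus a retransmit check, which is what tells you whether the router (or the test host) is dropping packets under load. The sample JSON at the bottom is constructed and shaped like iperf3 -J output; the values in it are illustrative, not measurements.

```python
"""Added example: drive the iperf3 loop from the post and summarise its JSON output.
Not code from the post; the sample report below is constructed."""
import json
import subprocess
from typing import Optional

VM2_IPV6 = "3020::2"   # iperf3 server on VLAN 20, as in the post's setup (assumption)


def iperf3_cmd(server: str, parallel: int = 1, seconds: int = 30) -> list:
    """argv for the client side: -6 forces IPv6, -J gives JSON, -P N runs N parallel streams."""
    cmd = ["iperf3", "-6", "-c", server, "-t", str(seconds), "-J"]
    if parallel > 1:
        cmd += ["-P", str(parallel)]
    return cmd


def summarise(report: dict) -> dict:
    """Reduce an iperf3 -J report to the numbers quoted in the post (Gbps, stream count).

    The receiver figure is the real goodput; a sender figure well above it, together
    with a high retransmit count, means the path is dropping and TCP is resending.
    """
    end = report["end"]
    sent = end["sum_sent"]["bits_per_second"] / 1e9
    recv = end["sum_received"]["bits_per_second"] / 1e9
    streams = len(end.get("streams", []))
    retrans = end["sum_sent"].get("retransmits", 0)
    loss_pct = (sent - recv) / sent * 100 if sent else 0.0
    return {
        "streams": streams,
        "sent_gbps": round(sent, 2),
        "recv_gbps": round(recv, 2),
        "retransmits": retrans,
        "loss_pct": round(loss_pct, 2),
    }


def run_loop_test(parallel: int = 1) -> Optional[dict]:
    """Actually invoke iperf3 against the VLAN 20 VM; returns None when iperf3 is absent or fails."""
    try:
        proc = subprocess.run(iperf3_cmd(VM2_IPV6, parallel),
                              capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return summarise(json.loads(proc.stdout))


# Constructed sample shaped like the "end" section of iperf3 -J for a -P 4 run.
SAMPLE_P4 = json.dumps({
    "end": {
        "streams": [{}, {}, {}, {}],
        "sum_sent": {"bits_per_second": 8.9e9, "retransmits": 120},
        "sum_received": {"bits_per_second": 8.6e9},
    }
})

if __name__ == "__main__":
    # Offline demo on the constructed sample; run_loop_test(4) does the real thing.
    print(summarise(json.loads(SAMPLE_P4)))
```

Run the client from the VM that can open connections towards the other one, and read recv_gbps rather than sent_gbps: with a saturated RB5009 the two diverge and the retransmit count climbs.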
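Since test #2 keeps the defconf IPv6 forward chain, here is an added model of that chain (my code, not the post's and not MikroTik's) to check which rule a given packet hits. It copies the bad_ipv6 prefixes and the rule order from the config extract, and shows two things worth knowing when reading the numbers: the bogon drops sit before the ICMPv6 accept, so ICMPv6 from a documentation or IPv4-mapped source is dropped, and a new TCP flow entering from the brwan side (the WAN list) is dropped by the last rule, so the iperf3 client has to live on the VLAN 20 (LAN) side. The ipsec-policy rule is not modelled, and all packets are constructed.

```python
"""Added example: first-match evaluation of the defconf IPv6 forward chain from the post.
Not the router's code; packet fields and sample packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# bad_ipv6 address list, copied from the /ipv6 firewall address-list section of the post
BAD_IPV6 = [ipaddress.ip_network(p) for p in (
    "::/128", "::1/128", "fec0::/10", "::ffff:0.0.0.0/96", "::/96",
    "100::/64", "2001:db8::/32", "2001:10::/28", "3ffe::/16",
)]


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str            # "tcp", "udp", "icmpv6", "ipsec-ah", "ipsec-esp", "139" (HIP)
    in_iface_list: str       # interface list of the ingress port: "LAN" or "WAN"
    conn_state: str = "new"  # new, established, related, untracked, invalid
    dst_port: Optional[int] = None
    hop_limit: int = 64


def matched_bogon(addr: str) -> Optional[str]:
    """Return the bad_ipv6 prefix containing addr, or None (mirrors src/dst-address-list=bad_ipv6)."""
    a = ipaddress.ip_address(addr)
    for net in BAD_IPV6:
        if a in net:
            return str(net)
    return None


def forward_chain(p: Packet) -> Tuple[str, str]:
    """Walk the forward rules in the order of the config extract; first match wins.
    A packet that matches nothing falls off the chain and RouterOS accepts it."""
    if p.conn_state in ("established", "related", "untracked"):
        return "accept", "accept established,related,untracked"
    if p.conn_state == "invalid":
        return "drop", "drop invalid"
    if matched_bogon(p.src):
        return "drop", "drop packets with bad src ipv6"
    if matched_bogon(p.dst):
        return "drop", "drop packets with bad dst ipv6"
    if p.protocol == "icmpv6" and p.hop_limit == 1:
        return "drop", "rfc4890 drop hop-limit=1"
    if p.protocol == "icmpv6":
        return "accept", "accept ICMPv6"
    if p.protocol == "139":
        return "accept", "accept HIP"
    if p.protocol == "udp" and p.dst_port in (500, 4500):
        return "accept", "accept IKE"
    if p.protocol in ("ipsec-ah", "ipsec-esp"):
        return "accept", "accept " + p.protocol
    # ipsec-policy=in,ipsec not modelled: it needs IPsec SA state this toy lacks
    if p.in_iface_list != "LAN":
        return "drop", "drop everything else not coming from LAN"
    return "accept", "end of chain (implicit accept)"


if __name__ == "__main__":
    # iperf3 SYN from the VLAN 20 VM (LAN list) towards the VLAN 10 VM behind brwan
    print(forward_chain(Packet("3020::2", "3010::2", "tcp", "LAN", dst_port=5201)))
    # the same flow started from the brwan side is refused by the last rule
    print(forward_chain(Packet("3010::2", "3020::2", "tcp", "WAN", dst_port=5201)))
```

The order also explains why the "drop packets with bad src ipv6" rule costs a list lookup on every new packet: it runs for everything that is not already a tracked connection, which is exactly the per-packet CPU work that fast-track would otherwise skip.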