La Fibre

Datacenter and network equipment => Routers => MikroTik MikroTik RouterOS => Discussion started by: dmfr on 19 October 2023 at 16:11:57

Title: Mikrotik RB5009, IPv6 test
Posted by: dmfr on 19 October 2023 at 16:11:57
Following on from @kaktuss77's tests in the first message, I had some fun testing the RB5009's performance in IPv6, so without fast-track: all packets go through the CPU from end to end.
In return, we no longer have the NAT load.

The principle is simple, to make an iPerf3 loop:
VLAN 10 = 3010::1/64
VLAN 20 = 3020::1/64
===== SFP+ : VLANS(10+20) ======
VM 1 on VLAN 10: 3010::2/64
VM 2 on VLAN 20: 3020::2/64

Test #1:

Config excerpt:
/interface bridge add admin-mac=XXXXXXXXXXXX auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface vlan add interface=bridge name=test-v10 vlan-id=10
/interface vlan add interface=bridge name=test-v20 vlan-id=20
/interface bridge port add bridge=bridge frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1
/interface bridge vlan add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=10,20
/ipv6 address add address=3010::1 interface=test-v10
/ipv6 address add address=3020::1 interface=test-v20

Result:


Test #2, more exotic

Config excerpt:
/interface bridge
add admin-mac=XXXXXXXXX auto-mac=no name=brwan
/interface vlan
add interface=sfp-sfpplus1 name=sfp-sfpplus1.10 vlan-id=10
add interface=sfp-sfpplus1 name=sfp-sfpplus1.20 vlan-id=20
/interface list
add name=LAN
add name=WAN
/interface bridge filter
add action=set-priority chain=output comment="Orange COS dhcpv4" dst-port=67 ip-protocol=udp mac-protocol=ip new-priority=6 out-bridge=brwan passthrough=yes src-port=68
add action=set-priority chain=output comment="Orange COS dhcpv6" dst-port=547 ip-protocol=udp mac-protocol=ipv6 new-priority=6 out-bridge=brwan passthrough=yes src-port=546
add action=set-priority chain=output comment="Orange COS icmpv6 DST (fe00::/7 = fe80::/10 + ff02::/16)" dst-address6=fe00::/7 ip-protocol=icmpv6 mac-protocol=ipv6 new-priority=6 \
    out-bridge=brwan passthrough=yes
add action=set-priority chain=output comment="Orange COS arp" mac-protocol=arp new-priority=6 out-bridge=brwan passthrough=yes
/interface bridge port
add bridge=brwan interface=sfp-sfpplus1.10
/interface list member
add interface=sfp-sfpplus1.20 list=LAN
add interface=brwan list=WAN
/ipv6 address
add address=3010::1 interface=brwan
add address=3020::1 interface=sfp-sfpplus1.20
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall mangle
add action=change-dscp chain=postrouting dscp=!0 new-dscp=0 out-interface-list=WAN
add action=change-dscp chain=postrouting dscp=!0 new-dscp=0 out-interface-list=LAN

Result:


So we end up hitting the limits of the RB5009 from ~5Gbps, on a non-trivial config (thanks Orange), so we're not at "wire-speed", but it's not so bad.
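Added example, not part of the original post and not RouterOS code: a simplified first-match evaluator for the Test #2 IPv6 forward chain, showing which new sessions between the two VLANs the defconf rules let through and which rule every established packet hits. The `packet()` helper and its field names are hypothetical, the sample packets are constructed, and the model assumes first match wins with accept as the default.

```python
import ipaddress
import shlex
# Forward-chain rules copied from the Test #2 export (comments dropped; the
# HIP/IKE/IPsec accept rules are left out because no sample packet uses them).
EXPORT = """
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward src-address-list=bad_ipv6
add action=drop chain=forward dst-address-list=bad_ipv6
add action=drop chain=forward hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward protocol=icmpv6
add action=drop chain=forward in-interface-list=!LAN
"""
BAD_IPV6 = [ipaddress.ip_network(n) for n in (  # bad_ipv6 address list from the export
    "::/128", "::1/128", "fec0::/10", "::ffff:0.0.0.0/96", "::/96",
    "100::/64", "2001:db8::/32", "2001:10::/28", "3ffe::/16")]
IF_LISTS = {"LAN": {"sfp-sfpplus1.20"}, "WAN": {"brwan"}}  # interface list members
RULES = [dict(t.split("=", 1) for t in shlex.split(line)[1:])
         for line in EXPORT.strip().splitlines()]

def matches(rule, pkt):  # every matcher present on the rule must agree
    for key, val in rule.items():
        if key == "connection-state" and pkt["state"] not in val.split(","):
            return False
        if key == "protocol" and pkt["proto"] != val:
            return False
        if key == "hop-limit" and pkt["hop_limit"] != int(val.split(":")[1]):
            return False
        if key.endswith("-address-list"):  # "src"/"dst" prefix selects the field
            addr = ipaddress.ip_address(pkt[key[:3]])
            if not any(addr in net for net in BAD_IPV6):
                return False
        if key == "in-interface-list":
            negated, name = val.startswith("!"), val.lstrip("!")
            if (pkt["in_if"] in IF_LISTS[name]) == negated:
                return False
    return True

def verdict(pkt):  # returns (action, index of the matching rule or None)
    for number, rule in enumerate(RULES):
        if matches(rule, pkt):
            return rule["action"], number
    return "accept", None  # assumption: no match means accept

def packet(in_if, src, dst, state="new", proto="tcp", hop_limit=64):
    return dict(in_if=in_if, src=src, dst=dst, state=state, proto=proto, hop_limit=hop_limit)

if __name__ == "__main__":  # constructed packets: session opened from LAN, then from WAN
    print(verdict(packet("sfp-sfpplus1.20", "3020::2", "3010::2")))
    print(verdict(packet("brwan", "3010::2", "3020::2")))
```

With these rules a new TCP session is forwarded only when it enters on `sfp-sfpplus1.20`; once established, packets in both directions are accepted by the first rule, so the whole transfer depends on connection tracking.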
Title: Mikrotik RB5009, IPv6 test
Posted by: nonolk on 20 October 2023 at 14:35:48
@dmfr, I just wanted to say thank you for this info. I have this router and I was wondering about this, many thanks for sharing.

Could you just give your ROS version?