FastPath Overview in MikroTik v6

And we’re back, so first presentation, now the last one. So let’s talk about interesting technical stuff now. One of our latest developments in RouterOS version 6 is called FastPath, and I will give you all the information that you need to know about that. So where did this original idea of FastPath come from? It was that many clients had a question: why can this Realtek router, doing simple NAT and some stuff, do wire speed, and why, when you have a MikroTik router, do you get a little bit slower performance, so not wire speed? So where is the problem?

Of course, the problem was that some of the hardware has these hardware chips, and they implement features in the hardware. So you can have up to 20 firewall rules, but not more, because the chip doesn’t support more. You can have a NAT rule and that’s basically it. You cannot have a custom configuration and so on. And, as you know, RouterOS has more than a few features. In fact, to explain to some of the customers what happens when in RouterOS, we had to make a packet flow diagram to explain it, so it consists of ring and of course it stops in exactly the right moment.

So this is the RouterOS version 6 packet flow diagram, that basic diagram. If you go deeper, okay, I have to turn it on. Yes, if we go deeper into this and this section, these look like these. So as you can see, there are lots of interesting boxes: bridge dst-nat, use IP firewall and so on. So all those are configuration facilities in RouterOS, and it shows exactly in what order it happens in RouterOS. So, for example, when will you see the address of the packet that originally came to the router, and when will you see the new address that is already NAT-changed, and so on. So you really need that diagram, and of course we have to go even deeper when we go talking about firewall stuff and such things. So basically the whole RouterOS diagram is three pages and lots of explanation.

So that’s why, because packets have to travel through all these facilities, we get a little bit slower performance than wire-speed routers that have hardware features. And that’s why right now we call the regular way a packet is processed through the router a slow path. So slow path is the regular way. So basically, a RouterOS packet needs to check through all the facilities, and it’s a considerable number of steps. Just to illustrate, for example, simple bridge forwarding is going through the diagram like this, and in fact, if you look deeper, there are seven steps in what order simple bridge forwarding has to proceed through RouterOS. If we go for MPLS forwarding, so it’s the next big box, MPLS is much simpler and faster.

So there are only two boxes you need to cross in the case of forwarding, and if we’re talking about the most complex stuff in RouterOS, it’s routing forwarding. So you go through the last box over here. In here it looks quite simple, but you need to remember that each of those boxes stands for many other options over here. So basically, this is the explanation why some of our equipment cannot reach wire speeds when you use some specific features and such things. So that’s why we tried to create the FastPath feature. So if you don’t use most of those features, how can you get the most out of the MikroTik router that you have? So we made a first implementation of FastPath, so the initial implementation of FastPath. So what is FastPath? FastPath is an interface driver extension.

So basically, it’s an addition to the driver of the Ethernet or wireless or tunnels. So basically it allows you to receive, process and send traffic without any unnecessary processing. So basically the RouterOS driver can talk directly to the specific facility that you need and skip everything else. So what do you need to run FastPath? You need interface driver support, you need to have FastPath enabled in the configuration, and you are not supposed to have configuration in some specific facilities. So we’ll talk each step through.

So driver support. As you can see from the list over here, all the newest hardware has the driver support that supports FastPath. So I can show you some of the exceptions. So on the 1100s, as you can see, two ports are missing, 12 and 13 are not here, and also on the 800 and 600, Ethernet port 3 is not here.

Those ports are PCI Express ports, so they are not directly connected to the CPU, so FastPath is not possible on those. That’s why they are excluded from that. Also on the wireless you just need to have a proper package, so it’s wireless-cm2 or wireless-rep or the discontinued wireless-fp, which actually stands for FastPath. But all three packages like these have FastPath support.

If you still use the old wireless package, since it’s an older version, it doesn’t have FastPath support. Next thing, you need to make sure that FastPath is enabled in the configuration. It’s enabled by default, but you can always uncheck this value here for IP forwarding or over here for bridge forwarding, it’s in bridge settings and IP settings, and you can also check how much traffic travels through your device in FastPath mode. So of course, that meant that we needed to change something in our configuration. Before, connection tracking was either on or off, so enabled yes, enabled no. Now we added auto mode.

That means that if you don’t have any rules in your firewall, it will be off automatically; as soon as you add at least one rule, it will enable itself. So this initial FastPath works like this: we basically check all the facilities for any configuration, and if there is no configuration, the bridging decision talks directly to the FastPath in the driver, so the driver already knows exactly where to send that traffic out. So instead of going through the whole diagram, it just sends it to the out interface. That’s it, that’s how FastPath works, only by communicating with the bridging decision. If we’re talking about routing, the principle is exactly the same.

So if there’s no configuration in these facilities, again, the routing decision directly talks to the FastPath in the driver and traffic is sent directly to the next thing. Of course, when we’re talking about routing, there are many more facilities that you need to check to see whether there is any configuration. And with these changes, we actually were able to get the true potential of the hardware out. So if any one of you has seen the routerboard.com page and gone into any of our hardware, we have this table of performance for each product, and you can see what happens if you put the device in simple bridge mode. So simple bridge mode, no other configuration except the bridge, so that means that it is FastPath.

So, as you can see, you can get seven hundred seventy thousand packets per second. As soon as you add 25 bridge firewall rules, you will go out of FastPath. You will go the normal, regular, slow path way, and you see that traffic performance drops drastically, seven times in this case. So if we take a look at the Cloud Core Router, 72 core, you can actually get wire speed when you’re bridging in FastPath.

So basically, I don’t know why, but if you use the 72 core as a switch, so just bridge all the ports together, you can actually work at wire speed without any issues. So that’s 119 million packets per second. Of course, as soon as we started to introduce this FastPath, we realized that we didn’t have tools to actually reach those speeds. So that’s why one of the first features that we had to introduce when we introduced these Cloud Core Routers was our own traffic generator program that can create traffic in enough quantity to load the device. So the whole table that you see there is repeatable in our lab environment using the traffic generator. We have a special manual page from which you can copy/paste the configuration and test it yourself.

Also, until version 6.33 we had a problem, because as soon as you connected with MAC WinBox or MAC Telnet, it switched to a different driver, the Ethernet driver, and switched off FastPath. So if you upgrade to version 6.33 or younger, that problem is gone, so you will be able to use MAC WinBox and MAC Telnet without worrying that your FastPath will be disabled. And one of the first features that guys asked us for when we introduced the new FastPath features was: FastPath is very nice, but it’s skipping all my other facilities, including accounting, so I cannot charge my customer for the traffic anymore. So can you please add support for Traffic Flow?

So that’s why it’s also added. And the most important development, I think, over the last two years, besides the wireless-rep package, is connection tracking FastPath support, so connection tracking plus FastPath. So now in connection tracking you can have entries that have the fasttracked flag. So it’s a special flag in connection tracking, or you can mark those connections with that flag yourself by using the fasttrack connection action in the firewall. Yes, that’s the initial implementation.

Now we added support for connection tracking. Now you can use connection tracking with FastPath, but you have to use it using FastTrack flags. So you yourself choose what connections you want to fast-track. This works only with IP version 4 TCP and UDP traffic. So no IP version 6, no ICMP, nothing else, just these two protocols at the moment.

So why don’t we enable it automatically? Why do you have to choose what goes FastPath and so on? As soon as you put some traffic in this FastTrack FastPath mode, the traffic will become invisible to your other facilities. So imagine the network administrator that finds out that some traffic is arriving at the interface, but he cannot see it in the firewall. That’s like a nightmarish situation for any system administrator that thinks about security. So that’s why we gave this decision to you. You have to make rules with fasttrack connection, and as soon as you make those rules, you already know yourself what traffic goes the direct way and what traffic doesn’t. So it’s your responsibility, you need to track all that.

But, as you probably know, connection tracking has some timeouts, some connection states and so on. So somehow we need to replenish them, refresh them and so on. So that’s why some of the packets will go the regular way, just to make sure that ARP doesn’t time out and the TCP connection doesn’t time out from connection tracking. So they will pass the regular way, fix all the connections, and the rest of the traffic will go the FastPath way. So, basically, this is how it looks in our new connection tracking. I hid the source and destination addresses, as it’s not relevant here, but now for each connection you can see how many bytes and packets arrived and were sent, and how much of that traffic went through the FastTrack, the fast way. So basically what we did, we taught connection tracking to talk directly to the FastTrack so that it can be fast-pathed as in the previous example. So, right now you can have a configuration in the firewall and have FastPath at the same time.

Just to show you an illustration of how it works, this is the default firewall that we send with our default configuration from the factory. Now it comes with fasttrack connection by default. So here we have the fasttrack connection rule. As you can see, this rule captured only 240 megabytes of traffic, but meanwhile, in the same amount of time, this amount of traffic passed through directly without going through the firewall and other facilities. So, as you can see, the number difference is quite impressive.

So in here I just basically mark all the connections that have reached the related and established state in the firewall. I mark them so that they can be fasttracked. It’s quite hard, close to impossible, to actually jump into the middle of a connection and do some bad things there. Most firewalls nowadays are built based on connection state new. So you just check which new connections are opened and so on, and if the new connection goes through your firewall successfully, you assume the rest of the packets from this connection can go without further checking through the FastPath mode.

So, let’s talk numbers. 2011, default home access point setup from Quick Set. Throughput 358 megabits. Load was 100 percent, and if you take a look at the tool profiler, you will see that the firewall is taking 44 percent of this. So that was before FastTrack was invented. We add that one rule that I just showed you: same board, same configuration, throughput in hundred 90 megabits per second, CPU load not 100 percent, and firewall CPU load dropped to six percent. So, with this one simple rule, you can get almost wire speed through our software-based device.

So there’s no more need to buy Realtek to get that performance. So just to summarize, fasttrack connection is an action that works very similarly to mark connection. It makes a change in the connection tracking table. It doesn’t do anything with the packet itself. So that’s why, just to make sure that you don’t drop that packet afterwards, usually, when you implement fasttrack connection, you follow it by exactly the same rule in the firewall that accepts those packets.

The most common setups right now are, first of all, the one that I showed you, where you fasttrack connections that have reached connection state established and related. The second most popular option is that you exclude some specific traffic that you trust for sure, that doesn’t need to go through the firewall. And the third option, you just fasttrack everything local. For example, if you have a DMZ, your local network and the internet, everything that goes from your local network to your local servers, just fasttrack that and take load off your CPU.

So the first time we introduced that, there were many tickets in support: my firewall doesn’t work, my queues don’t work, because guys enabled FastTrack and lost the traffic. I see 50 megabits of traffic coming in, but I cannot capture it in the firewall, help. So we decided to help this way. We introduced a new feature: a special dummy rule, which is actually not a rule, it’s just a simple counter which looks like a rule, and we placed it at the very first position, just so that you open up your firewall and you are reminded that there’s some traffic that will not be captured because it goes the direct way through FastPath.

So this rule is created as soon as you have at least one fasttrack connection in connection tracking, but it will stay there until the last connection with the fasttrack flag is timed out from your connection tracking. So it’s not like I enable the rule and the dynamic rule appears, I disable the fasttrack connection rule and the dynamic rule disappears. It’s based on entries, not on the state of your rule. And again, we introduced that and we got mixed replies. Some of the guys hated the idea of the special dummy rule.

Some of the guys loved the idea. So that’s why we don’t know what to do with queues. Should we introduce a dummy simple queue also? Because on average per day we have at least four tickets stating that my queue doesn’t work, so even without checking, the first question we have to ask is: have you enabled fasttrack connections recently? Yes. That’s why the traffic is going directly. So we are still thinking about that.

But what do you do in the situation when your driver doesn’t have FastPath support? So, for example, you use some kind of tunnel or something like that. Well, it’s actually quite easy. For FastPath to operate, the router needs to receive traffic on a FastPath interface. Then it will go in FastPath mode, so it can travel through the router without any problems, and if slow path is needed, it can slow down. But it doesn’t work the other way. If you receive it on a slow path interface, it cannot speed up and skip something. It will have to go the slow path way all the time. So it’s very, very important to have interface support on the receiving interface, or else you will not be able to use FastPath. So that’s why we had a very busy winter, adding support for logical interfaces. So we added bridge interface support.

So now you can route through the bridge interface, and the bridge interface has FastPath support. We added support for VLANs, VRRPs, bondings on receive, EoIP, GRE and IPIP tunnels, and the most recent development, PPPoE client and L2TP client, which of course together means that FastPath is also available for micro elements feature. But I need to stress it even more: right now this all works only in case you don’t use encryption and you don’t have fragmentation. So fragmentation and FastPath don’t work together. So you need to be very careful if you use tunnels to make sure that you don’t have fragmentation in your network.

You need to have proper MTUs everywhere, change MSS and such things so that there are no fragments, because as soon as a fragment arrives, it will go slow path anyway. So, basically, what we did: if previously we had FastPath in this diagram movement, now you can have FastPath also in this diagram movement with encapsulation and decapsulation. So basically now you can have a configuration where the whole diagram is in FastPath mode.

So, let’s again talk about performance. I had two CCRs, 36 cores, connected with 10G interfaces and running a single tunnel, a single PPPoE tunnel, through them. So if we go way back to 6.7, when we talk about 64-byte packets, it was only 300,000 packets per second. If we go to the first iteration of the upgrade where we made the first optimisation, 6.8rc1, it was 5.5 million packets per second, and now if you enable and configure FastPath you can have almost full wire speed. It’s full wire speed basically, so close to wire speed are these arrived speeds, so a 10G PPPoE connection through the CCR 36 core. The same thing goes here if we have connection tracking on. As you see, the numbers increase. So in this case we can use pure FastPath; in this case we can use only FastTrack because connection tracking is on. So the numbers are quite impressive. So can somebody answer me why there is no 1,500 here or 1518? Yes, exactly. It doesn’t make sense to put it in here because it will be fragmented, and if it’s fragmented, FastPath and FastTrack don’t work, so no benefits for you there.

Okay, so when we talk about these tunnels, so with EoIP, GRE, IPIP and L2TP, we have an option for each tunnel there which is called allow fast path, that you need to check yourself. Again, this is for a reason, because as soon as you check this on, tunnel traffic will become invisible to all the other facilities in RouterOS. So it’s up to you to decide on what tunnels you want to enable FastPath and on what tunnels you don’t. And I will stress again, fragments and encryption don’t work with FastPath. But as I stated in the first slide, some of the traffic, sometimes some of the packets, will go the regular way. So when you’re building up your firewall and your queues, you need to account for that. You just can’t ignore the tunnel traffic. For example, if in the firewall you have a drop-everything-else strategy and you don’t account for tunnel traffic that might drop down to the slow path, you will have a very strange performance. So you always need to prepare your firewall and queues so that they account for the possibility that the tunnel goes to the slow path, because some of the packets need to go slow path to fix the counters and such things.

So next thing, let’s have the same setup as before for PPPoE, now we go for L2TP. As you can see, the numbers here are a little bit lower, but it’s still an impressive increase if you use FastPath and FastTrack compared to the situation when you don’t. So six, seven times faster with FastPath and four times faster with FastTrack.

So let’s have a real-life application: a home router, the provider gives you access through PPPoE client. So in this case you don’t have PPPoE support for FastPath. You can see that it goes the slow path way: firewall is 53% of the CPU, CPU is at 99, and you can get barely three hundred eighty-eight megabits through this device, and everything is loaded. Now we add PPPoE client FastPath support to the equation, and you can see that firewalling is just 2%, CPU load is 95 and speed is 887, which, combined together with the PPPoE overhead, is basically wire speed. So just by simply adding PPPoE client FastPath support you can have this.

One of the things that you also need to remember: one of the last steps in RouterOS is interface queues. When traffic gets out of the interface, it has a last place where it’s queued, and the only queue type that guarantees FastPath all the way is called only-hardware-queue. If you put anything else here, like wireless-default, it has to move to the slow path and then it will leave. So if you want to be pedantic about FastPath all the way through, this is the last step that you need to think about to get traffic through. But don’t worry much, it has a minimal impact on performance as it’s the last step, so only one step needs to go through in slow path mode.

Okay, let’s check if you understood me. I have four tasks for you, and after each task I want you to raise your hand if you think either FastPath will work or will not work. There’s no third option, so think carefully. So the setup is here. We have IPIP1 traffic, an IPIP1 tunnel that’s built on Ethernet 1, so traffic travels through Ethernet 1 encapsulated in the IPIP tunnel and goes out through Ethernet 2. Both of these interfaces have FastPath support, and the IPIP tunnel has the allow fast path setting enabled. So you have IP forwarding with FastPath allowed, you have ICMP traffic and you have a NAT, so masquerade or something like that. So who thinks that this setup will work in FastPath? Who thinks that this setup will not work in FastPath? Okay, and others? Okay, why will it not work in FastPath? Exactly. FastPath works as FastTrack because they will use NAT, and FastTrack works only with UDP and TCP traffic. So because of this ICMP, this setup over here will go in slow path mode.

Okay, next task. We have exactly the same setup, but this time the packet travels the other way, so it arrives through Ethernet 2 and leaves through the IPIP tunnel that’s sending it out via Ether1. So both interfaces have FastPath support, the IPIP tunnel has allow fast path enabled, we have IP forwarding, we have a fasttrack TCP connection and we have simple queues. So who thinks that this setup will work, so FastPath will work? Yes? Okay, yes, my mistake. Okay, let’s assume that it’s enabled. So what happens, will it work? So support is there, this is enabled, this is allowed, TCP fasttrack connection and simple queues. So who thinks that it will work? 1, 2, 3, 4, 5. Okay, it’s getting better by the second. Okay, who thinks that it will not work? So the guys who think that it will work, they are correct, but the queue will not see the traffic. So if you fasttrack the connection, it will skip the queues. It doesn’t matter if they are there or not there, they will be skipped. So in this setup FastPath works, queues don’t. But the question was about FastPath.

Okay, example number 3, a little bit more complex setup. We have 2 ports, wireless and Ethernet, in the bridge, and the traffic arrives through the bridge port, so a wired connection, and leaves through PPPoE out on Ethernet 1. Both interfaces have FastPath support, IP forwarding FastPath is allowed and we have an IP version 6 TCP connection. So who thinks that it will work? Okay, and who thinks that it will not work? Impressive. Why? Exactly. So IP version 6 doesn’t have support at the moment, but it’s one of the things that we are working towards.

And the last example from me. So exactly the same setup, but again the packet travels the other way around, so it arrives from Ether1, from PPPoE, and goes out to the bridge port Ether2. So again both interfaces have FastPath support, we have IP forwarding FastPath allowed and we have a fasttrack TCP connection. So who thinks that it will work? I don’t need to ask the other question. You are correct if you use version 6.5 or younger. If you use an older version, PPPoE client support for FastPath was not added, so that’s why it went the slow path way.

Now, bottom line, just to summarize. FastPath is a feature that allows you to reduce CPU load in specific configurations. It’s not a global solution for everything. So if you have a configuration that runs at 40% CPU load, FastPath will not help you, because we all know that a CPU at 90%, a CPU at 40% or a CPU at 10% still works instantly. The CPU doesn’t have to schedule anything, so it works at the same speed. Here we talk about situations when you get to 100% CPU load. Then you can use FastPath to reduce that load and get more throughput through it. But if your CPU never gets to 100%, there are really no benefits from FastPath for you.

So this... yes? Yeah, I was told that Scandinavians are very green in this regard. But yes, if you use FastPath you will skip all the queues and such things, and that can reduce your latency, but if your queues don’t have congestion and traffic passes without any problems, you should get the same result. It shouldn’t. If you don’t hit 100% on a single-core device, on any core of the CPU, the CPU can handle all the traffic instantly as the tasks come. 90 percent, 70 percent, 50 percent or 10 percent, that doesn’t matter. There is some myth going on in the networking environment that 10 percent CPU load is somehow better than 19 or 90, but it’s not really true. So if you don’t reach 100 percent, you are fine. Of course, we are talking about single-core solutions right now. If you have multiple cores, like the 72-core device, you need to check that not even one of the CPU cores gets to 100%.

But basically, yes, my idea here is you can reduce your CPU load if you use FastPath, and what you do is basically trade some RouterOS functionality for performance. In case you don’t use it, like a typical home user that doesn’t have any queues and has just a basic firewall or something, it’s basically no question, they just trade for more performance and everything is fine. If you are administrating something, you need to choose: for example, can you get more throughput through this access point or through this wireless section and eliminate the possibility of using queues, for example, or such things. Those decisions are up to you. We just give you the tools and you need to decide it yourself.

Next thing, again very, very important, is packet fragments. It’s basically our worst enemy. So please try to avoid any packet fragmentation and fragments so that you can use FastPath properly. And the main thing is that you need FastPath support in the driver itself, so we need to write that driver. So x86 FastPath will not really be possible. There are a million drivers out there and we are not prepared to rewrite them all, especially because we would lose the possibility to upgrade them when the manufacturers upgrade them in the Linux kernel. So on x86, FastPath support will not be coming.

Okay, time for some questions. Tom again. Most probably yes, there will be. Currently there is none, but we have plans for that. So any more questions? Okay, so then everyone is ready for the raffle, to get some prizes, or is everyone waiting for beer after the raffle? So okay, let’s get the stuff going on. So that’s a computer could moose downs. Okay, so I’m not the one that prepares the prizes, I’m just given the list, so I’m just a messenger. So first that will be giving prizes out will be awesome. So I have a few prizes over here, and we will start with a hAP ac. So I hope that it works the first way, usually it doesn’t. I will not try to pronounce your names correctly because it’s... okay, Monica I can pronounce. So first winner. Okay, that was fast. So next one, what do I have next here? So a bonus gift pack from the MUM registration, so exactly the same copy that you’ve already had, you just get an extra. Ullrich, do we have him here? Okay, very nice, here you go. Translations. So one more, Sauron. So Sauron here? No? Three, two, one, zero. If somebody knows Sauron, say in my regards. Arnaz. And as I noticed, the most exciting gift that we could give, because it gets the most attention, is the mAP lite, the smallest device that we have. So Timothy, Timothy, are you here? No? Okay, three, two, one. Still no Timothy. Next one, Allen hold. Yes, okay. Okay, that’s all from MikroTik. So next one is satellite housing then limited a be. Okay, okay, so I think you can handle the microphone. And yeah, I only have one gift, but it’s actually combined of free. We’ve had it on our table the whole day. It’s an M and 19’s and net metal box AC, and it’s also with the flexi cables.
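
The FastTrack caveats from the talk (traffic becomes invisible to the firewall and queues, and the fasttrack rule should be followed by a matching accept rule) can be checked mechanically. The following is an added example, not part of the talk and not MikroTik tooling: a small Python audit over a RouterOS `/export`. The sample export is constructed, and the finding codes and the "accept covers fasttrack" test are assumptions of this sketch.

```python
import shlex

# Constructed sample in the style of a RouterOS "/export"; not taken from the talk.
SAMPLE_EXPORT = r'''
/queue simple
add max-limit=10M/10M name=guest target=192.168.88.0/24
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=fasttrack-connection chain=forward comment="trusted servers" \
    dst-address=10.0.0.0/24
add action=drop chain=forward connection-state=invalid
'''

# Properties that do not change which packets a rule matches.
NON_MATCHERS = {"action", "comment", "disabled", "log", "log-prefix"}


def parse_export(text):
    """Return {menu path: [properties of each 'add' line]} from an export."""
    menus, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):      # exports wrap long lines with a backslash
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):
            current = line
            menus.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            tokens = shlex.split(line[4:])
            menus[current].append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return menus


def _split(rule):
    """Separate a rule's connection-state set from its other matchers."""
    other = {k: v for k, v in rule.items() if k not in NON_MATCHERS}
    states = set(other.pop("connection-state", "").split(",")) - {""}
    return states, other


def accept_covers(accept, fast):
    """True if 'accept' accepts at least every packet 'fast' matches.
    Assumption of this sketch: same matchers, connection-state equal or wider."""
    if accept.get("action", "accept") != "accept" or accept.get("disabled") == "yes":
        return False
    a_states, a_other = _split(accept)
    f_states, f_other = _split(fast)
    state_ok = not a_states or (bool(f_states) and f_states <= a_states)
    return a_other == f_other and state_ok


def audit_fasttrack(menus):
    """Return (rule index or None, finding code) pairs; codes are this sketch's own."""
    rules = menus.get("/ip firewall filter", [])
    findings, seen_fasttrack = [], False
    for i, rule in enumerate(rules):
        if rule.get("action") != "fasttrack-connection" or rule.get("disabled") == "yes":
            continue
        seen_fasttrack = True
        states, _ = _split(rule)
        if not states or not states <= {"established", "related"}:
            # Not tied to connections the firewall already let through.
            findings.append((i, "not-limited-to-established-related"))
        nxt = rules[i + 1] if i + 1 < len(rules) else None
        if nxt is None or not accept_covers(nxt, rule):
            # The action only flags the conntrack entry; the packet still needs an accept.
            findings.append((i, "no-matching-accept-after"))
    if seen_fasttrack and menus.get("/queue simple"):
        # Fasttracked packets skip simple queues, so these limits will not apply to them.
        findings.append((None, "simple-queues-bypassed"))
    return findings


if __name__ == "__main__":
    for index, code in audit_fasttrack(parse_export(SAMPLE_EXPORT)):
        print("rule", index, code)
```

The first finding is a review prompt rather than an error: fasttracking trusted or local traffic without a connection-state match is one of the setups the speaker lists, but it should be a deliberate choice.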
