Channel: All EdgeRouter posts

Re: Newbie: Edge router X cannot access


Interesting - I must have overlooked that. Just noticed the line in 2.0.0 changelog, which is also slightly different:
1.10.6: [Config] - Enable DHCP client on eth1 in default configuration
2.0.0: [DHCP] - Enable DHCP on eth1 in factory default configuration

Re: ERPro-8 ipv4 Offload will not turn on


 wrote:

So port forwarding with translation will stop the hardware offload?


No, that will still work with offloading.

 

If you're adding "modify" rules as above (for example to alter the dscp value of a packet), that disables offloading.  But these modify rules are not required for port forwarding and translation, you do that with NAT rules.

Re: ERPro-8 ipv4 Offload will not turn on


I'm having this same issue where I can't get hardware offload to turn on.  

 

Attached is my Config, I can't figure out what's causing the hardware offload to not enable.

 

Thanks for any help you can provide. 

Re: ERPro-8 ipv4 Offload will not turn on


 wrote:

I'm having this same issue where I can't get hardware offload to turn on.  

 

Attached is my Config, I can't figure out what's causing the hardware offload to not enable.

 

Thanks for any help you can provide. 


It's your bridge interface. Bridging cannot be offloaded.

 

It looks like you have the ER-PoE.  eth2, eth3, and eth4 can be members of the switch0 interface.  Delete the bridge entirely, and give the switch0 interface the address 192.168.10.1/24.  You can't use eth1 anymore on that network but you'll gain offloading.  If you need more ports and don't plan to use vlans, a cheap switch will be fine.

Re: ERPro-8 ipv4 Offload will not turn on


 wrote:

 wrote:

I'm having this same issue where I can't get hardware offload to turn on.  

 

Attached is my Config, I can't figure out what's causing the hardware offload to not enable.

 

Thanks for any help you can provide. 


It's your bridge interface. Bridging cannot be offloaded.

 


Actually, bridging doesn't disable offloading.  Instead, it is only traffic through a bridge that is not eligible to be offloaded, though traffic through non-bridged interfaces can still be offloaded (if offloading is enabled).

However, enabling netflow ('flow accounting') does disable offloading, and this is also configured here.  From a configure prompt, 'delete system flow-accounting' will remove this entirely and allow offloading to be enabled, but then netflow is lost.  Since it looks like UNMS is also configured, this likely was enabled by UNMS.

 

 

Re: ERPro-8 ipv4 Offload will not turn on


YES! That was it, I think you're right. I recently set up a UNMS server and joined it.

 

I still get 100% CPU usage when downloading anything around 100-110mbit...

 

Cheers for the quick replies! 

Re: Disabling or blocking the inter-lan between the ports eth1 and eth2 via firewall.


To echo redfive:

 

You have the same network, i.e. 192.168.0.0/24, on two different interfaces. This is an invalid configuration because, by the very nature of routers, they need a Network ID to route traffic to.

 

You can change one of the interfaces to a different subnet, such as 192.168.1.0/24 or 192.168.2.0/24 or similar. 

 

By default, Edge Routers will route traffic between the interfaces. So you will need to create an IN firewall policy that limits or denies the traffic to the other interface.

IPV6 on Edge Router X (Comcast)


I know my Comcast connection supports IPV6 as I can get it working on the Comcast router.

I've followed several threads here on the forums, and many people have it working; however, for some reason I cannot.

I believe I'm almost there; it's probably just a firewall rule issue at this point.  The router itself is able to ping an IPv6 host from the CLI.

However, when I try pinging from a connected client, it appears to resolve hosts to IPv6 addresses correctly, but cannot get a response.  This is why I believe it's a firewall issue perhaps?

 

Here's my config:

 

 

 firewall {
     all-ping enable
     broadcast-ping disable
     ipv6-name WAN6_IN {
         default-action drop
         description "IPv6 packets from the internet to LAN and WAN"
         enable-default-log
         rule 1 {
             action accept
             description "Allow established and related packets"
             state {
                 established enable
                 related enable
             }
         }
         rule 2 {
             action drop
             description "Drop invalid packets"
             log enable
             state {
                 invalid enable
             }
         }
         rule 3 {
             action accept
             description "Allow ICMPv6 packets"
             log enable
             protocol icmpv6
         }
     }
     ipv6-name WAN6_LOCAL {
         default-action drop
         description "IPv6 packets from internet to router"
         enable-default-log
         rule 1 {
             action accept
             description "Allow established and related packets"
             state {
                 established enable
                 related enable
             }
         }
         rule 2 {
             action drop
             description "Drop invalid packets"
             log enable
             state {
                 invalid enable
             }
         }
         rule 3 {
             action accept
             description "Allow ICMPv6 packets"
             log enable
             protocol icmpv6
         }
     }
     ipv6-receive-redirects disable
     ipv6-src-route disable
     ip-src-route disable
     log-martians enable
     name WAN_IN {
         default-action drop
         description "WAN to internal"
         rule 10 {
             action accept
             description "Allow established/related"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
     }
     name WAN_LOCAL {
         default-action drop
         description "WAN to router"
         rule 10 {
             action accept
             description "Allow established/related"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
     }
     receive-redirects disable
     send-redirects enable
     source-validation disable
     syn-cookies enable
 }
 interfaces {
     ethernet eth0 {
         address dhcp
         description Internet
         dhcpv6-pd {
             pd 0 {
                 interface eth3 {
                 }
                 prefix-length /64
             }
             rapid-commit enable
         }
         duplex auto
         firewall {
             in {
                 ipv6-name WAN6_IN
                 name WAN_IN
             }
             local {
                 ipv6-name WAN6_LOCAL
                 name WAN_LOCAL
             }
         }
         speed auto
     }
     ethernet eth1 {
         description Local
         duplex auto
         speed auto
     }
     ethernet eth2 {
         description Local
         duplex auto
         speed auto
     }
     ethernet eth3 {
         description Local
         duplex auto
         ipv6 {
             dup-addr-detect-transmits 1
             router-advert {
                 cur-hop-limit 64
                 link-mtu 0
                 managed-flag true
                 max-interval 600
                 other-config-flag false
                 prefix ::/64 {
                     autonomous-flag true
                     on-link-flag true
                     valid-lifetime 2592000
                 }
                 reachable-time 0
                 retrans-timer 0
                 send-advert true
             }
         }
         speed auto
     }
     ethernet eth4 {
         description Local
         duplex auto
         speed auto
     }
     loopback lo {
     }
     switch switch0 {
         address 10.1.1.1/24
         description Local
         mtu 1500
         switch-port {
             interface eth1 {
             }
             interface eth2 {
             }
             interface eth3 {
             }
             interface eth4 {
             }
             vlan-aware disable
         }
     }
 }
 port-forward {
     auto-firewall enable
     hairpin-nat disable
     wan-interface eth0
 }
 service {
     dhcp-server {
         disabled false
         hostfile-update disable
         shared-network-name LAN {
             authoritative enable
             subnet 10.1.1.0/24 {
                 default-router 10.1.1.1
                 dns-server 1.1.1.1
                 dns-server 1.0.0.1
                 lease 86400
                 start 10.1.1.100 {
                     stop 10.1.1.200
                 }
                 static-mapping DESKTOP-95AN7PU {
                     ip-address 10.1.1.126
                     mac-address xxx
                 }
                 static-mapping Nemesis {
                     ip-address 10.1.1.125
                     mac-address xxx
                 }
                 static-mapping XboxOneS {
                     ip-address 10.1.1.95
                     mac-address xxx
                 }
                 unifi-controller 10.1.1.125
             }
         }
         static-arp disable
         use-dnsmasq disable
     }
     dns {
         dynamic {
             interface eth0 {
                 service afraid {
                     host-name xxx
                     login xxx
                     password xxx
                     server xxx
                 }
                 web xxx
             }
         }
         forwarding {
             cache-size 3072
             listen-on switch0
         }
     }
     gui {
         http-port 80
         https-port 443
         older-ciphers enable
     }
     nat {
         rule 5010 {
             description "masquerade for WAN"
             outbound-interface eth0
             type masquerade
         }
     }
     ssh {
         port 22
         protocol-version v2
     }
     unms {
         disable
     }
 }
 system {
     host-name ubnt
     login {
         user stadmin {
             authentication {
                 encrypted-password xxxxxx
             }
             level admin
         }
     }
     ntp {
         server 0.ubnt.pool.ntp.org {
         }
         server 1.ubnt.pool.ntp.org {
         }
         server 2.ubnt.pool.ntp.org {
         }
         server 3.ubnt.pool.ntp.org {
         }
     }
     offload {
         hwnat enable
     }

     syslog {
         global {
             facility all {
                 level notice
             }
             facility protocols {
                 level debug
             }
         }
     }
     time-zone America/Indiana/Indianapolis
     traffic-analysis {
         dpi enable
         export enable
     }
 }
 traffic-control {
     smart-queue SQ1 {
         download {
             ecn enable
             flows 1024
             fq-quantum 1514
             limit 10240
             rate 90.5mbit
         }
         upload {
             ecn enable
             flows 1024
             fq-quantum 1514
             limit 10240
             rate 20mbit
         }
         wan-interface eth0
     }
 }

Re: limit one user to login l2tp vpn

Re: Changed modems for ATT Fiber and Netgear switch connected to ER3 stopped working + other issues

Wow, thanks for the detailed response. I will give it a try tomorrow when the office is closed. Hopefully the putty software is easy to use.

Re: EdgeRouter X - Poor WAN Throughput


Hi pguillem - thank you for the suggestion. I've tried enabling hardware offloading per the instructions in the link you provided and restarted the router, but it doesn't seem to have changed the results of the speed test.

Re: EdgeRouter X - What other hardware for home setup?


I don't see much of a request for other hardware choices; you seem to have decided that.

For Ubiquiti managed switches, you can use either EdgeSwitch or the UniFi switch line; both are VLAN-capable.

Dave

Re: EdgeRouter X - Poor WAN Throughput


Check that the module is active. Later in the same guide there is a cmd to check the status.

 

It may be loaded ... but inactive due to some other function being used (QoS, NetFlow, etc).

 

Are you sure QoS is off?
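An added example, not part of any post on this page: a small audit of an EdgeOS-style config for the features that replies here name as disabling or limiting offload (firewall "modify" rules, bridged traffic, flow accounting, QoS). It goes beyond any single reply by combining them; the function names and sample config are constructed, and treating `smart-queue` as the QoS in question is an assumption.

```python
import shlex


def parse_edgeos(text):
    """Parse brace-style EdgeOS config text (as posted on this page) into nested dicts."""
    stack = [{}]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        if tokens == ["}"]:
            stack.pop()                      # close the current section
        elif tokens[-1] == "{":
            node = stack[-1]
            for name in tokens[:-1]:         # "bridge br0 {" -> ["bridge"]["br0"]
                node = node.setdefault(name, {})
            stack.append(node)
        else:                                # leaf such as "hwnat enable"
            stack[-1][tokens[0]] = " ".join(tokens[1:])
    return stack[0]


def offload_findings(cfg):
    """Return (code, detail) pairs for features the replies name as offload blockers."""
    found = []
    system = cfg.get("system", {})
    if "flow-accounting" in system:
        found.append(("flow-accounting", "netflow configured; 'delete system flow-accounting' removes it"))
    for name in cfg.get("firewall", {}).get("modify", {}):
        found.append(("modify", f"firewall modify ruleset {name}"))
    for name in cfg.get("interfaces", {}).get("bridge", {}):
        found.append(("bridge", f"traffic through {name} is not eligible for offload"))
    # Assumption: a smart-queue policy is treated as the "QoS" the reply refers to.
    for name in cfg.get("traffic-control", {}).get("smart-queue", {}):
        found.append(("qos", f"smart-queue {name} configured"))
    if not system.get("offload"):
        found.append(("offload-missing", "no 'system offload' section"))
    return found


# Constructed sample config, not taken from any post on this page.
SAMPLE = """
interfaces {
    bridge br0 {
        description "LAN bridge"
    }
}
system {
    flow-accounting {
        interface eth0
    }
    offload {
        hwnat enable
    }
}
traffic-control {
    smart-queue SQ1 {
    }
}
"""

if __name__ == "__main__":
    print(offload_findings(parse_edgeos(SAMPLE)))
```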

Re: Analyze network traffic in switch0 with external PC or tool


If you want full time monitoring with a PC, then I would be tempted to run pfsense on the PC with a dual intel nic for the routing and ntopng and use the ERX-SFP as a vlan-aware switch/Passive PoE.

 

I don't think there is a supported way to get integrated switch chip mirroring.  There have been reports of using the unsupported /sbin/switch utility to get port mirroring working.  /sbin/switch is an unsupported utility that evidently can "talk" to the integrated switch functionality.

 

test@test-ER-X:~$ /sbin/switch
Usage:
 /sbin/switch acl etype add [ethtype] [portmap]              - drop etherytype packets
 /sbin/switch acl dip add [dip] [portmap]                    - drop dip packets
 /sbin/switch acl dip meter [dip] [portmap][meter:kbps]      - rate limit dip packets
 /sbin/switch acl dip trtcm [dip] [portmap][CIR:kbps][CBS][PIR][PBS] - TrTCM dip packets
 /sbin/switch acl port add [sport] [portmap]           - drop src port packets
 /sbin/switch acl L4 add [2byes] [portmap]             - drop L4 packets with 2bytes payload
 /sbin/switch add [mac] [portmap]                  - add an entry to switch table
 /sbin/switch add [mac] [portmap] [vlan id]        - add an entry to switch table
 /sbin/switch add [mac] [portmap] [vlan id] [age]  - add an entry to switch table
 /sbin/switch clear                                - clear switch table
 /sbin/switch del [mac]                            - delete an entry from switch table
 /sbin/switch del [mac] [fid]                    - delete an entry from switch table
 /sbin/switch dip add [dip] [portmap]                  - add a dip entry to switch table
 /sbin/switch dip del [dip]                          - del a dip entry to switch table
 /sbin/switch dip dump                                 - dump switch dip table
 /sbin/switch dip clear                                - clear switch dip table
 /sbin/switch dump              - dump switch table
 /sbin/switch ingress-rate on [port] [Kbps]        - set ingress rate limit on port 0~4
 /sbin/switch egress-rate on [port] [Kbps]         - set egress rate limit on port 0~4
 /sbin/switch ingress-rate off [port]              - del ingress rate limit on port 0~4
 /sbin/switch egress-rate off [port]               - del egress rate limit on port 0~4
 /sbin/switch filt [mac]                           - add a SA filtering entry (with portmap 1111111) to switch table
 /sbin/switch filt [mac] [portmap]                 - add a SA filtering entry to switch table
 /sbin/switch filt [mac] [portmap] [vlan id]       - add a SA filtering entry to switch table
 /sbin/switch filt [mac] [portmap] [vlan id] [age] - add a SA filtering entry to switch table
 /sbin/switch igmpsnoop on [Query Interval] [default router portmap] - turn on IGMP snoop and  router port learning (Query Interval 1~255)
 /sbin/switch igmpsnoop off                                  - turn off IGMP snoop and router port learning
 /sbin/switch igmpsnoop enable [port#]                       - enable IGMP HW leave/join/Squery/Gquery
 /sbin/switch igmpsnoop disable [port#]                      - disable IGMP HW leave/join/Squery/Gquery
 /sbin/switch mymac [mac] [portmap]                  - add a mymac entry to switch table
 /sbin/switch mirror monitor [portnumber]            - enable port mirror and indicate monitor port number
 /sbin/switch mirror target [portnumber] [0:off, 1:rx, 2:tx, 3:all]  - set port mirror target
 /sbin/switch phy [phy_addr]                     - dump phy register of specific port
 /sbin/switch phy                                        - dump all phy registers
 /sbin/switch pvid [port] [pvid]                - set pvid on port 0~4
 /sbin/switch pvid dump                            - dump port pvid setting
 /sbin/switch reg r [offset]                       - register read from offset
 /sbin/switch reg w [offset] [value]               - register write value to offset
 /sbin/switch sip add [sip] [dip] [portmap]            - add a sip entry to switch table
 /sbin/switch sip del [sip] [dip]                            - del a sip entry to switch table
 /sbin/switch sip dump                                 - dump switch sip table
 /sbin/switch sip clear                                - clear switch sip table
 /sbin/switch tag on [port]                        - keep vlan tag for egress packet on prot 0~4
 /sbin/switch tag off [port]                       - remove vlan tag for egress packet on port 0~4
 /sbin/switch vlan dump                            - dump switch table
 /sbin/switch vlan set [vlan idx (NULL)][vid] [portmap]  - set vlan id and associated member
test@test-ER-X:~$ 

 

 

Unfortunately, about anything you run that is going to use the cpu to copy/inspect/classify traffic in process (vs interrupt) context is going to have a big impact on the performance of the ERX.  That includes anything to copy traffic to eth5, if it isn't done by the integrated switch asic that's part of the SOC used by the ERX.

 

Asking a low power device like the ERX to compete with what a PC can do isn't really a fair contest.

Re: Changed modems for ATT Fiber and Netgear switch connected to ER3 stopped working + other issues


Your other option if you don't want to use putty is to use the dashboard services tab or config tree.  For me, the CLI is easier (and much easier to keep as a text file) than as a bunch of screen shots.


Re: EdgeRouter X - Poor WAN Throughput


Just because there have been so many reports that turned out to be this, do you have ATT fiber and a Pace modem?  And using DMZ+ mode?

 

If so google

 

ATT pace slow

 

and come to your own conclusions.

Re: EdgeRouter X not handing out DHCP Addresses


So I can definitely confirm for some reason when routing through the EdgeRouter the speed is significantly reduced. 

 

My Macbook Pro connected to the ATT Gateway over wifi even pulled 120mbps, when hard wired to the gateway I also get 120mbps, when connected hard wired to the edgerouter I'm only seeing 30-40mbps. I've tested with ATT Uverse's speedtest, dslreports.net and speedtest.net, all returning the same results consistently.

 

So for some reason the edgerouter is bottlenecking the ATT uverse service. 

 

Is there a way to run a speedtest via the CLI or management interface to the edgerouter directly? 

Re: Analyze network traffic in switch0 with external PC or tool

Re: EdgeRouter X not handing out DHCP Addresses


ER has iperf 2 built in. You can use that to do a speed test between the ER and your local devices. E.g.,

 

Run iperf in server mode on ER:

iperf -s

Run iperf client from a linux box:

iperf -c <ER's IP address>

You may find iperf binary for other platforms from https://sourceforge.net/projects/iperf2/

 

Re: EdgeRouter X not handing out DHCP Addresses
