The new PSU has worked so far, so the R210ii went back up into the attic rack. No other modifications, although if it manages a couple of weeks I will most likely look into some Noctua fans to quieten it down a bit. A bit of a tidy up as well, removing some old switches and getting the patch panel in line. One of the next jobs on the list will be to get a “CRS3XX” down into the cave so I can take advantage of some 10GB goodness with failover on 2 of the 3 fibres.
There has been a glimmer of hope for the CHR. I’ve come across a donor R210 with a power supply that is in brilliant condition, installed the power supply and it burst back into life. A good hour getting ESXi re-installed to the SSD I’d wiped and then reloading a CHR image onto it then carefully copying over the config and it’s just about ready to bring back into service.
I’ll be sorry to part ways again with the Hex and the FastTrack setup but this time around with the CHR I’ll be going for a really big QoS tree build.
Friday afternoon my beloved Dell R210ii decided to eat its own PSU, completely rendering the box useless and, along with it, the CHR routing my home network. It’s fine though, as I made backups, which I stored within the CHR, so I can’t access them #feelsbadman

Never mind, I quickly pulled out my CCR1009, which I retrieved from a scrap pile and whilst it had faulted 1 or 2 times had never completely keeled over. I configured it up and replaced the CHR, and after a few hours of tweaking and trying to resume normality (as well as activating FastTrack, as the CHR can’t do that), home was up and running.
Monday morning, I had some weird things going on in the network. I checked the CCR and it was reporting traffic on interfaces I knew weren’t even connected, as well as flapping on the SFP port which the other end showed as solid. The CCR has now been marked for removal.
I am so thankful for having a “spare” RB750Gr3 Hex unit about though, as that should keep the family quiet whilst I work out where to go from here. Currently my paltry 55Mb connection won’t stress it, but I have been eyeing up a Virgin Media upgrade to 350Mb next, which looks set to increase to 500Mb in the next few months; who knows, Gigabit may be round the corner as well. Either way, I’m not confident the little Hex can do that, so it’s back to the drawing board and looking for a unit to suit my needs.
I’ve finally had some time to drag a monitor up into the attic to make some changes to the ESXi server that hosts my CHR. After some extensive reading on the MikroTik forum, it seems that a virtual CHR benefits from a “real” core and not a virtual one, with virtual cores in some cases hindering performance! Even though my residential 55/15 connection isn’t going to set the world alight, I want to do some really in-depth packet inspection next year, so having raw performance is top of my list.
The first change I made was to move the server BIOS performance setting from “OS Control” (which I had initially chosen to try to minimise noise in the cave) to maximum performance; a few packets gained there, maybe?
The second big change was to turn off hyperthreading on my Xeon. When I bought the Xeon I went out of my way to buy one with 4c/8t for maximum cores, but RouterOS itself is very single-core based and can’t multi-thread, so single-core efficiency is key. It also benefits from L3 cache, so splitting the cache between 4 threads rather than 8 helps further. There is also some heat efficiency to be gained by running the processor without HT, which counterbalances the BIOS performance setting that could otherwise increase heat.
Overall, testing without a firewall now yields a far healthier 10+Gbps when speed-testing to itself on a single core, compared to the previous 7(ish).
All will be undone though if/when rOS7 launches with multicore!
It’s been a while since I looked at updating this, and that’s mostly because my working focus has shifted away from the firewall and onto some hotspot-related things, so the bulk of my research has gone into that. However, after a visitor to my website engaged with me regarding this, I thought it the right time to drop this almost “final” implementation of my blacklist script.
As much as I’d like to have written a totally automated list that dynamically adjusted, there are far cleverer people out there doing this more or less as a day job. I’ve now been using the implementation from Joshaven, some loose geographic blocks and then the IntrusDave list from the MikroTik forum.
I’ve finished that up with a far less brutal approach to something that picks out port scanners and any other snoopers;