I have a gateway device in my company with Mikrotik RouterOS installed. When I tried to use a high-speed Internet connection over 500M, the WAN transporting speed was stuck below 400M, while the CPU usage was nearly 100%.
After got some information in Mikrotik forum, I found that the IP firewall may consume extra CPU resources. Some ip firewall rules applied to all the data packets before they were sending out, which overused the cpu resources. As a result, the data transmission had to run at a low speed.
The documentation shows that enabling the fasttrack allows to forward packets without additional processing in the Linux kernel. It improves forwarding speeds significantly if there are no more than 25 NAT or IP firewall rules.
Unfortunately, I found that the fasttrack hardware accelerate is not working as it designed. When I enabled it, the count of packets via fasttrack rules was 0, which means there is no data sent with this function.
After some research, I think the main reason why the fasttrack not working is that the “fasttrack connection” rule in the ip firewall rules is also one of the ip firewall rules. The fasttrack connection rule is a forwarding rule which should be placed in the forward chain of iptables. If there are any other user-defined forwarding rules before the “fasttrack connection” in the forward chain, the data packets will be processed by these rules before they reached the “fasttrack connection”. Especially the “accept”, if there is a “accept” before the fasttrack connection in the forward chain, all of the data packets will be forwarded directly before they reached the fasttrack.
The Mikrotik write those rules of fasttrack connection in the bottom of the forward chain by default. If you have the same problem, just move these rules after the “fasttrack connection” in the forward chain.
All the packets which matched the rules before “fasttrack connection” in the forward chain will NOT be processed by the fasttrack.
After modified the forward chain, it works normally and improved the connection speed significantly.
后续:
It is no need to use out-dated equipment, simply to change a new one with better CPU.