RB2011 slow internet even with fasttrack

bdubs85 · Fri Sep 07, 2018 5:01 am

Hi everyone,

I've had my RB2011UiAS-2HnD-IN for a few years now and have had no complaints until now. I moved to my new house and upgraded my internet speed from 150/10 to 400/20.
I ran fasttrack off and on at this speed for couple months and saw there were some updates to RouterOS and that I had been a little slacking on upgrading my firmware (as in firmware had never been upgraded since i had it...whoops!).
I update the RouterOS and the Firmware, including rebooting for both my 2011 and WAP AC and all seems to work fine at first glance.

Then I noticed that even with Fasttrack enabled, I was only getting between 150-200mbps max download with the exact same config as before with only about 5% CPU at idle, 30~% under load with fasttrack enabled. I even install a previous backup from a time when I know i was getting full speed just to see if I messed something up, but the speed issue remained. When I connect directly to my modem from my computer, I get about 440/22, so I know the issue is not on my ISP's side. I even tried to move all other wired connections to the other switch (the 100mbps ports) to rule out any interference from other ports on the same switch.

The internet speed also seems to be inconsistent when running through the 2011 through fasttrack: it sometimes starts out around 250-280mbps, then slows to 150-200 when using speedtest.net. Sometimes it starts at 150mbps and goes down to about 110mbps. With fasttrack disabled, i get about 73mbps down with 80% CPU usage.

I'm running 6.43 currently on routerOS and firmware
I have about 8 wired devices and about 10 wireless devices with about 25 Mangle rules, 3 nat rules (2 for plex server, 1 for masquerade), and a total of 17 firewall filter rules with fasttrack as the first after an invalid reject rule.
I've tried fasttrack set to my machine's marked packets, marked connections, and then all established and related connection states to try and bypass all filters and rules.
I've disconnected all other devices and cables, disabled WLAN, reset configuration...No Dice.

I'm not at all a mikrotik expert, but I'd appreciate any help!

bdubs85 · Mon Sep 10, 2018 10:21 am

Anything at all?

eider · Mon Sep 10, 2018 2:37 pm

I'm running 6.42.7 currently on routerOS and firmware

Read viewtopic.php?f=21&t=128915 and https://wiki.mikrotik.com/wiki/Manual:S ... Offloading
And next time when doing upgrade - read changelog for every version since the one you have installed.

bdubs85 · Mon Sep 10, 2018 5:15 pm

I've read that multiple times, but it's not clicking for me...isn't hardware offloading supposed to improve performance? So should i reformat and create the setup without master/slave setup from the beginning? I'll try and re-read it a bunch to see if I can figure it out.

eider · Tue Sep 11, 2018 9:22 am

You should verify that hardware offloading is being enabled (indicated by H indicator on bridge port) and verify which functions are supported with it for your device's switch chip and confirm you're not running with any of incompatible options enabled.

bdubs85 · Wed Sep 12, 2018 12:30 am

In the bridge ports, the wan port was not in the bridge (i assume this is correct, since i can't add it to the bridge).
I tried disabling the hardware offload that my computer is connected to and still get the same result. I disabled Unicast Flood, Multicast Flood, Broadcast Flood and still the same. Now, the speed test starts at my max download (400mbps) for a brief second and then quickly ramps down to 200mbps for the rest of the test. (attached

speed test2.jpg

speed test.jpg

CPU maxed at ~40% during 400mbps internet speed test download, then dropped back down to ~25% for the rest of the 200mbps average. When transferring files on local LAN at gigabit speed, CPU goes up to ~65% for 950mbps speed going from a hardware offloaded port to non hardware offloaded. On hardware offloaded port to hardware offloaded port on the same gigabit switch series, cpu doesn't go above 6% for same gigabit speed transfer, so hardware itself seems to be working fine.

Any idea on what settings might be causing the drop in speed after the initial good speed?

mkx · Wed Sep 12, 2018 9:13 am

Any idea on what settings might be causing the drop in speed after the initial good speed?

Round-trip latency with too small TCP window? Not that you can do much about TCP window size for random application ...

Any network device on the way between connection peers will add some delay. It sometimes really surprises me how can seemingly neglectable increase in delay (a few 100 microseconds) drastically change TCP performance.

bdubs85 · Wed Sep 12, 2018 2:36 pm

I've got cable internet connection. Setup is internet<->cable modem<->rb2011<->laptop with cat6 cable all ethernet connections at 1gbps full duplex. Ping times to bandwidth test server are under 20ms.
I took ethernet coupler and hooked my laptop ethernet cable to the ethernet cable from the modem to bypass the router but still using same cables and I get full consistent 400mbps down going straight through modem, so wiring is ok. I also tried to clone Mac address of my laptop to router after connecting straight to modem.

Not sure what setting I'd need to check? MTU is 1500, 1598 max l2 MTU (thought packets might be getting fragmented). Guess I can change wan port and see if problem persists?

bdubs85 · Wed Sep 12, 2018 3:11 pm

So I did some messing around:
Hops to bandwidth server is 8, total RTT is 12ms to bandwidth server.

So I started changing things:

I disconnected all other wires/wifi. Same speed

I reset RB2011 to vanilla WISP AP/Home AP configuration with only modem and laptop connected via ethernet. Same speed.

I used vanilla configuration to change ethernet port of WAN to Eth2 instead of 1. Same speed.

I'm thinking it had something to do with updating my firmware to current, since speed was good before that time. Is it wise to leave RouterOS updated but firmware not updated?

bdubs85 · Sun Sep 16, 2018 1:22 am

I got a response from mikrotik talking about how queues impact TCP single connection performance and i should just be able to get normal real-world speed outside of the synthetic speedtest.net test. I tried to download a large file, such as a ISO file via HTTP or torrent and still was stuck at about 200mbps maximum. I also tried to download a game via steam and still wasn't able to get above about 200mbps.
I went to dslreports.com and performed a speedtest and got a full 450mbps or so speed test

.

I understand how queues can impact tcp single connection performance, but I had fasttrack enabled and got the same results. I also reset the router to vanilla WISP AP and also Home AP and only had laptop and modem connected to the router with no queues or mangle rules and still only got 200mbps. Any ideas on how to improve TCP single connection performance?

I hate to look at a CCR or RB3011 or something more expensive to get the performance that i was already getting on the rb2011 until some strange gremlin reduced my speed.

CZFan · Sun Sep 16, 2018 1:39 am

I suspect something wrong with your config, I achieved ~850Mbpps up and down with my 2011

bdubs85 · Sun Sep 16, 2018 1:51 am

What firmware are you running? Could you share your configuration? I used to get great wan speed but still get great lan routing speed. I tried resetting to stock wisp ap defaults as well as home ap default config and can't get any better on that speedtest.net test, so I thought I eliminated bad config.

CZFan · Sun Sep 16, 2018 12:07 pm

Sorry, just looked at the speedtest results again, it was 812Mb down and 97Mb up as the link was a 1Gb/100Mb fibre link. About a month ago, I have reset the 2011 to Factory Default and downgraded the device to my Home Lab environment, using a HAP AC2 as "production" unit at home now.

If you don't mind placing a copy of "export hide-sensitive" of your config here, we can have a look and make suggestions

bdubs85 · Sun Sep 16, 2018 6:39 pm

Current config:

  MikroTik RouterOS 6.43 (c) 1999-2018       http://www.mikrotik.com/

[admin@MikroTik] > export hide-sensitive
# sep/16/2018 11:15:45 by RouterOS 6.43
# software id = GUWS-61RD
#
# model = 2011UiAS-2HnD
# serial number = 727B066F37B5
/interface bridge
add admin-mac=6C:3B:6B:F9:1A:86 auto-mac=no comment=defconf name=bridge protocol-mode=none
/interface ethernet
set [ find default-name=ether2 ] advertise=1000M-full comment="Wireless AP" name=ether2-WIFI speed=100Mbps
set [ find default-name=ether3 ] advertise=1000M-full comment=Laptop
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether6-master
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp1 ] disabled=yes
set [ find default-name=ether1 ] advertise=1000M-full mac-address=6C:3B:6B:F9:1A:8F name=wan
/interface wireless
set [ find default-name=wlan1 ] amsdu-limit=2048 band=2ghz-g/n channel-width=20/40mhz-Ce country="united states" \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=xxx tx-power-mode=all-rates-fixed \
    wireless-protocol=802.11 wps-mode=disabled
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed name="guest security" \
    supplicant-identity=""
/ip kid-control
add disabled=yes fri=7h-21h mon=7h-19h name=xxx sat=7h-21h sun=7h-19h thu=7h-19h tue=7h-19h wed=7h-19h
add disabled=yes fri=7h-21h mon=7h-19h name=xxx sat=7h-21h sun=7h-19h thu=7h-19h tue=7h-19h wed=7h-19h
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=10.10.10.100-10.10.10.254
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=bridge name=defconf
/queue type
add kind=pcq name=max_upload_5m pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=9M \
    pcq-src-address6-mask=64 pcq-total-limit=9000KiB
add kind=pcq name=upload_512k pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64 \
    pcq-total-limit=409KiB
add kind=pcq name=upload_16k pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64 \
    pcq-total-limit=12KiB
add kind=pcq name=upload_256k_rate pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=204k \
    pcq-src-address6-mask=64
add kind=pcq name=upload_16k_rate pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=12k \
    pcq-src-address6-mask=64
add kind=pcq name=max_download_400m pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=400M \
    pcq-src-address6-mask=64 pcq-total-limit=400000KiB
add kind=pcq name=download_4m pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64 \
    pcq-total-limit=3276KiB
add kind=pcq name=download_2m pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64 \
    pcq-total-limit=1638KiB
add kind=pcq name=download_1m pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64 \
    pcq-total-limit=819KiB
add kind=pcq name=download_512k pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64 \
    pcq-total-limit=409KiB
add kind=pcq name=download_4m_rate pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=3276k \
    pcq-src-address6-mask=64
add kind=pcq name=download_2m_rate pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=1638k \
    pcq-src-address6-mask=64
add kind=pcq name=download_1m_rate pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=819k \
    pcq-src-address6-mask=64
add kind=pcq name=download_512k_rate pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=409k \
    pcq-src-address6-mask=64
add kind=pcq name=download_300m pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64 \
    pcq-total-limit=300000KiB
add kind=pcq name=download_100m_rate pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=100k \
    pcq-src-address6-mask=64 pcq-total-limit=100000KiB
add kind=pcq name=upload_15m pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=15M pcq-src-address6-mask=\
    64 pcq-total-limit=15000KiB
add kind=pcq name=upload_5m pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64 \
    pcq-total-limit=4500KiB
add kind=pcq name=download_50m pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64 \
    pcq-total-limit=40000KiB
add kind=pcq name=download_20m pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64 \
    pcq-total-limit=16000KiB
add kind=pcq name=upload_19m pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=19M pcq-src-address6-mask=\
    64 pcq-total-limit=19000KiB
add kind=pcq name=upload_2m pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64 \
    pcq-total-limit=1600KiB
add kind=pcq name=upload_1m pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64 \
    pcq-total-limit=800KiB
add kind=pcq name=upload_15m_rate pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=15M \
    pcq-src-address6-mask=64 pcq-total-limit=18000KiB
add kind=pcq name=upload_2m_rate pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=1600k \
    pcq-src-address6-mask=64 pcq-total-limit=2400KiB
add kind=pcq name=upload_1m_rate pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=800 \
    pcq-src-address6-mask=64 pcq-total-limit=800KiB
add kind=pcq name=upload_5m_rate pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=5M \
    pcq-src-address6-mask=64 pcq-total-limit=5000KiB
add kind=pcq name=upload_9m_rate pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=9M \
    pcq-src-address6-mask=64 pcq-total-limit=9000KiB
/queue interface
set ether3 queue=ethernet-default
set wan queue=ethernet-default
/queue tree
add name=wan_download packet-mark=wan-all_in_pkt parent=global priority=1 queue=max_download_400m
add name=wan_upload packet-mark=wan-all_out_pkt parent=global priority=1 queue=upload_19m
add name=wan_d_unknown packet-mark=wan-all_unknown_in_pkt parent=wan_download queue=download_50m
add name=wan_u_unknown packet-mark=wan-all_unknown_out_pkt parent=wan_upload queue=upload_15m_rate
add name=wan_d_laptop packet-mark=wan-all_laptop_in_pkt parent=wan_download priority=2 queue=max_download_400m
add name=wan_u_laptop packet-mark=wan-all_laptop_out_pkt parent=wan_upload priority=2 queue=upload_19m
add name=wan_d_desktop_server packet-mark=wan-all_desktop_server_in_pkt parent=wan_download priority=3 queue=\
    download_50m
add name=wan_u_desktop_server packet-mark=wan-all_desktop_server_out_pkt parent=wan_upload priority=3 queue=\
    upload_15m_rate
add name=wan_d_desktop_new packet-mark=wan-all_desktop_new_in_pkt parent=wan_download priority=5 queue=download_50m
add name=wan_u_desktop_new packet-mark=wan-all_desktop_new_out_pkt parent=wan_upload priority=5 queue=upload_9m_rate
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-WIFI
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf hw=no interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=sfp1 list=discover
add interface=ether2-WIFI list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6-master list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=wlan1 list=discover
add interface=bridge list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=wan list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2-WIFI network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=wan use-peer-dns=no
/ip dhcp-server lease
add address=192.168.88.103 always-broadcast=yes mac-address=xxx server=defconf
add address=192.168.88.101 client-id=xxx server=defconf
add address=192.168.88.99 client-id=xxx server=defconf
add address=192.168.88.102 client-id=xxx server=defconf
add address=192.168.88.100 client-id=xxx server=defconf
add address=192.168.88.98 always-broadcast=yes client-id=xxx server=\
    defconf
add address=192.168.88.43 mac-address=xxx server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router
/ip firewall address-list
add address=192.168.88.100 comment=laptop list=shaped
add address=192.168.88.101 comment=desktop_server list=shaped
add address=192.168.88.102 comment=desktop_new list=shaped
add address=198.168.88.0/24 list="Local LAN"
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
/ip firewall filter
add action=drop chain=input comment="Drop input invalid connection packets" connection-state=invalid
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-mark=wan-all_laptop_in_conn \
    connection-state="" packet-mark=wan-all_laptop_in_pkt
add action=accept chain=input comment="Allow input established and related connections" connection-state=\
    established,related
add action=accept chain=input comment="Allow all input for local net" src-address=192.168.88.0/24
add action=accept chain=forward comment="Allow forward established and related connections" connection-state=\
    established,related
add action=accept chain=forward comment="Allow all forward for local net" src-address=192.168.88.0/24
add action=accept chain=input comment="Allow input Ping" disabled=yes in-interface=wan protocol=icmp
add action=drop chain=input comment="All other inputs drop"
add action=drop chain=forward comment="Drop forward invalid connection packets" connection-state=invalid
add action=accept chain=forward comment="Allow forward Ping" protocol=icmp
/ip firewall mangle
add action=mark-connection chain=forward comment="Incoming Conn" in-interface=wan new-connection-mark=wan-all_in_conn \
    passthrough=yes
add action=mark-packet chain=forward comment="Incoming Pkt" connection-mark=wan-all_in_conn new-packet-mark=\
    wan-all_in_pkt passthrough=yes
add action=mark-connection chain=forward comment="Outgoing Conn" new-connection-mark=wan-all_out_conn out-interface=\
    wan passthrough=yes
add action=mark-packet chain=forward comment="Outgoing Pkt" connection-mark=wan-all_out_conn new-packet-mark=\
    wan-all_out_pkt passthrough=yes
add action=mark-connection chain=forward comment="Unknown In Conn" dst-address-list=!shaped in-interface=wan \
    new-connection-mark=wan-all_unknown_in_conn passthrough=yes
add action=mark-packet chain=forward comment="Unknown In Pkt" connection-mark=wan-all_unknown_in_conn \
    new-packet-mark=wan-all_unknown_in_pkt passthrough=yes
add action=mark-connection chain=forward comment="Unknown Out Conn" new-connection-mark=wan-all_unknown_out_conn \
    out-interface=wan passthrough=yes src-address-list=!shaped
add action=mark-packet chain=forward comment="Unknown Out Pkt" connection-mark=wan-all_unknown_out_conn \
    new-packet-mark=wan-all_unknown_out_pkt passthrough=yes
add action=mark-connection chain=forward comment="Laptop In Conn" dst-address=192.168.88.100 in-interface=wan \
    new-connection-mark=wan-all_laptop_in_conn passthrough=yes
add action=mark-connection chain=forward comment="Laptop In Conn" dst-address=192.168.88.98 in-interface=wan \
    new-connection-mark=wan-all_laptop_in_conn passthrough=yes
add action=mark-packet chain=forward comment="Laptop In Pkt" connection-mark=wan-all_laptop_in_conn new-packet-mark=\
    wan-all_laptop_in_pkt passthrough=yes
add action=mark-connection chain=forward comment="Laptop Out Conn" new-connection-mark=wan-all_laptop_out_conn \
    out-interface=wan passthrough=yes src-address=192.168.88.100
add action=mark-connection chain=forward comment="Laptop Out Conn" new-connection-mark=wan-all_laptop_out_conn \
    out-interface=wan passthrough=yes src-address=192.168.88.98
add action=mark-packet chain=forward comment="Laptop Out Pkt" connection-mark=wan-all_laptop_out_conn \
    new-packet-mark=wan-all_laptop_out_pkt passthrough=yes
add action=mark-connection chain=forward comment="desktop_server In Conn" dst-address=192.168.88.101 in-interface=wan \
    new-connection-mark=wan-all_desktop_server_in_conn passthrough=yes
add action=mark-packet chain=forward comment="desktop_server In Pkt" connection-mark=wan-all_desktop_server_in_conn \
    new-packet-mark=wan-all_desktop_server_in_pkt passthrough=yes
add action=mark-connection chain=forward comment="desktop_server Out Conn" new-connection-mark=\
    wan-all_desktop_server_out_conn out-interface=wan passthrough=yes src-address=192.168.88.101
add action=mark-packet chain=forward comment="desktop_server Out Pkt" connection-mark=wan-all_desktop_server_out_conn \
    new-packet-mark=wan-all_desktop_server_out_pkt passthrough=yes
add action=mark-connection chain=forward comment="desktop_new In Conn" dst-address=192.168.88.102 in-interface=wan \
    new-connection-mark=wan-all_desktop_new_in_conn passthrough=yes
add action=mark-packet chain=forward comment="desktop_new In Pkt" connection-mark=wan-all_desktop_new_in_conn \
    new-packet-mark=wan-all_desktop_new_in_pkt passthrough=yes
add action=mark-connection chain=forward comment="desktop_new Out Conn" new-connection-mark=\
    wan-all_desktop_new_out_conn out-interface=wan passthrough=yes src-address=192.168.88.102
add action=mark-packet chain=forward comment="desktop_new Out Pkt" connection-mark=wan-all_desktop_new_out_conn \
    new-packet-mark=wan-all_desktop_new_out_pkt passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=wan
add action=dst-nat chain=dstnat dst-port=32400 in-interface=wan protocol=tcp to-addresses=192.168.88.101 to-ports=\
    32400
add action=dst-nat chain=dstnat dst-port=32400 in-interface=wan protocol=udp to-addresses=192.168.88.101 to-ports=\
    32400
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip hotspot service-port
set ftp disabled=yes
/ip kid-control device
add mac-address=xxx
add mac-address=xxx
add mac-address=xxx
add mac-address=xxx
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24
set ssh address=192.168.88.0/24 port=2200
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/ip upnp
set allow-disable-external-interface=yes enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add disabled=yes interface=wan type=external
/lcd
set default-screen=stat-slideshow enabled=no read-only-mode=yes touch-screen=disabled
/lcd interface
set sfp1 disabled=yes
set ether2-WIFI disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set ether6-master disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes
set wlan1 disabled=yes
/lcd interface pages
set 0 interfaces=wan
/system clock
set time-zone-name=America/New_York
/system logging
add topics=wireless
/system ntp client
set enabled=yes primary-ntp=216.229.0.179 secondary-ntp=38.88.18.251
/system routerboard settings
set silent-boot=no
/tool bandwidth-server
set authenticate=no enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool mac-server ping
set enabled=no
[admin@MikroTik] >

These are both screenshots for speedtests i get with this configuration. CPU doesn't exceed 45% with the faster result speedtest. Slower speedtest cpu doesn't exceed 26%.

2018.09.16 speed test normal config RESULTS spectrum test.jpg

2018.09.16 speed test normal config RESULTS.jpg

bdubs85 · Sun Sep 16, 2018 7:04 pm

I tried resetting to vanilla WISP AP as such:

[admin@MikroTik] > export hide-sensitive
# sep/16/2018 11:48:34 by RouterOS 6.43
# software id = GUWS-61RD
#
# model = 2011UiAS-2HnD
# serial number = 727B066F37B5
/interface bridge
add admin-mac=6C:3B:6B:F9:1A:86 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto \
    mode=ap-bridge ssid=MikroTik-F91A8F wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/New_York
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] >

For some reason, this vanilla config gives even slower speed than my normal.

2018.09.16 speed test WISP AP default settings RESULTS.jpg

complex1 · Sun Sep 16, 2018 8:51 pm

Hi,

Do I understand it right and correct me if I’m wrong, but after resetting to vanilla WISP AP, the download speed is still lousy?
Please check the Routerboard “Current Firmware” is 6.43 and/or re-install the 6.43 packages.

bdubs85 · Sun Sep 16, 2018 9:00 pm

Yes router os and firmware are both updated. I posted some screenshots earlier today with dslreports speed test showing normal speed (multiple connections?) but any other speed test (single tcp connection?) shows slower speed. My modem is not a router, so no bridge mode possible there. I'll try and reinstall firmware and router os.

CZFan · Sun Sep 16, 2018 9:47 pm

Firstly, when pasting config, please place this between the code brackets, makes it easier to read and not such long posts.

Then, I am a bit confused, you are showing 2 speedtests screens, one with 158Mb download and another with 448Mb download. the 448Mb is not to bad.

In current config, you have many Q's and Mangle rules, at most I had about 3 simple Q's so difficult to compare, but you also have "passthrough=yes" on almost all Mangle Rules, that is not correct and will eat CPU cycles which will affect routing speeds.Have a search through @sindy's posts, some excellent explanations.

I will also reorganize the firewall filter rules, what I had in ordered list (Very basic but very effective I think):

chain forward action drop connection invalid
Chain forward action fasttrack est, rel & untracked
chain forward action accept est, related & untracked
chain forward action accept connections new from LAN
chain forward action accept connection state dstnat from WAN
chain forward action drop all from WAN
chain input action drop connection invalid
chain input action accept est, related & untracked
chain input action accept connections new from LAN
chain input action drop all from WAN

bdubs85 · Sun Sep 16, 2018 10:05 pm

Thanks CZfan, I fixed the code view. CPU never exceeds 45% or so when running at that 450mbps speed and my connection is going through fasttrack. Both of those screenshots were different bandwidth tests with that same configuration that I've been running for 2 years. One of the connection tests runs through multiple TCP connections is what mikrotik support was telling me, the other is only a single TCP stream. I used to get these speeds normally from speedtest.com when i first moved to this house in june, using that same configuration with fasttrack, but now i'm not. The only thing that changed is i updated my firmware and routerOS to current.

old speed test results.jpg

CZFan · Mon Sep 17, 2018 12:56 am

Apologies if you mentioned it earlier, but from what version to what version did you upgrade when you first noticed the difference?

bdubs85 · Mon Sep 17, 2018 1:42 am

Router os it was just incremental, firmware it was like 2 years of no firmware update (i forgot

, I was doing os updates though!)...I can't remember the exact firmware previously. Is there a way to find that? Pretty sure it was 6.35.4 and going to the one right before 6.43 and then to 6.43?

CZFan · Wed Sep 19, 2018 7:46 pm

Sorry, without actually being at the network, can't offer more

mducharme · Wed Sep 19, 2018 8:54 pm

Reset to default configuration and try disabling fasttrack and see how it changes the speed vs. fasttrack enabled.

bdubs85 · Thu Sep 20, 2018 3:47 am

Reset to default configuration and try disabling fasttrack and see how it changes the speed vs. fasttrack enabled.

On WISP AP default config, i disabled all other ports on the router except WAN and laptop. Without fasttrack enabled, speed only was 97mbps down, with 60% CPU usage. With fasttrack enabled, i got 123mbps down using about 20% cpu.

bdubs85 · Thu Sep 20, 2018 3:52 am

Sorry, without actually being at the network, can't offer more

Thank you for trying! This is really frustrating.

bdubs85 · Thu Sep 20, 2018 3:54 am

Weird enough, I put an old netgear WNDR3700 between the modem and router and it ran flat out speed (423mbps down) for 1 speed test and then speed dropped back down after that.

I wonder if it has to do with the modem...https://www.theregister.co.uk/2017/04/1 ... a_6_arris/

Arris TM1602 seems to have some issues

https://www.reddit.com/r/Ubiquiti/comme ... erouter_x/
someone else seems to be having similar issues using a ubiquiti device

bdubs85 · Thu Sep 20, 2018 9:29 am

Reset to default configuration and try disabling fasttrack and see how it changes the speed vs. fasttrack enabled.

I actually downgraded firmware and routerOS to 6.36.4 and factory firmware which is 3.33.
Full speed 450mbps internet not even going over 40% CPU.

2018.09.20 reverted OS speedtest.jpg

CZFan · Thu Sep 20, 2018 3:50 pm

Please log a call with support@mikrotik.com, inlcude reference to this post/topic

bdubs85 · Thu Sep 20, 2018 8:57 pm

I've had an open ticket with them trying to resolve at the same time posting on here

mducharme · Thu Sep 20, 2018 9:08 pm

I've had an open ticket with them trying to resolve at the same time posting on here

What kind of NIC do you have in your system? Is it running the latest driver?

bdubs85 · Thu Sep 20, 2018 9:21 pm

It's a laptop, Realtek PCIe GBE, used windows update for driver management.
It works at near wirespeed (950mbps plus overhead) on local LAN when moving files to my server, do you think the driver could influence the WAN throughput but not the LAN? I had disabled all energy efficient options and forced gigabit connection both on router and NIC, disabling jumbo packets.
I'm still getting 460mbps download today on that old OS, so I know it's probably not throttling or network congestion from my ISP.

Last night, i left firmware as-is and just updated RouterOS to current version and the problem came back, including on the 6.40.9 (Long-term) package as just vanilla WISP AP.

mducharme · Thu Sep 20, 2018 9:41 pm

It's a laptop, Realtek PCIe GBE, used windows update for driver management.
It works at near wirespeed (950mbps plus overhead) on local LAN when moving files to my server, do you think the driver could influence the WAN throughput but not the LAN?

I ask because recently I had a problem with FastTrack at home. I would only get a fraction of the correct rate when running a speedtest (same one you are using). Turning off fasttrack would fix the issue, turning it back on again would cause the problem again. Downgrading the RouterOS version would make fasttrack work again at full rate. Connecting my NIC directly to the ISP modem device (getting a public IP) also gave me full rate on a speedtest. Upgrading the NIC driver fixed everything. Fasttrack seems to make some small changes to the timing of packet delivery which can trigger issues that are otherwise not seen with a NIC driver. Perhaps it is causing the packets to be "bunched together" more and if the bunch arrives too quickly at the same time at the NIC, it may overwhelm the buffer.

vodokotlic · Thu Sep 20, 2018 10:13 pm

Weird enough, I put an old netgear WNDR3700 between the modem and router and it ran flat out speed (423mbps down) for 1 speed test and then speed dropped back down after that.

I wonder if it has to do with the modem...https://www.theregister.co.uk/2017/04/1 ... a_6_arris/

Arris TM1602 seems to have some issues

Just for clarification you connected your gear like this: (ISP -> cable modem -> netgear router -> RB2011 ->PC) and ran the speedtest? Was fine on the first run but slowed down afterwards?
If you have a spare computer, I'd connect it to the netgear and run iperf3 tests between it and a computer behind RB2011 (ie. test mikrotiks troughput but in a stable LAN enviroment).
I'd also check interface stats for your "WAN" port on RB2011(Rx, Tx and Link Auto Negotiation status) for errors, collisions....
My RB951 didn't like my ISP's fibre converter and was acting all stupid (with terrible speeds) until both were manually set to gigabit, full duplex.

bdubs85 · Fri Sep 21, 2018 12:01 am

Weird enough, I put an old netgear WNDR3700 between the modem and router and it ran flat out speed (423mbps down) for 1 speed test and then speed dropped back down after that.

I wonder if it has to do with the modem...https://www.theregister.co.uk/2017/04/1 ... a_6_arris/

Arris TM1602 seems to have some issues
Just for clarification you connected your gear like this: (ISP -> cable modem -> netgear router -> RB2011 ->PC) and ran the speedtest? Was fine on the first run but slowed down afterwards?
If you have a spare computer, I'd connect it to the netgear and run iperf3 tests between it and a computer behind RB2011 (ie. test mikrotiks troughput but in a stable LAN enviroment).
I'd also check interface stats for your "WAN" port on RB2011(Rx, Tx and Link Auto Negotiation status) for errors, collisions....
My RB951 didn't like my ISP's fibre converter and was acting all stupid (with terrible speeds) until both were manually set to gigabit, full duplex.

Yes, I threw the netgear in there for giggles to put something other than the mikrotik facing the modem. My thought was a buffer somewhere getting filled causing latency (since most times speed test would start high and then drop), but I wasn't really able to get it specifically nailed down.

I did try manually setting all related ports to full duplex gigabit with no change. I'll have to double check wan, ethernet, and bridge for errors, collisions, drops...

bdubs85 · Sat Sep 22, 2018 9:02 am

I'd also check interface stats for your "WAN" port on RB2011(Rx, Tx and Link Auto Negotiation status) for errors, collisions....
My RB951 didn't like my ISP's fibre converter and was acting all stupid (with terrible speeds) until both were manually set to gigabit, full duplex.

So I re-updated the RouterOS to current (6.43.2) and immediately ran into the same speed issue as before (starts at 400mbps, drops to 150-200). I also found a new driver for my network card and updated it as well. I opened up wan port, lan port, and bridge traffic pages and ran the same speed tests and found 0 drops and 0 errors on all of them, with temperature staying at 34 Celsius.

Basically, more of the same.

bdubs85 · Mon Sep 24, 2018 12:51 am

It's a laptop, Realtek PCIe GBE, used windows update for driver management.
It works at near wirespeed (950mbps plus overhead) on local LAN when moving files to my server, do you think the driver could influence the WAN throughput but not the LAN?
I ask because recently I had a problem with FastTrack at home. I would only get a fraction of the correct rate when running a speedtest (same one you are using). Turning off fasttrack would fix the issue, turning it back on again would cause the problem again. Downgrading the RouterOS version would make fasttrack work again at full rate. Connecting my NIC directly to the ISP modem device (getting a public IP) also gave me full rate on a speedtest. Upgrading the NIC driver fixed everything. Fasttrack seems to make some small changes to the timing of packet delivery which can trigger issues that are otherwise not seen with a NIC driver. Perhaps it is causing the packets to be "bunched together" more and if the bunch arrives too quickly at the same time at the NIC, it may overwhelm the buffer.

It's strange, I know that I have a good number of mangle rules in place to manage my queue tree structure. I have noticed since this problem started (or maybe I'm just not remembering right...) that CPU usage doesn't really go above 70% when running with fasttrack off. Using the multiple TCP connection dslreports.com test does push it a little higher than the speedtest.net single TCP stream test (maybe 75%?), but neither one gets close to maxing out CPU usage. Is there a setting as to how much % of cpu usage is allowed to happen?

mducharme · Mon Sep 24, 2018 1:52 am

It's strange, I know that I have a good number of mangle rules in place to manage my queue tree structure. I have noticed since this problem started (or maybe I'm just not remembering right...) that CPU usage doesn't really go above 70% when running with fasttrack off. Using the multiple TCP connection dslreports.com test does push it a little higher than the speedtest.net single TCP stream test (maybe 75%?), but neither one gets close to maxing out CPU usage. Is there a setting as to how much % of cpu usage is allowed to happen?

As far as I am aware, no. The only CPU related setting is the frequency choice drop down. I wouldn't expect you to be running into a limitation at 70% CPU.

bdubs85 · Mon Sep 24, 2018 1:58 am

It's strange, I know that I have a good number of mangle rules in place to manage my queue tree structure. I have noticed since this problem started (or maybe I'm just not remembering right...) that CPU usage doesn't really go above 70% when running with fasttrack off. Using the multiple TCP connection dslreports.com test does push it a little higher than the speedtest.net single TCP stream test (maybe 75%?), but neither one gets close to maxing out CPU usage. Is there a setting as to how much % of cpu usage is allowed to happen?
As far as I am aware, no. The only CPU related setting is the frequency choice drop down. I wouldn't expect you to be running into a limitation at 70% CPU.

I even tried to bump it up from stock 600mHz and there was very minimal performance gain if at all. CPU isn't getting fully utilized.

Jimmy · Thu Dec 13, 2018 8:47 pm

Is there any news about this?
I have just put A 2011 on instade of my dlink router but i get rely pur internet speed

I have newst firmware and os on.
I have 500/500 Mbit internet and the rb2011 only have 197 Mbit Down and 121 Mbit up

On my dlink i get 514/506

Cheers
Jimmy

bdubs85 · Thu Dec 13, 2018 9:07 pm

Aside from running an old firmware and router os version, I gave up. Maybe one day...

Jimmy · Fri Dec 14, 2018 11:02 pm

So you are using 6.36 and that is working ok?

bdubs85 · Fri Dec 14, 2018 11:13 pm

I just updated to the newest os and firmware and counted it as a loss being stuck at about 200mb down until I get a 3011 or something faster and can experiment with that faster hardware.

Jimmy · Fri Dec 14, 2018 11:26 pm

But before you upgrade the speed wars good?

bdubs85 · Fri Dec 14, 2018 11:58 pm

Yes, i believe I mentioned previously that 6.36.4 was the last version that gave me good speed.

Jimmy · Sat Dec 15, 2018 5:49 pm

Hmm i get the same rely slow speed about max 200 mbit and poor 140 upload

so back to DLINK router

I rely hope mikrotik can come up with an update wend 2011 still to bye ?
If I wars sure the speed wars ok I will go and bye an 4011 bye if it is the same as 2011 then it is to many mony to spend instead of buying asus or dlink?

Is there any that have hispeed internet over 500/500 mbit that can confirm that a 4011 can Handel that speed?

Cheers
Jimmy

nescafe2002 · Sat Dec 15, 2018 6:48 pm

RB2011 as a basic router can handle 890 Mbps of IPv4 TCP fasttracked traffic. Other configuration aspects can make it slower. Post config to be sure.

bdubs85 · Sat Dec 15, 2018 6:57 pm

RB2011 as a basic router can handle 890 Mbps of IPv4 TCP fasttracked traffic. Other configuration aspects can make it slower. Post config to be sure.

Any idea why vanilla config would have that issue? I always got fantastic lan performance, it just happens when hitting wan.

bdubs85 · Sat Dec 15, 2018 7:00 pm

Hmm i get the same rely slow speed about max 200 mbit and poor 140 upload so back to DLINK router
I rely hope mikrotik can come up with an update wend 2011 still to bye ?
If I wars sure the speed wars ok I will go and bye an 4011 bye if it is the same as 2011 then it is to many mony to spend instead of buying asus or dlink?

Is there any that have hispeed internet over 500/500 mbit that can confirm that a 4011 can Handel that speed?

Cheers
Jimmy

I'm sure 3011 and 4011 or a cloud router would be good for that, with routing rules and whatnot.

Jimmy · Sun Dec 23, 2018 2:45 am

I cut post a config but it is a standart router setup with no wireless so no need for config?

I have A 1100 dude ready i Will try that, just for fore A try and in the new year i Will ordre A 4011 but it Will be Nice og any had try A 4011 on A Line over 300/300 Mbit to make sure it can handel it?

The mikrotik is still Selling 2011 AS A 1 GB router but can only handel 200 Mbit it is relay bad for A hardware there is beging to make there rank up in the World ?

Cheers
Jimmy

bdubs85 · Wed Dec 26, 2018 2:49 am

So, Merry Christmas...without changing my config at all, my speeds are now back to normal. Maybe the most recent Mikrotik patch fixed whatever was wrong? Either way, thank you mikrotik!

Looking a little closer at the options on a certain speedtest site shows 2 options now: multiple or single stream tests.

Running a single stream test with fasttrack disabled shows horrible performance at sub-60mbps download speed at approximately 60% cpu utilization on the 2011.
Running a multiple stream test with fasttrack disabled shows slightly improved performance over the single stream test with 75mbps download speed at between 60-70% cpu utilization on the 2011.
Running a single stream test with fasttrack enabled still shows subpar performance, with average of 150-170mbps download speed at approximately 17-20% cpu utilization on the 2011.
Running a multiple stream test with fasttrack enabled shows greatly improved performance over the single stream test with ~400mbps download at between 35-50% cpu utilization on the 2011.

Still very weird that CPU is never close to being maxed out.

Edit: added the speed test options and results, RouterOS and firmware version 6.43.8 on RB2011: laptop is hardwired through the 2011 with wAP ac for wireless coverage through CAPsMAN for everyone else.

Jimmy · Fri Dec 28, 2018 1:50 am

I do not understand how you can get that speed? After update to 6.43.8 is the worst shit I have seen from mikrotik

Back to DLINK Again

# dec/28/2018 00:36:18 by RouterOS 6.43.8
# software id = 8N6V-6ATQ
#
# model = 2011UAS-2HnD
# serial number = 419E02286B23
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge ssid=MikroTik \
    wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] mac-address=1C:5F:2B:70:B2:9B
set [ find default-name=sfp1 ] disabled=yes
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.0.100-192.168.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.0.1/24 interface=ether2 network=192.168.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1 netmask=24
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge1 type=internal
add interface=ether1 type=external
/lcd
set enabled=no touch-screen=disabled
/lcd interface pages
set 0 interfaces=wlan1
/system clock
set time-zone-name=Europe/Copenhagen
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

sebastia · Fri Dec 28, 2018 2:02 am

Hey

I'm guessing the test was for forwarded traffic? And I'm hoping the test was not over wifi?!? And also not over the 100mbit ports? Any cpu usage data?
Do note that the gbit switch is connected over 1gbit line: so max you'll be able to do is 500 up + down = 1gbit total
Block diagram: https://i.mt.lv/cdn/rb_files/Block-RB2011UAS-2HnD.pdf

With the listed config all traffic is processed in full -> no fast-track.

Add this and retest

/ip firewall filter
add action=fasttrack-connection chain=forward comment="FastTrack: established & related" connection-state=established,related place-before=0

Jimmy · Fri Dec 28, 2018 2:38 am

standart router basic setup with cabel and Of cause 1gb. (if you see my config my wifi is distable

lucky i have a RB1100AHx4 for test, and now i no i will bye a RB4011 bur it is still sad about the speed on RB2011

This is on RB1100AHx4 with same setup and same version and firmware

sebastia · Fri Dec 28, 2018 2:44 am

2011 is not as fast as 4011, but with the suggested change it can do much better.

Jimmy · Fri Dec 28, 2018 3:12 am

The RB4011 uses a quad core Cortex A15 CPU, same as in our carrier grade RB1100AHx4 unit, so hopfull it will run as RB1100AHx4

bdubs85 · Fri Dec 28, 2018 11:47 pm

So did you enable fast track yet?

Jimmy · Sat Dec 29, 2018 12:32 am

No sorry i Will try it to morrow.

Cheers
Jimmy

neilticktin · Sat Dec 29, 2018 8:46 pm

When a new connection was being put it a couple days ago, we started doing testing and saw poor performance on a RB2011 -- around 100 mbps when the cable modem was testing directly at 900+ mbps. Decided to really streamline the rules and make sure that we were using FastTrack. A bit better, but not as much as one would think. So we went ahead and swapped out the RB2011 with a RB3011 that we had on hand, and found that it doubled the speed to 300-400 mbps -- but still nowhere near the 900+ mbps that we saw on a direct connect with the cable modem.

It feels to us like a bug in v6.43.8 -- any more that we can help provide to help identify?

Thanks!

Neil

nescafe2002 · Sun Dec 30, 2018 12:10 pm

RB3011 w/fasttrack should reach 850Mbps easily, more or less depending on configuration.

RB3011 at 6.43.8 reaches 335 Mbps without fasttrack and 550Mbps with fasttrack (500Mbps capped connection) in a single TCP connection based browser test.

Are you perhaps using an IPv6 test server?

bdubs85 · Sun Dec 30, 2018 5:07 pm

If you have ipv6 disabled in the router, it won't connect to ipv6 websites or connections, right?

bdubs85 · Sun Dec 30, 2018 5:11 pm

When a new connection was being put it a couple days ago, we started doing testing and saw poor performance on a RB2011 -- around 100 mbps when the cable modem was testing directly at 900+ mbps. Decided to really streamline the rules and make sure that we were using FastTrack. A bit better, but not as much as one would think. So we went ahead and swapped out the RB2011 with a RB3011 that we had on hand, and found that it doubled the speed to 300-400 mbps -- but still nowhere near the 900+ mbps that we saw on a direct connect with the cable modem.

It feels to us like a bug in v6.43.8 -- any more that we can help provide to help identify?

Thanks!

Neil

Can you try downgrading to 6.36.4 or earlier os and firmware and see if you have normal speed with fasttrack?

I just want to know if it's just my hardware (modem+router) or the 2011 itself/software bug.

bdubs85 · Mon Jan 14, 2019 8:44 am

Heck, why not...
It's a new year, nothing changed...
Speedtest.net gives 150 down/22 up
Dslreports gives 450 down/23 up

Gotta love the consistency.

bdubs85 · Fri Jan 18, 2019 9:33 pm

I'll be leaving cable for a fiber connection soon (either 250/25 or 500/50) so I will be able to test and see what happens on a different ISP/modem with the same router/config/computers.
Speed is still bad, much worse at times: only 75-200 down.

dasvos · Sun Jan 20, 2019 9:47 am

Have you ruled out the speedtest server as a possible issue?

Have you tried to connect another computer to WAN and test the throughput using a tool like iperf?

CsXen · Mon Jan 21, 2019 12:30 am

Hi.

Speedtest.net gives 150 down/22 up

On our 2011 this is the scenario too. When I upgraded it to 6.40.9 because of winbox vulnerability, it slowed down to about 150/28 Mbps... on a 350/30 UPC ConnectBox modem.
If I test the direct link without 2011, just PC->UPC... there is a full 350/30 speed. So something wrong with the RoS versions till 6.36.x
(I glued to 6.40.9 because it is the latest version, which uses master/slave port config instead of Hw offloading.

which is a pain in my *ss)

Best regards: CsXen

bdubs85 · Mon Jan 21, 2019 4:10 am

I really wish there was a solution to this. The 2011 is fairly powerful and I hate to upgrade it because of a software issue. I would be ok if it impacted lan traffic too or had some logical reason, but fasttrack thru wan shouldn't slow down that bad, especially without cpu maxing out...

mkx · Mon Jan 21, 2019 3:49 pm

Unrelated, but never the less:

I glued to 6.40.9 because it is the latest version, which uses master/slave port config instead of Hw offloading.

I'm using 6.44beta54 on my RB951G configured with traditional /interface ethernet setup, including VLANs in hardware ... and things work just fine. E.g. VLAN filtering works wire speed without RB's CPU noticing single bit.

The only big difference on ROS change 6.40->6.41 is how ports are grouped to a switch group (6.40) or bridge (6.41), nothing else is forced by this SW change.

CsXen · Mon Jan 21, 2019 4:25 pm

Hi.

I'm using 6.44beta54 on my RB951G configured with...

So.. your RB951 has 1 (one) switch chip, my RB2011 has 2 (two) different speed switch chip, and I can't do bridge the bridges.
(1 bridge for 1G and 1 bridge for 100M ports instead of switching... and can't bridge this 2 bridges.

In old time, I simply bridged the two master port, and filtered, what I want... So the new bridge scheme with Hw offloading is a pain in my *ss, as I said.)

Best regards: CsXen

mkx · Mon Jan 21, 2019 8:33 pm

In new time you simply add all 10 ports to the same bridge. Regardless, bridge will only see traffic sent towards it through switch1-cpu and switch2-cpu "interfaces" (those are actually old master-ports). The new bridge implementation doesn't mess with /interface ethernet switch settings unless you configure bridge with vlan-filtering=yes.

Why, instead of whining, don't you just try?

CsXen · Thu Jan 24, 2019 6:50 pm

Hi.

Why, instead of whining, don't you just try?

I tried... I can't got over about 100Mbps on the Giga ports. I think, this is because bridge is as fast as the slowest port in it.
When current issue will corrected (150M max even with fasttrack...) I will try again.

Best regards: CsXen

volkswagner · Sat Feb 09, 2019 5:44 pm

I wish MikroTik would help here. There is a serious issue with the later software or firmware or both.
It's frustrating to see their synthetic test results, while we can only realize a very small fraction in real world scenario.

With gigabit connections becoming more affordable, I'm now seeing MikroTik devices not keeping up.

I had a site with rb2011 with older software capping out at ~280Mbs in a gig connection. I thought
perhaps an update would help. Updated to latest software and firmware, which cause speed to cap
at about 120Mbs. I ended up using the providers router and and took the RB2011 home.

At home I performed a factory reset with default config and got the same speeds in my Gig services.
Additionally my hEX (750G r3) only gets ~550Mbs. I connected RB4011 and I get wire speed with
all other variables the same (computer, lan cable, modem, speed test site).

I see the same issue with CPU load never gets above ~70%. the RB2011 is the only device out of the
three that starts at it's max speed then slowly decreases over the test time (which appears to be some
sort of throttling). The hEX and RB4011 gradually speed up then maintain it's max speed.

I have a CRS125-24G-1S with 200Mbs circuit which maxes out at 50Mbs running 6.43.8.

I would love if MikroTik would stop saying we are just whiners. How about MikroTik tells
us which packages/firmware combination and which config will give us performance.
Like, hey MikroTik, put your money where your mouth is. Stop saying it's a problem with
our config, show me a good config that works, then I'll stop whining

Clearly vanilla/stock config does not cut the mustard.

sebastia · Sat Feb 09, 2019 6:14 pm

As a Tik admin you have a lot of features / possibilities in your hands, but also responsibility, as the choices made have significant impact.

Few examples:
* vlans & bridging: latest software introduces bridge level vlans, but it's has only limited switch chip support. one ends up quickly with full cpu processing. using switch menu features is better for performance.

* physical topology / connections of ports matters, see https://i.mt.lv/cdn/rb_files/RB2011iL-160620170215.png. if wan is on eth1-5 and lan on 6-10, 100mb is max one can get! Knowing the platform is important. Same story for hex (https://i.mt.lv/cdn/rb_files/RB750Gr3-d ... 140316.png & https://i.mt.lv/cdn/rb_files/RB750Gr3-e ... 152443.png), depending on how it is connected and configured, throughput could be capped to 500mbps, and that even before accounting for the bi-directional traffic.

* Its necessary to measure / analyse at the right place and in context. Router itself won't speed up or slow down, it will just do it's thing. The up's and down's depend on quite a bit of aspects: window size at client, ISP situation, source server load, ...

* CRS is a switch! Don't try to route with it -> know the hardware

BTW, it's a user that mentioned something about "whining" not the company.

bdubs85 · Sat Feb 09, 2019 6:25 pm

I wish MikroTik would help here. There is a serious issue with the later software or firmware or both.
It's frustrating to see their synthetic test results, while we can only realize a very small fraction in real world scenario.

With gigabit connections becoming more affordable, I'm now seeing MikroTik devices not keeping up.

I had a site with rb2011 with older software capping out at ~280Mbs in a gig connection. I thought
perhaps an update would help. Updated to latest software and firmware, which cause speed to cap
at about 120Mbs. I ended up using the providers router and and took the RB2011 home.

At home I performed a factory reset with default config and got the same speeds in my Gig services.
Additionally my hEX (750G r3) only gets ~550Mbs. I connected RB4011 and I get wire speed with
all other variables the same (computer, lan cable, modem, speed test site).

I see the same issue with CPU load never gets above ~70%. the RB2011 is the only device out of the
three that starts at it's max speed then slowly decreases over the test time (which appears to be some
sort of throttling). The hEX and RB4011 gradually speed up then maintain it's max speed.

I have a CRS125-24G-1S with 200Mbs circuit which maxes out at 50Mbs running 6.43.8.

I would love if MikroTik would stop saying we are just whiners. How about MikroTik tells
us which packages/firmware combination and which config will give us performance.
Like, hey MikroTik, put your money where your mouth is. Stop saying it's a problem with
our config, show me a good config that works, then I'll stop whining
Clearly vanilla/stock config does not cut the mustard.

That has been my question/problem from the beginning. I get if the bridge performance changes how things work, but is it possible to give some insight into why things are acting weird.

Why did speed decrease only on wan traffic so dramatically since removing master/slave config?

Why even with fasttrack enabled does speed start out normal but slow down so dramatically without a corresponding maxing out of cpu? Speed often remains slower in subsequent tests. Is this an internal device buffer problem or packet timing issue? Can I troubleshoot this?

Why does cpu performance not go above 70-80% even when fasttrack is disabled?

Unfortunately I don't have another gigabit capable device at the moment to check config, but will within a month or 2.

volkswagner · Sat Feb 09, 2019 10:24 pm

As a Tik admin you have a lot of features / possibilities in your hands, but also responsibility, as the choices made have significant impact.

Few examples:
* vlans & bridging: latest software introduces bridge level vlans, but it's has only limited switch chip support. one ends up quickly with full cpu processing. using switch menu features is better for performance.

* physical topology / connections of ports matters, see https://i.mt.lv/cdn/rb_files/RB2011iL-160620170215.png. if wan is on eth1-5 and lan on 6-10, 100mb is max one can get! Knowing the platform is important. Same story for hex (https://i.mt.lv/cdn/rb_files/RB750Gr3-d ... 140316.png & https://i.mt.lv/cdn/rb_files/RB750Gr3-e ... 152443.png), depending on how it is connected and configured, throughput could be capped to 500mbps, and that even before accounting for the bi-directional traffic.

* Its necessary to measure / analyse at the right place and in context. Router itself won't speed up or slow down, it will just do it's thing. The up's and down's depend on quite a bit of aspects: window size at client, ISP situation, source server load, ...

* CRS is a switch! Don't try to route with it -> know the hardware

BTW, it's a user that mentioned something about "whining" not the company.

@sebastia thanks for chiming in. Thanks for pointing out block diagrams, (which I'm already familiar with). I'm not sure what "if wan is on eth1-5 and lan on 6-10, 100mb is max one can get!" means. I certainly was not connecting to a 100Mb port and expecting greater than 100Mbs. Are you suggesting combining 1000Mbs and 100Mbs ports in same bridge, will degrade all 1000Mbs ports to 100Mbs Max?

I'm not sure what I'm supposed to learn from your post.
I asked some very direct questions and offered very direct challenge (please provide a working config that allows max NAT throughput).
I understand CRS is classified as a switch. A 600Mhz CPU with very modest routing needs, should be handled with ease.

MikroTik could be so much more if this forum offered real solutions vs pointing to existing documents. The Wiki is not clear, especially with so many variants of hardware and iterations of software advance. I don't think it's unreasonable to expect over 400Mbs from a RB2011 fully patched with default config, do you?

According to MikroTik, the CRS125 and RB2011 display nearly identical routing test results.
https://mikrotik.com/product/CRS125-24G ... estresults
https://mikrotik.com/product/RB2011UiAS ... estresults

Please tell me why I shouldn't consider them both for routing purposes?
If MikroTik doesn't show real world test results, how is anyone expected to pick the correct hardware for the desired workload?

So again, I challenge anyone to show me a config that will route NAT on RB2011 at the hardware's maximum limit.
Why can't we saturate the CPU with NAT traffic?
Why does the RB2011 appear to throttle at 70-75% CPU utilization (or after a 1 dec celsius increase).

My whining comment was not directly related to this thread, but from MikroTik employee at a MUM presentation.
I thought it was a worldly know fact (how MikroTik feels about it's user base complaining about misrepresented stats).
The consensus is always the same, "know your product". How are we supposed to "know it", when example stats are not
real world and when people ask for help, they simply get pointed to existing documentation, without any explanation.
Try giving your 12 year old child the keys to the car and a driving manual and expect them to learn how to drive
without any first hand instruction. Many of us need some on on one help.

People coming to these forums are looking for help, for products they genuinely like, but
since not all the users have the knowledge of how to wire a switch chip, it's hard to get real help. Why is there such
apprehension to share real world examples and individual help?

Claims have been made in this thread... the RB2011 has actually NAT'd over 800Mbs, but nobody has
posted a config that can do such. It's a simple request.

Please help educate your consumers MikroTik.

CZFan · Sat Feb 09, 2019 11:37 pm

I have managed to get ~ 850Mb/s with RB2011, using NAT (No PPPoE). About a year ago, the RB2011 retired to my lab area and has been replaced with a HAP AC2 and I no longer have a 1Gb/s Internet link.

Why do you not start by providing your full config, and we can make suggestions?

volkswagner · Sun Feb 10, 2019 12:55 am

Well hopefully I'll be able to call myself an idiot when all said and done!

You helped me see a potential issue. Ignorance on my part, or a failed reset has
left some configs, that I didn't expect to see.

Here is the config that I last use (which I expected to be bone stock default, out of the box experience).
Notice firewall rules pointing to address list "LAN" and other ipec related firewall rules (that I don't expect
would be in the default config). I see how firewall rules were carried over in reset, but the address lists weren't?

I'll have to do a better reset and try again.

# feb/06/2019 21:57:45 by RouterOS 6.43.11
# software id = KQLT-H381
#
# model = 2011UiAS-2HnD
# serial number = 762C0718xxxx
/interface bridge
add admin-mac=64:D1:54:2C:xx:xx auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
    MikroTik-2C9E69 wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/lcd interface pages
set 0 interfaces=wlan1
/system clock
set time-zone-name=America/New_York
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

sebastia · Sun Feb 10, 2019 2:56 am

My previous post was mean to provide perspective and context: performance depends not only on hardware, but also software, configuration and topology. There is no one good solution.

bdubs85 · Sun Feb 10, 2019 6:07 am

I have managed to get ~ 850Mb/s with RB2011, using NAT (No PPPoE). About a year ago, the RB2011 retired to my lab area and has been replaced with a HAP AC2 and I no longer have a 1Gb/s Internet link.

Why do you not start by providing your full config, and we can make suggestions?

Why don't you un-retire the RB2011, install new ROS and firmware and see what sort of performance change you get, vs whatever ISP speeds you get with your hap AC2? What is your link speed currently?
I remember you had given up after I reset to plain vanilla on page 1.

CZFan · Sun Feb 10, 2019 2:32 pm

Back in the times I had a 1Gb internet, my one son (Serious gamer) was living with us and he paid for the link. This is not the case anymore, he has moved out, moved the 1Gb link with him, so now I have a measly 40/20 fibre link so will not prove anything anymore unfortunately.

volkswagner · Sun Feb 10, 2019 5:59 pm

Well, it seems I'm progressing and can't blame hardware or software just yet. I have been able to achieve ~800Mbs
with the following config:

# feb/10/2019 10:54:43 by RouterOS 6.43.11
# software id = KQLT-H381
#
# model = 2011UiAS-2HnD
# serial number = 762C0718xxxx
/interface bridge
add admin-mac=64:D1:54:2C:xx:xx auto-mac=no comment=defconf name=bridgeLocal
/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.88.10-192.168.88.99
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridgeLocal name=dhcp1
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
add bridge=bridgeLocal comment=defconf interface=ether6
add bridge=bridgeLocal comment=defconf interface=ether7
add bridge=bridgeLocal comment=defconf interface=ether8
add bridge=bridgeLocal comment=defconf interface=ether9
add bridge=bridgeLocal comment=defconf interface=ether10
add bridge=bridgeLocal comment=defconf interface=sfp1
/interface wireless cap
# 
set bridge=bridgeLocal discovery-interfaces=bridgeLocal enabled=yes \
    interfaces=wlan1
/ip address
add address=192.168.88.1/24 comment=ericAdded interface=bridgeLocal network=\
    192.168.88.0
/ip dhcp-client
add comment="eric moved dhcp-client to eth1, was on bridgeLocal" \
    dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=1.1.1.1 gateway=192.168.88.1
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat comment="eric added after reset" \
    out-interface=ether1
/system clock
set time-zone-name=America/New_York

This offers no real firewall protection. Does anyone have any suggestions what to add to firewall to make it more secure, but not slow throughput?

CZFan · Sun Feb 10, 2019 6:17 pm

Generic, home use FW rules for me are: (With fwd chain rules first)

1. Drop invalid, fwd chain
2. accept Fastrack, fwd chain, est, rel
3. accept fwd chain, est, rel
4.allow new from lan, fwd chain
5. allow dst nat, in wan, connection new, fwd chain
6. drop all fwd chain

Then use similar for Input chain except the dst nat rule

volkswagner · Sun Feb 10, 2019 8:11 pm

I followed this post

and ended up with the following config, which still yielded 750-800Mbs NAT download.

# feb/10/2019 13:06:30 by RouterOS 6.43.11
# software id = KQLT-H381
#
# model = 2011UiAS-2HnD
# serial number = 762C0718xxxx
/interface bridge
add admin-mac=64:D1:54:2C:xx:xx auto-mac=no comment=defconf name=bridgeLocal
/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.88.10-192.168.88.99
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridgeLocal name=dhcp1
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
add bridge=bridgeLocal comment=defconf interface=ether6
add bridge=bridgeLocal comment=defconf interface=ether7
add bridge=bridgeLocal comment=defconf interface=ether8
add bridge=bridgeLocal comment=defconf interface=ether9
add bridge=bridgeLocal comment=defconf interface=ether10
add bridge=bridgeLocal comment=defconf interface=sfp1
/interface wireless cap
# 
set bridge=bridgeLocal discovery-interfaces=bridgeLocal enabled=yes \
    interfaces=wlan1
/ip address
add address=192.168.88.1/24 comment=ericAdded interface=bridgeLocal network=\
    192.168.88.0
/ip dhcp-client
add comment="eric moved dhcp-client to eth1, was on bridgeLocal" \
    dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=1.1.1.1 gateway=192.168.88.1
/ip firewall address-list
add address=192.168.88.0/24 list=support
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    \_need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    disabled=yes list=bogons
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=drop chain=input comment=\
    "Drop invalid, will need to update this rule when using ipsec" \
    connection-state=invalid
add action=accept chain=forward connection-state=established,related \
    disabled=yes
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
    tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
    src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
    src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
    ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
    PORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" \
    jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons
add action=add-src-to-address-list address-list=spammers \
    address-list-timeout=3h chain=forward comment=\
    "Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
    25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
    protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" \
    connection-state=established
add action=accept chain=input comment="Accept to related connections" \
    connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" \
    src-address-list=support
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
    RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED"
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \
    icmp-options=8:0 limit=1,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
    3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
    protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat comment="eric added after reset" \
    out-interface=ether1
/system clock
set time-zone-name=America/New_York

volkswagner · Sun Feb 10, 2019 8:21 pm

Thanks to everyone (@sebastia & @CZfan) that helped me on my journey.

The most important things I learned:

Don't trust software reset (command line nor WebFig) they leave traces of user config even when not checked
FastTrack does work.
Make sure firewall rules make sense and always test after implementing firewall changes
Queues don't work with fasttrack. If I need Queues, I'll need a more powerful model. Next test is to see if I can use Queues with RB4011 and still get high throughput.

I was also able to modify my existing firewall rules on RB750 G3. I made sure FastTrack was enabled and working correctly.
I now get over 900Mbs on my hEX!

...
hEX results:

CZFan · Sun Feb 10, 2019 9:29 pm

Well done, glad I could help.

FYI, IIRC, that is exactly what I achieved with my 2011, 812Mb/s

The link you posted to the firewall config, I just did a quick scan through it and off the bat it looks over complicated for many environments, I will also be weary of the following 2 rules as generally you will want to limit this to access only from inside your network, else can become a target for DNS Amplification attacks

add action=accept chain=input comment="Accept DNS - UDP" disabled=no port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" disabled=no port=53 protocol=tcp

bdubs85 · Sun Feb 17, 2019 10:46 am

Well, I reset my 2011 to no config, copied and pasted your config and I still have exactly the same performance as before. This is irritating.

Then a few minutes later, I reset to my config with mangle rules and everything, with fasttrack enabled like usual:

It doesn't stay this good of course.

I followed this post

and ended up with the following config, which still yielded 750-800Mbs NAT download.

# feb/10/2019 13:06:30 by RouterOS 6.43.11
# software id = KQLT-H381
#
# model = 2011UiAS-2HnD
# serial number = 762C0718xxxx
/interface bridge
add admin-mac=64:D1:54:2C:xx:xx auto-mac=no comment=defconf name=bridgeLocal
/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.88.10-192.168.88.99
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridgeLocal name=dhcp1
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
add bridge=bridgeLocal comment=defconf interface=ether6
add bridge=bridgeLocal comment=defconf interface=ether7
add bridge=bridgeLocal comment=defconf interface=ether8
add bridge=bridgeLocal comment=defconf interface=ether9
add bridge=bridgeLocal comment=defconf interface=ether10
add bridge=bridgeLocal comment=defconf interface=sfp1
/interface wireless cap
# 
set bridge=bridgeLocal discovery-interfaces=bridgeLocal enabled=yes \
    interfaces=wlan1
/ip address
add address=192.168.88.1/24 comment=ericAdded interface=bridgeLocal network=\
    192.168.88.0
/ip dhcp-client
add comment="eric moved dhcp-client to eth1, was on bridgeLocal" \
    dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=1.1.1.1 gateway=192.168.88.1
/ip firewall address-list
add address=192.168.88.0/24 list=support
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    \_need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    disabled=yes list=bogons
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=drop chain=input comment=\
    "Drop invalid, will need to update this rule when using ipsec" \
    connection-state=invalid
add action=accept chain=forward connection-state=established,related \
    disabled=yes
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
    tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
    src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
    src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
    ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
    PORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" \
    jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons
add action=add-src-to-address-list address-list=spammers \
    address-list-timeout=3h chain=forward comment=\
    "Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
    25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
    protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" \
    connection-state=established
add action=accept chain=input comment="Accept to related connections" \
    connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" \
    src-address-list=support
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
    RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED"
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \
    icmp-options=8:0 limit=1,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
    3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
    protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat comment="eric added after reset" \
    out-interface=ether1
/system clock
set time-zone-name=America/New_York

CZFan · Sun Feb 17, 2019 4:37 pm

Maybe you should approach your ISP?

bdubs85 · Sun Feb 17, 2019 4:47 pm

If i hook directly to the modem it runs flat out and they tell me it's my router. This modem isn't a "router", so can't put it into bridge or pass thru mode (i thought double nat issue maybe). I spent 3 hours one evening getting escalated and bounced around.

Maybe you should approach your ISP?

CZFan · Mon Feb 18, 2019 12:14 am

If I may ask, what device is this ISP modem, make, model, etc?

bdubs85 · Mon Feb 18, 2019 12:50 am

Arris TM1602a docsis 3.0 cable/telephony modem

If I may ask, what device is this ISP modem, make, model, etc?

bdubs85 · Tue Mar 12, 2019 1:58 am

I upgraded to a RB4011iGS+5HacQ2HnD and it's running max speed every time at around 4% CPU out of the box.

MarHazK · Tue Jul 02, 2019 1:10 am

so, anyone has a sample config how to solve this yet so that the TiK can achieve the expected speeds (ie should be 800mbps at 800mbps ISP internet plan but physically still stucked at 60-130mbps)?

Sent from my CPH1819 using Tapatalk

sebastia · Tue Jul 02, 2019 9:35 am

sure:
1. update to latest version of RouterOs
2. restore default home router config

psion · Sun Jul 21, 2019 12:35 am

I do not understand how you can get that speed? After update to 6.43.8 is the worst shit I have seen from mikrotik

Back to DLINK Again

# dec/28/2018 00:36:18 by RouterOS 6.43.8
# software id = 8N6V-6ATQ
#
# model = 2011UAS-2HnD
# serial number = 419E02286B23
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge ssid=MikroTik \
    wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] mac-address=1C:5F:2B:70:B2:9B
set [ find default-name=sfp1 ] disabled=yes
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.0.100-192.168.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.0.1/24 interface=ether2 network=192.168.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1 netmask=24
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge1 type=internal
add interface=ether1 type=external
/lcd
set enabled=no touch-screen=disabled
/lcd interface pages
set 0 interfaces=wlan1
/system clock
set time-zone-name=Europe/Copenhagen
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

jup getting exactly this drop off on upload, started a few updates back. Annoying as heck. With a useless DLINK its perfect.
Reseting and using basic config with no filter rules it still does not work. Changing to a different RB does the same, Something really has changed in how the software handle traffic.

rudykern · Sun Jul 21, 2019 1:34 am

Recent test in house

Sent from my iPhone using Tapatalk

JordanReich · Tue Jul 23, 2019 6:52 pm

Same issue experienced as those above. Except I upgraded the firmware on HEX to the newest release. I dropped from 983/875 to 120/6.

Where do we go to get older firmware packages? The links I have found do not appear to work any longer.

elico · Mon Jul 29, 2019 2:53 am

I have a local RB2011 (FW 6.44.3)with 2 LAN segments:
LAN - 10.0.0.138/24
SERVERS - 192.168.89.1/24

Client: 10.0.0.65
LAN SpeedTest Server: 10.0.0.79/10.0.0.13
SERVERS SpeedTest Server: 192.168.89.42

It works for a very long time now but always with the same max routing speed of 250-280 Mbps from one segment to the other.
I have tested couple setups with a local speed test server and iperf server.
Testing speed on the same broadcast segment Via a switch a get:
https://pasteboard.co/Iq8s1H2.png

And with iperf:

iperf3.exe -c 10.0.0.13
Connecting to host 10.0.0.13, port 5201
[ 4] local 10.0.0.65 port 53110 connected to 10.0.0.13 port 5201
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-1.00 sec 111 MBytes 933 Mbits/sec
[ 4] 1.00-2.00 sec 112 MBytes 936 Mbits/sec
[ 4] 2.00-3.00 sec 112 MBytes 938 Mbits/sec
[ 4] 3.00-4.00 sec 112 MBytes 942 Mbits/sec
[ 4] 4.00-5.00 sec 112 MBytes 941 Mbits/sec
[ 4] 5.00-6.00 sec 112 MBytes 943 Mbits/sec
[ 4] 6.00-7.00 sec 111 MBytes 932 Mbits/sec
[ 4] 7.00-8.00 sec 110 MBytes 924 Mbits/sec
[ 4] 8.00-9.00 sec 112 MBytes 938 Mbits/sec
[ 4] 9.00-10.00 sec 111 MBytes 928 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.00 sec 1.09 GBytes 935 Mbits/sec sender
[ 4] 0.00-10.00 sec 1.09 GBytes 935 Mbits/sec receiver

iperf Done.

When I move the server to the servers segment and test I get these results:
https://pasteboard.co/Iq8uDS8.png

And with iperf:

iperf3.exe -c 192.168.89.42
Connecting to host 192.168.89.42, port 5201
[ 4] local 10.0.0.65 port 53127 connected to 192.168.89.42 port 5201
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-1.00 sec 9.00 MBytes 75.5 Mbits/sec
[ 4] 1.00-2.00 sec 17.1 MBytes 144 Mbits/sec
[ 4] 2.00-3.00 sec 15.4 MBytes 129 Mbits/sec
[ 4] 3.00-4.00 sec 23.6 MBytes 198 Mbits/sec
[ 4] 4.00-5.00 sec 23.6 MBytes 198 Mbits/sec
[ 4] 5.00-6.00 sec 16.0 MBytes 134 Mbits/sec
[ 4] 6.00-7.00 sec 23.9 MBytes 200 Mbits/sec
[ 4] 7.00-8.00 sec 24.0 MBytes 202 Mbits/sec
[ 4] 8.00-9.00 sec 23.1 MBytes 194 Mbits/sec
[ 4] 9.00-10.00 sec 23.4 MBytes 196 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.00 sec 199 MBytes 167 Mbits/sec sender
[ 4] 0.00-10.00 sec 199 MBytes 167 Mbits/sec receiver

iperf Done.

When I am monitoring the speeds on the winbox gui I can see it is maxed on 250~ Mbps:
https://pasteboard.co/Iq8wql5.png

These speeds was always the same and I never managed to go above it.
With RB750Gr3 I managed to surpass this speed to something like 400~ Mbps.

I do not know what might cause this issue but it's clear to me that both RB750Gr3 and RB2011 cannot stream a single connection in routing mode faster then 400 Mbps.
... I have tested the speed in LAN and not against the Internet, the ping between the devices in 0.3 ms.
I have seen the mentioned configuration and I managed to reset the RB2011 and the RB750Gr3 into the default config with FastTrack and with minimal FW rules(defaults...).

For these who want to run a speedtest against a 1Gbps service try:
https://speed.rimon.net.il/

I really do not understand how anyone got 850Mbps on these devices.

Since I have upgraded to FW 6.44.5 and the speed decreased from max 280~ Mbps to 230~ Mbps for multiple HTTP streams and
about 170~ Mbps for a single stream with iperf:

iperf3.exe -c 192.168.89.42
Connecting to host 192.168.89.42, port 5201
[ 4] local 10.0.0.65 port 54016 connected to 192.168.89.42 port 5201
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-1.00 sec 14.5 MBytes 122 Mbits/sec
[ 4] 1.00-2.00 sec 21.0 MBytes 176 Mbits/sec
[ 4] 2.00-3.00 sec 21.0 MBytes 176 Mbits/sec
[ 4] 3.00-4.00 sec 21.1 MBytes 177 Mbits/sec
[ 4] 4.00-5.00 sec 22.4 MBytes 188 Mbits/sec
[ 4] 5.00-6.00 sec 14.9 MBytes 125 Mbits/sec
[ 4] 6.00-7.00 sec 20.8 MBytes 174 Mbits/sec
[ 4] 7.00-8.00 sec 21.0 MBytes 176 Mbits/sec
[ 4] 8.00-9.00 sec 22.0 MBytes 184 Mbits/sec
[ 4] 9.00-10.00 sec 20.4 MBytes 171 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.00 sec 199 MBytes 167 Mbits/sec sender
[ 4] 0.00-10.00 sec 199 MBytes 167 Mbits/sec receiver

iperf Done.

elico · Wed Aug 14, 2019 7:59 pm

EDIT: It appears that the browser on client cannot reach higher speed then 500 ~ Mbps on the HTTP SpeedTest.
So I tried again with iperf and found out the next:
via RB2011 using iperf with or without NAT I am able to reach 750 ~ Mbps.
However when I am disabling route cache I am reaching a limit of: 170 ~ 200 Mbps.

So... now it's working as expected and the culprit for the 200 ~ Mbps issue was? Route cache disabled..
Hope it helps to sum this issue testing for others.

-----

I have a local RB2011 (FW 6.44.3)with 2 LAN segments:
LAN - 10.0.0.138/24
SERVERS - 192.168.89.1/24

Client: 10.0.0.65
LAN SpeedTest Server: 10.0.0.79/10.0.0.13
SERVERS SpeedTest Server: 192.168.89.42

I have also tried to followup the whole post with config.
With 6.36.4 it is still the same expected speed 200 ~ Mbps with iperf and 400 ~ Mbps with a local LAN to SERVERS http speedtest.
The CPU load is between 30-50 % with NAT enabled or disabled.

What do you think?

Attached default config for Direct routing (NAT is disabled)

# aug/14/2019 19:48:35 by RouterOS 6.44.5
# software id = ETRH-AEFB
#
# model = 2011UiAS
# serial number = 77AD0727C344
/interface bridge add admin-mac=64:D1:54:2A:1F:49 auto-mac=no comment=defconf name=bridge
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip pool add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port add bridge=bridge comment=defconf interface=ether2
/interface bridge port add bridge=bridge comment=defconf interface=ether3
/interface bridge port add bridge=bridge comment=defconf interface=ether4
/interface bridge port add bridge=bridge comment=defconf interface=ether5
/interface bridge port add bridge=bridge comment=defconf interface=ether6
/interface bridge port add bridge=bridge comment=defconf interface=ether7
/interface bridge port add bridge=bridge comment=defconf interface=ether8
/interface bridge port add bridge=bridge comment=defconf interface=ether9
/interface bridge port add bridge=bridge comment=defconf interface=ether10
/interface bridge port add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings set discover-interface-list=LAN
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface=ether1 list=WAN
/ip address add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns set allow-remote-requests=yes
/ip dns static add address=192.168.88.1 name=router.lan
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
/system clock set time-zone-name=Asia/Jerusalem
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

CsXen · Wed Oct 09, 2019 11:14 am

Hi.

So... now it's working as expected and the culprit for the 200 ~ Mbps issue was? Route cache disabled..

So, where, and how did you changed the route cache seetings ?

Best regards: CsXen

StubArea51 · Wed Oct 09, 2019 4:44 pm

The route cache is set here

[admin@R1] > ip settings set route-cache=no

gedanjj9972 · Thu Nov 07, 2019 11:13 pm

So....disabling route cache got you the speeds you were looking for?

I'm having the same problem as you. I don't want to downgrade if I don't have to.

BobcatGuy · Fri Apr 10, 2020 10:28 am

Any follow up with this?
I have been thinking this for years that ROS and particular devices are acting strange. But no one believed me. Keep chasing problems that don't want to be fixed. Everyone says don't use the board to do the speed test.

Explain to me, why when I do the board to board speed test, I will get 150Mb over the wireless, BUT when I do the speedtest from a PC on the network to the ISP, who has 600mbit download, I only get 40 - 50 mbit?
This doesn't add up. There is other issues where I can plug in an ethernet cable into a laptop, and get around 50 mbit over the wireless link, through a Uniquiti switch. Then I take that SAME ethernet cable and plug it into a Rukus AP and then I connect the laptop to that wirelessly, and I get 80 Mbit. Keep in mind the ISP down speed is 600 Mbit.

I'm sitting here and listen to distributors that say I should be able to get 500mbit REAL through put over my wireless link, and sure the connected air modulation rate is 400-500mbit. But what should the REAL data rate be? Should it drop all the way down to 50-80mbit? I don't think so. But that same link worked at 180 -225 mbit and then it changed at some point.`

WHY? And the silence from MT only speaks to what there may be hidden problems.

You can get 700+ mbit on your RB2011, then why cant I? is it date of manufacture / Lot of product that was bad? why doesn't MT tell us if it is so we can dump this shit and move on.

ksuuk · Mon May 11, 2020 9:13 am

WHY? And the silence from MT only speaks to what there may be hidden problems.

You can get 700+ mbit on your RB2011, then why cant I? is it date of manufacture / Lot of product that was bad? why doesn't MT tell us if it is so we can dump this shit and move on.

Another "victim" - viewtopic.php?f=7&t=160943

bdubs85 · Mon May 11, 2020 9:48 am

After buying and being very unsatisfied with the 4011/wAP/RB260GSP, I'm planning my preliminary move/test of Ubiquiti.
Wireless tools and configuration is *meh* and the 4011 reboots itself at random times.

Edit:
A half year (approximately) later, the 4011 has stopped its antics and has become much more stable, possibly an update fix? I'm overall very happy with the price/performance value, just wish they would give a bit more love to the 2.4/5ghz AP wireless side.

bdubs85 · Mon Sep 14, 2020 8:19 pm

Explain to me, why when I do the board to board speed test, I will get 150Mb over the wireless, BUT when I do the speedtest from a PC on the network to the ISP, who has 600mbit download, I only get 40 - 50 mbit?

Often in the real world with crowded 2.4GHz spectrum, you won't realistically get more than 40-70 Mbps in a client/AP scenario. That's just the nature of 2.4GHz anymore in many cases. This is the biggest reason for migration to 5GHz. I haven't messed with the 2011 yet to give you an answer from my perspective yet, but I also have slower internet right now so it's not an issue at the moment.

elico · Wed Nov 04, 2020 8:18 pm

So....disabling route cache got you the speeds you were looking for?

I'm having the same problem as you. I don't want to downgrade if I don't have to.

Disabling route cache means disabling also FastTrack which technically is a "flow" offload into either hardware or software.
For normal and simple routers you would use FastTrack and Route Cache.
However when you are trying to use any mangle rules you would need to disable Router Cache and FastTrack.
For example, if you would want to run some kind of LoadBalancing based on PCC or any other way with some mangle rules, you must disable Route Cache for these to work.
The main issue is that the device has 5 x 1 Gbps links which can "Switch" packets without any problem however it's cpu cannot handle speed higher then 150 ~ Mbps.
It's the same thing for other devices from many vendors in the networking world.... It fits for most simple use cases based on "Flows".

If you need speeds above 400 Mbps you would need a device which will either have a special or programmable feature/cpu/other/flowtable or it should have a CPU that can handle Gbps..
ie specific ARM or other cpu's.

Who is online