Internet Speed

DavidGB · Wed Nov 20, 2019 9:18 pm

Hi,

I have a problem with my ISP internet speed.
I have 500/50Mb and when I connect directly to my ISP router I get 400/50 aprox but when I do the speed test connected to mikrotik I get 160/50 more or less.

Before adding fastrack connection in filter rules y got 100/50.
/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related
/ip firewall filter add chain=forward action=accept connection-state=established,related

Can somebody help me?

Thanks

plhaar · Wed Nov 20, 2019 9:26 pm

more info needed. which mikrotik are you using? are you connecting wireless or over ethernet? what type of machine are you connecting from?

I had issues with wireless from my laptop but it was because I had the bandwidth throttled to 20Mhz from the default 80Mhz. On the HAP ac2 I had full speed (140 Mbps) using the factory defaults over ethernet.

DavidGB · Thu Nov 21, 2019 9:34 am

Sorry,

My Mikrotik is RB2011UiAS-2HnD.
My connection is directly to eth2 (LAN) over ethernet and is Gigabit connection.
I use a Laptot.

Thanks

Zacharias · Thu Nov 21, 2019 10:09 am

What is the CPU usage during the speed test ?

mkx · Thu Nov 21, 2019 1:35 pm

Official test results, with my added interpretation[*], show that RB2011 hits its ceiling at around 200Mbps (give or take) routing speed, exact number depends on number and type of firewall filter rules. A faster router is needed for WAN speed you've got. I suggest you to look at hAP ac², it offers awfully lots of bang per buck.

[*]My experience is, that the most relevant test result indicating real-world performance is the one under "Routing - 25 ip filter rules - 512 byte packets".

DavidGB · Thu Nov 21, 2019 4:20 pm

What is the CPU usage during the speed test ?

Hi,

When I do the speed test CPU usage is 50-70% more or less

DavidGB · Thu Nov 21, 2019 4:33 pm

Official test results, with my added interpretation[*], show that RB2011 hits its ceiling at around 200Mbps (give or take) routing speed, exact number depends on number and type of firewall filter rules. A faster router is needed for WAN speed you've got. I suggest you to look at hAP ac², it offers awfully lots of bang per buck.

[*]My experience is, that the most relevant test result indicating real-world performance is the one under "Routing - 25 ip filter rules - 512 byte packets".

I've bought this router recently TT. Isn´t there any solution with this router??

Zacharias · Thu Nov 21, 2019 5:56 pm

According to the test results that @mkx correctly indicated and since the CPU goes as high as 70% we can conclude that thats the best RB2011 can do...
Imagine that even if it goes a little bit higher your CPU will go to 100% which means that the router will perform really really bad...

DavidGB · Thu Nov 21, 2019 6:13 pm

According to the test results that @mkx correctly indicated and since the CPU goes as high as 70% we can conclude that thats the best RB2011 can do...
Imagine that even if it goes a little bit higher your CPU will go to 100% which means that the router will perform really really bad...

Ok, thanks.

Another question.

The Mikrotik hAP ac² is better than my router? Is the best option for me?
I thought a router was better option than wireless system.

Actualy I have my ISP router as bridge and Mikrotik as router.

Zacharias · Thu Nov 21, 2019 6:44 pm

If you take a look at the test results of hap ac 2 you will see that in routing mode with 25 ip firewall filters and a packet size of 1518 byte it can reach about 2Gbps.
With a packet size of 512 Byte can reach a speed of about 1Gbps.
So sure it can perform better.

mozerd · Thu Nov 21, 2019 9:13 pm

The Mikrotik hAP ac² is better than my router? Is the best option for me?
I thought a router was better option than wireless system.

Actualy I have my ISP router as bridge and Mikrotik as router.

The best option for YOU is the MikroTik RB3011UiAS-RM and Yes I agree that a dedicated Router - like the RB3011UiAS-RM - is far superior that one that includes integrated wireless like the Mikrotik hAP ac². And if you need to add wireless I strongly suggest you consider the Ubiquiti UAP-AC PRO Access Points .... I currently do NOT recommend MikroTik Wireless AP's.

DavidGB · Thu Nov 21, 2019 9:35 pm

The Mikrotik hAP ac² is better than my router? Is the best option for me?
I thought a router was better option than wireless system.

Actualy I have my ISP router as bridge and Mikrotik as router.
The best option for YOU is the MikroTik RB3011UiAS-RM and Yes I agree that a dedicated Router - like the RB3011UiAS-RM - is far superior that one that includes integrated wireless like the Mikrotik hAP ac². And if you need to add wireless I strongly suggest you consider the Ubiquiti UAP-AC PRO Access Points .... I currently do NOT recommend MikroTik Wireless AP's.

Thanks so much! I will think about this option

CZFan · Thu Nov 21, 2019 11:39 pm

My 2c
With my previous RB2011 I could get ~800Mb/s download with fasttrack enabled.

During the times the speed tests were done, found also that different browsers gave very different results

Zacharias · Thu Nov 21, 2019 11:58 pm

With my previous RB2011 I could get ~800Mb/s download with fasttrack enabled.

All depends on the config used.
Ofcorse 2011 can reach that speed, test results show even better performance than yours when fast path is used. But when you use firewall, queues ect then things change.

I strongly suggest you consider the Ubiquiti UAP-AC PRO Access Points .... I currently do NOT recommend MikroTik Wireless AP's.

In case you didn't notice its a Mikrotik forum here. If i was intetested in other manufacturers then i guess i wouldnt be here since they got their forum too...

nescafe2002 · Fri Nov 22, 2019 7:16 am

Just stick with RB2011 and enable fasttrack. 800 Mbps is achievable in default configuration.

https://wiki.mikrotik.com/wiki/Manual:I ... _on_RB2011

hAP ac2 is a good alternative with wireless.

Don't invest in a RB3011. They are really fine devices but if you want a dedicated router, RB4011iGS+RM (without wireless) is the best option, price wise. Performs really good with cAP ac and wAP ac.

Zacharias · Fri Nov 22, 2019 9:39 am

Just stick with RB2011 and enable fasttrack. 800 Mbps is achievable in default configuration.

Again, that speed is achievable without firewall rules and without queues.

nescafe2002 · Fri Nov 22, 2019 11:50 am

No need to disable firewall.

Fasttrack bypasses firewall filtering for established connections and is enabled in default config.

And there are no queues in default config.

TS is free to post config for further examination.

Zacharias · Fri Nov 22, 2019 1:54 pm

Ok @nescafe2002, you can then let Mikrotik know that the test results are wrong!

https://mikrotik.com/product/RB2011UiAS ... estresults

No one said queues exist in the default config. If i decide tommorow to use queues then what happens ?
The Link you posted shows the speed of over 800Mbps and the CPU at that point is almost at 90%.
You never want your CPU to go so up high because simply packets start to drop.

The speed depends on the configuration. As simple as that.!

CZFan · Fri Nov 22, 2019 2:18 pm

With my previous RB2011 I could get ~800Mb/s download with fasttrack enabled.
All depends on the config used.
Ofcorse 2011 can reach that speed, test results show even better performance than yours when fast path is used. But when you use firewall, queues ect then things change.

I strongly suggest you consider the Ubiquiti UAP-AC PRO Access Points .... I currently do NOT recommend MikroTik Wireless AP's.
In case you didn't notice its a Mikrotik forum here. If i was intetested in other manufacturers then i guess i wouldnt be here since they got their forum too...

The tone of your posts are not welcome here. Go and have a couple of Ouzo's or something...

FYI, I had about 10 - 15 FW rules when I achieved that speed on my RB2011, and I do not see anything from OP re queues, you the only one bringing that up, why did you not rather suggest he must get a CCR1036 or something, just in case he has to do mangling as well...

Also, as per @nescafe2002 results, that is at 800Mb the CPU utilization, OP is only looking for 500Mb/s so that will bring CPU to +- 70% which is nothing wrong running CPU at that, might just pay a little more on electricity bill

Zacharias · Fri Nov 22, 2019 3:45 pm

The tone of your posts are not welcome here. Go and have a couple of Ouzo's or something...

Thanks but am ok. ( is that considered a better tone ? ) Also what is wrong with my tone? . When someone disagrees with you has a wrong tone ?

FYI, I had about 10 - 15 FW rules when I achieved that speed on my RB2011, and I do not see anything from OP re queues, you the only one bringing that up, why did you not rather suggest he must get a CCR1036 or something, just in case he has to do mangling as well...

There are those who read and trust the test results of the manufacturer and those who dont. Those results are there for a reason. How would you know what best suits you if there is no point of refference ?
The test results do not agree with the results you say, and guess whose results i trust. Also you always choose the best case scenario...

Also, as per @nescafe2002 results, that is at 800Mb the CPU utilization, OP is only looking for 500Mb/s so that will bring CPU to +- 70% which is nothing wrong running CPU at that, might just pay a little more on electricity bill

I prefer my CPU to be always lower than 70%...
Also not always all packets get fast tracked.
That is a test result....! We dont know in what packet size that speed was achieved. So, we have the test results table for that.

If you guarantee that rb2011 achieves almost gigabit speeds no problem with me.

nescafe2002 · Fri Nov 22, 2019 4:49 pm

Ok @nescafe2002, you can then let Mikrotik know that the test results are wrong!
https://mikrotik.com/product/RB2011UiAS ... estresults

They are not wrong, these are just synthetical tests with certain preconditions.

Fasttrack follows (semi-)fastpath for most of (*) the established ipv4 tcp and udp connections.
(*) a small part of the packets follow regular packet flow to keep connection state and update statistics.

The referenced page shows an example specifically for RB2011:
https://wiki.mikrotik.com/wiki/Manual:I ... _on_RB2011

So, no, Mikrotik is not wrong. RB2011 can handle 800 Mbps with limitations explained and is enabled in default configuration.

(Note that e.g. package ipv6 is disabled by default)

Let's not argue in this thread, but try to improve our knowledge of Mikrotik or networking in general, and help DavidGB with his problem.

David, if you want help with your model, could you please share your configuration ( Terminal: /export hide-sensitive )?

Zacharias · Fri Nov 22, 2019 4:57 pm

The referenced page shows an example specifically for RB2011:
https://wiki.mikrotik.com/wiki/Manual:I ... _on_RB2011

Can you please tell me what is the packet size used on this test ? Since we use it as a point of refference ...

nescafe2002 · Fri Nov 22, 2019 5:22 pm

They are technically not comparable. Product page test results are synthetic tests (using packet generator), fasttrack page test result is based on a single stream TCP test. TCP packet sizes are not fixed.

I usually look at the middle table (512 bytes) with 25 filter rules to compare synthetic tests to real world applications in default config but without fasttrack (e.g. IPv6).

Zacharias · Fri Nov 22, 2019 9:49 pm

I usually look at the middle table (512 bytes) with 25 filter rules to compare synthetic tests to real world applications in default config but without fasttrack (e.g. IPv6).

Great..!
Please take a look at the test results for 25 filter rules and 512 Byte packets. Can you please tell me the speed ? Is it 244.1 Mbps ? Does it say that fast track is disabled? No...
Very important that only 0.1 packet fault tollerance is accepted.
Can you tell me the packet loss at 600-800Mbit of speed ?
Also, different configurations most likely will result in lower results as it is indicated at number 3 of the test result.
Anyways, anyone can suggest any type of device he believes its best. I wouldnt suggest the rb2011, for those speeds and the pottential of an upgrade. When you buy a router you always want an equipment at least a step higher than your actual needs. Otherwise you will change it in less than a year.

nescafe2002 · Fri Nov 22, 2019 10:58 pm

I usually look at the middle table (512 bytes) with 25 filter rules to compare synthetic tests to real world applications in default config but without fasttrack (e.g. IPv6).
Great..!
Please take a look at the test results for 25 filter rules and 512 Byte packets. Can you please tell me the speed ? Is it 244.1 Mbps ?

I wrote "technically not comparable". There are plenty of topics discussing the differences between synthetic tests and real world applications. Know and understand that synthetic tests cannot be compared to real world setups.

I usually look at the 512 byte 25 filter values because in my own experience, these values most closely match my personally achieved values with my typical configurations.
Example: I got 250Mbps peak traffic with my rb2011 without fasttrack and 500Mbps (limited by ISP) after enabling fasttrack.

Does it say that fast track is disabled? No...

Check out this page and the absence of the fasttrack filter rule.
https://wiki.mikrotik.com/wiki/Manual:P ... _Generator

I wouldnt suggest the rb2011, for those speeds and the pottential of an upgrade. When you buy a router you always want an equipment at least a step higher than your actual needs. Otherwise you will change it in less than a year.

I wouldn't suggest buying a new rb2011 either, but I'd recommend optimizing the configuration of the existing hardware as opposed to buying new equipment just to lower the (average or peak) CPU usage. With 500Mbps connection, upgrading to a newer better router is makes only sense if you want to use IPv6 or need other features than in the default configuration (mangle, queues, pbr, any kind of tunneling or vpn, ...) which we can only guess without actual configuration.

DavidGB · Sat Nov 23, 2019 9:53 pm

Ok @nescafe2002, you can then let Mikrotik know that the test results are wrong!
https://mikrotik.com/product/RB2011UiAS ... estresults

They are not wrong, these are just synthetical tests with certain preconditions.

Fasttrack follows (semi-)fastpath for most of (*) the established ipv4 tcp and udp connections.
(*) a small part of the packets follow regular packet flow to keep connection state and update statistics.

The referenced page shows an example specifically for RB2011:
https://wiki.mikrotik.com/wiki/Manual:I ... _on_RB2011

So, no, Mikrotik is not wrong. RB2011 can handle 800 Mbps with limitations explained and is enabled in default configuration.

(Note that e.g. package ipv6 is disabled by default)

Let's not argue in this thread, but try to improve our knowledge of Mikrotik or networking in general, and help DavidGB with his problem.

David, if you want help with your model, could you please share your configuration ( Terminal: /export hide-sensitive )?

Hi,

Thanks for your help.

I thought I had the fasttrak and still didn't get more than 160Mb.

I've found a cheap RB4011iGS + RM but if there is a solution probably I'll keep the 2011

Here my configuration:

/interface bridge
add comment=Red_LAN name=LAN
/interface ethernet
set [ find default-name=ether1 ] comment=Proveedor_ISP name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed \
    mode=dynamic-keys name=Grandes-Wifi supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    frequency=auto ht-basic-mcs="" ht-supported-mcs="mcs-2,mcs-3,mcs-4,mcs-5,mcs\
    -6,mcs-7,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15,mcs-17,mcs-18,mcs-1\
    9,mcs-20,mcs-21,mcs-22,mcs-23" mode=ap-bridge name=Grandes-Wifi rate-set=\
    configured security-profile=Grandes-Wifi ssid=Grandes-Wifi \
    wireless-protocol=802.11 wps-mode=disabled
/ip pool
add name=Red_LAN ranges=192.168.2.20-192.168.2.150
add name=Pool_VPN_Admin ranges=10.0.0.20-10.0.0.100
add name=Pool_VPN_User ranges=10.0.0.101-10.0.0.200
add name=dhcp_pool4 ranges=192.168.2.2-192.168.2.254
/ip dhcp-server
add address-pool=Red_LAN disabled=no interface=LAN name=DHCP_LAN
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8,8.8.4.4 local-address=10.0.0.1 name=\
    PerfilAdmin remote-address=Pool_VPN_Admin use-encryption=yes
add change-tcp-mss=yes dns-server=8.8.8.8,8.8.4.4 local-address=10.0.0.1 name=\
    PerfilUser only-one=yes remote-address=Pool_VPN_User use-encryption=yes
/interface bridge port
add bridge=LAN interface=ether2
add bridge=LAN interface=ether3
add bridge=LAN interface=ether4
add bridge=LAN interface=ether5
add bridge=LAN interface=ether6
add bridge=LAN interface=ether7
add bridge=LAN interface=ether8
add bridge=LAN interface=ether9
add bridge=LAN interface=ether10
add bridge=LAN interface=Grandes-Wifi
/interface l2tp-server server
set authentication=mschap2 enabled=yes use-ipsec=required
/interface pptp-server server
set enabled=yes
/ip address
add address=192.168.2.1/24 comment=Red_LAN interface=LAN network=192.168.2.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=WAN
/ip dhcp-server lease
add address=192.168.2.211 comment=Vacuum mac-address=40:31:3C:A2:E3:3B server=\
    DHCP_LAN
add address=192.168.2.210 client-id=1:c8:8:e9:9c:73:30 comment="TELE SALON" \
    mac-address=C8:08:E9:9C:73:30 server=DHCP_LAN
add address=192.168.2.11 client-id=1:b8:ac:6f:9d:62:d6 comment="PC Estudio" \
    mac-address=B8:AC:6F:9D:62:D6 server=DHCP_LAN
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=\
    212.142.144.66,212.142.144.98,8.8.8.8,8.8.4.4,192.168.2.1 gateway=\
    192.168.2.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=10.0.0.20-10.0.0.100 list=Administradores
add address=10.0.0.20-101.0.0.200 list=VPN_Usuarios
add address=192.168.2.11-192.168.2.255 list=Red_LAN
add address=192.168.2.201 list=Acceso_VPN_Usuarios
add address=192.168.2.204 list=Acceso_VPN_Usuarios
add address=192.168.2.205 list=Acceso_VPN_Usuarios
add address=192.168.2.11-192.168.2.20 list=Administradores
/ip firewall filter
add action=tarpit chain=input comment="##### Filtra IPs en Lista Negra #####" \
    protocol=tcp src-address-list="BLACKLIST TARPIT"
add action=add-src-to-address-list address-list="BLACKLIST TARPIT" \
    address-list-timeout=1m chain=input src-address-list=BLACKLIST
add action=drop chain=input src-address-list=BLACKLIST
add action=fasttrack-connection chain=forward comment=Fastrack \
    connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward comment=\
    "##### Permite el trafico establecido y relacionado #####" \
    connection-state=established,related
add action=accept chain=output connection-state=established,related
add action=accept chain=input connection-state=established,related
add action=log chain=input log=yes log-prefix="PING DENEGADO" protocol=icmp
add action=drop chain=forward comment="##### Filtra Paquetes Invalidos #####" \
    connection-state=invalid
add action=drop chain=input connection-state=invalid
add action=accept chain=forward comment="##### Prermite trafico Forward #####" \
    src-address-list=Administradores
add action=accept chain=forward src-address-list=Red_LAN
add action=accept chain=forward dst-address-list=Acceso_VPN_Usuarios \
    src-address-list=VPN_Usuarios
add action=accept chain=forward disabled=yes dst-address=192.168.2.205
add action=accept chain=input comment=\
    "##### Prermite trafico Input ##### - Conexiones VPN" dst-port=\
    1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input comment="##### Prermite trafico Input ##### " \
    src-address-list=Administradores
add action=accept chain=output comment="##### Prermite trafico Saliente #####" \
    dst-address=192.168.2.205
add action=drop chain=forward comment="##### BLOQUEO POR DEFECTO #####" \
    connection-nat-state=!dstnat log-prefix="FORWARD DROP"
add action=drop chain=output connection-nat-state=!dstnat log-prefix=\
    "OUTPUT DROP"
add action=drop chain=input log-prefix="INPUT DROP"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
add action=dst-nat chain=dstnat comment="CONTROL TOUCH" dst-port=2199 \
    in-interface=WAN protocol=tcp to-addresses=192.168.2.204 to-ports=2199
add action=dst-nat chain=dstnat comment=MQTT dst-port=1883 in-interface=WAN \
    protocol=tcp to-addresses=192.168.2.201 to-ports=1883
add action=dst-nat chain=dstnat comment="Conexion NAS" dst-port=52100 \
    in-interface=WAN log=yes log-prefix="Conexi\F3n NAS" protocol=tcp \
    to-addresses=192.168.2.201 to-ports=443
add action=dst-nat chain=dstnat comment="Logic Machine" disabled=yes dst-port=\
    52101 in-interface=WAN log=yes log-prefix="Conexi\F3n LM" protocol=tcp \
    to-addresses=192.168.2.205 to-ports=80
/ip firewall service-port
set ftp disabled=yes
set sip disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=8299
set api-ssl disabled=yes
/ppp secret
add name=David profile=PerfilAdmin
add name=Usuario profile=PerfilUser
/system clock
set time-zone-name=Europe/Madrid
/interface bridge
add comment=Red_LAN name=LAN
/interface ethernet
set [ find default-name=ether1 ] comment=Proveedor_ISP name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed \
    mode=dynamic-keys name=Grandes-Wifi supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    frequency=auto ht-basic-mcs="" ht-supported-mcs="mcs-2,mcs-3,mcs-4,mcs-5,mcs\
    -6,mcs-7,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15,mcs-17,mcs-18,mcs-1\
    9,mcs-20,mcs-21,mcs-22,mcs-23" mode=ap-bridge name=Grandes-Wifi rate-set=\
    configured security-profile=Grandes-Wifi ssid=Grandes-Wifi \
    wireless-protocol=802.11 wps-mode=disabled
/ip pool
add name=Red_LAN ranges=192.168.2.20-192.168.2.150
add name=Pool_VPN_Admin ranges=10.0.0.20-10.0.0.100
add name=Pool_VPN_User ranges=10.0.0.101-10.0.0.200
add name=dhcp_pool4 ranges=192.168.2.2-192.168.2.254
/ip dhcp-server
add address-pool=Red_LAN disabled=no interface=LAN name=DHCP_LAN
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8,8.8.4.4 local-address=10.0.0.1 name=\
    PerfilAdmin remote-address=Pool_VPN_Admin use-encryption=yes
add change-tcp-mss=yes dns-server=8.8.8.8,8.8.4.4 local-address=10.0.0.1 name=\
    PerfilUser only-one=yes remote-address=Pool_VPN_User use-encryption=yes
/interface bridge port
add bridge=LAN interface=ether2
add bridge=LAN interface=ether3
add bridge=LAN interface=ether4
add bridge=LAN interface=ether5
add bridge=LAN interface=ether6
add bridge=LAN interface=ether7
add bridge=LAN interface=ether8
add bridge=LAN interface=ether9
add bridge=LAN interface=ether10
add bridge=LAN interface=Grandes-Wifi
/interface l2tp-server server
set authentication=mschap2 enabled=yes use-ipsec=required
/interface pptp-server server
set enabled=yes
/ip address
add address=192.168.2.1/24 comment=Red_LAN interface=LAN network=192.168.2.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=WAN
/ip dhcp-server lease
add address=192.168.2.211 comment=Vacuum mac-address=40:31:3C:A2:E3:3B server=\
    DHCP_LAN
add address=192.168.2.210 client-id=1:c8:8:e9:9c:73:30 comment="TELE SALON" \
    mac-address=C8:08:E9:9C:73:30 server=DHCP_LAN
add address=192.168.2.11 client-id=1:b8:ac:6f:9d:62:d6 comment="PC Estudio" \
    mac-address=B8:AC:6F:9D:62:D6 server=DHCP_LAN
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=\
    212.142.144.66,212.142.144.98,8.8.8.8,8.8.4.4,192.168.2.1 gateway=\
    192.168.2.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=10.0.0.20-10.0.0.100 list=Administradores
add address=10.0.0.20-101.0.0.200 list=VPN_Usuarios
add address=192.168.2.11-192.168.2.255 list=Red_LAN
add address=192.168.2.201 list=Acceso_VPN_Usuarios
add address=192.168.2.204 list=Acceso_VPN_Usuarios
add address=192.168.2.205 list=Acceso_VPN_Usuarios
add address=192.168.2.11-192.168.2.20 list=Administradores
/ip firewall filter
add action=tarpit chain=input comment="##### Filtra IPs en Lista Negra #####" \
    protocol=tcp src-address-list="BLACKLIST TARPIT"
add action=add-src-to-address-list address-list="BLACKLIST TARPIT" \
    address-list-timeout=1m chain=input src-address-list=BLACKLIST
add action=drop chain=input src-address-list=BLACKLIST
add action=fasttrack-connection chain=forward comment=Fastrack \
    connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward comment=\
    "##### Permite el trafico establecido y relacionado #####" \
    connection-state=established,related
add action=accept chain=output connection-state=established,related
add action=accept chain=input connection-state=established,related
add action=log chain=input log=yes log-prefix="PING DENEGADO" protocol=icmp
add action=drop chain=forward comment="##### Filtra Paquetes Invalidos #####" \
    connection-state=invalid
add action=drop chain=input connection-state=invalid
add action=accept chain=forward comment="##### Prermite trafico Forward #####" \
    src-address-list=Administradores
add action=accept chain=forward src-address-list=Red_LAN
add action=accept chain=forward dst-address-list=Acceso_VPN_Usuarios \
    src-address-list=VPN_Usuarios
add action=accept chain=forward disabled=yes dst-address=192.168.2.205
add action=accept chain=input comment=\
    "##### Prermite trafico Input ##### - Conexiones VPN" dst-port=\
    1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input comment="##### Prermite trafico Input ##### " \
    src-address-list=Administradores
add action=accept chain=output comment="##### Prermite trafico Saliente #####" \
    dst-address=192.168.2.205
add action=drop chain=forward comment="##### BLOQUEO POR DEFECTO #####" \
    connection-nat-state=!dstnat log-prefix="FORWARD DROP"
add action=drop chain=output connection-nat-state=!dstnat log-prefix=\
    "OUTPUT DROP"
add action=drop chain=input log-prefix="INPUT DROP"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
add action=dst-nat chain=dstnat comment="CONTROL TOUCH" dst-port=2199 \
    in-interface=WAN protocol=tcp to-addresses=192.168.2.204 to-ports=2199
add action=dst-nat chain=dstnat comment=MQTT dst-port=1883 in-interface=WAN \
    protocol=tcp to-addresses=192.168.2.201 to-ports=1883
add action=dst-nat chain=dstnat comment="Conexion NAS" dst-port=52100 \
    in-interface=WAN log=yes log-prefix="Conexi\F3n NAS" protocol=tcp \
    to-addresses=192.168.2.201 to-ports=443
add action=dst-nat chain=dstnat comment="Logic Machine" disabled=yes dst-port=\
    52101 in-interface=WAN log=yes log-prefix="Conexi\F3n LM" protocol=tcp \
    to-addresses=192.168.2.205 to-ports=80
/ip firewall service-port
set ftp disabled=yes
set sip disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=8299
set api-ssl disabled=yes
/ppp secret
add name=David profile=PerfilAdmin
add name=Usuario profile=PerfilUser
/system clock
set time-zone-name=Europe/Madrid

Thanks so much!

nescafe2002 · Sun Nov 24, 2019 12:23 am

Whats the version of RouterOS?
Why are you blocking output chain? You're e.g. blocking router originating DNS requests now.
Also you may want to exclude ipsec from fasttracking, from default config:

/ip firewall filter
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"

Put these above the fasttrack entry.

In general, you can take a look at the default config without modifying or resetting the device. Just run /system default-configuration print in terminal.

DavidGB · Sun Nov 24, 2019 12:09 pm

Whats the version of RouterOS?
Why are you blocking output chain? You're e.g. blocking router originating DNS requests now.
Also you may want to exclude ipsec from fasttracking, from default config:
Code: Select all
/ip firewall filter
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
Put these above the fasttrack entry.

In general, you can take a look at the default config without modifying or resetting the device. Just run /system default-configuration print in terminal.

Hi,

My RouterOS version is 6.45.7.
I´m bloquing output chain because I followed the recommendations of a forum user. Isn´t necesary?

I´ve printed default config but i don´t see these two rules.

[David@MikroTik] >  /system default-configuration print
            script: :global ssid;
                    #| RouterMode:
                    #|  * WAN port is protected by firewall and enabled DHCP client
                    #|  * Wireless and Ethernet interfaces (except WAN port/s)
                    #|    are part of LAN bridge
                    #| LAN Configuration:
                    #|     IP address 192.168.88.1/24 is set on bridge (LAN port)
                    #|     DHCP Server: enabled;
                    #|     DNS: enabled;
                    #| wlan1 Configuration:
                    #|     mode:                ap-bridge;
                    #|     band:                2ghz-b/g/n;
                    #|     tx-chains:           0;1;
                    #|     rx-chains:           0;1;
                    #|     installation:        indoor;
                    #|     ht-extension:        20/40mhz-XX;
                    #| WAN (gateway) Configuration:
                    #|     gateway:  ether1 ;
                    #|     ip4 firewall:  enabled;
                    #|     NAT:   enabled;
                    #|     DHCP Client: enabled;
                    
                    :global defconfMode;
                    :log info Starting_defconf_script_;
                    #-------------------------------------------------------------------------------
                    # Apply configuration.
                    # these commands are executed after installation or configuration reset
                    #-------------------------------------------------------------------------------
                    :if ($action = "apply") do={
                      # wait for interfaces
                      :local count 0;
                      :while ([/interface ethernet find] = "") do={
                        :if ($count = 30) do={
                          :log warning "DefConf: Unable to find ethernet interfaces";
                          /quit;
                        }
                        :delay 1s; :set count ($count +1); 
                      };
                      :local count 0;
                      :while ([/interface wireless print count-only] < 1) do={ 
                        :set count ($count +1);
                        :if ($count = 40) do={
                          :log warning "DefConf: Unable to find wireless interface(s)"; 
                          /ip address add address=192.168.88.1/24 interface=ether1 comment="defconf";
                          /quit
                        }
                        :delay 1s;
                      };
                     /interface list add name=WAN comment="defconf"
                     /interface list add name=LAN comment="defconf"
                     /interface bridge
                       add name=bridge disabled=no auto-mac=yes protocol-mode=rstp comment=defconf;
                     :local bMACIsSet 0;
                     :foreach k in=[/interface find where !(slave=yes  || name="ether1" || name~"bridge")] do={
                       :local tmpPortName [/interface get $k name];
                       :log info "port: $tmpPortName"
                       :if ($bMACIsSet = 0) do={
                         :if ([/interface get $k type] = "ether") do={
                           /interface bridge set "bridge" auto-mac=no admin-mac=[/interface ethernet get $tmpPortName mac-address];
                           :set bMACIsSet 1;
                         }
-- [Q quit|D dump|down]

I have removed the ouput chain and added those two rules to exclude ipsec but still I don't get more than 120-130Mb

nescafe2002 · Sun Nov 24, 2019 12:12 pm

I've set up my RB2011 according to your configuration.

explorer_2019-11-24_11-10-03.png

There is room for improvement, but 500Mbps is no problem.

Maybe you should check cabling. What rate are the ethernet links?

I´ve printed default config but i don´t see these two rules.

The default config is longer than that. Use space or arrows to go to the next page.

I´m bloquing output chain because I followed the recommendations of a forum user. Isn´t necesary?

You are blocking connections from a trusted device (the router). I'm not sure why you should do that.

Is your firmware current?

You might also want to set an administrative mac address on your LAN bridge. Currently it's dynamic and client pc's will detect a new network on every router reboot.

DavidGB · Sun Nov 24, 2019 12:49 pm

Hi,

Is not cabling.

This is the result connecting my PC directly to ISP router

ISP.PNG

And if I connect the same cable to Mikrotik and from mikrotik (WAN) to ISP router (both cables cat6) this is the result:

MT 1.PNG

MT 2.PNG

nescafe2002 · Sun Nov 24, 2019 1:06 pm

What's the link rate? It's in the interface property window, tab Status.

Could you try disabling bridge ports 6 through 10? Disabling the LCD?

Also, you're announcing a lot of dns servers in your dhcp network. You might want to limit the selection to just your routers address (192.168.2.1); the router is a single point of failure anyway, you will limit unexpected results and can properly use static dns entries if needed.

DavidGB · Sun Nov 24, 2019 2:00 pm

This is the link rate:

Captura.PNG

And this is the result disabling eth6 to eth10, DHCP network only with 192.168.2.1 DNS and disabling LCD:

MT 1.PNG

MT 2.PNG

MT.PNG

But the same result with LCD enabled

With eth6 to eth 10 enabled:

MT 4.PNG

nescafe2002 · Sun Nov 24, 2019 2:07 pm

You might want to create supout.rif of the device, running full bandwidth test and send it to support. Your device should be able to handle at least 3x those numbers with this config.

(One supout with bridge ports ether6-10 enabled, one with bridge ports ether6-10 disabled).

I suspect some sort of sync issues between switches or switch ports.

Are there any other ports in switch group 1 (ether1-ether5,sfp1) linked lower than 1 Gbps?

DavidGB · Sun Nov 24, 2019 2:14 pm

Are there any other ports in switch group 1 (ether1-ether5,sfp1) linked lower than 1 Gbps?

No, there isn´t.

You might want to create supout.rif of the device, running full bandwidth test and send it to support. Your device should be able to handle at least 3x those numbers with this config.

I´ll do it.

Thanks!

DavidGB · Sun Nov 24, 2019 6:03 pm

Where should I send Supout.rif?

mkx · Sun Nov 24, 2019 6:11 pm

To support@mikrotik.com

DavidGB · Sun Nov 24, 2019 6:12 pm

To support@mikrotik.com

Oks, Thanks

mozerd · Sun Nov 24, 2019 9:00 pm

To support@mikrotik.com
Oks, Thanks

If you can return the 2011 to the place you bought it from and get a refund Or exchange for a better model like the 3011 I suggest you do that ... if on the other hand you can no longer get a refund or exchange for a 3011 then good luck with all the hassles you will be going through.

IMO, THE 3011 is superior to the 4011 because the 3011 has a USB PORT that will allow you to add storage plus other options plus it’s dramatically faster than the 2011. Also the 4011 SFP port will not accommodate GPON transceivers based on the G.984.x standard which imo is ridiculous .... because the 4011 relies on nand memory only if you decide to blacklist a large number of IP’s and frequently refresh that blacklist that memory can get worn out rendering the 4011 useless.

deanMKD1 · Sun Nov 24, 2019 10:18 pm

The Mikrotik hAP ac² is better than my router? Is the best option for me?
I thought a router was better option than wireless system.

Actualy I have my ISP router as bridge and Mikrotik as router.
The best option for YOU is the MikroTik RB3011UiAS-RM and Yes I agree that a dedicated Router - like the RB3011UiAS-RM - is far superior that one that includes integrated wireless like the Mikrotik hAP ac². And if you need to add wireless I strongly suggest you consider the Ubiquiti UAP-AC PRO Access Points .... I currently do NOT recommend MikroTik Wireless AP's.

Agree 100% with all this writen. Mikrotik have inferior wireless department, compared with Ubiquiti for ex. Mikrotik have best Wired Routers. When you combine MTK for wired and Ubiquiti for Wireless = BINGO !

DavidGB · Mon Nov 25, 2019 9:49 am

To support@mikrotik.com
Oks, Thanks
If you can return the 2011 to the place you bought it from and get a refund Or exchange for a better model like the 3011 I suggest you do that ... if on the other hand you can no longer get a refund or exchange for a 3011 then good luck with all the hassles you will be going through.

IMO, THE 3011 is superior to the 4011 because the 3011 has a USB PORT that will allow you to add storage plus other options plus it’s dramatically faster than the 2011. Also the 4011 SFP port will not accommodate GPON transceivers based on the G.984.x standard which imo is ridiculous .... because the 4011 relies on nand memory only if you decide to blacklist a large number of IP’s and frequently refresh that blacklist that memory can get worn out rendering the 4011 useless.

Hi,

I have questions about 3011 and 4011.
I don´t need usb port and i can get 4011 only 10E more expensive than 3011.
Being 4011 quadcore is not a remarkable difference to buy it?
If not, I will decide on 3011.

Thanks for all!

mozerd · Mon Nov 25, 2019 2:23 pm

.
Being 4011 quadcore is not a remarkable difference to buy it?
If not, I will decide on 3011.

Yes 4011 quadcore is superior to the 3011 dualcore.

atcychew · Fri Dec 06, 2019 10:00 am

Hi David

I faced similar issue that you had which I am getting almost the same upload and download speed ~ 200 to 280Mbps that you had with the RB2011Uias. My RB is only configured with Mikrotik default configuration but with PPPOE dialup to my ISP. I have 500Mbps Internet access. T
I have done some other testing which I have put the RB2011 behind my ISP provided TPlink Ac1200 with default configuration which served as WAN link to replace the PPPOE dial up WAN and Mikrotik NAT the LAN network (For the sake of isolating issue). I can see the boost up on speed especially upload which can over 400Mbps. Download speed is slightly better ranging from 290 to 380Mbps when connecting from the LAN site of RB2011.

Then, I have replaced the TPlink AC1200 with the hAP AC2 and with the same configuration. I am able to get the Internet speed to around 380 to 5++Mbps when I connect my PC directly to hAP AC. I get similar performance i connect the RB2011 behind the hAP AC2. This step proofed that PPPOE has significant impact on performance. Then, I have connected another PC in another port on RB2011 which is same bridge with the ether port connecting to the hAP AC2(in short same subnet) and the speed are similiar to connecting directly to hAP AC2 LAN port. (This test is to simulate the performance without getting through any firewall fitler rule)

Hence, I will conclude that the RB2011 performance is indeed same as datasheet which the rules do effect the performance. Also, the test hAP AC2 which is having 4 core ARM processor. I would think RB4011 may be a better choice instead of RB3011 which only has 2 cores and performance is also slightly less than hAP Ac2.

JFI, I tested the speed with http://testyourspeed.time.com.my/index2.php and I always tested it during midnight in my time zone and will test with the TPLINK AP before changing to Mikrotik. (The TPLINK does a good job and i always get consistent and higher throughput then RB2011. Nevertheless, I am changing to Mikrotik because I am planning to do more with Mikrotik for future.)

By the way, i do notice a strange behavior which is the download speed is slower than upload speed on a few of my test cases including wifi transmission.between 2 Mikrotik AP. Not sure anyone notice this behavior?

CY
MTCNA MTCWE