enxamxel
just joined
Topic Author
Posts: 4
Joined: Tue Dec 12, 2023 4:55 pm

Slow upload speed only with RB5009

Tue Dec 12, 2023 5:10 pm

Good morning all,

I have recently discovered (in the last 3 months) that I have not been getting the full upload speed provided by my fiber provider (275 Megabits/sec down and 275 Megabits/sec up).
I can get full speed when connecting directly to the modem provided by the ISP. Using the RB5009 and connecting to any of its ports gives the correct download speed but greatly slowed (5-25 megabits/sec) upload speeds.

Any suggestions?

Thanks
 
johnson73
Member Candidate
Posts: 236
Joined: Wed Feb 05, 2020 10:07 am

Re: Slow upload speed only with RB5009

Wed Dec 13, 2023 10:51 am

Hello,
In your firewall configuration, the last 3 rules in the IPv4 section should be moved above this rule:
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
For proper firewall operation, the last rule should be "drop all from WAN".
 
enxamxel
just joined
Topic Author
Posts: 4
Joined: Tue Dec 12, 2023 4:55 pm

Re: Slow upload speed only with RB5009

Wed Dec 13, 2023 2:34 pm

Okay, made that change and no improvement! Thank you for commenting!
Last edited by tangent on Wed Dec 13, 2023 2:41 pm, edited 1 time in total.
Reason: Dropped unnecessary quoting
 
johnson73
Member Candidate
Posts: 236
Joined: Wed Feb 05, 2020 10:07 am

Re: Slow upload speed only with RB5009

Wed Dec 13, 2023 7:54 pm

As a test option, you can try disabling the IPv6 firewall (disable IPv6). Leave only IPv4. See what happens then.
Question: is the RouterBOARD firmware also updated? Under System > RouterBOARD, is "Current firmware" the same as "Upgrade firmware"?
 
enxamxel
just joined
Topic Author
Posts: 4
Joined: Tue Dec 12, 2023 4:55 pm

Re: Slow upload speed only with RB5009

Wed Dec 13, 2023 8:42 pm

> johnson73 wrote:
> As a test option, you can try disabling the IPv6 firewall (disable IPv6). Leave only IPv4. See what happens then.
> Question: is the RouterBOARD firmware also updated? Under System > RouterBOARD, is "Current firmware" the same as "Upgrade firmware"?
Okay, disabled the firewall and updated the RouterBOARD firmware (it was 7.1, now it is 7.12.1) and still no luck :(
 
enxamxel
just joined
Topic Author
Posts: 4
Joined: Tue Dec 12, 2023 4:55 pm

Re: Slow upload speed only with RB5009

Fri Dec 15, 2023 8:51 pm

Bump
 
un9edsda
Frequent Visitor
Posts: 83
Joined: Sun Mar 15, 2020 11:11 pm

Re: Slow upload speed only with RB5009

Sat Jan 06, 2024 9:51 pm

> enxamxel wrote:
> Okay, made that change and no improvement! Thank you for commenting!
It would have helped if you had included a sketch of your network layout, since your configuration has some "interesting" parts. Anyway, it seems that you are using your 10Gbit SFP+ port for the 300/30 (down/up) Mbit Internet uplink, as you are using a GPON or XGPON module and connect the fiber cable directly into your RB5009UG+S+. I also presume that you don't have any other network devices (switch, wireless AP, etc.) at your premises and that all of your devices are connected via an Ethernet cable to your RB5009UG+S+ (as there are no comments indicating otherwise in your exported configuration file).

With the above considerations you may want to make the following changes (in the terminal):
/interface bridge
set 0 admin-mac=2C:C8:1B:FF:63:D8 ageing-time=5m arp=\
    enabled arp-timeout=auto auto-mac=no comment="defconf" \
    dhcp-snooping=yes disabled=no ether-type=0x8100 fast-forward=yes \
    forward-delay=15s frame-types=admit-all igmp-snooping=yes igmp-version=3 \
    ingress-filtering=yes last-member-interval=1s last-member-query-count=2 \
    max-hops=20 max-message-age=20s membership-interval=4m20s mld-version=2 \
    mtu=auto multicast-querier=no multicast-router=temporary-query name=bridge \
    priority=0x7000 protocol-mode=mstp region-name=my-multicast port-cost-mode=long \
    pvid=1 querier-interval=4m15s query-interval=2m5s query-response-interval=10s \
    startup-query-count=2 startup-query-interval=31s250ms \
    transmit-hold-count=6 vlan-filtering=yes
/ip dhcp-server
set 0 add-arp=yes address-pool=dhcp \
    allow-dual-stack-queue=yes always-broadcast=yes authoritative=yes comment=\
    "defconf" disabled=no interface=bridge \
    lease-script="" lease-time=15m name=defconf use-radius=no
/interface bridge port
set 0 auto-isolate=no bpdu-guard=no bridge=bridge \
    broadcast-flood=yes comment="defconf" disabled=\
    no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes \
    ingress-filtering=yes interface=ether2 internal-path-cost=10000 learn=\
    auto multicast-router=temporary-query path-cost=10000 point-to-point=auto \
    priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no \
    trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yes
set 1 auto-isolate=no bpdu-guard=no bridge=bridge \
    broadcast-flood=yes comment="defconf" disabled=\
    no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes \
    ingress-filtering=yes interface=ether3 internal-path-cost=10000 learn=\
    auto multicast-router=temporary-query path-cost=10000 point-to-point=auto \
    priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no \
    trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yes
set 2 auto-isolate=no bpdu-guard=no bridge=bridge \
    broadcast-flood=yes comment="defconf" disabled=\
    no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes \
    ingress-filtering=yes interface=ether4 internal-path-cost=10000 learn=\
    auto multicast-router=temporary-query path-cost=10000 point-to-point=auto \
    priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no \
    trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yes
set 3 auto-isolate=no bpdu-guard=no bridge=bridge \
    broadcast-flood=yes comment="defconf" disabled=\
    no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes \
    ingress-filtering=yes interface=ether5 internal-path-cost=10000 learn=\
    auto multicast-router=temporary-query path-cost=10000 point-to-point=auto \
    priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no \
    trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yes
set 4 auto-isolate=no bpdu-guard=no bridge=bridge \
    broadcast-flood=yes comment="defconf" disabled=\
    no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes \
    ingress-filtering=yes interface=ether6 internal-path-cost=10000 learn=\
    auto multicast-router=temporary-query path-cost=10000 point-to-point=auto \
    priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no \
    trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yes
set 5 auto-isolate=no bpdu-guard=no bridge=bridge \
    broadcast-flood=yes comment="defconf" disabled=\
    no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes \
    ingress-filtering=yes interface=ether7 internal-path-cost=10000 learn=\
    auto multicast-router=temporary-query path-cost=10000 point-to-point=auto \
    priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no \
    trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yes
set 6 auto-isolate=no bpdu-guard=no bridge=bridge \
    broadcast-flood=yes comment="defconf" disabled=\
    no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes \
    ingress-filtering=yes interface=ether8 internal-path-cost=10000 learn=\
    auto multicast-router=temporary-query path-cost=10000 point-to-point=auto \
    priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no \
    trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yes
set 8 auto-isolate=no bpdu-guard=no bridge=bridge \
    broadcast-flood=yes comment="defconf" disabled=\
    no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes \
    ingress-filtering=yes interface=ether1 internal-path-cost=7500 learn=\
    auto multicast-router=temporary-query path-cost=7500 point-to-point=auto \
    priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no \
    trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yes
# remove bridge port entry number 7 (presumably sfp-sfpplus1, the Internet uplink) from the bridge
remove numbers=7
/interface bridge settings
#enable the disabled fast path
set allow-fast-path=yes use-ip-firewall=no use-ip-firewall-for-pppoe=no \
    use-ip-firewall-for-vlan=no
/interface list member
# as in the default configuration ether1 is a member of WAN and I presume
# it has not been removed, the following line removes it from WAN
remove numbers=1
/ip dhcp-client
set 0 use-peer-dns=yes add-default-route=yes
/ipv6 dhcp-client
add add-default-route=no comment=\
    "IPv6 address and prefix request from my ISP" dhcp-options="" \
    disabled=no interface=sfp-sfpplus1 pool-name=\
    myisp-ipv6-pool pool-prefix-length=56 prefix-hint=::/0 \
    request=address,prefix use-peer-dns=yes
/ip firewall address-list
add address=0.0.0.0/8 comment="defconf: RFC6890" disabled=no dynamic=no list=\
    no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" disabled=no dynamic=no \
    list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" disabled=no dynamic=no \
    list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" disabled=no dynamic=no \
    list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" disabled=no dynamic=no \
    list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" disabled=no dynamic=no \
    list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" disabled=no \
    dynamic=no list=bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" \
    disabled=no dynamic=no list=bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" disabled=\
    no dynamic=no list=bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" disabled=no \
    dynamic=no list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" disabled=no dynamic=no list=\
    not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" disabled=no dynamic=no \
    list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" disabled=no dynamic=no \
    list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" disabled=no dynamic=no \
    list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" disabled=no dynamic=no \
    list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" disabled=no dynamic=no \
    list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" disabled=no dynamic=no \
    list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" disabled=no \
    dynamic=no list=not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" disabled=no dynamic=no \
    list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" disabled=no dynamic=no \
    list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" disabled=no dynamic=no \
    list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" disabled=no dynamic=no list=\
    bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" disabled=no dynamic=no \
    list=bad_dst_ipv4
add address=acme-v02.api.letsencrypt.org disabled=no dynamic=no list=\
    lets_encrypt_dns_ipv4
add address=acme-staging-v02.api.letsencrypt.org disabled=no dynamic=no list=\
    lets_encrypt_dns_ipv4
add address=letsencrypt.org disabled=no dynamic=no list=lets_encrypt_dns_ipv4
/ipv6 firewall address-list
# remove the existing IPv6 address-list entries (numbered 0-8 in the last print)
# before re-adding them below
remove numbers=8
remove numbers=7
remove numbers=6
remove numbers=5
remove numbers=4
remove numbers=3
remove numbers=2
remove numbers=1
remove numbers=0
add address=::/128 comment="defconf: unspecified address" disabled=no \
    dynamic=no list=bad_ipv6
add address=::1/128 comment="defconf: lo" disabled=no dynamic=no list=\
    bad_ipv6
add address=fec0::/10 comment="defconf: site-local" disabled=no dynamic=no \
    list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" disabled=no \
    dynamic=no list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" disabled=no dynamic=no list=\
    bad_ipv6
add address=100::/64 comment="defconf: discard only " disabled=no dynamic=no \
    list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" disabled=no \
    dynamic=no list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" disabled=no dynamic=no \
    list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" disabled=no dynamic=no list=\
    bad_ipv6
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" \
    disabled=no dynamic=no list=no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" disabled=no dynamic=no \
    list=no_forward_ipv6
add address=2001::/23 comment="defconf: RFC6890" disabled=no dynamic=no list=\
    bad_ipv6
add address=100::/64 comment="defconf: RFC6890 Discard-only" disabled=no \
    dynamic=no list=not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO" disabled=no dynamic=\
    no list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" disabled=no \
    dynamic=no list=not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" disabled=no \
    dynamic=no list=not_global_ipv6
add address=::/128 comment="defconf: unspecified" disabled=no dynamic=no \
    list=bad_dst_ipv6
add address=::/128 comment="defconf: unspecified" disabled=no dynamic=no \
    list=bad_src_ipv6
add address=ff00::/8 comment="defconf: multicast" disabled=no dynamic=no \
    list=bad_src_ipv6
add address=acme-v02.api.letsencrypt.org disabled=no dynamic=no list=\
    lets_encrypt_dns_ipv6
add address=acme-staging-v02.api.letsencrypt.org disabled=no dynamic=no list=\
    lets_encrypt_dns_ipv6
add address=letsencrypt.org disabled=no dynamic=no list=lets_encrypt_dns_ipv6
/ip neighbor discovery-settings
set discover-interface-list=LAN lldp-med-net-policy-vlan=disabled mode=\
    tx-and-rx protocol=cdp,lldp,mndp
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1 domain=lan
/ip firewall filter
# remove the existing IPv4 filter rules (numbered 0-13 in the last print)
# before re-adding them below
remove numbers=13
remove numbers=12
remove numbers=11
remove numbers=10
remove numbers=9
remove numbers=8
remove numbers=7
remove numbers=6
remove numbers=5
remove numbers=4
remove numbers=3
remove numbers=2
remove numbers=1
remove numbers=0
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate !connection-state !connection-type \
    !content disabled=no !dscp !dst-address !dst-address-list \
    !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
    !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list \
    !out-interface !out-interface-list !packet-mark !packet-size \
    !per-connection-classifier !port !priority protocol=icmp !psd !random \
    !routing-mark !src-address !src-address-list !src-address-type \
    !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host !ttl
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" !connection-bytes \
    !connection-limit !connection-mark !connection-nat-state !connection-rate \
    !connection-state !connection-type !content disabled=no !dscp \
    !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port \
    !fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list \
    !in-interface !in-interface-list !ingress-priority ipsec-policy=in,ipsec \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \
    !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    !protocol !psd !random !routing-mark !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host !ttl
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv4
/ip firewall mangle
add action=change-mss chain=forward new-mss=1480 out-interface=\
    sfp-sfpplus1 protocol=tcp tcp-flags=syn tcp-mss=1481-65535
/ip firewall nat
# remove the existing NAT rules 1-8 (numbered as in the last print)
# before re-adding them below
remove numbers=8
remove numbers=7
remove numbers=6
remove numbers=5
remove numbers=4
remove numbers=3
remove numbers=2
remove numbers=1
add action=accept chain=srcnat comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=out,ipsec \
    !to-addresses !to-ports
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN !to-addresses !to-ports
add action=dst-nat chain=dstnat dst-port=32400 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.88.216 to-ports=32400
add action=dst-nat chain=dstnat dst-port=52428 in-interface-list=WAN \
    protocol=udp to-addresses=192.168.88.208 to-ports=52428
add action=dst-nat chain=dstnat dst-port=53 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.88.208 to-ports=53
add action=dst-nat chain=dstnat dst-port=53 in-interface-list=WAN \
    protocol=udp to-addresses=192.168.88.208 to-ports=53
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.88.208 to-ports=80
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN \
    protocol=udp to-addresses=192.168.88.208 to-ports=80
/ip firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" !content disabled=yes !dscp \
    !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port \
    !fragment !hotspot !icmp-options !in-interface !in-interface-list \
    !ingress-priority !ipsec-policy !ipv4-options !limit log=no log-prefix="" \
    !nth !out-interface !out-interface-list !packet-size \
    !per-connection-classifier !port !priority !protocol !psd !random \
    !src-address !src-address-list !src-address-type !src-mac-address \
    !src-port !tcp-flags !tcp-mss !time !tls-host !ttl
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
    dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=\
    udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" !content \
    disabled=no !dscp !dst-address dst-address-list=bad_ipv4 \
    !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
    !in-interface !in-interface-list !ingress-priority !ipsec-policy \
    !ipv4-options !limit log=no log-prefix="" !nth !out-interface \
    !out-interface-list !packet-size !per-connection-classifier !port \
    !priority !protocol !psd !random !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host !ttl
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" !content \
    disabled=no !dscp !dst-address dst-address-list=bad_dst_ipv4 \
    !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
    !in-interface !in-interface-list !ingress-priority !ipsec-policy \
    !ipv4-options !limit log=no log-prefix="" !nth !out-interface \
    !out-interface-list !packet-size !per-connection-classifier !port \
    !priority !protocol !psd !random !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host !ttl
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    !content disabled=no !dscp !dst-address !dst-address-list \
    !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
    !in-interface in-interface-list=WAN !ingress-priority !ipsec-policy \
    !ipv4-options !limit log=no log-prefix="" !nth !out-interface \
    !out-interface-list !packet-size !per-connection-classifier !port \
    !priority !protocol !psd !random !src-address src-address-list=\
    not_global_ipv4 !src-address-type !src-mac-address !src-port !tcp-flags \
    !tcp-mss !time !tls-host !ttl
add action=drop chain=prerouting comment=\
    "defconf: drop forward to local lan from WAN" dst-address=192.168.88.0/24 \
    in-interface-list=WAN
add action=drop chain=prerouting comment=\
    "defconf: drop local if not from default IP range" in-interface-list=LAN \
    src-address=!192.168.88.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
    protocol=udp
add action=jump chain=prerouting comment="defconf: jump to icmp4 chain" \
    jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to bad_tcp chain" \
    jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
    protocol=tcp
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 \
    limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" \
    icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" \
    icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" \
    icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" \
    icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" \
    icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=\
    5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=\
    11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=yes ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes sip-timeout=10m
set pptp disabled=no
set rtsp disabled=no ports=554
set udplite disabled=no
set dccp disabled=no
set sctp disabled=no
/ip upnp
set allow-disable-external-interface=no enabled=no show-dummy-rule=yes
/ipv6 firewall filter
# remove the existing IPv6 filter rules (numbered 0-21 in the last print)
# before re-adding them below
remove numbers=21
remove numbers=20
remove numbers=19
remove numbers=18
remove numbers=17
remove numbers=16
remove numbers=15
remove numbers=14
remove numbers=13
remove numbers=12
remove numbers=11
remove numbers=10
remove numbers=9
remove numbers=8
remove numbers=7
remove numbers=6
remove numbers=5
remove numbers=4
remove numbers=3
remove numbers=2
remove numbers=1
remove numbers=0
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" \
    !connection-bytes !connection-limit !connection-mark !connection-rate \
    !connection-state !connection-type !content disabled=no !dscp \
    !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port \
    !headers !hop-limit !icmp-options !in-bridge-port !in-bridge-port-list \
    !in-interface !in-interface-list !ingress-priority !ipsec-policy !limit \
    log=no log-prefix="" !out-bridge-port !out-bridge-port-list \
    !out-interface !out-interface-list !packet-mark !packet-size \
    !per-connection-classifier !port !priority protocol=icmpv6 !random \
    !routing-mark !src-address !src-address-list !src-address-type \
    !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec \
    policy - CHECK IT NOT IN ADVANCED FIREWALL EXAMPLE" !connection-bytes \
    !connection-limit !connection-mark !connection-rate !connection-state \
    !connection-type !content disabled=no !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit !dst-port !headers \
    !hop-limit !icmp-options !in-bridge-port !in-bridge-port-list \
    !in-interface !in-interface-list !ingress-priority ipsec-policy=in,ipsec \
    !limit log=no log-prefix="" !out-bridge-port !out-bridge-port-list \
    !out-interface !out-interface-list !packet-mark !packet-size \
    !per-connection-classifier !port !priority !protocol !random \
    !routing-mark !src-address !src-address-list !src-address-type \
    !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid - DISABLED otherw\
    ise ping6 google.com does not work" !connection-bytes !connection-limit \
    !connection-mark !connection-nat-state !connection-rate connection-state=\
    invalid !connection-type !content disabled=yes !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit !dst-port !headers \
    !hop-limit !icmp-options !in-bridge-port !in-bridge-port-list \
    !in-interface !in-interface-list !ingress-priority !ipsec-policy !limit \
    log=no log-prefix="" !out-bridge-port !out-bridge-port-list \
    !out-interface !out-interface-list !packet-mark !packet-size \
    !per-connection-classifier !port !priority !protocol !random \
    !routing-mark !src-address !src-address-list !src-address-type \
    !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    !connection-bytes !connection-limit !connection-mark !connection-rate \
    !connection-state !connection-type !content disabled=no !dscp \
    !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port \
    !headers !hop-limit !icmp-options !in-bridge-port !in-bridge-port-list \
    !in-interface !in-interface-list !ingress-priority !ipsec-policy !limit \
    log=no log-prefix="" !out-bridge-port !out-bridge-port-list \
    !out-interface !out-interface-list !packet-mark !packet-size \
    !per-connection-classifier !port !priority !protocol !random \
    !routing-mark !src-address src-address-list=no_forward_ipv6 \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    !connection-bytes !connection-limit !connection-mark !connection-rate \
    !connection-state !connection-type !content disabled=no !dscp \
    !dst-address dst-address-list=no_forward_ipv6 !dst-address-type \
    !dst-limit !dst-port !headers !hop-limit !icmp-options !in-bridge-port \
    !in-bridge-port-list !in-interface !in-interface-list !ingress-priority \
    !ipsec-policy !limit log=no log-prefix="" !out-bridge-port \
    !out-bridge-port-list !out-interface !out-interface-list !packet-mark \
    !packet-size !per-connection-classifier !port !priority !protocol !random \
    !routing-mark !src-address !src-address-list !src-address-type \
    !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" \
    !connection-bytes !connection-limit !connection-mark !connection-rate \
    !connection-state !connection-type !content disabled=no !dscp \
    !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port \
    !headers !hop-limit !icmp-options !in-bridge-port !in-bridge-port-list \
    !in-interface !in-interface-list !ingress-priority !ipsec-policy !limit \
    log=no log-prefix="" !out-bridge-port !out-bridge-port-list \
    !out-interface !out-interface-list !packet-mark !packet-size \
    !per-connection-classifier !port !priority protocol=icmpv6 !random \
    !routing-mark !src-address !src-address-list !src-address-type \
    !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not comin\
    g from LAN - DISABLED otherwise test-ipv6.com test fails: \"No IPv6 addres\
    s detected\"" !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate !connection-state !connection-type \
    !content disabled=yes !dscp !dst-address !dst-address-list \
    !dst-address-type !dst-limit !dst-port !headers !hop-limit !icmp-options \
    !in-bridge-port !in-bridge-port-list !in-interface in-interface-list=!LAN \
    !ingress-priority !ipsec-policy !limit log=no log-prefix="" \
    !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    !protocol !random !routing-mark !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host
/ipv6 firewall mangle
add action=change-mss chain=forward new-mss=1480 out-interface=\
    sfp-sfpplus1 protocol=tcp tcp-flags=syn tcp-mss=1481-65535
/ipv6 firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" !content disabled=yes !dscp \
    !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port \
    !headers !hop-limit !icmp-options !in-interface !in-interface-list \
    !ingress-priority !ipsec-policy !limit log=no log-prefix="" \
    !out-interface !out-interface-list !packet-size \
    !per-connection-classifier !port !priority !protocol !random !src-address \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
    !tcp-mss !time !tls-host
add action=accept chain=prerouting comment="defconf: RFC4291, section 2.7.1" \
    dst-address=ff02::1:ff00:0/104 icmp-options=135 protocol=icmpv6 \
    src-address=::/128
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv6
add action=drop chain=prerouting comment=\
    "defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv6
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" \
    jump-target=icmp6 protocol=icmpv6
add action=accept chain=prerouting comment=\
    "defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment=\
    "defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=icmp6 comment=\
    "defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 \
    hop-limit=not-equal:255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: dst unreachable" \
    icmp-options=1:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: packet too big" icmp-options=\
    2:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: limit exceeded" icmp-options=\
    3:0-1 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: bad header" icmp-options=\
    4:0-2 protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: Mobile home agent address discovery" icmp-options=144:0-255 \
    protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: Mobile home agent address discovery" icmp-options=145:0-255 \
    protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix solic" \
    icmp-options=146:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix advert" \
    icmp-options=147:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo request limit 5,10" \
    icmp-options=128:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo reply limit 5,10" \
    icmp-options=129:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 router solic limit 10,20 only LAN" !content disabled=no \
    !dscp !dst-address !dst-address-list !dst-address-type !dst-limit \
    !dst-port !headers hop-limit=equal:255 icmp-options=133:0-255 \
    !in-interface in-interface-list=LAN !ingress-priority !ipsec-policy \
    limit=10,20:packet log=no log-prefix="" !out-interface \
    !out-interface-list !packet-size !per-connection-classifier !port \
    !priority protocol=icmpv6 !random !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 router advert limit 10,20 only LAN" !content disabled=\
    no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit \
    !dst-port !headers hop-limit=equal:255 icmp-options=134:0-255 \
    !in-interface in-interface-list=LAN !ingress-priority !ipsec-policy \
    limit=10,20:packet log=no log-prefix="" !out-interface \
    !out-interface-list !packet-size !per-connection-classifier !port \
    !priority protocol=icmpv6 !random !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 neighbor solic limit 10,20 only LAN" !content disabled=\
    no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit \
    !dst-port !headers hop-limit=equal:255 icmp-options=135:0-255 \
    !in-interface in-interface-list=LAN !ingress-priority !ipsec-policy \
    limit=10,20:packet log=no log-prefix="" !out-interface \
    !out-interface-list !packet-size !per-connection-classifier !port \
    !priority protocol=icmpv6 !random !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 neighbor advert limit 10,20 only LAN" !content \
    disabled=no !dscp !dst-address !dst-address-list !dst-address-type \
    !dst-limit !dst-port !headers hop-limit=equal:255 icmp-options=136:0-255 \
    !in-interface in-interface-list=LAN !ingress-priority !ipsec-policy \
    limit=10,20:packet log=no log-prefix="" !out-interface \
    !out-interface-list !packet-size !per-connection-classifier !port \
    !priority protocol=icmpv6 !random !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 inverse ND solic limit 10,20 only LAN" !content \
    disabled=no !dscp !dst-address !dst-address-list !dst-address-type \
    !dst-limit !dst-port !headers hop-limit=equal:255 icmp-options=141:0-255 \
    !in-interface in-interface-list=LAN !ingress-priority !ipsec-policy \
    limit=10,20:packet log=no log-prefix="" !out-interface \
    !out-interface-list !packet-size !per-connection-classifier !port \
    !priority protocol=icmpv6 !random !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 inverse ND advert limit 10,20 only LAN" !content \
    disabled=no !dscp !dst-address !dst-address-list !dst-address-type \
    !dst-limit !dst-port !headers hop-limit=equal:255 icmp-options=142:0-255 \
    !in-interface in-interface-list=LAN !ingress-priority !ipsec-policy \
    limit=10,20:packet log=no log-prefix="" !out-interface \
    !out-interface-list !packet-size !per-connection-classifier !port \
    !priority protocol=icmpv6 !random !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host
add action=drop chain=icmp6 comment="defconf: drop other icmp" !content \
    disabled=yes !dscp !dst-address !dst-address-list !dst-address-type \
    !dst-limit !dst-port !headers !hop-limit !icmp-options !in-interface \
    !in-interface-list !ingress-priority !ipsec-policy !limit log=no \
    log-prefix="" !out-interface !out-interface-list !packet-size \
    !per-connection-classifier !port !priority protocol=icmpv6 !random \
    !src-address !src-address-list !src-address-type !src-mac-address \
    !src-port !tcp-flags !tcp-mss !time !tls-host
/ipv6 nd
set [ find default=yes ] advertise-dns=yes advertise-mac-address=yes \
    disabled=no dns="" hop-limit=unspecified interface=\
    bridge managed-address-configuration=no mtu=\
    unspecified other-configuration=no pref64="" ra-delay=0s ra-interval=\
    3m-6m ra-lifetime=10m ra-preference=medium reachable-time=unspecified \
    retransmit-interval=unspecified
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=30m valid-lifetime=33m
/ipv6 dhcp-server
add name=myipv6-dhcp-server address-pool=myisp-ipv6-pool interface=bridge
/routing pimsm instance
add name=pimsm-instance-ipv4 afi=ipv4
add name=pimsm-instance-ipv6 afi=ipv6
/routing pimsm interface-template
add disabled=no hello-delay=5s hello-period=30s instance=\
    pimsm-instance-ipv4 interfaces=\
    bridge join-prune-period=1m \
    join-tracking-support=yes override-interval=2s500ms priority=2097152 \
    propagation-delay=500ms
add disabled=no hello-delay=5s hello-period=30s instance=\
    pimsm-instance-ipv6 interfaces=\
    bridge join-prune-period=1m \
    join-tracking-support=yes override-interval=2s500ms priority=2097152 \
    propagation-delay=500ms
/routing settings
set single-process=no
/ip cloud
set update-time=no ddns-enabled=yes ddns-update-interval=10m
/system ntp client
set enabled=yes mode=unicast servers=\
    0.us.pool.ntp.org,1.us.pool.ntp.org,2.us.pool.ntp.org,3.us.pool.ntp.org \
    vrf=main
/system ntp server
set auth-key=none broadcast=yes broadcast-addresses=192.168.88.255 enabled=yes \
    local-clock-stratum=5 manycast=no multicast=yes use-local-clock=no vrf=\
    main
/system ntp client servers
add address=0.us.pool.ntp.org auth-key=none disabled=no iburst=yes max-poll=\
    10 min-poll=6
add address=1.us.pool.ntp.org auth-key=none disabled=no iburst=yes max-poll=\
    10 min-poll=6
add address=2.us.pool.ntp.org auth-key=none disabled=no iburst=yes max-poll=\
    10 min-poll=6
add address=3.us.pool.ntp.org auth-key=none disabled=no iburst=yes max-poll=\
    10 min-poll=6

If you want to have similar access to certain internal hosts over IPv6 as you now have with IPv4, then you have to add the right rules in /ipv6 firewall mangle for it.

Edit #1: fixed bridge type.
 
un9edsda
Frequent Visitor
Frequent Visitor
Posts: 83
Joined: Sun Mar 15, 2020 11:11 pm

Re: Slow upload speed only with RB5009

Tue Jan 09, 2024 1:43 am

A bit more detailed explanation:
  1. In the default configuration ether1 is part of the WAN interface list, and it had probably not been taken out of it; sfp-sfpplus1 was just added alongside it. Therefore ether1 was removed from that list.
  2. Fast Path was enabled on the bridge, as it was not enabled.
  3. Internal path costs were added to the ether interfaces in the bridge.
  4. sfp-sfpplus1 was removed from the bridge, as it is your Internet uplink.
  5. Port 32400 was removed from the input and output chains, as you need it only in the /ip/firewall/nat section.
  6. The /ip/firewall/nat section's rules were changed from in-interface=all-ethernet to in-interface-list=WAN.
  7. IPv4 and IPv6 firewall address lists were fixed.
  8. Stateless firewall rules (/ip/firewall/raw and /ipv6/firewall/raw) were added.
  9. NTP client and server were added.
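A small audit script, added here as an example (not code from un9edsda's post or from MikroTik), that parses an export in the syntax shown above (backslash-wrapped lines, valueless "!matcher" tokens from a verbose export) and reports every firewall chain whose last enabled rule is not a drop, plus every drop rule that has been disabled. The excerpt it runs on is a constructed shortening of this thread's /ipv6 firewall section.

```python
import shlex

# Constructed sample in RouterOS "export" syntax, modelled on the /ipv6
# firewall section posted above (shortened; not the full configuration).
SAMPLE_EXPORT = r'''/ipv6 firewall filter
add action=accept chain=forward comment="defconf: accept IKE" protocol=udp
add action=drop chain=forward comment="defconf: drop everything else not comin\
    g from LAN - DISABLED" !connection-state disabled=yes in-interface-list=!LAN
/ipv6 firewall raw
add action=accept chain=prerouting comment="defconf: accept from LAN" \
    in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=icmp6 comment="defconf: drop other icmp" disabled=yes
'''

def join_continuations(text):
    # A trailing backslash joins the next line (its indentation dropped), so
    # 'comin\' + '    g from LAN' becomes 'coming from LAN'.
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.lstrip() if buf else raw
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    return lines

def parse_rules(text):
    # {(section, chain): [rule, ...]} in export order; valueless '!key'
    # tokens (verbose export for "matcher not set") are skipped.
    rules, section = {}, None
    for line in join_continuations(text):
        if line.startswith("/"):
            section = line.strip()
        elif line.startswith("add ") and section:
            rule = dict(tok.split("=", 1) for tok in shlex.split(line[4:])
                        if "=" in tok and not tok.startswith("!"))
            rules.setdefault((section, rule.get("chain", "")), []).append(rule)
    return rules

def audit_default_policy(text):
    # Flag chains whose last enabled rule is not a drop, and any disabled drop
    # rule: both silently widen the chain's default policy.
    findings = []
    for (section, chain), chain_rules in parse_rules(text).items():
        enabled = [r for r in chain_rules if r.get("disabled") != "yes"]
        if not enabled or enabled[-1].get("action") != "drop":
            findings.append(f"{section} chain={chain}: no enabled final drop")
        for r in chain_rules:
            if r.get("action") == "drop" and r.get("disabled") == "yes":
                findings.append(f"{section} chain={chain}: disabled drop '{r.get('comment', '')}'")
    return findings
```

On the full export above it flags the same two rules: the disabled forward-chain catch-all leaves new inbound IPv6 connections toward the LAN to the chain's implicit accept unless an earlier rule matches them, and the disabled "drop other icmp" returns unmatched ICMPv6 from the icmp6 chain to prerouting, where "accept everything else from WAN" takes it.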
 
cwilmo
just joined
Posts: 10
Joined: Sat Jun 26, 2021 11:07 pm

Re: Slow upload speed only with RB5009

Sat Jan 13, 2024 9:53 pm

I experienced this as well (or something similar); just wanted to say that for me it was fixed by downgrading to 7.9.2, I don't know why. My only comparison was an RB4011 I had at a different location that seemed to have no problem with the latest firmware and speed.