Hi there,

I'm using a hEX S as a home-router on a FTTH connection.

The setup: The hEX S is connected to an ONT. That's it.
ISP requires to use VLAN-ID7 as well as PPPOE in a standard configuration.
ISP hast configured the line to provide 300Mbit in both directions.

If I connect a spare linux notebook, with VLAN-ID7 and PPPOE directly to the ONT, I get abour 310Mbit in both directions, without any issue. This is rock solid. Multiple tests showed this value.

BUT if I connect my hEX S to the ONT, I onle get up to about 200Mbit in download and a good 300Mbit in upload.

This differs a bit over the day, but all in all: Download is about 100Mbit missing compared to what I should be.

This is *not* a matter of a wrong/broken speedtest (proved with multiple tests on different devices, also without router). This is matter of configuration.
So, I need help on the config of my router.

What I checked so far:

* CPU load is quite okay, I think. While 300mbit upload, it rises to about 70% in total. While 200mbit download it's about 50%.
* I checked the cables: Did an iperf3 test with the used cables, and also with the used ethernet port on the hEX S... works as expected with almost 1000mbit.
* I checked that there is no queue or similar configured.


MTU on PPPOE interface is auto-tuned to 1492. Should be okay, see no way on how to change it, as it get's kind of autocofigured?

As only download is affected, I think it's the firewall configuration. Why? Most rules should affect the incoming traffic, not the outgoing.

BUT I have no idea on how to fix it or to track it down (beside deactivating one rule after another). Means: I'm a firewall noob

Is there some experience in this direction (slow download in relation to firewall rules), or can someone give me a hint on what to do?
Or is there some other ideas on what can cause this issue?

best regards,
Alex

[update]
I tried to reduce the firewall to a very minimum. I cleared all rules and fired up these commands:
Speed test result: Still the same I fear it's not the firewall?! But I have no idea what else it could check...

Although the CPU is never running at 100%:

Could it be that the hEX S is not sufficiently powered to drive a PPPOE connection with 300mbit?

Following the test results https://mikrotik.com/product/hex_s#fndtn-testresults for routing with 25 ip filter rules and 512byte Packet size, it's just 265mbit...


If so: How does it come, that it is able to provide 300mbit upload, but not download?

If the hEX S is really "too slow": Which model would fit best? RB4011?
5009 has similar price, but rack-mounting is "not that nice" if I only have one unit.

If considering RB4011 and RB5009 ... then RB4011 is technically inferior in many aspects (slower CPU, uses 2 switch chips and SFP is connected directly to CPU, doesn't have USB port, etc.).

Just thought to mention this to contrast higher WAF of RB4011

Regarding hEX S performance: that rule of thumb is "give or take", sometimes throughput is not limited by by processing power but by subtle timing issues ... or something else subtle ... but yet with unproportionaly big effect.

You don't have the fasttrack rule in your firewall. The hEX S can still route IPv4 (even with PPPoE) at 9xx Mbps with fasttrack active.

Using hex (RB750Gr3) rather than hex S myself, but that tops out at around 300Mb/s without fastpath on LAN-LAN.
You'll obviously be adding some overhead to that on the PPPoE also....

Thanks for the feedback.

Regarding missing fasttrack: Right, in the above example this was missing. In fact, my actual setup has fasttrack enabled.

> The hEX S can still route IPv4 (even with PPPoE) at 9xx Mbps with fasttrack active.

Hmm, how do you do it? Mikrotik itself states, that it's about 265Mbit with routing and 25 ip filter rules and a packet size of 512bytes, see: https://mikrotik.com/product/hex_s#fndtn-testresults

That matches somehow my experience.

CGGXANNX made me wonder why it's so different on my side... So I now googled a bit more about fasttrack, asked chatgpt, compared my setup (that actually had fasttrack) with the suggestions from chatgpt...

Result: There was a misconfiguration... So fasttrack was there, but was not working properly.

What should I say... ?! Now it works CPU load is below the previous maximum.

Still thinking about replacing the hex s with rb4011 which I already ordered... hmm.

Hmm, how do you do it? Mikrotik itself states, that it's about 265Mbit with routing and 25 ip filter rules and a packet size of 512bytes, see: https://mikrotik.com/product/hex_s#fndtn-testresults

When fasttrack can be used, and for the packets that could be fasttracked (some packets will still travel the slow way), the performance will be closer to the "Routing - none (fast path)" number. That's why the router can still saturate the 1Gbps with fasttrack.