Hello all

Been scratching my brain over this, family is mad a me and i suspect the dog also
First let me state i am not a network specialist or nothing of the kind, but for some reason Microtik came into my home and i wanted to slowly move and learn how to protect my iot devices.
But yeah.... seems i can't even go past the first challenge that is making this work as expected
So i kindly ask your assistance to help me figure out where is the problem and get to have the setup working as i would love it to.

My ISP provides 1Gb download and 100mbit upload.
It is a cable connection so i am forced to have a Fritzbox 6690 in front of the network.
Then i have the hEX and a switch.

ISP ---> fritzbox ----> hexs ----> lan switch

On the fritzbox i setup ip 192.168.200.1/24 and on hEX the ether1 with 192.168.200.2/24 (i think here i could use a mask for just likr 6 ips but well).
On hEX ether 3 i have the link to the lan switch and all connected devices.
All cables are cat7 on hex and fritz and cat6a on hex to switch - all links report 1Gbit.

Now....
If i plug my laptop to the fritz directly i get pretty much all speed i shoudl get (990Mbits download and 115mbit upload).
If i connect directly to the hEX i can not go past 210bit dowload and horrible like 8mbit upload.....

hEX is running on v7.14 and is pretty much the default config as i have reset is like 10000 times into a madness hoping for a different outcome.

Well and also because i also bought 2 cAP AC and struggled with capsman until i understood it but now these are disconnected and hEX is like default config.
One thing at the time.

Can you please help me understand where is my problem?
Thanks in advance

Are you using IPv6 for your speedtest? With IPv6 around 250Mbps is pretty much the most that you can expect with the RB750Gr3. Same with IPv4 if the router is unable to use Fasttrack. The CPU is not powerful enough.

Your hEX is only able to route at 1Gbps with the default firewall rules when Fasttrack is active and can be used. Can you check the IP - Firewall - Filter table, whether the dummy passthrough forward rule (to show fasttrack counters) at the top is the one with the most traffic (Bytes and Packets columns).

You can invest in a hAP ax²/ax³, RB4011, RB5009, or the CCR routers if you want to use the full 1Gbps of your WAN with IPv6 (and IPv4 regardless of fasttrack).

Generally I'd agree with @CGGXANNX ... but that 8Mbps of uplink smells rotten. Generally routers perform symmetrically unless there are rules (or interactions) which work asymmetrically. Since already MT's default setup reveals the asymmetry, I'd say that the problem lies somewhere between hEX's ether1 port and coaxial cable (or even further upstream) ... could be configuration on Fritzbox, could be its firmware (interacting with MT in some funny way), could be ISP doing some funny stuff ...

And could be some missing detail on MT which needs to be configured (and which doesn't bother a typical Windows PC connected to the same Fritzbox port).

Generally I'd agree with @CGGXANNX ... but that 8Mbps of uplink smells rotten. Generally routers perform symmetrically unless there are rules (or interactions) which work asymmetrically. Since already MT's default setup reveals the asymmetry, I'd say that the problem lies somewhere between hEX's ether1 port and coaxial cable (or even further upstream) ... could be configuration on Fritzbox, could be its firmware (interacting with MT in some funny way), could be ISP doing some funny stuff ...

And could be some missing detail on MT which needs to be configured (and which doesn't bother a typical Windows PC connected to the same Fritzbox port).

Oh right, that 8Mbps does look suspect. Sometime abysmal upload speed might be caused by mismatched MTU setting. Could it be that the ISP have a MTU < 1500 on the WAN line (maybe PPPoE)? Since your MikroTik router WAN port connects to the LAN port of the Fritzbox, it will see and use MTU = 1500. If for some reason Path MTU Discovery is not working (ICMP blocked maybe), your devices and the MikroTik router will keep sending 1500-byte packets to the Fritzbox, which will need to be fragmented or completely dropped, that can make uploads slowwww.

If your internet connection has a MTU smaller than 1500, you can try to set the MTU of the WAN ethernet port of your MikroTik router to that same value.

Thank you both for your replies!
Let me see if i can do this the RIGHT way

"Are you using IPv6 for your speedtest?"
I hope not Both fritz and hex have ipv6 disabled. I am too dumb to understand it so i always keep it off everywhere.



Please find below my config:

# 2024-03-10 15:07:15 by RouterOS 7.14
# software id = 0**A-8**8
#
# model = RB760iGS
# serial number = **********
/interface bridge
add admin-mac=DC**********:A0 auto-mac=no comment=defconf name=bridge \
port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] comment="WAN Interface"
set [ find default-name=ether3 ] comment="LAN Interface"
/disk
add parent=sd1 partition-number=1 partition-offset="4 194 304" \
partition-size="31 715 229 696" slot=disk1 type=partition
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.178.30-192.168.178.100
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1 \
internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.178.1/24 comment=defconf interface=bridge network=\
192.168.178.0
add address=192.168.200.2/24 interface=ether1 network=192.168.200.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add
*********
/ip dhcp-server network
add address=192.168.178.0/24 comment=defconf dns-server=192.168.178.1 domain=\
home.arpa gateway=192.168.178.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.200.1
/ip dns static
add address=192.168.178.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.178.2-192.168.178.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set pptp disabled=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.200.1
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/*******
/system identity
set name=guardian
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

If your internet connection has a MTU smaller than 1500, you can try to set the MTU of the WAN ethernet port of your MikroTik router to that same value.

How do i find out my isp mtu?

Your configuration looks similar to the default configuration to me. IPv6 is disabled like you said, and Fasttrack appears to be working. In theory, your hEX S should be able to make use of your available bandwidth for IPv4 WAN traffic.

How do i find out my isp mtu?

If it's not displayed somewhere on the Fritzbox status/info page, you can perform the following to try to find out the MTU value yourself. If you use Windows, open a command prompt and run the command


if you use Linux, try this command instead


The command will try to send ICMP packets with the size equals to 1472 + 28 = 1500 bytes. If MTU is supported on the whole path between your computer and cloudflare's server (that include the MikroTik router, your Fritzbox, and your ISP) the ping command will suceed with no packet loss. Otherwise you'll either get no answer (timeout with 100% packet loss) or a error message about required fragmentation. Here is an example output when I tried with a packet size of 1501 (1743 + 28) which is larger than my MTU 1500 and a packet size of 1500:


If there are no problems with the payload size of 1472, MTU 1500 is fully supported and is not the cause of your problem. However, if the pings timed out, or you get error messages about fragmentation or message too long / packet too big, then we'll to try to find out the correct MTU value. You can try to reduce the parameter value 1472 by 8, to 1464, and try again. If it still doesn't work, further reduce the value by 4 each time until the pings succeed. The supported MTU value will be this payload size + 28 bytes.

Thank you so much to take the time to help me!
So will have to look somewhere else. As the mtu as you educated me about works without issues:



And just adding 1 to 1473 fails right away.

How come this is happening.... I do not know much about networks but i have no clue on what's going on.
I need to figure this out and get at least some stable and, let's say, some middle speed both ways to make sure a Microtik device works correctly with the fritz box.
A am willing to upgrade the hardware as mentioned before, but i can not do it and have the same problem again.

So for now i must invest and test all i can, ask help and figure this out.

Ok.....

Amazing....
So what happens is that my ISP is having on and off problems and some hours i have 10% the speed, others 30% and so on.....
Amazing...

Are the only connections to the hEX S ether1 to the Fritzbox and ether3 to the external switch?

What type of switch is connected to ether3. Is it a vlan-aware switch with a management interface or is it instead a basic plug and play switch with no management? If it is just a dumb switch, and you are just using it to "extend" the ports on the hEX S, then the default config should work.
What if you plug the laptop directly into ether3? Does it behave differently than when the external switch is between laptop and ether3? It should behave essentially the same. If it does not, what is between ether3 and the switch?

If I have ISP connection over PPPoE with 1492 MTU should this MTU be set only for the PPPoE Client interface or it should be set for whole network?

Are the only connections to the hEX S ether1 to the Fritzbox and ether3 to the external switch?

What type of switch is connected to ether3. Is it a vlan-aware switch with a management interface or is it instead a basic plug and play switch with no management? If it is just a dumb switch, and you are just using it to "extend" the ports on the hEX S, then the default config should work.
What if you plug the laptop directly into ether3? Does it behave differently than when the external switch is between laptop and ether3? It should behave essentially the same. If it does not, what is between ether3 and the switch?

Hey there.
I have a kind of smart switch with vlan support yes.
But even connected to the fritzbox i have the same speed as from the lan, amazing i have contacted support several times and so far my issue is not solved....
They have some problem on delivering the service as it should and i am in this situation until this moment...

But now you make me question what config should my switch have to be working correctly with the hexs?

So....
Finally had the tech support at home and after many tests it was found the fritzbox was defective and swapped to another.
After 1h of them trying to apply the right config now i am back to near 1Gbit/150Mbit speeds
Happy that my hex s performs almost exactly the same as my pc directly connected to the fritz, so routing quite well i must say

But in the end i have ordered a RB5009UG+S+IN just to have more flexibility for vlans on my setup

Thanks for the help.
Learned a lot about these devices.

If I have ISP connection over PPPoE with 1492 MTU should this MTU be set only for the PPPoE Client interface or it should be set for whole network?

I believe the lan will use 1500 by default and the interface that connects to ppoe will negotiate the mtu with carrier.