Hi,
I have a 300/30 connection and I’ve been able to navigate the internet at full speed by enabling Fasttrack in the firewall rules. The problem is that when downloading torrent files, the speed limit is 98-100mbs with 15% of cpu more or less.
Does anyone have any idea?
Please post result of “/export hide-sensitive compact” between “code” tags.
And your device is?
MODEL: RB2011UiAS
Ether4 is where I am connected through an Ethernet cable.
[Linksys@Sarriko] > /export hide-sensitive compact
# feb/13/2019 12:07:27 by RouterOS 6.43.8
# software id = 0ASD-8Q78
#
# model = 2011UiAS
# serial number = 554F047F49B3
/interface bridge
add name=LAN
add name=WAN
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/ip pool
add name=POOL_LAN ranges=192.168.0.20-192.168.0.254
/ip dhcp-server
add address-pool=POOL_LAN disabled=no interface=LAN name=dhcp1
/interface bridge port
add bridge=WAN hw=no interface=ether1
add bridge=LAN hw=no interface=ether5
add bridge=LAN interface=ether4
add bridge=LAN interface=ether3
/ip address
add address=192.168.0.1/24 interface=LAN network=192.168.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=WAN
/ip dhcp-server lease
add address=192.168.0.2 client-id=1:30:9c:23:47:e7:1 comment=Sergio mac-address=30:9C:23:47:E7:01 server=dhcp1
add address=192.168.0.3 client-id=1:78:8a:20:5c:b2:e5 comment=UniFI mac-address=78:8A:20:5C:B2:E5 server=dhcp1
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" connection-state=established
add action=accept chain=input comment="Accept to related connections" connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" src-address-list=support
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=1,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
/ip service
set telnet disabled=yes port=123
set ftp disabled=yes port=121
set www port=180
set ssh port=122
set api disabled=yes
set winbox port=18291
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=Sarriko
On a normal download:


Torrent downloads with direct access to the modem work perfectly

On torrent downloads it doesn’t reach 100mbps+


Hey
both download and p2p were over eth4 (wired)?
what is the cpu usage during p2p download? what is the result of cpu profiler?
config:
Matches connections per address or address block up to and including given value. Should be used together with connection-state=new and/or with tcp-flags=syn because matcher is very resource intensive.
Yes both are over Eth4 wired.
CPU Load is Between 54% and 70%
NAME CPU USAGE
ethernet 5%
console 0%
firewall 16.5%
networking 16%
winbox 1%
management 2%
profiling 0%
bridging 6.5%
unclassified 3.5%
total 50.5%

Another question: I don’t know any other way of adding WAN. I’ve removed every firewall rule and it stays the same.
set [ find default-name=ether4 ] speed=100Mbps
You state you are connected on ether4 which you have locked to 100Mbps
Hi,
Here it says 1Gbps for Ether4, it’s strange, in status…

If I uncheck auto-negotiation in the ethernet tab and set the speed to 1gbps, I can’t connect anymore…
try this config change:
/interface bridge remove WAN
/interface ethernet set [ find default-name=ether1 ] name=WAN
/interface bridge port
# why is it in hw=no mode?
set [ find interface=ether5 ] hw=yes
# remove all rules from firewall and add these, they are mostly default rules, except for the SUPPORT & bogons you had
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Full access to SUPPORT address list" src-address-list=support
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons
And then retest. Monitor cpu usage during the p2p transfer with profiler.
Can you increase the number of concurrent sessions for p2p, just to check it’s not a remote side limitation?
Note: it’s also possible that there is throttling upstream (by your isp) for p2p traffic
# feb/13/2019 21:38:05 by RouterOS 6.43.12
# software id = 0ASD-8Q78
#
# model = 2011UiAS
# serial number = 554F047F49B3
/interface bridge
add admin-mac=4C:5E:0C:D5:A7:3E auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=forward connection-state=established,related
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untrac
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,unt
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=ne
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Madrid
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Same speed limit 100mbps with this config
That’s default config right? Did you try to change the number of p2p peers?
With that config, on eth4 for normal download you get 300+mb but for p2p much less. Correct?
Then it’s not the Tik that’s doing it, and as mentioned before probably uplink limitation.
Correct, but if I connect directly to my ISP router (bridge mode), it has no limitations, so frustrating…
Well, finally I solved the problem, and the problem was…
Killer network service limiting speed…

Thank you all.
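Added example, not part of the thread and not code from any poster: a small Python audit of the `/ip firewall filter` section of an export like the ones posted above. It flags a `connection-limit` matcher used without `connection-state=new` or `tcp-flags=syn` (the documentation note quoted in the thread), a `fasttrack-connection` rule placed after an unconditional accept of established,related traffic in the same chain, where it never matches, and a disabled drop rule on the input chain. The function names are hypothetical, and it assumes one rule per line with no backslash line continuations.

```python
import shlex

# Rules excerpted from the two exports posted in the thread (shortened set,
# comments trimmed); everything else here is illustrative.
SAMPLE_EXPORT = '''\
/ip firewall filter
add action=accept chain=forward connection-state=established,related
add action=fasttrack-connection chain=forward connection-state=established,related
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward connection-limit=30,32 dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=input comment="Drop anything else!" disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
'''

def parse_filter_rules(export_text):
    """Return the /ip firewall filter rules as dicts, in export order."""
    rules, section = [], None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line                      # new menu path, e.g. /ip firewall nat
        elif section == "/ip firewall filter" and line.startswith("add "):
            pairs = (t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            rules.append(dict(pairs))
    return rules

def audit(rules):
    """Return (rule_index, finding) tuples; rule order matters for shadowing."""
    findings = []
    accepted = set()  # chains that already accept established,related unconditionally
    for i, r in enumerate(rules):
        states = set(r.get("connection-state", "").split(","))
        syn = "syn" in r.get("tcp-flags", "").split(",")
        extra = set(r) - {"action", "chain", "comment", "connection-state"}
        if r.get("disabled") == "yes":          # disabled rules match nothing
            if r.get("action") == "drop" and r.get("chain") == "input":
                findings.append((i, "input drop rule is disabled"))
            continue
        if "connection-limit" in r and "new" not in states and not syn:
            findings.append((i, "connection-limit without connection-state=new or tcp-flags=syn"))
        if r.get("action") == "accept" and {"established", "related"} <= states and not extra:
            accepted.add(r.get("chain"))
        if r.get("action") == "fasttrack-connection" and r.get("chain") in accepted:
            findings.append((i, "fasttrack rule is shadowed by an earlier accept"))
    return findings

if __name__ == "__main__":
    for index, finding in audit(parse_filter_rules(SAMPLE_EXPORT)):
        print(f"rule {index}: {finding}")
```
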