750G download speed very slow

johnchon · October 22, 2020, 11:58am

i’m new for mikrotik device, recently just setup unifi fibre internet for my company. Just start using this device and not configure firewall and use default. Only setup few NAT but before setup NAT the download speed already just around 3-6mbps but upload speed up to 30mbps, my default download speed should be 100mbps for download and upload. Before using pfsense don’t have this issues. please recommend some solution for me. thank you.

anav · October 22, 2020, 2:25pm

Post you config
/export hide-sensitive file=anynameyouwish

Just ensure you scrub your wanip if stated anywhere.

johnchon · October 23, 2020, 5:20pm

This is the export file

johnchon · October 23, 2020, 5:21pm

this is the export file
default.rsc (16.9 KB)

mkx · October 23, 2020, 5:56pm

Setup is dangerous because firewall is virtually non-existant, not protecting neither router itself nor LAN. Setup is dangerous because router is running ancient version of ROS (5.4). Setup is slow because it’s got queues set up which are CPU intensive and your device is no speed monster.

My suggestion: netinstall router with recent version of ROS (long-term 6.46.7 should be fine), reset configuration to factory default, upgrade routerboot as well (/system routerboard upgrade after new ROS boots up). Then start off customizing router, but keep default config as a very decent starting point (don’t just follow some random youtube tutorial, those are mostly useless or plain wrong).

johnchon · October 23, 2020, 6:38pm

Thank you for you suggestion, i will try neinstall for version ROS. When upgrade already how to configure the firewall for more protecting for LAN and router. I’m new for mikrotik, and not familiar for the setup. Please give me some example or suggestion, thank you very much.

anav · October 23, 2020, 6:45pm

When back up with a fresh install of the latest stable ROS (better than the last one released IMHO). Then return here post your config and requirements and will help at that time.

mkx · October 23, 2020, 7:06pm

As I already wrote: default config which comes with recent versions of ROS, is decent config. Just be sure that “Keep old configuration” is not checked. As result, your device will be as if it came out of factory and initial step of configuring Routerboard device is to set basic working mode. While doing it, default configuration is applied and that default configuration includes decent firewall settings.

johnchon · October 25, 2020, 7:55am

I’m testing use the netinstall for the 750g but the netinstall not running. I have check other thread need using 3.29 version of the mikrotik. May i know how can i do for it ?

johnchon · October 25, 2020, 8:05am

i think i can reset it already, sorry for no see clear the instruction, net hold the button until LED light off.

johnchon · October 25, 2020, 9:28am

This is new upgrade the 750 device without any firewall and just 1 addon NAT configure. But the internet same slow, and may i know the firewall and LAN protection is enough for it ?
default.rsc (3.88 KB)

mkx · October 25, 2020, 10:48am

This is not default setup, it seems that it was transferred over from old config. You have to reset it to factory default. Log in via WebFix (using web browser), click “Quick Set” button top right, then click “Reset configuration” in lower right area. Reboot device (if it doesn’t do it itself). Then test performance again.

The problem with current config is that firewall is actually set up (even though only to protect router itself), but for that, connection tracking runs and connection tracking is pretty CPU intensive operation. In ROS there exists a feature called “fast track” which causes most packets to bypass most of firewall processing, but it’s not enabled in your setup. You could enable it (it’s simple to do it, but not trivial), but as you would really benefit from full default configuration, I strongly advise you to do factory reset before we move further.
After you do reset to factory defaults, study firewall rules to get acquainted to the philosophy … before you set up NAT rules. While you could verbatim copy-paste current NAT rule, they (both) are not most effective. You’ll notice that new default heavily uses interface lists … if your WAN interface (pppoe-client) does not land in WAN interface list, add it manually. Which will make your personal src-nat rule redundant because the default rule will cover it. Similarly dst-nat rule could be rewritten to use in-interface-list instead of dst-address … but that depends on whether you want to access your wlan camera through WAN IP also from LAN. If you want that, then your current dst-nat rule is just fine.

johnchon · October 25, 2020, 12:26pm

This is not default setup, it seems that it was transferred over from old config. You have to reset it to factory default. Log in via WebFix (using web browser), click “Quick Set” button top right, then click “Reset configuration” in lower right area. Reboot device (if it doesn’t do it itself). Then test performance again.

The problem with current config is that firewall is actually set up (even though only to protect router itself), but for that, connection tracking runs and connection tracking is pretty CPU intensive operation. In ROS there exists a feature called “fast track” which causes most packets to bypass most of firewall processing, but it’s not enabled in your setup. You could enable it (it’s simple to do it, but not trivial), but as you would really benefit from full default configuration, I strongly advise you to do factory reset before we move further.
After you do reset to factory defaults, study firewall rules to get acquainted to the philosophy … before you set up NAT rules. While you could verbatim copy-paste current NAT rule, they (both) are not most effective. You’ll notice that new default heavily uses interface lists … if your WAN interface (pppoe-client) does not land in WAN interface list, add it manually. Which will make your personal src-nat rule redundant because the default rule will cover it. Similarly dst-nat rule could be rewritten to use in-interface-list instead of dst-address … but that depends on whether you want to access your wlan camera through WAN IP also from LAN. If you want that, then your current dst-nat rule is just fine.

I have follow you say reset the configuration and setup for it, starting the network would’t get the internet but pppoe get connection. the configure attachment is "default’ after add NAT rules then can get internet “default2”
default2.rsc (1.19 KB)
default.rsc (1.02 KB)

johnchon · October 25, 2020, 12:29pm

For now the firewall only have one rules default, it’s correct ?

erlinden · October 25, 2020, 12:52pm

Not sure if the default configuration is correct, herewith the default firewall rules:

/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN

anav · October 25, 2020, 1:31pm

No it is not correct - although I have no idea why MT would not include the default firewalls on new releases even for old equipment.

Did you use netinstall to work with the latest long term version of firmware?
OLD 750 unit is MIPSBE
Newer 750Gr3 is MMIPS

Probably time to upgrade your equipment that thing you have is ancient.

tdw · October 25, 2020, 2:33pm

MMIPS is only for the 750Gr3 (second version of the hEX). The original 750G, which the OP has, and the 750Gr2 (first version of the hEX) are MIPSBE.

The /system routerboard settings set cpu-frequency=150MHz will be reducing the performance, it should be several times greater by default.

anav · October 25, 2020, 2:38pm

Thanks TDW I will edit my post accordingly…

johnchon · October 28, 2020, 8:37am

Not sure if the default configuration is correct, herewith the default firewall rules:

/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN

i try to add the filter rules but for below command need configure add new policy at IPSEC also ?

add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec

johnchon · October 28, 2020, 8:41am

Already successful NETINSTALL now the v6.47.6 MIPSBE, i try to setup the mikrotik but the download speed and upload speed around 5mbps-8mbps look like internet slow. The mikrotik is configure vlan500 for pppoe setup, may i know need to do bridge ?