After changing RouterBOARD RB2011 to RB4011, very slow internet access

Hello everyone
I swapped the RouterBOARD RB2011 for the RB4011. I more or less carried over the configuration. Everything works so far; only the internet is very slow. It takes several seconds for a page to load. It does not matter whether the access is via LAN or WLAN, or from which VLAN the access is made.
I would be grateful for any help.
Thanks in advance.

Code:

2023-07-16 13:25:57 by RouterOS 7.10.1

software id = 4KFV-SNR6

model = RB4011iGS+

/interface bridge add frame-types=admit-only-vlan-tagged name=bridgeVLAN vlan-filtering=yes
/interface ethernet set [ find default-name=ether1 ] name=e01_VL
/interface ethernet set [ find default-name=ether2 ] name=e02_CAP1
/interface ethernet set [ find default-name=ether3 ] name=e03_CAP2
/interface ethernet set [ find default-name=ether4 ] name=e04
/interface ethernet set [ find default-name=ether5 ] name=e05_CAM
/interface ethernet set [ find default-name=ether6 ] name=e06_WAN
/interface ethernet set [ find default-name=ether7 ] name=e07_conf
/interface ethernet set [ find default-name=ether8 ] name=e08
/interface ethernet set [ find default-name=ether9 ] name=e09
/interface ethernet set [ find default-name=ether10 ] name=e10
/interface ethernet set [ find default-name=sfp-sfpplus1 ] name=sfp_VLAN
/interface vlan add interface=bridgeVLAN name=VL10 vlan-id=10
/interface vlan add interface=bridgeVLAN name=VL40 vlan-id=40
/interface list add name=WAN
/interface list add name=LAN
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik

/interface bridge port add bridge=bridgeVLAN frame-types=admit-only-vlan-tagged interface=e01_VL
/interface bridge port add bridge=bridgeVLAN frame-types=admit-only-vlan-tagged interface=sfp_VLAN
/interface bridge port add bridge=bridgeVLAN frame-types=admit-only-untagged-and-priority-tagged interface=e07_conf pvid=40
/interface bridge vlan add bridge=bridgeVLAN tagged=bridgeVLAN,e01_VL,sfp_VLAN,VL10 vlan-ids=10
/interface bridge vlan add bridge=bridgeVLAN tagged=bridgeVLAN,e01_VL,sfp_VLAN,VL40 untagged=e07_conf vlan-ids=40
/interface list member add interface=e06_WAN list=WAN
/interface list member add interface=VL40 list=LAN

/ip neighbor discovery-settings set discover-interface-list=all
/ip settings set max-neighbor-entries=8192
/ip address add address=10.66.10.1/24 interface=VL10 network=10.66.10.0
/ip address add address=10.77.40.1/24 interface=VL40 network=10.77.40.0
/ip pool add name=dhcp_pool_VL10 ranges=10.66.10.2-10.66.10.10
/ip dhcp-server add add-arp=yes authoritative=after-2sec-delay interface=VL20 lease-script=dhcpLeaseScript name=dhcp_VL20
/ip dhcp-server add authoritative=after-2sec-delay interface=VL40 name=dhcp_VL40
/ip dhcp-server add add-arp=yes address-pool=dhcp_pool_VL10 authoritative=after-2sec-delay interface=VL10 lease-script=dhcpLeaseScript name=dhcp_VL10WLan
/ip dhcp-server network add address=10.66.10.0/24 dns-server=10.66.10.1 domain=VL10 gateway=10.66.10.1 ntp-server=10.66.10.1 wins-server=10.66.10.1
/ip dhcp-server network add address=10.77.40.0/24 dns-server=10.77.40.1 domain=VL40 gateway=10.77.40.1 ntp-server=10.77.40.1 wins-server=10.77.40.1

/ip dhcp-client add interface=e06_WAN
/ip dns set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

/ip firewall filter add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward connection-state=established,related,new
/ip firewall filter add action=drop chain=forward dst-address-list=Bogons in-interface=e06_WAN
/ip firewall filter add action=drop chain=forward connection-state=invalid
/ip firewall filter add action=drop chain=forward src-address-list=NoInternet
/ip firewall filter add action=drop chain=forward src-address-list=NoInternet_ocHome
/ip firewall filter add action=drop chain=forward protocol=tcp src-address-list=InternetZensiert src-port=!80,443
/ip firewall filter add action=drop chain=forward in-interface=VL40 src-address=!10.77.40.0/24
/ip firewall filter add action=drop chain=forward in-interface=VL10 src-address=!10.60.10.0/24
/ip firewall filter add action=accept chain=forward dst-port=53,80,443 log=yes protocol=tcp src-address-list=WLAN_Mobile
/ip firewall filter add action=accept chain=forward dst-port=53,80,443 log=yes protocol=tcp src-address-list=WLAN_Tab_Statisch
/ip firewall filter add action=accept chain=forward connection-state=new dst-port=80,443,8883 in-interface=VL10 protocol=tcp
/ip firewall filter add action=accept chain=forward connection-state=new in-interface=VL40
/ip firewall filter add action=drop chain=forward in-interface=all-vlan out-interface=all-vlan
/ip firewall filter add action=drop chain=forward

/ip firewall filter add action=accept chain=input connection-state=established,related,new
/ip firewall filter add action=accept chain=input in-interface=VL10
/ip firewall filter add action=accept chain=input in-interface=VL40
/ip firewall filter add action=drop chain=input connection-state=invalid
/ip firewall filter add action=drop chain=input src-address-type=!unicast
/ip firewall filter add action=drop chain=input in-interface=e06_WAN src-address-list=Bogons
/ip firewall filter add action=drop chain=input
/ip firewall nat add action=masquerade chain=srcnat out-interface=e06_WAN src-address=10.66.10.0/24
/ip firewall nat add action=masquerade chain=srcnat out-interface=e06_WAN src-address=10.77.40.0/24

It's not the full config and thus not a terribly helpful post.

/export file=anynameyouwish ( minus router serial# and any public WANIP information )

(1) Remove the admin-changed part in orange - not necessary and may be part of the problem.
/interface bridge add frame-types=admit-only-vlan-tagged name=bridgeVLAN vlan-filtering=yes
(2) I see you have two VLANs identified… They normally have no business being identified in the /interface bridge vlan config. They are not ports!!!
/interface bridge vlan add bridge=bridgeVLAN tagged=bridgeVLAN,e01_VL,sfp_VLAN,VL10 vlan-ids=10
/interface bridge vlan add bridge=bridgeVLAN tagged=bridgeVLAN,e01_VL,sfp_VLAN,VL40 untagged=e07_conf vlan-ids=40

(3) You only have 3 ports on the bridge??

(4) Why is vlan10 not part of the LAN interface list ??

(5) Where is the pool for vlan40

(6) The only requirement for source NAT is a single rule:
/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN

(7) Firewall rules are pretty garbagy…
Recommended firewall setup (with two options for the input-chain admin part):

/ip firewall filter
{Input Chain}
( safe default rules )
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1

( admin rules option 1 - simple )
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"

( admin rules option 2 - for more precise access to config router )
add action=accept chain=input in-interface-list=LAN src-address-list=Authorized
add action=accept chain=input comment="Allow LAN DNS queries - UDP (and NTP etc. if required)" dst-port=53,123 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
{forward chain}
(safe default rules)
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(admin rules)
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

Note: the firewall address list "Authorized" would be made up of all IP addresses the admin has (statically set in DHCP leases), be it desktop, laptop, smartphone, iPad, even remote VPN IPs.
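The seven points above, applied together to the interface names from the RB4011 export, as one consolidated RouterOS configuration. This is an added example and not code posted by anav or the original poster; it assumes RouterOS 7.x, that e01_VL and sfp_VLAN are trunks carrying VLANs 10 and 40, that e07_conf is an untagged access port on VLAN 40, that e06_WAN is the uplink, and that the admin hosts have the placeholder addresses 10.77.40.10 and 10.77.40.11 on VL40. The bridge VLAN table lists only real bridge ports plus the bridge itself (the bridge entry is what lets the router's own VL10 and VL40 interfaces send and receive); VL10 and VL40 are not ports. Both VLANs are placed in the LAN list, and guest access to the router is limited by the input chain (ICMP, DNS and NTP only) rather than by leaving VL10 out of the list. Two details of the original export are worth checking against this: the input rule that accepts connection-state=new on every interface, e06_WAN included, makes every router service reachable from the internet, and with allow-remote-requests=yes the DNS cache becomes an open resolver; and the VL10 anti-spoofing rule matches !10.60.10.0/24 while VL10 is addressed from 10.66.10.0/24, so it should be corrected if that rule is kept.

```routeros
# Added example: anav's recommendations consolidated for the RB4011 export.
# Not the thread's own config. Interface names are taken from the export;
# the Authorized addresses are placeholders.

/interface bridge
add name=bridgeVLAN vlan-filtering=yes

# Only real ports go on the bridge. Trunks admit tagged frames only; the
# config port is an untagged access port on VLAN 40.
/interface bridge port
add bridge=bridgeVLAN interface=e01_VL frame-types=admit-only-vlan-tagged
add bridge=bridgeVLAN interface=sfp_VLAN frame-types=admit-only-vlan-tagged
add bridge=bridgeVLAN interface=e07_conf pvid=40 frame-types=admit-only-untagged-and-priority-tagged

# Bridge VLAN table: bridge ports plus the bridge itself. The VL10/VL40
# interfaces are not listed here; they are not ports.
/interface bridge vlan
add bridge=bridgeVLAN vlan-ids=10 tagged=bridgeVLAN,e01_VL,sfp_VLAN
add bridge=bridgeVLAN vlan-ids=40 tagged=bridgeVLAN,e01_VL,sfp_VLAN untagged=e07_conf

/interface vlan
add interface=bridgeVLAN name=VL10 vlan-id=10
add interface=bridgeVLAN name=VL40 vlan-id=40

# Both VLANs are LAN; the guest VLAN is restricted in the input chain below.
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=e06_WAN
add list=LAN interface=VL10
add list=LAN interface=VL40

# Do not announce the router (MNDP/CDP/LLDP) on the WAN side.
/ip neighbor discovery-settings set discover-interface-list=LAN

/ip address
add address=10.66.10.1/24 interface=VL10
add address=10.77.40.1/24 interface=VL40

# Admin hosts that may reach the router's management services (placeholders).
/ip firewall address-list
add list=Authorized address=10.77.40.10 comment="admin desktop (placeholder)"
add list=Authorized address=10.77.40.11 comment="admin laptop (placeholder)"

/ip firewall filter
# input chain: safe defaults, then admin option 2 (precise access)
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=accept in-interface-list=LAN src-address-list=Authorized comment="admin access to router"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53,123 comment="LAN DNS and NTP - UDP"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53 comment="LAN DNS - TCP"
add chain=input action=drop comment="drop all else"
# forward chain: fasttrack established flows, then allow LAN->WAN only
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="allow internet traffic"
add chain=forward action=accept connection-nat-state=dstnat comment="allow port forwarding"
add chain=forward action=drop comment="drop all else"

# Single source-NAT rule covering every LAN subnet.
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN
```

The final "drop all else" in the forward chain is what blocks VLAN-to-VLAN traffic here, so the original in-interface=all-vlan / out-interface=all-vlan drop is not needed; any host-to-host exception between VL10 and VL40 would be an explicit accept placed before it.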

Hello anav
Thank you for your feedback and comments. I send the export as a file, it’s clearer.
(1) I will try
(2) I will remove
(3) The VLANs go to a switch where the ports are divided per VLAN
(4) VLAN10 is the guest VLAN and should therefore not have access to the router. Wrong reasoning?
(5) Only static IPs in VLAN40
(6) I will change
(7) Thanks for the inputs, I'll try. Do you know a good tutorial for the firewall? It is not so easy for me.
4011_20230716_2.rsc (21 KB)

Hello anav
I have implemented your suggestions. In the beginning the internet speed is normal. After a few hours, the internet speed becomes very slow. Attached are the current configuration and an excerpt from the firewall. The excerpt was taken 8 hours after the router was started. The count of the "passthrough" rule is very high. Is that normal?
I am grateful for every hint.
Thanks in advance
4011_20230725.rsc (17.2 KB)
Firewall.png
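The last post asks whether a high "passthrough" count is normal, and the thread gives no answer. As an added diagnostic checklist that is not part of the thread (assumed to be run from the RB4011's terminal on RouterOS 7.10.1, with the interface names from the export), these are the counters a practitioner would capture right after boot and again once the slowdown appears, so the two snapshots can be compared. The entry RouterOS shows as a dummy rule with action=passthrough at the top of the filter list counts packets handled by fasttrack; that count growing with traffic is the intended effect of the fasttrack rule and is not by itself a sign of a problem, which is why the other counters below are the ones to compare.

```routeros
# Added diagnostics (not from the thread). Run once shortly after boot and
# again when pages start loading slowly; compare the two outputs.

# 1. Filter counters. The dynamic rule with action=passthrough is the
#    fasttrack counter: packets listed there bypassed the rest of the chain.
/ip firewall filter print stats

# 2. Connection-tracking table: entries in use versus the configured maximum
#    and the TCP timeouts. A table that keeps growing over hours is worth noting.
/ip firewall connection tracking print
/ip firewall connection print count-only

# 3. CPU usage per process and overall resources (stop /tool profile with Q).
/tool profile
/system resource print

# 4. DNS settings and cache size; allow-remote-requests=yes is only safe if the
#    input chain drops DNS from the WAN side.
/ip dns print
/ip dns cache print count-only

# 5. Bridge host and VLAN tables: MACs should be learned on the expected
#    port and VLAN, and VLAN 10/40 entries should list only real ports
#    plus the bridge itself.
/interface bridge host print
/interface bridge vlan print

# 6. Uplink throughput and basic reachability from the router itself during a
#    slow page load, to separate a saturated link from a firewall or DNS issue.
/interface monitor-traffic e06_WAN once
/ping 8.8.8.8 count=5
```

If the connection count or CPU load is markedly higher in the second snapshot than in the first, that difference points at where to look next; if both are flat while the fasttrack counter keeps growing, the forwarding path itself is behaving as configured.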