After few minutes PPPOE Client downstream speed cut in half

My contract with my ISP is for a symmetrical 100 Mbps connection.

For some unknown reason, my ISP has possibly made changes to their BRAS/PPPoE server, which results in my PPPoE client's downstream speed being cut in half (only ~40 Mbps) after several minutes of being connected to the BRAS. I haven't made any changes at all to my MikroTik or Windows configuration, so the symptom points to my ISP, but they claim that they don't do any QoS.

What I have found out:

  • The speed is cut in half after several minutes connected to the BRAS; this symptom only happens with ROS 6.46.2 and ROS 6.47beta19
  • The config remained unchanged before and after the BRAS changes
  • The exact same configuration works fine, without any downstream bandwidth cut, in ROS 6.44.6 - Long Term
  • My MikroTik configuration is really minimal, without any internal QoS at all.
  • The downstream speed cut happens after several minutes (varies between 15-45 minutes).

Here is the configuration :

# jan/23/2020 11:22:00 by RouterOS 6.46.2
# model = RB4011iGS+
# Physical port settings, the PPPoE WAN client, switch-port VLAN ids and the
# default wireless security profile.
/interface ethernet
# SFP+ port renamed "NAS": fixed 10G full duplex, jumbo frames (MTU 9014),
# flow control enabled in both directions.
set [ find default-name=sfp-sfpplus1 ] advertise=10000M-full \
    auto-negotiation=no l2mtu=9014 mtu=9014 name=NAS rx-flow-control=on \
    tx-flow-control=on
set [ find default-name=ether1 ] auto-negotiation=no
set [ find default-name=ether2 ] advertise=1000M-full auto-negotiation=no
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
# ether10 is the uplink used by the PPPoE client below.
# NOTE(review): auto-negotiation is off here, so speed/duplex are forced on
# this side; confirm the ISP modem port is configured to match.
set [ find default-name=ether10 ] auto-negotiation=no
/interface pppoe-client
# WAN session "Biznet" on ether10. It installs the default route and accepts
# the DNS servers handed out by the ISP (use-peer-dns=yes).
# The user/password values look like placeholders substituted before posting
# (TODO confirm); an unredacted export would carry the real PPPoE credentials.
add add-default-route=yes disabled=no interface=ether10 name=Biznet password=\
    password use-peer-dns=yes user=username
/interface ethernet switch port
# Switch ports 0-11 all get default VLAN id 0.
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface wireless security-profiles
# Only the supplicant identity of the default profile is set.
set [ find default=yes ] supplicant-identity=MikroTik
# DHCP address pools and one DHCP server per LAN segment.
/ip pool
# Each pool covers .2-.254 of its /24; .1 is the router address on that segment.
add name=dhcp_hotspot ranges=10.8.8.2-10.8.8.254
add name=dhcp_monster ranges=10.9.9.2-10.9.9.254
add name=dhcp_nas ranges=10.10.10.2-10.10.10.254
add name=dhcp_guest ranges=10.7.7.2-10.7.7.254
/ip dhcp-server
# Servers: Hotspot on ether1, Monster on ether2, NAS on the SFP+ port, Guest on
# ether3. add-arp=yes creates an ARP entry for each lease.
# NOTE(review): the segments are named like separate trust zones (Hotspot,
# Guest), but the filter rules in this export contain no drop rule, so nothing
# shown here keeps them apart.
add add-arp=yes address-pool=dhcp_hotspot always-broadcast=yes disabled=no \
    interface=ether1 name=Hotspot
add add-arp=yes address-pool=dhcp_monster always-broadcast=yes disabled=no \
    interface=ether2 name=Monster
add add-arp=yes address-pool=dhcp_nas always-broadcast=yes disabled=no \
    interface=NAS name=NAS
add add-arp=yes address-pool=dhcp_guest always-broadcast=yes disabled=no \
    interface=ether3 name=Guest
# Remote logging target plus a few global forwarding/stack settings.
/system logging action
# Logging action "monster" ships log entries to a remote syslog receiver.
# NOTE(review): 10.9.9.254 lies inside the dhcp_monster pool range
# (10.9.9.2-10.9.9.254) and no static lease is visible in this export, so the
# address could be handed to a different host; a reserved address outside the
# pool avoids logs going to the wrong machine.
add name=monster remote=10.9.9.254 target=remote
/interface bridge settings
# Bridge fast path is turned off.
set allow-fast-path=no
/ip firewall connection tracking
# Connection tracking is forced on; the connection-state matchers in the
# filter rules depend on it.
set enabled=yes
/ip settings
# TCP SYN cookies enabled for the router's own TCP stack.
set tcp-syncookies=yes
# Router addresses, the options handed to DHCP clients, and the DNS resolver.
/ip address
# The router is .1 on each of the four LAN subnets.
add address=10.8.8.1/24 interface=ether1 network=10.8.8.0
add address=10.9.9.1/24 interface=ether2 network=10.9.9.0
add address=10.10.10.1/24 interface=NAS network=10.10.10.0
add address=10.7.7.1/24 interface=ether3 network=10.7.7.0
/ip dhcp-server network
# Clients on every segment are told to use the router as gateway and as DNS
# server, which is why the resolver below must accept remote requests.
add address=10.7.7.0/24 dns-server=10.7.7.1 gateway=10.7.7.1
add address=10.8.8.0/24 dns-server=10.8.8.1 gateway=10.8.8.1
add address=10.9.9.0/24 dns-server=10.9.9.1 gateway=10.9.9.1
add address=10.10.10.0/24 dns-server=10.10.10.1 gateway=10.10.10.1
/ip dns
# allow-remote-requests=yes is not bound to an interface: the resolver answers
# queries arriving on any interface, including the PPPoE link "Biznet".
# NOTE(review): this export has no input-chain filter rule, so the resolver is
# reachable from the Internet and can be abused as an open resolver. Keep the
# setting for the LANs, but drop UDP and TCP port 53 arriving on Biznet in the
# input chain. The very high query/session limits raise how much such abuse
# can consume.
set allow-remote-requests=yes cache-size=4096KiB max-concurrent-queries=10000 \
    max-concurrent-tcp-sessions=20000 servers=8.8.8.8,8.8.4.4
# Complete filter table of this export: two forward-chain rules, both matching
# only established/related connections. The first fasttracks them, the second
# accepts them.
# NOTE(review): there is no input-chain rule and no drop rule anywhere. A
# packet that matches no rule is accepted, so new connections to the router
# itself and through it are allowed from every interface, including Biznet.
# A minimal baseline is: input - accept established/related, drop invalid,
# accept from the LAN interfaces, drop the rest; forward - drop invalid and
# drop new connections arriving on Biznet that were not dst-nat'ed.
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward connection-state=established,related
# MSS/TTL experiments. Every rule below carries disabled=yes, so none of them
# touches traffic in this configuration.
/ip firewall mangle
# Send forwarded TCP SYN packets to the custom "mss" chain.
add action=jump chain=forward comment="tcp mss" disabled=yes jump-target=mss \
    protocol=tcp tcp-flags=syn
# Rewrite the MSS to 1440 when the advertised value is outside 536-1460.
add action=change-mss chain=mss comment="tcp  mss fixation" disabled=yes \
    new-mss=1440 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!536-1460
# Rewrite the MSS to 1440 when the advertised value is 1453 or larger.
add action=change-mss chain=mss comment="tcp  mss 1440 for mtu 1492" \
    disabled=yes new-mss=1440 passthrough=yes protocol=tcp tcp-flags=syn \
    tcp-mss=1453-65535
# Clamp the MSS to the path MTU.
add action=change-mss chain=mss comment="TCP mss clamp-to-pmtu" disabled=yes \
    new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
# Set TTL to 65 in prerouting; the rule has no protocol matcher, so despite
# its comment it would apply to all packets, not only TCP.
add action=change-ttl chain=prerouting comment="TCP  mss ttl fix" disabled=\
    yes new-ttl=set:65 passthrough=yes
# Rewrite the MSS to 1436 on SYNs leaving via Biznet whose MSS is above 1436.
add action=change-mss chain=postrouting disabled=yes new-mss=1436 \
    out-interface=Biznet passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=\
    !0-1436
# Source NAT for the LAN subnets and two disabled static routes.
/ip firewall nat
# One masquerade rule per source subnet for traffic leaving via Biznet.
# 10.9.9.0/24 appears twice (first and third rule); the third never matches
# because the first already handles that subnet, so it is redundant.
# No dst-nat rule is configured here; UPnP, enabled elsewhere in this export,
# can still add dynamic port mappings.
add action=masquerade chain=srcnat out-interface=Biznet src-address=\
    10.9.9.0/24
add action=masquerade chain=srcnat out-interface=Biznet src-address=\
    10.8.8.0/24
add action=masquerade chain=srcnat out-interface=Biznet src-address=\
    10.9.9.0/24
add action=masquerade chain=srcnat out-interface=Biznet src-address=\
    10.10.10.0/24
add action=masquerade chain=srcnat out-interface=Biznet src-address=\
    10.7.7.0/24
/ip route
# Both routes are disabled: alternative paths to the NAS subnet via ether1 and
# ether2 with ping-based gateway checking.
add check-gateway=ping comment=NAS disabled=yes distance=1 dst-address=\
    10.10.10.0/24 gateway=ether1
add check-gateway=ping comment=NAS disabled=yes distance=1 dst-address=\
    10.10.10.0/24 gateway=ether2
# Management services, SSH server options and UPnP.
/ip service
# telnet, ftp, www, ssh, api and api-ssl are switched off.
# NOTE(review): winbox is not listed, and a compact export prints only
# non-default values, so it is presumably still enabled - TODO confirm. With
# no input-chain filter in this export it would be reachable from Biznet;
# restrict it with an input rule or the service's address= allow-list.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
# allow-none-crypto=yes lets the SSH server accept sessions negotiated with no
# encryption; forwarding-enabled=remote permits remote port forwarding.
# The ssh service is disabled above, so these only take effect if it is
# re-enabled. NOTE(review): set allow-none-crypto=no before that happens.
set allow-none-crypto=yes forwarding-enabled=remote
/ip upnp
# UPnP is on: a host on an "internal" interface can ask the router to open
# inbound port mappings on the "external" one without authentication.
set enabled=yes
/ip upnp interfaces
# Internal: ether1 (the Hotspot segment), NAS and ether2. External: Biznet.
# NOTE(review): consider limiting UPnP to the segments that need it; ether1
# serves the Hotspot DHCP range.
add interface=ether1 type=internal
add interface=Biznet type=external
add interface=NAS type=internal
add interface=ether2 type=internal
# Time zone, router identity, logging rules and NTP client.
/system clock
set time-zone-name=Asia/Jakarta
/system identity
set name=Sentinel
/system logging
# No action= is given on the first two rules, so they use the default action.
add topics=pppoe
add topics=debug
# The remaining rules send six topics to the remote "monster" action.
# NOTE(review): debug and pppoe are verbose topics; check what they expose
# before shipping them off-box, since plain remote syslog is not encrypted.
add action=monster topics=critical
add action=monster topics=debug
add action=monster topics=error
add action=monster topics=info
add action=monster topics=pppoe
add action=monster topics=warning
/system ntp client
# Two NTP servers addressed by IP.
set enabled=yes primary-ntp=211.233.40.78 secondary-ntp=202.156.0.34

What have I done wrong?

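Are you sure you aren’t just being hammered by unsolicited traffic, for example your router being abused for DNS amplification attacks?
Your firewall protection is non-existent: there is not a single input-chain rule, while /ip dns has allow-remote-requests=yes, so the router answers DNS queries arriving on the PPPoE interface.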
I would suggest you start from scratch with the default configuration and customise (with sanity checks) from there.

@sid5632

Yes, I have already monitored the incoming traffic and it is normal; nothing is out of the ordinary other than my speedtest.

The problem is consistent: after 30-40 minutes connected to the BRAS, the downstream connection is limited to ~40 Mbps.

I have taken the time to redo it from scratch, but the problem remains.

# model = RB4011iGS+

# Rebuilt configuration: PPPoE WAN client, switch-port VLAN ids and the default
# wireless security profile. There is no /interface ethernet section in this
# export, so the port settings are presumably back at their defaults - TODO
# confirm.
/interface pppoe-client
# WAN session "Biznet" on ether10; installs the default route and accepts the
# ISP-supplied DNS servers (use-peer-dns=yes).
# The user/password values look like placeholders substituted before posting
# (TODO confirm); an unredacted export would carry the real PPPoE credentials.
add add-default-route=yes disabled=no interface=ether10 name=Biznet password=\
    password use-peer-dns=yes user=username
/interface ethernet switch port
# Switch ports 0-11 all get default VLAN id 0.
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface wireless security-profiles
# Only the supplicant identity of the default profile is set.
set [ find default=yes ] supplicant-identity=MikroTik
# Address pools, DHCP servers, router addresses and DHCP options for the three
# remaining LAN segments (the NAS segment of the earlier export is gone).
/ip pool
# Each pool covers .2-.254 of its /24; .1 is the router address.
add name=dhcp_hotspot ranges=10.8.8.2-10.8.8.254
add name=dhcp_monster ranges=10.9.9.2-10.9.9.254
add name=dhcp_guest ranges=10.7.7.2-10.7.7.254
/ip dhcp-server
# Hotspot on ether1, Monster on ether2, Guest on ether3; add-arp=yes creates an
# ARP entry for each lease.
add add-arp=yes address-pool=dhcp_hotspot disabled=no interface=ether1 name=\
    Hotspot
add add-arp=yes address-pool=dhcp_monster disabled=no interface=ether2 name=\
    Monster
add add-arp=yes address-pool=dhcp_guest disabled=no interface=ether3 name=\
    Guest
/ip address
add address=10.8.8.1/24 interface=ether1 network=10.8.8.0
add address=10.9.9.1/24 interface=ether2 network=10.9.9.0
add address=10.7.7.1/24 interface=ether3 network=10.7.7.0
/ip dhcp-server network
# Clients use the router as both gateway and DNS server.
add address=10.7.7.0/24 dns-server=10.7.7.1 gateway=10.7.7.1
add address=10.8.8.0/24 dns-server=10.8.8.1 gateway=10.8.8.1
add address=10.9.9.0/24 dns-server=10.9.9.1 gateway=10.9.9.1
# DNS resolver settings and the allow-list used by the DNS_DDoS filter chain.
/ip dns
# allow-remote-requests=yes makes the resolver answer queries on every
# interface, including Biznet; exposure to the Internet therefore depends
# entirely on the input-chain filter rules.
set allow-remote-requests=yes cache-size=9086KiB max-concurrent-queries=10000 \
    max-concurrent-tcp-sessions=20000 servers=8.8.8.8,8.8.4.4
/ip firewall address-list
# DNS_Accept: addresses whose UDP port-53 traffic the DNS_DDoS chain accepts.
# The first three entries are the configured LAN subnets. 172.16.0.0/12 and
# 192.168.0.0/16 are not assigned to any interface in this export.
# NOTE(review): a source-address allow-list cannot authenticate UDP senders,
# because the source address of a UDP packet can be forged. Matching on the
# LAN in-interface is the more reliable way to say "from my own networks".
add address=10.7.7.0/24 list=DNS_Accept
add address=10.8.8.0/24 list=DNS_Accept
add address=10.9.9.0/24 list=DNS_Accept
add address=172.16.0.0/12 list=DNS_Accept
add address=192.168.0.0/16 list=DNS_Accept
# Public resolver addresses. NOTE(review): the PPPoE client uses
# use-peer-dns=yes, so the ISP may hand out servers that are not in this list -
# verify, because replies from unlisted servers are not accepted by the chain.
add address=8.8.8.8 comment="Add DNS Server to this List" list=DNS_Accept
add address=8.8.4.4 comment="Add DNS Server to this List" list=DNS_Accept
add address=4.2.2.1 comment="Add DNS Server to this List" list=DNS_Accept
add address=4.2.2.2 comment="Add DNS Server to this List" list=DNS_Accept
add address=203.142.82.222 comment="Add DNS Server to this List" list=\
    DNS_Accept
add address=203.142.84.222 comment="Add DNS Server to this List" list=\
    DNS_Accept
# Filter table of the rebuilt configuration: the two forward rules from before
# plus a custom DNS_DDoS chain entered from the input chain.
# NOTE(review): this restricts UDP port 53 only. TCP port 53, the management
# services and every other packet to the router still fall through to the
# default accept, and the forward chain still has no drop rule. A baseline of
# "accept established/related, drop invalid, accept from LAN interfaces, drop
# everything else" on input would cover DNS and the rest in one place.
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward connection-state=established,related
# Every packet addressed to the router enters DNS_DDoS; the jump has no
# protocol or interface matcher.
add action=jump chain=input comment="Jump to DNS_DDoS Chain" jump-target=\
    DNS_DDoS
# Accept UDP with source OR destination port 53 (port= matches either side)
# when the source address is in DNS_Accept.
add action=accept chain=DNS_DDoS comment="Make exceptions for DNS" port=53 \
    protocol=udp src-address-list=DNS_Accept
# Same for packets whose destination address is in DNS_Accept; on the input
# chain that means packets sent to the router's own LAN addresses.
add action=accept chain=DNS_DDoS comment="Make exceptions for DNS" \
    dst-address-list=DNS_Accept port=53 protocol=udp
# Any other UDP port-53 packet puts its source address into the DNS_DDoS list.
# none-dynamic means the entry has no timeout and stays until reboot.
# NOTE(review): UDP source addresses can be forged, so the list is not proof
# of who sent the traffic and legitimate addresses can end up blocked with no
# expiry. Because port=53 also matches the source port, replies from a
# resolver missing from DNS_Accept are listed too. A plain drop of port 53 on
# the Biznet in-interface avoids both side effects.
add action=add-src-to-address-list address-list=DNS_DDoS \
    address-list-timeout=none-dynamic chain=DNS_DDoS comment=\
    "Add DNS_DDoS Offenders to Blacklist" port=53 protocol=udp \
    src-address-list=!DNS_Accept
# Drops all input traffic, not just DNS, from listed sources: the rule has no
# protocol or port matcher.
add action=drop chain=DNS_DDoS comment="Drop DNS_DDoS Offenders" \
    src-address-list=DNS_DDoS
# Everything else returns to the input chain, where no further rule exists.
add action=return chain=DNS_DDoS comment="Return from DNS_DDoS Chain"
# Source NAT: one masquerade rule per source subnet for traffic leaving via
# Biznet.
# 10.9.9.0/24 appears twice (first and third rule); the third is redundant.
# 10.10.10.0/24 is still masqueraded although this export no longer assigns
# that subnet to any interface.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=Biznet src-address=\
    10.9.9.0/24
add action=masquerade chain=srcnat out-interface=Biznet src-address=\
    10.8.8.0/24
add action=masquerade chain=srcnat out-interface=Biznet src-address=\
    10.9.9.0/24
add action=masquerade chain=srcnat out-interface=Biznet src-address=\
    10.10.10.0/24
add action=masquerade chain=srcnat out-interface=Biznet src-address=\
    10.7.7.0/24
# Management services and UPnP interface roles.
/ip service
# telnet, ftp, ssh, api and api-ssl are switched off.
# NOTE(review): unlike the earlier export there is no "set www disabled=yes",
# and winbox is not listed either, so both are presumably enabled - TODO
# confirm. The input chain only filters UDP port 53, so these services would
# be reachable from Biznet; disable them or restrict them to LAN sources.
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp interfaces
# Biznet is the external side; ether1, ether2 and ether3 (the Guest segment)
# are internal.
# NOTE(review): this export has no "/ip upnp set enabled=yes" line, so UPnP is
# presumably off - TODO confirm. If it is turned on, hosts on all three
# segments, Guest included, could request inbound port mappings.
add interface=Biznet type=external
add interface=ether1 type=internal
add interface=ether2 type=internal
add interface=ether3 type=internal
# Time zone, router identity and two extra logging rules.
/system clock
set time-zone-name=Asia/Jakarta
/system identity
set name=Sentinel
/system logging
# pppoe and debug topics use the default action, since no action= is given;
# this export defines no remote logging action.
add topics=pppoe
add topics=debug

What I have tried:

  • Accessing from another PC, and getting the same limited 40 Mbps downstream
  • Changing the cable connected to the ISP modem; same result.
  • Turning off Windows packet auto-tuning on the Windows 10 client; same result.

I also found that bypassing the router and dialing directly through the modem from a desktop gives the same result; hopefully my ISP will be able to pinpoint and fix the problem.