Bad performance (slow) of RB2011UAS-2HnD

Hi All,

Recently I upgraded my network from 50/3 Mbps to 300/20 Mbps (just to increase upload performance). The issue is, I can observe a huge difference in speed.
I tried measuring directly connected to the ISP modem; I can measure ~300/20 Mbps, but once I connect behind my Mikrotik, speed is around 200/20 Mbps (!!!).
Topology is:
ISP << coax >> Modem (bridge) << CAT 6a >> RB2011 << CAT 6a >> LAN (/WLAN)
Eth1 is main (to ISP modem), Eth2+ are in bridge.
OS: 6.42.3 (stable)

I run only a few services on my Mikrotik, 4 firewall rules and one NAT (masquerade):

[xxx@MT2011] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; SSH
      chain=input action=drop protocol=tcp in-interface=ether1 dst-port=22 log=no log-prefix="" 
 1    ;;; HTTP
      chain=input action=drop protocol=tcp in-interface=ether1 dst-port=80 log=no log-prefix="" 
 2    ;;; DNS (TCP)
      chain=input action=drop protocol=tcp in-interface=ether1 dst-port=53 log=no log-prefix="" 
 3    ;;; DNS (UDP)
      chain=input action=drop protocol=udp in-interface=ether1 dst-port=53 log=no log-prefix="" 

 /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
0    chain=srcnat action=masquerade src-address=10.0.80.0/24 log=no log-prefix=""

//UPDATE: Once I turn off all firewall rules, the performance is the same! CPU is utilized to max 60 - 70 %.

Do you have any advice on how to increase performance over the LAN?
Or do I have to upgrade to something better?

Over WLAN I can measure ~30/20 Mbps, which is slow but it’s 2.4 GHz, so OK.

I think you need to activate fast track.

Thank you! I have applied the fast track rule and I can observe an increase to 280 - 290/20 Mbps!!! Which is OK :)

Thank you once again!

/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related

It can handle 500 Mbps in one direction at least.

Oh… so do you have any advice on how to increase bandwidth then?

Mangle rules are not working when you have fasttrack enabled, so… it is not a global solution.

Psycho, please post your configuration ( /export hide-sensitive ) for an adequate advice, instead of us guessing what could be the cause.

RB2011 should handle 890 Mbps TCP IPv4 traffic with fasttrack on: https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack

Edit:

Keep in mind though, that a 300 Mbit line speed can result in ~290 Mbps in a speed test because of TCP/IP overhead.

@Note, there is no mention of mangle rules in this case, you are just guessing (repeatedly).
Fasttrack is a fine solution with limitations outlined in the linked document (yes, including mangle rules).

Fasttrack is not an answer because mangle is not working.

280/290 looks good if you only have 300 service.

Hi All,

thank you very much for all the responses.
The thing is, I tried multiple “speed measure” tools with these results (measured 3x, average values):
p2p (over torrent): 290 Mbps (down)
bandwidthplace.com: 249 / 20 Mbps
speedof.me: 268 / 22 Mbps
openspeedtest.com 263 / 5.1 Mbps
meter.net 286 / 20 Mbps
speedtest.telstra.com 278 / 3 Mbps
fast.com 500 / 18 Mbps (LOL)
speedtest.net 252 / 19 Mbps

So I assume everything is OK now and the lower speed using online tools is caused by their imperfection (I guess?).

Configuration can be found here https://pastebin.com/XBvkH19H.
What I wonder is whether using OpenDNS may cause the slower speed?

You have some orphaned VLANs on the bridge, but what is worse: no adequate firewalling (accepting all but HTTP, SSH and DNS to the router and the internal network).

Better take a look at the firewall from the default configuration; it contains firewall-list-based protection and srcnat, allows dstnat (port forwarding) and enables fasttrack with the correct IPsec exemptions.

From /system default-configuration print:

/ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"
/ip firewall {
  filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
  filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
  filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
  filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
  filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
  filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
  filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
  filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
  filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
  filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf:  drop all from WAN not DSTNATed"
}
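The fasttrack advice earlier in the thread and the defconf baseline just quoted can be checked mechanically against a `/ip firewall filter print` dump like the one the original poster shared. The following is an added example, not code from the thread or from MikroTik: the sample dumps are constructed from the rules shown above, the parser only understands the key=value layout of `print`/`export` output, and the audit reports which defconf protections are missing and whether the fasttrack rule is placed where it can match (it must precede the accept rule, since the first terminating match wins).

```python
import re

# Constructed sample in the "/ip firewall filter print" format quoted in this thread: the
# original poster's input drops plus the fasttrack rule added after the first reply.
OP_PRINT = """\
 0    ;;; SSH
      chain=input action=drop protocol=tcp in-interface=ether1 dst-port=22 log=no log-prefix=""
 1    chain=input action=drop protocol=udp in-interface=ether1 dst-port=53 log=no log-prefix=""
 2    chain=forward action=fasttrack-connection connection-state=established,related
"""
# The rules of the defconf baseline quoted above that this audit checks (export syntax parses too).
DEFCONF = """\
filter add chain=input action=drop connection-state=invalid
filter add chain=input action=drop in-interface-list=!LAN
filter add chain=forward action=fasttrack-connection connection-state=established,related
filter add chain=forward action=accept connection-state=established,related,untracked
filter add chain=forward action=drop connection-state=invalid
filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
"""
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

def parse_rules(text):
    """One dict per rule line; header and ;;; comment lines are skipped (disabled X rules are not distinguished)."""
    return [{k: v.strip('"') for k, v in KV_RE.findall(line)}
            for line in text.splitlines() if "chain=" in line]
def find(rules, chain, **want):
    """Index of the first rule in `chain` matching every key=value in `want` ('_' stands for '-'), else None."""
    want = {k.replace("_", "-"): v for k, v in want.items()}
    for i, r in enumerate(rules):
        if r.get("chain") == chain and all(r.get(k) == v for k, v in want.items()):
            return i
    return None
def audit(rules):
    """Gaps relative to the defconf baseline; an empty list means the baseline is covered."""
    f = []
    ft = find(rules, "forward", action="fasttrack-connection")
    acc = find(rules, "forward", action="accept", connection_state="established,related,untracked")
    if ft is None:
        f.append("forward: no fasttrack-connection rule (the throughput problem in this thread)")
    elif acc is not None and acc < ft:  # first match wins, so fasttrack must precede the accept
        f.append("forward: fasttrack-connection sits after the accept rule, so it never matches")
    for chain in ("forward", "input"):
        if find(rules, chain, action="drop", connection_state="invalid") is None:
            f.append(f"{chain}: no drop of invalid connections")
    if find(rules, "forward", action="drop", connection_state="new", in_interface_list="WAN") is None:
        f.append("forward: nothing drops new connections arriving from WAN")
    if not any(r.get("chain") == "input" and r.get("action") == "drop"
               and "dst-port" not in r and "protocol" not in r for r in rules):
        f.append("input: no catch-all drop, so any service not blocked by name is reachable from WAN")
    return f
```

Running `audit(parse_rules(OP_PRINT))` lists the four gaps the reply above points out, while the defconf sample comes back clean.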

Hi,

thank you very much for your outputs!
I tried to remove as many firewall rules as possible to help the CPU.

But after I applied the default FW rules, I can measure 300/20 Mbps (and a bit more).

Thank you very much!