Can PPPoE be improved with the RB5009, or is that it?

Since recently I am on FTTH, 2.5Gbps symmetrical. Unfortunately with PPPoE.

Using the ISP modem/wifi combo box (Huawei stuff), I can easily reach 2.3Gbps.

Removing the ISP modem and using the RB5009, upload barely reaches 270-390 Mbps, with not much CPU load.

Is that it? Is the Huawei more capable than the MikroTik RB5009?

WAN is the SFP+ port and the VLANs are on ether1.

I started with a Netinstall of 7.22.1 including firmware, and built manually on that. No fix applied to ether1 to solve the 2.5Gbps issue.

Any suggestions? I would hate to get rid of the RB5009, but I am slowly thinking of going all the way to other brands.

# 2026-04-18 19:43:10 by RouterOS 7.22.1
# model = RB5009UPr+S+
# serial number =
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=CCTV vlan-id=40
add interface=bridge1 name=Guest vlan-id=60
add interface=bridge1 name=IPTV vlan-id=50
add interface=bridge1 name=Internal vlan-id=10
add interface=bridge1 name=IoT vlan-id=20
add interface=bridge1 name=Management vlan-id=80
add interface=bridge1 name=SNLLR vlan-id=6
add interface=bridge1 name=Work vlan-id=30
/interface list
add name=WAN
add name=VLAN
add name=TRUSTED
/ip pool
add name=Internal ranges=192.168.10.100-192.168.10.200
add name=IoT ranges=192.168.20.100-192.168.20.200
add name=Work ranges=192.168.30.100-192.168.30.200
add name=CCTV ranges=192.168.40.100-192.168.40.200
add name=IPTV ranges=192.168.50.100-192.168.50.200
add name=Guest ranges=192.168.60.100-192.168.60.200
add name=Management ranges=192.168.80.100-192.168.80.200
/ip dhcp-server
add address-pool=Internal interface=Internal lease-time=3d name=Internal
add address-pool=IoT interface=IoT lease-time=3d name=IoT
add address-pool=Work interface=Work lease-time=3d name=Work
add address-pool=CCTV interface=CCTV lease-time=3d name=CCTV
add address-pool=IPTV interface=IPTV lease-time=3d name=IPTV
add address-pool=Guest interface=Guest lease-time=3d name=Guest
add address-pool=Management interface=Management lease-time=3d name=\
    Management
/interface pppoe-client
add add-default-route=yes disabled=no interface=SNLLR keepalive-timeout=30 \
    name=SNLLLR_pppoe password=trined profile=default-encryption \
    use-peer-dns=yes user=trined@trined.nl
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1 \
    pvid=6
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1,ether1 vlan-ids=\
    6,10,20,30,40,50,60,80
/interface list member
add interface=Internal list=VLAN
add interface=IoT list=VLAN
add interface=Work list=VLAN
add interface=CCTV list=VLAN
add interface=IPTV list=VLAN
add interface=Guest list=VLAN
add interface=Management list=VLAN
add interface=Internal list=TRUSTED
add interface=Management list=TRUSTED
add interface=ether7 list=TRUSTED
add interface=SNLLLR_pppoe list=WAN
/ip address
add address=192.168.10.1/24 interface=Internal network=192.168.10.0
add address=192.168.20.1/24 interface=IoT network=192.168.20.0
add address=192.168.30.1/24 interface=Work network=192.168.30.0
add address=192.168.40.1/24 interface=CCTV network=192.168.40.0
add address=192.168.50.1/24 interface=IPTV network=192.168.50.0
add address=192.168.60.1/24 interface=Guest network=192.168.60.0
add address=192.168.80.1/24 interface=Management network=192.168.80.0
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.40.1 gateway=192.168.40.1
add address=192.168.50.0/24 dns-server=192.168.50.1 gateway=192.168.50.1
add address=192.168.60.0/24 dns-server=192.168.60.1 gateway=192.168.60.1
add address=192.168.80.0/24 dns-server=192.168.80.1 gateway=192.168.80.1
/ip dns
set allow-remote-requests=yes cache-size=150000KiB
/ip dns adlist
add ssl-verify=no url="https://cdn.jsdelivr.net/gh/tarampampam/mikrotik-hosts-\
parser@master/.hosts/basic.txt"
add ssl-verify=no url="https://raw.githubusercontent.com/What-Zit-Tooya/Ad-Blo\
ck/main/Main-Blocklist/Ad-Block-HOSTS.txt"
add ssl-verify=no url="https://justdomains.github.io/blocklists/lists/easypriv\
acy-justdomains.txt"
add ssl-verify=no url=
https://justdomains.github.io/blocklists/lists/easylist-justdomains.txt
add ssl-verify=no url=
https://justdomains.github.io/blocklists/lists/nocoin-justdomains.txt
add ssl-verify=no url=https://adaway.org/hosts.txt
add ssl-verify=no url="https://raw.githubusercontent.com/hagezi/dns-blocklists\
/main/hosts/native.winoffice.txt"
add ssl-verify=no url="https://raw.githubusercontent.com/crazy-max/WindowsSpyB\
locker/master/data/hosts/spy.txt"
add ssl-verify=no url="https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@lates\
t/hosts/ultimate.txt"
add ssl-verify=no url=
https://justdomains.github.io/blocklists/lists/adguarddns-justdomains.txt
add ssl-verify=no url=
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
add ssl-verify=no url="https://raw.githubusercontent.com/r0xd4n3t/pihole-adblo\
ck-lists/main/pihole_adlists.txt"
/ip dns static
add address=192.168.10.1 name=mylocal.ntp.server type=A
/ip firewall address-list
add address=192.168.40.0/24 list=Common-Destination
add address=192.168.10.8 list=Printers
add address=192.168.10.0/24 list=to_CCTV
add address=192.168.10.1 list=DNS_Servers
add address=192.168.20.1 list=DNS_Servers
add address=192.168.30.1 list=DNS_Servers
add address=192.168.40.1 list=DNS_Servers
add address=192.168.50.1 list=DNS_Servers
add address=192.168.60.1 list=DNS_Servers
add address=192.168.80.0/24 list=Authorized
add address=192.168.80.1 list=DNS_Servers
add address=192.168.10.0/24 list=Authorized
add address=192.168.80.0/24 list=to_CCTV
/ip firewall filter
add action=accept chain=input comment="Allow established, related, untracked" 
connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept icmp" in-interface-list=TRUSTED 
protocol=icmp src-address-list=""
add action=accept chain=input comment="admin access" in-interface-list=
TRUSTED src-address-list=Authorized
add action=accept chain=input comment="accept internal dns requests" 
dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="accept internal dns requests" 
dst-port=53 in-interface-list=VLAN protocol=udp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment=fasttrack 
connection-mark=no-mark connection-state=established,related
add action=accept chain=forward comment=
"Allow established, related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="Internal LAN to CCTV" 
dst-address-list=Common-Destination src-address-list=to_CCTV
add action=accept chain=forward comment="Work Devices to Printer" 
dst-address-list=Printers in-interface=Work
add action=accept chain=forward comment="internet traffic but CCTV" 
in-interface=!CCTV in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="drop all from WAN not DSTNATed" 
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=dst-nat chain=dstnat dst-address-list=!DNS_Servers dst-port=53 
protocol=udp src-address-list=!DNS_Servers to-addresses=192.168.10.1
add action=dst-nat chain=dstnat dst-address-list=!DNS_Servers dst-port=53 
protocol=tcp src-address-list=!DNS_Servers to-addresses=192.168.10.1
add action=masquerade chain=srcnat out-interface-list=WAN
/ip service
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
set reverse-proxy disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip service webserver
set acme-plain=no crl-plain=no graphs-plain=no graphs-secure=no index-plain=
no index-secure=no rest-plain=no rest-secure=no scep-plain=no 
webfig-plain=no webfig-secure=no
/ipv6 dhcp-client
add custom-iana-id=0 custom-iapd-id=0 default-route-tables=main interface=
SNLLLR_pppoe pool-name=ipv6_pool pool-prefix-length=64 request=prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" 
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=
"defconf: accept DHCPv6-Client prefix delegation" dst-port=546 protocol=
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=input comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=
"defconf: drop everything else not coming from VLAN" in-interface-list=
!VLAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" 
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" 
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" 
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=forward comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=
"defconf: drop everything else not coming from VLAN" in-interface-list=
!VLAN
/ipv6 nd
set [ find default=yes ] disabled=yes hop-limit=64 \
    managed-address-configuration=yes other-configuration=yes ra-preference=\
    low reachable-time=5m
add advertise-dns=yes interface=Internal other-configuration=yes 
ra-preference=high reachable-time=5m
add advertise-dns=yes interface=Work other-configuration=yes ra-preference=
high reachable-time=5m
add advertise-dns=yes interface=IoT other-configuration=yes ra-preference=
high reachable-time=5m
add advertise-dns=yes interface=IPTV other-configuration=yes ra-preference=
high reachable-time=5m
add advertise-dns=yes interface=Guest other-configuration=yes ra-preference=
high reachable-time=5m
add advertise-dns=yes interface=SNLLLR_pppoe ra-lifetime=none ra-preference=
low reachable-time=5m
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=SNLLR
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=0.nl.pool.ntp.org
add address=1.nl.pool.ntp.org
add address=2.nl.pool.ntp.org
add address=3.nl.pool.ntp.org
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
/tool romon
set enabled=yes

Observations:

  1. The main issue seems to be how you handled the PPPoE connection.

a. Why is it attached to the bridge at all?
b. Why do you have it set up like an access port (the VLAN required by the provider is 6, and yet you have it untagged)?

Just very confusing.
TRY> removing ether1 from the bridge altogether. Keep the VLAN as is and the PPPoE setting as is.
Should work fine.

PS: don't forget to remove sfpplus1 from the /interface bridge vlan settings as well.

++++++++++++++++++++++++++++++++++++++++++

Very confusing when looking at the /interface bridge vlan settings.
Why are you sending all the VLANs back to the PPPoE modem?
Is there a switch in between, i.e.
modem device to managed switch, one port on the managed switch goes to the 5009 router, and the rest of the managed switch sends the VLANs to where they need to go?

Methinks a network diagram is needed.

1.a. might not be the right answer; I have always done it like that. Is it plainly wrong to have the WAN as a VLAN inside a bridge? How is router-on-a-stick done then? I am curious.
1.b. I thought that a trunk port can also have only one VLAN defined. If it were an access port, should it have been set to admit only untagged?

But let me digest 1.a and 1.b further.

I will test the suggested ether1 and sfpplus1 changes and see what happens.

Yeah, it should not be needed to send all VLANs to the PPPoE side. I can easily correct that.

There is no switch between the RB5009 and the FTU; the ISP modem has already been packed and will not be used for the remainder of the contract with this ISP.

Some changes applied by removing the WAN from the VLAN bridge: download is not too bad for a 13-year-old PC, 1.7Gbps; upload is the same, 300Mbps, with CPUs averaging 4-5%.

# 2026-04-18 21:14:38 by RouterOS 7.22.1
# software id =
#
# model = RB5009UPr+S+
# serial number =
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=CCTV vlan-id=40
add interface=bridge1 name=Guest vlan-id=60
add interface=bridge1 name=IPTV vlan-id=50
add interface=bridge1 name=Internal vlan-id=10
add interface=bridge1 name=IoT vlan-id=20
add interface=bridge1 name=Management vlan-id=80
add interface=sfp-sfpplus1 name=SNLLR vlan-id=6
add interface=bridge1 name=Work vlan-id=30
/interface list
add name=WAN
add name=VLAN
add name=TRUSTED
/ip pool
add name=Internal ranges=192.168.10.100-192.168.10.200
add name=IoT ranges=192.168.20.100-192.168.20.200
add name=Work ranges=192.168.30.100-192.168.30.200
add name=CCTV ranges=192.168.40.100-192.168.40.200
add name=IPTV ranges=192.168.50.100-192.168.50.200
add name=Guest ranges=192.168.60.100-192.168.60.200
add name=Management ranges=192.168.80.100-192.168.80.200
/ip dhcp-server
add address-pool=Internal interface=Internal lease-time=3d name=Internal
add address-pool=IoT interface=IoT lease-time=3d name=IoT
add address-pool=Work interface=Work lease-time=3d name=Work
add address-pool=CCTV interface=CCTV lease-time=3d name=CCTV
add address-pool=IPTV interface=IPTV lease-time=3d name=IPTV
add address-pool=Guest interface=Guest lease-time=3d name=Guest
add address-pool=Management interface=Management lease-time=3d name=\
    Management
/interface pppoe-client
add add-default-route=yes disabled=no interface=SNLLR keepalive-timeout=30 \
    name=SNLLLR_pppoe password=trined profile=default-encryption \
    use-peer-dns=yes user=trined@trined.nl
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=10,20,30,40,50,60,80
/interface list member
add interface=Internal list=VLAN
add interface=IoT list=VLAN
add interface=Work list=VLAN
add interface=CCTV list=VLAN
add interface=IPTV list=VLAN
add interface=Guest list=VLAN
add interface=Management list=VLAN
add interface=Internal list=TRUSTED
add interface=Management list=TRUSTED
add interface=ether7 list=TRUSTED
add interface=SNLLLR_pppoe list=WAN
/ip address
add address=192.168.10.1/24 interface=Internal network=192.168.10.0
add address=192.168.20.1/24 interface=IoT network=192.168.20.0
add address=192.168.30.1/24 interface=Work network=192.168.30.0
add address=192.168.40.1/24 interface=CCTV network=192.168.40.0
add address=192.168.50.1/24 interface=IPTV network=192.168.50.0
add address=192.168.60.1/24 interface=Guest network=192.168.60.0
add address=192.168.80.1/24 interface=Management network=192.168.80.0
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.40.1 gateway=192.168.40.1
add address=192.168.50.0/24 dns-server=192.168.50.1 gateway=192.168.50.1
add address=192.168.60.0/24 dns-server=192.168.60.1 gateway=192.168.60.1
add address=192.168.80.0/24 dns-server=192.168.80.1 gateway=192.168.80.1
/ip dns
set allow-remote-requests=yes cache-size=150000KiB
/ip dns adlist
add ssl-verify=no url="https://cdn.jsdelivr.net/gh/tarampampam/mikrotik-hosts-\
    parser@master/.hosts/basic.txt"
add ssl-verify=no url="https://raw.githubusercontent.com/What-Zit-Tooya/Ad-Blo\
    ck/main/Main-Blocklist/Ad-Block-HOSTS.txt"
add ssl-verify=no url="https://justdomains.github.io/blocklists/lists/easypriv\
    acy-justdomains.txt"
add ssl-verify=no url=\
    https://justdomains.github.io/blocklists/lists/easylist-justdomains.txt
add ssl-verify=no url=\
    https://justdomains.github.io/blocklists/lists/nocoin-justdomains.txt
add ssl-verify=no url=https://adaway.org/hosts.txt
add ssl-verify=no url="https://raw.githubusercontent.com/hagezi/dns-blocklists\
    /main/hosts/native.winoffice.txt"
add ssl-verify=no url="https://raw.githubusercontent.com/crazy-max/WindowsSpyB\
    locker/master/data/hosts/spy.txt"
add ssl-verify=no url="https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@lates\
    t/hosts/ultimate.txt"
add ssl-verify=no url=\
    https://justdomains.github.io/blocklists/lists/adguarddns-justdomains.txt
add ssl-verify=no url=\
    https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
add ssl-verify=no url="https://raw.githubusercontent.com/r0xd4n3t/pihole-adblo\
    ck-lists/main/pihole_adlists.txt"
/ip dns static
add address=192.168.10.1 name=mylocal.ntp.server type=A
/ip firewall address-list
add address=192.168.40.0/24 list=Common-Destination
add address=192.168.10.8 list=Printers
add address=192.168.10.0/24 list=to_CCTV
add address=192.168.10.1 list=DNS_Servers
add address=192.168.20.1 list=DNS_Servers
add address=192.168.30.1 list=DNS_Servers
add address=192.168.40.1 list=DNS_Servers
add address=192.168.50.1 list=DNS_Servers
add address=192.168.60.1 list=DNS_Servers
add address=192.168.80.0/24 list=Authorized
add address=192.168.80.1 list=DNS_Servers
add address=192.168.10.0/24 list=Authorized
add address=192.168.80.0/24 list=to_CCTV
/ip firewall filter
add action=accept chain=input comment="Allow established, related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept icmp" in-interface-list=TRUSTED \
    protocol=icmp src-address-list=""
add action=accept chain=input comment="admin access" in-interface-list=\
    TRUSTED src-address-list=Authorized
add action=accept chain=input comment="accept internal dns requests" \
    dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="accept internal dns requests" \
    dst-port=53 in-interface-list=VLAN protocol=udp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment=fasttrack \
    connection-mark=no-mark connection-state=established,related
add action=accept chain=forward comment=\
    "Allow established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="Internal LAN to CCTV" \
    dst-address-list=Common-Destination src-address-list=to_CCTV
add action=accept chain=forward comment="Work Devices to Printer" \
    dst-address-list=Printers in-interface=Work
add action=accept chain=forward comment="internet traffic but CCTV" \
    in-interface=!CCTV in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=dst-nat chain=dstnat dst-address-list=!DNS_Servers dst-port=53 \
    protocol=udp src-address-list=!DNS_Servers to-addresses=192.168.10.1
add action=dst-nat chain=dstnat dst-address-list=!DNS_Servers dst-port=53 \
    protocol=tcp src-address-list=!DNS_Servers to-addresses=192.168.10.1
add action=masquerade chain=srcnat out-interface-list=WAN
/ip service
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
set reverse-proxy disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip service webserver
set acme-plain=no crl-plain=no graphs-plain=no graphs-secure=no index-plain=\
    no index-secure=no rest-plain=no rest-secure=no scep-plain=no \
    webfig-plain=no webfig-secure=no
/ipv6 dhcp-client
add custom-iana-id=0 custom-iapd-id=0 default-route-tables=main interface=\
    SNLLLR_pppoe pool-name=ipv6_pool pool-prefix-length=64 request=prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation" dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from VLAN" in-interface-list=\
    !VLAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from VLAN" in-interface-list=\
    !VLAN
/ipv6 nd
set [ find default=yes ] disabled=yes hop-limit=64 \
    managed-address-configuration=yes other-configuration=yes ra-preference=\
    low reachable-time=5m
add advertise-dns=yes interface=Internal other-configuration=yes \
    ra-preference=high reachable-time=5m
add advertise-dns=yes interface=Work other-configuration=yes ra-preference=\
    high reachable-time=5m
add advertise-dns=yes interface=IoT other-configuration=yes ra-preference=\
    high reachable-time=5m
add advertise-dns=yes interface=IPTV other-configuration=yes ra-preference=\
    high reachable-time=5m
add advertise-dns=yes interface=Guest other-configuration=yes ra-preference=\
    high reachable-time=5m
add advertise-dns=yes interface=SNLLLR_pppoe ra-lifetime=none ra-preference=\
    low reachable-time=5m
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=SNLLR
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=0.nl.pool.ntp.org
add address=1.nl.pool.ntp.org
add address=2.nl.pool.ntp.org
add address=3.nl.pool.ntp.org
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
/tool romon
set enabled=yes

Next I need to test removing ether1 from the bridge, removing the bridge, and attaching all VLANs to ether1? How do I make the router VLAN-aware without a bridge? Now it gets confusing for me.

If I add ether2 to the bridge and connect the LAN there, I get uploads of 112Mbps. Oh dear, MikroTik.

What's the model of the Huawei ONT, and which SFP GPON ONT are you using?

Huawei OptiXstar EN8255X6s-8X. It does the job perfectly, but it has the wrong name for me. It is what it is.

XGS-PON module: I use the FS XGS-SFP-ONT-MAC-I 185594, for the (not so) cheap price of 240€.

Tomorrow morning I will test that. I don't have high hopes.

20260419-RB5009-PPPoE
Some speedtests. I had to search for a capable server at this hour.
No fasttrack used in this test.

The latest config you have seems fine, so I am not sure where the issue lies.

From that link:

Interfaces > Interface > Ethernet Advertise: 2.5G baseX: REMOVE

2.5GBase-X was never advertised, coming directly from Netinstall.

Switch > Settings > switch1 > CPU flow control: OFF

Now adjusted from ON to OFF.

System > Routerboard > Settings > CPU frequency: 1400MHz

Now adjusted from Auto to 1400MHz

Tests: download 1400Mbps, upload 377Mbps. No major wins.

Next tweak:
PPP > Profiles > default > General > Change TCP MSS: NO

Tests on the same server: download 350Mbps, upload 392Mbps, wtf. None of these so far have made it better. Reverting TCP MSS did not restore the download speed.

Next tweak: remove hardware offloading from ether1.

Tests: download 354Mbps, upload 425Mbps. I don't know how to restore the download.

LE: cancel that; I reverted this setting: Switch > Settings > switch1 > CPU flow control: OFF,
and the test gives download 979Mbps, upload 306Mbps.

That's it.

Don't mess with the TCP MSS setting unless your provider supports RFC 4638 and you actually get 1500 MTU/MRU on the PPPoE connection.
If you don't, change it back to yes.
Anyway, you can see from my test above that it's not a hardware limitation.

They say they support 1500 and RFC4638.


The CPU does not get hammered. My gut feeling tells me it is just a mix of unfortunate solutions: XGS-PON from one maker, PPPoE for multi-gig, an SFP+ 10G port to 2.5G copper; all in all not a consistent, clear, logical solution.

In that case you need to increase the MTU of the interface on which the PPPoE client runs by 8 bytes (1500 -> 1508).
LE: I see that it also uses a VLAN; you need to adjust all of that properly.
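The RFC 4638 MTU stack the reply above describes, written out as an added RouterOS example. This is not the original poster's export and not a reply in the thread; it assumes the interface names from the posted config (sfp-sfpplus1, the VLAN interface SNLLR with vlan-id 6, the PPPoE client SNLLLR_pppoe and the PPP profile default-encryption), and the address used in the ping check is a placeholder from the documentation range, not a real gateway.

```routeros
# Added example: RFC 4638 ("baby jumbo") MTU stack for a PPPoE client that
# runs on a VLAN. Interface names follow the posted export; adjust if yours differ.

# 1. The VLAN the PPPoE session rides on must carry 1508-byte frames payload:
#    1500 bytes of PPPoE payload + 6 bytes PPPoE header + 2 bytes PPP protocol.
#    The parent port's L2MTU must be at least 1512 (1508 + 4 for the 802.1Q tag).
#    Check it before touching anything; only the VLAN MTU is raised here.
/interface ethernet print detail where name=sfp-sfpplus1
/interface vlan set [ find name=SNLLR ] mtu=1508

# 2. Ask the access concentrator for a 1500-byte MTU/MRU instead of the 1492
#    default. The PPPoE client then carries the RFC 4638 PPP-Max-Payload tag;
#    the concentrator has to echo it for the larger size to take effect.
/interface pppoe-client set [ find name=SNLLLR_pppoe ] max-mtu=1500 max-mru=1500

# 3. Keep MSS clamping on until step 4 confirms the session really negotiated
#    1500/1500. (The client uses profile default-encryption; a profile value of
#    "default" falls back to the "default" profile's setting.)
/ppp profile set default-encryption change-tcp-mss=yes

# 4. Verify: first the negotiated MTU/MRU, then a full 1500-byte IP packet
#    with DF set (RouterOS ping "size" is the whole IP packet). If the DF ping
#    fails, the upstream did not honour RFC 4638: go back to max-mtu=1492
#    max-mru=1492 and leave change-tcp-mss=yes.
/interface pppoe-client monitor [ find name=SNLLLR_pppoe ] once
/ping 198.51.100.1 size=1500 do-not-fragment count=3
```

Only after both checks pass is it safe to set change-tcp-mss=no; with a 1492-byte session and clamping off, TCP flows that rely on path-MTU discovery through a firewall that drops ICMP simply stall, which looks very much like a throughput problem.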

I lost the internet connection completely when changing the SFP+ MTU and the WAN VLAN to 1508, but changing only the WAN VLAN to 1508 brought it back, with PPPoE now showing an MTU of 1500.

Speedtest, oh god.

It's back somehow: download 1400Mbps, upload 345Mbps.

Tweaking this back to off:

Switch > Settings > switch1 > CPU flow control: OFF

Download 1487Mbps, upload 398Mbps.