Greetings Mikrotik Experts,
I have a client with many buildings on a single large property. We have a 1000 Mbps cable internet connection, with a CCR2004 connected to it via an S-RJ01 in port 12. The firewall is very basic, with just 4 or 5 rules and 1 NAT masquerade rule. This internet connection only has 1 dynamic IP address. The other buildings are connected via multi-mode fiber and Cisco MGBSX1 SFP modules.
Each building has an RB4011iGS+RM with a Cisco MGBSX1 SFP connected to the CCR2004. The RB4011s are set up with a standard config with NAT/firewall (each building is separate, and they don’t want to share anything).
When I test internet speeds at the CCR2004 MGT port I get around 40 - 60 mbps, when tested at another building I get around 100mbps.
Below is the clean config for the CCR2004 router.
Is there anything I can change to get higher throughput / download speed?
Any help or assistance would be greatly appreciated.
# Physical port setup: ether1 is renamed as the management port, sfp-sfpplus1/2 become
# sfp1/sfp2, sfp-sfpplus12 is the internet uplink, and every other SFP+/SFP28 port is
# administratively disabled.
/interface ethernet
set [ find default-name=ether1 ] name="GE1- Mgt"
set [ find default-name=sfp-sfpplus3 ] disabled=yes
set [ find default-name=sfp-sfpplus4 ] disabled=yes
set [ find default-name=sfp-sfpplus5 ] disabled=yes
set [ find default-name=sfp-sfpplus6 ] disabled=yes
set [ find default-name=sfp-sfpplus7 ] disabled=yes
set [ find default-name=sfp-sfpplus8 ] disabled=yes
set [ find default-name=sfp-sfpplus9 ] disabled=yes
set [ find default-name=sfp-sfpplus10 ] disabled=yes
set [ find default-name=sfp-sfpplus11 ] disabled=yes
# NOTE(review): arp=proxy-arp makes the router answer ARP on these two ports on behalf of
# addresses it can reach through other interfaces. sfp1/sfp2 carry routed /30 links in this
# config, where proxy-ARP is normally unnecessary - confirm it is intentional, since it lets
# a device on one link resolve addresses that belong elsewhere.
set [ find default-name=sfp-sfpplus1 ] arp=proxy-arp name="sfp1"
set [ find default-name=sfp-sfpplus2 ] arp=proxy-arp name="sfp2"
set [ find default-name=sfp-sfpplus12 ] name="sfp12 - Internet"
set [ find default-name=sfp28-1 ] disabled=yes
set [ find default-name=sfp28-2 ] disabled=yes
# Two interface lists. Going by the "/interface list member" section of this config,
# WAN-OUT holds the internet uplink and WAN-IN holds the management and downstream ports,
# i.e. WAN-IN is the inside of this router despite the "WAN-" prefix.
/interface list
add name=WAN-OUT
add name=WAN-IN
# Address pools: a .100-.200 range for the management port, and two single-address pools
# so that the one DHCP client on sfp1 / sfp2 always receives the .2 address of its /30.
/ip pool
add name="Mgt Pool" ranges=172.17.1.100-172.17.1.200
add name="Pool1" ranges=172.16.1.2
add name="Pool2" ranges=172.16.2.2
# One DHCP server per inside interface.
/ip dhcp-server
# add-arp=yes has the DHCP server add ARP entries for its leases.
# NOTE(review): that only restricts the segment to leased addresses if the interface is
# also set to arp=reply-only, which this export does not show for "GE1- Mgt" - confirm.
add add-arp=yes address-pool="Mgt Pool" disabled=no interface="GE1- Mgt" \
lease-time=1d name="Mgt DHCP"
add address-pool="Pool1" disabled=no interface="sfp1" lease-time=1w \
name="DHCP1"
add address-pool="Pool2" disabled=no interface="sfp2" lease-time=1w \
name="DHCP2"
# Policy set for the "full" user group (the value is wrapped mid-word by the export).
# NOTE(review): the list still grants telnet, ftp and api login even though those services
# are disabled under "/ip service" in this config, and it includes sensitive and policy.
# The users themselves are not part of this export; keep membership of this group minimal.
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
# Neighbor discovery is limited to the WAN-IN list, so nothing is advertised on the
# internet uplink.
# NOTE(review): WAN-IN contains sfp1 and sfp2 as well as the management port, so whatever
# is attached to those links also sees this router's discovery announcements. If the
# downstream links are separate tenants, a list holding only "GE1- Mgt" would be narrower.
/ip neighbor discovery-settings
set discover-interface-list=WAN-IN
# List membership: the uplink is the only WAN-OUT member; everything else is WAN-IN.
/interface list member
add interface="sfp12 - Internet" list=WAN-OUT
add interface="GE1- Mgt" list=WAN-IN
add interface="sfp1" list=WAN-IN
add interface="sfp2" list=WAN-IN
# NOTE(review): sfp-sfpplus3/4 are disabled in "/interface ethernet" but are already
# WAN-IN members, so they pick up everything granted to WAN-IN as soon as they are enabled.
add interface=sfp-sfpplus3 list=WAN-IN
add interface=sfp-sfpplus4 list=WAN-IN
# Router addresses: a /24 on the management port and one /30 per downstream link.
/ip address
add address=172.17.1.1/24 comment=defconf interface="GE1- Mgt" network=\
172.17.1.0
add address=172.16.1.1/30 interface="sfp1" network=172.16.1.0
add address=172.16.2.1/30 interface="sfp2" network=172.16.2.0
# Turns off the update-time option of the /ip cloud service.
/ip cloud
set update-time=no
# The single public address is obtained by DHCP on the uplink.
/ip dhcp-client
add !dhcp-options disabled=no interface="sfp12 - Internet"
# Options handed out by the three DHCP servers.
# NOTE(review): the two /30 networks set no dns-server, so clients on sfp1/sfp2 presumably
# configure DNS themselves - confirm.
/ip dhcp-server network
add address=172.16.1.0/30 gateway=172.16.1.1 netmask=30
add address=172.16.2.0/30 gateway=172.16.2.1 netmask=30
# NOTE(review): dns-server lists 8.8.8.8 twice; a second, different resolver was probably
# intended.
add address=172.17.1.0/24 dns-server=8.8.8.8,8.8.8.8 gateway=172.17.1.1 \
netmask=24
# Address list naming the management subnet; used by the input accept rule below.
/ip firewall address-list
add address=172.17.1.0/24 list="Mgt Net"
# Filter rules. forward only contains a disabled drop and a fasttrack rule; input allows
# established/related, the management subnet and ICMP, then drops everything else.
/ip firewall filter
# NOTE(review): disabled=yes, so invalid-state packets are currently not dropped in forward.
add action=drop chain=forward connection-state=invalid disabled=yes
# Fasttracks established/related/untracked forwarded connections.
# NOTE(review): forward has no drop rule at all, so the chain's default accept applies to
# every new connection, including ones arriving on WAN-OUT and traffic routed between sfp1
# and sfp2. Masquerade is not a filter. The stock RouterOS ruleset closes this with a
# forward drop matching connection-state=new connection-nat-state=!dstnat on the WAN list;
# the equivalent here would match in-interface-list=WAN-OUT. If the downstream links must
# stay isolated from each other, a forward drop between them is needed as well.
add action=fasttrack-connection chain=forward connection-state=\
established,related,untracked
add action=accept chain=input connection-state=established,related
# NOTE(review): this matches on source address only. Adding in-interface="GE1- Mgt" would
# stop a packet that merely claims a 172.17.1.x source on another port from matching.
add action=accept chain=input src-address-list="Mgt Net"
# ICMP to the router is accepted from every interface, the uplink included.
add action=accept chain=input protocol=icmp
# Final input rule: anything not accepted above is dropped.
add action=drop chain=input
# Source NAT for everything leaving through the uplink, as only one public IP is available.
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT Because we only have 1 IP" \
out-interface-list=WAN-OUT
# Disables the telnet, ftp, api and api-ssl management services.
# NOTE(review): www, ssh and winbox are not listed. If this is a non-verbose export they
# are still at their defaults (enabled, no address= restriction) - confirm. The input chain
# limits IP access to the Mgt Net list, but setting address= on each remaining service and
# disabling www if it is unused gives a second layer.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# Time zone and router identity.
/system clock
set time-zone-name=America/New_York
/system identity
set name=WANCCR
# Enables the IRQ RPS setting on the two downstream ports and the uplink.
/system resource irq rps
set "sfp1" disabled=no
set "sfp2" disabled=no
set "sfp12 - Internet" disabled=no
# The built-in bandwidth-test server is switched off, which removes one listening service.
/tool bandwidth-server
set enabled=no
# Layer-2 management: MAC-Telnet and MAC-WinBox are allowed on the WAN-IN list, and MAC
# ping is disabled.
# NOTE(review): allowed-interface-list is what scopes MAC-based management here, and WAN-IN
# contains sfp1 and sfp2 in addition to the management port. Devices on the downstream
# links can therefore reach the router's MAC-Telnet/MAC-WinBox login. A dedicated list
# containing only "GE1- Mgt" would restrict this to the management segment.
/tool mac-server
set allowed-interface-list=WAN-IN
/tool mac-server mac-winbox
set allowed-interface-list=WAN-IN
/tool mac-server ping
set enabled=no
# Netwatch probes the .2 address of each downstream /30. When a host is reported down, the
# down-script removes the dynamic leases of the matching DHCP server (DHCP1 or DHCP2).
# NOTE(review): each pool holds a single address, so this presumably frees it for a
# replacement device with a different MAC - confirm that is the intent.
/tool netwatch
add down-script=\
"ip dhcp-server lease remove [find dynamic server=\"DHCP1\"]\r\
\n" host=172.16.1.2
add down-script=\
"ip dhcp-server lease remove [find dynamic server=\"DHCP2\"]\r\
\n" host=172.16.2.2
*Edited to include the missing CCR config.