Chateau Pro AX slow speed

Hello MK community.

I am new to MK devices and just got the new Chateau Pro AX to replace my 10 year old router which is slowly dying.

From the get go I noticed that speeds are nowhere near what they are supposed to be on LAN and Wifi as well.
On my old Asus router on a LAN connection I was getting close to 600mb/s, as 600 is the plan from my ISP.
Connecting and without doing ANYTHING on the MK router, just doing the first basic setup to give names to Wifi and selecting my country, on LAN I am getting max 195mb/s and the same numbers on wifi.

I’ve been reading through forums and posts for the past couple of days looking for similar problems or trying to understand bridging and HW offload. I have tried changing a couple of settings but with no effect on speed. I also tried resetting the whole config just in case but the result was the same. At the moment I just added configs to use my PiHole as DNS as I want to continue using the device.
I also have a support ticket for a couple of days about this with no reply so far.

I am looking for great minds in this forum to help me riddle this out: what could be causing 3x slower speed than I am supposed to be getting?

Thank you in advance.

This device should easily handle 600mbit/s, or do you really mean 600 megabytes per second? Anyway, please provide a config export so the community can help.

Why are you using Pihole when you can use DoH with ad blocking with your router just dandy, as well as QOS if needed?

Please share your current config, otherwise this will remain a riddle:

From terminal (or SSH):

/export file=anynameyoulike

Remove serial and any other private info and post between code tags by using the </> button.

Here is the export. I am not too familiar with DoH yet. I just set DNS to be my PiHole as that’s what I’ve been using for ages and it worked for me. If there are features in this router I am not too familiar with, I will take time to familiarize myself and start using them if I see the benefit. Thanks. For now my main concern is why I am not getting the speed I am supposed to. The speed I am talking about is the one we can check on such sites as speedtest.net. Oh, and I also disabled IPv6.

Edit: Also updated to test branch to see if anything changes - nothing :frowning:
Edit2: Wifi and LAN speed is identical. Also, looking at total Tx under Interfaces I can see that it caps out at 200Mb/s. I have the ISP cable on port 1 and a cable to the switch on port 2. The switch just has LAN cables from all over my house; it’s simply to have LAN all over the place.

# 2025-01-04 21:43:55 by RouterOS 7.17rc3
# software id = 9RAU-STHA
#
# model = H53UiG-5HaxQ2HaxQ
# serial number = serial
/interface bridge
add admin-mac=my-mac auto-mac=no comment=defconf name=bridge
/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac comment="5 Ghz" configuration.country=Lithuania .mode=ap .ssid=my-id disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac comment="2.4 Ghz" configuration.country=Lithuania .mode=ap .ssid=my-id  disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
add mac-address=macaddr name=ovpn-server1
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip arp
home devices
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.253 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=192.168.88.253
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=" Redirect to PiHole TCP" dst-port=53 in-interface=bridge protocol=tcp src-address=!192.168.88.253 to-addresses=192.168.88.253
add action=dst-nat chain=dstnat comment=" Redirect to PiHole UDP" dst-port=53 in-interface=bridge protocol=udp src-address=!192.168.88.253 src-address-list="" to-addresses=192.168.88.253
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Vilnius
/system leds settings
set all-leds-off=immediate
/system note
set show-at-login=no
/system package update
set channel=development
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system routerboard wps-button
set enabled=yes on-event=wps-accept
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\r\
    \n   :foreach iface in=[/interface/wifi find where (configuration.mode=\"ap\" && disabled=no)] do={\r\
    \n     /interface/wifi wps-push-button \$iface;}\r\
    \n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

At first sight it looks like a nearly default config. Just a few NAT rules and the fasttrack rule as first rule. Is this rule hit?
What is the cpu usage while performing a test?
Have you performed a test when connected directly wired to the Audience?
What does the speed test exactly consist of? Speedtest?

Do you use IPv6? Think not, why are all the firewall filter rules for IPv6 existing? Or are you running dual stack?

In regards to PiHole, have a look at AdList:
https://help.mikrotik.com/docs/spaces/ROS/pages/37748767/DNS#DNS-Adlist

I stopped using my PiHole and AdGuard servers and replaced it by AdList.
Make sure that you set a DNS server (/ip/dns), referring to a public DNS server.

DoH can be a next step, but has nothing to do with preventing ads.

Tip: if you use static IP addresses (like the PiHole), make sure to exclude them from the DHCP pool. Or better, work with static leases.

Like I mentioned before, it looks like default config because it is default config, only with minor changes. I haven’t added any rules for IPv6, I just checked the box to disable it. I guess firewall rules are there by default?

The CPU usage doesn’t go above 10% regardless of whether I test or not. When I am not testing it stays between 0-2%. If I do test it mostly jumps between 5-8% with occasional spikes to 10%.

And yes, the speedtest was when I was directly wired to the MK router, as well as WIFI; it always peaks at similar speed (195~ Mb/s) on both LAN and Wifi.
And the speedtest is super plain and dumb, just speedtest.net, and I let it download and upload some packets for me. I didn’t try doing any manual tests on my own. But regardless, I do get a transfer speed of 600Mb/s download and upload with my old router, so this one should definitely get at least the same speeds, right?

Edit: No, I am not dual stacking and not using IPv6, that’s why I disabled it.

It is not (completely) default config. I.e. the IPv6 rules are not there by default. No problem…
As mentioned, the overlap could cause strange behavior (if there is a client using .253 as well). Can you check DHCP leases?

Do you see any errors/retries on the WAN interface?
Could you perform a speedtest (what test are you currently using?) with downloading a big file?
Can you reboot whatever is in front of the Audience and perform another test again?
Can you please answer all questions asked?

Please make sure that it is working properly with wired connection, wireless will be the next step.

Yes they are in ROS v7 (where IPv6 is not optional any more). And yes they are if ipv6 optional package in v6 is installed and enabled when ROS config is reset to factory default.

No overlaps when looking in DHCP leases. I have tried restarting MK, have tried restarting my lan devices and doing speed test after each restart always gets me similar results.
No errors on WAN interface, just a couple of tx queue drops.
My speedtest is by going to page http://speedtest.net and just checking the result I get there.

Wasn’t aware of this…

TS:
Can you reboot whatever is in front of the Audience and perform another test again?
And supply a complete network diagram including all relevant devices (brand/model/etc.)?
What ISP do you have?
Is the firmware upgraded (as well as RouterOS)?

I have tried not using a switch. Even though via the switch I am technically also directly connected to the MK router, I took it out of the loop and wired directly to my computer, but I still got the same result. I also removed my DNS configs and kept the default ones, just in case it had something to do with this; again, the result was the same. Not only did I reboot my PC and the MK itself, but also the device that the ISP had put in my house (the one that the fiber optic connects to), but unfortunately no changes. I am not sure what the name of the ISP would help with? It’s called NTT. I have fiber optic coming to my house that connects to the device I just mentioned, and from that device a CAT cable connects to the MK. Removing the MK from this loop and connecting my old router gives me the full 600 Mb/s speed no problem. Just in case this question comes up: the old router doesn’t have anything to do with the ISP, I have used it with 3 or 4 different ISP providers without issues.
Also, I think I mentioned it, but yes, firmware is updated to latest, as well as the RouterBoard firmware. RouterOS is v7, which came with the router itself; I have not touched it as I don’t think there is anything newer?

Now for models:
my old router - asus rt-ac55u
new mk router - chateau pro ax
and my pc with motherboard - TUF GAMING X670E-PLUS WIFI

I am testing everything on LAN right now. I have removed all of my IoT devices and switches. Only a single device is connected to the MK right now. That is the computer I just mentioned.
With all this, results are still limited to about 200Mb/s.

It starts sounding to me as if the ISP was doing something… “unusual” to put it softly. So far I’ve seen such things happen only in France and the U.S.

But first, your export says the version is 7.17rc3, did the router indeed come out of the box with a release candidate version installed?

As you say you are now testing using just Ethernet interfaces (no wireless), can you please connect the WAN port of the Chateau to the LAN of the ASUS and the WAN of the ASUS to the ONU/modem/whatever provides the Ethernet uplink and check the speed again? This is related to the ISP suspicion, as some ISPs adjust the treatment based on MAC address of the connected customer device, some DHCP client options, or even the L2 priority value.

OMG, I think you are a genius. I haven’t even thought about this being an ISP issue. I just did what you suggested, with my old router connected to the ISP modem, then the MK router as second, and my PC connected to the MK router. I do have the full 600Mb/s now. So basically I should call my ISP and hopefully they can make changes on their side and it should fix the issue? Is that how it is?

Or maybe I can just copy the MAC from my old router and just change it on the MK?

That, or they will send you “behind a NAT” instead. Has the ASUS been provided by them back then or you’ve bought it yourself?

If it is just a MAC address issue, you can reverse the connection (i.e. connect the WAN of the ASUS to the LAN of the Chateau) and see in the ARP table of the Chateau what MAC address the ASUS has on its WAN, then set the same one on ether1 of the Chateau and see what happens to the speed. Two interfaces with the same MAC address must never be connected to the same network segment but that will not happen here so don’t worry.

If that helps alone, you’re good; if it doesn’t, it is possible to create an isolated bridge out of two ports of the Chateau, insert it between the uplink and the WAN of the ASUS, and sniff the initial communication once you connect the ASUS, to see what DHCP options the ASUS sends and later add the same ones to Mikrotik’s DHCP requests.
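The DHCP comparison suggested in the post above, as an added example that is not part of the original thread: it parses the options out of two DHCPDISCOVER payloads and lists what the old router sends that the new one does not. The packets, MAC addresses, hostnames and vendor string are constructed sample data; a real run would use the UDP payloads taken from a capture on the inline bridge.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie (RFC 2131), at offset 236
NAMES = {12: "hostname", 53: "message-type", 55: "param-request-list",
         60: "vendor-class-id", 61: "client-id"}

def client_mac(payload: bytes) -> str:
    """chaddr field: the hardware address the client presents to the server."""
    return payload[28:34].hex(":")

def parse_options(payload: bytes) -> dict:
    """Return {option_code: value_bytes} from a BOOTP/DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message (short or missing magic cookie)")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:  # End option
            break
        if code == 0:    # Pad option, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated" % code)
        opts[code] = opts.get(code, b"") + value  # repeated options concatenate (RFC 3396)
        i += 2 + length
    return opts

def diff_options(reference: dict, candidate: dict) -> list:
    """(code, name, reference_value, candidate_value) for every option that differs."""
    return [(c, NAMES.get(c, "option-%d" % c), reference.get(c), candidate.get(c))
            for c in sorted(set(reference) | set(candidate))
            if reference.get(c) != candidate.get(c)]

def build_discover(mac: bytes, options: list) -> bytes:
    """Build a minimal DHCPDISCOVER payload (used only to construct sample input)."""
    fixed = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x12345678, 0, 0x8000)
    fixed += b"\x00" * 16 + mac + b"\x00" * 10 + b"\x00" * 192
    return fixed + MAGIC + b"".join(bytes([c, len(v)]) + v for c, v in options) + b"\xff"

# Constructed samples, not captures from the thread: hypothetical old and new routers.
OLD_MAC, NEW_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
OLD = build_discover(OLD_MAC, [(53, b"\x01"), (12, b"old-router"),
                               (60, b"vendor-a"), (55, bytes([1, 3, 6, 15, 28]))])
NEW = build_discover(NEW_MAC, [(53, b"\x01"), (12, b"new-router"),
                               (61, b"\x01" + NEW_MAC), (55, bytes([1, 3, 6, 33, 42, 121]))])

if __name__ == "__main__":
    for code, name, old, new in diff_options(parse_options(OLD), parse_options(NEW)):
        print("option %3d %-18s old=%r new=%r" % (code, name, old, new))
```

`client_mac()` reads the `chaddr` field, which is separate from the options and is the value the MAC change on ether1 alters.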

Yup. Changing the MAC on the MK router to the Asus WAN MAC solved it. Finally I have full speed via the Chateau. Thanks again!
The Asus router I bought myself long ago.

Just had a call with my ISP and they also confirmed that it is MAC related. Cloning the MAC address is fine if it works for me. They prefer the new address in case I reset my router again and don’t have the old MAC, etc. But I’ll keep it like this for now. Thanks again everyone for your help.