[clear] MikroTik CRS125-24G-1S-2HnD-IN & CRS109-8G-1S-2HnD-IN make trouble with Unitymedia cable ISP

I hope my English is good enough so that someone can help me… :confused:

I have a MikroTik CRS109 router and a MikroTik CRS125. At first I used the CRS109 and my Internet speed was nearly 110 MBit download transfer. My ISP gives me 100 MBit, so I think it's OK, why not :slight_smile:

I tried the CRS125, first with a config export from the CRS109, then I tried a new configuration.

The result is that with the CRS125 the transfer rate is between 12 MBit and 35 MBit. Too slow, very slow. I called the ISP, a technical advisor came out and checked the line. It's OK, 107 to 112 MBit. I tried it myself, directly at the cable modem, and also got 109 MBit.

I tried disabling the rules in the firewall, same result as the first time, between 12 MBit and 35 MBit.

I tried the CRS109 again and here we are at between 80 MBit and 105 MBit.

OK, this is the problem, here are the facts.

CRS125 with firmware 6.29.1, same firmware on the CRS109.

Firewall script as follows on both CRS:

/ip firewall layer7-protocol
add name=SocialNetwork-Drop regexp="^.+(facebook|twitter).*\$"
/ip firewall address-list
add address=172.16.1.0/24 comment="Class B Subnet" list="Class B"
add address=172.16.1.0/28 comment="Class B Subnet A" list="Class B Subnet A"
add address=172.16.1.16/28 comment="Class B Subnet B" list="Class B Subnet B"
add address=172.16.1.32/28 comment="Class B Subnet C" list="Class B Subnet C"
add address=172.16.1.48/28 comment="Class B Subnet D" list="Class B Subnet D"
/ip firewall filter
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 log=yes log-prefix="SSH connect drop" protocol=tcp src-address=!172.16.1.0/24 src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=drop chain=input comment="drop telnet brute forcers" dst-port=23 log=yes log-prefix="Telnet connect drop" protocol=tcp src-address=!172.16.1.0/24 src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp
add chain=forward comment="Social Network accept from Subnet A" layer7-protocol=SocialNetwork-Drop src-address-list="Class B Subnet A"
add chain=forward comment="Social Network accept from Subnet B" layer7-protocol=SocialNetwork-Drop src-address-list="Class B Subnet B"
add action=drop chain=forward comment="Social Network drop form Subnet C" layer7-protocol=SocialNetwork-Drop log=yes log-prefix="Facebook drop from Subnet C" src-address-list="Class B Subnet C"
add action=drop chain=input comment="Disallow weird packets" connection-state=invalid
add chain=input comment="Allow LAN access to router and Internet" connection-state=new in-interface=bridge-local
add chain=input comment="Allow connections that originated from LAN" connection-state=established,related
add chain=input comment="Allow ping ICMP from anywhere" protocol=icmp
add action=drop chain=input comment="Disallow anything from anywhere on any interface"
add chain=forward comment="Allow LAN access to router and Internet" connection-state=new in-interface=bridge-local
add chain=forward comment="Allow connections that originated from LAN" connection-state=established,related
add action=drop chain=forward
/ip firewall mangle
add action=mark-connection chain=forward disabled=yes new-connection-mark=users-con src-address=172.16.1.0/24
add action=mark-packet chain=forward connection-mark=users-con disabled=yes new-packet-mark=users
add action=mark-connection chain=forward disabled=yes new-connection-mark=Gigablue-con src-address=172.16.1.6
add action=mark-packet chain=forward connection-mark=Gigablue-con disabled=yes new-packet-mark=Gigablue
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=yes out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=172.16.1.0/24
add action=masquerade chain=srcnat disabled=yes out-interface=pppoe-out1
add action=masquerade chain=srcnat disabled=yes out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=ether1-gateway
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set pptp disabled=yes

This script works absolutely fine on the CRS109…

Interfaces as follows on both CRS:

/interface bridge
add admin-mac=D4:CA:6D:CA:7F:60 auto-mac=no comment="Bridge Local Network (Port 2 - 8)" name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] advertise=100M-full,1000M-full comment="ISP Gateway to Unitymedia" name=ether1-gateway speed=1Gbps
set [ find default-name=ether2 ] comment="iMac - Wolfgang" name=ether2-master-local
set [ find default-name=ether3 ] comment="Medion NAS" master-port=ether2-master-local name=ether3-slave-local
set [ find default-name=ether4 ] comment="iMac - Simona" master-port=ether2-master-local name=ether4-slave-local
set [ find default-name=ether5 ] comment="Gigablue Quad plus - Receiver" master-port=ether2-master-local name=ether5-slave-local
set [ find default-name=ether6 ] master-port=ether2-master-local name=ether6-slave-local
set [ find default-name=ether7 ] comment="HP LaserJet 2430 DTN" master-port=ether2-master-local name=ether7-slave-local
set [ find default-name=ether8 ] master-port=ether2-master-local name=ether8-slave-local
set [ find default-name=sfp1 ] master-port=ether2-master-local name=sfp1-slave-local
/interface pppoe-client
add add-default-route=yes comment="ISP Gateway to Telekom DSL" interface=ether1-gateway max-mru=1480 max-mtu=1480 mrru=1600 name=pppoe-out1 password=mypassword service-name="Telekom DSL" user=\
    deactivate0001@t-online.de
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys wpa-pre-shared-key=S1ttendezernath wpa2-pre-shared-key=mypassword
add authentication-types=wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm management-protection=allowed mode=dynamic-keys name=WPA2-Profile supplicant-identity="" unicast-ciphers=tkip,aes-ccm \
    wpa-pre-shared-key=S1ttendezernath wpa2-pre-shared-key=mypassword
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-ht-above default-authentication=no disabled=no distance=indoors frequency=2432 l2mtu=2290 mode=ap-bridge security-profile=\
    WPA2-Profile ssid=Lummerland-Devon wireless-protocol=802.11
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
/interface l2tp-server server
set use-ipsec=yes
/interface sstp-server server
set default-profile=default-encryption
/interface wireless access-list
add comment=Wolfgang mac-address=E4:CE:8F:5B:9F:8B
add mac-address=34:A3:95:56:4E:D7
add mac-address=80:BE:05:86:71:C1
add comment=Simona mac-address=04:54:53:0F:60:CF
add mac-address=2C:F0:EE:4A:DF:3E
add mac-address=E0:C9:7A:3B:47:AA
add comment=Daniel mac-address=88:9F:FA:1C:97:48
add mac-address=00:37:6D:FD:7E:EC

I hope that's enough, or does anyone need more?

Please, how must I configure the CRS125 so that it works with my configuration? Where is my mistake?

I tried backing up the settings from the CRS109 and restoring them to the CRS125, then I reset the MAC address, but the same result, bad download transfer…

Addendum: I found the failure, it was 2 feet in front of the interface…

I found 3 rules in the firewall script that didn't work correctly. The last forward rules were not correct; I deleted them and the switch works fine. Thanks to the telephone support.
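The forward chain in the posted script mixes layer7-protocol matchers with the usual new / established,related / drop rules. As an added example (not from the thread or from MikroTik), here is a small Python parser for RouterOS export lines that loads such rules and flags two things a reviewer would check first: rules with no explicit action (RouterOS treats them as accept) and layer7 matchers that a packet reaches before its chain's established,related accept, so the regex matcher is consulted for already-accepted connections as well. The sample export is a constructed excerpt of the rules from the post.

```python
import shlex

# Constructed excerpt of the /ip firewall filter export from the post above.
SAMPLE_EXPORT = '''
/ip firewall filter
add chain=forward comment="Social Network accept from Subnet A" layer7-protocol=SocialNetwork-Drop src-address-list="Class B Subnet A"
add action=drop chain=forward comment="Social Network drop form Subnet C" layer7-protocol=SocialNetwork-Drop log=yes src-address-list="Class B Subnet C"
add action=drop chain=input comment="Disallow weird packets" connection-state=invalid
add chain=forward comment="Allow LAN access to router and Internet" connection-state=new in-interface=bridge-local
add chain=forward comment="Allow connections that originated from LAN" connection-state=established,related
add action=drop chain=forward
'''

def parse_filter_rules(export_text):
    """Turn the 'add key=value ...' lines of a RouterOS export into dicts.
    shlex.split copes with double-quoted values (comments, list names with
    spaces); a rule with no action is recorded as accept, as RouterOS treats it."""
    rules = []
    for line in export_text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rule = {}
        for token in shlex.split(line[len("add "):]):
            key, _, value = token.partition("=")
            rule[key] = value
        rule["explicit-action"] = "action" in rule
        rule.setdefault("action", "accept")
        rules.append(rule)
    return rules

def implicit_accepts(rules):
    """Indices of rules that accept only because no action was written."""
    return [i for i, r in enumerate(rules) if not r["explicit-action"]]

def layer7_before_established(rules):
    """Indices of layer7-protocol rules that a packet reaches before its chain's
    accept for established,related connections: the regex matcher is then
    consulted for packets of already-accepted connections as well."""
    findings, chains_with_early_accept = [], set()
    for i, r in enumerate(rules):
        states = set(r.get("connection-state", "").split(","))
        if r["action"] == "accept" and {"established", "related"} <= states:
            chains_with_early_accept.add(r.get("chain"))
        if "layer7-protocol" in r and r.get("chain") not in chains_with_early_accept:
            findings.append(i)
    return findings
```

Run against a full `/ip firewall filter export`, the two check functions give the rule positions to look at; moving the established,related accept to the top of the chain clears the second finding.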

Try this: http://forum.mikrotik.com/t/slow-speeds-when-setting-crs125-ports-to-gig/77450/1