I’m a newbie to this forum so please forgive my knowledge. I have a CRS125-24G-1S, configured as a router behind a 300Mbps service. I’ve set up a bridge and have ether1-WAN and ether2-LAN ports with the remaining slaved to ether2. The entire infrastructure is wired with CAT6 and all devices are 1Gb capable. In testing, I’m finding none of my devices will exceed 100-130Mbps with typical test sites like Google and Fast.com. If I remove the router/switch and connect a test device directly to the cable modem, it easily achieves the subscribed service level. So my CRS125-24G seems to be the bottleneck.
I’ve gone over the basic configuration but I must be missing something. Any advice on how to best narrow down would be greatly appreciated.
The S in CRS stands for switch; you are using a switch as a router. It is functionally capable of working as a router, but it lacks routing performance.
Thanks, yes. I recall when I bought it several years ago that configuration as a router would reduce throughput, but at the time I only had 50Mbps service and thought this would be fine. I’m hoping to eke out a little more than the current 130Mbps max - 250Mbps would be a dream! I’ve captured the configuration as requested. I immediately see all ports seem to be bound to 100Mbps despite advertising 1000Mbps:
/interface ethernet
set [ find default-name=ether1 ] comment=WAN name="ether1-[Internet]" speed=100Mbps
set [ find default-name=ether2 ] comment="LAN - All ports are switched off Ethernet2" name=ether2-LAN speed=100Mbps
set [ find default-name=ether3 ] name=ether3-slave-local speed=100Mbps
set [ find default-name=ether4 ] name=ether4-slave-local speed=100Mbps
set [ find default-name=ether5 ] name=ether5-slave-local speed=100Mbps
set [ find default-name=ether6 ] name=ether6-slave-local speed=100Mbps
set [ find default-name=ether7 ] name=ether7-slave-local speed=100Mbps
set [ find default-name=ether8 ] name=ether8-slave-local speed=100Mbps
set [ find default-name=ether9 ] name=ether9-slave-local speed=100Mbps
set [ find default-name=ether10 ] name=ether10-slave-local speed=100Mbps
set [ find default-name=ether11 ] name=ether11-slave-local speed=100Mbps
set [ find default-name=ether12 ] name=ether12-slave-local speed=100Mbps
set [ find default-name=ether13 ] name=ether13-slave-local speed=100Mbps
set [ find default-name=ether14 ] name=ether14-slave-local speed=100Mbps
set [ find default-name=ether15 ] name=ether15-slave-local speed=100Mbps
set [ find default-name=ether16 ] name=ether16-slave-local speed=100Mbps
set [ find default-name=ether17 ] name=ether17-slave-local speed=100Mbps
set [ find default-name=ether18 ] name=ether18-slave-local speed=100Mbps
set [ find default-name=ether19 ] name=ether19-slave-local speed=100Mbps
set [ find default-name=ether20 ] name=ether20-slave-local speed=100Mbps
set [ find default-name=ether21 ] name=ether21-slave-local speed=100Mbps
set [ find default-name=ether22 ] name=ether22-slave-local speed=100Mbps
set [ find default-name=ether23 ] name=ether23-slave-local speed=100Mbps
set [ find default-name=ether24 ] name=ether24-slave-local speed=100Mbps
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=sfp1-gateway
My complete config is attached. CRS125.txt (11.3 KB)
Appreciate the assist!
I’ve removed 3 filter rules from my firewall configuration. I’m now down to 7 from 10.
I tried to force negotiation to 1000Mbps on the LAN & WAN ports (ethernet 2 and 1 respectively). This failed and I lost internet! Connected back via winbox.exe / MAC address and reset.
I’m wondering if I can streamline my firewall ruleset further. I can’t help but think the issue is stemming from here.
I don’t know, but if the published tests talk of 240-250 with 25 firewall rules and you get 100-130 with 10 (or 7), it sounds like there is something else slowing down the network.
AFAIK test results are achievable if fasttrack is in use, otherwise not easily. OP’s config is a slight mess as it pulls in lots of legacy (pre-6.40 bridge config, etc.). And it lacks quite a few useful firewall rules, fasttrack included. I’d reset it to defaults and apply the default firewall config for small routers (it probably comes without routing config, being a CRS). And then add specifics.
Or go for a faster router (any modern hAP device can do at least 1Gbps) and use the CRS for what it is: a switch.
Completely agree my config is a “slight mess” or more and going to be the bottleneck - not the network otherwise, which I have proven by removing the CRS from the equation. My experience with network routing and switching is limited so I’m sure I messed something up several years ago when I purchased and originally configured it. Back then my service was only 50Mbps, so the performance loss was not a concern. I’ve only recently received the service uplift to 300Mbps so now it has become more apparent. I’m going to try the reset back to default configuration and layer in a simple firewall rule set to see if anything improves. Otherwise, I’ll just front it with an appropriate router (thinking of a basic hEX 5-port) and convert the CRS back to switch mode. Thanks for the responses everyone. I’ll update the thread when I finalize.
UPDATE
I reset the CRS back to factory defaults and configured QuickSet in ROUTER mode, using pretty much standard, out-of-box recommendations. I then:
Set a new password for admin access (new user + password, with admin disabled). Also only allow MAC-driven access - not internal IP.
Shut down all external services that come enabled by default with the OOB config, including Telnet, WWW, SSH. Within the first 5 min of being online, the device was flooded with “invalid login” attempts across a variety of standard usernames (admin, telecoadmin, root, etc.)
Set DNS resolution to my internal Pi-hole, which points to Google and Cloudflare upstream DNS servers.
Ran speedtest via Google. I immediately noticed 200-210Mbps download, almost doubling my hardwired speed. Much better. I was thinking I would be satisfied with this, but then I moved on to Mikrotik firewall recommended settings (help.mikrotik.com) and populated a recommended firewall ruleset, including FastTrack rules for established and related connections, giving me a total of 18 firewall rules.
Running speedtest now, I am getting above my subscribed rate (300/30), giving me 343Mbps down and 31Mbps up which is also beyond what is expected / published for the Mikrotik in router mode! I couldn’t be happier and didn’t need to purchase a new upstream router and revert the CRS to switch mode.
Thanks to everyone who steered me in the right direction!
This was before I set any firewall rules, period. Just highlighting how quickly I was being attacked when I simply set the default configuration which comes with Telnet, WWW, SSH open by default. Shutting down those services halted the attacks and now of course the new firewall ruleset shores everything up from external actors.
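The steps from the UPDATE post, written out as RouterOS commands. This is an added example, not the poster's exported configuration: the firewall rules are modelled on MikroTik's published default ruleset for small routers, and the user name, password placeholder, interface names (ether1, bridge), list names (WAN, LAN) and the Pi-hole address 192.168.88.2 are assumptions.

```routeros
# Added example. Assumes RouterOS 6.41+ with ether1 as WAN and a LAN bridge named "bridge".
# Interface lists keep the firewall rules independent of individual port names.
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=bridge

# Create a replacement admin account (placeholder name and password),
# log in with it, and only then disable the default "admin" user.
/user add name=netadmin group=full password="CHANGE-ME"
/user disable admin

# Disable the IP management services that were drawing login attempts.
# Management stays possible through MAC Winbox, limited to LAN interfaces.
/ip service disable telnet,ftp,www,ssh,api,api-ssl,winbox
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/ip neighbor discovery-settings set discover-interface-list=LAN

# Resolve through the internal Pi-hole (assumed address).
/ip dns set servers=192.168.88.2

/ip firewall filter
# input chain: traffic addressed to the router itself
add chain=input action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=drop in-interface-list=!LAN comment="drop all not coming from LAN"
# forward chain: traffic routed through the router
add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack established,related"
add chain=forward action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="drop new WAN connections that are not dst-natted"

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN comment="masquerade LAN behind WAN"
```

The fasttrack rule must sit above the plain established,related accept in the forward chain, otherwise it never matches; fasttracked packets skip the remaining filter rules and queues, which is where the throughput gain comes from.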