Did Fasttrack break with recent updates?

Hi Experts,

Hope all of you are well.

I have a problem and can’t seem to get to the bottom of it. The only explanation is that maybe Fasttrack broke or is only working 50% after recent updates? (Or possibly my FW rule order???)

When I originally switched over from DSL (20Mb/2Mb) to Fibre (1000Mb/100Mb), I could only get just over 200Mbps with RB2011UiAS-2HnD. I then enabled fast track which made a huge difference and managed to get over 800Mb/97Mb. This was July 2017.
I regularly update my network / PC equipment and update my Mikrotik as and when updates become available; currently I am on 6.40.4.
Yesterday we were doing some excessive downloads and noticed the download speeds max out on ± 430Mbps and started doing some troubleshooting. Bypassed the RB2011 and connected PC directly to fibre and we get 943Mb/97Mb (http://beta.speedtest.net/result/6709745290) which indicates no problem on the ISP / Internet side.

It does not matter if I disable all rules, only enable Fasttrack rules, etc, the internet download speed stays at ± 430Mb/97Mb when going through the Mikrotik router.

Any suggestions will help, please!!

 /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic 

 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 
 1    chain=forward action=fasttrack-connection connection-state=established,related 
 2    ;;; Allow Established, Related connections
      chain=forward action=accept connection-state=established,related log=no log-prefix="" 
 3    ;;; Allow New connections from Bridge
      chain=forward action=accept connection-state=new src-address-list=LocalLAN log=no log-prefix="" 
 4 X  chain=forward action=accept connection-nat-state=dstnat in-interface=ether1 log=no log-prefix="" 
 5    ;;; Allow Established, Related connections
      chain=input action=accept connection-state=established,related log=no log-prefix="" 
 6    ;;; Allow access to router from LAN
      chain=input action=accept connection-state=new src-address-list=LocalLAN log=no log-prefix="" 
 7    ;;; PPTP VPN Incoming
      chain=input action=accept protocol=tcp in-interface=ether1 dst-port=1723 log=no log-prefix="" 
 8    ;;; GRE VPN Incoming
      chain=input action=accept protocol=gre in-interface=ether1 log=no log-prefix="" 
 9    ;;; Drop Invalid Connections
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 
10    ;;; Default Forward Drop Rule
      chain=forward action=drop log=no log-prefix="Drop-Forward" 
11    ;;; Default Input Drop Rule
      chain=input action=drop log=no log-prefix="Drop-Input"



 /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=masquerade to-addresses=<WAN Address> out-interface=ether1 log=no log-prefix="" 
 1    chain=srcnat action=masquerade out-interface=pppoe-out1 log=no log-prefix="" 
 2  D ;;; upnp <Internal Addr>: Skype UDP at <Internal Addr>:22756 (3941)
      chain=dstnat action=dst-nat to-addresses=<Internal Addr> to-ports=22756 protocol=udp dst-address=<WAN Addr> in-interface=ether1 
      dst-port=22756 
 3  D ;;; upnp <Internal Addr>: Skype TCP at <Internal Addr>:22756 (3941)
      chain=dstnat action=dst-nat to-addresses=<Internal Addr> to-ports=22756 protocol=tcp dst-address=<WAN Addr> in-interface=ether1 
      dst-port=22756



 /ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=prerouting action=passthrough 
 1  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 
 2  D ;;; special dummy rule to show fasttrack counters
      chain=postrouting action=passthrough 
 3 X  chain=prerouting action=mark-routing new-routing-mark=Guest-Traffic passthrough=no src-address=192.168.169.128/25 log=no log-prefix="" 
 4 X  chain=prerouting action=mark-routing new-routing-mark=Mweb-NS passthrough=no protocol=icmp dst-address=196.2.16.3 log=no log-prefix="" 
 5 X  chain=forward action=mark-connection new-connection-mark=LargeDownloadConn passthrough=yes protocol=tcp dst-address=!192.168.168.15 
      connection-bytes=5000000-0 in-interface=ether1 time=6h-20h,sun,mon,tue,wed,thu,fri,sat log=no log-prefix="" 
 6 X  chain=forward action=mark-packet new-packet-mark=LargeDownloadPacket passthrough=no connection-mark=LargeDownloadConn log=no log-prefix="" 
 7 X  chain=forward action=add-dst-to-address-list protocol=tcp dst-address=192.168.168.0/23 address-list=LargeDownload address-list-timeout=5m 
      connection-bytes=15000000-0 in-interface=ether1 log=no log-prefix=""



 /interface bridge settings> print  
              use-ip-firewall: no
     use-ip-firewall-for-vlan: no
    use-ip-firewall-for-pppoe: no
              allow-fast-path: yes
      bridge-fast-path-active: yes
     bridge-fast-path-packets: 232
       bridge-fast-path-bytes: 88107
  bridge-fast-forward-packets: 0
    bridge-fast-forward-bytes: 0



 /ip settings> print       
              ip-forward: yes
          send-redirects: yes
     accept-source-route: no
        accept-redirects: no
        secure-redirects: yes
               rp-filter: no
          tcp-syncookies: no
    max-neighbor-entries: 8192
             arp-timeout: 30s
         icmp-rate-limit: 10
          icmp-rate-mask: 0x1818
             route-cache: yes
         allow-fast-path: yes
   ipv4-fast-path-active: no
  ipv4-fast-path-packets: 0
    ipv4-fast-path-bytes: 0
   ipv4-fasttrack-active: yes
  ipv4-fasttrack-packets: 2018084
    ipv4-fasttrack-bytes: 1917646388

I made sure all conditions are met for fasttrack/fastpath.

Please help, very frustrating. If you need any further info, please do not hesitate.

Any help here, no?

Routing mark doesn’t work on fasttracked traffic; it needs to be excluded from the fasttrack-connection rule.

Thank you for your response macgaiver,

As per the config I posted in OP, those rules are disabled and make no difference.

My understanding was RouterOS does not process disabled rules, or is my understanding wrong?

Please guys, I need help here.

I pay for a 1G internet pipe and can only use 45% of it. A couple of months ago I could use 85% of the service, which was acceptable, so it seems something changed in Mikrotik.

How do I fix it, or replace with a different brand?

Have you checked your CPU use to see if it’s actually maxing out with non-fasttracked traffic?

Hmmmmm,

So Mikrotik support told me the max I will be able to get through the RB2011 is ± 500Mbps (have it in writing). I then downgraded from 6.40.4 to 6.39.2 and now get 770Mbps as compared to 450Mbps; that is ± 320Mbps more with the same firewall rules, etc. and 220Mbps more than what Mikrotik Support told me I will get with this device.

This is the speed I used to get with the same device in July this year:
http://beta.speedtest.net/result/6561089941

Speedtest before RouterOS Downgrade (6.40.4):
http://beta.speedtest.net/result/6716513087

Speedtest after downgrade (6.39.2):
http://beta.speedtest.net/result/6720089582.png

So it seems like something has broken between 6.39.2 and 6.40.4.

Any thoughts???