Hi,
Let me start by thanking you for taking the time to read this.
I have had my 2011UiAS-2HnD for quite some years now and overall I am very happy with it.
The last couple of years, I have had a 1GB up and down fiber connection and the router just can’t really cope with it.
My config has grown over the years and, to be honest, I have not really done a lot with MikroTik lately. So when I finally had enough and told myself I would go and tackle this problem, I quickly noticed that a lot of my MikroTik knowledge was lost. When I completely reset the router and keep it as basic as possible, I can get about 600MB down. With the attached config, I get 250 max and the CPU is at 100% all the time during download.
My provider has internet on vlan 34
I share my connection with my neighbor, he is on the 192.168.115.0/24 network.
Is there some glaring error I made in my config that causes the slowdown? I would love it if someone could point out the obvious errors I have made.
# oct/09/2018 09:40:54 by RouterOS 6.42.6
# software id = HXGG-XIIP
#
# model = 2011UiAS-2HnD
# serial number = 444A02XXXX
# Two bridges: Bridge-Gast (guest/neighbour side) and bridge-local (home LAN).
/interface bridge
add fast-forward=no name=Bridge-Gast
add admin-mac=D4:CA:6D:1D:0F:34 auto-mac=no fast-forward=no mtu=1500 name=\
bridge-local
# Port naming: ether1 is the WAN uplink, ether10 is the wired guest port,
# and sfp1 is disabled.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether6 ] name=ether6-master-local
set [ find default-name=ether7 ] name=ether7-slave-local
set [ find default-name=ether8 ] name=ether8-slave-local
set [ find default-name=ether9 ] name=ether9-slave-local
set [ find default-name=ether10 ] name=ether10-Gast
set [ find default-name=sfp1 ] disabled=yes
# wlan1: main 2.4 GHz access point (ap-bridge, 802.11 b/g/n).
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=5 band=2ghz-b/g/n channel-width=\
20/40mhz-eC country=netherlands disabled=no frequency=auto mode=ap-bridge \
ssid="XXXXXX Onderkant" wireless-protocol=802.11
# The provider delivers internet on VLAN 34, tagged on the WAN port.
/interface vlan
add interface=ether1-gateway loop-protect-disable-time=0s \
loop-protect-send-interval=0s name=VLAN34 vlan-id=34
# Interface lists; their members are assigned under /interface list member
# and they are used by neighbour discovery and the MAC servers.
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
# Pre-shared-key security profiles: the default one plus two guest profiles.
# NOTE(review): all three profiles enable wpa-psk alongside wpa2-psk. Keeping
# the legacy WPA mode available weakens the network; if no client still needs
# it, allow wpa2-psk only.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=\
XXXXXxxxXXXX wpa2-pre-shared-key=XXXXXxxxXXXX
add authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys \
name=GastenProfiel supplicant-identity=VuurMuur wpa-pre-shared-key=\
XXXXXxxxXXXX wpa2-pre-shared-key=XXXXXxxxXXXX
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed mode=dynamic-keys name=\
"Het Contoso Gasten" supplicant-identity="" wpa-pre-shared-key=\
XXXXXxxxXXXX wpa2-pre-shared-key=XXXXXxxxXXXX
# Two virtual access points stacked on wlan1, each with its own SSID and
# security profile: "Het Contoso Gasten" and wlan2 (SSID "Gasten Netwerk").
/interface wireless
add disabled=no keepalive-frames=disabled mac-address=D6:CA:6D:1D:0F:3E \
master-interface=wlan1 multicast-buffering=disabled name=\
"Het Contoso Gasten" security-profile="Het Contoso Gasten" ssid=\
"Het Contoso Gasten" wds-cost-range=0 wds-default-cost=0
add disabled=no mac-address=D6:CA:6D:1D:0F:3D master-interface=wlan1 name=\
wlan2 security-profile=GastenProfiel ssid="Gasten Netwerk"
# Default IPsec proposal restricted to AES-128-CBC.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
# Address pools: "dhcp" for the home LAN, "dhcppoolgast" for the guest network.
/ip pool
add name=dhcp ranges=192.168.15.100-192.168.15.200
add name=dhcppoolgast ranges=192.168.115.50-192.168.115.200
# One DHCP server per bridge.
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
bridge-local lease-time=3d name=default
add address-pool=dhcppoolgast authoritative=after-2sec-delay disabled=no \
interface=Bridge-Gast name=DHCPS_GAST
# NOTE(review): the default SNMP community accepts queries from any source
# address (0.0.0.0/0). This export does not show whether SNMP is enabled;
# if it is, restrict addresses= to the hosts that actually poll the router.
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
# Disk log targets referenced by the /system logging rules further down.
/system logging action
add disk-file-count=5 disk-file-name=AccountLog name=AccountLog target=disk
add disk-file-count=50 disk-file-name=Firewall disk-lines-per-file=5000 name=\
Firewall target=disk
# Layer-2 isolation for the guest AP: drop all bridged forwarding to and
# from wlan2.
# NOTE(review): active bridge filter rules presumably keep bridged traffic
# off the fast path and add CPU work per frame - confirm whether this
# contributes to the throughput problem described in the post.
/interface bridge filter
add action=drop chain=forward in-interface=wlan2
add action=drop chain=forward out-interface=wlan2
# Bridge membership. Ports marked hw=no are excluded from hardware
# offloading, so traffic through them is handled by the CPU.
/interface bridge port
add bridge=bridge-local hw=no interface=ether2
add bridge=bridge-local hw=no interface=ether3
add bridge=bridge-local hw=no interface=ether4
add bridge=bridge-local hw=no interface=ether5
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local hw=no interface=sfp1
add bridge=bridge-local interface=wlan1
# Guest side: the wlan2 virtual AP and the wired guest port.
add bridge=Bridge-Gast interface=wlan2
add bridge=Bridge-Gast hw=no interface=ether10-Gast
# NOTE(review): the "Het Contoso Gasten" virtual AP is a member of
# bridge-local (the home LAN), not Bridge-Gast. If this SSID is meant for
# guests, its clients currently land on the home network - confirm intent.
add bridge=bridge-local interface="Het Contoso Gasten"
add bridge=bridge-local interface=ether7-slave-local
add bridge=bridge-local interface=ether8-slave-local
add bridge=bridge-local interface=ether9-slave-local
# Neighbour discovery runs on every interface in the "discover" list.
/ip neighbor discovery-settings
set discover-interface-list=discover
# Membership of the discover, mactel and mac-winbox lists.
/interface list member
add interface=sfp1 list=discover
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6-master-local list=discover
add interface=ether7-slave-local list=discover
add interface=ether8-slave-local list=discover
add interface=ether9-slave-local list=discover
add interface=ether10-Gast list=discover
add interface=wlan1 list=discover
add interface=bridge-local list=discover
add interface=wlan2 list=discover
# NOTE(review): VLAN34 is the WAN-facing interface; listing it here means
# the router announces itself towards the provider network. Remove it from
# the discover list unless that is required.
add interface=VLAN34 list=discover
add interface=Bridge-Gast list=discover
add interface="Het Contoso Gasten" list=discover
# mactel / mac-winbox control where MAC-Telnet and MAC-Winbox are accepted
# (see /tool mac-server at the end of the export).
add interface=ether2 list=mactel
add interface=ether3 list=mactel
add interface=ether2 list=mac-winbox
add interface=ether4 list=mactel
add interface=ether3 list=mac-winbox
add interface=ether5 list=mactel
add interface=ether4 list=mac-winbox
add interface=ether6-master-local list=mactel
add interface=ether5 list=mac-winbox
add interface=wlan1 list=mactel
add interface=sfp1 list=mactel
add interface=ether6-master-local list=mac-winbox
# NOTE(review): wlan2 is the guest AP, so this entry and the mac-winbox entry
# for wlan2 below expose layer-2 router management to guest Wi-Fi clients.
# Limit both lists to trusted LAN ports.
add interface=wlan2 list=mactel
add interface=wlan1 list=mac-winbox
add interface=sfp1 list=mac-winbox
add interface=wlan2 list=mac-winbox
# The router's own OpenVPN server is enabled, using certificate cert_5.
# NOTE(review): the NAT table in this export also forwards UDP 1194 to the
# NAS ("OpenVPN 2 NAS"). If the NAS is the VPN endpoint actually in use,
# disable this server so an unused service is not left listening.
/interface ovpn-server server
set certificate=cert_5 enabled=yes
# Wireless access list.
/interface wireless access-list
# Caps both ap-tx-limit and client-tx-limit at 1048576 for clients on wlan2.
add ap-tx-limit=1048576 client-tx-limit=1048576 interface=wlan2
# Entry for one specific client MAC address.
add mac-address=AC:22:0B:64:B8:8F
# NOTE(review): this matches the same clients as the first entry (any MAC on
# wlan2), so it is presumably never reached - confirm and remove if so.
add interface=wlan2
# Router addresses: 192.168.15.254 for the home LAN and 192.168.115.254 for
# the guest network.
/ip address
# NOTE(review): the LAN address is bound to ether2, but ether2 is a port of
# bridge-local. An address on a bridge port instead of the bridge itself is
# a known source of odd behaviour; it should presumably sit on bridge-local.
add address=192.168.15.254/24 comment="default configuration" interface=\
ether2 network=192.168.15.0
add address=192.168.115.254/24 interface=Bridge-Gast network=192.168.115.0
# WAN addressing comes from DHCP on VLAN34.
/ip dhcp-client
# Left-over client on the untagged WAN port; it carries no disabled=no, so
# it is presumably disabled - confirm and remove if unused.
add comment="default configuration" dhcp-options=hostname,clientid interface=\
ether1-gateway
add dhcp-options=hostname,clientid disabled=no interface=VLAN34
# Static DHCP leases. These pin the addresses that the firewall and NAT rules
# refer to (NAS .253, cameras .241-.243, .234, .250, .106 and the guest-side
# NAS 192.168.115.10), so a lease change here silently changes what those
# rules apply to.
/ip dhcp-server lease
add address=192.168.15.224 client-id=1:0:c:29:56:84:f2 mac-address=\
00:0C:29:56:84:F2 server=default
add address=192.168.15.112 client-id=\
ff:2b:94:34:c1:0:2:0:0:ab:11:c5:ef:73:f1:6:1e:2b:a3 mac-address=\
00:0C:29:89:5E:AC server=default
add address=192.168.15.103 client-id=1:74:c6:3b:9f:2:7b mac-address=\
74:C6:3B:9F:02:7B server=default
add address=192.168.15.234 client-id=1:b8:27:eb:dd:a1:46 mac-address=\
B8:27:EB:DD:A1:46 server=default
add address=192.168.15.251 client-id=1:5c:e2:8c:78:bd:a0 comment=\
"Zyxel POE Switch" mac-address=5C:E2:8C:78:BD:A0 server=default
add address=192.168.15.253 comment=NAS mac-address=00:11:32:11:9B:6B
# Cameras; the forward chain blocks and logs all traffic they originate.
add address=192.168.15.241 client-id=1:38:af:29:46:83:3d comment=CAM01 \
mac-address=38:AF:29:46:83:3D server=default
add address=192.168.15.242 client-id=1:38:af:29:46:83:55 comment=CAM02 \
mac-address=38:AF:29:46:83:55 server=default
add address=192.168.15.243 client-id=1:38:af:29:46:83:2a comment=CAM03 \
mac-address=38:AF:29:46:83:2A server=default
add address=192.168.15.249 client-id=1:e8:2a:ea:49:f1:7e mac-address=\
E8:2A:EA:49:F1:7E server=default
add address=192.168.15.250 always-broadcast=yes client-id=1:0:e0:4c:68:2:81 \
mac-address=00:E0:4C:68:02:81 server=default
# NOTE(review): PiCam sits at .244, outside the three camera addresses the
# firewall blocks - confirm whether it should be covered as well.
add address=192.168.15.244 client-id=1:b8:27:eb:e0:c7:eb comment=PiCam \
mac-address=B8:27:EB:E0:C7:EB server=default
# Lease on the guest network's DHCP server.
add address=192.168.115.10 always-broadcast=yes client-id=1:0:11:32:8c:89:7a \
comment=NAS-XxxXXX mac-address=00:11:32:8C:89:7A server=DHCPS_GAST
add address=192.168.15.102 mac-address=00:17:88:B3:7D:50 server=default
add address=192.168.15.106 client-id=1:0:11:32:37:d2:27 mac-address=\
00:11:32:37:D2:27 server=default
# Options handed to DHCP clients. Home LAN clients get the router and
# 8.8.8.8 as DNS servers; guest clients get the router only.
/ip dhcp-server network
add address=192.168.15.0/24 comment="default configuration" dns-server=\
192.168.15.254,8.8.8.8 domain=thuis.lan gateway=192.168.15.254 netmask=24
add address=192.168.115.0/24 dns-server=192.168.115.254 domain=gast.lan \
gateway=192.168.115.254 netmask=24
# The router acts as a DNS resolver for clients (allow-remote-requests=yes).
# The input-chain drop on VLAN34 is what keeps this resolver from answering
# queries from the internet; keep that in mind when editing the firewall.
# NOTE(review): the only configured upstream server is the router's own LAN
# address, so resolution presumably relies on the dynamic servers learned by
# the DHCP client - confirm.
/ip dns
set allow-remote-requests=yes servers=192.168.15.254
# Static names for LAN hosts, cameras and the guest-side NAS.
/ip dns static
add address=192.168.15.253 name=XXXXXX
add address=192.168.15.234 name=XXXXXX
add address=192.168.15.234 name=XXXXXX
add address=192.168.15.251 name=XXXXXX
add address=192.168.15.250 name=XXXX
add address=192.168.15.254 name=XXXXXX
add address=192.168.15.241 name=cam01.XXXXXX.nl
add address=192.168.15.242 name=cam02.XXXXXX.nl
add address=192.168.15.243 name=cam03.XXXXXX.nl
add address=192.168.115.10 name=XXXXXX.synology.me
# Two address lists holding the same three (redacted) addresses.
# NOTE(review): no filter or NAT rule in this export references
# SMD-No-Logging or SSH-Allow-Home, so they currently have no effect.
# A list like SSH-Allow-Home is the natural way to restrict the
# management and port-forward rules that are open to any source.
/ip firewall address-list
add address=62.XXXXXX.152.XXXXXX list=SMD-No-Logging
add address=40.XXXXXX.154.XXXXXX list=SMD-No-Logging
add address=40.XXXXXX.156.XXXXXX list=SMD-No-Logging
add address=40.XXXXXX.156.XXXXXX list=SSH-Allow-Home
add address=40.XXXXXX.154.XXXXXX list=SSH-Allow-Home
add address=62.XXXXXX.152.XXXXXX list=SSH-Allow-Home
# Filter rules; within each chain they are evaluated top to bottom.
# NOTE(review): there is no fasttrack-connection rule in this export, so
# every packet of an established connection is processed by the firewall on
# the CPU. That is a likely contributor to the 100% CPU load described in
# the post - confirm by testing with fasttrack on established/related.
/ip firewall filter
# Disabled: log TCP traffic from 192.168.15.250 to any port except 5938.
add action=log chain=forward disabled=yes dst-address=0.0.0.0/0 dst-port=\
!5938 log=yes log-prefix=VMWARE protocol=tcp src-address=192.168.15.250
# Disabled: guest network -> home LAN isolation.
add action=drop chain=forward disabled=yes dst-address=192.168.15.0/24 \
src-address=192.168.115.0/24
# Disabled: home LAN -> guest network isolation.
# NOTE(review): both addresses lack a /24 prefix, so even when enabled this
# rule would match a single address pair only. With this rule and the one
# above disabled, nothing in the forward chain separates the neighbour's
# 192.168.115.0/24 network from 192.168.15.0/24.
add action=drop chain=forward disabled=yes dst-address=192.168.115.0 \
src-address=192.168.15.0
# Cameras may not originate forwarded traffic; every hit is logged.
# NOTE(review): per-packet logging to the disk-backed Firewall target costs
# CPU and storage writes if the cameras retry often.
add action=drop chain=forward comment="Block CAM01 out" dst-address=0.0.0.0/0 \
log=yes log-prefix=CAM01 src-address=192.168.15.241
add action=drop chain=forward comment="Block CAM02 out" dst-address=0.0.0.0/0 \
log=yes log-prefix=CAM02 src-address=192.168.15.242
add action=drop chain=forward comment="Block CAM03 out" dst-address=0.0.0.0/0 \
log=yes log-prefix=CAM03 src-address=192.168.15.243
# Input chain (traffic addressed to the router itself).
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" \
connection-state=established
add action=accept chain=input comment="default configuration" \
connection-state=related
# NOTE(review): accepts Winbox (TCP 8291) from any source address on any
# interface, i.e. router management is reachable from the internet.
# Restrict it with src-address-list (for example the existing but unused
# SSH-Allow-Home list) or reach Winbox through a VPN only.
add action=accept chain=input comment="Winbox from WAN" dst-port=8291 \
protocol=tcp
add action=accept chain=forward comment="default configuration" \
connection-state=established
add action=accept chain=forward comment="default configuration" \
connection-state=related
# Drops everything else that arrives on VLAN34 for the router. Input from
# all other interfaces, including the guest bridge, is not filtered.
add action=drop chain=input comment="default configuration" in-interface=\
VLAN34
# NOTE(review): the forward chain ends here with only an invalid-state drop.
# There is no rule dropping new connections from VLAN34 that were not
# dst-natted (connection-nat-state=!dstnat) - consider adding one.
add action=drop chain=forward comment="default configuration" \
connection-state=invalid
# NAT: one masquerade rule for outbound traffic, then the inbound port
# forwards. All forwards match traffic arriving on VLAN34.
# NOTE(review): only the three rules carrying src-address= are limited to a
# known peer. Every other enabled forward is reachable from any internet
# address; restrict them with src-address / src-address-list where the
# remote side is known, or move access behind the VPN.
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=VLAN34
# Backup ports 6281 and 873 to the NAS (192.168.15.253), any source.
add action=dst-nat chain=dstnat comment=SynBackup1 dst-port=6281 \
in-interface=VLAN34 protocol=tcp to-addresses=192.168.15.253 to-ports=\
6281
add action=dst-nat chain=dstnat comment=SynBackup2 dst-port=873 in-interface=\
VLAN34 protocol=tcp to-addresses=192.168.15.253 to-ports=873
# Domoticz web interface on 8080, any source, logged.
# NOTE(review): a home-automation UI published straight to the internet
# depends entirely on the application's own authentication - confirm it is
# enabled and consider a source restriction.
add action=dst-nat chain=dstnat comment=Domoticz dst-port=8080 in-interface=\
VLAN34 log=yes log-prefix=domo-nat-in protocol=tcp to-addresses=\
192.168.15.234 to-ports=8080
# BlueIris on 1118, any source, logged. src-port="" is an empty matcher.
add action=dst-nat chain=dstnat comment=BlueIris dst-port=1118 in-interface=\
VLAN34 log=yes log-prefix=BlueIris-nat-in protocol=tcp src-port="" \
to-addresses=192.168.15.250 to-ports=1118
# Disabled forwards of 80 and 443 to the NAS.
add action=dst-nat chain=dstnat comment="Poort80 Syno" disabled=yes dst-port=\
80 in-interface=VLAN34 protocol=tcp to-addresses=192.168.15.253 to-ports=\
80
add action=dst-nat chain=dstnat comment="Poort 443 Syno" disabled=yes \
dst-port=443 in-interface=VLAN34 protocol=tcp to-addresses=192.168.15.253 \
to-ports=443
# NAS services limited to one (redacted) source address.
add action=dst-nat chain=dstnat comment="SABNZB Synology" dst-port=7654 \
in-interface=VLAN34 protocol=tcp src-address=163.XXXXXX.155.XXXXXX \
to-addresses=192.168.15.253 to-ports=8080
add action=dst-nat chain=dstnat comment="Synology HTTP" dst-port=5000 \
in-interface=VLAN34 protocol=tcp src-address=163.XXXXXX.155.XXXXXX \
to-addresses=192.168.15.253 to-ports=5000
add action=dst-nat chain=dstnat comment="Synology HTTPS" dst-port=5001 \
in-interface=VLAN34 protocol=tcp src-address=163.XXXXXX.155.XXXXXX \
to-addresses=192.168.15.253 to-ports=5001
# UDP 1194 to the NAS, any source, logged.
add action=dst-nat chain=dstnat comment="OpenVPN 2 NAS" dst-port=1194 \
in-interface=VLAN34 log=yes log-prefix=VPN protocol=udp to-addresses=\
192.168.15.253 to-ports=1194
# Forwards to the NAS on the guest network (192.168.115.10), any source.
add action=dst-nat chain=dstnat comment="SynoBackup1 XXXXXX" dst-port=6282 \
in-interface=VLAN34 protocol=tcp to-addresses=192.168.115.10 to-ports=\
6281
add action=dst-nat chain=dstnat comment="SynoBackup2 XXXXXX" dst-port=874 \
in-interface=VLAN34 protocol=tcp to-addresses=192.168.115.10 to-ports=873
add action=dst-nat chain=dstnat comment="SyvoDSFile XXXXXX" dst-port=5501 \
in-interface=VLAN34 protocol=tcp to-addresses=192.168.115.10 to-ports=\
5001
# Forwards to 192.168.15.106, any source. port="" is an empty matcher.
add action=dst-nat chain=dstnat comment="SynoBackup1 XXXXXX" dst-port=6283 \
in-interface=VLAN34 port="" protocol=tcp to-addresses=192.168.15.106 \
to-ports=6281
add action=dst-nat chain=dstnat comment="Syno Backup 2 XXXXXX" dst-port=875 \
in-interface=VLAN34 protocol=tcp to-addresses=192.168.15.106 to-ports=873
# NOTE(review): UPnP is enabled. It lets hosts on the internal side open
# inbound port mappings on their own, bypassing the curated NAT list. No
# /ip upnp interfaces entries appear in this export, so it may not be
# functional - confirm, and disable it if nothing depends on it.
/ip upnp
set enabled=yes
# Front-panel LCD and touch screen are switched off.
/lcd
set enabled=no touch-screen=disabled
/lcd interface pages
set 0 interfaces="sfp1,ether1-gateway,ether2,ether3,ether4,ether5,ether6-maste\
r-local,ether7-slave-local,ether8-slave-local,ether9-slave-local,ether10-G\
ast"
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=VuurMuur-XXXXXX
# Log routing: system/account events go to the AccountLog disk target and
# all firewall-topic messages to the Firewall disk target.
# NOTE(review): several filter and NAT rules have log=yes, so busy rules
# turn into continuous disk writes - presumably a small extra CPU cost.
/system logging
add action=AccountLog topics=system,error,critical
add action=AccountLog topics=system,info,account
add action=Firewall prefix=Firewall topics=firewall
# NTP client with two fixed servers plus the nl.pool.ntp.org name.
/system ntp client
set enabled=yes primary-ntp=129.250.35.251 secondary-ntp=94.212.40.117 \
server-dns-names=nl.pool.ntp.org
/system routerboard settings
set silent-boot=no
# Scheduled jobs.
# NOTE(review): all three jobs run with the full policy set (reboot,
# password, sniff, sensitive, ...). Each needs far less; trim the policy
# list to what the job actually uses.
/system scheduler
# Dynamic DNS update every 30 minutes.
# NOTE(review): the update URL is fetched over plain http://, so the
# (redacted) update key in the query string crosses the network in clear
# text. Use the https:// form of the URL if this RouterOS version's fetch
# supports it - confirm.
add comment="Update Dynamic DNS entry every 30 minutes" interval=30m name=\
"Update FreeDNS" on-event="/tool fetch url=\"http://freedns.afraid.org/dyn\
amic/update.php\XXXXXX"" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
may/19/2014 start-time=18:45:27
# Login alert: every 30 seconds, search the log for "logged in" or
# "login failure", take the newest match and e-mail it when its timestamp
# differs from the one stored in this job's own comment field.
# NOTE(review): a full log search every 30 s is recurring CPU work on an
# already saturated router; a longer interval gives the same alerting.
add comment=09:36:33 interval=30s name=InlogMail on-event=":local scheduleName\
\_\"InlogMail\"\r\
\n:local emailAddress \"XXXXX@XXXXXX.nl\"\r\
\n:local startBuf [:toarray [/log find message~\"logged in\" || message~\"\
login failure\"]]\r\
\n:local removeThese (\"whatever string you want\")\r\
\n \r\
\n:local lastTime [/system scheduler get [find name=\"\$scheduleName\"] co\
mment]\r\
\n \r\
\n:local currentBuf \"\"; :set currentBuf [:toarray \$currentBuf]\r\
\n \r\
\n:foreach i in=\$startBuf do={\r\
\n :local toggle 1\r\
\n :foreach j in=[:toarray \$removeThese] do={\r\
\n :if ([:typeof [:find [/log get \$i message] \"\$j\"]] = \"num\") do=\
{\r\
\n :set toggle 0\r\
\n }\r\
\n }\r\
\n :if (\$toggle = 1) do={\r\
\n :set currentBuf (\$currentBuf , \$i)\r\
\n }\r\
\n}\r\
\n \r\
\n:local currentLineCount [ :len \$currentBuf ]\r\
\n \r\
\nif (\$currentLineCount > 0) do={\r\
\n :local currentTime \"\$[ /log get [ :pick \$currentBuf (\$currentLine\
Count -1) ] time ]\"\r\
\n \r\
\n :if ([:len \$currentTime] = 15 ) do={\r\
\n :set currentTime [ :pick \$currentTime 7 15 ]\r\
\n }\r\
\n \r\
\n :local output \"\$currentTime \$[/log get [ :pick \$currentBuf (\$cur\
rentLineCount-1) ] message ]\"\r\
\n \r\
\n :if (([:len \$lastTime] < 1) || (([:len \$lastTime] > 0) && (\$lastTi\
me != \$currentTime))) do={\r\
\n /system scheduler set [find name=\"\$scheduleName\"] comment=\$cur\
rentTime\r\
\n /tool e-mail send to=\"\$emailAddress\" subject=\"MikroTik alert \
\$currentTime\" body=\"\$output\"\r\
\n }\r\
\n}" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive \
start-date=jun/02/2014 start-time=13:56:40
# Weekly job that runs the EmailBackup script.
add comment="Send Config Backup once a week to mail" interval=1w name=\
sched_backup_mail on-event=EmailBackup policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
jan/05/1970 start-time=22:53:00
# Stored scripts: Wake-on-LAN helpers, the dynamic DNS update and the
# e-mailed configuration backup.
# NOTE(review): every script carries the broad policy set (reboot, password,
# sniff, sensitive, ...). A Wake-on-LAN packet needs none of that; reduce
# each script's policy to the minimum it uses.
/system script
add name="WOL HTPC" owner=admin policy=\
reboot,read,write,policy,test,password,sniff,sensitive source=\
"/tool wol mac=D4:3D:7E:56:D4:72 interface=bridge-local"
# Same fetch as the "Update FreeDNS" scheduler entry, also over plain http://.
add name="Update FreeDNS" owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive source="/tool f\
etch url=\"http://freedns.afraid.org/dynamic/update.php\XXXXX""
add name="WOL HTPC-Slaapkamer" owner=AdminUser policy=\
reboot,read,write,policy,test,password,sniff,sensitive source=\
"/tool wol mac=3c:97:0e:3f:c1:55 interface=bridge-local"
add name="WOL NAS" owner=admin policy=\
reboot,read,write,policy,test,password,sniff,sensitive source=\
"/tool wol mac=00:11:32:11:9b:6b interface=bridge-local"
# Saves a password-protected backup named "mailbackup" and e-mails the file.
# NOTE(review): the backup password is hard-coded in the script source and
# was not redacted in this public export. Treat it as disclosed: change it,
# and regard backups already sent with it as readable by others.
# NOTE(review): the backup travels by e-mail; no TLS option appears in the
# /tool e-mail settings of this export, so it is presumably sent
# unencrypted in transit - confirm.
add name=EmailBackup owner=AdminUser policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive source="/system\
\_backup save name=mailbackup password=routerconfbu123; \\\
\n/tool e-mail send to=\"XXXXX@XXXXX.nl\" subject=([/system identity get\
\_name] . \" Backup \" . [/system clock get date]) file=mailbackup;\
\n\
\n\
\n"
add name="WOL PC-EJL" owner=AdminUser policy=\
reboot,read,write,policy,test,password,sniff,sensitive source=\
"/tool wol mac=44-8A-5B-9E-BF-B7 interface=bridge-local"
add name=WOL-LOG owner=AdminUser policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive source=\
"/tool wol mac=9C-EB-E8-14-F1-AA interface=bridge-local"
add name="WOL Random" owner=AdminUser policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
"/tool wol mac=D8-50-E6-A4-10-E4 interface=bridge-local"
# Outgoing mail server used by the login-alert and backup jobs.
# NOTE(review): only the server address and sender are set here; no TLS or
# authentication option appears in this export - confirm how mail is sent.
/tool e-mail
set address=smtp.XXXXX.nl from=XXXXX@XXXXX.nl
# MAC-Telnet and MAC-Winbox are accepted only on interfaces in the mactel
# and mac-winbox lists.
# NOTE(review): both lists include wlan2, the guest access point, so this
# layer-2 management access is offered to guest Wi-Fi clients as well.
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox