Hap Ac 2, not capable of 1Gbit transfer

Hello
I have one customer with a 1000/300 FTTH Line.
I have installed one Hap AC 2 for him, with the latest long-term firmware.
I have a plain bridge, with hardware offload on it, I have enabled IP Fasttrack on the router.
Plain IP masquerade on it.

On the ETH1 is connected the ONU, and I tag the VLAN on it.
No PPPoE, only plain dhcp-client.
If I do the bandwidth test with the core router (at the end of the FTTH Line), I am able to transfer 900/300Mbps UDP traffic.
If I do a public speedtest from a PC connected at 1Gbit, I am not able to do more than 450 Mbps.
If I replace the MT with an AVM 5490, I easily reach 900/300 Mbps.

How can I verify the problem?
Thank you

Could you post the config?

/interface bridge
add dhcp-snooping=yes name=bridge1-LAN protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] comment=WAN rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether2 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether3 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether4 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether5 ] rx-flow-control=auto tx-flow-control=auto
/interface vlan
add comment=vlan_openfiber interface=ether1 name=835_openfiber_ra_cos0 vlan-id=835
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=protetto supplicant-identity="" wpa2-pre-shared-key=zzzzzzzzzzzzz
/interface wireless
[omitted]
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=LAN ranges=192.168.0.11-192.168.0.39
/ip dhcp-server
add address-pool=LAN disabled=no interface=bridge1-LAN name=LAN
/system logging action
set 0 memory-lines=4096
/interface bridge port
add bridge=bridge1-LAN interface=ether3
add bridge=bridge1-LAN interface=ether4
add bridge=bridge1-LAN interface=wlan1
add bridge=bridge1-LAN interface=ether2
add bridge=bridge1-LAN interface=wlan2
add bridge=bridge1-LAN interface=ether5
/ip firewall connection tracking
set tcp-established-timeout=1h
/ip settings
set tcp-syncookies=yes
/ipv6 settings
set accept-router-advertisements=yes max-neighbor-entries=1024
/ip address
add address=192.168.0.254/24 interface=bridge1-LAN network=192.168.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=835_openfiber_ra_cos0
/ip dhcp-server lease
add address=192.168.0.36 client-id=1:f4:81:39:32:53:22 mac-address=F4:81:39:32:53:22 server=LAN
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.254 gateway=192.168.0.254
/ip dns
set allow-remote-requests=yes cache-size=4096KiB

The only thing that drew my attention was dhcp-snooping on the bridge, but it's supposed to be done in hardware on AR8327…
Some other thoughts:

  • check that counters for FastPath are “moving”
  • check cpu usage during transfer
  • do you test with multiple streams?
  • check bridge ports have “H” flag

I also tried without the bridge, with the IP on the eth port directly. No difference.
I tried with the dhcp-snooping disabled, hardware offload always enabled and H present.
CPU usage 5%
Counters in fasttrack moving quickly!
Everything looks fine but no throughput.

Bandwidth test UDP between router and core router: 900/300 Mbps.
The difference is after “NAT” masquerade; I tried multiple speedtest.net runs with multiple streams and different servers.
The server I test with is in direct peering with our network… so 2 hops from us in fiber.

I think the firewall rules can be improved on, i.e. the order, by moving established/related rules to the top of the chain.
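
The rule ordering suggested above, as an added example that is not part of the thread and not the poster's configuration: the interface names come from the export posted earlier, while the rule set itself is an assumption modelled on a plain LAN-to-WAN masquerade router.

```routeros
# Added example. Interface names are from the posted export; the rules are assumed.
/ip firewall filter
# Forward chain: established/related first, so bulk traffic matches on rule 1
# and is handed to FastTrack instead of walking the rest of the chain.
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="fasttrack established/related"
# Packets of those connections that still take the slow path are accepted here.
add chain=forward action=accept connection-state=established,related,untracked \
    comment="accept established/related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# Only new connections reach this point: refuse WAN-initiated ones unless port-forwarded.
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface=835_openfiber_ra_cos0 comment="drop WAN to LAN, not dstnat"

# Input chain: same ordering. The final drop also keeps the router's DNS cache
# (allow-remote-requests=yes in the export) unreachable from the WAN side.
add chain=input action=accept connection-state=established,related,untracked \
    comment="accept established/related"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=drop in-interface=835_openfiber_ra_cos0 \
    comment="drop everything else from WAN"

/ip firewall nat
# Masquerade only on the tagged WAN interface, not on every outgoing interface.
add chain=srcnat action=masquerade out-interface=835_openfiber_ra_cos0 \
    comment="masquerade to WAN"

# Verification while a speed test is running:
# per-rule packet/byte counters, to confirm the first rules take the traffic
/ip firewall filter print stats
# ipv4-fasttrack-active and the fasttrack packet/byte counters should be increasing
/ip settings print
```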

Have you tried setting flow control to off?

Tried, to no avail.
With fasttrack the forwarding traffic is very fast and the CPU is very, very low.
No apparent issues, but no throughput. The customer complains that in the speedtest he doesn't see 900 Mbps like his neighbour with an AVM Fritzbox 4040…

Both of them are my customers, one with MT, the other with 4040… I am quite embarrassed.

Maybe the problem is in tagging the VLAN on the WAN port (eth1)?
I cannot do it differently.

I don’t think it is the device, but maybe the config or something in the environment.
My suggestion would be to go back to basics, to the beginning: factory-default the device and test.
Pending results, you should do further troubleshooting and keep support@mikrotik.com in the loop.

Also post updates here; maybe as you go through the steps, someone might notice something askew.

I remember I was doing a throughput test on the hAP ac² and it could reach 900 Mbit/s while routing between LAN and PPPoE client as WAN with NAT. So the hardware as such is fine, the question is why the throughput is so limited in your particular configuration. What does /interface ethernet monitor ether1 show - could it be that it has negotiated 1000 Mbit/s half-duplex?

Hello,
it has correctly negotiated 1000 full.

Maybe the problem is related to VLAN tagging?

It should not be unless there’s a bug. You can try to create an /interface bridge name=br-wan protocol-mode=none, then switch on safe mode, and send the following line:
/interface bridge port add bridge=br-wan interface=ether1 ; /interface vlan set [find name~"openfiber"] interface=br-wan
This will change the VLAN processing a little bit so if there is an issue when /interface vlan is attached directly to an ethernet interface, this may help. But I somehow hesitate to believe it.

But there’s another question - are we talking about IPv6 testing or IPv4 testing? I have never tried IPv6 routing throughput, so if the test PC uses IPv6, it may change a lot - first, the hAP ac² itself may have some issue with IPv6 throughput, and second, something else upstream may have such an issue whereas the Fritzbox client doesn’t use IPv6.

Hello.
I have IPv6 enabled on both the Fritz and the MikroTik, but the tests are done in IPv4.

I am not able to do that test right now.
I have the latest stable on it, with no difference.