Hi, I have a really weird issue that I've been debugging for hours.
Setup: MikroTik hAP ax2, RouterOS 7.22.1, PPPoE over VLAN 35 (T-Mobile Poland FTTH), public IPv4.
The problem: download speed over ethernet is around 200-300 Mbps to distant servers, but over wifi from the same router I get 925 Mbps to the exact same server (Clouvider LA). Upload is fine on both, around 900 Mbps. LAN to LAN over ethernet is full gigabit, no issues there.
What I've tried so far:
MSS clamping - no change
Disabling fasttrack - no change
Disabling hw offload on bridge ports - made it worse
Removing port from bridge entirely and routing directly - no change
Disabling flow control - already is off
Changing TCP congestion control to BBR on the client - no change
Setting bridge MTU to 1452 - no change
Different ethernet ports, different PCs, same result
No FCS errors, no interface errors anywhere
This happens on every wired client I've tested, including a PC plugged directly into the router. So it's not the cable.
Your distant servers threw me off, so they are servers connected to your network?
What type of servers have both ethernet and wifi connectivity? Make, model?
Best to see complete config, preferably without all the changes trying to get it to work, would be good, as well as a networking diagram. (minus router serial number, any public WAN IP information, keys, DHCP lease lists)
Why don't we get some facts there patrikg, like the config will explain all that and the network diagram vice nickel and dime questions. Whack-a-mole was not taught when I went to school.
@anav Sorry for not including enough info, I’m a networking beginner so please understand.
I did not mean local servers. I mean public speedtest servers on the internet, far away geographically. For example Clouvider in Los Angeles, or Hetzner in Germany. The further away the server, the worse the ethernet download gets.
The test: same router, same PPPoE tunnel, same NAT, same firewall. PC on ethernet gets 200-300 Mbps download. Phone on wifi (wifi1 interface, 5 GHz) gets 925 Mbps download. Same remote server, tested seconds apart. Upload is fine on both. LAN to LAN ethernet is full gigabit.
@patrikg
Yes, wifi and ethernet are on the same bridge. Yes there are NAT and firewall rules.
Relevant config sections:
[XXXXX@MikroTik] > /interface bridge export
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=bridge comment=defconf interface=XX_AP_XXXX
[XXXXX@MikroTik] > /interface bridge port export
# 2026-04-13 20:05:09 by RouterOS 7.22.1
# software id = XXXX-XXXX
# model = C52iG-5HaxD2HaxD
# serial number = XXXXXXXXXXX
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=bridge comment=defconf interface=XX_AP_XXXX
[XXXXX@MikroTik] > /ip firewall filter export
# 2026-04-13 20:05:09 by RouterOS 7.22.1
# software id = XXXX-XXXX
# model = C52iG-5HaxD2HaxD
# serial number = XXXXXXXXXXX
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input protocol=udp src-address=10.2.0.0/16
add action=accept chain=input protocol=tcp src-address=10.2.0.0/16
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="block guest -> main" dst-address=10.0.0.0/16 src-address=10.2.0.0/16
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
[XXXXX@MikroTik] > /ip firewall nat export
# 2026-04-13 20:05:09 by RouterOS 7.22.1
# software id = XXXX-XXXX
# model = C52iG-5HaxD2HaxD
# serial number = XXXXXXXXXXX
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=10.0.0.0/16 src-address=10.0.0.0/16
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=443 protocol=tcp to-addresses=10.0.X.X to-ports=444
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=80 protocol=tcp to-addresses=10.0.X.X to-ports=81
-- more dst nat / port forwards here like above 2, only difference is dst port, protocol (tcp/udp), to address and to-ports of course --
[XXXXX@MikroTik] > /ip firewall mangle export
# 2026-04-13 20:05:09 by RouterOS 7.22.1
# software id = XXXX-XXXX
# model = C52iG-5HaxD2HaxD
# serial number = XXXXXXXXXXX
/ip firewall mangle
add action=change-mss chain=forward new-mss=1452 out-interface=pppoe-tmobile protocol=tcp tcp-flags=syn,ack
[XXXXX@MikroTik] > /interface pppoe-client export
# 2026-04-13 20:05:09 by RouterOS 7.22.1
# software id = XXXX-XXXX
# model = C52iG-5HaxD2HaxD
# serial number = XXXXXXXXXXX
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan35-tmobile name=pppoe-tmobile user=XXXXXXXXXX
[XXXXX@MikroTik] > /interface vlan export
# 2026-04-13 20:05:09 by RouterOS 7.22.1
# software id = XXXX-XXXX
# model = C52iG-5HaxD2HaxD
# serial number = XXXXXXXXXXX
/interface vlan
add arp=reply-only interface=bridge name=vlan20-guest vlan-id=20
add interface=ether1 name=vlan35-tmobile vlan-id=35
Nothing stands out right away other than you have vlan filtering but don't show anything related to vlan20 on either bridge ports or bridge vlans... So if you are doing any testing from vlan20 it's not going to respond well.
Again not able to discern all, as the complete config less tricky parts was not included and thus I'm outta here.
PS. to ensure hairpin works best to change this rule
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
TO:
add action=accept chain=forward comment="internet" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="PortF" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
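Added example, not part of any post in this thread: a small Python model of first-match evaluation that runs the same constructed flows through the forward chain with the exported last rule and with the three-rule replacement suggested above. It assumes no IPsec traffic, leaves out the fasttrack rule because it does not terminate rule processing, and treats the sample addresses and interface-list membership as assumptions.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

GUEST, MAIN = ip_network("10.2.0.0/16"), ip_network("10.0.0.0/16")
Flow = namedtuple("Flow", "src dst in_list out_list dstnat state", defaults=(False, "new"))

# Shared forward-chain head in export order (IPsec accepts and fasttrack left out).
HEAD = [
    ("drop", "block guest -> main",
     lambda p: ip_address(p.src) in GUEST and ip_address(p.dst) in MAIN),
    ("accept", "established,related,untracked",
     lambda p: p.state in ("established", "related", "untracked")),
    ("drop", "drop invalid", lambda p: p.state == "invalid"),
]
# Tail as exported: only new, non-dstnat traffic entering from WAN is dropped.
TAIL_EXPORTED = [
    ("drop", "drop all from WAN not DSTNATed",
     lambda p: p.state == "new" and p.in_list == "WAN" and not p.dstnat),
]
# Tail as suggested in the reply: two explicit accepts, then drop everything else.
TAIL_SUGGESTED = [
    ("accept", "internet", lambda p: p.in_list == "LAN" and p.out_list == "WAN"),
    ("accept", "PortF", lambda p: p.dstnat),
    ("drop", "drop all else", lambda p: True),
]

def verdict(tail, pkt):
    """First matching rule decides; a packet that matches nothing is accepted."""
    for action, comment, matches in HEAD + tail:
        if matches(pkt):
            return action, comment
    return "accept", "no rule matched"

# Constructed flows; addresses and interface-list membership are assumptions.
FLOWS = {
    "lan_to_internet": Flow("10.0.0.10", "203.0.113.5", "LAN", "WAN"),
    "wan_port_forward": Flow("198.51.100.7", "10.0.0.20", "WAN", "LAN", dstnat=True),
    "wan_unsolicited": Flow("198.51.100.7", "10.0.0.20", "WAN", "LAN"),
    "hairpin": Flow("10.0.0.10", "10.0.0.20", "LAN", "LAN", dstnat=True),
    "main_to_guest": Flow("10.0.0.10", "10.2.0.50", "LAN", "LAN"),
}

def compare():
    """Per flow: (action with exported tail, action with suggested tail)."""
    return {name: (verdict(TAIL_EXPORTED, p)[0], verdict(TAIL_SUGGESTED, p)[0])
            for name, p in FLOWS.items()}

if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:17} exported={old:6} suggested={new}")
```

The only flow whose verdict differs is `main_to_guest`: the exported chain accepts whatever no rule matches, while the suggested tail drops new forwarded traffic that is neither LAN-to-WAN nor dst-natted.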
@patrikg
On my main PC I use the RTL8125 2.5GbE interface built into my motherboard.
I tried other PCs/Laptops/Cables and results were similar. Somehow ethernet always comes out worse than wifi.
@anav
I am not using vlan 20, that’s for guests, I am on the main network connected directly to the router with no vlan. And hairpin works at the moment.