hAP ac2: low performance when copying files between VLANs

I have several VLANs configured on a hAP ac2. My PC is connected in vlan10 and my NAS in vlan6. When I copy files from the NAS to the PC, the maximum speed is around 30MB/s. In the hAP ac2's Profile tool I can see two CPU cores at around 95% usage, with firewall at around 50% load. If I set up another PC in vlan6, in the same subnet as the NAS, I get around 100MB/s. So I believe something is wrong. Can someone help me?
Attached is the export file; I removed other config such as wireless.
123.rsc (27.1 KB)

 # feb/23/2019 17:24:13 by RouterOS 6.43.11
# software id = 7SZH-X77H
#
# model = RouterBOARD D52G-5HacD2HnD-TC
# Single bridge with VLAN filtering switched on. The first reply in this thread
# attributes the inter-VLAN CPU load to this setting: on this board bridge-level
# VLAN filtering is not done in hardware.
/interface bridge
add name=bridge vlan-filtering=yes
/interface ethernet
# ether1 is the uplink; ether2 is the tagged-only trunk (see its
# /interface bridge port entry); ether3-ether5 are access ports in VLAN 10.
set [ find default-name=ether1 ] comment="wan port" speed=100Mbps
set [ find default-name=ether2 ] comment="to switch" speed=100Mbps
set [ find default-name=ether3 ] comment="iptv port" speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
# NOTE(review): the account names and peer addresses in the three client
# sections below were left in a publicly posted export; redact such identifiers
# before sharing a config.
/interface pppoe-client
# Internet uplink: installs the default route and takes DNS servers from the peer.
add add-default-route=yes disabled=no interface=ether1 name=pppoe-telecom \
    use-peer-dns=yes user=ad79008136
/interface l2tp-client
# No disabled=no is exported for this client, so it is presumably not enabled;
# the NAT section carries a "not ready" note for the same interface.
add connect-to=hostusk.ecapsul.com name=l2tp-hostusk use-ipsec=yes user=\
    hostusk_l2tp
/interface pptp-client
# NOTE(review): PPTP relies on MS-CHAPv2/MPPE, which are considered weak today.
# Only tashivpn is exported with disabled=no; prefer an IPsec- or TLS-based
# tunnel for anything sensitive.
add connect-to=194.150.21.67 name=tapfkvpn user=joey.lu
add connect-to=116.247.117.82 disabled=no name=tashivpn user=jlu
/interface vlan
# Layer-3 VLAN interfaces on top of the bridge; each one gets a /24 address and
# a DHCP server further down.
add interface=bridge name=vlan6 vlan-id=6
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=vlan50 vlan-id=50
add interface=bridge name=vlan55 vlan-id=55
add interface=bridge name=vlan98 vlan-id=98
# Interface lists used by the firewall. Membership is set in
# /interface list member; server_vlan has no members in this export.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=vlan
add name=server_vlan
add name=vlan_server_wifi_lan_mgmt
/ip pool
# 192.168.12.x-192.168.15.x are the VPN client pools (l2tp, ikev2, sstp, ovpn);
# the mangle and NAT rules refer to them together as 192.168.12.0/22.
# Each VLAN pool hands out .50-.200 of its /24.
add name=ikev2-pool ranges=192.168.13.2-192.168.13.200
add name=l2tp-pool ranges=192.168.12.2-192.168.12.200
add name=vlan6-pool ranges=192.168.6.50-192.168.6.200
add name=vlan20-pool ranges=192.168.20.50-192.168.20.200
add name=vlan55-pool ranges=192.168.55.50-192.168.55.200
add name=vlan10-pool ranges=192.168.10.50-192.168.10.200
add name=sstp-pool ranges=192.168.14.2-192.168.14.200
add name=ovpn-pool ranges=192.168.15.2-192.168.15.200
add name=vlan98-pool ranges=192.168.98.50-192.168.98.200
add name=vlan50-pool ranges=192.168.50.50-192.168.50.200
/ip dhcp-server
# One DHCP server per VLAN interface, all with the same lease time of 1w10m.
add address-pool=vlan55-pool disabled=no interface=vlan55 lease-time=1w10m \
    name=dhcp-vlan55
add address-pool=vlan20-pool disabled=no interface=vlan20 lease-time=1w10m \
    name=dhcp-vlan20
add address-pool=vlan10-pool disabled=no interface=vlan10 lease-time=1w10m \
    name=dhcp-vlan10
add address-pool=vlan6-pool disabled=no interface=vlan6 lease-time=1w10m \
    name=dhcp-6
add address-pool=vlan50-pool disabled=no interface=vlan50 lease-time=1w10m \
    name=dhcp-vlan50
add address-pool=vlan98-pool disabled=no interface=vlan98 lease-time=1w10m \
    name=dhcp-vlan98
# Access ports accept only untagged/priority-tagged frames and place them in
# their pvid; ether2 accepts only tagged frames (trunk). ecapsul, ecapsul5 and
# guest are not defined in this export (the poster removed the wireless config).
# NOTE(review): frame-types and ingress-filtering are enforced only while the
# bridge has vlan-filtering=yes. If the VLANs are moved to the switch menu, as
# this thread ends up doing, confirm the switch port settings give the same
# separation between access ports.
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether5 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ecapsul5 pvid=55
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=guest pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ecapsul pvid=55
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether2
/interface bridge vlan
# VLAN membership table. The bridge itself is a tagged member of every VLAN so
# that the vlanN interfaces (the router's CPU side) receive the traffic.
add bridge=bridge tagged=ether2,bridge untagged=ether4,ether5,ether3 \
    vlan-ids=10
add bridge=bridge tagged=ether2,bridge untagged=ecapsul,ecapsul5 vlan-ids=55
add bridge=bridge tagged=ether2,bridge vlan-ids=6,20,50,98
# L2TP server; profile-l2tp is not part of this export.
# NOTE(review): with use-ipsec=yes RouterOS 6 presumably still admits L2TP
# clients that do not use IPsec; use-ipsec=required is the value that refuses
# them - confirm against the manual for this version.
/interface l2tp-server server
set default-profile=profile-l2tp enabled=yes use-ipsec=yes
/interface list member
# As exported: WAN holds ether1 only (pppoe-telecom, which carries the default
# route, is not a member); "vlan" holds all six VLAN interfaces;
# vlan_server_wifi_lan_mgmt holds vlan6/98/55/10; LAN holds the bridge plus
# vlan6/10/55/98, so vlan20 and vlan50 are not on LAN.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan6 list=vlan
add interface=vlan10 list=vlan
add interface=vlan20 list=vlan
add interface=vlan50 list=vlan
add interface=vlan55 list=vlan
add interface=vlan98 list=vlan
add interface=vlan6 list=vlan_server_wifi_lan_mgmt
add interface=vlan98 list=vlan_server_wifi_lan_mgmt
add interface=vlan55 list=vlan_server_wifi_lan_mgmt
add interface=vlan10 list=vlan_server_wifi_lan_mgmt
add interface=vlan6 list=LAN
add interface=vlan10 list=LAN
add interface=vlan55 list=LAN
add interface=vlan98 list=LAN
/ip address
# The router is .1 in every VLAN, i.e. the gateway for all inter-VLAN traffic.
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.6.1/24 interface=vlan6 network=192.168.6.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.55.1/24 interface=vlan55 network=192.168.55.0
add address=192.168.50.1/24 interface=vlan50 network=192.168.50.0
add address=192.168.100.5/24 comment="to access telecom modem" interface=\
    ether1 network=192.168.100.0
add address=192.168.98.1/24 interface=vlan98 network=192.168.98.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
# Every VLAN, the guest VLAN 20 included, is given 192.168.98.1 (the router's
# vlan98 address) as DNS server, so client DNS lands in the router's input chain.
add address=192.168.6.0/24 dns-server=192.168.98.1 gateway=192.168.6.1
add address=192.168.10.0/24 dns-server=192.168.98.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.98.1 gateway=192.168.20.1
add address=192.168.50.0/24 dns-server=192.168.98.1 gateway=192.168.50.1
add address=192.168.55.0/24 dns-server=192.168.98.1 gateway=192.168.55.1
add address=192.168.98.0/24 dns-server=192.168.98.1 gateway=192.168.98.1
/ip dns
# allow-remote-requests=yes makes the router answer DNS for anyone who can reach
# port 53; the first two filter rules are what limit that to "whitelist".
# NOTE(review): servers=192.168.98.1 is the router's own address; presumably the
# real upstream servers come from use-peer-dns on the PPPoE client - confirm.
set allow-remote-requests=yes servers=192.168.98.1
# Rules are evaluated top to bottom; accept, drop and reject end the walk for a
# packet. chain=input is traffic addressed to the router itself, chain=forward
# is traffic routed through it.
/ip firewall filter
# DNS to the router is dropped unless the source is on the "whitelist" address
# list. That list is not part of this export; these two rules have no
# in-interface matcher, so they apply to the VLANs too - presumably the LAN
# subnets are whitelisted, verify.
add action=drop chain=input comment="disable remote dns request" dst-port=53 \
    protocol=udp src-address-list=!whitelist
add action=drop chain=input dst-port=53 protocol=tcp src-address-list=\
    !whitelist
# On the PPPoE uplink only ICMP that belongs to an established connection is
# accepted; every other ICMP packet arriving there is dropped.
add action=accept chain=input comment="accept ping" connection-state=\
    established in-interface=pppoe-telecom protocol=icmp
add action=drop chain=input comment="disable ping" in-interface=pppoe-telecom \
    protocol=icmp
# Scan detection: each of the next seven rules only adds the source to
# "port scanners" for two weeks (psd heuristic or a TCP flag combination); the
# drop is the rule that follows them.
# NOTE(review): the flag rules list a source on a single packet, so a spoofed
# source address can end up listed; keep management sources on "whitelist".
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    src-address-list=!whitelist tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list " \
    protocol=tcp psd=21,3s,3,1 src-address-list=!whitelist
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp src-address-list=!whitelist tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    src-address-list=!whitelist tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
    tcp src-address-list=!whitelist tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
    src-address-list=!whitelist tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
    src-address-list=!whitelist tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" \
    src-address-list="port scanners"
# SSH throttle: each new connection to 22/2222 moves the source one step along
# ssh_stage1 -> ssh_stage2 -> ssh_stage3 (1 minute each) and then onto
# ssh_blacklist for 1w3d. These rules only tag or drop; none of them accepts SSH.
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22,2222 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=\
    22,2222 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22,2222 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22,2222 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22,2222 \
    protocol=tcp
# NOTE(review): this rule has no in-interface or src-address matcher and sits
# above "drop all from WAN", so Winbox (8291) and the API ports (8728/8729) are
# accepted from the PPPoE uplink as well. Whether those services are enabled is
# set in /ip service, which is not in this export. Unless management over the
# Internet is intended, restrict the rule with in-interface-list=vlan or
# src-address-list=whitelist.
add action=accept chain=input comment=winbox dst-port=8728,8729,8291 \
    protocol=tcp
# VPN listeners (SSTP, OpenVPN, IPsec ESP, L2TP/IKE/NAT-T) accepted from any source.
# NOTE(review): UDP 1701 is accepted whether or not it arrived inside IPsec; a
# separate 1701 rule with ipsec-policy=in,ipsec would limit L2TP to protected
# tunnels.
add action=accept chain=input comment=sstp dst-port=44443 protocol=tcp
add action=accept chain=input comment=ovpn dst-port=11194 protocol=tcp
add action=accept chain=input comment=ipsec_l2tp_a protocol=ipsec-esp
add action=accept chain=input comment=ipsec_l2tp_b dst-port=1701,500,4500 \
    protocol=udp
# Two forward-chain rules placed among the input rules: all traffic from or to
# the IKEv2 pool 192.168.13.0/24 is accepted here, ahead of the fasttrack rule,
# in any connection state and on any interface.
add action=accept chain=forward comment="bypass fasttrack for ikev2" \
    src-address=192.168.13.0/24
add action=accept chain=forward comment="bypass fasttrack for ikev2" \
    dst-address=192.168.13.0/24
# NOTE(review): established/related input traffic is accepted only here, after
# every tagging rule above has been evaluated for it; moving this rule up would
# save work per packet.
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=accept chain=input comment=\
    "# Allow VLANs to access router services like DNS, Winbox" \
    in-interface-list=vlan
# NOTE(review): the closing input drop matches in-interface=pppoe-telecom only.
# Input arriving on any other interface (ether1 itself, VPN client interfaces)
# that no rule above matched falls through to the default accept.
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=pppoe-telecom
# Fasttrack for all established/related forwarded traffic, inter-VLAN included.
# NOTE(review): fasttracked packets skip the rest of the firewall, mangle
# included, so the routing marks set in /ip firewall mangle may not be applied
# to them - confirm the policy routes still behave as intended.
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "# Optional: Allow all VLANs to access the Internet AND each other" \
    connection-state=new disabled=yes in-interface-list=vlan
# Inter-VLAN policy: only interfaces on vlan_server_wifi_lan_mgmt (vlan6, 10, 55
# and 98 per /interface list member) get an explicit accept towards other VLANs.
add action=accept chain=forward comment=\
    "allow specified vlan to access other vlan" connection-state=new \
    in-interface-list=vlan_server_wifi_lan_mgmt out-interface-list=vlan
# NOTE(review): as exported, list WAN contains ether1 only, while Internet
# traffic leaves through pppoe-telecom, so this rule presumably does not match
# it - confirm the list membership.
add action=accept chain=forward comment=\
    "# Allow all VLANs to access the Internet only, NOT each other" \
    connection-state=new in-interface-list=vlan out-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Unsolicited connections from the uplink are dropped unless a dst-nat rule
# matched them, so every enabled port forward in /ip firewall nat is let through.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=pppoe-telecom
# NOTE(review): the forward chain has no closing drop and the four guest reject
# rules below are disabled, so a new connection that matches no accept rule (for
# example from vlan20 towards another VLAN) still passes by default. A final
# chain=forward drop would enforce the isolation the rule comments describe.
# The address lists named below are not part of this export.
add action=reject chain=forward comment="isolate guest wifi to lan" disabled=\
    yes dst-address-list=vlan1_wired_lan-6.x log=yes reject-with=\
    icmp-network-unreachable src-address-list=vlan20_guest_ip-20.x
add action=reject chain=forward disabled=yes dst-address-list=\
    vlan10_wired_lan-10.x log=yes reject-with=icmp-network-unreachable \
    src-address-list=vlan20_guest_ip-20.x
add action=reject chain=forward disabled=yes dst-address-list=\
    vlan55_wireless_ip-55.x log=yes reject-with=icmp-network-unreachable \
    src-address-list=vlan20_guest_ip-20.x
add action=reject chain=forward disabled=yes dst-address-list=whitelist log=\
    yes reject-with=icmp-network-unreachable src-address-list=\
    vlan20_guest_ip-20.x
# Policy-routing marks. The address lists referenced here (trammo_subnet,
# gfwlist, 00internal_usevpn) and the sstp-hostusk / sstp-bwg interfaces are not
# defined in this export.
/ip firewall mangle
# Destinations on trammo_subnet use routing table ta_route (via tashivpn, see
# /ip route); passthrough=no stops further mangle processing for the packet.
add action=mark-routing chain=prerouting comment="trammo route" \
    dst-address-list=trammo_subnet new-routing-mark=ta_route passthrough=no
add action=mark-routing chain=prerouting comment="gfw through linode " \
    disabled=yes dst-address=!192.168.0.0/16 dst-address-list=gfwlist \
    dst-address-type=!local in-interface=vlan6 log-prefix=vps_gfw \
    new-routing-mark=route_hostusk passthrough=no src-address-list=\
    00internal_usevpn
# 192.168.12.0/22 spans 192.168.12.0-192.168.15.255, i.e. the four VPN pools.
add action=mark-routing chain=prerouting comment=\
    "vpn clients to gfw through linode " disabled=yes dst-address=\
    !192.168.0.0/16 dst-address-list=gfwlist dst-address-type=!local \
    log-prefix=vps_gfw new-routing-mark=route_hostusk passthrough=no \
    src-address=192.168.12.0/22
# Connections that use an IPsec policy are marked "ipsec".
# NOTE(review): no rule in this export matches connection-mark=ipsec; the usual
# purpose of this mark is to exclude such connections from fasttrack - confirm.
add action=mark-connection chain=forward comment="Mark IPsec Out" \
    ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="Mark IPsec In" \
    ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
# Per-connection classifier on both addresses with divisor 2: remainder 0 is
# marked conn_hostusk, remainder 1 (further down) conn_bwg, so gfwlist traffic
# from 00internal_usevpn is split across two tunnels.
add action=mark-connection chain=prerouting comment=pcc-vpn1 \
    dst-address-list=gfwlist dst-address-type=!local new-connection-mark=\
    conn_hostusk passthrough=yes per-connection-classifier=both-addresses:2/0 \
    src-address-list=00internal_usevpn
add action=mark-routing chain=prerouting connection-mark=conn_hostusk \
    dst-address-list=gfwlist new-routing-mark=route_hostusk passthrough=yes \
    src-address-list=00internal_usevpn
add action=mark-connection chain=input dst-address-list=gfwlist in-interface=\
    sstp-hostusk new-connection-mark=conn_hostusk passthrough=yes \
    src-address-list=00internal_usevpn
add action=mark-routing chain=output connection-mark=conn_hostusk \
    dst-address-list=gfwlist new-routing-mark=route_hostusk passthrough=yes \
    src-address-list=00internal_usevpn
add action=mark-connection chain=prerouting comment=pcc-vpn3 \
    dst-address-list=gfwlist dst-address-type=!local new-connection-mark=\
    conn_bwg passthrough=yes per-connection-classifier=both-addresses:2/1 \
    src-address-list=00internal_usevpn
add action=mark-routing chain=prerouting connection-mark=conn_bwg \
    dst-address-list=gfwlist new-routing-mark=route_bwg passthrough=yes \
    src-address-list=00internal_usevpn
add action=mark-connection chain=input dst-address-list=gfwlist in-interface=\
    sstp-bwg new-connection-mark=conn_bwg passthrough=yes src-address-list=\
    00internal_usevpn
add action=mark-routing chain=output connection-mark=conn_bwg \
    dst-address-list=gfwlist new-routing-mark=route_bwg passthrough=yes \
    src-address-list=00internal_usevpn
/ip firewall nat
# NOTE(review): this rule masquerades every connection between two
# 192.168.0.0/16 addresses, not only hairpinned port forwards. Routed inter-VLAN
# traffic (such as the NAS-to-PC copy in this thread) is therefore source-NATed
# to a router address, which costs CPU and hides the real client address from
# the servers' logs. The disabled per-service masquerade rules further down are
# the narrower form of the same thing.
add action=masquerade chain=srcnat comment="HAIRPIN NAT" dst-address=\
    192.168.0.0/16 src-address=192.168.0.0/16
add action=masquerade chain=srcnat comment="access internet" out-interface=\
    pppoe-telecom
add action=masquerade chain=srcnat comment="access telecom modem" \
    dst-address=192.168.100.0/24 out-interface=ether1
# l2tp-hostusk not ready
add action=masquerade chain=srcnat comment=l2tp-hostusk out-interface=\
    l2tp-hostusk
# sstp-hostusk and sstp-bwg are referenced here but not defined in this export.
add action=masquerade chain=srcnat comment=sstp-hostusk out-interface=\
    sstp-hostusk
add action=masquerade chain=srcnat comment=sstp-bwgvps out-interface=sstp-bwg
add action=masquerade chain=srcnat comment=pptp-tashi out-interface=tashivpn
# The three DNS redirect rules below are disabled.
add action=dst-nat chain=dstnat comment="access gfw through google dns" \
    disabled=yes dst-address=!192.168.0.0/16 dst-address-list=gfwlist \
    dst-port=53 log-prefix=google_dns protocol=udp src-address-list=\
    00internal_usevpn to-addresses=8.8.8.8 to-ports=53
add action=dst-nat chain=dstnat comment=\
    "vpn clients access nonlocal through google dns" disabled=yes \
    dst-address=!192.168.0.0/16 dst-address-list=gfwlist dst-port=53 \
    log-prefix=google_dns protocol=udp src-address=192.168.12.0/22 \
    to-addresses=8.8.8.8 to-ports=53
add action=dst-nat chain=dstnat comment="block porn" disabled=yes dst-port=53 \
    protocol=udp src-address-list="block porn" to-addresses=199.85.126.20 \
    to-ports=53
# VPN client pools are masqueraded on every path, with no out-interface matcher.
add action=masquerade chain=srcnat comment=l2tp src-address=192.168.12.0/24
add action=masquerade chain=srcnat comment=ikev2 src-address=192.168.13.0/24
add action=masquerade chain=srcnat comment=sstp src-address=192.168.14.0/24
add action=masquerade chain=srcnat comment=ovpn src-address=192.168.15.0/24
# Port forwards to hosts in 192.168.6.0/24 start here. The recurring pattern is
# a disabled hairpin masquerade, an active dst-nat matching
# dst-address-list=WAN_IP (no in-interface, so LAN clients using the public
# address are served too; the WAN_IP list is not in this export) and sometimes a
# disabled in-interface=pppoe-telecom variant.
# NOTE(review): several forwards publish management or cleartext services to any
# Internet source (RDP, SSH, FTP, rsync, camera and controller web UIs) and none
# carries a src-address-list. Limiting the sources, or reaching these hosts over
# the VPN servers already configured on this router, would reduce that exposure.
add action=dst-nat chain=dstnat comment=win2008_rdp dst-port=23388 \
    in-interface=pppoe-telecom protocol=tcp to-addresses=192.168.6.183 \
    to-ports=3389
add action=masquerade chain=srcnat comment=n4f_TransmissionWeb disabled=yes \
    dst-address=192.168.6.99 dst-port=9091 out-interface=vlan6 protocol=tcp \
    src-address=192.168.0.0/16
add action=dst-nat chain=dstnat comment=n4f_TransmissionWeb dst-address-list=\
    WAN_IP dst-port=9091 log=yes log-prefix=pt9091 protocol=tcp to-addresses=\
    192.168.6.99 to-ports=9091
add action=dst-nat chain=dstnat comment=n4f_TransmissionP2P dst-port=51413 \
    in-interface=pppoe-telecom protocol=tcp to-addresses=192.168.6.99 \
    to-ports=51413
add action=dst-nat chain=dstnat comment=n4f_TransmissionP2P dst-port=51413 \
    in-interface=pppoe-telecom protocol=udp to-addresses=192.168.6.99 \
    to-ports=51413
# FTP control (30021 -> 21) and its passive data range; FTP sends credentials
# in cleartext unless the server enforces TLS.
add action=dst-nat chain=dstnat comment=n4f_ftp_passive dst-port=65530-65534 \
    in-interface=pppoe-telecom protocol=tcp to-addresses=192.168.6.99 \
    to-ports=65530-65534
add action=dst-nat chain=dstnat comment=n4f_ftp dst-port=30021 in-interface=\
    pppoe-telecom protocol=tcp to-addresses=192.168.6.99 to-ports=21
add action=masquerade chain=srcnat comment=plex disabled=yes dst-address=\
    192.168.6.99 dst-port=32400 log-prefix=plex out-interface=vlan6 protocol=\
    tcp src-address=192.168.0.0/16
add action=dst-nat chain=dstnat comment=plex dst-address-list=WAN_IP \
    dst-port=32400 log-prefix=plex protocol=tcp to-addresses=192.168.6.99 \
    to-ports=32400
add action=dst-nat chain=dstnat disabled=yes dst-port=32400 in-interface=\
    pppoe-telecom log=yes log-prefix=plex protocol=tcp to-addresses=\
    192.168.6.99 to-ports=32400
add action=masquerade chain=srcnat comment=DSM_PSwebHttp disabled=yes \
    dst-address=192.168.6.122 dst-port=40080 out-interface=vlan6 protocol=tcp \
    src-address=192.168.0.0/16
add action=dst-nat chain=dstnat comment=DSM_PSwebHttp dst-address-list=WAN_IP \
    dst-port=40080 protocol=tcp to-addresses=192.168.6.122 to-ports=40080
add action=dst-nat chain=dstnat disabled=yes dst-port=40080 in-interface=\
    pppoe-telecom protocol=tcp to-addresses=192.168.6.122 to-ports=40080
add action=masquerade chain=srcnat comment="DSM_http(s)" disabled=yes \
    dst-address=192.168.6.122 dst-port=45000-45001 out-interface=vlan6 \
    protocol=tcp src-address=192.168.0.0/16
add action=dst-nat chain=dstnat comment="DSM_http(s)" dst-address-list=WAN_IP \
    dst-port=45000-45001 protocol=tcp to-addresses=192.168.6.122 to-ports=\
    45000-45001
add action=dst-nat chain=dstnat disabled=yes dst-port=45000-45001 \
    in-interface=pppoe-telecom protocol=tcp to-addresses=192.168.6.122 \
    to-ports=45000-45001
add action=masquerade chain=srcnat comment=DSM_PSwebHttps disabled=yes \
    dst-address=192.168.6.122 dst-port=40443 out-interface=vlan6 protocol=tcp \
    src-address=192.168.0.0/16
add action=dst-nat chain=dstnat comment=DSM_PSwebHttps dst-address-list=\
    WAN_IP dst-port=40443 protocol=tcp to-addresses=192.168.6.122 to-ports=\
    40443
add action=masquerade chain=srcnat comment=centos_https_443 disabled=yes \
    dst-address=192.168.6.111 dst-port=443 out-interface=vlan6 protocol=tcp \
    src-address=192.168.0.0/16
add action=dst-nat chain=dstnat comment=centos_https_443 dst-address-list=\
    WAN_IP dst-port=443 protocol=tcp to-addresses=192.168.6.111 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-port=443 in-interface=\
    pppoe-telecom protocol=tcp to-addresses=192.168.6.111 to-ports=443
add action=masquerade chain=srcnat comment=centos_https_33443 disabled=yes \
    dst-address=192.168.6.111 dst-port=33443 out-interface=vlan6 protocol=tcp \
    src-address=192.168.0.0/16
add action=dst-nat chain=dstnat comment=centos_https_33443 dst-address-list=\
    WAN_IP dst-port=33443 protocol=tcp to-addresses=192.168.6.111 to-ports=\
    33443
add action=dst-nat chain=dstnat disabled=yes dst-port=33443 in-interface=\
    pppoe-telecom protocol=tcp to-addresses=192.168.6.111 to-ports=33443
add action=masquerade chain=srcnat comment=n4f_btsync_gui disabled=yes \
    dst-address=192.168.6.99 dst-port=8888 out-interface=vlan6 protocol=tcp \
    src-address=192.168.0.0/16
add action=dst-nat chain=dstnat comment=n4f_btsync_gui dst-address-list=\
    WAN_IP dst-port=8888 protocol=tcp to-addresses=192.168.6.99 to-ports=8888
add action=dst-nat chain=dstnat disabled=yes dst-port=8888 in-interface=\
    pppoe-telecom protocol=tcp to-addresses=192.168.6.99 to-ports=8888
add action=dst-nat chain=dstnat comment=aria2_main dst-port=36800 \
    in-interface=pppoe-telecom protocol=tcp to-addresses=192.168.6.121 \
    to-ports=36800
add action=dst-nat chain=dstnat comment=aria2_main dst-port=36800 \
    in-interface=pppoe-telecom protocol=udp to-addresses=192.168.6.121 \
    to-ports=36800
add action=dst-nat chain=dstnat comment=aria2_p2p dst-port=36801-36809 \
    in-interface=pppoe-telecom protocol=tcp to-addresses=192.168.6.121 \
    to-ports=36801-36809
add action=dst-nat chain=dstnat comment=aria2_p2p dst-port=36801-36809 \
    in-interface=pppoe-telecom protocol=udp to-addresses=192.168.6.121 \
    to-ports=36801-36809
add action=masquerade chain=srcnat comment=hik2402 disabled=yes dst-address=\
    192.168.6.51 dst-port=60800 out-interface=vlan6 protocol=tcp src-address=\
    192.168.0.0/16
add action=dst-nat chain=dstnat comment=hik2402 dst-address-list=WAN_IP \
    dst-port=60800 protocol=tcp to-addresses=192.168.6.51 to-ports=60800
add action=dst-nat chain=dstnat comment=hik2402_https dst-port=60443 \
    in-interface=pppoe-telecom protocol=tcp to-addresses=192.168.6.51 \
    to-ports=443
add action=masquerade chain=srcnat comment=baidupcs disabled=yes dst-address=\
    192.168.6.98 dst-port=1999 log-prefix=baidupcs out-interface=vlan6 \
    protocol=tcp src-address=192.168.0.0/16
add action=dst-nat chain=dstnat disabled=yes dst-address-type=local dst-port=\
    1999 protocol=tcp to-addresses=192.168.6.98 to-ports=1999
# Mail ports forwarded to 192.168.6.98.
# NOTE(review): 25 and 143 are the ports without implicit TLS; confirm the mail
# server requires STARTTLS before it accepts credentials.
add action=masquerade chain=srcnat comment=smtp587 disabled=yes dst-address=\
    192.168.6.98 dst-port=587 log=yes log-prefix=smtp587 out-interface=vlan6 \
    protocol=tcp src-address=192.168.0.0/16
add action=dst-nat chain=dstnat comment=smtp587 dst-address-list=WAN_IP \
    dst-port=587 protocol=tcp to-addresses=192.168.6.98 to-ports=587
add action=masquerade chain=srcnat comment=smtp25 disabled=yes dst-address=\
    192.168.6.98 dst-port=25 log=yes log-prefix=smtp25 out-interface=vlan6 \
    protocol=tcp src-address=192.168.0.0/16
add action=dst-nat chain=dstnat comment=smtp25 dst-address-list=WAN_IP \
    dst-port=25 protocol=tcp to-addresses=192.168.6.98 to-ports=25
add action=dst-nat chain=dstnat disabled=yes dst-port=25 in-interface=\
    pppoe-telecom protocol=tcp to-addresses=192.168.6.123 to-ports=25
add action=masquerade chain=srcnat comment=imap143 disabled=yes dst-address=\
    192.168.6.98 dst-port=143 out-interface=vlan6 protocol=tcp src-address=\
    192.168.0.0/16
add action=dst-nat chain=dstnat comment=imap143 dst-address-list=WAN_IP \
    dst-port=143 protocol=tcp to-addresses=192.168.6.98 to-ports=143
add action=dst-nat chain=dstnat disabled=yes dst-port=465 in-interface=\
    pppoe-telecom protocol=tcp to-addresses=192.168.6.123 to-ports=465
add action=masquerade chain=srcnat comment=imap993 disabled=yes dst-address=\
    192.168.6.98 dst-port=993 out-interface=vlan6 protocol=tcp src-address=\
    192.168.0.0/16
add action=dst-nat chain=dstnat comment=imap993 dst-address-list=WAN_IP \
    dst-port=993 protocol=tcp to-addresses=192.168.6.98 to-ports=993
add action=dst-nat chain=dstnat disabled=yes dst-port=993 in-interface=\
    pppoe-telecom protocol=tcp to-addresses=192.168.6.123 to-ports=993
add action=masquerade chain=srcnat comment=aria2 disabled=yes dst-address=\
    192.168.6.98 dst-port=6880 out-interface=vlan6 protocol=tcp src-address=\
    192.168.0.0/16
add action=dst-nat chain=dstnat comment=aria2 dst-address-list=WAN_IP \
    dst-port=6880 protocol=tcp to-addresses=192.168.6.98 to-ports=6880
add action=masquerade chain=srcnat comment=aria2 disabled=yes dst-address=\
    192.168.6.98 dst-port=6800 out-interface=vlan6 protocol=tcp src-address=\
    192.168.0.0/16
add action=dst-nat chain=dstnat comment=aria2 dst-address-list=WAN_IP \
    dst-port=6800 protocol=tcp to-addresses=192.168.6.98 to-ports=6800
add action=masquerade chain=srcnat comment=qbittorrent disabled=yes \
    dst-address=192.168.6.98 dst-port=16888 out-interface=vlan6 protocol=tcp \
    src-address=192.168.0.0/16
add action=dst-nat chain=dstnat comment=qbittorrent_web dst-address-list=\
    WAN_IP dst-port=16888 protocol=tcp to-addresses=192.168.6.98 to-ports=\
    16888
add action=dst-nat chain=dstnat comment=qbittorrent_data dst-port=16881 \
    in-interface=pppoe-telecom protocol=tcp to-addresses=192.168.6.98 \
    to-ports=16881
add action=dst-nat chain=dstnat comment=qbittorrent_data dst-port=16881 \
    in-interface=pppoe-telecom protocol=udp to-addresses=192.168.6.98 \
    to-ports=16881
# SSH on 192.168.6.111 is published on 11122. The ssh_stage/ssh_blacklist rules
# in the filter table are chain=input and match 22/2222, so they do not cover
# this forwarded port.
add action=dst-nat chain=dstnat comment=Centos_ssh dst-port=11122 \
    in-interface=pppoe-telecom protocol=tcp to-addresses=192.168.6.111 \
    to-ports=22
add action=dst-nat chain=dstnat comment=emby_http dst-port=8096 in-interface=\
    pppoe-telecom protocol=tcp to-addresses=192.168.6.98 to-ports=8096
add action=masquerade chain=srcnat comment=unifi disabled=yes dst-address=\
    192.168.6.98 dst-port=8443 out-interface=vlan6 protocol=tcp src-address=\
    192.168.0.0/16
add action=dst-nat chain=dstnat comment=unifi dst-address-list=WAN_IP \
    dst-port=8443 protocol=tcp to-addresses=192.168.6.98 to-ports=8443
add action=masquerade chain=srcnat comment=emby-https disabled=yes \
    dst-address=192.168.6.98 dst-port=8920 out-interface=vlan6 protocol=tcp \
    src-address=192.168.0.0/16
add action=dst-nat chain=dstnat comment=emby-https dst-address-list=WAN_IP \
    dst-port=8920 protocol=tcp to-addresses=192.168.6.98 to-ports=8920
# NOTE(review): 873 is the usual rsync port, so the webdav/rsync labels on the
# next two rules look swapped - confirm which service each port reaches.
add action=dst-nat chain=dstnat comment=n4f_webdav dst-port=873 in-interface=\
    pppoe-telecom protocol=tcp to-addresses=192.168.6.99 to-ports=873
add action=dst-nat chain=dstnat comment=n4f_rsync dst-port=8081 in-interface=\
    pppoe-telecom protocol=tcp to-addresses=192.168.6.99 to-ports=8081
add action=dst-nat chain=dstnat comment=n4f_btsync_p2p dst-port=58222 \
    in-interface=pppoe-telecom protocol=tcp to-addresses=192.168.6.99 \
    to-ports=58222
# Static and policy routes. Entries with routing-mark belong to the tables
# selected by the mark-routing rules in /ip firewall mangle.
/ip route
# Table ta_route: four 10.x /16 networks through the PPTP client tashivpn.
add distance=1 dst-address=10.25.0.0/16 gateway=tashivpn routing-mark=\
    ta_route
add distance=1 dst-address=10.32.0.0/16 gateway=tashivpn routing-mark=\
    ta_route
add distance=1 dst-address=10.120.0.0/16 gateway=tashivpn routing-mark=\
    ta_route
add distance=1 dst-address=10.179.0.0/16 gateway=tashivpn routing-mark=\
    ta_route
# Default routes of the per-tunnel tables; check-gateway=ping withdraws a route
# while its gateway does not answer. No mangle rule in this export sets the
# routing mark vps_gfw (it appears there only as a log-prefix).
add check-gateway=ping distance=1 gateway=sstp-hostusk routing-mark=\
    route_hostusk
add check-gateway=ping distance=1 gateway=sstp-bwg routing-mark=route_bwg
add check-gateway=ping distance=1 gateway=l2tp-hostusk routing-mark=vps_gfw
# Main-table host routes that pin 8.8.8.8 and one api.telegram.org address to
# the tunnels, with the same three gateways listed for each.
add check-gateway=ping distance=1 dst-address=8.8.8.8/32 gateway=sstp-hostusk
add check-gateway=ping distance=1 dst-address=8.8.8.8/32 gateway=l2tp-hostusk
add check-gateway=ping distance=1 dst-address=8.8.8.8/32 gateway=sstp-bwg
add comment=api.telegram.org distance=2 dst-address=149.154.167.220/32 \
    gateway=sstp-hostusk
add comment=api.telegram.org distance=2 dst-address=149.154.167.220/32 \
    gateway=l2tp-hostusk
add comment=api.telegram.org distance=2 dst-address=149.154.167.220/32 \
    gateway=sstp-bwg
add distance=1 dst-address=192.168.12.0/24 gateway=bridge
add disabled=yes distance=1 dst-address=192.168.20.253/32 gateway=\
    192.168.6.253
add disabled=yes distance=1 dst-address=192.168.55.253/32 gateway=\
    192.168.6.253
# NOTE(review): the next hop 192.168.10.50 is the first address of vlan10-pool,
# so DHCP could lease it to a different host; confirm a static lease or a
# reservation exists (none is shown in this export).
add distance=1 dst-address=192.168.66.0/24 gateway=192.168.10.50

Hey

Note: next time use “code” tags.

The issue is that bridge-level VLAN filtering is done in hardware only on CRS3xx. On your platform, you can do it in hardware only through the switch menu.

# Quoted from the export: VLAN filtering is enabled on the bridge itself.
/interface bridge
add name=bridge vlan-filtering=yes

I tried setting vlan-filtering=no, and then I lost all connectivity. Any idea?




You’ll need to replicate the “/interface bridge port” config using switch functionality, see examples https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#VLAN_Example_1_.28Trunk_and_Access_Ports.29

I am reading up on it, but I am still confused about the following:
1. Shall I keep the settings in bridge vlans, or shall I remove them after I configure the switch menu?
2. Shall I add the CPU to every VLAN ID in the switch/vlan menu?
3. In the switch/port menu, what settings shall I give the CPU port?

When your PC is copying files from the NAS, your RBD52G is routing the traffic through all of those bloated firewall filter rules. It should be able to do better than 250Mbps, but quite probably it's not capable of Gbps wire-speed routing.

sure it is: https://mikrotik.com/product/hap_ac2#fndtn-testresults

furthermore, “add action=fasttrack-connection chain=forward connection-state=established,related”. nuff said

Finally, after I removed all the settings in bridge vlans and made the settings in the switch menu, I am now using hw offload. File copy speed is around 110MB/s and CPU usage is around 5%. Amazing. Thanks for your help.

