Help needed: Poor download speed and semi frequent drops

Hi! I’ve been experiencing some issues with my router (MikroTik hEX S) and could use some help diagnosing and resolving them.

  • CPU Bottleneck: When downloading large files from the internet, the network becomes very sluggish. This is especially noticeable when I’m connecting with WireGuard to the hEX S at the same time. RDP becomes almost unusable. CPU seems OK, about 30%, but 100% on one of the cores. Even though the download speed is just 30 Mbps on a 600/600 connection, RDP starts stuttering.
  • Random Network Drops and HTTPS Errors: I’ve been experiencing random network drops and HTTPS errors, often under high load, but also with low load. This happens both on my phone and PC. When disconnecting from WiFi/WireGuard the site will be working fine again. I have no idea how to reproduce this problem, which makes it quite hard to troubleshoot.

I’ve tried to upgrade the firmware to the latest version and remove some unused firewall rules. The workload on my Proxmox host is Plex/Radarr/Sonarr and all that jazz, but mostly just local users in my household. Is this just too much to expect from a hEX S?

# 2025-04-01 18:47:16 by RouterOS 7.18.2
# software id = 7KG8-9573
#
# model = RB760iGS
# serial number = D4500F0CA973
/interface bridge
add admin-mac=DC:2C:6E:0B:34:89 auto-mac=no comment=defconf igmp-snooping=yes name=bridge port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] comment=WiFi
set [ find default-name=ether5 ] comment=VMHost
set [ find default-name=sfp1 ] advertise=10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=sfp1 name=ISPWAN vlan-id=202
add interface=bridge name=bridge-vlan10-management vlan-id=10
add interface=bridge name=bridge-vlan50-server vlan-id=50
add interface=bridge name=bridge-vlan100-internal vlan-id=100
add interface=bridge name=bridge-vlan150-iot vlan-id=150
add interface=bridge name=bridge-vlan151-zaptec vlan-id=151
add interface=bridge name=bridge-vlan200-guest vlan-id=200
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip dhcp-server option
add code=138 name=Omada-Controller value=0x0A00321E
/ip dhcp-server option sets
add name=omada options=Omada-Controller
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h name=s2s nat-traversal=no
/ip ipsec peer
add address=[hidden]/32 exchange-mode=ike2 name=s2s port=500 profile=s2s
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=8h name=s2s pfs-group=modp2048
/ip pool
add name=dhcp ranges=10.0.0.2-10.0.0.250
add name=l2tp_pool ranges=10.0.3.100-10.0.3.150
add name=dhcp_pool3 ranges=192.168.100.2-192.168.100.254
add name=vlan-200-guest-pool ranges=10.0.200.10-10.0.200.254
add name=vlan-151-zaptec-pool ranges=10.0.151.10-10.0.151.100
add name=vlan-10-management-pool ranges=10.0.10.100-10.0.10.254
add name=vlan-100-internal-pool ranges=10.0.100.10-10.0.100.254
add name=vlan-50-server-pool ranges=10.0.50.100-10.0.50.254
add name=vlan-150-iot-pool ranges=10.0.150.10-10.0.150.254
add name=VPN-POOL ranges=10.0.210.100-10.0.210.200
/ip dhcp-server
add address-pool=dhcp disabled=yes interface=bridge lease-time=10m name=LAN-dhcp
add address-pool=vlan-200-guest-pool interface=bridge-vlan200-guest lease-time=10m name=guest-dhcp
add address-pool=vlan-151-zaptec-pool interface=bridge-vlan151-zaptec lease-time=10m name=zaptec-dhcp
add address-pool=vlan-10-management-pool dhcp-option-set=omada interface=bridge-vlan10-management lease-time=10m name=management-dhcp
add address-pool=vlan-50-server-pool interface=bridge-vlan50-server lease-time=10m name=server-dhcp
add address-pool=vlan-100-internal-pool interface=bridge-vlan100-internal lease-time=10m name=internal-dhcp
add address-pool=vlan-150-iot-pool interface=bridge-vlan150-iot lease-time=10m name=iot-dhcp
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/ppp profile
add bridge=bridge dns-server=10.0.0.1 local-address=10.0.3.1 name=L2TP-Profile remote-address=l2tp_pool
add dns-server=10.0.210.1 local-address=10.0.210.1 name=OPENVPN-PROFILE remote-address=VPN-POOL use-encryption=yes
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing pimsm instance
add afi=ipv4 disabled=no name=pimsm-instance1 vrf=main
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 path-cost=10 pvid=100
add bridge=bridge comment=defconf disabled=yes ingress-filtering=no interface=sfp1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=";;; defconf" ingress-filtering=no interface=ether1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge tagged=ether2,bridge vlan-ids=50
add bridge=bridge tagged=ether2,bridge untagged=ether4 vlan-ids=10
add bridge=bridge tagged=ether2,bridge untagged=ether5 vlan-ids=100
add bridge=bridge tagged=ether2,bridge vlan-ids=150
add bridge=bridge tagged=ether2,bridge vlan-ids=151
add bridge=bridge tagged=ether2,bridge vlan-ids=200
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN
/interface l2tp-server server
set enabled=yes one-session-per-host=yes use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ISPWAN list=WAN
add interface=bridge-vlan200-guest list=LAN
add interface=wireguard1 list=LAN
add interface=bridge-vlan151-zaptec list=LAN
add interface=bridge-vlan10-management list=LAN
add interface=ether5 list=LAN
add interface=bridge-vlan100-internal list=LAN
add interface=bridge-vlan50-server list=LAN
add interface=bridge-vlan150-iot list=LAN
/interface ovpn-server server
add auth=sha1 certificate=server@MikroTik-hEX-S cipher=aes128-gcm,aes256-gcm default-profile=OPENVPN-PROFILE disabled=no mac-address=FE:9D:73:63:56:86 name=\
    ovpn-server1 require-client-certificate=yes
/interface wireguard peers
add allowed-address=192.168.200.3/32 interface=wireguard1 name=sinmid-tyrkia public-key="lDckeSBt7Y8lFAQgC7EAF4haM1+xb3f0/CTnZL+mEwM="
add allowed-address=192.168.200.4/32 interface=wireguard1 name=kyv-laptop public-key="CTQ5I5fzp8Hrq8hRMbehdJiGKVyDVJFLKH7oEJMA5Ww="
add allowed-address=192.168.200.5/32 interface=wireguard1 name=iphone public-key="L0snMcGFnPrXzzSCI9RNInB5r5MpMj3nxOoffIcxqnE="
add allowed-address=192.168.200.6/32 interface=wireguard1 name=laptop public-key="DqU+48L/wGPYFsI5YeqoZofNTXXJkNPVz4jistMNRT8="
add allowed-address=192.168.200.7/32 interface=wireguard1 name=ipad public-key="/dxRzkxkkwvxL0PtD49GtyS5ZBmK4d61PwKktJVWEis="
/ip address
add address=192.168.100.1/24 comment="Guest address space" disabled=yes interface=*B network=192.168.100.0
add address=192.168.200.1/24 interface=wireguard1 network=192.168.200.0
add address=10.0.150.1/24 interface=bridge-vlan150-iot network=10.0.150.0
add address=10.0.0.1/24 interface=bridge network=10.0.0.0
add address=10.0.200.1/24 interface=bridge-vlan200-guest network=10.0.200.0
add address=10.0.151.1/24 interface=bridge-vlan151-zaptec network=10.0.151.0
add address=10.0.50.1/24 interface=bridge-vlan50-server network=10.0.50.0
add address=10.0.10.1/24 interface=bridge-vlan10-management network=10.0.10.0
add address=10.0.100.1/24 interface=bridge-vlan100-internal network=10.0.100.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add default-route-tables=main interface=ISPWAN
/ip dhcp-server lease
add address=10.0.50.15 client-id=ff:11:5d:24:63:0:1:0:1:2b:1b:c2:6d:16:a:bd:fb:7b:5b mac-address=52:BE:11:5D:24:63 server=server-dhcp
add address=10.0.50.30 client-id=ff:26:77:e7:a8:0:1:0:1:29:9c:32:0:9e:41:26:77:e7:a8 mac-address=9E:41:26:77:E7:A8 server=server-dhcp
add address=10.0.50.13 client-id=1:6e:b3:ec:b9:9f:6e mac-address=6E:B3:EC:B9:9F:6E server=server-dhcp
add address=10.0.10.234 client-id=1:e8:48:b8:56:b4:12 mac-address=E8:48:B8:56:B4:12 server=management-dhcp
add address=10.0.100.240 client-id=1:94:dd:f8:b:a3:cd mac-address=94:DD:F8:0B:A3:CD server=internal-dhcp
add address=10.0.50.147 client-id=ff:5d:e2:6c:15:0:2:0:0:ab:11:98:74:43:20:62:1c:28:57 mac-address=68:1D:EF:34:74:6C server=server-dhcp
add address=10.0.100.233 client-id=1:0:d4:9e:5f:99:16 mac-address=00:D4:9E:5F:99:16 server=internal-dhcp
/ip dhcp-server network
add address=10.0.1.0/24 dns-server=10.0.50.30 gateway=10.0.1.1 netmask=24
add address=10.0.10.0/24 dns-server=10.0.50.30 gateway=10.0.10.1
add address=10.0.50.0/24 dns-server=10.0.50.30 gateway=10.0.50.1
add address=10.0.100.0/24 dns-server=10.0.50.30 gateway=10.0.100.1
add address=10.0.150.0/24 dns-server=10.0.50.30 gateway=10.0.150.1
add address=10.0.151.0/24 dns-server=1.1.1.1 gateway=10.0.151.1
add address=10.0.200.0/24 dns-server=10.0.50.30 gateway=10.0.200.1
add address=192.168.100.0/24 dns-server=1.1.1.1 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes mdns-repeat-ifaces=bridge-vlan200-guest,bridge-vlan100-internal,bridge-vlan150-iot,bridge-vlan10-management,bridge-vlan50-server servers=\
    [hidden]
/ip dns static
add address=10.0.10.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=[hidden].sn.mynetname.net list=WAN-IP
add address=10.0.0.0/16 list=all-lan-ranges
add address=192.168.200.0/24 list=all-lan-ranges
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=WIREGUARD dst-port=13231 in-interface=ISPWAN protocol=udp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-mark=!ipsec connection-state=established,related disabled=yes hw-offload=yes
add action=fasttrack-connection chain=forward comment=FastTrack connection-mark=!ipsec connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="LAN to Guest" in-interface=bridge out-interface=bridge-vlan200-guest
add action=accept chain=forward comment="L2TP Traffic out" out-interface-list=WAN src-address=10.0.3.0/24
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new
add action=accept chain=forward in-interface=bridge-vlan10-management out-interface=bridge-vlan50-server
add action=accept chain=forward in-interface=bridge-vlan10-management out-interface=bridge-vlan100-internal
add action=accept chain=forward in-interface=bridge-vlan10-management out-interface=bridge-vlan150-iot
add action=accept chain=forward in-interface=bridge-vlan10-management out-interface=bridge-vlan200-guest
add action=accept chain=forward in-interface=bridge-vlan50-server out-interface=bridge-vlan150-iot
add action=accept chain=forward in-interface=bridge-vlan50-server out-interface=bridge-vlan100-internal
add action=accept chain=forward in-interface=bridge-vlan100-internal out-interface=bridge-vlan150-iot
add action=accept chain=forward dst-address=10.0.10.237 dst-port=22,3389 in-interface=bridge-vlan100-internal protocol=tcp
add action=accept chain=forward in-interface=bridge-vlan200-guest out-interface=bridge-vlan150-iot
add action=accept chain=forward dst-address=10.0.50.30 dst-port=443,80 in-interface=bridge-vlan200-guest protocol=tcp
add action=accept chain=forward dst-address=10.0.50.30 in-interface=bridge-vlan100-internal protocol=icmp
add action=accept chain=forward comment="Wireguard to webserver" dst-address=10.0.50.30 dst-port=443,80 in-interface=wireguard1 protocol=tcp
add action=accept chain=forward dst-address=10.0.10.237 in-interface=wireguard1
add action=accept chain=forward dst-address=10.0.50.30 dst-port=443,80 in-interface=bridge-vlan100-internal protocol=tcp
add action=accept chain=forward comment="Sonos -> Home Assistant" dst-address=10.0.50.13 dst-port=1400 in-interface=bridge-vlan150-iot protocol=tcp
add action=accept chain=forward comment="Access portainer from internal" dst-address=10.0.50.30 dst-port=9443 in-interface=bridge-vlan100-internal protocol=tcp
add action=accept chain=forward comment=redlib dst-address=10.0.50.30 dst-port=1337 in-interface=bridge-vlan100-internal protocol=tcp
add action=accept chain=forward in-interface=wireguard1 out-interface=wireguard1
add action=accept chain=forward in-interface=bridge-vlan10-management out-interface=wireguard1
add action=accept chain=forward comment="openvpn out" out-interface-list=WAN src-address=10.0.210.0/24
add action=accept chain=forward dst-address=10.0.50.30 dst-port=53,67 protocol=tcp src-address-list=all-lan-ranges
add action=accept chain=forward dst-address=10.0.50.30 dst-port=53,67 protocol=udp src-address-list=all-lan-ranges
add action=accept chain=forward dst-address=10.0.50.10 dst-port=445,139 in-interface=bridge-vlan100-internal protocol=tcp
add action=accept chain=forward dst-address=10.0.50.10 dst-port=445,139 in-interface=wireguard1 protocol=tcp
add action=accept chain=forward comment="Management to Jano" disabled=yes dst-address=172.30.100.0/24 src-address=10.0.10.0/24
add action=drop chain=forward comment="Drop anything else"
/ip firewall mangle
add action=change-mss chain=forward disabled=yes dst-address=172.30.100.0/24 new-mss=1400 protocol=tcp src-address=10.0.10.0/24 tcp-flags=syn tcp-mss=!0-1400
add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=in,ipsec new-connection-mark=ipsec
/ip firewall nat
add action=dst-nat chain=dstnat comment="hairpin nat" dst-address-list=WAN-IP dst-port=443 protocol=tcp to-addresses=10.0.50.30 to-ports=443
add action=dst-nat chain=dstnat comment="hairpin nat" dst-address-list=WAN-IP dst-port=80 protocol=tcp to-addresses=10.0.50.30 to-ports=80
add action=masquerade chain=srcnat dst-address=10.0.50.30 out-interface-list=LAN protocol=tcp src-address=10.0.50.0/24
add action=masquerade chain=srcnat comment="management out" out-interface-list=WAN src-address=10.0.10.0/24
add action=masquerade chain=srcnat comment="server network out" ipsec-policy=out,none out-interface-list=WAN src-address=10.0.50.0/24
add action=masquerade chain=srcnat comment="LAN out" out-interface-list=WAN src-address=10.0.100.0/24
add action=masquerade chain=srcnat comment="IOT network out" out-interface-list=WAN src-address=10.0.150.0/24
add action=masquerade chain=srcnat comment=zaptec-out out-interface-list=WAN src-address=10.0.151.0/24
add action=masquerade chain=srcnat comment="Guest network out" out-interface-list=WAN src-address=10.0.200.0/24
add action=masquerade chain=srcnat comment="VPN out" out-interface-list=WAN src-address=192.168.200.0/24
add action=masquerade chain=srcnat comment="openVPN out" out-interface-list=WAN src-address=10.0.210.0/24
add action=dst-nat chain=dstnat comment="traefik http" dst-address-list=WAN-IP dst-port=80 protocol=tcp to-addresses=10.0.50.30 to-ports=80
add action=dst-nat chain=dstnat comment="traefik https" dst-address-list=WAN-IP dst-port=443 protocol=tcp to-addresses=10.0.50.30 to-ports=443
add action=dst-nat chain=dstnat comment=torrents dst-port=13339 in-interface-list=WAN protocol=tcp src-address-list="" to-addresses=10.0.50.30 to-ports=13339
add action=dst-nat chain=dstnat comment=plex dst-address-list=WAN-IP dst-port=32400 protocol=tcp to-addresses=10.0.50.30 to-ports=32400
add action=masquerade chain=srcnat comment="L2TP out" out-interface-list=WAN src-address=10.0.3.0/24
/ip ipsec identity
add peer=s2s
/ip ipsec policy
add dst-address=172.30.100.0/24 peer=s2s proposal=s2s src-address=10.0.0.0/16 tunnel=yes
add disabled=yes dst-address=172.30.100.0/24 peer=s2s proposal=s2s src-address=10.0.0.0/16 tunnel=yes
/ip route
add disabled=yes distance=1 dst-address=10.0.210.0/24 gateway=10.0.210.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet address=10.0.0.0/16
set ftp address=10.0.0.0/16
set www address=10.0.0.0/16
set ssh address=10.0.0.0/16
set api address=10.0.0.0/16
set winbox address=10.0.0.0/16
set api-ssl address=10.0.0.0/16
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/ppp secret
add name=asd profile=L2TP-Profile service=l2tp
add disabled=yes name=sinmid profile=L2TP-Profile service=l2tp
add name=sinmid profile=OPENVPN-PROFILE service=ovpn
/routing bfd configuration
add disabled=no
/routing igmp-proxy interface
add disabled=yes interface=bridge upstream=yes
add disabled=yes interface=*D
add disabled=yes interface=bridge-vlan200-guest
/routing pimsm interface-template
add disabled=no instance=pimsm-instance1 interfaces=bridge
add disabled=no instance=pimsm-instance1 interfaces=bridge-vlan200-guest
/system identity
set name=MikroTik-hEX-S
/system note
set show-at-login=no
/system ntp client
set enabled=yes

My topology looks something like this:

You should NOT enable IGMP Snooping (nor DHCP Snooping) on the hEX S. Doing so will disable hardware offload on the bridge: switching and VLAN filtering will need to be done entirely by the main CPU, and even L2 traffic will all need to share the single 1Gbps link to the main CPU (the other link is used by sfp1).

You should disable IGMP snooping on the bridge “bridge” and make sure that all ports under Bridge → Ports have the H flag (hardware offload active).

Unrelated, but you should not disable the “defconf: accept ICMP” rule in your firewall configuration. ICMP is not only used for ping! And enable ingress-filtering on all the bridge ports (it’s the default value in RouterOS 7). Detect Internet should not be used either (set all lists to none); it can cause many problems.

Other than that, if you have a lot of inter-VLAN traffic then maybe the hEX S is too weak for it (but with hardware offload and fasttrack working correctly, 930Mbps iperf3 throughput is still achievable).

Thanks a lot! I actually think this solved it for me. Even simple browsing seems more responsive.

I’m curious what IGMP snooping does, is it security related?
I’m only at advanced rookie status compared to what I read here.

10-15 years ago I was on this forum every few days, now I seldom get on because my stuff works fine, or I’m under the impression it does.

I’m on 7.18.2 and all my ingress filters are set to no. I don’t recall changing them from the default. I’m using an hAP ac but don’t recall how long ago I moved to this from my hAP lite. Would v6 have been the default firmware with an older router, and my imported rule set set the filters to no?

I think that flow control by default is disabled on most devices. RB951Ui-2HnD running ROS v6 has both Rx and Tx flow control disabled (and since setting is not present in export, it’s default). hAP ac lite, running v6, has them disabled (and not present in export), hAP ac2, netinstalled to v7 and configuration built on v7 defaults, has them disabled (again, not present in export). wAP ax, came with 7.15 (and netinstalled to 7.17), has them disabled as well.

So flow control might be enabled by default, but it’s gotta be device-specific default.

No, it’s not related to security. Turning on IGMP Snooping helps reduce the amount of bandwidth used on the ports (like ether1, ether2, sfp1, etc.) of the bridge/switch if there is a lot of multicast traffic.

Without IGMP Snooping, if you have a device in a subnet (a broadcast domain such as a VLAN, or the bridge interface if you have an IP address on it) receiving multicast packets (like when you are watching IPTV on that device), the switch (or the router if you use its bridging functionality) will flood those multicast packets to all ports of the bridge interface or VLAN interface, even if there are no devices connected to those ports that need the packets. When you turn on IGMP snooping, the switch (or router) listens to IGMP and MLD traffic and remembers which ports have devices subscribing to which multicast groups (IPv4 addresses under 224.0.0.0/4, IPv6 addresses under ff00::/8). Later it will only deliver multicast packets to the ports that have subscribed to the group matching the destination of the packet, and will no longer flood all ports.
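A small model of the flooding-versus-snooping behaviour described in the reply above, added here as an illustration and not taken from the thread or from RouterOS itself; the port names, the group address 239.1.2.3 and the membership reports are constructed for the demo, and MAC learning for unicast is deliberately left out.

```python
"""Toy model of a bridge forwarding multicast frames.

Without snooping, a multicast frame is flooded to every other port.
With snooping, the bridge remembers which ports sent IGMP/MLD
membership reports and delivers only to those. Added example, not
part of the original thread; all names and addresses are constructed.
"""
import ipaddress

MULTICAST_V4 = ipaddress.ip_network("224.0.0.0/4")
MULTICAST_V6 = ipaddress.ip_network("ff00::/8")


def is_multicast(address: str) -> bool:
    """True when the destination lies in the IPv4 or IPv6 multicast range."""
    ip = ipaddress.ip_address(address)
    return ip in MULTICAST_V4 or ip in MULTICAST_V6


class Bridge:
    """Bridge with a fixed list of ports; optionally snoops IGMP/MLD."""

    def __init__(self, ports, igmp_snooping=False):
        self.ports = list(ports)
        self.igmp_snooping = igmp_snooping
        self.members = {}  # group address -> set of subscribed ports

    def report(self, port, group):
        """A membership report for `group` was seen arriving on `port`."""
        if not is_multicast(group):
            raise ValueError(f"{group} is not a multicast group")
        if self.igmp_snooping:
            self.members.setdefault(group, set()).add(port)

    def leave(self, port, group):
        """A leave message: the port no longer wants that group."""
        if self.igmp_snooping:
            self.members.get(group, set()).discard(port)

    def egress_ports(self, ingress_port, dst):
        """Ports a frame arriving on `ingress_port` for `dst` is sent out of."""
        others = [p for p in self.ports if p != ingress_port]
        if not is_multicast(dst) or not self.igmp_snooping:
            # no snooping (or not multicast): flood to every other port
            return others
        subscribed = self.members.get(dst, set())
        return [p for p in others if p in subscribed]


def demo():
    """Same IPTV stream on two bridges; only ether3 has a subscriber."""
    ports = ["ether1", "ether2", "ether3", "ether4", "ether5"]
    stream = "239.1.2.3"  # constructed multicast group for the demo
    flooding = Bridge(ports)
    snooping = Bridge(ports, igmp_snooping=True)
    for bridge in (flooding, snooping):
        bridge.report("ether3", stream)
    return {
        "flooded": flooding.egress_ports("ether1", stream),
        "snooped": snooping.egress_ports("ether1", stream),
    }


if __name__ == "__main__":
    print(demo())
```

Keep in mind that on the hEX S the real bridge performs this in software once snooping is on, which is the cost the reply warns about.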


The default value has changed to yes in RouterOS 7, previously under 6.4x it was no. If you upgraded from ROS 6 to ROS 7 then the existing setting values are normally not modified.

HOWEVER, because your router is a hAP ac with a QCA8337 switch chip, it would be more efficient to set up VLANs with the /interface ethernet switch menu (see examples at https://help.mikrotik.com/docs/spaces/ROS/pages/15302988/Switch+Chip+Features#SwitchChipFeatures-SetupExamples) and not Bridge VLAN Filtering.


Yes, flow control is disabled by default on all devices. But in the previous post I wrote about ingress filtering, which is a setting on the VLAN property sheet of the ports.

Thanks for the reply, do you have a blog, website or video channel where you spread more info?