Basically it works as expected, except for one thing: Our customers report slow access to our server, via HTTPS. Everything looks normal but certainly there is some lagging when we connect from outside.
If I go to www.speedtest.net and test my internet speed I get this result:
However, if I plug the server directly to the modem I get this result:
I’m totally new to the Mikrotik OS and honestly don’t know what else to do to get the correct speed with my server connected behind the firewall. Attached is my configuration file. Please take a look at it and let me know what I can do.
CRS devices are not routers, they are switches (regardless of the marketing BS name which includes Router). Yeah, since they run ROS, they can route, but at shitty throughputs. And you’re getting what is realistically expected.
Now, the device does support L3 HW offload, so it can do some functions at wire speed, but it has to be configured very carefully (and from a quick glance at your config it’s not really close). The document about L3 hardware offloading may clear up a few things for you.
JFYI, the usual parameter suggested on the forums to evaluate a Mikrotik device's speed in routing is the 25 ip filter rules with 512-byte packets, which for your device (https://mikrotik.com/product/crs312_4c_8xg_rm#fndtn-testresults) is reported as 169.6 Mbps, and this is - understandably - with a “perfect” configuration, so you are not very distant from that.
Your WAN connections are to two DSL modem/routers (possibly provided by your ISP), aren’t they?
I am asking because your ip firewall filter rules seem (mind you, I am not an expert in this) very reduced when compared with the default configuration ones on Mikrotik routers (or with those often suggested on the forum) and appear not to be secure or tight enough, and when/if you add more rules your speed is likely to decrease further.
If you need the speed you likely need to add a “real” router such as a RB5009, or - to save some money - you could do with a hap AX2 or AX3 (that although being categorized as Access Points are more than decent routers for internet speeds up to 1 GB).
The “Pro” line of devices (RB1100, CRS, CHR and CCR) all come with an empty default config. So one can’t really blame someone fresh to ROS for coming up with a sub-optimal firewall setup.
No one is blaming anyone, only pointing out that the current firewall rules seem incomplete and adding more will most probably further slow down the achievable speed.
Thank you very much. That’s what I was suspecting.
For now I’ve done some tweaking in my network. There was a Synology backup unit which was using most of the bandwidth (despite having it set to use only half of it). I moved it directly to the modem (or first firewall if you like) and CPU usage went down from 100% to 2%. That is helping a little bit.
You mentioned “compared with default configuration” and I was pointing out that CRS devices don’t have any default … meaning that an unsuspecting fresh ROS user (without experience with MT devices which do have a very decent default firewall ruleset) can’t do any comparison. I simply pointed this out (if you weren’t aware of this fact, then I pointed this out for you).
They sure do have a built-in default which you can see through “/system/default-configuration/print” or whatever the command is or just do a “/reset-configuration” with “no-defaults=no” and compare with how it looks if you run the same command with “no-defaults=yes”.