Hello, I’m new to networking. So I’ve been given a task to set up a MikroTik hotspot network where the user authentication is handled by a remote MikroTik router (RB1100AHx4) using User Manager.
Here’s the setup:
[Client Devices]
↓
RB750Gr3 (Hotspot + WireGuard Client) → ISP
↓
RB1100x4 (WireGuard Server + User Manager) ->ISP
My problem is clients connecting to the hotspot on the RB750Gr3 experience very slow internet speeds (around 1–2 Mbps), but it only happened when using username and password from user manager. Both router using ROS 7.6. Here is my configuration:
# aug/01/2025 08:33:11 by RouterOS 7.6
# software id = **ELIDED**
# model = RB1100x4
# serial number = **ELIDED**
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-ISP
set [ find default-name=ether2 ] name=ether2-AP
/interface wireguard
add listen-port=51820 mtu=1380 name=wireguard1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] login-by=cookie,http-chap,https,http-pap use-radius=\
yes
add dns-name=kumala-group-hotspot.com hotspot-address=10.10.10.1 login-by=\
cookie,http-chap,https,http-pap name=hsprof1 use-radius=yes
/ip pool
add name=dhcp_pool0 ranges=10.10.10.2-10.10.10.254
add name=dhcp_pool1 ranges=10.10.10.2-10.10.10.254
add name=dhcp_pool2 ranges=103.94.9.169-103.94.9.172,103.94.9.174
/ip dhcp-server
add address-pool=dhcp_pool2 interface=ether1-ISP name=dhcp1
/ip hotspot
add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=hotspot1 \
profile=hsprof1
/port
set 0 name=serial0
set 1 name=serial1
/user-manager profile
add name=admins name-for-users=admins starts-when=first-auth
add name=users name-for-users=users starts-when=first-auth
/user-manager user
add name=kumala-user
add name=kumala-user2
add name=kumala-admin
add name=fadiyah shared-users=10
add name=ardi shared-users=10
add name=nanes shared-users=10
/interface bridge port
add bridge=bridge1 interface=ether2-AP
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether6
/interface l2tp-server server
set enabled=yes
/interface wireguard peers
add allowed-address=192.168.10.2/32 interface=wireguard1 public-key=\
[spoiler]"B/JdMlsamYxmDzxQdAiHk4w+Cud6r2mP88TAa+4bTXM="[/spoiler]
/ip address
add address=10.10.10.1/24 interface=bridge1 network=10.10.10.0
add address=192.168.10.1/24 interface=wireguard1 network=192.168.10.0
add address=103.94.9.173/29 interface=ether1-ISP network=103.94.9.168
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=103.94.9.168/29 gateway=103.94.9.173
/ip dns
set servers=103.94.11.127,103.94.10.147
/ip firewall filter
add action=accept chain=input comment="Allow RADIUS from WG client" port=\
1812,1813 protocol=udp src-address=192.168.10.2
add action=accept chain=input disabled=yes dst-port=1813 protocol=udp \
src-address=127.0.0.1
add action=accept chain=input disabled=yes dst-port=1812 protocol=udp \
src-address=127.0.0.1
add action=accept chain=input disabled=yes src-address=127.0.0.1 \
src-address-list=127.0.0.1
add action=accept chain=input disabled=yes dst-address=127.0.0.1
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=accept chain=input disabled=yes port=1812 protocol=udp \
src-address=10.10.20.1
add action=accept chain=input comment="Allow WireGuard VPN" dst-port=13231 \
protocol=udp
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat out-interface=ether1-ISP
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
disabled=yes out-interface=ether1-ISP src-address=10.10.10.0/24
/ip hotspot user
add name=kumala-admin
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=103.94.9.170 routing-table=main \
suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set www-ssl disabled=no
set api disabled=yes
set winbox port=8877
set api-ssl disabled=yes
/radius
add address=127.0.0.1 service=login,hotspot src-address=127.0.0.1
/radius incoming
set accept=yes
/system clock
set time-zone-name=Asia/Jakarta
/system identity
set name=kumala-server
/system logging
add topics=radius
add topics=radius,debug
add topics=manager
add topics=interface
add topics=interface
add topics=route
/user-manager
set certificate=*0 enabled=yes use-profiles=yes
/user-manager router
add address=192.168.10.2 name=RB750
add address=127.0.0.1 name=server
/user-manager user-profile
add profile=users user=kumala-user
add profile=admins user=kumala-admin
add profile=admins user=fadiyah
add profile=users user=kumala-user2
add profile=admins user=ardi
add profile=users user=nanes
# aug/01/2025 09:31:36 by RouterOS 7.6
# software id = **ELIDED**
# model = RB750Gr3
# serial number = **ELIDED**
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-ISP
set [ find default-name=ether2 ] disabled=yes name=ether2-Zerotier_VPN
set [ find default-name=ether3 ] name=ether3-AP
/interface wireguard
add listen-port=51820 mtu=1380 name=wireguard1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] dns-name=kumala-hotspot.com use-radius=yes
add dns-name=kumala-hotspot.com hotspot-address=10.10.20.1 html-directory=\
flash/hotspot name=hsprof1 use-radius=yes
/ip pool
add name=dhcp_pool0 ranges=\
192.168.30.1-192.168.30.9,192.168.30.11-192.168.30.254
add name=dhcp_pool1 ranges=10.10.20.2-10.10.20.254
add name=dhcp_pool2 ranges=\
192.140.20.1-192.140.20.27,192.140.20.29-192.140.20.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge1 name=dhcp2
/ip hotspot
add address-pool=dhcp_pool1 disabled=no interface=bridge1 name=hotspot1 \
profile=hsprof1
/port
set 0 name=serial0
/queue type
add kind=pcq name=UPLOAD pcq-classifier=src-address pcq-rate=512k
add kind=pcq name=DOWNLOAD pcq-classifier=dst-address pcq-rate=1M
/routing table
add disabled=yes fib name=via-softeth
/interface bridge port
add bridge=bridge1 interface=ether3-AP
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=103.94.9.173 endpoint-port=\
51820 interface=wireguard1 persistent-keepalive=5h47m44s public-key=\
[spoiler]"iGGwdtEPDkkKcKIhZz1sDRCJlNGivIWcSj8VlRqdNE8="[/spoiler]
/ip address
add address=10.10.20.1/24 interface=bridge1 network=10.10.20.0
add address=192.168.10.2/24 comment="wireguard ip's" interface=wireguard1 \
network=192.168.10.0
/ip dhcp-client
add interface=ether1-ISP
/ip dhcp-server network
add address=10.10.20.0/24 dns-server=8.8.8.8 gateway=10.10.20.1
add address=192.140.20.0/24 gateway=192.140.20.28
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall filter
add action=accept chain=forward disabled=yes hotspot=auth
add action=accept chain=forward comment=\
"Allow established/related connections" connection-state=\
established,related disabled=yes
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
/ip firewall nat
add action=accept chain=pre-hotspot disabled=yes hotspot=auth
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
out-interface=ether1-ISP src-address=10.10.20.0/24
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=accept chain=srcnat comment="Bypass NAT for RADIUS via WG" \
dst-address=192.168.10.1 dst-port=1812,1813 protocol=udp src-address=\
192.168.10.2
/ip hotspot user
add disabled=yes name=kumala-admin
add name=admin
/ip proxy
set enabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes
/radius
add address=192.168.10.1 service=login,hotspot,wireless
/radius incoming
set accept=yes
/system clock
set time-zone-name=Asia/Makassar
/system identity
set name=kumala-hotspot
/system logging
add topics=hotspot
add topics=manager
add topics=firewall
add topics=radius