Internet slow with Mikrotik router

Hi, beginner with Mikrotik here.
Borrowing from Internet I got my RB4011iGS working. Port ether1 is for connection to the ISP. It is configured using vlan2 and vlan4. If I got it right.
It works all right, but instead of the high speed from the fiber connection to the ISP it sticks at 20 mbps.
The Mikrotik replaces a Fritzbox router provided by the ISP. The Fritzbox does show the high speeds I expect.
If I play around with the settings in the Mikrotik sometimes the speed is ok in a first speedtest, but when I repeat it it is slow. And remains slow.
I configured ether2 on the Mikrotik to connect to the Fritzbox and then the speed is ok. So the Mikrotik’s inherent speed is not the problem.

Can anyone on the forum shed some light on what I might have done wrong?
The configuration file is attached to this message.
Any help would be greatly welcomed!
ConfigRob.rsc (3.26 KB)

It is configured using vlan2 and vlan4.

Is this a requirement from your ISP? That is, do you need to “join” these two VLANs from your ISP in order to get Internet access?

If so, then you should only be using the VLAN virtual interfaces, not the physical interfaces.


what I might have done wrong?

You gutted the default configuration, is what you did. Compare the stock version to see how far you’ve strayed.

If I were you, I’d take the new configuration as a guide to work from, then reset to the stock configuration and reapply the minimal set of changes to get it working. Then, back up your now-working configuration and apply the rest of your changes one by one, testing at each change. Update the backup on each successful test, rollback on each failure.

Also, some broad advice: don’t rip all the IPv6 stuff out. Instead, get it working properly. The time for ignoring IPv6’s existence is long past.

Thanks for your prompt answer!

It is not a requirement from the ISP is not to join the vlans. According to them
vlan2 is for internet
vlan4 is for tv
vlan6 is for phone. I don’t use that.

However, when I first got it working, the signal came through vlan4. Don’t know what made vlan2 to work as well.

Apart from making configuration as similar to default (as suggested by @tangent) … I’d start by

  • removing DHCP client from anything but vlan2 interface. If your router manages to obtain DHCP lease on more than one interface, it may get lost as to which default route it should use.
  • removing vlan4 interface … you very likely don’t want to route IPTV traffic (you may want to switch it to IPTV set-top boxes, but if this is the case, you’ll have to approach L2 setup quite a bit differently than you have it now)
  • adding vlan2 interface to WAN interface list … this should make firewall and NAT rules work as intended without butchering all the firewall config

Firewall rules also need to be fixed because there is a big mix there. Not the correct rule order, etc. As an example:

/interface list
add name=WAN
add name=LAN
/interface list member
# replace the interface names below as needed
add interface=ether1 list=WAN
add interface=bridge1 list=LAN

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# LAN_List must already exist under /ip firewall address-list; if it does not,
# this rule matches nothing and the final input drop blocks access from the LAN
add action=accept chain=input comment=\
    "Allow access to router from known network" in-interface-list=LAN \
    src-address-list=LAN_List
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="Drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="internet" in-interface-list=LAN \
    out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
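The two replies above (a single DHCP client on an interface that is in the WAN list, and filter chains that drop invalid traffic and end in a drop) can be checked mechanically against a RouterOS export. The following is an added example, not code from any poster in this thread; `parse_export`, `audit` and the `SAMPLE` export are hypothetical names and constructed data.

```python
import re

# Constructed sample export for illustration (not the attached ConfigRob.rsc).
SAMPLE = r"""
/interface list member
add interface=ether1 list=WAN
/ip dhcp-client
add disabled=no interface=vlan2
add disabled=no interface=vlan4
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop non-LAN" in-interface-list=!LAN
"""

def parse_export(text):
    """Map each menu path to the list of key=value dicts from its 'add' lines."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join '\' continuation lines
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            pairs = re.findall(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|\S*)', line)
            current.append({k: v.strip('"') for k, v in pairs})
    return sections

def audit(text):
    """Return findings for the DHCP-client, WAN-list and rule-order advice."""
    cfg, findings = parse_export(text), []
    wan = {m.get("interface") for m in cfg.get("/interface list member", [])
           if m.get("list") == "WAN"}
    clients = [c.get("interface") for c in cfg.get("/ip dhcp-client", [])
               if c.get("disabled") != "yes"]
    if len(clients) > 1:
        findings.append("dhcp-client on several interfaces: " + ",".join(clients))
    findings += [f"{i}: dhcp-client but not in list WAN" for i in clients if i not in wan]
    rules = cfg.get("/ip firewall filter", [])
    for chain in ("input", "forward"):
        acts = [(r.get("action"), r.get("connection-state"))
                for r in rules if r.get("chain") == chain]
        if ("drop", "invalid") not in acts:
            findings.append(f"{chain}: no drop of connection-state=invalid")
        if not acts or acts[-1][0] != "drop":
            findings.append(f"{chain}: last rule is not a drop")
    return findings

if __name__ == "__main__": print(*audit(SAMPLE), sep="\n")
```

Run it against the output of `/export` saved to a file; an empty result means none of these specific checks fired, not that the ruleset is complete.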

Thanks guys, I got the speed all right now.

The tips from @mkx did the trick.

I will follow the advice of @Tangent and @johnson73 to get a more decent configuration, especially of the firewall.

I am having a similar problem. I am new to Mikrotik so I would appreciate some guidance on my config. I did enable Fast Path which improved speed a little, but I am still only at about 40% of my ISP speed. With FastTrack disabled I am at about 25%. When I set the router to be in Bridged mode, I get 100% of the speed. Let me know if you need any more detail and thanks in advance for your help here!

SFP 1 is my ISP Fiber ONT
SFP 2 and 3 are used.
SFP 4-7 are not used.
SFP8 is a wireless access point.

# aug/03/2025 19:48:32 by RouterOS 6.49.19
# software id = D6B7-USIA
#
# model = CRS309-1G-8S+
# serial number = ###########
/interface bridge
add admin-mac=##:##:##:##:##:## auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] advertise=2500M-full
set [ find default-name=sfp-sfpplus2 ] advertise=10000M-full
set [ find default-name=sfp-sfpplus3 ] advertise=1000M-half,1000M-full
set [ find default-name=sfp-sfpplus4 ] advertise="10M-half,10M-full,100M-half,\
    100M-full,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full"
set [ find default-name=sfp-sfpplus5 ] advertise="10M-half,10M-full,100M-half,\
    100M-full,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full"
set [ find default-name=sfp-sfpplus6 ] advertise="10M-half,10M-full,100M-half,\
    100M-full,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full"
set [ find default-name=sfp-sfpplus7 ] advertise="10M-half,10M-full,100M-half,\
    100M-full,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full"
set [ find default-name=sfp-sfpplus8 ] advertise=2500M-full
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.2-192.168.88.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=dhcp1
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf disabled=yes interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
add bridge=bridge comment=defconf interface=sfp-sfpplus3
add bridge=bridge comment=defconf interface=sfp-sfpplus4
add bridge=bridge comment=defconf interface=sfp-sfpplus5
add bridge=bridge comment=defconf interface=sfp-sfpplus6
add bridge=bridge comment=defconf interface=sfp-sfpplus7
add bridge=bridge comment=defconf interface=sfp-sfpplus8
/ip settings
set allow-fast-path=no
/interface list member
add interface=sfp-sfpplus1 list=WAN
add interface=bridge list=LAN
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
/ip dhcp-client
add disabled=no interface=sfp-sfpplus1
/ip dhcp-server lease
add address=192.168.88.2 client-id=1:a0:36:9e:15:81:ed mac-address=\
    A0:36:9E:15:81:ED server=dhcp1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.88.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=input in-interface-list=LAN src-address=\
    192.168.88.0/24
add action=drop chain=input in-interface-list=!LAN
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward connection-state=established,related
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu protocol=tcp \
    tcp-flags=syn
add action=change-mss chain=forward new-mss=clamp-to-pmtu protocol=tcp \
    tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip service
set telnet disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=America/New_York
/system routerboard settings
set boot-os=router-os

No, you don’t, CRS309 is a network switch, not a router.

It is a switch but can use RouterOS or SwitchOS. Seems like it can be either?

Yes, but a switch at first.
It CAN route, but it’s not really good at it.

What do you see as throughput?
I would expect somewhere from 300 - 500 mbps max.

Yes, that is about right. The max I got was ~700Mbs. My ISP is 2Gb. When in bridge mode I get 2.3Gb. I need a switch anyway so if CRS309-1G-8S+ can’t handle it, then I think I will get CCR2004-1G-12S+2XS for the routing function.

The CRS309 can do L3 offload with NAT, so it can handle it if you can stay within the limits of its capabilities: L3 Hardware Offloading - RouterOS - MikroTik Documentation