Internet Speed Issue

Hello Mikrotik Friends,
I have an RB4011 running ROS 7.9.2 at home.
My broadband service is a fiber to the property type service, although I found out after I had it activated that the connection to my apartment is via something called GPON which means that I can’t use the Fiber port on my RB4011 as a fiber port, rather I have to use the provided router from the supplier in Bridge mode.

So, Provided Router is connected to my RB4011 via the Fiber port (which has an SFP to Ethernet module thing in it) with a CAT6 cable.
My laptop is connected to my RB4011 via CAT6 cable.
My internet service is apparently a 1Gbps service.

When I connect the laptop directly to the service provider router and use a PPPoE client on my laptop to connect to the internet, a speedtest shows around 950Mbps download and around 500Mbps upload… which I think is quite OK.
When I connect the RB4011, using PPPoE client to connect to the internet etc etc, and connect my laptop using the same CAT6 cable to the RB4011, I only get around 400Mbps download but still around 500Mbps upload.
Currently, just my laptop (via cable) and my phone (via WiFi) connected.

Does anyone have any suggestions for anything to try or check or do?

Thanks

Colin

First thing that comes to mind is…what MTU did you specify?
Can you share your config?

/export file=anynameyoulike

Make sure to remove serial and any personal info (like public IP).

Not aware that I’ve “set” an MTU anywhere… I think the MTU that is showing up on the PPPoE interface (1480) comes from the provider (well, from the router that the service provider gave me I guess). But here’s what I guess is the relevant bit of the config:

/interface pppoe-client add add-default-route=yes disabled=no interface=sfp-sfpplus1 name=pppoe-out1 use-peer-dns=yes user=xxxxxx

Is this something that I could try to increase myself? I’ve just checked somewhere else where I have an RB4011 with the internet coming in via PPPoE connection via the fiber port and the MTU there is 1492.

My recent experience when moving from VDSL (30/5 Mbps subscription) to PPPoE over GPON (1000/100 Mbps subscription): I was using a hAP ac2 running 6.49.7 (at that time) and simply changing ISP’s devices restored services for me. But initially the speed was a disappointment as well, I could see something like 300/100.

Then I decided my hAP ac2 was long overdue for upgrade to v7 and I prepared a RB951G (running 7.8) as temporary replacement. And it blew my mind as the venerable RB951G was able to route at 950Mbps (then CPU usage peaked). The configuration between old hAP ac2 and RB951G wasn’t different so much that it would explain the huge difference in performance. Then I netinstalled hAP ac2 and configured it according to my wishes (keeping default config as a base) and now hAP ac2 (serving as main router) can shift those 1000/100 with 25% of CPU load (average over all 4 CPU cores, none of them go above 50% when running multi-threaded speedtest). I left MTU settings (and other as well) at default (for MTU that’s 1480 as negotiated between PPPoE client and server on ISP side).
Then I performed another test: keeping exactly the same configuration, but disabling fasttrack rule, router could route at around 450Mbps (but load of none of CPU cores peaked above 70% so this leaves me wondering where’s the bottleneck). This test indicates the performance in IPv6 (as fasttrack is not supported for IPv6) with decently high error margin.

So I’d recommend you to netinstall your RB4011 to get rid of any of lingering garbage in configuration which only causes slowdowns.

Thanks very much,
I’ve had a read about the NetInstall tool - think I’ll try it on one of my other devices that I’m not actively using first, but does look good.

Regarding the MTU situation… I’ve increased the MTU for the physical interface on which the PPPoE client is running (increased to 1540)… strangely, the MTU for the PPPoE client starts out with 1492 and then after 10-15 seconds drops to 1480 again. Not sure what that is all about.

Interestingly, when I disabled the FastTrack rules, the internet speed test got worse.
I tried disabling the SSTP VPN client that’s running (it’s a site-to-site connection that I’ve got setup between two Mikrotik boxes) but that made no difference.

The connection between your PPPoE client (i.e. RB4011) and ISP’s gadget may not be the only bottleneck. And even if it was, also MTU on ISP gadget would have to be changed accordingly. There are other interfaces which might be out of control of you and your ISP equally (GPON network could be run by yet another company). Hence PPPoE determines MTU and (luckily) ROS sets MTU of pppoe-out interface accordingly. Which reduces amount of problems.

However: MTU reduction you see doesn’t cause throughput drop you see (from 1Gbps to a few 100 Mbps). If this was the reason, then you’d likely see a few 100 kbps of throughput if anything at all. The lower-than-ideal MTU throughput reduction is marginal, it’s around 1.37% (due to higher ratio of overhead … PPPoE encapsulated TCP packet has total of 48 bytes of headers, when using MTU of 1500 the payload is then 1460 bytes meaning overhead is 3.29%, and when using MTU of 1480 the payload is 1440 bytes with overhead of 3.33%). Which is only true if PMTUD works as it should (sometimes it doesn’t due to errors in routers’ configurations).
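The header arithmetic in the post above, carried through to the wire as an added example (not part of the original posts): it computes how much of a gigabit link is left for TCP payload at a given PPPoE MTU. It goes beyond the post by also counting Ethernet framing, preamble and inter-frame gap; the function and field names are assumptions made for this sketch.

```python
"""TCP goodput over PPPoE on gigabit Ethernet for a given PPPoE MTU (added example)."""
from dataclasses import dataclass

# Per-frame costs in bytes on the Ethernet segment between router and ISP device.
ETH_HEADER = 14          # destination MAC + source MAC + EtherType
ETH_FCS = 4              # frame check sequence
ETH_PREAMBLE_IFG = 20    # 7 preamble + 1 start delimiter + 12 inter-frame gap
PPPOE_PPP = 8            # 6-byte PPPoE header + 2-byte PPP protocol field
IP_HEADER = {4: 20, 6: 40}
TCP_HEADER = 20          # without options


@dataclass(frozen=True)
class Goodput:
    mss: int               # largest TCP segment that fits the PPPoE MTU
    wire_bytes: int        # bytes of link time consumed per full-size packet
    efficiency: float      # TCP payload bytes / wire bytes
    mbps: float            # TCP payload rate at the given line rate
    frames_per_sec: float  # full-size frames per second at line rate


def tcp_goodput(pppoe_mtu, line_rate_mbps=1000.0, ip_version=4, tcp_options=0):
    """Best-case TCP payload rate when every packet fills the PPPoE MTU.

    tcp_options is the number of TCP option bytes per segment
    (for example 12 when TCP timestamps are in use).
    """
    if ip_version not in IP_HEADER:
        raise ValueError("ip_version must be 4 or 6")
    mss = pppoe_mtu - IP_HEADER[ip_version] - TCP_HEADER
    payload = mss - tcp_options
    if payload <= 0:
        raise ValueError("MTU too small to carry any TCP payload")
    wire = pppoe_mtu + PPPOE_PPP + ETH_HEADER + ETH_FCS + ETH_PREAMBLE_IFG
    efficiency = payload / wire
    frames = line_rate_mbps * 1_000_000 / 8 / wire
    return Goodput(mss, wire, efficiency, efficiency * line_rate_mbps, frames)


def relative_loss(mtu_low, mtu_high, **kwargs):
    """Fraction of goodput given up by running mtu_low instead of mtu_high."""
    low = tcp_goodput(mtu_low, **kwargs)
    high = tcp_goodput(mtu_high, **kwargs)
    return 1 - low.mbps / high.mbps


if __name__ == "__main__":
    # The two PPPoE MTU values seen in this thread.
    for mtu in (1480, 1492):
        g = tcp_goodput(mtu)
        print(f"MTU {mtu}: MSS {g.mss}, {g.wire_bytes} B on wire, "
              f"{g.mbps:.1f} Mbps goodput, {g.frames_per_sec:,.0f} frames/s")
    print(f"1480 vs 1492: {relative_loss(1480, 1492):.3%} less goodput")
```
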

Before I go and reset my config and re-build from scratch, here’s the full config (using export hide-sensitive of course). If anyone has any thoughts as to what could be causing my issue that would be great. Config is fairly vanilla, other than maybe the SSTP stuff and Certificate Renewal Script (I’ve already tried disabling all the SSTP stuff but that had no effect).

/interface bridge add admin-mac=48:A9:8A:5C:CD:E5 auto-mac=no comment=defconf name=LocalNetwork
/interface ethernet set [ find default-name=ether10 ] mtu=1540
/interface ethernet set [ find default-name=sfp-sfpplus1 ] mtu=1540
/interface wireless set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge name=wlan-2,5ghz ssid="My Home Network" wireless-protocol=802.11
/interface wireless set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge name=wlan-5ghz secondary-frequency=auto ssid="My Home Network (5GHz)" wireless-protocol=802.11
/interface pppoe-client add add-default-route=yes disabled=no interface=sfp-sfpplus1 name=pppoe-out1 use-peer-dns=yes user=[xxx]
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk comment=defconf disable-pmkid=yes mode=dynamic-keys supplicant-identity=MikroTik
/ip pool add name=dhcp ranges=192.168.157.100-192.168.157.254
/ip dhcp-server add address-pool=dhcp interface=LocalNetwork lease-time=10m name=defconf
/port set 0 name=serial0
/port set 1 name=serial1
/ppp profile add dns-server=192.168.157.1 local-address=192.168.157.1 name="SSTP VPN" remote-address=dhcp
/interface sstp-client add connect-to=[xxx] disabled=no name=SSTP-to-DH profile=default-encryption user=[xxx]
/interface bridge port add bridge=LocalNetwork comment=defconf interface=ether2
/interface bridge port add bridge=LocalNetwork comment=defconf interface=ether3
/interface bridge port add bridge=LocalNetwork comment=defconf interface=ether4
/interface bridge port add bridge=LocalNetwork comment=defconf interface=ether5
/interface bridge port add bridge=LocalNetwork comment=defconf interface=ether6
/interface bridge port add bridge=LocalNetwork comment=defconf interface=ether7
/interface bridge port add bridge=LocalNetwork comment=defconf interface=ether8
/interface bridge port add bridge=LocalNetwork comment=defconf interface=ether9
/interface bridge port add bridge=LocalNetwork comment=defconf interface=wlan-5ghz
/interface bridge port add bridge=LocalNetwork comment=defconf interface=wlan-2,5ghz
/interface bridge port add bridge=LocalNetwork interface=ether1
/interface bridge port add bridge=LocalNetwork interface=ether10
/ip neighbor discovery-settings set discover-interface-list=LAN
/interface list member add comment=defconf interface=LocalNetwork list=LAN
/interface list member add interface=pppoe-out1 list=WAN
/interface list member add interface=sfp-sfpplus1 list=WAN
/interface list member add interface=ether10 list=WAN
/interface sstp-server server set certificate=letsencrypt-autogen_2023-06-14T12:22:12Z enabled=yes
/ip address add address=192.168.157.1/24 comment=defconf interface=LocalNetwork network=192.168.157.0
/ip cloud set ddns-enabled=yes
/ip dhcp-client add comment=defconf disabled=yes interface=sfp-sfpplus1
/ip dhcp-server lease add address=192.168.157.10 client-id=1:a0:ce:c8:98:f:b1 mac-address=A0:CE:C8:98:0F:B1 server=defconf
/ip dhcp-server network add address=192.168.157.0/24 comment=defconf gateway=192.168.157.1 netmask=24
/ip dns set allow-remote-requests=yes
/ip dns static add address=192.168.157.1 comment=defconf name=router.lan
/ip dns static add address=192.168.10.2 name=[xxx]
/ip dns static add address=192.168.10.16 name=[xxx]
/ip dns static add address=192.168.10.2 name=[xxx]
/ip dns static add address=192.168.10.17 name=[xxx]
/ip dns static add address=192.168.30.2 name=[xxx]
/ip dns static add address=192.168.10.2 name=[xxx]
/ip firewall address-list add address=192.168.150.0/24 list=MySubnets
/ip firewall address-list add address=192.168.10.0/24 list=DH-Subnets
/ip firewall address-list add address=192.168.20.0/24 list=DH-Subnets
/ip firewall address-list add address=192.168.30.0/24 list=DH-Subnets
/ip firewall address-list add address=192.168.40.0/24 list=DH-Subnets
/ip firewall address-list add address=192.168.178.0/24 list=MySubnets
/ip firewall address-list add address=192.168.151.0/24 list=DH-Subnets
/ip firewall address-list add address=192.168.152.0/24 list=DH-Subnets
/ip firewall address-list add address=192.168.153.0/24 list=DH-Subnets
/ip firewall address-list add address=192.168.154.0/24 list=DH-Subnets
/ip firewall address-list add address=192.168.155.0/24 list=DH-Subnets
/ip firewall address-list add address=192.168.156.0/24 list=DH-Subnets
/ip firewall address-list add address=192.168.157.0/24 list=MySubnets
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="Allow SSL VPN" dst-port=443 in-interface-list=WAN protocol=tcp
/ip firewall filter add action=accept chain=input comment="Accept from Local Subnets" src-address-list=MySubnets
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp src-address-list=MySubnets
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp src-address-list=DH-Subnets
/ip firewall filter add action=accept chain=input comment=LetsEncrypt disabled=yes dst-port=80 protocol=tcp
/ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=forward comment="Accept from Local Subnets" src-address-list=MySubnets
/ip firewall filter add action=accept chain=forward comment="Accept from Local Subnets" src-address-list=DH-Subnets
/ip firewall filter add action=accept chain=forward comment="Allow DNS" dst-port=53 protocol=udp src-address=192.168.157.0/24
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall filter add action=drop chain=forward
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall nat add action=masquerade chain=srcnat dst-address=!192.168.157.50 src-address=192.168.157.50
/ip route add disabled=no dst-address=192.168.10.0/24 gateway=SSTP-to-DH routing-table=main suppress-hw-offload=no
/ip route add disabled=no distance=1 dst-address=192.168.20.0/24 gateway=SSTP-to-DH pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=1 dst-address=192.168.30.0/24 gateway=SSTP-to-DH pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=1 dst-address=192.168.40.0/24 gateway=SSTP-to-DH pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no dst-address=192.168.150.0/24 gateway=SSTP-to-DH routing-table=main suppress-hw-offload=no
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set ssh disabled=yes
/ip service set www-ssl certificate=letsencrypt-autogen_2023-06-14T12:22:12Z
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/ipv6 firewall address-list add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
/ipv6 firewall address-list add address=::1/128 comment="defconf: lo" list=bad_ipv6
/ipv6 firewall address-list add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
/ipv6 firewall address-list add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
/ipv6 firewall address-list add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
/ipv6 firewall address-list add address=100::/64 comment="defconf: discard only " list=bad_ipv6
/ipv6 firewall address-list add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
/ipv6 firewall address-list add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
/ipv6 firewall address-list add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept HIP" protocol=139
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ppp secret add local-address=192.168.157.1 name=cs remote-address=192.168.157.50 service=sstp
/system clock set time-zone-name=Asia/Kuala_Lumpur
/system identity set name=[xxx]
/system leds add interface=wlan-2,5ghz leds=wlan-2,5ghz_signal1-led,wlan-2,5ghz_signal2-led,wlan-2,5ghz_signal3-led,wlan-2,5ghz_signal4-led,wlan-2,5ghz_signal5-led type=wireless-signal-strength
/system leds add interface=wlan-2,5ghz leds=wlan-2,5ghz_tx-led type=interface-transmit
/system leds add interface=wlan-2,5ghz leds=wlan-2,5ghz_rx-led type=interface-receive
/system note set show-at-login=no
/system routerboard settings set enter-setup-on=delete-key
/system scheduler add interval=10w5d name=RenewLetsEncrypt on-event=LetsEncryptRenewal policy=read,write start-date=jun/15/2023 start-time=06:43:11
/system script add dont-require-permissions=no name=LetsEncryptRenewal owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":log info \"Script - Certificate renewal start\"\r\
    \n\r\
    \n:local commName \"[xxx]\"\r\
    \n:local dnsName  \"[xxx]\"\r\
    \n\r\
    \n/ip firewall filter\r\
    \nenable [find where comment=\"LetsEncrypt\"]\r\
    \n\r\
    \n#Delete old certificate, create new certificate\r\
    \n/certificate\r\
    \nremove [find where common-name=\$commName]\r\
    \nenable-ssl-certificate dns=\$dnsName\r\
    \n\r\
    \n# better insert here a loop that check when cert is ready, or timeout after x seconds\r\
    \n:delay 45s\r\
    \n\r\
    \n/certificate\r\
    \n:local certName [get [find where common-name=\$commName] name]\r\
    \n\r\
    \n#Set new certificate in SSTP Profile\r\
    \n/interface sstp-server server\r\
    \nset certificate=\$certName\r\
    \n\r\
    \n/ip firewall filter\r\
    \ndisable [find where comment=\"LetsEncrypt\"]"
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

On the topic of resetting the config. If I reset the device and tell it NOT to use the default config, how do I connect to the device? Presumably set a fixed IP on my laptop within the 192.168.88.x IP range, and then connect to one of the interfaces other than ether1 right? Will Winbox let me connect with this?

If you reset the config to no defaults (or better yet, netinstall the device), you enter device by using winbox with MAC connectivity (winbox will display discovered MT devices, click on device’s MAC address).

Perhaps I didn’t state it loud and clear in my anecdotical post #4 above: I couldn’t spot anything particularly weird in my previous (v6) config that would explain low router performance. But then I didn’t bother looking for such problem too much as I wanted to start with v7 from scratch. I did use then-production configuration as role about what I wanted to achieve, so from functional point of view configuration did not change.

So - I did the following:

/system reset-configuration no-defaults=yes skip-backup=yes

I put back just the bare bones config (as described in the online documentation) and still no change.
I’m going to park this issue for now.
The netinstall app doesn’t want to work for me at the moment. Seems that (again, according to the documentation) this is because I’m using a USB Network adapter (new laptop doesn’t have built in LAN port) so I need to get a switch to connect this up. Will do this on my next visit (this is all being done in my new apartment in Malaysia, company relocation, and I’m about to come back to Europe in a few days… so will deal with this on my next visit). The broadband is fast enough for me to at least use it at the moment.

Thanks for the input - I’ll bring one of the switches I have at home with me on the next trip.

It seems that there is some bug lurking in the dark … bug which seemingly existed in older ROS versions and which causes that some config remains in the actual configuration database and is not visible through UIs. But it seems that it’s present in backup file (the binary blob one, not textual export). Even though that config is nowhere to be seen it can still affect device performance (and in worst case even functionality). When device enters such an unreliable/unexplainable state, the only way out is to perform netinstall and configure device from scratch … using textual export only as reminder on what was previously done.

Hi Everyone
Don’t know if this might trigger something in someone’s mind but… the speed issues I’m having seem to be specifically related to downloading files in one form or another - could be pure downloads from websites or installing apps on my phone for example.
Streaming videos (Netflix etc) seems to be fine and generally browsing the internet seems to be fine... which I don’t really understand as there’s clearly a download element to all of this as well.

I’ve tried the NetInstall approach already suggested, but that hasn’t made any improvement.

Any suggestions?

Thanks.