Hi,
I have been using TP-Link routers for many years (easy configuration and basic functions).
I wanted to clean up my home network a bit, separate the guest network and IoT devices.
The choice fell on MikroTik L009UiGS-RM.
The first moments were terrible, but slowly I managed to configure most of the functions.
Currently, I have internet connection from the provider (D:1Gb/s, U:60Mb/s).
I have the ETH1 port configured as WAN, the ETH2 port connected to the switch, ETH6 and ETH7 connected to the Unifi AP.
In Unifi I have VLAN 30 configured for guests.
And it all works but…
I have a problem with internet connection speed and high CPU usage.
If I connect my computer directly to the Internet operator’s router, I get download: 948Mb/s and upload: 60Mb/s.
When I connect via Mikrotik, I have D: 640Mb/s and U: 60Mb/s.
When performing speedtest on a desktop computer, on Mikrotik the CPU usage increases to 96%.
I also tried disconnecting all devices and leaving only one computer to run the test, but this did not help.
Please help me find the error and correct my configuration.
```
# software id = GIAU-Z6W9
# model = L009UiGS
/interface bridge
add name=LAN
add name=Vlan30-gosc
add name=WAN
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-baseT-full,100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes poe-lldp-enabled=yes poe-priority=1
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=ether7 name=vlan30-gosc vlan-id=30
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=LAN_DHCP ranges=192.168.2.2-192.168.2.253
add name=dhcp_pool3 ranges=192.168.30.2-192.168.30.254
/ip dhcp-server
add address-pool=LAN_DHCP interface=LAN name=LAN_DHCP
add address-pool=dhcp_pool3 interface=Vlan30-gosc lease-time=23h30m name=Vlan30-gosc
/port
set 0 name=serial0
/interface bridge port
add bridge=WAN interface=ether1
add bridge=LAN interface=ether2
add bridge=LAN interface=ether3
add bridge=LAN interface=ether7
add bridge=LAN interface=ether6
add bridge=Vlan30-gosc interface=vlan30-gosc pvid=30 tag-stacking=yes
/interface bridge vlan
add bridge=LAN disabled=yes untagged=ether1,ether2 vlan-ids=1
add bridge=Vlan30-gosc tagged=vlan30-gosc vlan-ids=30
/ip address
add address=192.168.2.1/24 interface=LAN network=192.168.2.0
add address=192.168.1.10/24 interface=WAN network=192.168.1.0
add address=192.168.30.1/24 interface=vlan30-gosc network=192.168.30.0
/ip arp
/ip dhcp-client
add disabled=yes interface=WAN
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.2.1 netmask=24
add address=192.168.30.0/24 gateway=192.168.30.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN src-address=192.168.2.0/24
add action=masquerade chain=srcnat out-interface=WAN src-address=192.168.30.0/24
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10 vrf-interface=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Warsaw
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
```
As I have already written, this is my first encounter with MikroTik equipment, so I apologize if I write something stupid.
“That device is not capable to route that amount of traffic for most cases.”
You mean to tell me that MikroTik with 1Gb+2.5Gb connectors is not able to cope with a 1Gb/s connection? The cheapest TP-Link can handle this connection.
This problem occurs not only during speedtest, it also occurs when downloading one large file.
I’m downloading a 20GB file and the MikroTik processor is still at 94-96% and the transfer is unstable.
If you don’t have any other idea, tomorrow I will try to make factory settings, run the basic configuration and perform a test. If there is no improvement, I will take it to the store and look for another solution.
But I guess we can say that the Marketing Division of Mikrotik has been very good in representing the L009 as the third best thing in the world (after ice-cream and sliced bread).
OK,
Your answer worried me a bit.
Can you advise me what I can do to get back to network performance of 920-940Mb/s and stable transfer?
What I have now:
router from the Internet provider - 1xWAN, 1xLAN (no configuration possible)
MikroTik L009UiGS-RM - I can replace it
switch (hub) TP-Link SG1024D - the plan is to replace it with a managed switch
2x AP Unifi
What I have/plan in my network:
WIFI SSID for household members (about 10 devices)
WIFI SSID for guests - isolated network
WIFI SSID for IoT - (about 30 devices) - separate subnet without Internet access
ETH IoT - (10 devices) - subnet without Internet access
ETH for household members - (12 devices)
ETH - server - here I need full Internet speed (1000/60) - I understand that when household members use the Internet, the speed of the server will decrease.
Previously, it all worked on one network on TP-Link Archer AX73 (WIFI for household members + for guests) + switch. Everything worked great with the cable. WIFI had problems with range and delays with IoT.
Changing to 2x Unifi AP eliminated the WIFI problem, but TP-Link did not have a VLAN configuration and I could not isolate separate networks. I replaced TP-Link with MikroTik.
First answer, same package (but different color):
RB5009
A bit pricier but it should last you several years from now.
Depending on the ethernet ports you need, you may not even need a managed switch (RB5009 can do that too, it has a 2.5Gb port, 7 Gb ports plus 1 SFP port).
Or have a look at AX3 (BIG wifi ears !) or AX2. They should be able to handle the routing load but at the limit (AX3 would be better than AX2).
You can even choose to disable wifi on those devices if you want to keep using this U_i APs. 3 less ports, no SFP.
For switch: you can keep L009 as managed switch. It can handle that task just fine.
It’s less switch than the RB5009 and more router than the L009 for a lower price. A possible drawback is the L4 license compared to L5 on the other models but only if you consider this a drawback. If you need an SFP you could go for the “hEX S” model.
True, but it’s not arm, so e.g. no zerotier, no containers and what else they will bring out.
For future safety, I would choose at least arm, preferably arm64 platform.
Hex is a nice device (was my first Tik and still use it) but it can become a problem in future.
And if we compare the test results routing speed for 1518/25 firewall rules we have:
L009 970.3 Mbps - Personal comment: meh
Hex 1,128.2 Mbps - Personal comment: better, around 16% faster
RB5009 9365.6 Mbps - Personal comment: another planet
Probably the “right” device in the OP case would be the mid-range:
RB3011 2,453.1 - Personal comment: more than double the L009/Hex speed
But it is ARM32 (and not 64) and I have seen on the forum that there are performance issues reported for it with Ros 7.x.
That would cost some 30-40 Euro less than the RB5009, but for this difference it is not worth IMHO to get this older architecture, the RB5009 is definitely more “future proof”.
Thank you very much for the information and enlightenment.
I read your suggestions and came to the conclusion that I was a terrible loser when I bought the router based on the description and without checking detailed tests.
Now I compared the tests and, despite the much higher price, I decided to replace the RB5009.
After all, you don’t replace the router every month.
I think that the real issue, that no one noticed, is that the user is not using fasttrack in the nat configuration. That is the reason of high CPU load.
We use HEX for 1G internet connections and the HEX can do 1G symmetric with no issue (fasttrack enabled and very simple (basic) firewall rules to keep the CPU at minimum).
Enable fasttrack and the L009 will meet your expectations.
No need to have 4011 or 5009 for your environment, the L009 is appropriate. It is not a powerful router, but it is able to keep your network running.
Also I will use the switch chip to use VLANs in your environment.
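An added example, not part of any post in the thread: a RouterOS filter sketch that enables fasttrack, as the last reply suggests, and adds the forward rules the posted export lacks (it contains no `/ip firewall filter` section, so nothing stops the guest subnet from routing into the LAN). Interface names and subnets are taken from the export; the rule set itself is an assumption, not the poster's configuration.

```routeros
/ip firewall filter
# Fasttrack replies and follow-up packets of connections that were already
# permitted. These packets skip the remaining filter rules, which is what
# lowers CPU load; only the first packet of a flow is fully evaluated.
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="fasttrack established/related"
# Packets of permitted connections that could not be fasttracked
add chain=forward action=accept connection-state=established,related,untracked \
    comment="accept established/related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# Guest isolation: new connections from the guest subnet (VLAN 30) into the
# LAN are dropped, so they never reach the established state above.
add chain=forward action=drop src-address=192.168.30.0/24 dst-address=192.168.2.0/24 \
    comment="guests: no access to LAN"
# Nothing may be initiated from the WAN side unless a dst-nat rule forwards it
add chain=forward action=drop in-interface=WAN connection-state=new \
    connection-nat-state=!dstnat comment="drop unsolicited WAN to inside"

# The export sets allow-remote-requests=yes under /ip dns, so the router's
# resolver answers on every interface; refuse queries arriving from the WAN side.
add chain=input action=accept connection-state=established,related,untracked \
    comment="accept replies to the router itself"
add chain=input action=drop in-interface=WAN protocol=udp dst-port=53 \
    comment="no DNS service on WAN (udp)"
add chain=input action=drop in-interface=WAN protocol=tcp dst-port=53 \
    comment="no DNS service on WAN (tcp)"
```

Rule order matters: the drop rules only see the first packet of each flow, so the guest-isolation rule has to sit in this chain rather than depend on per-packet inspection of fasttracked traffic.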