Limited Bandwidth on LAN and WIFI

Hi,

I'm having an issue with my configuration. I have a 600 Mbps internet connection, but I'm only getting around 150-160 Mbps on the LAN and WiFi networks.

Here is my configuration
Mikrotik-New-Config.rsc (20.4 KB)
ether1-LAN is connected to my PC over 2.5G Ethernet, and ether5-WAN1 is connected to my ISP at 600 Mbps. ether2-3-Trunk is a tagged port to my switch, and ether4-WAN2 is for failover only.

Thank you

Besides the fact that you have no clue when it comes to setting up WireGuard, I would say the speed issue is probably related to either
the bloatware you call a config (ditch all the bogus firewall rules) or the fact that you have queuing rules AND mangle rules that don't mix well with the fasttrack rule in the forward chain.
Try disabling the fasttrack rule for starters.

Hi,

I tried removing all mangle and firewall rules and keeping fasttrack, but the result is still the same. Same result even with fasttrack disabled. I also tried different cables but had the same result.

here is my latest config.
NewConfig.rsc (3.53 KB)
Thank you

Well, I will comment on the config as far down as I can before I get disgusted. :)

  1. Modify (missing important parameters)
    /interface bridge port
    add bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether1-LAN pvid=100
    add bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=LAG1 comment="trunked ether2,3"

  2. Modify (missing important tagging of the bridge!!)
    /interface bridge vlan
    add bridge=BR1 tagged=bridge,LAG1 untagged=ether1-LAN vlan-ids=100
    add bridge=BR1 tagged=bridge,LAG1 vlan-ids=110,120

ANY REASON why you have a primary WAN and a backup WAN, instead of making both WANs available in a shared-usage, load-balancing type of approach???

  1. More accurate way of source NAT with static IPs... Optional change.
    /ip firewall nat
    add action=src-nat chain=srcnat out-interface=ether5-WAN1 to-addresses=192.168.1.2
    add action=src-nat chain=srcnat out-interface=ether4-WAN2 to-addresses=192.168.10.2

  2. ROUTE keeping WAN1 primary, MODIFY - using recursive routing.

Option A: keeping the same intent (primary/backup)
/ip route
# primary: default route resolved recursively via 1.0.0.1, so check-gateway tests internet reachability, not just the ISP router
add check-gateway=ping dst-address=0.0.0.0/0 gateway=1.0.0.1 routing-table=main scope=10 target-scope=12 distance=1
add dst-address=1.0.0.1/32 gateway=192.168.1.1 routing-table=main scope=10 target-scope=11
# backup: higher distance, otherwise both defaults sit at distance 1 and the router ECMP-balances instead of failing over
add dst-address=0.0.0.0/0 gateway=192.168.10.1 routing-table=main distance=2

The backup route needs no recursive lookup nor check-gateway=ping, as there are no other options to go to if WAN1 is down.

+++++++++++++++++
Load Balance approach
/ip route
add check-gateway=ping dst-address=0.0.0.0/0 gateway=1.0.0.1 routing-table=main scope=10 target-scope=12
add dst-address=1.0.0.1/32 gateway=192.168.1.1 routing-table=main scope=10 target-scope=11
add check-gateway=ping dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-table=main scope=10 target-scope=12
add dst-address=1.1.1.1/32 gateway=192.168.10.1 routing-table=main scope=10 target-scope=11

The router will automatically provide ECMP load balancing between the WANs.
In this case we want both WAN1 and WAN2 to come back online if one or the other goes offline, so both get check-gateway=ping.

Since you are behind other routers' firewalls, these rules are NOT as critical, but they should still be applied...
/ip firewall filter
{ default rules to keep }
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp
add chain=input action=accept dst-address=127.0.0.1

( admin rules )
add chain=input action=accept in-interface-list=LAN { Later we change this to only allow admin, and other rules allow LAN users only to services }
add chain=input action=drop comment="drop all else" { insert this rule last, after all other rules are in place }
++++++++++++++++++++++++++++++
{ default rules to keep }
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid

( admin rules )
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes { enable if required or remove }
***************** Add here any other allow rules, e.g. between VLANs etc. ***************************************
add action=drop chain=forward comment="drop all else"

SOME OTHER missing rules...
/ip neighbor discovery-settings
set discover-interface-list=LAN
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Hi,

I figured out what is causing the limited bandwidth with the internet. When I use the WAN IP 192.168.1.200/24 on the WAN1 interface, it causes the limited bandwidth. I have configured this IP for port forwarding on my ISP router/modem. So when I use 192.168.1.2/24 on WAN1, I have the full bandwidth of my ISP. Here is my latest configuration
HapAx3-08Mar2025.rsc (10.9 KB)
Since I need port forwarding, I'm thinking of using another MikroTik router (hEX) to serve as the router for port forwarding and failover for my backup ISP. Currently my backup ISP is connected to the hAP ax.

So both MikroTiks will be connected to the main ISP: hAP ax3 (main internet) and hEX S (port forwarding and backup ISP).
hAP ax3 ether5-WAN will use 192.168.1.2/24
hEX S ether1-WAN1 will use 192.168.1.200/24

Backup internet on hEX S ether2-WAN2 will use 192.168.10.2/24

Connection between routers
hAP ax3 ether4-Link will use 172.168.1.2/24
hEX S ether5-Link will use 172.168.1.1/24

Any help on how I start configuring the Hex S? Thank you.
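A starting configuration for the hEX S in the two-router layout described in the last post, as an added example that is not part of the original thread or its attached configs. It uses the addresses and interface names given above and the recursive-failover pattern from the earlier review. The interface-list names, the forwarded service (TCP/443) and the LAN subnet and host behind the hAP ax3 (10.0.100.0/24, 10.0.100.10) are assumptions. Note that 172.168.1.0/24 as planned is public address space, not an RFC 1918 range; the example keeps it as written, but 172.16.0.0/12 would be the private equivalent.

```routeros
# Added example: hEX S as port-forwarding router and backup-ISP gateway.
# Not from the thread; addresses are from the last post, everything marked
# ASSUMED is made up for illustration.

/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1-WAN1 list=WAN
add interface=ether2-WAN2 list=WAN
add interface=ether5-Link list=LAN

/ip address
add address=192.168.1.200/24 interface=ether1-WAN1
add address=192.168.10.2/24 interface=ether2-WAN2
# as planned in the thread; 172.168.1.0/24 is NOT RFC 1918 space
add address=172.168.1.1/24 interface=ether5-Link

/ip route
# WAN1 primary: recursive via 1.0.0.1 so check-gateway tests real internet
# reachability rather than only the ISP router at 192.168.1.1
add dst-address=0.0.0.0/0 gateway=1.0.0.1 check-gateway=ping distance=1 scope=10 target-scope=12
add dst-address=1.0.0.1/32 gateway=192.168.1.1 scope=10 target-scope=11
# WAN2 backup: higher distance, used only while the primary is inactive
add dst-address=0.0.0.0/0 gateway=192.168.10.1 distance=2
# LAN behind the hAP ax3 (ASSUMED 10.0.100.0/24), reached over the link
add dst-address=10.0.100.0/24 gateway=172.168.1.2

/ip firewall nat
add chain=srcnat out-interface=ether1-WAN1 action=src-nat to-addresses=192.168.1.200
add chain=srcnat out-interface=ether2-WAN2 action=src-nat to-addresses=192.168.10.2
# Port forward (ASSUMED service): TCP/443 arriving on WAN1 to a host behind the hAP ax3
add chain=dstnat in-interface=ether1-WAN1 protocol=tcp dst-port=443 action=dst-nat \
    to-addresses=10.0.100.10 to-ports=443
# The forwarded host's default gateway is the hAP ax3, so without this rule its
# replies would leave via the hAP's WAN (192.168.1.2) and never return through the
# hEX NAT. Masquerading forwarded flows toward the link keeps the path symmetric.
add chain=srcnat out-interface=ether5-Link connection-nat-state=dstnat action=masquerade

/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept in-interface-list=LAN
add chain=input action=drop comment="drop all else"
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
add chain=forward action=accept connection-nat-state=dstnat in-interface-list=WAN
add chain=forward action=drop comment="drop all else"

/ip neighbor discovery-settings
set discover-interface-list=LAN
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
```

On the hAP ax3 side, traffic arriving on ether4-Link toward the forwarded host must be accepted in the forward chain (its own "drop all else" rule would otherwise block it), and the masquerade rule above means the host only ever sees 172.168.1.1 as the client address, which hides the real source in the host's logs; if the source IP matters, the alternative is to give the hAP ax3 a route for its own LAN replies back to the hEX (policy routing on connection mark) instead of masquerading.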