Locating the bottleneck

RouterOS General
1

Hello,

I have a mikrotik setup at home.

Mac → UniFi AP → Mikrotik RB2011UiAS-2HnD → LAN
Mikrotik is also the router behind a bridged modem (It’s a cable modem from cable tv).

I’m experiencing speed issues when I’m accessing the raspberry server in the LAN. When I check my speed with the raspberry pi 4; I’s 1000Mbit full-duplex.
if_list.png
and here’s the proof of the link.
rp_link.png
the issue here is when I test the connection with Raspberry using iperf3; I’m getting package drops.
iperf_results.png
I’m having connection issues when the communication goes thru Mikrotik. You can see the retries. I tried changing the cable and I tried with a new raspberry. If I transfer files between 2 computers using my 5Ghz wifi network; I can easily reach 600-800mbps.

How can I identify and fix the issue?

Thanks,

2

I could share a brief config export as well.

# apr/03/2020 22:44:13 by RouterOS 6.46.4
# software id = 4413-2GY8
#
# model = 2011UiAS-2HnD
# serial number = 
/interface bridge
add admin-mac=E4:8D:8C:21:B6:83 auto-mac=no name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=InternetCikis speed=100Mbps
set [ find default-name=ether4 ] name=Raspberry speed=100Mbps
set [ find default-name=ether3 ] name=SonyTV speed=100Mbps
set [ find default-name=ether2 ] name=WiFi5Ghz speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes \
    name=ether6-master-local
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes \
    name=ether7-slave-local
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes \
    name=ether8-slave-local
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes \
    name=ether9-slave-local
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes \
    name=ether10-slave-local
set [ find default-name=sfp1 ] disabled=yes
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
    antenna-gain=0 band=2ghz-onlyn country=turkey disabled=no distance=\
    indoors frequency-mode=manual-txpower mode=ap-bridge name=WirelessLAN \
    preamble-mode=short ssid="Baslak's Misafir" tx-power=30 tx-power-mode=\
    all-rates-fixed wireless-protocol=802.11
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik wpa-pre-shared-key=\
    xxx wpa2-pre-shared-key=\
    xxx
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1536,modp1024 enc-algorithm=\
    aes-256,aes-192,aes-128 hash-algorithm=sha256 name=ios-ikev2-proposal
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=none
/ip pool
add name=dhcp ranges=192.168.1.200-192.168.1.254
add name=vpn ranges=192.168.2.1-192.168.2.254
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
    bridge-local lease-time=4w2d name=default
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
set 0 memory-lines=1
/interface bridge port
add bridge=bridge-local interface=WiFi5Ghz
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local hw=no interface=sfp1
add bridge=bridge-local interface=WirelessLAN
add bridge=bridge-local interface=Raspberry
add bridge=bridge-local interface=SonyTV
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether7-slave-local
add bridge=bridge-local interface=ether8-slave-local
add bridge=bridge-local interface=ether9-slave-local
add bridge=bridge-local interface=ether10-slave-local
/ip neighbor discovery-settings
set discover-interface-list=all
/interface l2tp-server server
set authentication=mschap2 enabled=yes
/interface list member
add interface=sfp1 list=discover
add interface=WiFi5Ghz list=discover
add interface=SonyTV list=discover
add interface=Raspberry list=discover
add interface=ether5 list=discover
add interface=ether6-master-local list=discover
add interface=ether7-slave-local list=discover
add interface=ether8-slave-local list=discover
add interface=ether9-slave-local list=discover
add interface=ether10-slave-local list=discover
add interface=WirelessLAN list=discover
add interface=bridge-local list=discover
add interface=WiFi5Ghz list=mactel
add interface=SonyTV list=mactel
add interface=WiFi5Ghz list=mac-winbox
add interface=Raspberry list=mactel
add interface=SonyTV list=mac-winbox
add interface=ether5 list=mactel
add interface=Raspberry list=mac-winbox
add interface=ether6-master-local list=mactel
add interface=ether5 list=mac-winbox
add interface=ether7-slave-local list=mactel
add interface=ether6-master-local list=mac-winbox
add interface=ether8-slave-local list=mactel
add interface=ether7-slave-local list=mac-winbox
add interface=ether9-slave-local list=mactel
add interface=ether10-slave-local list=mactel
add interface=ether8-slave-local list=mac-winbox
add interface=sfp1 list=mactel
add interface=ether9-slave-local list=mac-winbox
add interface=WirelessLAN list=mactel
add interface=ether10-slave-local list=mac-winbox
add interface=sfp1 list=mac-winbox
add interface=WirelessLAN list=mac-winbox
add interface=bridge-local list=mactel
add interface=bridge-local list=mac-winbox
add interface=InternetCikis list=WAN
/ip accounting
set enabled=yes threshold=2560
/ip accounting web-access
set accessible-via-web=yes
/ip address
add address=192.168.1.1/24 comment="default configuration" interface=WiFi5Ghz \
    network=192.168.1.0
add address=192.168.2.0/24 interface=WiFi5Ghz network=192.168.2.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment="default configuration" disabled=no interface=InternetCikis \
    use-peer-dns=no
/ip dhcp-server network
add address=192.168.1.0/24 comment="default configuration" dns-server=\
    176.103.130.130,176.103.130.131 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-size=8192KiB servers=\
    176.103.130.132,176.103.130.134
/ip dns static
add address=192.168.1.1 name=router
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    \_need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    disabled=yes list=bogons
add address=176.240.0.0/16 list=orcunev
add address=192.168.0.0/16 list=orcunev
add address=62.248.0.0/16 list=orcunev
/ip firewall filter
add action=accept chain=input comment="input: established - related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf : accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow UDP 500,4500 IPSec" dst-port=\
    500,4500 protocol=udp
add action=accept chain=input comment="Enable Http" disabled=yes dst-port=80 \
    protocol=tcp
add action=accept chain=input comment="Enable Http" disabled=yes dst-port=443 \
    protocol=tcp
add action=accept chain=input comment="Allow IPSec-Esp" protocol=ipsec-esp
add action=accept chain=forward comment=\
    "Allow ALL Incoming Traffic from IPSec Connection" ipsec-policy=in,ipsec \
    src-address=192.168.2.0/24
add action=accept chain=forward comment="IPSec to LAN Enabled" dst-address=\
    192.168.1.0/24 ipsec-policy=in,ipsec src-address=192.168.2.0/24
add action=accept chain=forward comment="IPSec to Outer World" dst-address=\
    0.0.0.0/0 ipsec-policy=in,ipsec src-address=192.168.2.0/24
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="forward: established - related" \
    connection-state=established,related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=drop chain=forward comment="default configuration" \
    connection-nat-state=!dstnat connection-state=new in-interface=\
    InternetCikis
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=InternetCikis
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface=\
    InternetCikis protocol=tcp to-addresses=192.168.1.100 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=443 in-interface=\
    InternetCikis protocol=tcp to-addresses=192.168.1.100 to-ports=443
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
/ip ipsec policy
set 0 dst-address=192.168.1.0/24 src-address=0.0.0.0/0
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=InternetCikis type=external
add interface=WiFi5Ghz type=internal
add interface=WirelessLAN type=internal
add interface=bridge-local type=internal
/lcd
set time-interval=weekly
/lcd interface pages
set 0 interfaces="sfp1,InternetCikis,WiFi5Ghz,SonyTV,Raspberry,ether5,ether6-m\
    aster-local,ether7-slave-local,ether8-slave-local,ether9-slave-local,ether\
    10-slave-local"
/snmp
set contact=orcun enabled=yes location="Baslaks Home" \
    trap-version=2
/system clock
set time-zone-name=Europe/Istanbul
/system identity
set name=Baslak
/system logging
add action=disk disabled=yes topics=debug
add action=disk disabled=yes topics=ipsec,debug,!packet
/system ntp client
set enabled=yes server-dns-names=\
    0.tr.pool.ntp.org,1.tr.pool.ntp.org,2.tr.pool.ntp.org,3.tr.pool.ntp.org
/tool bandwidth-server
set authenticate=no
/tool graphing interface
add interface=bridge-local
add interface=WirelessLAN
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool sniffer
set filter-interface=bridge-local filter-ip-address=192.168.1.14/32
3

I made small changes to firewall.

/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="forward: established - related" \
    connection-state=established,related
add action=accept chain=input comment=\
    "input: established - related - untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf : accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" \
    connection-state="" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=InternetCikis out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface=\
    InternetCikis protocol=tcp to-addresses=192.168.1.100 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=443 in-interface=\
    InternetCikis protocol=tcp to-addresses=192.168.1.100 to-ports=443

This made the connection better. I can reach 120-130mbits now but this is still behind what I expect from the system.

When I test for BW; CPU gets to %100 and I get a way lower bw than expected.
profi1.png
Any ideas anyone? Shall I do a factory reset and start over?

4

Well,

I did reset the mikrotik and started from scratch. Nothing got better. Etherner cables are tied to power cables. I suspect of an interference. I’ll try with Cat7 STP cables in a few days. Let’s see what will happen.