Loss of speed

I have a problem with a client. We have a Mikrotik RB2011iL-iN device connected to a router from the provider (Movistar) that the client has at its headquarters. We have it installed behind the provider's router because with the Mikrotik we have configured an IPsec tunnel to a Cisco ASA in a data center, which cannot be done on the provider's router. Up to this point everything works correctly. There is Internet access, the tunnel is up and the two networks can see each other. The problem is the speed of the circuit. If we connect a PC directly to the provider's router and run a speed test, we get the speed of the circuit (between 800 and 900 Mb). If we run the same test on a Mikrotik port we do not get more than 300 Mb.
The connection between the two devices is a private network; the provider's router has only opened the ports that we use for IPsec and the WinBox port to access the Mikrotik. What can cause such a loss of speed? I leave you the configuration that I have on the router.
I hope you can help me improve the speed.

# 2023-09-27 11:15:13 by RouterOS 7.11.2
# software id = 1D7M-HH6H
#
# model = RB2011iL
# serial number = <edit>
/interface bridge
add name=lan
add name=wan
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
add address=217.116.5.94/32 name=peer1
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 dpd-interval=5s enc-algorithm=aes-128 nat-traversal=no
/ip ipsec proposal
add enc-algorithms=aes-128-cbc lifetime=1d name=VPN-Cisco pfs-group=none
/ip pool
add name=Red-Lan ranges=192.168.23.100-192.168.23.150
/ip dhcp-server
add address-pool=Red-Lan interface=lan lease-time=10m name=DHCP-Lan
/interface bridge port
add bridge=wan interface=ether1
add bridge=lan interface=ether2
add bridge=lan interface=ether3
add bridge=lan interface=ether4
add bridge=lan interface=ether5
add bridge=lan interface=ether6
add bridge=lan interface=ether7
add bridge=lan interface=ether8
add bridge=lan interface=ether9
add bridge=lan interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set allow-fast-path=no
/ip address
add address=192.168.23.254/24 interface=lan network=192.168.23.0
add address=172.16.2.2/24 interface=wan network=172.16.2.0
/ip dhcp-server network
add address=192.168.254.0/24 dns-server=192.168.5.3,192.168.5.4,8.8.8.8 gateway=192.168.23.254
/ip dns
set allow-remote-requests=yes servers=192.168.5.3,192.168.5.4,8.8.8.8
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.5.0/24 src-address=192.168.23.0/24
add action=masquerade chain=srcnat out-interface=wan
add action=src-nat chain=srcnat out-interface=wan src-address=192.168.23.0/24 to-addresses=172.16.2.2
add action=dst-nat chain=dstnat dst-address=172.16.2.2 dst-port=9100 in-interface=wan protocol=tcp to-addresses=192.168.23.51 to-ports=9100
add action=dst-nat chain=dstnat dst-address=172.16.2.2 dst-port=9100 in-interface=wan protocol=udp to-addresses=192.168.23.51 to-ports=9100
/ip ipsec identity
add peer=peer1
/ip ipsec policy
add dst-address=192.168.5.0/24 peer=peer1 proposal=VPN-Cisco src-address=192.168.23.0/24 tunnel=yes
/ip route
add distance=1 gateway=172.16.2.1
/ip service
set www-ssl disabled=no
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=Alvac-Barcelona
/system logging
set 3 disabled=yes
/system note
set show-at-login=no

enable fasttrack

I have activated it as you say but it remains the same, the speed does not increase.

/ip firewall filter
add action=fasttrack-connection chain=forward comment=FW_CONN_ESTABLISHED_Y_RELATED connection-state=established,related hw-offload=yes

What configuration do you have in the firewall section? It is not visible in your post.
/ip/firewall/filter/export

RB2011iL is a pretty old device and by today’s standards pretty slow. Official test results indicate[*] that this device is capable of routing at around 250Mbps, give or take. Which is what you’re getting. With some optimization it is possible to increase throughput, but I strongly doubt it’s possible to reach anything close to wirespeed.

[*] Experience shows that the number shown in the Ethernet test results table as “Routing → 25 ip filter rules → 512 bytes” resembles real-life performance pretty well. In any particular configuration the actual number can be higher or lower, but this value is a decent estimate. Running ROS v7 doesn’t help either; experience shows that v7 speed is almost the same as in v6 in the best case and can be 20-30% lower in the worst case.

Here is the configuration you asked for.

/ip firewall filter
add action=fasttrack-connection chain=forward comment=FW_CONN_ESTABLISHED_Y_RELATED connection-state=established,related hw-offload=yes
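An added example, not from this thread, of the rule ordering MikroTik's IPsec documentation recommends when fasttrack is combined with a policy-based IPsec tunnel: traffic matching an IPsec policy is accepted before the fasttrack rule, so it is never fasttracked, and masquerade is limited to traffic with no outgoing IPsec policy. The subnets are the ones from the posted export; the rule comments are assumed.

```routeros
/ip firewall filter
# Accept tunnel traffic (matching an IPsec policy) before it can be fasttracked
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
# Fasttrack only the remaining established/related traffic; packets that are
# not fasttracked fall through to the following accept rule
add action=fasttrack-connection chain=forward comment=FW_CONN_ESTABLISHED_Y_RELATED connection-state=established,related
add action=accept chain=forward comment="accept established,related" connection-state=established,related
/ip firewall nat
# Keep the tunnel traffic out of NAT, and do not masquerade anything
# that an outgoing IPsec policy will encrypt
add action=accept chain=srcnat dst-address=192.168.5.0/24 src-address=192.168.23.0/24
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=wan
```

Afterwards `/ip firewall connection print` should show no F (fasttrack) flag on connections between 192.168.23.0/24 and 192.168.5.0/24, while Internet-bound connections do carry it.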

If I change it to an RB3011UIAS-RM, would it get more speed? How much does this model support?

Yes, it would be faster. How much? Check the official test results and do the math.

While RB3011 is a very decent device, we’re still talking about old technology. If you’re going to invest a non-negligible amount of money, then you may want to choose a more modern device. E.g. RB5009 is more or less in the same performance group (but faster since it’s 10 years younger).

I have 2011s that are still in service… 10 years later. But… They all have low speed WANs.

The 3011 and above are a good choice once you pass a 300M connection.

A hAP AC2 will do just below gigabit on its wired ports even without fasttrack.

tcp mss ?

If TCP MSS was the problem, then it would

  1. have a minor effect if client and server successfully negotiated a lower MTU value. Speed would drop by 10%-20% (depending on the negotiated PMTU, due to relatively higher overhead); @OP sees speeds in the range of 1/3 of what is wanted, which is way lower than a lower PMTU would cause
  2. cause speed to drop even lower or even completely break connectivity, because all oversize packets would be dropped if the offending router doesn’t perform IP packet fragmentation. Only in the case where the offending router does fragmentation but suffers from a performance bottleneck (I guess it would have to fragment all packets) would the performance drop be anything imaginable, including what @OP sees.

But it’s clear that RB2011 can not route at anything near 1Gbps, so even if MSS / MTU is an issue here, it’s not the only one.