Hello,
I’m a beginner to this scene but have some network experience. I got my MikroTik RB750Gr3 set up and configured through many nights of reading and struggling. I’ve been troubleshooting my last issue for a couple of months, off and on. My internet speed is 940 Mbps download and 880 Mbps upload through Verizon Fios.
My issue is that my Xbox, which is hardwired into ether5, doesn’t get high upload speeds. The max I consistently see is around 20 Mbps. My Google Wifi that is hardwired in gets 525+ upload consistently. My Xbox previously saw upload speeds over 300 Mbps. I can’t seem to track down this issue. I’ve tried disabling my firewall rules, but that doesn’t even increase upload over 50 Mbps. I’m at a complete loss and looking for some assistance. Firewall and NAT rules are posted below:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related,untracked
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward out-interface=ether1 src-address=192.168.1.0/24
add action=accept chain=forward dst-address=xxx.xxx.xxx.xxx dst-port=xxxx in-interface=ether1 protocol=tcp
add action=accept chain=forward dst-address=xxx.xxx.xxx.xxx in-interface=ether1
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
Is there anything I am missing, or could there be an issue elsewhere in my config that I’m not thinking of? Thanks for any assistance anyone can provide!
That’s only the firewall part, but I can’t see anything wrong.
ether1 is WAN, I guess?
Note:
This one is not needed: “add action=accept chain=forward out-interface=ether1 src-address=192.168.1.0/24”
How do you connect to the internet? Direct ethernet, or some encapsulation?
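Added example, not part of the original thread and not MikroTik code: a small first-match evaluator for the forward chain posted above, used to check the reply's point that the LAN-to-WAN accept rule changes no verdict. It assumes a simplified model (fasttrack-connection treated as non-terminal, the interface list given directly on each packet), and the sample packets and the `packet`, `verdict` and `verdicts` helpers are constructed for illustration.

```python
import ipaddress

# Forward chain from the first post (comments stripped; the two redacted-address accepts omitted).
FORWARD = """\
add action=fasttrack-connection chain=forward connection-state=established,related,untracked
add action=accept chain=forward connection-state=established,related,untracked
add action=accept chain=forward out-interface=ether1 src-address=192.168.1.0/24
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
"""

def parse(text):
    rules = [dict(t.split("=", 1) for t in ln.split()[1:]) for ln in text.splitlines()]
    return [(r.pop("action"), r) for r in rules]  # (action, {matcher: value})

def matches(cond, pkt):
    for key, want in cond.items():
        negate, want = want.startswith("!"), want.lstrip("!")  # '!' inverts a matcher
        if key.endswith("address"):
            hit = ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(want)
        else:
            hit = pkt.get(key, "") in want.split(",")
        if hit == negate:
            return False
    return True

def verdict(rules, pkt):
    # Simplified: first accept/drop match wins; fasttrack-connection is non-terminal.
    for action, cond in rules:
        if action in ("accept", "drop") and matches(cond, pkt):
            return action
    return "accept"  # chain has no final drop, so unmatched packets are forwarded

def packet(state, in_list, out_if, src, nat=""):
    return {"chain": "forward", "connection-state": state, "in-interface-list": in_list,
            "out-interface": out_if, "src-address": src, "connection-nat-state": nat}

PACKETS = {  # constructed samples; 203.0.113.7 is a documentation address
    "lan_new": packet("new", "LAN", "ether1", "192.168.1.5"),
    "wan_reply": packet("established", "WAN", "bridge", "203.0.113.7"),
    "wan_new_unsolicited": packet("new", "WAN", "bridge", "203.0.113.7"),
    "wan_new_dstnat": packet("new", "WAN", "bridge", "203.0.113.7", "dstnat"),
    "wan_invalid": packet("invalid", "WAN", "bridge", "203.0.113.7"),
}

def verdicts(rules):
    return {name: verdict(rules, p) for name, p in PACKETS.items()}

rules = parse(FORWARD)
print(verdicts(rules), verdicts(rules) == verdicts(rules[:2] + rules[3:]))
```

The second printed value compares the chain with and without the third rule: new LAN traffic is forwarded either way because nothing later in the chain drops it, while unsolicited WAN traffic is still dropped by the last rule.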
ether1 is WAN
My connection to the internet is through ethernet with no encapsulation.
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge protocol-mode=none
/interface ethernet
set [ find default-name=ether4 ] name=MoCA
set [ find default-name=ether3 ] name=Wifi
set [ find default-name=ether2 ] name=Wired
set [ find default-name=ether5 ] advertise=1000M-full name=Xbox
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.1.6-192.168.1.50
/ip dhcp-server
add add-arp=yes address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=Wired
add bridge=bridge comment=defconf interface=Wifi
add bridge=bridge comment=defconf interface=MoCA
add bridge=bridge comment=defconf interface=Xbox
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set accept-source-route=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.9 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.1.9
/ip dns static
add address=192.168.1.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related,untracked
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward dst-address=192.168.1.x dst-port=xxxxx in-interface=ether1 protocol=tcp
add action=accept chain=forward dst-address=192.168.1.x dst-port=xxxxx protocol=tcp
add action=accept chain=forward connection-nat-state=dstnat in-interface=ether1
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=!192.168.1.9 dst-port=53 protocol=udp src-address=!192.168.1.9 to-addresses=192.168.1.9
add action=dst-nat chain=dstnat dst-address=!192.168.1.9 dst-port=53 protocol=tcp src-address=!192.168.1.9 to-addresses=192.168.1.9
add action=masquerade chain=srcnat dst-address=192.168.1.9 dst-port=53 protocol=udp src-address=192.168.1.0/24
add action=masquerade chain=srcnat dst-address=192.168.1.9 dst-port=53 protocol=tcp src-address=192.168.1.0/24
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.1.5 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=53 in-interface=ether1 protocol=tcp to-addresses=192.168.1.5 to-ports=53
add action=dst-nat chain=dstnat dst-port=3074 in-interface=ether1 protocol=tcp to-addresses=192.168.1.5 to-ports=3074
add action=dst-nat chain=dstnat dst-port=3074 in-interface=ether1 protocol=udp to-addresses=192.168.1.5 to-ports=3074
add action=dst-nat chain=dstnat dst-port=88 in-interface=ether1 protocol=udp to-addresses=192.168.1.5 to-ports=88
add action=dst-nat chain=dstnat dst-port=500 in-interface=ether1 protocol=udp to-addresses=192.168.1.5 to-ports=500
add action=dst-nat chain=dstnat dst-port=3544 in-interface=ether1 protocol=udp to-addresses=192.168.1.5 to-ports=3544
add action=dst-nat chain=dstnat dst-port=4500 in-interface=ether1 protocol=udp to-addresses=192.168.1.6 to-ports=4500
add action=dst-nat chain=dstnat dst-port=56033 in-interface=ether1 protocol=tcp to-addresses=192.168.1.5 to-ports=56033
add action=dst-nat chain=dstnat dst-port=56033 in-interface=ether1 protocol=udp to-addresses=192.168.1.5 to-ports=56033
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh address=xxx.xxx.xxx.xxx port=xxxx
set api disabled=yes
set winbox address=xxx.xxx.xxx.xxx
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes
/ip upnp
set show-dummy-rule=no
/system clock
set time-zone-name=America/New_York
/system identity
set name=xxxx
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
Entire configuration above. If I give my Xbox the public IP, direct connection to the incoming line, then I get full speed also, so it’s definitely not an Xbox issue or internet connection issue. I’ve also tested this with my Xbox being the only other connection to the RB750Gr3 and get the same results.
The ones that are curious:
/ip dhcp-server add-arp=yes …
/ip settings
set accept-source-route=yes
Other than that and some filter / nat stuff, default config.
Maybe an MTU issue; what is the output of “/interface print”?
Output of /interface print:
Flags: D - dynamic, X - disabled, R - running, S - slave
      NAME    TYPE    ACTUAL-MTU  L2MTU  MAX-L2MTU  MAC-ADDRESS
0 RS  MoCA    ether         1500   1596       2026  xx:xx:xx:xx:xx:xx
1 RS  Wifi    ether         1500   1596       2026  xx:xx:xx:xx:xx:xx
2 RS  Wired   ether         1500   1596       2026  xx:xx:xx:xx:xx:xx
3 RS  Xbox    ether         1500   1596       2026  xx:xx:xx:xx:xx:xx
4 R   ether1  ether         1500   1596       2026  xx:xx:xx:xx:xx:xx
5 R   ;;; defconf
      bridge  bridge        1500   1596             xx:xx:xx:xx:xx:xx
All MTUs are the same, so that’s not it.
Have you tried disabling the source routing and ARP addition?
Yeah, I did that after you called that into question. I added the source routing in an attempt to resolve the issue, but it didn’t change anything.
Try profiling the CPU with “/tool profile” while doing a transfer.
Also verify routing from the Xbox with a traceroute.
Verify the status of connections in “/ip firewall connection”.
And finally, which protocol is used for that upload? Maybe it’s some kind of P2P, and being behind a firewall, incoming connections will not be forwarded to the Xbox. Only outgoing connections, from inside, will be allowed.