My Mikrotik is sometimes incredibly slow, need help.

Hello all you Mikrotik experts! :nerd_face:
I'm in need of some help, and I'm NOT a Mikrotik expert, so I really need you to guide me through as well as you can. :heart:

I have an issue with my old Mikrotik CRS125-24G-1S switch.
My internet (or LAN connection) is sometimes incredibly slow! Using my ethernet-connected PC it is sometimes only 1-2Mbit/sec, same if I test with another computer, or through a wireless AP.
It's so low I am barely able to get into my router remotely to reboot it! (which is why I believe it's not the internet speed that is low, it's something going on in my LAN or router)
But as soon as I have rebooted my router, my speed is up OK again. For a while… until I need to reboot it again, and again… and so on! :frowning:

Looking at Resources, it says CPU load is somewhere between 20-75%-ish… Free memory is fine.

Any idea what is going on? How can I fault trace this? Maybe there is some logging I can share that one of you experts could take a look at?

Any help or idea of what to do is really appreciated!

Are you using your switch as a router?

It’s a switch, not a router, it has a different use. Do you drink broth with a fork?

Whatever happens, you need to show the switch configuration export (not screenshot),
because it should still be able to rotate at least 100Mbps for sure, so it could be the configuration that sinks it.
https://mikrotik.com/product/CRS125-24G-1S-IN#fndtn-testresults

Or maybe you’re using a hand-built configuration where half the world is using your switch as a source for DDoS attacks…

Or your provider simply doesn’t work.
You didn’t write that you put in another router and that with it the internet is fast…

@crazytok; your CRS125-24G-1S has a very weak CPU, which struggles when used as a router. This device is primarily designed as a switch, meaning that when it operates in switch mode, the CPU is only used for configuration. After that, all Ethernet traffic flows directly without involving the CPU.

But when you use it as a router, the CPU has to process all traffic, which it simply isn’t powerful enough for. If you need proper routing, the best solution is to use a dedicated router and let the CRS125 handle just switching. That should fix your slow speeds!

As a router yes, been doing it for like 9 years now and it has worked just fine. :confused:

Have used it as a router for the last 9 years and it has worked flawlessly... it's maybe the last half year it has been acting more and more strange, I would say.

Here is my configuration export:

# mar/05/2025 11:42:19 by RouterOS 6.43.8
# software id = LAH2-21J1
#
# model = CRS125-24G-1S
# serial number = 5A8C058B7CF7
/interface bridge
add admin-mac=E4:8D:8C:81:A8:B7 arp=proxy-arp auto-mac=no fast-forward=no \
    mtu=1500 name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether01-master-local-vince speed=\
    100Mbps
set [ find default-name=ether2 ] name=ether02-slave-local-vince speed=100Mbps
set [ find default-name=ether3 ] name=ether03-slave-local-kontor speed=\
    100Mbps
set [ find default-name=ether4 ] name=ether04-slave-local-kontor speed=\
    100Mbps
set [ find default-name=ether5 ] name=ether05-slave-local-tvrum speed=100Mbps
set [ find default-name=ether6 ] name=ether06-slave-local-tvrum speed=100Mbps
set [ find default-name=ether7 ] name=ether07-slave-local-joline speed=\
    100Mbps
set [ find default-name=ether8 ] name=ether08-slave-local-joline speed=\
    100Mbps
set [ find default-name=ether9 ] name=ether09-slave-local-vardagsrum speed=\
    100Mbps
set [ find default-name=ether10 ] name=ether10-slave-local-vardagsrum speed=\
    100Mbps
set [ find default-name=ether11 ] name=ether11-slave-local-vardagsrum speed=\
    100Mbps
set [ find default-name=ether12 ] name=ether12-slave-local-vardagsrum speed=\
    100Mbps
set [ find default-name=ether13 ] name=ether13-slave-local-kok speed=100Mbps
set [ find default-name=ether14 ] name=ether14-slave-local-kok speed=100Mbps
set [ find default-name=ether15 ] name=ether15-slave-local-masterbedroom \
    speed=100Mbps
set [ find default-name=ether16 ] name=ether16-slave-local-masterbedroom \
    speed=100Mbps
set [ find default-name=ether17 ] name=ether17-slave-local-server_laptop \
    speed=100Mbps
set [ find default-name=ether18 ] name=ether18-slave-local speed=100Mbps
set [ find default-name=ether19 ] name=ether19-slave-local speed=100Mbps
set [ find default-name=ether20 ] name=ether20-slave-local speed=100Mbps
set [ find default-name=ether21 ] name=ether21-slave-local-garage speed=\
    100Mbps
set [ find default-name=ether22 ] name=ether22-slave-local-garage speed=\
    100Mbps
set [ find default-name=ether23 ] name=ether23-ubiquiti-ap speed=100Mbps
set [ find default-name=ether24 ] name=ether24-gateway-fiber speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    sfp1-slave-local-NOT-USED
/interface pptp-server
add name=pptp-in1 user=""
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name="dhcp range" ranges=192.168.1.161-192.168.1.199
add name=pptp-pool ranges=192.168.1.151-192.168.1.160
/ip dhcp-server
add address-pool="dhcp range" authoritative=after-2sec-delay disabled=no \
    interface=bridge1 lease-time=3h name=dhcp1
/ppp profile
add bridge=bridge1 change-tcp-mss=yes local-address=pptp-pool name=\
    PPTP-Profile only-one=yes remote-address=pptp-pool use-encryption=yes
set *FFFFFFFE bridge=bridge1 local-address=pptp-pool remote-address=\
    192.168.1.1
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/user group
add name=homeassistant policy="reboot,read,write,policy,test,api,!local,!telne\
    t,!ssh,!ftp,!winbox,!password,!web,!sniff,!sensitive,!romon,!dude,!tikapp"
/interface bridge port
add bridge=bridge1 interface=ether01-master-local-vince
add bridge=bridge1 interface=ether02-slave-local-vince
add bridge=bridge1 interface=ether03-slave-local-kontor
add bridge=bridge1 interface=ether04-slave-local-kontor
add bridge=bridge1 interface=ether05-slave-local-tvrum
add bridge=bridge1 interface=ether06-slave-local-tvrum
add bridge=bridge1 interface=ether07-slave-local-joline
add bridge=bridge1 interface=ether08-slave-local-joline
add bridge=bridge1 interface=ether09-slave-local-vardagsrum
add bridge=bridge1 interface=ether10-slave-local-vardagsrum
add bridge=bridge1 interface=ether11-slave-local-vardagsrum
add bridge=bridge1 interface=ether12-slave-local-vardagsrum
add bridge=bridge1 interface=ether13-slave-local-kok
add bridge=bridge1 interface=ether14-slave-local-kok
add bridge=bridge1 interface=ether15-slave-local-masterbedroom
add bridge=bridge1 interface=ether16-slave-local-masterbedroom
add bridge=bridge1 interface=ether17-slave-local-server_laptop
add bridge=bridge1 interface=ether18-slave-local
add bridge=bridge1 interface=ether19-slave-local
add bridge=bridge1 interface=ether20-slave-local
add bridge=bridge1 interface=ether21-slave-local-garage
add bridge=bridge1 interface=ether22-slave-local-garage
add bridge=bridge1 interface=ether23-ubiquiti-ap
add bridge=bridge1 interface=sfp1-slave-local-NOT-USED
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 enabled=yes \
    require-client-certificate=yes
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/ip address
add address=192.168.1.1/24 interface=ether01-master-local-vince network=\
    192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=\
    ether24-gateway-fiber
add dhcp-options=hostname,clientid interface=ether01-master-local-vince
/ip dhcp-server lease
add address=192.168.1.2 client-id=1:4:18:d6:d0:55:83 comment=ACCESSPUNKT \
    mac-address=04:18:D6:D0:55:83 server=dhcp1
add address=192.168.1.52 client-id=1:0:1d:ec:8:ce:4c mac-address=\
    00:1D:EC:08:CE:4C server=dhcp1
add address=192.168.1.51 client-id=1:0:1d:ec:a:52:b2 mac-address=\
    00:1D:EC:0A:52:B2 server=dhcp1
add address=192.168.1.111 client-id=1:28:cf:da:2a:d8:97 comment="APPLE TV" \
    mac-address=28:CF:DA:2A:D8:97 server=dhcp1
add address=192.168.1.31 client-id=1:f0:b4:79:6:0:db comment=\
    "AIRPORT EXPRESS" mac-address=F0:B4:79:06:00:DB server=dhcp1
add address=192.168.1.112 client-id=1:98:d6:bb:1c:30:36 mac-address=\
    98:D6:BB:1C:30:36 server=dhcp1
add address=192.168.1.101 client-id=1:8c:2d:aa:4a:1e:c7 mac-address=\
    8C:2D:AA:4A:1E:C7 server=dhcp1
add address=192.168.1.42 client-id=1:cc:f7:35:e2:ed:56 mac-address=\
    CC:F7:35:E2:ED:56 server=dhcp1
add address=192.168.1.41 comment="AMAZON ECHO" mac-address=44:00:49:4A:6C:C0 \
    server=dhcp1
add address=192.168.1.50 client-id=1:70:2a:d5:ec:39:de comment=\
    "DIGITALBOXAR & TV" mac-address=70:2A:D5:EC:39:DE server=dhcp1
add address=192.168.1.102 client-id=1:c8:63:f1:f9:25:aa mac-address=\
    C8:63:F1:F9:25:AA server=dhcp1
add address=192.168.1.100 client-id=1:d0:17:c2:d4:84:e0 comment="PC & IMAC" \
    mac-address=D0:17:C2:D4:84:E0 server=dhcp1
add address=192.168.1.201 comment=SHELLY mac-address=CC:50:E3:1D:9C:6F \
    server=dhcp1
add address=192.168.1.105 mac-address=00:23:C1:0D:BA:8A server=dhcp1
add address=192.168.1.122 client-id=1:30:10:e4:6c:ef:cf mac-address=\
    30:10:E4:6C:EF:CF server=dhcp1
add address=192.168.1.202 mac-address=84:F3:EB:E2:C6:E4 server=dhcp1
add address=192.168.1.104 mac-address=50:EC:50:04:72:08 server=dhcp1
add address=192.168.1.44 client-id=1:44:0:49:9e:55:bd mac-address=\
    44:00:49:9E:55:BD server=dhcp1
add address=192.168.1.43 client-id=1:3c:5c:c4:ca:e8:da mac-address=\
    3C:5C:C4:CA:E8:DA server=dhcp1
add address=192.168.1.45 client-id=1:3c:5c:c4:5a:e5:72 mac-address=\
    3C:5C:C4:5A:E5:72 server=dhcp1
add address=192.168.1.4 client-id=1:b8:27:eb:e0:c4:19 comment=\
    "NIBE F1245 - BERGV\C4RMEPUMP" mac-address=B8:27:EB:E0:C4:19 server=dhcp1
add address=192.168.1.204 mac-address=84:F3:EB:E2:C9:FB server=dhcp1
add address=192.168.1.203 mac-address=84:F3:EB:E2:00:79 server=dhcp1
add address=192.168.1.3 client-id=1:80:2a:a8:40:3a:22 mac-address=\
    80:2A:A8:40:3A:22 server=dhcp1
add address=192.168.1.120 client-id=1:8a:80:41:59:82:8b comment=\
    "\D6VRIGA ENHETER" mac-address=8A:80:41:59:82:8B server=dhcp1
add address=192.168.1.21 client-id=1:da:9b:90:45:17:fc mac-address=\
    DA:9B:90:45:17:FC server=dhcp1
add address=192.168.1.121 client-id=1:66:d4:7d:1a:e3:ae mac-address=\
    66:D4:7D:1A:E3:AE server=dhcp1
add address=192.168.1.11 client-id=\
    ff:ca:53:9:5a:0:2:0:0:ab:11:3:64:da:69:79:f6:af:95 mac-address=\
    BE:E4:64:99:C6:06 server=dhcp1
add address=192.168.1.15 client-id=1:0:11:32:7a:e4:52 mac-address=\
    00:11:32:7A:E4:52 server=dhcp1
add address=192.168.1.6 mac-address=4C:EB:D6:59:11:6C server=dhcp1
add address=192.168.1.208 mac-address=C4:5B:BE:E4:4B:DB server=dhcp1
add address=192.168.1.205 mac-address=48:55:19:02:B6:F0 server=dhcp1
add address=192.168.1.206 mac-address=98:CD:AC:13:18:7E server=dhcp1
add address=192.168.1.207 mac-address=E8:DB:84:D3:00:F0 server=dhcp1
add address=192.168.1.5 client-id=1:58:ae:a8:b4:97:18 mac-address=\
    58:AE:A8:B4:97:18 server=dhcp1
add address=192.168.1.12 client-id=1:b4:45:6:2a:81:b3 mac-address=\
    B4:45:06:2A:81:B3 server=dhcp1
add address=192.168.1.199 client-id=1:cc:15:31:35:5c:4b mac-address=\
    CC:15:31:35:5C:4B server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1,8.8.8.8 domain=local \
    gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.1.1
/ip dns static
add address=192.168.1.1 name=mikrotik.local
add address=192.168.1.2 name=ubiquiti1.local
add address=192.168.1.3 name=ubiquiti2.local
add address=192.168.1.11 name=server1.local
add address=192.168.1.21 name=raspberrypi1.local
add address=192.168.1.31 name=airport1.local
add address=192.168.1.32 name="airport2.local "
add address=192.168.1.33 name="airport3.local "
add address=192.168.1.34 name="airport4.local "
add address=192.168.1.35 name="airport5.local "
add address=192.168.1.41 name=echospot1.local
add address=192.168.1.42 name=echodot1.local
add address=192.168.1.50 name=samsungtv.local
add address=192.168.1.51 name=vuzero.local
add address=192.168.1.52 name=vusolo2.local
add address=192.168.1.100 name=pc.local
add address=192.168.1.101 name=imac.local
add address=192.168.1.102 name=ps4.local
add address=192.168.1.103 name=yamaha.local
add address=192.168.1.111 name=appletv1.local
add address=192.168.1.112 name=appletv2.local
add address=192.168.1.201 name=shelly1.local
add address=192.168.1.202 name="shelly2.local "
add address=192.168.1.203 name="shelly3.local "
add address=192.168.1.204 name="shelly4.local "
add address=192.168.1.205 name="shelly5.local "
add address=192.168.1.120 name="Thomas iPhone"
add address=192.168.1.121 name="Sofie's iPhone"
add address=192.168.1.122 name="iPad Air"
add address=192.168.1.11 name=cloud.xport.se
/ip firewall filter
add action=drop chain=input comment="Drop Invalid" connection-state=invalid
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment="Allow established" connection-state=\
    established
add action=accept chain=input comment="Allow related" connection-state=\
    related
add action=accept chain=input comment="Allow PPTP Server Gre" protocol=gre
add action=accept chain=input comment="Allow PPTP Server 1723" dst-port=1723 \
    protocol=tcp
add action=drop chain=input comment="Drop everything else - Input" \
    in-interface=ether24-gateway-fiber
add action=accept chain=input dst-port=443 protocol=tcp src-port=443
add action=accept chain=forward dst-port=15637 protocol=tcp
add action=accept chain=forward dst-port=15636 protocol=tcp
add action=accept chain=forward dst-port=15637 protocol=udp
add action=accept chain=forward dst-port=15636 protocol=udp
add action=accept chain=forward dst-port=5900 protocol=tcp
add action=accept chain=forward dst-port=5900 protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether24-gateway-fiber
add action=dst-nat chain=dstnat disabled=yes dst-port=8080 in-interface=\
    all-ethernet protocol=tcp to-addresses=192.168.1.2 to-ports=8080
add action=dst-nat chain=dstnat disabled=yes dst-port=8443 in-interface=\
    all-ethernet protocol=tcp to-addresses=192.168.1.2 to-ports=8443
add action=dst-nat chain=dstnat disabled=yes dst-port=10001 in-interface=\
    all-ethernet protocol=udp to-addresses=192.168.1.2 to-ports=10001
add action=dst-nat chain=dstnat disabled=yes dst-port=10001 in-interface=\
    all-ethernet protocol=udp to-addresses=192.168.1.100 to-ports=10001
add action=dst-nat chain=dstnat disabled=yes dst-port=8080 in-interface=\
    all-ethernet protocol=tcp to-addresses=192.168.1.100 to-ports=8080
add action=dst-nat chain=dstnat disabled=yes dst-port=1900 in-interface=\
    all-ethernet protocol=udp src-port="" to-addresses=192.168.1.100 \
    to-ports=1900
add action=dst-nat chain=dstnat comment="Raspberry Pi - Home Assistant" \
    dst-port=8123 in-interface=ether24-gateway-fiber protocol=tcp \
    to-addresses=192.168.1.21 to-ports=8123
add action=dst-nat chain=dstnat dst-port=3389 in-interface=\
    ether24-gateway-fiber protocol=tcp to-addresses=192.168.1.100 to-ports=\
    3389
add action=dst-nat chain=dstnat dst-port=443 in-interface=\
    ether24-gateway-fiber protocol=tcp to-addresses=192.168.1.11 to-ports=443
add action=dst-nat chain=dstnat dst-port=80 in-interface=\
    ether24-gateway-fiber protocol=tcp to-addresses=192.168.1.11 to-ports=80
add action=redirect chain=dstnat comment=\
    "DIRECT ALL DNS REQUESTS TO MIKROTIK INTERNAL DNS SERVER" dst-port=53 \
    protocol=udp to-addresses=192.168.1.1 to-ports=53
add action=dst-nat chain=dstnat dst-port=15637 protocol=tcp to-addresses=\
    192.168.1.12 to-ports=15637
add action=dst-nat chain=dstnat dst-port=15636 protocol=tcp to-addresses=\
    192.168.1.12 to-ports=15636
add action=dst-nat chain=dstnat dst-port=15637 protocol=udp to-addresses=\
    192.168.1.12 to-ports=15637
add action=dst-nat chain=dstnat dst-port=15636 protocol=udp to-addresses=\
    192.168.1.12 to-ports=15636
add action=dst-nat chain=dstnat dst-port=5900 protocol=tcp to-addresses=\
    192.168.1.12 to-ports=5900
add action=dst-nat chain=dstnat dst-port=5900 protocol=udp to-addresses=\
    192.168.1.12 to-ports=5900
/ip service
set www-ssl port=444
/lcd
set backlight-timeout=never default-screen=interfaces
/ppp secret
add name=jonas password=X profile=default-encryption service=pptp
add name=thomas password=X profile=default-encryption service=\
    pptp
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Stockholm
/system ntp client
set enabled=yes primary-ntp=192.36.133.17
/system scheduler
add interval=1h name="NO-IP UPDATE" on-event=no_ip_update policy=\
    read,write,test start-date=nov/17/2015 start-time=20:14:00
/system script
add dont-require-permissions=no name=no_ip_update owner=admin policy=\
    read,write,test source="# No-IP automatic Dynamic DNS update\
    \n\
    \n#--------------- Change Values in this section to match your setup -----\
    -------------\
    \n\
    \n# No-IP User account info\
    \n:local noipuser \"X\"\
    \n:local noippass \"X\"\
    \n\
    \n# Set the hostname or label of network to be updated.\
    \n# Hostnames with spaces are unsupported. Replace the value in the quotat\
    ions below with your host names.\
    \n# To specify multiple hosts, separate them with commas.\
    \n:local noiphost \"xport.no-ip.org\"\
    \n\
    \n# Change to the name of interface that gets the dynamic IP address\
    \n:local inetinterface \"ether24-gateway\"\
    \n\
    \n#-----------------------------------------------------------------------\
    -------------\
    \n# No more changes need\
    \n\
    \n:global previousIP\
    \n\
    \n:if ([/interface get \$inetinterface value-name=running]) do={\
    \n# Get the current IP on the interface\
    \n   :local currentIP [/ip address get [find interface=\"\$inetinterface\"\
    \_disabled=no] address]\
    \n\
    \n# Strip the net mask off the IP address\
    \n   :for i from=( [:len \$currentIP] - 1) to=0 do={\
    \n       :if ( [:pick \$currentIP \$i] = \"/\") do={ \
    \n           :set currentIP [:pick \$currentIP 0 \$i]\
    \n       } \
    \n   }\
    \n\
    \n   :if (\$currentIP != \$previousIP) do={\
    \n       :log info \"No-IP: Current IP \$currentIP is not equal to previou\
    s IP, update needed\"\
    \n       :set previousIP \$currentIP\
    \n\
    \n# The update URL. Note the \"\\3F\" is hex for question mark (\?). Requi\
    red since \? is a special character in commands.\
    \n       :local url \"http://dynupdate.no-ip.com/nic/update\\3Fmyip=\$curr\
    entIP\"\
    \n       :local noiphostarray\
    \n       :set noiphostarray [:toarray \$noiphost]\
    \n       :foreach host in=\$noiphostarray do={\
    \n           :log info \"No-IP: Sending update for \$host\"\
    \n           /tool fetch url=(\$url . \"&hostname=\$host\") user=\$noipuse\
    r password=\$noippass mode=http dst-path=(\"no-ip_ddns_update-\" . \$host \
    . \".txt\")\
    \n           :log info \"No-IP: Host \$host updated on No-IP with IP \$cur\
    rentIP\"\
    \n       }\
    \n   }  else={\
    \n       :log info \"No-IP: Previous IP \$previousIP is equal to current I\
    P, no update needed\"\
    \n   }\
    \n} else={\
    \n   :log info \"No-IP: \$inetinterface is not currently running, so there\
    fore will not update.\"\
    \n}"
add dont-require-permissions=no name=force_reboot owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    ":execute {/system reboot;}"
/tool graphing interface
add interface=ether24-gateway-fiber

Interesting, did not know this! But the thing is I have used it like 9 years and it has been working really good! :slight_smile: It's like the last half year it has been acting strange… Actually when you say it, I'm looking at the CPU load right now… and when downloading something it goes up to 100% constantly! But still.. I have never had any issues before? Still seems strange I think. :confused:

Your “router” might be compromised, especially while running v6.43.8 and having web access publicly.
Check if there are users not known to you.

What I would do in your situation (and no new users):
Close all ports from public (including the DNS server and VPN)
Upgrade RouterOS and firmware to LTS (currently v6.49.18).

From there, get some good advice on everything firewall related.

At least you can try to enable fasttrack?

Please explain more, I don't know what it is?

This is the doc for RouterOS 6 https://wiki.mikrotik.com/Manual:IP/Fasttrack. You’ll need the two firewall rules under the Initial configuration section. As well as this:


  • FastPath and Route cache is enabled under IP/Settings

CRS125 is a very old device, don't expect great performance

He has all ethernet ports set to 100Mbps. I don’t know if it’s deliberate. But auto-negotiation seems to still be enabled.

Ouch…
RouterOS 6.43.8

fast-forward off???
/interface bridge
add fast-forward=no name=bridge1

all the bridge config is obsolete for new versions, just upgrade to last v6 long term.

pptp server enabled with blank user??? the world is not enough… open door for all the world…
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/interface pptp-server
add name=pptp-in1 user=""
easy hackable the pptp server…
/ppp secret
add name=jonas password=X profile=default-encryption service=pptp
add name=thomas password=X profile=default-encryption service=pptp
/ip firewall filter
add action=accept chain=input comment="Allow PPTP Server Gre" protocol=gre
add action=accept chain=input comment="Allow PPTP Server 1723" dst-port=1723 protocol=tcp

ovpn server enabled???..
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 enabled=yes require-client-certificate=yes

The address must go on the bridge, but all the bridge/port config is obsolete.
/ip address
add address=192.168.1.1/24 interface=ether01-master-local-vince network=192.168.1.0

DNS open to the world???.. DDoS a go-go…
/ip dns
set allow-remote-requests=yes servers=192.168.1.1
/ip firewall nat
add action=redirect chain=dstnat comment="DIRECT ALL DNS REQUESTS TO MIKROTIK INTERNAL DNS SERVER" dst-port=53 protocol=udp to-addresses=192.168.1.1 to-ports=53

a space on DNS???..
/ip dns static
add address=192.168.1.32 name="airport2.local "
add address=192.168.1.33 name="airport3.local "
add address=192.168.1.34 name="airport4.local "
add address=192.168.1.35 name="airport5.local "
add address=192.168.1.202 name="shelly2.local "
add address=192.168.1.203 name="shelly3.local "
add address=192.168.1.204 name="shelly4.local "
add address=192.168.1.205 name="shelly5.local "

Seriously???
add address=192.168.1.120 name="Thomas iPhone"
add address=192.168.1.121 name="Sofie's iPhone"
add address=192.168.1.122 name="iPad Air"

is www-ssl ENABLED on port 444…
winbox is enabled on default port…
/ip service
set www-ssl port=444

No firewall rules???
First thing is netinstall to the latest ver6 for sure, don't even bother to do anything else, unless it's to buy a Hex Refresh or RB5009.

That’s a leftover from even older ROS versions when default setting was speed=100M-baseT-full … with not so ancient versions, default changed to speed=1G-baseT-full, but running settings never change on ROS upgrade … only export started to show that setting (due to being different than default for that particular ROS version).

I'm expecting to get the same performance as before, which has been really good! =)

I do have firewall rules… But if it is enough, I can't say. :astonished:

Wow, a lot to fix I assume then!
Thanks for your help and time!

Unfortunately, I don't follow everything you are saying here... but I will try my best!

RouterOS
Updated to latest now!

fast-forward off???
Yepp, never heard about it before! I have now enabled it in the Bridge configuration, is that correct?

all the bridge config is obsolete for new versions, just upgrade to last v6 long term.
Not really sure what you mean about this?

pptp server enabled with blank user???
Looks like it, yes, don't know why though. May be some old configurations I have used before or just tested and not fully configured. I have now added a name, is that enough?

/ppp secret
add name=jonas password=X profile=default-encryption service=pptp
add name=thomas password=X profile=default-encryption service=pptp
/ip firewall filter
add action=accept chain=input comment="Allow PPTP Server Gre" protocol=gre
add action=accept chain=input comment="Allow PPTP Server 1723" dst-port=1723 protocol=tcp

Not sure what you want here?

ovpn server enabled???
Again, probably some old settings... not using it anymore anyway so I disabled it!

The address must go on the bridge, but all the bridge/port config is obsolete.
/ip address
add address=192.168.1.1/24 interface=ether01-master-local-vince network=192.168.1.0

Don't understand what to do.

DNS open to the world???
Yes, tried to change "allow remote request" to Disabled but then my internet doesn't work on all my devices anymore?

a space on DNS???
No, can't see this in my configurations. Also it does not exist when exporting a new config file with the new Mikrotik OS update?

Seriously?????
add address=192.168.1.120 name="Thomas iPhone"
add address=192.168.1.121 name="Sofie's iPhone"
add address=192.168.1.122 name="iPad Air"

Totally serious! But I don't know why... again probably some old things I tested.

is www-ssl ENABLED on port 444...
winbox is enabled on default port....
/ip service
set www-ssl port=444

No? Looking into IP->Services www-ssl is disabled?

You assigned an IP address to an ether interface (ether01-master-local-vince), but then you included it in a bridge:

/interface bridge port
add bridge=bridge1 interface=ether01-master-local-vince
…

so this port is not anymore self-standing and it having an address is not needed (and void of any effect).

Overall (and mind you this is just my opinion, man) your “needed” configuration appears to be somehow hiding below several layers of cruft deriving from leftovers from tests/old settings and whatnot; it is very difficult from the outside to understand (sometimes guess) which parts are needed and which parts are just leftovers (that may only represent a visual complication or actually prevent something else from working correctly).
IMHO it would be much easier if you would enumerate what you actually need, then restart from a reset configuration and re-add only what is actually needed, for two reasons: the first to make sure that there is nothing compromising the working of the device, the second to make the whole stuff simpler, more readable and thus easier to maintain/change/fine-tune.