Not getting full speed on RB5009

I installed an RB5009 for a friend several months ago, and yesterday they upgraded to full-fibre 1Gb. However, the RB5009 seems to manage only 520mbps. I know it's capable of more as I have an RB5009 at home that does 1Gb easily.

If I temporarily replace the Mikrotik with the ISP supplied router, we get 980mbps. The ISP is not known to reduce speed based on equipment, and it's the same ISP and setup I have at home which is working OK.

The incoming internet is fibre to a media convertor, then into port 2 of the Mikrotik. The internet is authenticated and encapsulated in PPPoE.

The config is really simple. There aren’t any port forwards or fancy tricks. There is a VPN back to their office which allows me to remotely access the system.

Fasttrack is working. We get ~10% CPU during a speed test.

Any ideas? Config below.

# 2024-07-09 08:52:03 by RouterOS 7.15.2
# software id = XF57-Z2MA
#
# model = RB5009UG+S+
# serial number = ###########
/interface bridge add admin-mac=78:9A:18:4A:49:28 auto-mac=no name=bridge port-cost-mode=short
/interface ethernet set [ find default-name=ether1 ] disabled=yes name=ether1_wan1
/interface ethernet set [ find default-name=ether2 ] name=ether2_wan2
/interface ethernet set [ find default-name=ether8 ] name=ether8_config
/interface pppoe-client add add-default-route=yes disabled=no interface=ether2_wan2 max-mtu=1480 name=pppoe-zen user=zen000000@zen
/interface list add name=LAN
/interface list add name=WAN
/ip ipsec profile add dh-group=modp2048 enc-algorithm=aes-128 hash-algorithm=sha256 lifetime=8h name=profile1
/ip ipsec peer add address=195.xx.xx.194/32 exchange-mode=ike2 name=velox.sonicwall profile=profile1
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-128-cbc,aes-128-ctr,aes-128-gcm lifetime=8h name=proposal1 pfs-group=none
/ip pool add name=config-dhcp ranges=192.168.88.2-192.168.88.6
/ip pool add name=lan-dhcp ranges=192.168.161.1-192.168.161.99
/ip dhcp-server add address-pool=config-dhcp interface=ether8_config lease-time=10m name=config
/ip dhcp-server add address-pool=lan-dhcp bootp-support=none interface=bridge lease-time=3d12h name=lan
/ip smb users set [ find default=yes ] disabled=yes
/interface bridge port add bridge=bridge interface=ether3 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge interface=ether4 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge interface=ether5 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge interface=ether6 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge interface=ether7 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking set udp-timeout=10s
/ip neighbor discovery-settings set discover-interface-list=all
/ipv6 settings set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes forward=no
/interface list member add interface=bridge list=LAN
/interface list member add interface=ether8_config list=LAN
/interface list member add interface=ether1_wan1 list=WAN
/interface list member add interface=ether2_wan2 list=WAN
/interface list member add interface=pppoe-zen list=WAN
/ip address add address=192.168.88.1/29 comment=config interface=ether8_config network=192.168.88.0
/ip address add address=192.168.161.254/24 comment=lan interface=bridge network=192.168.161.0
/ip dhcp-client add default-route-distance=2 interface=ether1_wan1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease add address=192.168.161.205 client-id=1:38:42:b:2f:29:55 comment="Sonos Box (Garage)" mac-address=38:42:0B:2F:29:55 server=lan
/ip dhcp-server lease add address=192.168.161.243 client-id=1:f4:e2:c6:49:43:fe comment="FBAP03-Bedroom Unfi AP U6+" mac-address=F4:E2:C6:49:43:FE server=lan
/ip dhcp-server lease add address=192.168.161.245 client-id=1:f4:e2:c6:49:92:1a comment="FBAP05-Garage Unfi AP U6+" mac-address=F4:E2:C6:49:92:1A server=lan
/ip dhcp-server lease add address=192.168.161.241 client-id=1:f4:e2:c6:49:73:2e comment="FBAP01-Lounge Unfi AP U6+" mac-address=F4:E2:C6:49:73:2E server=lan
/ip dhcp-server lease add address=192.168.161.242 client-id=1:f4:e2:c6:49:22:2 comment="FBAP02-Office Unfi AP U6+" mac-address=F4:E2:C6:49:22:02 server=lan
/ip dhcp-server lease add address=192.168.161.240 client-id=1:d8:b3:70:11:ca:d7 comment="FBSW01 Unifi Switch USW 48 PoE" mac-address=D8:B3:70:11:CA:D7 server=lan
/ip dhcp-server lease add address=192.168.161.244 client-id=1:F4:E2:C6:49:99:36 comment="FBAP04-Bedroom Unfi AP U6+" mac-address=F4:E2:C6:49:99:36 server=lan
/ip dhcp-server lease add address=192.168.161.246 client-id=1:F4:E2:C6:49:99:36 comment="FBAP06-Outside Unfi AP U6+" mac-address=AC:8B:A9:D3:F8:09 server=lan
/ip dhcp-server lease add address=192.168.161.230 client-id=1:a4:5d:36:5f:32:4a comment=FBPR01-HPLaserJet700M775 mac-address=A4:5D:36:5F:32:4A server=lan
/ip dhcp-server lease add address=192.168.161.210 comment="Dahua NVR" mac-address=F4:B1:C2:0E:01:47
/ip dhcp-server lease add address=192.168.161.206 comment="Sonos Zone Controller (Garage)" mac-address=10:97:BD:67:96:A8 server=lan
/ip dhcp-server network add address=192.168.88.0/29 dns-none=yes domain=fridaybridge.config
/ip dhcp-server network add address=192.168.161.0/24 dns-server=192.168.161.254 domain=fridaybridge.local gateway=192.168.161.254
/ip dns set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static add cname=unifi.______.net. name=unifi.fridaybridge.local type=CNAME
/ip firewall address-list add address=fw1.wan1.______.net comment="Steve WAN1" list=NET_TRUSTED
/ip firewall address-list add address=82.xx.xx.128/29 comment="Steve WAN2" list=NET_TRUSTED
/ip firewall address-list add address=195.xx.xx.192/28 comment="Work Velox" list=NET_TRUSTED
/ip firewall address-list add address=192.168.101.0/24 comment="Steve VPN via Home" list=NET_TRUSTED
/ip firewall address-list add address=192.168.200.201 comment="Work HPVAPP01" list=NET_TRUSTED
/ip firewall address-list add address=172.30.205.201 comment="Steve VPN via Work" list=NET_TRUSTED
/ip firewall address-list add address=192.168.101.0/24 comment="Steve VPN via Work" list=NET_VPN
/ip firewall address-list add address=192.168.200.0/24 comment="Work INFRA" list=NET_VPN
/ip firewall address-list add address=192.168.0.0/16 list=NET_PRIVATE
/ip firewall address-list add address=10.0.0.0/8 list=NET_PRIVATE
/ip firewall address-list add address=172.16.0.0/12 list=NET_PRIVATE
/ip firewall address-list add address=192.168.200.220 comment="Work Oxidized (via HPVDOCK01)" list=NET_TRUSTED
/ip firewall filter add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="accept trusted" src-address-list=NET_TRUSTED
/ip firewall filter add action=drop chain=input comment="drop from !LAN" in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle add action=change-mss chain=output comment="resolve issue sending emails with attachments over VPN, caused by MTU" dst-address-list=NET_VPN new-mss=1380 passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity add my-id=user-fqdn:mikrotik@fridaybridge peer=velox.sonicwall remote-id=user-fqdn:sonicwall@velox
/ip ipsec policy add comment="INFRA - Access to SMTP Relay" dst-address=192.168.200.0/24 level=unique peer=velox.sonicwall proposal=proposal1 src-address=192.168.161.0/24 tunnel=yes
/ip ipsec policy add comment="Steve Network" dst-address=192.168.101.0/24 level=unique peer=velox.sonicwall proposal=proposal1 src-address=192.168.161.0/24 tunnel=yes
/ip ipsec policy add comment="LAN - Access to HPVDC01 LDAP" dst-address=10.0.1.0/24 level=unique peer=velox.sonicwall proposal=proposal1 src-address=192.168.161.0/24 tunnel=yes
/ip ipsec policy add comment="Steve VPN IP" dst-address=172.30.205.201/32 level=unique peer=velox.sonicwall proposal=proposal1 src-address=192.168.161.0/24 tunnel=yes
/ip service set www-ssl disabled=no
/ip smb shares set [ find default=yes ] directory=/pub
/system clock set time-zone-name=Europe/London
/system identity set name=mikrotik-fridaybridge
/system logging add disabled=yes topics=ipsec,!debug
/system note set show-at-login=no
/system ntp client set enabled=yes
/system ntp client servers add address=0.uk.pool.ntp.org
/system ntp client servers add address=1.uk.pool.ntp.org
/tool e-mail set from=mikrotik-fridaybridge@______.com server=192.168.200.201
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool sniffer set filter-ip-address=192.168.110.11/32
/user group add name=oxidized policy=ssh,read,!local,!telnet,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!rest-api

The only obvious thing I can see is that you’re using fasttrack (as per default config) and mangle (even though it’s only supposed to affect router-originated traffic) … but they are mutually exclusive. Since fasttrack takes precedence, your mangle rule may not be effective. Try to disable fasttrack and see if things change. Yes, CPU load will almost certainly rise much higher, but my guess is that RB5009 should be able to route at 1Gbps+ even without fasttrack.

Check these:
http://forum.mikrotik.com/t/invalid-mtu-1492-on-pppoe-out1/175450/1
http://forum.mikrotik.com/t/rb5009-drops-packets-and-speed-on-eth1-vlan-pppoe/175466/1

I have tried disabling Fasttrack with similar speed results.

CPU obviously quite a bit higher. I also tried pegging the CPU to 1400MHz in both scenarios with no difference.

The speeds were very similar, as the actual result was +/- 50mb anyway.

I know this device is capable of 1Gb. It is frustrating, and now I look silly for recommending the Mikrotik when the ISP device performs better :frowning:

Edit: Also the MTU is a weird figure at the moment as I was trying lower MTUs. 1492 works fine and can ping test up to that amount, but was trying lower anyway.

Fasttrack enabled

Fasttrack disabled

Could it be something along the lines of these issues with 2.5GB speed settings/ports?
http://forum.mikrotik.com/t/rb5009-slow-speed-2-5g-bug-report-as-requested/155362/1
http://forum.mikrotik.com/t/rb5009-2-5gbe-problems/169157/21

They do indeed look like similar symptoms. However I’m using ether2 which isn’t 2.5G capable.

I’m getting to the point where I may pull it out of the network cabinet it is in, replace cables, wipe and restart etc., as I can’t see where the config could be causing this.

I personally would make a backup and then reset it to the most basic config in order to determine if the config or hardware is bad. That would be the easiest way to confirm/eliminate the RB5009 as the source of your problem. So maybe try a default config with the PPPoE set up?

Yea I’m thinking the same. I have another RB5009 here (my home one) – my wife can do without internet for a morning right? :slight_smile:

I can already hear the screams - “babe there’s no Internet!!!”. I keep a backup Hex around for things like this. Nothing spectacular but enough to get people past the shakes and cold sweats.

You can diff both exports and look for relevant differences.
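
One way to do the comparison suggested in the last post, as an added example that is not part of the thread: a plain text diff is noisy because exports come either one command per line with the full menu path (as posted above) or sectioned with continuation lines, so this sketch normalises both forms and compares per menu. The function names, the `SITE_SPECIFIC` ignore list and the `FAST` sample are assumptions made for illustration.

```python
import re

# Menus that differ between any two sites regardless of throughput (assumed list).
SITE_SPECIFIC = ("/ip dhcp-server lease", "/ip firewall address-list", "/ip dns static")
VERBS = ("add", "set", "remove", "enable", "disable")

def parse_export(text):
    """Return {menu path: set of commands} for a terse or sectioned export."""
    menus, current = {}, ""
    joined = re.sub(r"\\\n\s*", "", text)  # undo backslash line continuations
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # header: timestamp, software id, serial
            continue
        if line.startswith("/"):
            words = line.split(" ")
            idx = next((i for i, w in enumerate(words) if w in VERBS), len(words))
            current, line = " ".join(words[:idx]), " ".join(words[idx:])  # path ends at first verb
            if not line:  # sectioned export: the path sits on its own line
                continue
        menus.setdefault(current, set()).add(line)
    return menus

def diff_exports(slow, fast, ignore=SITE_SPECIFIC):
    """List (menu, mark, command): '-' only in slow, '+' only in fast. Rule order is not compared."""
    a, b = parse_export(slow), parse_export(fast)
    out = []
    for menu in sorted(m for m in set(a) | set(b) if not m.startswith(ignore)):
        mine, theirs = a.get(menu, set()), b.get(menu, set())
        out += [(menu, "-", c) for c in sorted(mine - theirs)]
        out += [(menu, "+", c) for c in sorted(theirs - mine)]
    return out

# Constructed samples: SLOW reuses lines from the export above, FAST is a made-up sectioned export.
SLOW = """# 2024-07-09 08:52:03 by RouterOS 7.15.2
/interface pppoe-client add add-default-route=yes disabled=no interface=ether2_wan2 max-mtu=1480 name=pppoe-zen user=zen000000@zen
/ip firewall connection tracking set udp-timeout=10s
/ip firewall filter add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related hw-offload=yes
/ip dhcp-server lease add address=192.168.161.210 comment="Dahua NVR" mac-address=F4:B1:C2:0E:01:47
"""
FAST = """/interface pppoe-client
add add-default-route=yes disabled=no interface=ether2_wan2 max-mtu=1492 \\
    name=pppoe-zen user=zen000000@zen
/ip firewall filter
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related hw-offload=yes
"""

for menu, mark, cmd in diff_exports(SLOW, FAST):
    print(mark, menu, cmd)
```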