Not getting full throughput WAN to LAN

Hi,

I have a CCR1009 which is running as the router on my 500/500 connection - whenever I test the speed I am only able to get a maximum of 400/500 on all tests I have done. If I test with my laptop directly on the modem I am able to get 500/500.
The CCR is mostly idling at around 3-4% CPU, so I would not think the reduction in throughput is due to the CPU.

Does anyone have any ideas about what to tweak so I can get full speed?

Below is my firewall config, which should be pretty standard.


# RouterOS firewall export as posted. The values LOCALADDRESS, 1LOCALADDRESS and EXTIP are
# anonymisation placeholders, not real addresses; rules that look identical below may have
# referred to different hosts in the original export.
#
# not_in_internet: bogon / non-routable ranges, used by the forward-chain drop on ether1.
# allowed_to_router: extra sources allowed into the input chain (see the input rules; every
#   host on a LAN-list interface is already accepted unconditionally there).
# Clientisolation: guest hosts that must not talk to each other through the router.
# NordVPN-vlan: defined here but not referenced by any rule in this export.
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=192.168.0.0/24 list=allowed_to_router
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=10.10.10.0/24 list=allowed_to_router
add address=10.11.11.0/24 list=allowed_to_router
add address=10.20.20.2-10.20.20.254 list=Clientisolation
add address=10.90.90.0/24 list=NordVPN-vlan
add address=10.12.12.0/24 list=allowed_to_router
# Rule order matters: the first matching rule in a chain wins.
# FastTrack is first, so once a forward connection is established/related its packets take the
# kernel fast path and skip the remaining filter rules (including the logging accept rules below).
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
# Disabled; would only admit CAPsMAN control traffic originating from the router itself.
add action=accept chain=input comment="CAPs to CAPsMAN" disabled=yes dst-port=5246,5247 protocol=udp src-address=127.0.0.1
add action=accept chain=forward comment="Established, Related" connection-state=established,related
# Both drops below have log=yes: every invalid packet and every non-NATted new packet from
# ether1 produces a log line, so an internet scan is logged packet by packet. Logging here is
# useful while debugging but is usually left off in normal operation.
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=FW_invalid
# NOTE(review): this rule and the bogon drop further down match in-interface=ether1, while the
# NAT rule and the later accept rules use the WAN interface list. If the WAN list contains any
# interface other than ether1 (e.g. a PPPoE or LTE interface), traffic arriving there is not
# covered by these two drops - confirm the WAN list membership.
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new \
    in-interface=ether1 log=yes log-prefix=FW_!NAT
# Every packet arriving on a LAN-list interface reaches every router service; there is no port
# restriction. The allowed_to_router list on the later input rule only matters for sources on
# interfaces that are NOT in the LAN list.
# NOTE(review): if the guest VLAN (10.20.20.0/24) is a member of the LAN list, guest clients can
# reach router management services through this rule - confirm.
add action=accept chain=input comment="Accept any Lan interface connections" in-interface-list=LAN
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=\
    FW_!public src-address-list=not_in_internet
# Guest isolation applies only to traffic routed through this router (forward chain). Guests in
# the same subnet on the same bridge/VLAN reach each other at layer 2 without touching this rule,
# so isolation of those also needs to be enforced on the bridge/AP side.
add action=reject chain=forward comment="Isolate clients in Guest network" dst-address-list=Clientisolation log=yes log-prefix=\
    FW_guest_isolation reject-with=icmp-network-unreachable src-address-list=Clientisolation
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
# VPN termination, open to any source address. UDP 1701 is accepted without an ipsec-policy
# match, so plain (unencrypted) L2TP also reaches the router; adding ipsec-policy=in,ipsec to the
# 1701 rule restricts it to L2TP carried inside IPsec.
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
# The next two pairs of rules are identical as posted. Either the anonymisation collapsed two
# different addresses/interfaces into the same placeholder, or one rule of each pair is redundant.
add action=accept chain=forward dst-address=LOCALADDRESS src-address-list=not_in_internet
add action=accept chain=forward dst-address=LOCALADDRESS src-address-list=not_in_internet
add action=accept chain=forward dst-address=LOCALADDRESS in-interface=1-vlan1
add action=accept chain=forward dst-address=LOCALADDRESS in-interface=1-vlan1
add action=accept chain=forward out-interface-list=WAN src-address=LOCALADDRESS
# log=yes on an accept rule logs every new connection it matches. The LAN->WAN accept below
# therefore writes one log line for every new outbound connection from the LAN.
add action=accept chain=forward connection-state=new dst-address=LOCALADDRESS log=yes src-address=LOCALADDRESS
add action=accept chain=forward connection-state=new dst-address=LOCALADDRESS log=yes src-address=1LOCALADDRESS
add action=accept chain=forward connection-state=new dst-address=1LOCALADDRESS log=yes src-address=1LOCALADDRESS
add action=accept chain=forward in-interface-list=LAN log=yes out-interface-list=WAN
# detect-ddos: every new forward connection is sent through the chain. Source/destination pairs
# staying under 32 packets per 10s (burst 32) return immediately; pairs over the limit are added
# to ddoser/ddosed for 10 minutes, and further new connections between listed pairs are dropped
# by the rule directly after the chain. Existing connections are not affected.
add action=jump chain=forward connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m chain=detect-ddos
add action=drop chain=forward connection-state=new dst-address-list=ddosed src-address-list=ddoser
# Inbound TCP 999 and 55555 from the WAN list. Thanks to the "!dstnat" drop above, only
# connections that already matched a dst-nat rule get this far - but that drop is limited to
# ether1, so the same caveat about the WAN list membership applies here.
add action=accept chain=forward dst-port=999 in-interface-list=WAN log=yes log-prefix=FW_xxy protocol=tcp
add action=accept chain=forward dst-port=55555 in-interface-list=WAN log=yes log-prefix=FW_zzx protocol=tcp
# Disabled: would allow guest clients DNS (UDP 53) to a local address.
add action=accept chain=forward disabled=yes dst-address=LOCALADDRESS dst-port=53 protocol=udp src-address=LOCALADDRESS\
    src-address-list=Clientisolation
# Input: everything not from a LAN-list interface is dropped and logged (one line per packet),
# followed by an unconditional drop. Forward: logged catch-all drop.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes log-prefix=\
    FW_Drop_all_from_WAN
add action=drop chain=input
add action=drop chain=forward log=yes log-prefix=F_droprest
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
# Port forwards. Neither rule restricts src-address, so the forwarded services on LOCALADDRESS
# (TCP 999) and 1LOCALADDRESS (TCP 55555 -> 12345) are reachable from any internet host. Each new
# connection is logged here and again by the matching forward-chain accept rule above.
add action=dst-nat chain=dstnat comment="Allow zzx" dst-address=EXTIP dst-port=55555 log=yes log-prefix=FW_NAT_xxz protocol=\
    tcp to-addresses=1LOCALADDRESS to-ports=12345
add action=dst-nat chain=dstnat comment="Allow zxx" dst-address=EXTIP dst-port=999 log=yes log-prefix=FW_NAT_xyz\
    protocol=tcp to-addresses=LOCALADDRESS to-ports=999