RB2011 slow internet even with fasttrack

Hi everyone,

I’ve had my RB2011UiAS-2HnD-IN for a few years now and have had no complaints until now. I moved to my new house and upgraded my internet speed from 150/10 to 400/20.
I ran fasttrack off and on at this speed for couple months and saw there were some updates to RouterOS and that I had been a little slacking on upgrading my firmware (as in firmware had never been upgraded since i had it…whoops!).
I update the RouterOS and the Firmware, including rebooting for both my 2011 and WAP AC and all seems to work fine at first glance.

Then I noticed that even with Fasttrack enabled, I was only getting between 150-200mbps max download with the exact same config as before with only about 5% CPU at idle, 30~% under load with fasttrack enabled. I even install a previous backup from a time when I know i was getting full speed just to see if I messed something up, but the speed issue remained. When I connect directly to my modem from my computer, I get about 440/22, so I know the issue is not on my ISP’s side. I even tried to move all other wired connections to the other switch (the 100mbps ports) to rule out any interference from other ports on the same switch.

The internet speed also seems to be inconsistent when running through the 2011 through fasttrack: it sometimes starts out around 250-280mbps, then slows to 150-200 when using speedtest.net. Sometimes it starts at 150mbps and goes down to about 110mbps. With fasttrack disabled, i get about 73mbps down with 80% CPU usage.


I’m running 6.43 currently on routerOS and firmware
I have about 8 wired devices and about 10 wireless devices with about 25 Mangle rules, 3 nat rules (2 for plex server, 1 for masquerade), and a total of 17 firewall filter rules with fasttrack as the first after an invalid reject rule.
I’ve tried fasttrack set to my machine’s marked packets, marked connections, and then all established and related connection states to try and bypass all filters and rules.
I’ve disconnected all other devices and cables, disabled WLAN, reset configuration…No Dice.

I’m not at all a mikrotik expert, but I’d appreciate any help!

Anything at all?

I’m running 6.42.7 currently on routerOS and firmware

Read http://forum.mikrotik.com/t/v6-41-current/114978/1 and https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Bridge_Hardware_Offloading
And next time when doing upgrade - read changelog for every version since the one you have installed.

I’ve read that multiple times, but it’s not clicking for me…isn’t hardware offloading supposed to improve performance? So should i reformat and create the setup without master/slave setup from the beginning? I’ll try and re-read it a bunch to see if I can figure it out.

You should verify that hardware offloading is being enabled (indicated by H indicator on bridge port) and verify which functions are supported with it for your device’s switch chip and confirm you’re not running with any of incompatible options enabled.

In the bridge ports, the wan port was not in the bridge (i assume this is correct, since i can’t add it to the bridge).
I tried disabling the hardware offload that my computer is connected to and still get the same result. I disabled Unicast Flood, Multicast Flood, Broadcast Flood and still the same. Now, the speed test starts at my max download (400mbps) for a brief second and then quickly ramps down to 200mbps for the rest of the test. (attached


CPU maxed at ~40% during 400mbps internet speed test download, then dropped back down to ~25% for the rest of the 200mbps average. When transferring files on local LAN at gigabit speed, CPU goes up to ~65% for 950mbps speed going from a hardware offloaded port to non hardware offloaded. On hardware offloaded port to hardware offloaded port on the same gigabit switch series, cpu doesn’t go above 6% for same gigabit speed transfer, so hardware itself seems to be working fine.

Any idea on what settings might be causing the drop in speed after the initial good speed?

Round-trip latency with too small TCP window? Not that you can do much about TCP window size for random application …

Any network device on the way between connection peers will add some delay. It sometimes really surprises me how can seemingly neglectable increase in delay (a few 100 microseconds) drastically change TCP performance.

I’ve got cable internet connection. Setup is internet<->cable modem<->rb2011<->laptop with cat6 cable all ethernet connections at 1gbps full duplex. Ping times to bandwidth test server are under 20ms.
I took ethernet coupler and hooked my laptop ethernet cable to the ethernet cable from the modem to bypass the router but still using same cables and I get full consistent 400mbps down going straight through modem, so wiring is ok. I also tried to clone Mac address of my laptop to router after connecting straight to modem.

Not sure what setting I’d need to check? MTU is 1500, 1598 max l2 MTU (thought packets might be getting fragmented). Guess I can change wan port and see if problem persists?

So I did some messing around:
Hops to bandwidth server is 8, total RTT is 12ms to bandwidth server.

So I started changing things:

• I disconnected all other wires/wifi. Same speed
  
  
  
• I reset RB2011 to vanilla WISP AP/Home AP configuration with only modem and laptop connected via ethernet. Same speed.
  
  
  
• I used vanilla configuration to change ethernet port of WAN to Eth2 instead of 1. Same speed.

I’m thinking it had something to do with updating my firmware to current, since speed was good before that time. Is it wise to leave RouterOS updated but firmware not updated?

I got a response from mikrotik talking about how queues impact TCP single connection performance and i should just be able to get normal real-world speed outside of the synthetic speedtest.net test. I tried to download a large file, such as a ISO file via HTTP or torrent and still was stuck at about 200mbps maximum. I also tried to download a game via steam and still wasn’t able to get above about 200mbps.
I went to dslreports.com and performed a speedtest and got a full 450mbps or so speed test .

I understand how queues can impact tcp single connection performance, but I had fasttrack enabled and got the same results. I also reset the router to vanilla WISP AP and also Home AP and only had laptop and modem connected to the router with no queues or mangle rules and still only got 200mbps. Any ideas on how to improve TCP single connection performance?

I hate to look at a CCR or RB3011 or something more expensive to get the performance that i was already getting on the rb2011 until some strange gremlin reduced my speed.

I suspect something wrong with your config, I achieved ~850Mbpps up and down with my 2011

What firmware are you running? Could you share your configuration? I used to get great wan speed but still get great lan routing speed. I tried resetting to stock wisp ap defaults as well as home ap default config and can’t get any better on that speedtest.net test, so I thought I eliminated bad config.

Sorry, just looked at the speedtest results again, it was 812Mb down and 97Mb up as the link was a 1Gb/100Mb fibre link. About a month ago, I have reset the 2011 to Factory Default and downgraded the device to my Home Lab environment, using a HAP AC2 as “production” unit at home now.

If you don’t mind placing a copy of “export hide-sensitive” of your config here, we can have a look and make suggestions

Current config:

  MikroTik RouterOS 6.43 (c) 1999-2018       http://www.mikrotik.com/

[admin@MikroTik] > export hide-sensitive
# sep/16/2018 11:15:45 by RouterOS 6.43
# software id = GUWS-61RD
#
# model = 2011UiAS-2HnD
# serial number = 727B066F37B5
/interface bridge
add admin-mac=6C:3B:6B:F9:1A:86 auto-mac=no comment=defconf name=bridge protocol-mode=none
/interface ethernet
set [ find default-name=ether2 ] advertise=1000M-full comment="Wireless AP" name=ether2-WIFI speed=100Mbps
set [ find default-name=ether3 ] advertise=1000M-full comment=Laptop
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether6-master
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp1 ] disabled=yes
set [ find default-name=ether1 ] advertise=1000M-full mac-address=6C:3B:6B:F9:1A:8F name=wan
/interface wireless
set [ find default-name=wlan1 ] amsdu-limit=2048 band=2ghz-g/n channel-width=20/40mhz-Ce country="united states" \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=xxx tx-power-mode=all-rates-fixed \
    wireless-protocol=802.11 wps-mode=disabled
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed name="guest security" \
    supplicant-identity=""
/ip kid-control
add disabled=yes fri=7h-21h mon=7h-19h name=xxx sat=7h-21h sun=7h-19h thu=7h-19h tue=7h-19h wed=7h-19h
add disabled=yes fri=7h-21h mon=7h-19h name=xxx sat=7h-21h sun=7h-19h thu=7h-19h tue=7h-19h wed=7h-19h
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=10.10.10.100-10.10.10.254
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=bridge name=defconf
/queue type
add kind=pcq name=max_upload_5m pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=9M \
    pcq-src-address6-mask=64 pcq-total-limit=9000KiB
add kind=pcq name=upload_512k pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64 \
    pcq-total-limit=409KiB
add kind=pcq name=upload_16k pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64 \
    pcq-total-limit=12KiB
add kind=pcq name=upload_256k_rate pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=204k \
    pcq-src-address6-mask=64
add kind=pcq name=upload_16k_rate pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=12k \
    pcq-src-address6-mask=64
add kind=pcq name=max_download_400m pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=400M \
    pcq-src-address6-mask=64 pcq-total-limit=400000KiB
add kind=pcq name=download_4m pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64 \
    pcq-total-limit=3276KiB
add kind=pcq name=download_2m pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64 \
    pcq-total-limit=1638KiB
add kind=pcq name=download_1m pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64 \
    pcq-total-limit=819KiB
add kind=pcq name=download_512k pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64 \
    pcq-total-limit=409KiB
add kind=pcq name=download_4m_rate pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=3276k \
    pcq-src-address6-mask=64
add kind=pcq name=download_2m_rate pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=1638k \
    pcq-src-address6-mask=64
add kind=pcq name=download_1m_rate pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=819k \
    pcq-src-address6-mask=64
add kind=pcq name=download_512k_rate pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=409k \
    pcq-src-address6-mask=64
add kind=pcq name=download_300m pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64 \
    pcq-total-limit=300000KiB
add kind=pcq name=download_100m_rate pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=100k \
    pcq-src-address6-mask=64 pcq-total-limit=100000KiB
add kind=pcq name=upload_15m pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=15M pcq-src-address6-mask=\
    64 pcq-total-limit=15000KiB
add kind=pcq name=upload_5m pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64 \
    pcq-total-limit=4500KiB
add kind=pcq name=download_50m pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64 \
    pcq-total-limit=40000KiB
add kind=pcq name=download_20m pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64 \
    pcq-total-limit=16000KiB
add kind=pcq name=upload_19m pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=19M pcq-src-address6-mask=\
    64 pcq-total-limit=19000KiB
add kind=pcq name=upload_2m pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64 \
    pcq-total-limit=1600KiB
add kind=pcq name=upload_1m pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-src-address6-mask=64 \
    pcq-total-limit=800KiB
add kind=pcq name=upload_15m_rate pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=15M \
    pcq-src-address6-mask=64 pcq-total-limit=18000KiB
add kind=pcq name=upload_2m_rate pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=1600k \
    pcq-src-address6-mask=64 pcq-total-limit=2400KiB
add kind=pcq name=upload_1m_rate pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=800 \
    pcq-src-address6-mask=64 pcq-total-limit=800KiB
add kind=pcq name=upload_5m_rate pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=5M \
    pcq-src-address6-mask=64 pcq-total-limit=5000KiB
add kind=pcq name=upload_9m_rate pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=9M \
    pcq-src-address6-mask=64 pcq-total-limit=9000KiB
/queue interface
set ether3 queue=ethernet-default
set wan queue=ethernet-default
/queue tree
add name=wan_download packet-mark=wan-all_in_pkt parent=global priority=1 queue=max_download_400m
add name=wan_upload packet-mark=wan-all_out_pkt parent=global priority=1 queue=upload_19m
add name=wan_d_unknown packet-mark=wan-all_unknown_in_pkt parent=wan_download queue=download_50m
add name=wan_u_unknown packet-mark=wan-all_unknown_out_pkt parent=wan_upload queue=upload_15m_rate
add name=wan_d_laptop packet-mark=wan-all_laptop_in_pkt parent=wan_download priority=2 queue=max_download_400m
add name=wan_u_laptop packet-mark=wan-all_laptop_out_pkt parent=wan_upload priority=2 queue=upload_19m
add name=wan_d_desktop_server packet-mark=wan-all_desktop_server_in_pkt parent=wan_download priority=3 queue=\
    download_50m
add name=wan_u_desktop_server packet-mark=wan-all_desktop_server_out_pkt parent=wan_upload priority=3 queue=\
    upload_15m_rate
add name=wan_d_desktop_new packet-mark=wan-all_desktop_new_in_pkt parent=wan_download priority=5 queue=download_50m
add name=wan_u_desktop_new packet-mark=wan-all_desktop_new_out_pkt parent=wan_upload priority=5 queue=upload_9m_rate
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-WIFI
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf hw=no interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=sfp1 list=discover
add interface=ether2-WIFI list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6-master list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=wlan1 list=discover
add interface=bridge list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=wan list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2-WIFI network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=wan use-peer-dns=no
/ip dhcp-server lease
add address=192.168.88.103 always-broadcast=yes mac-address=xxx server=defconf
add address=192.168.88.101 client-id=xxx server=defconf
add address=192.168.88.99 client-id=xxx server=defconf
add address=192.168.88.102 client-id=xxx server=defconf
add address=192.168.88.100 client-id=xxx server=defconf
add address=192.168.88.98 always-broadcast=yes client-id=xxx server=\
    defconf
add address=192.168.88.43 mac-address=xxx server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router
/ip firewall address-list
add address=192.168.88.100 comment=laptop list=shaped
add address=192.168.88.101 comment=desktop_server list=shaped
add address=192.168.88.102 comment=desktop_new list=shaped
add address=198.168.88.0/24 list="Local LAN"
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
/ip firewall filter
add action=drop chain=input comment="Drop input invalid connection packets" connection-state=invalid
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-mark=wan-all_laptop_in_conn \
    connection-state="" packet-mark=wan-all_laptop_in_pkt
add action=accept chain=input comment="Allow input established and related connections" connection-state=\
    established,related
add action=accept chain=input comment="Allow all input for local net" src-address=192.168.88.0/24
add action=accept chain=forward comment="Allow forward established and related connections" connection-state=\
    established,related
add action=accept chain=forward comment="Allow all forward for local net" src-address=192.168.88.0/24
add action=accept chain=input comment="Allow input Ping" disabled=yes in-interface=wan protocol=icmp
add action=drop chain=input comment="All other inputs drop"
add action=drop chain=forward comment="Drop forward invalid connection packets" connection-state=invalid
add action=accept chain=forward comment="Allow forward Ping" protocol=icmp
/ip firewall mangle
add action=mark-connection chain=forward comment="Incoming Conn" in-interface=wan new-connection-mark=wan-all_in_conn \
    passthrough=yes
add action=mark-packet chain=forward comment="Incoming Pkt" connection-mark=wan-all_in_conn new-packet-mark=\
    wan-all_in_pkt passthrough=yes
add action=mark-connection chain=forward comment="Outgoing Conn" new-connection-mark=wan-all_out_conn out-interface=\
    wan passthrough=yes
add action=mark-packet chain=forward comment="Outgoing Pkt" connection-mark=wan-all_out_conn new-packet-mark=\
    wan-all_out_pkt passthrough=yes
add action=mark-connection chain=forward comment="Unknown In Conn" dst-address-list=!shaped in-interface=wan \
    new-connection-mark=wan-all_unknown_in_conn passthrough=yes
add action=mark-packet chain=forward comment="Unknown In Pkt" connection-mark=wan-all_unknown_in_conn \
    new-packet-mark=wan-all_unknown_in_pkt passthrough=yes
add action=mark-connection chain=forward comment="Unknown Out Conn" new-connection-mark=wan-all_unknown_out_conn \
    out-interface=wan passthrough=yes src-address-list=!shaped
add action=mark-packet chain=forward comment="Unknown Out Pkt" connection-mark=wan-all_unknown_out_conn \
    new-packet-mark=wan-all_unknown_out_pkt passthrough=yes
add action=mark-connection chain=forward comment="Laptop In Conn" dst-address=192.168.88.100 in-interface=wan \
    new-connection-mark=wan-all_laptop_in_conn passthrough=yes
add action=mark-connection chain=forward comment="Laptop In Conn" dst-address=192.168.88.98 in-interface=wan \
    new-connection-mark=wan-all_laptop_in_conn passthrough=yes
add action=mark-packet chain=forward comment="Laptop In Pkt" connection-mark=wan-all_laptop_in_conn new-packet-mark=\
    wan-all_laptop_in_pkt passthrough=yes
add action=mark-connection chain=forward comment="Laptop Out Conn" new-connection-mark=wan-all_laptop_out_conn \
    out-interface=wan passthrough=yes src-address=192.168.88.100
add action=mark-connection chain=forward comment="Laptop Out Conn" new-connection-mark=wan-all_laptop_out_conn \
    out-interface=wan passthrough=yes src-address=192.168.88.98
add action=mark-packet chain=forward comment="Laptop Out Pkt" connection-mark=wan-all_laptop_out_conn \
    new-packet-mark=wan-all_laptop_out_pkt passthrough=yes
add action=mark-connection chain=forward comment="desktop_server In Conn" dst-address=192.168.88.101 in-interface=wan \
    new-connection-mark=wan-all_desktop_server_in_conn passthrough=yes
add action=mark-packet chain=forward comment="desktop_server In Pkt" connection-mark=wan-all_desktop_server_in_conn \
    new-packet-mark=wan-all_desktop_server_in_pkt passthrough=yes
add action=mark-connection chain=forward comment="desktop_server Out Conn" new-connection-mark=\
    wan-all_desktop_server_out_conn out-interface=wan passthrough=yes src-address=192.168.88.101
add action=mark-packet chain=forward comment="desktop_server Out Pkt" connection-mark=wan-all_desktop_server_out_conn \
    new-packet-mark=wan-all_desktop_server_out_pkt passthrough=yes
add action=mark-connection chain=forward comment="desktop_new In Conn" dst-address=192.168.88.102 in-interface=wan \
    new-connection-mark=wan-all_desktop_new_in_conn passthrough=yes
add action=mark-packet chain=forward comment="desktop_new In Pkt" connection-mark=wan-all_desktop_new_in_conn \
    new-packet-mark=wan-all_desktop_new_in_pkt passthrough=yes
add action=mark-connection chain=forward comment="desktop_new Out Conn" new-connection-mark=\
    wan-all_desktop_new_out_conn out-interface=wan passthrough=yes src-address=192.168.88.102
add action=mark-packet chain=forward comment="desktop_new Out Pkt" connection-mark=wan-all_desktop_new_out_conn \
    new-packet-mark=wan-all_desktop_new_out_pkt passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=wan
add action=dst-nat chain=dstnat dst-port=32400 in-interface=wan protocol=tcp to-addresses=192.168.88.101 to-ports=\
    32400
add action=dst-nat chain=dstnat dst-port=32400 in-interface=wan protocol=udp to-addresses=192.168.88.101 to-ports=\
    32400
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip hotspot service-port
set ftp disabled=yes
/ip kid-control device
add mac-address=xxx
add mac-address=xxx
add mac-address=xxx
add mac-address=xxx
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24
set ssh address=192.168.88.0/24 port=2200
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/ip upnp
set allow-disable-external-interface=yes enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add disabled=yes interface=wan type=external
/lcd
set default-screen=stat-slideshow enabled=no read-only-mode=yes touch-screen=disabled
/lcd interface
set sfp1 disabled=yes
set ether2-WIFI disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set ether6-master disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes
set wlan1 disabled=yes
/lcd interface pages
set 0 interfaces=wan
/system clock
set time-zone-name=America/New_York
/system logging
add topics=wireless
/system ntp client
set enabled=yes primary-ntp=216.229.0.179 secondary-ntp=38.88.18.251
/system routerboard settings
set silent-boot=no
/tool bandwidth-server
set authenticate=no enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool mac-server ping
set enabled=no
[admin@MikroTik] >

These are both screenshots for speedtests i get with this configuration. CPU doesn’t exceed 45% with the faster result speedtest. Slower speedtest cpu doesn’t exceed 26%.

I tried resetting to vanilla WISP AP as such:

[admin@MikroTik] > export hide-sensitive
# sep/16/2018 11:48:34 by RouterOS 6.43
# software id = GUWS-61RD
#
# model = 2011UiAS-2HnD
# serial number = 727B066F37B5
/interface bridge
add admin-mac=6C:3B:6B:F9:1A:86 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto \
    mode=ap-bridge ssid=MikroTik-F91A8F wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/New_York
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] >

For some reason, this vanilla config gives even slower speed than my normal.

Hi,

Do I understand it right and correct me if I’m wrong, but after resetting to vanilla WISP AP, the download speed is still lousy?
Please check the Routerboard “Current Firmware” is 6.43 and/or re-install the 6.43 packages.

Yes router os and firmware are both updated. I posted some screenshots earlier today with dslreports speed test showing normal speed (multiple connections?) but any other speed test (single tcp connection?) shows slower speed. My modem is not a router, so no bridge mode possible there. I’ll try and reinstall firmware and router os.

Firstly, when pasting config, please place this between the code brackets, makes it easier to read and not such long posts.

Then, I am a bit confused, you are showing 2 speedtests screens, one with 158Mb download and another with 448Mb download. the 448Mb is not to bad.

In current config, you have many Q’s and Mangle rules, at most I had about 3 simple Q’s so difficult to compare, but you also have “passthrough=yes” on almost all Mangle Rules, that is not correct and will eat CPU cycles which will affect routing speeds.Have a search through @sindy’s posts, some excellent explanations.

I will also reorganize the firewall filter rules, what I had in ordered list (Very basic but very effective I think):

chain forward action drop connection invalid
Chain forward action fasttrack est, rel & untracked
chain forward action accept est, related & untracked
chain forward action accept connections new from LAN
chain forward action accept connection state dstnat from WAN
chain forward action drop all from WAN
chain input action drop connection invalid
chain input action accept est, related & untracked
chain input action accept connections new from LAN
chain input action drop all from WAN

Thanks CZfan, I fixed the code view. CPU never exceeds 45% or so when running at that 450mbps speed and my connection is going through fasttrack. Both of those screenshots were different bandwidth tests with that same configuration that I’ve been running for 2 years. One of the connection tests runs through multiple TCP connections is what mikrotik support was telling me, the other is only a single TCP stream. I used to get these speeds normally from speedtest.com when i first moved to this house in june, using that same configuration with fasttrack, but now i’m not. The only thing that changed is i updated my firmware and routerOS to current.

Apologies if you mentioned it earlier, but from what version to what version did you upgrade when you first noticed the difference?