I just switch provider. My provider delivers an pre-configured and very limited mediaconverter/router/access point. It is an Genexis Platinum 7840. They give no support using own hardware. At the moment i have it working, but i’am not happy with the current solution. I have connected my RB2011iL to the Genexis as an exposed host/DMZ. But now i have to NAT two times and i do like this solution in general.

I have bought an mediaconverter KTI Networks Model: KGC-300 with an SC SFP BiD.
When i connect the RB2011iL to the mediaconverter i get an IP address on ether1. This is een 10.45.0.0 /16 address and not the public IP address i expect. I have used the torch function and discoverd that i have two VLAN’s 100 and 101. I’m almost certain that VLAN 100 is internet and 101 IPTV.
I added an VLAN interface, WAN-INTERNET-100 with VLAN 100 to ether1 and made an extra DHCP client on this interface. I get an public IP address in the correct network.

Interfaces ether2 to ether8 are added to the bridge: BRIDGE-LOCAL, my LAN, and ether1 and WAN-INTERNET-100 are added to the interface-list: WAN

The problem at the moment is that i’m not able to get from my LAN to internet. I was not able to test of incoming connections worked, because i have some NAT and firewall rules active to internal devices.

Can somebody help me? Do i have to add an extra route or do i have to make changes to my firewall rules or NAT MASQUERADE rule?

Thanks in advance.

Post config (/export hide-sensitive and obfuscate any personal information … LAN IPs are not sensitive, WAN IP is) …

Thanks. I did get it to work.

Only problem i have now is that my TV starts stuttering when downloading at full speed (speedtest.net for example).

ether6 says it uses Hardware offloading. But i'm not able to enable it on the VLAN interface WAN-IPTV-101. When downloading the CPU goes to 90 to 99% usage.

This is my configuration:

nov/27/2018 22:25:42 by RouterOS 6.42.12

software id = CQY3-X8R2

model = 2011iL

serial number =

/interface bridge
add fast-forward=no name=bridge-IPTV protocol-mode=none
add admin-mac=E4:8D:8C:2C:30:0E auto-mac=no fast-forward=no igmp-snooping=yes name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] comment=CAIWAY
set [ find default-name=ether2 ] comment="Mikrotik AP BG"
set [ find default-name=ether3 ] comment="Synology NAS"
set [ find default-name=ether6 ] comment=STB
set [ find default-name=ether10 ] full-duplex=no poe-out=off speed=1Gbps
/interface vlan
add interface=ether1 name=WAN-INTERNET-100 vlan-id=100
add interface=ether1 name=WAN-IPTV-101 vlan-id=101
/caps-man datapath
add bridge=bridge-local client-to-client-forwarding=yes local-forwarding=no name=J&J
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name="J&J WPA/WPA2"
/caps-man configuration
add country=netherlands datapath=J&J mode=ap name=J&J security="J&J WPA/WPA2" ssid="Jip en Janneke"
add channel.band=2ghz-b/g/n channel.control-channel-width=20mhz country=netherlands datapath=J&J mode=ap name=Cams security="J&J WPA/WPA2" ssid=SC
/interface list
add name=mactel
add name=mac-winbox
add name=WAN
add exclude=dynamic name=discover
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-client option
add code=60 name=IPTV_RG value="'IPTV_RG'"
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=dhcp ranges=192.168.76.10-192.168.76.75
add name=SSTP ranges=192.168.77.2-192.168.77.10
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=bridge-local lease-time=1d name=DHCP-Thuis
/ppp profile
set *FFFFFFFE bridge=bridge-local change-tcp-mss=default dns-server=192.168.76.1 local-address=192.168.77.1 remote-address=SSTP
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
add addresses=0.0.0.0/0 name=private security=private
/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=yes interface=any signal-range=-90..20 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=yes interface=any signal-range=-120..-91 ssid-regexp=""
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes package-path=/
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=J&J name-format=identity slave-configurations=Cams
/interface bridge port
add bridge=bridge-local hw=no interface=ether2
add bridge=bridge-local hw=no interface=ether3
add bridge=bridge-local interface=ether5
add bridge=bridge-local hw=no interface=ether7
add bridge=bridge-local hw=no interface=ether8
add bridge=bridge-local hw=no interface=ether9
add bridge=bridge-local hw=no interface=ether10
add bridge=bridge-local interface=ether4
add bridge=bridge-IPTV broadcast-flood=no interface=ether6 learn=no unknown-unicast-flood=no
add bridge=bridge-IPTV interface=WAN-IPTV-101
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add interface=ether2 list=mactel
add interface=ether3 list=mactel
add interface=ether2 list=mac-winbox
add interface=ether4 list=mactel
add interface=ether3 list=mac-winbox
add interface=ether5 list=mactel
add interface=ether4 list=mac-winbox
add interface=ether6 list=mactel
add interface=ether5 list=mac-winbox
add interface=ether7 list=mactel
add interface=ether6 list=mac-winbox
add interface=ether8 list=mactel
add interface=ether9 list=mactel
add interface=ether10 list=mactel
add interface=bridge-local list=mactel
add interface=ether7 list=mac-winbox
add interface=ether8 list=mac-winbox
add interface=ether9 list=mac-winbox
add interface=ether10 list=mac-winbox
add interface=bridge-local list=mac-winbox
add interface=ether1 list=WAN
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6 list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=bridge-local list=discover
/interface sstp-server server
set authentication=mschap2 certificate=Server default-profile=default-encryption enabled=yes force-aes=yes pfs=yes port=3389
/ip accounting
set threshold=2560
/ip accounting web-access
set address=192.168.77.10/32
/ip address
add address=192.168.76.1/24 comment="default configuration" interface=ether2 network=192.168.76.0
/ip cloud
set update-time=no
/ip dhcp-client
add dhcp-options=hostname,clientid,IPTV_RG disabled=no interface=ether1
add dhcp-options=hostname,clientid disabled=no interface=WAN-INTERNET-100
/ip dhcp-server lease
add address=192.168.76.230 comment="CAM Achtertuin" mac-address=28:F3:66:60:1F:B4
add address=192.168.76.231 comment="CAM Voortuin" mac-address=E0:B9:4D:69:3F:1F
add address=192.168.76.232 always-broadcast=yes mac-address=A0:9D:C1:D0:75:85
add address=192.168.76.233 client-id=1:0:40:8c:95:74:f3 comment="Axis cam" mac-address=00:40:8C:95:74:F3 server=DHCP-Thuis
/ip dhcp-server network
add address=192.168.76.0/24 comment="default configuration" domain=thuis gateway=192.168.76.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=212.45.45.45,212.45.33.3
/ip firewall filter
add action=fasttrack-connection chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="Blokkeer internet toegang camara voortuin" log=yes log-prefix=block_voortuin out-interface=ether1 src-address=192.168.76.230
add action=drop chain=forward comment="Blokkeer internet toegang camara achtertuin" log=yes log-prefix=blockachtertuin out-interface=ether1 src-address=192.168.76.231
add action=drop chain=forward comment="Blokkeer internet toegang camara werkkamer" disabled=yes log-prefix=blockwerkkamer out-interface=ether1 src-address=192.168.76.232
add action=accept chain=input comment="SSTP VPN naar Router" dst-port=3389 in-interface=ether1 protocol=tcp
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="HTTPS verbinding naar MikroTik beheer" disabled=yes dst-port=1976 protocol=tcp
add action=accept chain=forward comment=IGMP protocol=udp
add action=accept chain=input comment=IGMP protocol=udp
add action=accept chain=forward comment=IGMP disabled=yes protocol=igmp
add action=accept chain=input comment=IGMP protocol=igmp
add action=drop chain=input comment="default configuration" in-interface=ether1
add action=accept chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid log-prefix=ipv4_fw_drop
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input comment="default configuration" in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Default configuration" out-interface=WAN-INTERNET-100
add action=masquerade chain=srcnat comment="Default configuration" src-address=192.168.77.0/24
add action=dst-nat chain=dstnat comment="SSH naar NAS" disabled=yes dst-port=22 in-interface=ether1 protocol=tcp to-addresses=192.168.76.2 to-ports=22
add action=dst-nat chain=dstnat comment="HTTP naar NAS" dst-port=5000 in-interface=WAN-INTERNET-100 protocol=tcp to-addresses=192.168.76.2 to-ports=5000
add action=dst-nat chain=dstnat comment="HTTPS naar NAS" dst-port=5001 in-interface=WAN-INTERNET-100 protocol=tcp to-addresses=192.168.76.2 to-ports=5001
add action=dst-nat chain=dstnat comment="HTTP naar NAS" dst-port=80 in-interface=WAN-INTERNET-100 log-prefix=HTTPNAS protocol=tcp to-addresses=192.168.76.2 to-ports=80
add action=dst-nat chain=dstnat comment="Synology Drive" dst-port=6690 in-interface=WAN-INTERNET-100 log-prefix=SynDrive protocol=tcp to-addresses=192.168.76.2 to-ports=6690
add action=dst-nat chain=dstnat comment="HTTPS naar NAS" dst-port=443 in-interface=WAN-INTERNET-100 log-prefix=HTTPSNAS protocol=tcp to-addresses=192.168.76.2 to-ports=443
add action=dst-nat chain=dstnat comment="SMTP naar mailserver NAS" dst-port=25 in-interface=WAN-INTERNET-100 protocol=tcp to-addresses=192.168.76.2 to-ports=25
add action=dst-nat chain=dstnat comment=PLEX disabled=yes dst-port=32400 in-interface=ether1 protocol=tcp to-addresses=192.168.76.2 to-ports=32400
add action=dst-nat chain=dstnat comment="VPN Synology" dst-port=1701 in-interface=WAN-INTERNET-100 protocol=udp to-addresses=192.168.76.2 to-ports=1701
add action=dst-nat chain=dstnat comment="VPN Synology" dst-port=500 in-interface=WAN-INTERNET-100 protocol=udp to-addresses=192.168.76.2 to-ports=500
add action=dst-nat chain=dstnat comment="VPN Synology" dst-port=4500 in-interface=WAN-INTERNET-100 protocol=udp to-addresses=192.168.76.2 to-ports=4500
add action=dst-nat chain=dstnat comment="VPN Synology" dst-port=1723 in-interface=WAN-INTERNET-100 protocol=tcp to-addresses=192.168.76.2 to-ports=1723
/ip proxy
set anonymous=yes
/ip route
add disabled=yes distance=1 gateway=192.168.1.254
/ip service
set telnet disabled=yes
set www disabled=yes port=1976
set www-ssl disabled=no port=1976
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=bridge-local type=internal
/ppp secret
add name=deefje profile=default-encryption service=sstp
/snmp
set contact=Dave enabled=yes location=Thuis trap-generators=*ABC0002 trap-version=2
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=Router
/system logging
add topics=sstp
/system ntp client
set primary-ntp=130.89.0.19 secondary-ntp=216.239.35.0 server-dns-names=time1.google.com
/system package update
set channel=long-term
/system routerboard settings
set silent-boot=yes
/system watchdog
set watchdog-timer=no
/tool graphing interface
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
set file-name=test only-headers=yes

There are quite a few things that prevent you from having HW offload properly:

1. Only single bridge per switch port group can have HW offload. Your RM2011iL has two switch chips, one spanning ether1-ether5 and the other spanning ether6-ether10.
2. VLANs, handled by bridges, can’t be HW offloaded
3. high CPU load while you’re downloading is not due to lack of HW offload for VLAN 101, but due to lack of HW offload overall
4. high CPU load might be due to setting /interface bridge settings set use-ip-firewall=yes … are you really sure you want to force all LAN traffic and IPTV through IP firewall?
   I guess LAN traffic can be trusted while you might not want to care about IPTV (it’s just the set-top box that might get hit by hackers which would hack IPTV provider’s network beforehand). Internet traffic if being firewalled without this setting as that’s L3 traffic which doesn’t pass just through bridge, it’s shuffled across IP interfaces.

In addition to that, you should be aware that ether6-ether10 are only 100Mbps. If your internet link is up to 100Mbps, you might want to connect it to one of ether6-ether10 ports and free ether1 for LAN connection with high-speed switching.

In any case, RB2011 is not a beast when it comes to routing speed, I doubt it could handle much more than 200Mbps with all those firewall filter rules.

For this post to be complete: there’s nothing wrong with the way you’re dealing with IPTV VLAN. However, since RouterOS version 6.42 the idea is to have single bridge per device and configure VLAN stuff on bridge. However, on most devices (but CRS3xx and CCR?) HW offload is lost when VLANs are configured on bridge. This particular case I’d advise to stick to 2-bridge scenario.

I suggest you to make the following changes to your setup:

1. move WAN connection to ether10. Move specific config (i.e. vlan interfaces) with it.
2. don’t set hw=no to ports members of bridge-local (in /interface bridge port.
3. don’t set /interface bridge settings set use-ip-firewall=yes
4. router’s IP config should go to bridge, not to ether2 (that’s in /ip address
5. use interface-list in firewall filter rules (instead of interface). And firewall nat rules as well. E.g. use in-interface-list=WAN instead of in-interface=ether1. Makes firewall filter rules more readable and easier to make topology changes (i.e. change WAN interface from ether1 to ether10 … firewall filter rules would stay unchanged, only change in /interface list member would be necessary).
6. reconsider firewall filter rules allowing all UDP traffic in any direction (comment=IGMP protocol=udp) as they might be a tad too liberal. Try to make it more specific by adding some more checks (e.g. in-interface=ether6 or ports=xxxx-yyyy).
7. the second-to-last and third-to-last filter rules are exactly the same … either one can be removed (according to suggestion #5 above I’d remove third-to-last rule).
8. why do you have second src-nat rule? If it’s to allow SSTP connected clients to access internet, then already the first rule (more general one) does the trick. If it’s to masquerade SSTP clients when accessing normal LAN, then … well, I wouldn’t do it, this should be already possible without it. In any case, reconsider this rule to assess security implications.

Thanks mkx. You’re advise is great and very welcome. Maybe i should replace my router with an new one, one with an SFP, thus eliminating the need for a mediavonverter. Could the: RB960PGS do the job? This because you’re stated that the device could possible have problems with routing at speeds higher than 200mbps.

I have resetted the router and started from scratch.

I have a 300 Mbit/s internet connection therefor i prefer to use ether1 as my WAN interface. I have tried to implement as much as possible of your advise. It feels ast it works a little bit better. By i have still have some stuttering when downloading at full speed or performing speedtest.net tests. On the IPTV bridge and the assigned interface ether6 HW offloading is not active. On the interface in the default bridge HW offloading is active.

Hereby my current config:

# feb/14/2019 11:05:47 by RouterOS 6.42.12
# software id = CQY3-X8R2
#
# model = 2011iL
# serial number = 
/interface bridge
add admin-mac=E4:8D:8C:2C:30:0E auto-mac=no comment=defconf name=bridge
add name=bridge-iptv protocol-mode=none
/interface vlan
add interface=ether1 name=WAN-INTERNET-100 vlan-id=100
add interface=ether1 name=WAN-IPTV-101 vlan-id=101
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=J&J
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name="J&J WPA/WPA2"
/caps-man configuration
add channel.control-channel-width=20mhz country=netherlands datapath=J&J mode=ap name=J&J security="J&J WPA/WPA2" ssid="Jip en Janneke"
add channel.band=2ghz-b/g/n channel.control-channel-width=20mhz country=netherlands datapath=J&J mode=ap name=Cams security="J&J WPA/WPA2" ssid=SC
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add disabled=no interface=bridge lease-time=1d name=defconf
/ip pool
add name=default-dhcp ranges=192.168.76.10-192.168.76.75
add name=SSTP ranges=192.168.77.2-192.168.77.10
/ppp profile
set *FFFFFFFE bridge=bridge change-tcp-mss=default dns-server=192.168.76.1 local-address=192.168.77.1 remote-address=SSTP
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=J&J name-format=identity slave-configurations=Cams
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge-iptv comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge-iptv interface=WAN-IPTV-101
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=WAN-INTERNET-100 list=WAN
/interface sstp-server server
set authentication=mschap2 certificate=server default-profile=default-encryption enabled=yes force-aes=yes pfs=yes port=3389
/ip address
add address=192.168.76.1/24 comment=defconf interface=bridge network=192.168.76.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
add dhcp-options=hostname,clientid disabled=no interface=WAN-INTERNET-100
/ip dhcp-server lease
add address=192.168.76.230 comment="CAM Achtertuin" mac-address=28:F3:66:60:1F:B4
add address=192.168.76.231 comment="CAM Voortuin" mac-address=E0:B9:4D:69:3F:1F
add address=192.168.76.232 always-broadcast=yes mac-address=A0:9D:C1:D0:75:85
add address=192.168.76.250 mac-address=CC:2D:E0:47:9F:14
add address=192.168.76.12 mac-address=FC:3F:7C:F1:36:3B
/ip dhcp-server network
add address=192.168.76.0/24 comment=defconf gateway=192.168.76.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
add address=192.168.76.1 name=router.thuis
add address=192.168.76.2 name=nas.thuis
add address=192.168.76.2 name=thuis.familieelbers.nl
add address=192.168.76.4 name=printer.thuis
add address=192.168.76.231 name=camvoortuin.thuis
add address=192.168.76.230 name=camachtertuin.thuis
add address=192.168.76.250 name=MT-AP-BG.thuis
add address=192.168.76.232 name=camwerkkamer.thuis
/ip firewall filter
add action=accept chain=input comment="SSTP VPN naar Router" dst-port=3389 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="SSTP VPN" src-address=192.168.77.0/24
add action=accept chain=forward comment="SSTP VPN" src-address=192.168.77.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="Blokkeer internet toegang camara voortuin" log=yes log-prefix=block_voortuin out-interface-list=WAN src-address=192.168.76.230
add action=drop chain=forward comment="Blokkeer internet toegang camara achtertuin" log=yes log-prefix=blockachtertuin out-interface-list=WAN src-address=192.168.76.231
add action=drop chain=forward comment="Blokkeer internet toegang camara werkkamer" log-prefix=blockwerkkamer out-interface-list=WAN src-address=192.168.76.232
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="Default configuration" src-address=192.168.77.0/24
add action=dst-nat chain=dstnat comment="VPN Synology" dst-port=1701 in-interface-list=WAN protocol=udp to-addresses=192.168.76.2 to-ports=1701
add action=dst-nat chain=dstnat comment="VPN Synology" dst-port=500 in-interface-list=WAN protocol=udp to-addresses=192.168.76.2 to-ports=500
add action=dst-nat chain=dstnat comment="VPN Synology" dst-port=4500 in-interface-list=WAN protocol=udp to-addresses=192.168.76.2 to-ports=4500
add action=dst-nat chain=dstnat comment="VPN Synology" dst-port=1723 in-interface-list=WAN protocol=tcp to-addresses=192.168.76.2 to-ports=1723
add action=dst-nat chain=dstnat comment="SSH naar NAS" disabled=yes dst-port=22 in-interface-list=WAN protocol=tcp to-addresses=192.168.76.2 to-ports=22
add action=dst-nat chain=dstnat comment="HTTP naar NAS" dst-port=5000 in-interface-list=WAN protocol=tcp to-addresses=192.168.76.2 to-ports=5000
add action=dst-nat chain=dstnat comment="HTTPS naar NAS" dst-port=5001 in-interface-list=WAN protocol=tcp to-addresses=192.168.76.2 to-ports=5001
add action=dst-nat chain=dstnat comment="HTTP naar NAS" dst-port=80 in-interface-list=WAN log-prefix=HTTPNAS protocol=tcp to-addresses=192.168.76.2 to-ports=80
add action=dst-nat chain=dstnat comment="Synology Drive" dst-port=6690 in-interface-list=WAN log-prefix=SynDrive protocol=tcp to-addresses=192.168.76.2 to-ports=6690
add action=dst-nat chain=dstnat comment="HTTPS naar NAS" dst-port=443 in-interface-list=WAN log-prefix=HTTPSNAS protocol=tcp to-addresses=192.168.76.2 to-ports=443
add action=dst-nat chain=dstnat comment="SMTP naar mailserver NAS" dst-port=25 in-interface-list=WAN protocol=tcp to-addresses=192.168.76.2 to-ports=25
/ppp secret
add name=deefje profile=default-encryption service=sstp
/system clock
set time-zone-name=Europe/Amsterdam
/system routerboard settings
set silent-boot=yes
/tool graphing interface
add interface=WAN-INTERNET-100
add interface=WAN-IPTV-101
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Any good reason for having both ether1 (untagged) and WAN-INTERNET-100 (tagged VID=100) active as WAN interfaces? Both have DHCP-client attached … check which one is actually active (/ip address print) and remove config of the other one (remove dhcp-client bound to unused interface ad remove unused interface from WAN interface list).
Not that the cange would mean much with regard to your problem (IPTV not performing optimally).

Other than that I don’t see anything wrong with your current config. The only solution while keeping RB2011 as router would be to reconfigure whole VLAN stuff (to use switch chip functionality), which would probably help with IPTV but would probably still not unleash full internet speed …

As I already said, RB2011 is not a beast, neither is RB960PGS. Both feature old single-core CPUs. I guess the best solution (practically replacement for your RB2011) would be RB4011 … it has lots of CPU power (capable of gigabit routing), it features SFP+ port and (wireless model) also dual-band wifi. The price is still reasonable (though quite much higher than RB960PGS).

Thanks again. I have also implemented this tips, for now it works fine. I have ordered an RB4011 as an replacement for my current RB2011.

I was just thinking there are two most known solutions for IPTV with the router i have. The bridged solution i used now and the routed. Wich one should be better and has the least impact on the router?

Most of the times routed is better, this because the tv receiver can also use other internet related services like Netflix or YouTube.
At least that is the case with KPN in Holland.

It really depends on implementation of how IPTV streams get delivered to set-top boxes. For example, my ISP delivers IPTV multicast streams in separate VLAN and their set-top boxes expect to receive IPTV through VLAN as well. Which allows to have IPTV switched and still have internet part (for those set-top boxes that feature internet functions) routed through all the security engine. As my ISP also manages set-top boxes via TR-069 through the same VLAN interface, it would be quite a challenge to set things up in routed IPTV solution not to break things in this aspect.

You might want to verify setup with your ISP (or some user forum dedicated to your ISP) whether set-top boxes are actually supposed to use VLANs as well but just survive without them as it is now in your case. You could deduct that from the set-up recommended by your ISP as well.

Internet is delivered over VLAN 100 and IPTV over 101. The STP expects the streams untagd. The VLAN is untagged on the LAN side. On the original router from my ISP the STP is on the same network as my regular devices.

I think it possible to use the igmp-proxy (multicast package), but i dot know if this would be a better solution than de bridge i use now. I have found some articles from users who uses the routed mode with my provider. But mosty with ubiquiti routers and no Mikrotik.

I cannot find and clear answer what has the least impact on the router (CPU utilisation). Maybe i should just test it

Tommorow my new router will be delivered.

My guess is that bridging is less CPU intensive than routing …