RB2011UiAS loses about 40 megabits of throughput!?!

I have a RB2011UiAS-2HnD-IN in my home. There is an N WiFi LAN, a Mac and NAS connected to it. Nothing much, yet the router loses 40 MBits!

I just tested direct connection with the same cable to my DSL modem and the speed was 146 MBit. When I connect to the MikroTik the speed is 106.

What can I do to check what the heck is happening? The network is behind a NAT.

The measurements are quite consistent. I tried increasing and reducing processor speed for testing, but there was no change (as expected).

Use hardware bridge.

How and where??

Thanks!

https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_Hardware_Offloading

I will try, but I still don’t get this. If a CPU is powerful enough, and it is, and I have tested that practically both by throttling and by using the NAS at full 1 GBit speeds, there should be no need for hardware switching.

The gigabit switch has a gigabit connection to the CPU, it is normal to have to avoid software. The fast switch might be similar.

Don’t bridge between switches or the WAN.

This means some hosts may need to be connected to the same half.

I forgot that fasttrack might also be needed.

I read the article, but I am not sure if it applies, mainly because 150 Mbit is a low rate on a WAN, and the CPU is completely under-stressed. I see no reason for this speed drop.

Also WAN is separate from the bridge, and I do have a fasttrack rule. The hosts are connected to the same (gigabit) half of the router.

This can be many things.

Run this and post the config
export hide-sensitive

How many firewall rules?

How big is your cluster? What spec are your hosts?

This network is mostly trivial. I use it for home office, and there are only a few hosts connected.

After tweaking the router a bit, I got the speeds up to 130 MBit, but there is still about 10 MBit of loss, which is completely unacceptable.

As for firewall rules there are only a few general ones.

Here is the config:

# feb/19/2020 09:03:32 by RouterOS 6.45.8
#
# model = 2011UiAS-2HnD
/interface bridge
add admin-mac=64:D1:54:E3:FD:0A auto-mac=no comment=defconf name=MREZA
/interface ethernet
set [ find default-name=ether5 ] name=GBE-ether5 speed=100Mbps
set [ find default-name=ether1 ] name=INTERNET speed=100Mbps
set [ find default-name=ether3 ] name=PRASE-ether3 speed=100Mbps
set [ find default-name=ether2 ] name=TABLETA-ether2 speed=100Mbps
set [ find default-name=ether4 ] name=ZORG-ether4 speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp1 ] disabled=yes
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-g/n basic-rates-a/g=18Mbps basic-rates-b="" country=no_country_set disabled=no frequency=2462 frequency-mode=manual-txpower installation=indoor mode=ap-bridge name=WiFi \
    rate-set=configured ssid=SKYNET supported-rates-a/g=18Mbps,24Mbps,36Mbps,48Mbps,54Mbps supported-rates-b="" wireless-protocol=802.11 wps-mode=disabled
/caps-man configuration
add channel.band=2ghz-g/n channel.control-channel-width=20mhz channel.tx-power=14 datapath.bridge=MREZA distance=indoors installation=indoor name=skynet security.authentication-types=wpa2-psk security.encryption=aes-ccm ssid=SKYNET
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed name=VIRUS supplicant-identity=""
/ip pool
add name=dhcp ranges=192.168.42.100-192.168.42.200
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=MREZA lease-time=1w1d name=defconf
/ppp profile
add dns-server=192.168.99.1 local-address=192.168.99.1 name=sstp-profile remote-address=192.168.99.2 use-encryption=required
set *FFFFFFFE local-address=192.168.89.1 remote-address=192.168.89.2
/queue simple
add disabled=yes max-limit=1G/1G name="ALL BW" target=192.168.42.0/24
/queue tree
add disabled=yes max-limit=10M name="All BW" parent=global priority=1
add disabled=yes max-limit=10M name=Download packet-mark=client-dw-pk parent="All BW" priority=2
add disabled=yes max-limit=1M name=Upload parent="All BW"
add disabled=yes max-limit=10M name=http-dw packet-mark=http-dw-pk parent=Download priority=1 queue=pcq-download-default
add disabled=yes max-limit=5M name=other-dw parent=Download priority=6 queue=pcq-download-default
add disabled=yes max-limit=1M name=http-up packet-mark=http-up-pk parent=Upload priority=1 queue=pcq-upload-default
add disabled=yes max-limit=512k name=other-up parent=Upload priority=6 queue=pcq-upload-default
/caps-man manager
set ca-certificate=auto certificate=auto
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=skynet
/interface bridge port
add bridge=MREZA comment=defconf interface=TABLETA-ether2
add bridge=MREZA comment=defconf interface=PRASE-ether3
add bridge=MREZA comment=defconf interface=ZORG-ether4
add bridge=MREZA comment=defconf interface=GBE-ether5
add bridge=MREZA comment=defconf interface=ether6
add bridge=MREZA comment=defconf interface=ether7
add bridge=MREZA comment=defconf interface=ether8
add bridge=MREZA comment=defconf interface=sfp1
add bridge=MREZA comment=defconf interface=WiFi
add bridge=MREZA interface=*E
add bridge=MREZA interface=ether9
add bridge=MREZA interface=ether10
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=MREZA list=LAN
add comment=defconf interface=INTERNET list=WAN
/interface sstp-server server
set authentication=mschap2 certificate=Server default-profile=sstp-profile force-aes=yes pfs=yes
/interface wireless cap
set caps-man-addresses=127.0.0.1 certificate=request interfaces=WiFi
/ip address
add address=192.168.42.1/24 comment=defconf interface=TABLETA-ether2 network=192.168.42.0
add address=192.168.69.2/24 disabled=yes interface=INTERNET network=192.168.69.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=INTERNET
/ip dhcp-server alert
add disabled=no interface=MREZA valid-server=64:D1:54:E3:FD:0A
/ip dhcp-server lease
add address=192.168.42.101 client-id=1:0:11:32:83:31:14 mac-address=00:11:32:83:31:14 server=defconf
add address=192.168.42.102 client-id=1:a8:60:b6:39:f8:c6 mac-address=A8:60:B6:39:F8:C6 server=defconf
/ip dhcp-server network
add address=192.168.42.0/24 caps-manager=192.168.42.1 comment=defconf dns-server=192.168.42.1 domain=skynet.local gateway=192.168.42.1 netmask=24 ntp-server=216.239.35.0,216.239.35.4
/ip dns
set allow-remote-requests=yes servers=176.103.130.130,176.103.130.131
/ip dns static
add address=192.168.42.1 name=theboss.local
/ip firewall address-list
add address=192.168.42.2-192.168.42.254 list=clients
add address=192.168.42.1 list=router
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=add-src-to-address-list address-list=markirani_korisnici_tcp address-list-timeout=none-dynamic chain=forward comment=brojanje protocol=tcp src-address-list=clients
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall mangle
add action=accept chain=prerouting comment=router dst-address-list=router
add action=accept chain=forward comment=DNS port=53 protocol=tcp
add action=accept chain=forward comment=UDP protocol=udp
add action=mark-connection chain=forward comment=clinet-dw-con in-interface=INTERNET new-connection-mark=client-dw-con passthrough=yes
add action=mark-packet chain=forward comment=client-dw-pk connection-mark=client-dw-con new-packet-mark=client-dw-pk passthrough=yes
add action=mark-connection chain=prerouting comment=client-up-con in-interface=MREZA new-connection-mark=client-up-con passthrough=yes
add action=mark-packet chain=prerouting comment=client-up-pk connection-mark=client-up-con new-packet-mark=client-up-pk passthrough=yes
add action=mark-packet chain=forward comment=http-dw-pk new-packet-mark=http-dw-pk packet-mark=client-dw-pk passthrough=no port=80,443 protocol=tcp
add action=mark-packet chain=forward comment=http-up-pk new-packet-mark=http-up-pk packet-mark=client-up-pk passthrough=no port=80,443 protocol=tcp
add action=mark-connection chain=forward comment=other-con new-connection-mark=other-con passthrough=yes
add action=mark-packet chain=forward comment=other-dw-pk new-packet-mark=other-dw-pk packet-mark=client-dw-pk passthrough=no
add action=mark-packet chain=forward comment=other-up-pk new-packet-mark=other-up-pk packet-mark=client-up-pk passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=53 log=yes log-prefix="*****LOCAL DNS FORWARD*****" protocol=udp src-address=192.168.42.102 to-addresses=192.168.42.1 to-ports=53
add action=dst-nat chain=dstnat disabled=yes dst-port=53 protocol=tcp src-address=192.168.42.102 to-addresses=192.168.42.1 to-ports=53
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
/ip route
add distance=1 gateway=192.168.69.1
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=MREZA type=internal
add interface=INTERNET type=external
/lcd
set backlight-timeout=never default-screen=stats read-only-mode=yes
/lcd interface
set INTERNET timeout=1s
/ppp secret
add name=vpn
add name=sstp profile=sstp-profile service=sstp
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name="The Boss"
/system logging
add topics=caps
add topics=wireless
/system ntp client
set enabled=yes primary-ntp=216.239.35.0 secondary-ntp=216.239.35.4
/system ntp server
set broadcast=yes enabled=yes
/system package update
set channel=long-term
/system routerboard settings
set cpu-frequency=650MHz
/tool graphing
set store-every=hour
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes
/tool romon port
add disabled=no forbid=yes interface=INTERNET

What does ‘ip settings print’ say?

What tweakings did you do?

@Vortex Here:

ip settings print
              ip-forward: yes
          send-redirects: yes
     accept-source-route: no
        accept-redirects: no
        secure-redirects: yes
               rp-filter: no
          tcp-syncookies: no
    max-neighbor-entries: 8192
             arp-timeout: 30s
         icmp-rate-limit: 10
          icmp-rate-mask: 0x1818
             route-cache: yes
         allow-fast-path: yes
   ipv4-fast-path-active: no
  ipv4-fast-path-packets: 0
    ipv4-fast-path-bytes: 0
   ipv4-fasttrack-active: yes
  ipv4-fasttrack-packets: 2519484
    ipv4-fasttrack-bytes: 3405603511

@anav - I upgraded the OS, shuffled some rules around in the firewall, turned off fast path, rebooted and turned it on, tried turning off the entire firewall (no change), tried overclocking and downclocking the CPU (no change), turned PPP services off, and other stuff. It didn’t help, obviously. I measured this a number of times and the difference is now 10 MBit. Before, the difference was huge: I got 110 Mbit max (about 30 less).

Here - top two measurements are direct cable to modem, and rest of the stuff is via MikroTik.

Did you update the firmware too?

Yes. Both current and upgrade firmware.

When you test what is the status of the CPU?

I see you have a few mangle rules. Did you create those and can you disable those for a test?

I have just disabled Mangle. The measurements are consistently 10-15 MBit slower than the direct link.
Ping is about the same.
CPU peaks at about 30-40%, but is usually around 10-15%.

Are you sure that you have a 1000Mbit link on ETH1 (and on the port you connect your speedtest-running PC to)?
Your configuration sets ports 1-5 (the gigabit ports) to SPEED=100M.
The other ports (ETH6-10) are 100Mbit only on the RB2011.
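
The check suggested in the last reply, as an added example that is not part of the thread: it reads a RouterOS export and lists Ethernet ports whose `speed=` is lower than the port supports. The capability table comes from that reply (RB2011: ether1-5 gigabit, ether6-10 100 Mbit); the function names are this example's own, and the sample is an excerpt of the export posted above.

```python
import re

# Assumption taken from the reply above: on the RB2011, ether1-5 are gigabit
# and ether6-10 are 100 Mbit. Adjust the table for other models.
PORT_CAPABILITY_MBPS = {f"ether{n}": 1000 if n <= 5 else 100 for n in range(1, 11)}
SPEED_MBPS = {"10Mbps": 10, "100Mbps": 100, "1Gbps": 1000}

def ethernet_settings(export_text):
    """Yield (default_name, properties) for each 'set' line under /interface ethernet."""
    text = re.sub(r"\\\n\s*", "", export_text)  # exports wrap long lines with '\'
    section = None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
        elif section == "/interface ethernet":
            m = re.match(r"set \[ find default-name=(\S+) \](.*)", line)
            if m:
                yield m.group(1), dict(re.findall(r"(\S+?)=(\S+)", m.group(2)))

def capped_ports(export_text):
    """Return ports whose configured speed is below the port's capability."""
    findings = []
    for port, props in ethernet_settings(export_text):
        capable = PORT_CAPABILITY_MBPS.get(port)
        configured = SPEED_MBPS.get(props.get("speed", ""))
        if capable and configured and configured < capable:
            findings.append({
                "port": port, "name": props.get("name", port),
                "configured": configured, "capable": capable,
                # RouterOS applies 'speed' only when auto-negotiation is disabled,
                # so report whether the export actually turns it off.
                "autoneg_off": props.get("auto-negotiation") == "no",
            })
    return findings

# Excerpt of the export posted in this thread.
SAMPLE = """\
/interface bridge
add admin-mac=64:D1:54:E3:FD:0A auto-mac=no comment=defconf name=MREZA
/interface ethernet
set [ find default-name=ether5 ] name=GBE-ether5 speed=100Mbps
set [ find default-name=ether1 ] name=INTERNET speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp1 ] disabled=yes
/ip pool
add name=dhcp ranges=192.168.42.100-192.168.42.200
"""

if __name__ == "__main__":
    for finding in capped_ports(SAMPLE):
        print(finding)
```

The negotiated rate on the running router is the deciding evidence; the export only shows what was configured.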