RB3011UiAS speed issue: when testing speeds to the ISP, the download is stable at 465Mb, while the upload first hits 200Mb but then quickly drops to 80Mb.
The ISP sold speed is 500/500; the actual speed is 465/465.
I’m looking for suggestions as to what may be causing the upload to fail.
Usage:
This RB3011UiAS is set up as a gateway between the ISP and the core router, a CCR2116-12G-4S+. The intent behind this configuration is a test point with 1:1 NAT.
Troubleshooting:
I exported this configuration to 2 other RB3011UiAS routers to verify that the issue follows the config below.
When I remove the RB3011UiAS and connect the ISP directly to the core router (the CCR2116-12G-4S+), the issue goes away and we have 465Mb up and 465Mb down.
When I plug a PC into any etherX port, the issue is replicated.
Export:
/export
# 2024-11-16 19:57:47 by RouterOS 7.16.1
# software id = 8LR8-XUND
#
# model = RB3011UiAS
# serial number = E14C0E22EDD8
# Physical ports. Every port, including the ISP-facing sfp1 (comment=lumen_uplink),
# advertises only 1G full duplex and is raised to mtu=8000 / l2mtu=8154.
# ether3-ether9 are administratively disabled; ether10 is labelled "management".
# NOTE(review): a jumbo MTU on the ISP uplink only helps if the ISP path carries
# frames that large - confirm with the ISP and rule it out while chasing the
# upload drop.
/interface ethernet
set [ find default-name=ether1 ] advertise=1G-baseT-full comment=core_firewall_001a l2mtu=8154 mtu=8000
set [ find default-name=ether2 ] advertise=1G-baseT-full comment=core_firewall_001b l2mtu=8154 mtu=8000
set [ find default-name=ether3 ] advertise=1G-baseT-full disabled=yes l2mtu=8154 mtu=8000
set [ find default-name=ether4 ] advertise=1G-baseT-full disabled=yes l2mtu=8154 mtu=8000
set [ find default-name=ether5 ] advertise=1G-baseT-full disabled=yes l2mtu=8154 mtu=8000
set [ find default-name=ether6 ] advertise=1G-baseT-full disabled=yes l2mtu=8154 mtu=8000
set [ find default-name=ether7 ] advertise=1G-baseT-full disabled=yes l2mtu=8154 mtu=8000
set [ find default-name=ether8 ] advertise=1G-baseT-full disabled=yes l2mtu=8154 mtu=8000
set [ find default-name=ether9 ] advertise=1G-baseT-full disabled=yes l2mtu=8154 mtu=8000
set [ find default-name=ether10 ] advertise=1G-baseT-full comment=management l2mtu=8154 mtu=8000
set [ find default-name=sfp1 ] advertise=1G-baseT-full comment=lumen_uplink l2mtu=8154 mtu=8000
# 802.3ad (LACP) bond of ether1+ether2, hashing on layer-2 and layer-3 headers.
# Presumably this is the link to the core router described in the post - confirm.
/interface bonding
add mode=802.3ad mtu=8000 name=core_firewall_001 slaves=ether1,ether2 transmit-hash-policy=layer-2-and-3
# DHCP server bound to the bond interface. add-arp=yes adds an ARP entry per
# lease and always-broadcast=yes sends replies as broadcasts.
/ip dhcp-server
add add-arp=yes always-broadcast=yes authoritative=after-2sec-delay interface=core_firewall_001 name=dhcp1
# The default SMB user is disabled.
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
# Connection tracking: UDP entries expire after 10 seconds.
/ip firewall connection tracking
set udp-timeout=10s
# One /29 per interface, with the router at .1 in each.
# NOTE(review): ether1 and ether2 are slaves of bond core_firewall_001 (see
# /interface bonding) yet each carries its own /29 in addition to the bond's
# 10.1.12.1/29 - confirm these are intended. ether3-ether9 are disabled in
# /interface ethernet, so their addresses are presumably inactive.
/ip address
add address=10.1.11.1/29 interface=sfp1 network=10.1.11.0
add address=10.1.6.1/29 interface=ether6 network=10.1.6.0
add address=10.1.7.1/29 interface=ether7 network=10.1.7.0
add address=10.1.8.1/29 interface=ether8 network=10.1.8.0
add address=10.1.9.1/29 interface=ether9 network=10.1.9.0
add address=10.1.10.1/29 interface=ether10 network=10.1.10.0
add address=10.1.2.1/29 interface=ether2 network=10.1.2.0
add address=10.1.3.1/29 interface=ether3 network=10.1.3.0
add address=10.1.4.1/29 interface=ether4 network=10.1.4.0
add address=10.1.5.1/29 interface=ether5 network=10.1.5.0
add address=10.1.1.1/29 interface=ether1 network=10.1.1.0
add address=10.1.12.1/29 interface=core_firewall_001 network=10.1.12.0
# sfp1 also runs a DHCP client alongside its static 10.1.11.1/29.
/ip dhcp-client
add interface=sfp1
# Single static lease: this MAC always receives 10.1.12.2, the address the
# src-nat rule in /ip firewall nat matches on.
/ip dhcp-server lease
add address=10.1.12.2 mac-address=D4:01:C3:0E:A1:8D server=dhcp1
# Clients are pointed at the router itself (10.1.12.1) for gateway, DNS and NTP.
# NOTE(review): the input chain in this export accepts only established
# connections and ICMP before dropping everything else, so confirm that clients
# can actually reach DNS/NTP on the router.
/ip dhcp-server network
add address=10.1.12.0/29 dns-server=10.1.12.1 gateway=10.1.12.1 ntp-server=10.1.12.1
# Rule order matters: rules are evaluated top to bottom within each chain.
/ip firewall filter
# forward: fasttrack established/related connections, then accept the same
# states for packets that are not fasttracked.
# NOTE(review): there is no drop rule in the forward chain, and a RouterOS chain
# accepts whatever no rule matches, so every forwarded packet - including new
# inbound connections produced by the dst-nat rule below - is allowed. Filtering
# is presumably left to the downstream core router; confirm, or add explicit
# forward drops here.
# NOTE(review): hw-offload=yes only takes effect on hardware with L3 offloading;
# presumably it is not available on this model - confirm.
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
# input: protects the router itself. Only established connections and ICMP are
# accepted; the final drop has no interface match, so it applies to every port,
# including the one labelled "management".
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
add action=accept chain=input comment="Allow Established connections" connection-state=established
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=drop chain=input comment="Drop everything else"
# TTL rewrite is present but disabled.
/ip firewall mangle
add action=change-ttl chain=prerouting disabled=yes new-ttl=set:64 passthrough=yes
/ip firewall nat
# Outbound half of the 1:1 NAT: traffic from 10.1.12.2 leaving sfp1 is
# source-translated to the public address.
# NOTE(review): this is the live public address; redact it when sharing exports.
add action=src-nat chain=srcnat out-interface=sfp1 src-address=10.1.12.2 to-addresses=8.53.141.187
# Inbound half: anything addressed to the public IP, on any protocol, port or
# interface, is forwarded to 10.1.1.2.
# NOTE(review): the dst-nat target (10.1.1.2) differs from the src-nat source
# (10.1.12.2); for a 1:1 mapping these would normally be the same host - confirm.
add action=dst-nat chain=dstnat dst-address=8.53.141.187 to-addresses=10.1.1.2
# Disabled leftover masquerade rule.
add action=masquerade chain=srcnat disabled=yes out-interface=sfp1 to-addresses=10.1.1.2
# NAT helpers (connection-tracking service ports) for these protocols are disabled.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
# Dead-peer-detection tuning on the default IPsec profile.
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
# Management services switched off. winbox is not listed here; the verbose
# export further down shows it with disabled=no on port 8291 and an empty
# address list.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
set strong-crypto=yes
# UPnP is enabled with the bond as the internal side and the ISP uplink as the
# external side.
# NOTE(review): UPnP lets hosts on the internal interface request port mappings
# on sfp1 without authentication. For a fixed 1:1 NAT test point it looks
# unnecessary - confirm and consider enabled=no.
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=core_firewall_001 type=internal
add interface=sfp1 type=external
/system clock
set time-zone-name=America/Chicago
/system identity
set name=gateway001_lumen
/system note
set show-at-login=no
# The router syncs time from time.cloudflare.com (see "ntp client servers"
# below) and also runs an NTP server with manycast and multicast enabled.
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=time.cloudflare.com
/system routerboard settings
# The next line is a notice from the export itself: a RouterBOARD firmware
# upgrade has been applied but the device had not been rebooted when this was
# taken.
# Firmware upgraded successfully, please reboot for changes to take effect!
set auto-upgrade=yes
# Weekly maintenance window: Backup 02:00, Package_upgrade 02:35,
# Routerboard_Upgrade 03:40, Reboot 04:40.
# NOTE(review): every job carries the same broad policy list (including
# password, sensitive, sniff and romon), although the on-event commands shown
# are a reboot, two upgrades and a backup - trim each job to the policies it
# needs.
# NOTE(review): Backup calls a script named RouterBackup that is not part of
# this export - confirm what it does and where it stores or sends the backup.
/system scheduler
add interval=1w name=Reboot on-event="system reboot" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2018-09-18 start-time=04:40:00
add interval=1w name=Package_upgrade on-event="system package update install" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2018-09-18 start-time=02:35:00
add interval=1w name=Routerboard_Upgrade on-event="system routerboard upgrade" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2018-09-18 start-time=03:40:00
add interval=1w name=Backup on-event=RouterBackup policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2018-09-18 start-time=02:00:00
/export verbose
# 2024-11-16 19:25:41 by RouterOS 7.16.1
# software id = 8LR8-XUND
#
# model = RB3011UiAS
# serial number = E14C0E22EDD8
/interface ethernet
set [ find default-name=ether1 ] advertise=1G-baseT-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited comment=core_firewall_001a disabled=no l2mtu=8154 loop-protect=default loop-protect-disable-time=5m \
loop-protect-send-interval=5s mac-address=2C:C8:1B:19:04:F3 mtu=8000 name=ether1 orig-mac-address=2C:C8:1B:19:04:F3 rx-flow-control=off tx-flow-control=off
set [ find default-name=ether2 ] advertise=1G-baseT-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited comment=core_firewall_001b disabled=no l2mtu=8154 loop-protect=default loop-protect-disable-time=5m \
loop-protect-send-interval=5s mac-address=2C:C8:1B:19:04:F4 mtu=8000 name=ether2 orig-mac-address=2C:C8:1B:19:04:F4 rx-flow-control=off tx-flow-control=off
set [ find default-name=ether3 ] advertise=1G-baseT-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=yes l2mtu=8154 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
2C:C8:1B:19:04:F5 mtu=8000 name=ether3 orig-mac-address=2C:C8:1B:19:04:F5 rx-flow-control=off tx-flow-control=off
set [ find default-name=ether4 ] advertise=1G-baseT-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=yes l2mtu=8154 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
2C:C8:1B:19:04:F6 mtu=8000 name=ether4 orig-mac-address=2C:C8:1B:19:04:F6 rx-flow-control=off tx-flow-control=off
set [ find default-name=ether5 ] advertise=1G-baseT-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=yes l2mtu=8154 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
2C:C8:1B:19:04:F7 mtu=8000 name=ether5 orig-mac-address=2C:C8:1B:19:04:F7 rx-flow-control=off tx-flow-control=off
set [ find default-name=ether6 ] advertise=1G-baseT-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=yes l2mtu=8154 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
2C:C8:1B:19:04:F9 mtu=8000 name=ether6 orig-mac-address=2C:C8:1B:19:04:F9 rx-flow-control=off tx-flow-control=off
set [ find default-name=ether7 ] advertise=1G-baseT-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=yes l2mtu=8154 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
2C:C8:1B:19:04:FA mtu=8000 name=ether7 orig-mac-address=2C:C8:1B:19:04:FA rx-flow-control=off tx-flow-control=off
set [ find default-name=ether8 ] advertise=1G-baseT-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=yes l2mtu=8154 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
2C:C8:1B:19:04:FB mtu=8000 name=ether8 orig-mac-address=2C:C8:1B:19:04:FB rx-flow-control=off tx-flow-control=off
set [ find default-name=ether9 ] advertise=1G-baseT-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=yes l2mtu=8154 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
2C:C8:1B:19:04:FC mtu=8000 name=ether9 orig-mac-address=2C:C8:1B:19:04:FC rx-flow-control=off tx-flow-control=off
set [ find default-name=ether10 ] advertise=1G-baseT-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited comment=management disabled=no l2mtu=8154 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s \
mac-address=2C:C8:1B:19:04:FD mtu=8000 name=ether10 orig-mac-address=2C:C8:1B:19:04:FD poe-out=auto-on poe-priority=10 power-cycle-interval=none !power-cycle-ping-address power-cycle-ping-enabled=no !power-cycle-ping-timeout rx-flow-control=off \
tx-flow-control=off
set [ find default-name=sfp1 ] advertise=1G-baseT-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited comment=lumen_uplink disabled=no l2mtu=8154 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s \
mac-address=2C:C8:1B:19:04:F8 mtu=8000 name=sfp1 orig-mac-address=2C:C8:1B:19:04:F8 rx-flow-control=off sfp-ignore-rx-los=no sfp-rate-select=high sfp-shutdown-temperature=95C tx-flow-control=off
/interface bonding
add arp=enabled arp-interval=100ms arp-ip-targets="" arp-timeout=auto disabled=no down-delay=0ms !forced-mac-address lacp-rate=30secs link-monitoring=mii mii-interval=100ms min-links=0 mode=802.3ad mtu=8000 name=core_firewall_001 primary=none slaves=\
ether1,ether2 transmit-hash-policy=layer-2-and-3 up-delay=0ms
/queue interface
set core_firewall_001 queue=no-queue
/interface ethernet switch
set 0 cpu-flow-control=yes mirror-source=none mirror-target=none name=switch1
set 1 cpu-flow-control=yes mirror-source=none mirror-target=none name=switch2
/interface ethernet switch port
set 0 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 1 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 2 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 3 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 4 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 5 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 6 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 7 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 8 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 9 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 10 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 11 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
/interface ethernet switch port-isolation
set 0 !forwarding-override
set 1 !forwarding-override
set 2 !forwarding-override
set 3 !forwarding-override
set 4 !forwarding-override
set 5 !forwarding-override
set 6 !forwarding-override
set 7 !forwarding-override
set 8 !forwarding-override
set 9 !forwarding-override
set 10 !forwarding-override
set 11 !forwarding-override
/interface list
set [ find name=all ] comment="contains all interfaces" exclude="" include="" name=all
set [ find name=none ] comment="contains no interfaces" exclude="" include="" name=none
set [ find name=dynamic ] comment="contains dynamic interfaces" exclude="" include="" name=dynamic
set [ find name=static ] comment="contains static interfaces" exclude="" include="" name=static
/interface lte apn
set [ find default=yes ] add-default-route=yes apn=internet authentication=none default-route-distance=2 ip-type=auto name=default use-network-apn=yes use-peer-dns=yes
/interface macsec profile
set [ find default-name=default ] name=default server-priority=10
/ip dhcp-client option
set clientid_duid code=61 name=clientid_duid value="0xff\$(CLIENT_DUID)"
set clientid code=61 name=clientid value="0x01\$(CLIENT_MAC)"
set hostname code=12 name=hostname value="\$(HOSTNAME)"
/ip dhcp-server
add add-arp=yes address-pool=static-only always-broadcast=yes authoritative=after-2sec-delay disabled=no interface=core_firewall_001 lease-script="" lease-time=30m name=dhcp1 use-radius=no
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot html-directory-override="" http-cookie-lifetime=3d http-proxy=0.0.0.0:0 install-hotspot-queue=no login-by=cookie,http-chap name=default smtp-server=0.0.0.0 split-user-domain=no \
use-radius=no
/ip hotspot user profile
set [ find default=yes ] add-mac-cookie=yes address-list="" idle-timeout=none !insert-queue-before keepalive-timeout=2m mac-cookie-timeout=3d name=default !parent-queue !queue-type shared-users=1 status-autorefresh=1m transparent-proxy=no
/ip ipsec mode-config
set [ find default=yes ] name=request-only responder=no use-responder-dns=exclusively
/ip ipsec policy group
set [ find default=yes ] name=default
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1024 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-128,3des hash-algorithm=sha1 lifetime=1d name=default nat-traversal=yes proposal-check=obey
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m name=default pfs-group=modp1024
/ip smb users
set [ find default=yes ] disabled=yes name=guest password="" read-only=yes
/port
set 0 baud-rate=115200 data-bits=8 flow-control=none name=serial0 parity=none stop-bits=1
/ppp profile
set *0 address-list="" !bridge !bridge-horizon bridge-learning=default !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server !idle-timeout !incoming-filter !insert-queue-before !interface-list !local-address name=default on-down="" on-up="" \
only-one=default !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address !session-timeout use-compression=default use-encryption=default use-ipv6=yes use-mpls=default use-upnp=default !wins-server
set *FFFFFFFE address-list="" !bridge !bridge-horizon bridge-learning=default !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server !idle-timeout !incoming-filter !insert-queue-before !interface-list !local-address name=default-encryption \
on-down="" on-up="" only-one=default !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address !session-timeout use-compression=default use-encryption=yes use-ipv6=yes use-mpls=default use-upnp=default !wins-server
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=pcq name=pcq-upload-default pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 \
pcq-total-limit=2000KiB
set 6 kind=pcq name=pcq-download-default pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 \
pcq-total-limit=2000KiB
set 7 kind=none name=only-hardware-queue
set 8 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 9 kind=pfifo name=default-small pfifo-limit=10
/queue interface
set ether1 queue=only-hardware-queue
set ether2 queue=only-hardware-queue
set ether3 queue=only-hardware-queue
set ether4 queue=only-hardware-queue
set ether5 queue=only-hardware-queue
set ether6 queue=only-hardware-queue
set ether7 queue=only-hardware-queue
set ether8 queue=only-hardware-queue
set ether9 queue=only-hardware-queue
set ether10 queue=only-hardware-queue
set sfp1 queue=only-hardware-queue
/routing bgp template
set default as=65530 name=default
# Default SNMP community: named "public", read-only (write-access=no),
# security=none with empty authentication and encryption passwords, and
# accepted from any address (addresses=::/0).
# NOTE(review): whether the SNMP agent itself is enabled is not visible in this
# part of the export - if it is, rename the community and restrict addresses.
/snmp community
set [ find default=yes ] addresses=::/0 authentication-password="" authentication-protocol=MD5 disabled=no encryption-password="" encryption-protocol=DES name=public read-access=yes security=none write-access=no
/system logging action
set 0 memory-lines=1000 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=log disk-lines-per-file=1000 disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote=0.0.0.0 remote-port=514 src-address=0.0.0.0 syslog-facility=daemon syslog-severity=auto syslog-time-format=bsd-syslog target=remote
/user group
set read name=read policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,api,romon,rest-api,!ftp,!write,!policy skin=default
set write name=write policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,sensitive,api,romon,rest-api,!ftp,!policy skin=default
set full name=full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,rest-api skin=default
/certificate settings
set crl-download=no crl-store=ram crl-use=no
/console settings
set sanitize-names=no
/disk settings
set auto-media-interface=none auto-media-sharing=no auto-smb-sharing=no auto-smb-user=guest
/ip smb
set comment=MikrotikSMB domain=MSHOME enabled=auto interfaces=all
/interface bridge port-controller
# disabled
set bridge=none cascade-ports="" switch=none
/interface bridge port-extender
# disabled
set control-ports="" excluded-ports="" switch=none
/interface bridge settings
set allow-fast-path=yes use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
/ip firewall connection tracking
set enabled=auto generic-timeout=10m icmp-timeout=10s loose-tcp-tracking=yes tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-max-retrans-timeout=5m tcp-syn-received-timeout=5s \
tcp-syn-sent-timeout=5s tcp-time-wait-timeout=10s tcp-unacked-timeout=5m udp-stream-timeout=3m udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=static discover-interval=30s lldp-mac-phy-config=no lldp-max-frame-size=no lldp-med-net-policy-vlan=disabled lldp-poe-power=yes lldp-vlan-info=no mode=tx-and-rx protocol=cdp,lldp,mndp
/ip settings
set accept-redirects=no accept-source-route=no allow-fast-path=yes arp-timeout=30s icmp-rate-limit=10 icmp-rate-mask=0x1818 ip-forward=yes ipv4-multipath-hash-policy=l3 max-neighbor-entries=16384 rp-filter=no secure-redirects=yes send-redirects=yes \
tcp-syncookies=no
/ipv6 settings
set accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=yes-if-forwarding-disabled disable-ipv6=no forward=yes max-neighbor-entries=16384 multipath-hash-policy=l3
/interface detect-internet
set detect-interface-list=none internet-interface-list=none lan-interface-list=none wan-interface-list=none
/interface l2tp-server server
set accept-proto-version=all accept-pseudowire-type=all allow-fast-path=no authentication=pap,chap,mschap1,mschap2 caller-id-type=ip-address default-profile=default-encryption enabled=no ipsec-secret="" keepalive-timeout=30 l2tpv3-circuit-id="" \
l2tpv3-cookie-length=0 l2tpv3-digest-hash=md5 !l2tpv3-ether-interface-list max-mru=1450 max-mtu=1450 max-sessions=unlimited mrru=disabled one-session-per-host=no use-ipsec=no
/interface lte settings
set firmware-path=firmware mode=auto
/interface ovpn-server server
set auth=sha1,md5,sha256,sha512 certificate=*0 cipher=blowfish128,aes128-cbc default-profile=default enable-tun-ipv6=no enabled=no ipv6-prefix-len=64 keepalive-timeout=60 mac-address=FE:67:91:26:D1:AB max-mtu=1500 mode=ip netmask=24 port=1194 protocol=tcp \
push-routes="" redirect-gateway=disabled reneg-sec=3600 require-client-certificate=no tls-version=any tun-server-ipv6=::
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=no keepalive-timeout=30 max-mru=1450 max-mtu=1450 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none ciphers=aes256-sha,aes256-gcm-sha384 default-profile=default enabled=no keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=disabled pfs=no port=443 tls-version=any verify-client-certificate=no
/interface wifi cap
set enabled=no
/interface wifi capsman
set enabled=no
/ip address
add address=10.1.11.1/29 disabled=no interface=sfp1 network=10.1.11.0
add address=10.1.6.1/29 disabled=no interface=ether6 network=10.1.6.0
add address=10.1.7.1/29 disabled=no interface=ether7 network=10.1.7.0
add address=10.1.8.1/29 disabled=no interface=ether8 network=10.1.8.0
add address=10.1.9.1/29 disabled=no interface=ether9 network=10.1.9.0
add address=10.1.10.1/29 disabled=no interface=ether10 network=10.1.10.0
add address=10.1.2.1/29 disabled=no interface=ether2 network=10.1.2.0
add address=10.1.3.1/29 disabled=no interface=ether3 network=10.1.3.0
add address=10.1.4.1/29 disabled=no interface=ether4 network=10.1.4.0
add address=10.1.5.1/29 disabled=no interface=ether5 network=10.1.5.0
add address=10.1.1.1/29 disabled=no interface=ether1 network=10.1.1.0
add address=10.1.12.1/29 disabled=no interface=core_firewall_001 network=10.1.12.0
/ip cloud
set back-to-home-vpn=revoked-and-disabled ddns-enabled=no ddns-update-interval=none update-time=yes
/ip cloud advanced
set use-local-address=no
/ip dhcp-client
add add-default-route=yes default-route-distance=1 dhcp-options=hostname,clientid disabled=no interface=sfp1 use-peer-dns=yes use-peer-ntp=yes
/ip dhcp-server config
set accounting=yes interim-update=0s radius-password=empty store-leases-disk=5m
/ip dhcp-server lease
add address=10.1.12.2 address-lists="" !allow-dual-stack-queue dhcp-option="" disabled=no !insert-queue-before mac-address=D4:01:C3:0E:A1:8D !parent-queue !queue-type server=dhcp1
/ip dhcp-server network
add address=10.1.12.0/29 caps-manager="" dhcp-option="" dns-server=10.1.12.1 gateway=10.1.12.1 !next-server ntp-server=10.1.12.1 wins-server=""
/ip dns
set address-list-extra-time=0s allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB doh-max-concurrent-queries=50 doh-max-server-connections=5 doh-timeout=5s max-concurrent-queries=100 max-concurrent-tcp-sessions=20 max-udp-packet-size=4096 \
mdns-repeat-ifaces="" query-server-timeout=2s query-total-timeout=10s servers="" use-doh-server="" verify-doh-cert=no vrf=main
/ip firewall filter
add action=fasttrack-connection chain=forward !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate connection-state=established,related !connection-type !content disabled=no !dscp !dst-address !dst-address-list \
!dst-address-type !dst-limit !dst-port !fragment !hotspot hw-offload=yes !icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \
!out-bridge-port !out-bridge-port-list !out-interface !out-interface-list !packet-mark !packet-size !per-connection-classifier !port !priority !protocol !psd !random !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port \
!tcp-flags !tcp-mss !time !tls-host !ttl
add action=accept chain=forward !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate connection-state=established,related !connection-type !content disabled=no !dscp !dst-address !dst-address-list !dst-address-type \
!dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list \
!out-interface !out-interface-list !packet-mark !packet-size !per-connection-classifier !port !priority !protocol !psd !random !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host !ttl
add action=drop chain=input comment="Drop Invalid connections" !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate connection-state=invalid !connection-type !content disabled=no !dscp !dst-address !dst-address-list \
!dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \
!out-bridge-port-list !out-interface !out-interface-list !packet-mark !packet-size !per-connection-classifier !port !priority !protocol !psd !random !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss \
!time !tls-host !ttl
add action=accept chain=input comment="Allow Established connections" !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate connection-state=established !connection-type !content disabled=no !dscp !dst-address \
!dst-address-list !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \
!out-bridge-port !out-bridge-port-list !out-interface !out-interface-list !packet-mark !packet-size !per-connection-classifier !port !priority !protocol !psd !random !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port \
!tcp-flags !tcp-mss !time !tls-host !ttl
add action=accept chain=input comment="Allow ICMP" !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate !connection-state !connection-type !content disabled=no !dscp !dst-address !dst-address-list !dst-address-type \
!dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list \
!out-interface !out-interface-list !packet-mark !packet-size !per-connection-classifier !port !priority protocol=icmp !psd !random !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host \
!ttl
add action=drop chain=input comment="Drop everything else" !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate !connection-state !connection-type !content disabled=no !dscp !dst-address !dst-address-list !dst-address-type \
!dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list \
!out-interface !out-interface-list !packet-mark !packet-size !per-connection-classifier !port !priority !protocol !psd !random !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host !ttl
/ip firewall mangle
add action=change-ttl chain=prerouting !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate !connection-state !connection-type !content disabled=yes !dscp !dst-address !dst-address-list !dst-address-type !dst-limit \
!dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" new-ttl=set:64 !nth !out-bridge-port \
!out-bridge-port-list !out-interface !out-interface-list !packet-mark !packet-size passthrough=yes !per-connection-classifier !port !priority !protocol !psd !random !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port \
!tcp-flags !tcp-mss !time !tls-host !ttl
/ip firewall nat
add action=src-nat chain=srcnat !connection-bytes !connection-limit !connection-mark !connection-rate !connection-type !content disabled=no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
!in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list out-interface=sfp1 !out-interface-list !packet-mark \
!packet-size !per-connection-classifier !port !priority !protocol !psd !random !routing-mark src-address=10.1.12.2 !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss !time to-addresses=8.53.141.187 !to-ports !ttl
add action=dst-nat chain=dstnat !connection-bytes !connection-limit !connection-mark !connection-rate !connection-type !content disabled=no !dscp dst-address=8.53.141.187 !dst-address-list !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
!in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list !packet-mark \
!packet-size !per-connection-classifier !port !priority !protocol !psd !random !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss !time to-addresses=10.1.1.2 !to-ports !ttl
add action=masquerade chain=srcnat !connection-bytes !connection-limit !connection-mark !connection-rate !connection-type !content disabled=yes !dscp !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
!in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list out-interface=sfp1 !out-interface-list !packet-mark \
!packet-size !per-connection-classifier !port !priority !protocol !psd !random !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss !time to-addresses=10.1.1.2 !to-ports !ttl
/ip firewall service-port
set ftp disabled=yes ports=21
set tftp disabled=yes ports=69
set irc disabled=yes ports=6667
set h323 disabled=yes
set sip disabled=yes ports=5060,5061 sip-direct-media=yes sip-timeout=1h
set pptp disabled=yes
set rtsp disabled=yes ports=554
set udplite disabled=no
set dccp disabled=no
set sctp disabled=no
# Hotspot entries: the hotspot ftp helper and the default-trial user profile are present.
# NOTE(review): whether any hotspot server is configured is not visible here.
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
set [ find default=yes ] comment="counters and limits for trial users" disabled=no name=default-trial
# IPsec: a single policy template (template=yes) matching ::/0 to ::/0 with the default group and proposal.
/ip ipsec policy
set 0 disabled=no dst-address=::/0 group=default proposal=default protocol=all src-address=::/0 template=yes
/ip ipsec settings
set accounting=yes interim-update=0s xauth-use-radius=no
/ip media settings
set thumbnails=""
# NAT-PMP port mapping is off (enabled=no).
/ip nat-pmp
set enabled=no
# Web proxy is off (enabled=no); port=8080 and the cache values only apply if it is turned on.
/ip proxy
set always-from-cache=no anonymous=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no cache-path=web-proxy enabled=no max-cache-object-size=2048KiB max-cache-size=unlimited max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
parent-proxy=:: parent-proxy-port=0 port=8080 serialize-connections=no src-address=::
# Management services. Only winbox (port 8291) is enabled; telnet, ftp, www, ssh, www-ssl, api and api-ssl are disabled.
# address="" puts no source-address restriction on winbox, so its reachability depends entirely on the
# input-chain filter rules, which are not in this part of the export.
# NOTE(review): set address= on winbox to the management subnet so it cannot be reached from sfp1 (the ISP uplink).
# NOTE(review): www-ssl and api-ssl have certificate=none and tls-version=any; assign a certificate and
# tls-version=only-1.2 before either is ever enabled.
/ip service
set telnet address="" disabled=yes max-sessions=20 port=23 vrf=main
set ftp address="" disabled=yes max-sessions=20 port=21
set www address="" disabled=yes max-sessions=20 port=80 vrf=main
set ssh address="" disabled=yes max-sessions=20 port=22 vrf=main
set www-ssl address="" certificate=none disabled=yes max-sessions=20 port=443 tls-version=any vrf=main
set api address="" disabled=yes max-sessions=20 port=8728 vrf=main
set winbox address="" disabled=no max-sessions=20 port=8291 vrf=main
set api-ssl address="" certificate=none disabled=yes max-sessions=20 port=8729 tls-version=any vrf=main
# Default SMB share /pub is disabled. If it is ever enabled, read-only=no and require-encryption=no
# would make it a writable, unencrypted share.
/ip smb shares
set [ find default=yes ] comment="default share" directory=/pub disabled=yes invalid-users="" name=pub read-only=no require-encryption=no valid-users=""
# SOCKS proxy is off (enabled=no). The stored settings are auth-method=none on port 1080.
# NOTE(review): when auditing a router, an enabled SOCKS or web proxy that nobody configured is worth investigating.
/ip socks
set auth-method=none connection-idle-timeout=2m enabled=no max-connections=200 port=1080 version=4 vrf=main
# SSH server parameters: strong-crypto=yes, allow-none-crypto=no, forwarding-enabled=no, 2048-bit RSA host key.
# The ssh service itself is disabled under /ip service, so these only apply if it is turned on.
/ip ssh
set allow-none-crypto=no always-allow-password-login=no forwarding-enabled=no host-key-size=2048 host-key-type=rsa strong-crypto=yes
/ip tftp settings
set max-block-size=4096
# Traffic-flow (flow export) is off (enabled=no), so no flow records are produced.
# The ipfix field list below only describes what would be exported if it were enabled.
/ip traffic-flow
set active-flow-timeout=30m cache-entries=256k enabled=no inactive-flow-timeout=15s interfaces=all packet-sampling=no sampling-interval=0 sampling-space=0
/ip traffic-flow ipfix
set bytes=yes dst-address=yes dst-address-mask=yes dst-mac-address=yes dst-port=yes first-forwarded=yes gateway=yes icmp-code=yes icmp-type=yes igmp-type=yes in-interface=yes ip-header-length=yes ip-total-length=yes ipv6-flow-label=yes is-multicast=yes \
last-forwarded=yes nat-dst-address=yes nat-dst-port=yes nat-events=no nat-src-address=yes nat-src-port=yes out-interface=yes packets=yes protocol=yes src-address=yes src-address-mask=yes src-mac-address=yes src-port=yes sys-init-time=yes tcp-ack-num=yes \
tcp-flags=yes tcp-seq-num=yes tcp-window-size=yes tos=yes ttl=yes udp-length=yes
# UPnP is enabled, with sfp1 (the ISP uplink) as the external side and the core_firewall_001 bond as the internal side.
# UPnP has no authentication: any host reachable through the internal interface can ask the router
# to create port mappings on the external address.
# NOTE(review): the stated 1:1 NAT gateway role does not need this. Unless a client depends on it,
# set enabled=no and remove the two interface entries.
/ip upnp
set allow-disable-external-interface=no enabled=yes show-dummy-rule=yes
/ip upnp interfaces
add disabled=no !forced-ip interface=core_firewall_001 type=internal
add disabled=no !forced-ip interface=sfp1 type=external
# Default IPv6 neighbour-discovery entry: router advertisements are configured for interface=all with advertise-dns=yes.
# NOTE(review): whether IPv6 is enabled or addressed on this router is not visible here. If it is unused,
# confirm it is off so nothing is advertised toward sfp1.
/ipv6 nd
set [ find default=yes ] advertise-dns=yes advertise-mac-address=yes disabled=no hop-limit=unspecified interface=all managed-address-configuration=no mtu=unspecified other-configuration=no ra-delay=3s ra-interval=3m20s-10m ra-lifetime=30m ra-preference=medium \
reachable-time=unspecified retransmit-interval=unspecified
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=1w valid-lifetime=4w2d
# Front-panel LCD: touch-screen=enabled with read-only-mode=no, so the panel can change settings, not only display them.
# pin-number=1234 is the RouterOS default PIN and is published in this export.
# NOTE(review): if the unit is physically accessible, change the PIN, or set read-only-mode=yes or touch-screen=disabled.
/lcd
set backlight-timeout=30m color-scheme=dark default-screen=main-menu enabled=yes flip-screen=no read-only-mode=no time-interval=min touch-screen=enabled
/lcd pin
set hide-pin-number=no pin-number=1234
# LCD display configuration only: every port is shown with max-speed=auto and a 10s timeout,
# and all six screens are enabled.
/lcd interface
set ether1 disabled=no max-speed=auto timeout=10s
set ether2 disabled=no max-speed=auto timeout=10s
set ether3 disabled=no max-speed=auto timeout=10s
set ether4 disabled=no max-speed=auto timeout=10s
set ether5 disabled=no max-speed=auto timeout=10s
set sfp1 disabled=no max-speed=auto timeout=10s
set ether6 disabled=no max-speed=auto timeout=10s
set ether7 disabled=no max-speed=auto timeout=10s
set ether8 disabled=no max-speed=auto timeout=10s
set ether9 disabled=no max-speed=auto timeout=10s
set ether10 disabled=no max-speed=auto timeout=10s
/lcd interface pages
set 0 interfaces=ether1,ether2,ether3,ether4,ether5,sfp1,ether6,ether7,ether8,ether9,ether10
/lcd screen
set 0 disabled=no timeout=10s
set 1 disabled=no timeout=10s
set 2 disabled=no timeout=10s
set 3 disabled=no timeout=10s
set 4 disabled=no timeout=10s
set 5 disabled=no timeout=10s
/mpls settings
set allow-fast-path=yes dynamic-label-range=16-1048575 propagate-ttl=yes
# PPP authentication is local only (use-radius=no).
/ppp aaa
set accounting=yes enable-ipv6-accounting=no interim-update=0s use-circuit-id-in-nas-port-id=no use-radius=no
# Incoming RADIUS requests (port 3799) are not accepted (accept=no).
/radius incoming
set accept=no port=3799 vrf=main
/routing igmp-proxy
set query-interval=2m5s query-response-interval=10s quick-leave=no
/routing settings
set single-process=no
# SNMP is off (enabled=no). The stored trap settings use community "public" and trap-version=1.
# NOTE(review): if SNMP is ever enabled, replace the "public" community and prefer SNMPv3 with authentication.
/snmp
set contact="" enabled=no engine-id-suffix="" location="" src-address=:: trap-community=public trap-generators=temp-exception trap-target="" trap-version=1 vrf=main
# Time zone America/Chicago, with autodetect on.
/system clock
set time-zone-autodetect=yes time-zone-name=America/Chicago
/system clock manual
set dst-delta=+00:00 dst-end="1970-01-01 00:00:00" dst-start="1970-01-01 00:00:00" time-zone=+00:00
# The serial console on serial0 is enabled, so physical access to the serial port reaches a login prompt.
/system console
set [ find port=serial0 ] channel=0 disabled=no port=serial0 term=vt102
/system identity
set name=gateway001_lumen
# The user LED shows activity on sfp1.
/system leds
set 0 disabled=no interface=sfp1 leds=user-led type=interface-activity
/system leds settings
set all-leds-off=never
# Logging: info, error and warning go to the memory action and critical goes to echo.
# No rule sends logs to disk or to a remote syslog target.
# NOTE(review): memory logs are presumably lost at every restart, and the scheduler below reboots the router weekly.
# Add a rule with a remote (syslog) action so login and firewall events are kept for investigation.
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-cli-login=no show-at-login=no
# NTP client: unicast to time.cloudflare.com with auth-key=none.
/system ntp client
set enabled=yes mode=unicast servers=time.cloudflare.com vrf=main
# The NTP server is also enabled (multicast=yes, manycast=yes, auth-key=none), so the router answers NTP queries.
# NOTE(review): if only the client is needed, set enabled=no here. Otherwise confirm the input chain
# does not expose UDP/123 on sfp1.
/system ntp server
set auth-key=none broadcast=no broadcast-addresses="" enabled=yes local-clock-stratum=5 manycast=yes multicast=yes use-local-clock=no vrf=main
/system ntp client servers
add address=time.cloudflare.com auth-key=none disabled=no iburst=yes max-poll=10 min-poll=6
# IRQ-to-CPU assignment is left on auto for all eight entries, and RPS is disabled on every port.
/system resource irq
set 0 cpu=auto
set 1 cpu=auto
set 2 cpu=auto
set 3 cpu=auto
set 4 cpu=auto
set 5 cpu=auto
set 6 cpu=auto
set 7 cpu=auto
/system resource irq rps
set ether1 disabled=yes
set ether2 disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set sfp1 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes
/system resource usb settings
set authorization=no
# The reset-button script hook is off (enabled=no, empty on-event).
/system routerboard reset-button
set enabled=no hold-time=0s..1m on-event=""
# RouterBOOT settings. protected-routerboot=disabled, enable-jumper-reset=yes and enter-setup-on=any-key
# leave the boot loader and configuration reset available to anyone with physical or serial access.
# boot-device=nand-if-fail-then-ethernet falls back to network boot (bootp) when NAND boot fails.
# auto-upgrade=yes is set for RouterBOOT firmware; the comment below is the export reporting a pending reboot.
# NOTE(review): where the unit is not physically secured, consider protected-routerboot=enabled
# after reading its recovery implications.
/system routerboard settings
# Firmware upgraded successfully, please reboot for changes to take effect!
set auto-upgrade=yes baud-rate=115200 boot-delay=2s boot-device=nand-if-fail-then-ethernet boot-protocol=bootp enable-jumper-reset=yes enter-setup-on=any-key force-backup-booter=no preboot-etherboot=disabled preboot-etherboot-server=any protected-routerboot=\
disabled reformat-hold-button=20s reformat-hold-button-max=10m silent-boot=no
# Weekly unattended maintenance, by start-time: 02:00 Backup (runs a script named RouterBackup, not shown here),
# 02:35 package update install, 03:40 routerboard upgrade, 04:40 reboot.
# Every entry carries the full policy set (ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon).
# NOTE(review): reduce each entry's policy to what its on-event needs; the Reboot entry, for example,
# should not need password, sniff or sensitive.
# NOTE(review): Package_upgrade installs updates with no review step. Confirm that is intended on an
# internet-facing gateway, and check where RouterBackup stores its file and whether the backup is encrypted.
/system scheduler
add disabled=no interval=1w name=Reboot on-event="system reboot" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2018-09-18 start-time=04:40:00
add disabled=no interval=1w name=Package_upgrade on-event="system package update install" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2018-09-18 start-time=02:35:00
add disabled=no interval=1w name=Routerboard_Upgrade on-event="system routerboard upgrade" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2018-09-18 start-time=03:40:00
add disabled=no interval=1w name=Backup on-event=RouterBackup policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2018-09-18 start-time=02:00:00
# The upgrade mirror is off (enabled=no).
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0 user=""
# The watchdog timer is on with no watch-address. A supout file is generated automatically
# (automatic-supout=yes) but is not sent anywhere (auto-send-supout=no).
/system watchdog
set auto-send-supout=no automatic-supout=yes ping-start-after-boot=5m ping-timeout=1m watch-address=none watchdog-timer=yes
# The bandwidth-test server is enabled with authenticate=yes, so it accepts sessions from clients that log in as a router user.
# NOTE(review): this is one more login-accepting service on the gateway. Set enabled=no outside test windows,
# or confirm the input chain keeps it unreachable from sfp1.
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=100
# E-mail is unconfigured (server=0.0.0.0, empty user and password). If it is set up later, tls=no
# would send mail and credentials without TLS.
/tool e-mail
set from=<> password="" port=25 server=0.0.0.0 tls=no user="" vrf=main
/tool graphing
set page-refresh=300 store-every=5min
# MAC-layer management: MAC-Telnet and MAC-Winbox are allowed on every interface (allowed-interface-list=all),
# and the MAC ping server is on. That includes sfp1, so devices on the ISP-side layer-2 segment can reach the login.
# NOTE(review): create an interface list holding only the management port (ether10 is labelled "management"
# in the interface section) and use it for both allowed-interface-list settings.
/tool mac-server
set allowed-interface-list=all
/tool mac-server mac-winbox
set allowed-interface-list=all
/tool mac-server ping
set enabled=yes
# RoMON is off (enabled=no). The default port entry covers interface=all with empty secrets.
# NOTE(review): set a secret and restrict the ports before RoMON is ever enabled.
/tool romon
set enabled=no id=00:00:00:00:00:00 secrets=""
/tool romon port
set [ find default=yes ] cost=100 disabled=no forbid=no interface=all secrets=""
# SMS tool is unused (port=none, receive-enabled=no).
/tool sms
set allowed-number="" channel=0 polling=no port=none receive-enabled=no secret="" sim-pin="" sms-storage=sim
# Packet sniffer settings: no filters are set and streaming is off (streaming-enabled=no).
/tool sniffer
set file-limit=1000KiB file-name="" filter-cpu="" filter-direction=any filter-dst-ip-address="" filter-dst-ipv6-address="" filter-dst-mac-address="" filter-dst-port="" filter-interface="" filter-ip-address="" filter-ip-protocol="" filter-ipv6-address="" \
filter-mac-address="" filter-mac-protocol="" filter-operator-between-entries=or filter-port="" filter-size="" filter-src-ip-address="" filter-src-ipv6-address="" filter-src-mac-address="" filter-src-port="" filter-stream=no filter-vlan="" memory-limit=100KiB \
memory-scroll=yes only-headers=no quick-rows=20 quick-show-frame=no streaming-enabled=no streaming-server=0.0.0.0:37008
/tool traffic-generator
set latency-distribution-max=100us measure-out-of-order=no stats-samples-to-keep=100 test-id=0
# Router logins are authenticated locally (use-radius=no); default-group=read is the group named for AAA users.
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s use-radius=no
# No password policy is enforced: minimum-password-length=0 and minimum-categories=0.
# NOTE(review): winbox is the enabled login path on this gateway, so set a non-zero minimum length
# and category count to rule out empty or trivial passwords.
/user settings
set minimum-categories=0 minimum-password-length=0