RB4011iGS+ performance

I recently bought the RB4011iGS+ router to replace my old CRS125.
My internet provider has migrated my connectivity to fiber. From the provider’s router the speedtest reaches 860Mbps download, while if I try the same speedtest from the laptop connected via cable to the mikrotik router I don’t go beyond 290Mbps.
The cpu of the RB4011iGS+ never exceeds 30 per cent utilisation, normally it is always below 5 per cent.
I don’t understand where the problem lies. From the specifications of the hardware I should get to 1Gbps, I guess it’s a configuration problem.
I am not experienced in configuration on RouterOS.

These are the firewall and nat rules:

/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Test: Established e Related" \
    connection-state=established,related
add action=accept chain=forward comment="LAN to OpenVPN-Site2" \
    dst-address=192.168.100.0/24 log-prefix="LAN to OpenVPN-Site2" \
    src-address=192.168.0.0/24
add action=accept chain=forward comment="LAN to OpenVPN Clients" dst-address=\
    192.168.200.0/24 log-prefix="LAN to OpenVPN Clients" src-address=\
    192.168.0.0/24
add action=accept chain=forward comment="Wireguard - LAN to Router Site2 " \
    dst-address=192.168.201.2 log-prefix=\
    "Wireguard - LAN to Router Site2 " src-address=192.168.0.0/24
add action=accept chain=forward comment="Wireguard - LAN to Client VPN" \
    dst-address=192.168.202.0/24 log=yes log-prefix=\
    "Wireguard - LAN to Client VPN" src-address=192.168.0.0/24
add action=accept chain=forward comment=\
    "OpenVPN Site2 + Smartphone to LAN" dst-address=192.168.0.0/24 \
    log-prefix="OpenVPN Site2 + Smartphone to LAN" src-address=\
    192.168.200.0/28
add action=accept chain=forward comment="Site2 to Site1" dst-address=\
    192.168.0.0/24 log-prefix="Site2 to Site1" src-address=\
    192.168.100.0/24
add action=accept chain=forward comment=\
    "OpenVPN-Site2 to Wireguard-Client" dst-address=192.168.202.0/24 \
    log-prefix="OpenVPN-Site2 to Wireguard-Client" src-address=\
    192.168.100.0/24
add action=accept chain=forward dst-address=192.168.0.0/24 src-address=\
    192.168.202.0/24
add action=accept chain=forward dst-address=192.168.100.0/24 src-address=\
    192.168.202.0/24
add action=accept chain=forward comment="LAN - Deprecated_Device NTP" \
    dst-port=123 log-prefix="LAN - Deprecated_Device NTP" protocol=udp \
    src-address-list=Deprecated_Device
add action=accept chain=forward comment="LAN - Deprecated_Device_SMTPS" \
    dst-port=465 log-prefix="LAN - Deprecated_Device_SMTPS" protocol=tcp \
    src-address-list=Deprecated_Device_SMTPS
add action=drop chain=forward comment=HAPLITE-ovpn-ip_to_Home-LANs \
    dst-address-list=Home_LANs log-prefix=HAPLITE-ovpn-ip_to_Home-LANs \
    src-address-list=haplite_ovpn-ip
add action=drop chain=forward comment=\
    "LAN - Drop Deprecated_Device to external" log-prefix=\
    "LAN - Drop Deprecated_Device to external" src-address-list=\
    Deprecated_Device
add action=accept chain=input comment="WAN - OpenVPN haplite" dst-port=1194 \
    log-prefix="WAN - OpenVPN haplite" protocol=tcp src-address-list=\
    remote_haplite
add action=accept chain=input comment="WAN - OpenVPN Site2" dst-port=1194 \
    log-prefix="WAN - OpenVPN Site2" protocol=tcp src-address-list=\
    remote_Site2
add action=accept chain=input comment="WAN - Wireguard Site2" dst-port=\
    13231 log-prefix="WAN - Wireguard Site2" protocol=udp \
    src-address-list=remote_Site2
add action=accept chain=input comment="WAN - Wireguard Smartphone" dst-port=\
    13232 log-prefix="WAN - Wireguard Smartphone" protocol=udp \
    src-address-list=remote_smartphone
add action=accept chain=input comment="VPN Remote to Mrouter" log-prefix=\
    "VPN Remote to Mrouter" src-address=192.168.100.0/24
add action=accept chain=input comment=\
    "OpenVPN Site2 e Smartphone to Firewall" log-prefix=\
    "OpenVPN Site2 e Smartphone to Firewall" src-address=192.168.200.0/28
add action=accept chain=input comment="Wireguard - Ping da Router" protocol=\
    icmp src-address=192.168.201.2
add action=accept chain=input comment="Wireguard-Client to Router" \
    log-prefix="Wireguard-Client to Router" src-address=192.168.202.2
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked log-prefix=Accept-Input-ERU
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" log-prefix=\
    "accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add chain=srcnat dst-address=192.168.100.0/24 src-address=192.168.0.0/24
add action=accept chain=srcnat dst-address=192.168.0.0/24 src-address=\
    192.168.202.2
add action=accept chain=srcnat dst-address=192.168.100.0/24 src-address=\
    192.168.202.0/24
add action=masquerade chain=srcnat comment=\
    "Wireguard - Raggiungibilit\E0 router con NAT" dst-address=192.168.201.2 \
    src-address=192.168.0.0/24 to-addresses=192.168.201.2
add action=masquerade chain=srcnat dst-address=192.168.200.0/24 src-address=\
    192.168.0.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN

You should post your full configuration; the issue may (or may not) be in the firewall.

May I suggest restoring the default firewall rules after removing the current ones, and testing again?
Though it is a very creative set of rules, it can be optimized.
And the hardware is very capable of routing faster… a lot.

And as @jaclaz mentioned, please show complete config.

Looking at your configuration, you can see quite a mix. To make it easier for you to navigate your own configuration, put the firewall rules in order, because the order also matters. It affects the entire traffic flow and, of course, security. First the Input chain and then the Forward chain. In the Input section, the last rule is "drop=!LAN" and in the Forward section, the last rule is "drop=WAN". The rules are executed from top to bottom. This is probably why traffic is slow.
There are unnecessary rules in the firewall chain that are duplicated. For example, there is no need to specify this twice:
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
Each incorrect entry affects the traffic flow.
I would also recommend setting the default firewall for the test and then seeing what happens to the speeds. Export the existing config, set it to default and, if everything is OK after that, add the Input and Forward sections with the necessary rules: in the "input" section we put the entries intended for input, and in the "forward" section we put the rules that perform the forward function. Explanation of the sections:
INPUT CHAIN -> To the Router or to Router Services. Directional flow is WAN to Router, and LAN to Router.
FORWARD CHAIN -> Through the Router. Directional flow is LAN to LAN, LAN to WAN, WAN to LAN.
OUTPUT CHAIN -> From the Router. Directional flow is Router to WAN.

There are two types of configuration options. The first: everything is allowed and you only deny what you need. The second: everything is forbidden and you only allow what you need. This method is more recommended. As an example: (https://gist.github.com/gmanual/6c018691f3cebd068b0e8cfc83704b2e)
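
An added example, not part of any post in this thread: a Python check over a `/ip firewall filter` export that reports the two things the reply above points at, chains whose rules are interleaved and rules partly covered by an earlier rule in the same chain. The sample is a constructed excerpt in the layout of the posted export, and the function names are illustrative.

```python
import re
import shlex

# Constructed excerpt in the layout of the export posted above (not the full rule set).
SAMPLE = r'''/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Test: Established e Related" \
    connection-state=established,related
add action=accept chain=input comment="WAN - OpenVPN Site2" dst-port=1194 \
    protocol=tcp src-address-list=remote_Site2
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
'''
# Keys left out when comparing what two rules match (states are compared separately).
IGNORED = {"comment", "log", "log-prefix", "connection-state"}

def parse_rules(export):
    """Join backslash-continued lines and return one dict per 'add' line."""
    joined = re.sub(r"\\\n\s*", "", export)
    return [dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            for line in joined.splitlines() if line.startswith("add ")]

def chain_blocks(rules):
    """Chains in the order their blocks appear; a repeated name means interleaving."""
    blocks = []
    for rule in rules:
        if not blocks or blocks[-1] != rule["chain"]:
            blocks.append(rule["chain"])
    return blocks

def states(rule):
    return set(filter(None, rule.get("connection-state", "").split(",")))

def redundant_pairs(rules):
    """(earlier, later) rule indexes with the same chain, action and matchers whose
    connection-state sets overlap (or are both absent): the earlier rule wins."""
    def key(rule):
        return sorted((k, v) for k, v in rule.items() if k not in IGNORED)
    return [(i, j) for i, a in enumerate(rules) for j, b in enumerate(rules)
            if i < j and key(a) == key(b)
            and (states(a) & states(b) or not (states(a) or states(b)))]

if __name__ == "__main__":
    rules = parse_rules(SAMPLE)
    print(chain_blocks(rules))
    print(redundant_pairs(rules))
```

Indexes are zero-based positions in the export, so a reported pair can be matched against the rule comments before anything is removed.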