RB5009 hotspot - disabling connection tracking doubles throughput (14 to 28 Mbps) - how to apply notrack without breaking NAT masquerade?

RB5009 hotspot RouterOS 7.22.3. Disabling connection tracking completely (/ip firewall connection tracking set enabled=no) increases throughput from 14 Mbps to 28 Mbps on /tool fetch. But it breaks hotspot NAT and client connections. How to apply notrack for hotspot authenticated clients while keeping masquerade NAT working?

Depends.

/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys, DHCP lease lists)

Connection tracking is the very foundation for any "stateful" packet mangling, such as NAT. So what you're asking is impossible.

If your idea to disable connection tracking wasn't enough of a hint that you have no idea what you're doing: you are surely doing something else wrong too, since an RB5009 CAN HANDLE MORE THAN 28Mbps with all the bells and whistles enabled.
Hire a consultant https://mikrotik.com/consultants
Cheers.

Hi anav, here is my config summary. RB5009 RouterOS 7.23, Starlink Roam ~80 clients. Key points: hotspot on bridge-lan, masquerade NAT on ether1, PCQ queue 180M/30M on bridge-lan, MSS clamp 1440, connection tracking with optimized timeouts, IPv6 disabled. At 4am with few clients: 31 Mbps. During day with 80 clients: 10-14 Mbps. What should I check?

That's not the config that @anav is expecting.

Confirms your sentiment, znev: "no idea what you are doing".

@Dams
A FULL (anonymized) configuration is expected for review, instructions here:

# 2026-05-27 by RouterOS 7.23

# model = RB5009UG+S+

/interface bridge
add name=bridge-lan
/interface ethernet
set [ find default-name=ether1 ] l2mtu=1514
set [ find default-name=ether2 ] l2mtu=1514
set [ find default-name=ether3 ] l2mtu=1514
set [ find default-name=ether4 ] l2mtu=1514
set [ find default-name=ether5 ] l2mtu=1514
set [ find default-name=ether6 ] l2mtu=1514
set [ find default-name=ether7 ] l2mtu=1514
set [ find default-name=ether8 ] l2mtu=1514
set [ find default-name=sfp-sfpplus1 ] l2mtu=1514
/interface wireguard
add listen-port=13231 mtu=1420 name=wg1
/interface list
add name=WAN
/ip hotspot profile
add dns-name=login.wifi hotspot-address=192.168.88.1 login-by=http-pap,mac-cookie name=hsprof5
/ip hotspot user profile
set [ find default=yes ] mac-cookie-timeout=4w2d
add keepalive-timeout=10m mac-cookie-timeout=4w2d name=SONI-30J rate-limit=4M/4M session-timeout=4w2d
add keepalive-timeout=10m mac-cookie-timeout=4w2d name="1 semaine" rate-limit=4M/4M session-timeout=1w
add keepalive-timeout=10m mac-cookie-timeout=4w2d name="2 semaines" rate-limit=4M/4M session-timeout=2w
add keepalive-timeout=10m mac-cookie-timeout=4w2d name=24H-1APP rate-limit=4M/4M session-timeout=1d
add idle-timeout=15m keepalive-timeout=1h mac-cookie-timeout=4w2d name=GERANT rate-limit=5M/5M
add idle-timeout=30m mac-cookie-timeout=4w2d name=VIP-30J rate-limit=5M/5M session-timeout=4w2d
/ip pool
add name=dhcp_pool ranges=192.168.88.2-192.168.88.254
add name=hs-pool ranges=192.168.88.50-192.168.88.200
/ip dhcp-server
add address-pool=dhcp_pool interface=bridge-lan lease-time=10m name=dhcp1
/queue type
add kind=pcq name=pcq-download pcq-classifier=dst-address
add kind=pcq name=pcq-upload pcq-classifier=src-address
/queue interface
set ether1 queue=multi-queue-ethernet-default
/queue simple
add max-limit=180M/30M name=HOTSPOT queue=pcq-upload/pcq-download target=bridge-lan
/ip firewall connection tracking
set icmp-timeout=30s tcp-close-wait-timeout=1m tcp-fin-wait-timeout=2m tcp-last-ack-timeout=30s tcp-syn-received-timeout=1m tcp-syn-sent-timeout=2m tcp-time-wait-timeout=2m udp-stream-timeout=2m
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=10.0.0.0/24 endpoint-address=89.167.122.190 endpoint-port=51820 interface=wg1 name=peer-vps persistent-keepalive=25s
/ip address
add address=192.168.88.1/24 interface=bridge-lan network=192.168.88.0
add address=10.0.0.8/24 interface=wg1 network=10.0.0.0
/ip dhcp-client
add interface=ether1 name=client1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes cache-size=4096KiB servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.88.1 name=connectivitycheck.gstatic.com type=A
add address=192.168.88.1 name=www.gstatic.com type=A
/ip firewall filter
add action=accept chain=input comment=accept-established connection-state=established,related
add action=accept chain=input comment=Winbox dst-port=8291 protocol=tcp
add action=accept chain=input comment=SSH-WireGuard dst-port=22 protocol=tcp src-address=10.0.0.0/24
add action=accept chain=forward comment=forward-established connection-state=established,related
add action=drop chain=forward comment=limit-per-client connection-limit=100,32 protocol=tcp
/ip firewall mangle
add action=change-mss chain=forward comment=MSS-clamp new-mss=1440 protocol=tcp tcp-flags=syn tcp-mss=1441-65535
add action=change-ttl chain=postrouting comment=anti-tethering new-ttl=set:1 out-interface=bridge-lan passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment=WAN-masquerade out-interface=ether1
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip hotspot
add address-pool=hs-pool addresses-per-mac=1 disabled=no idle-timeout=none interface=bridge-lan name=hotspot1 profile=hsprof5
/ip hotspot walled-garden
add dst-host=connectivitycheck.gstatic.com
add dst-host=connectivitycheck.android.com
add dst-host=clients3.google.com
add dst-host=play.googleapis.com
/ip route
add dst-address=10.0.0.0/24 gateway=10.0.0.1
/system clock
set time-zone-name=Africa/Nouakchott
/system identity
set name=RB5009-WOMPOU
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
/system scheduler
add interval=1m name=auto-comment-scheduler on-event=auto-comment policy=read,write,policy,test start-time=startup
add interval=1h name=DAILY-EXPIRY on-event=CHECK-EXPIRY policy=read,write,policy,test start-date=2026-01-01 start-time=00:00:00
add name=NTP-SYNC on-event="/system ntp client set enabled=yes servers=pool.ntp.org" policy=read,write,policy,test start-time=startup

First thing I would do is unplug from the internet and use netinstall to put in the latest stable firmware (7.23 now?).
Due to this line in the input chain:
add action=accept chain=input comment=Winbox dst-port=8291 protocol=tcp

Never allow direct access to router services from the internet like so. Winbox access should be from the LAN side (preferably only from admin IPs; this could be a WireGuard connection as well, or an off-bridge port, etc.). This also shows you are still using the default port for Winbox, which is like a magnet for trouble.

After that, which clients are using the hotspot and which are not? I would separate hotspot clients by VLAN onto a totally different subnet to make life simple and clean. That way you can easily keep functionality for non-hotspot users, like fasttrack etc. In other words, one needs a better description of ALL users and the workflow.

Missing any kind of LAN interface list setting or Management/Trusted list, and thus members of said lists.

Weird use of ip firewall connection tracking; not personally familiar with it, so someone else should chime in if there are potential errors or problems with it.

Neighbour discovery should be set to the trusted subnet only.

Please explain what your intentions are with all the DNS settings you have; it seems overdone (including the statics)!

What is the purpose of the clamping, and why is it not pointed at any specific interface?

Never seen this one used, what is its purpose?
add action=change-ttl chain=postrouting comment=anti-tethering new-ttl=set:1 out-interface=bridge-lan passthrough=no

The firewall is lacking in general; many of the default rules should be kept.

Finally, to be clear, WireGuard (via your VPS) is used for users of the hotspot to go out to the internet?
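To make the management-side points above concrete, here is an added RouterOS example of how they could be applied to the posted export. This is illustration written for this thread, not anav's or the original poster's configuration. The interfaces ether1 (in the WAN list), bridge-lan and wg1, and the 10.0.0.0/24 WireGuard subnet, are taken from the export; the LAN and MGMT list names, the choice of which services to disable, and the set of input-chain rules are assumptions about this deployment.

```routeros
# Added example, not from the thread: management-plane hardening along the
# lines anav recommends. Assumed: list names LAN/MGMT and the rule set below.
# From the posted export: ether1 in list WAN, bridge-lan, wg1, 10.0.0.0/24.
/interface list
add name=LAN
add name=MGMT
/interface list member
add interface=bridge-lan list=LAN
add interface=wg1 list=MGMT

# Neighbor discovery and MAC-level Winbox/telnet only on the management side
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

# Unused services off; Winbox and SSH bound to the WireGuard subnet.
# The port is left at 8291 here; anav's point about moving it off the default stands.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set winbox address=10.0.0.0/24
set ssh address=10.0.0.0/24

# Input chain, replacing the export's Winbox and SSH-WireGuard rules.
# The tunnel is initiated by the router (persistent-keepalive to the VPS in the
# export), so returning WireGuard UDP matches established; nothing arriving from
# WAN is accepted as a new connection. The hotspot inserts its own dynamic jump
# to hs-input ahead of these rules, so the LAN accepts below are only explicit.
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept in-interface-list=MGMT src-address=10.0.0.0/24 protocol=tcp dst-port=8291,22 comment="Winbox/SSH only over WireGuard"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53,67 comment="hotspot clients: DNS and DHCP"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53,80,443 comment="hotspot clients: DNS and captive portal"
add chain=input action=drop comment="drop everything else to the router"
```

One caveat before applying something like this: with no local administrators on site and every management path going through the tunnel, losing the WireGuard peering means the only way back in is physical (serial console or netinstall), so keep a tested backup path such as the ZeroTier fallback anav mentions further down before binding Winbox and SSH to the tunnel subnet.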

Thank you anav. To clarify: this is a public WiFi hotspot in West Africa, ~80 clients pay to access internet via the hotspot. WireGuard VPS is for remote admin access only, not for client traffic. TTL change is anti-tethering. DNS statics are for Android captive portal detection. MSS clamp is for Starlink satellite link. What VLAN separation would you recommend to enable FastTrack for hotspot clients?

Well, this type of information should have been in the first post, LOL.
As I stated, the router needs to be removed from the internet soonest.
Similarly to SSH, access to the router after WireGuarding in to the router is appropriate.

To be picky, using WireGuard to administer the router depends on the level of risk you are willing to take, in that VPS setups are intrinsically a quagmire of potential hacking, since we don't know how well the company ensures users cannot access one another. However, if it's not a Swiss bank, perhaps that is acceptable.

Consider also access via ZeroTier as a backup method, but exposing Winbox to the internet is a big no-no.

To confirm, there are no local users of the router, other than the hotspot users?

Confirmed. No local users, only hotspot paying clients. Administration is 100% remote via WireGuard VPN through VPS. The 2 managers also use WireGuard for remote access only. No local workstations on site. Will restrict Winbox to WireGuard subnet only.

Thank you for the detailed feedback. To answer your questions:

  1. No local users at all - 100% hotspot paying clients only
  2. WireGuard VPS is for remote admin only, not for client traffic
  3. TTL change is anti-tethering to prevent hotspot sharing
  4. DNS statics are for Android captive portal detection
  5. MSS clamp is for Starlink satellite link optimization

Important update: just discovered CPU was running at 350MHz instead of 1400MHz. After forcing 1400MHz and enabling FastTrack on separate VLAN interface, will test throughput tomorrow morning.

Main question: with hotspot on bridge interface, is FastTrack completely impossible even on a separate VLAN?

Fasttrack was not compatible with hotspot or queuing, was my impression (regardless of VLAN)?
My advice was to put non-hotspot traffic on a separate VLAN so it could be fasttracked.
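As an added illustration of the VLAN split described above (written for this thread; it is not configuration from any participant): hotspot clients keep their own VLAN, where the captive portal and the PCQ queue keep working on the normal path, while a second, trusted VLAN is the only one whose connections get fasttracked. The VLAN ids 10 and 20, ether2 as the access-point uplink, ether3 as the trusted port, and the 192.168.20.0/24 subnet are assumptions; bridge-lan, the 192.168.88.1/24 address, dhcp1, hotspot1, the HOTSPOT queue and the WAN list are from the posted export.

```routeros
# Added example, not from the thread: hotspot on its own VLAN, plus a trusted
# VLAN that is the only one fasttracked. Assumed: VLAN ids 10/20, ether2 = AP
# uplink, ether3 = trusted port, 192.168.20.0/24. From the posted export:
# bridge-lan, 192.168.88.1/24, dhcp1, hotspot1, queue HOTSPOT, list WAN.
/interface vlan
add interface=bridge-lan name=vlan10-hotspot vlan-id=10
add interface=bridge-lan name=vlan20-trusted vlan-id=20

# Access ports untagged on their own VLAN; the bridge itself is the tagged member
/interface bridge port
add bridge=bridge-lan interface=ether2 pvid=10 comment="AP uplink (hotspot)"
add bridge=bridge-lan interface=ether3 pvid=20 comment="trusted / non-hotspot"
/interface bridge vlan
add bridge=bridge-lan tagged=bridge-lan untagged=ether2 vlan-ids=10
add bridge=bridge-lan tagged=bridge-lan untagged=ether3 vlan-ids=20

# Move the existing hotspot subnet, DHCP server, hotspot and queue from
# bridge-lan to the hotspot VLAN interface; give the trusted VLAN its own subnet
/ip address
set [ find address="192.168.88.1/24" ] interface=vlan10-hotspot
add address=192.168.20.1/24 interface=vlan20-trusted
/ip dhcp-server
set dhcp1 interface=vlan10-hotspot
/ip hotspot
set hotspot1 interface=vlan10-hotspot
/queue simple
set HOTSPOT target=vlan10-hotspot

# Fasttrack only the trusted VLAN, in both directions. Hotspot traffic never
# matches these rules, so it stays on the path the captive portal and the PCQ
# queue need. These must sit before the generic established,related accept.
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related in-interface=vlan20-trusted out-interface-list=WAN comment="fasttrack trusted VLAN"
add chain=forward action=fasttrack-connection connection-state=established,related in-interface-list=WAN out-interface=vlan20-trusted comment="fasttrack trusted VLAN"
add chain=forward action=accept connection-state=established,related comment="defconf: accept established,related"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new in-interface-list=WAN comment="drop new connections arriving from WAN"

# Turn on VLAN filtering last, once ports and the VLAN table are in place
/interface bridge
set bridge-lan vlan-filtering=yes
```

Note that, as the original poster confirms later in the thread, every client here is a hotspot client, so in this particular deployment the trusted VLAN would carry only management traffic and the fasttrack rules would have nothing to accelerate; the split is what makes fasttrack possible for any non-hotspot users that do exist, not a speed-up for hotspot traffic itself.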

With 100% hotspot clients, what would you recommend to maximize throughput?

I'm not sure it can be optimized other than ensuring fair/equal access for the users.
In other words, have a flexible arrangement whereby, as each user is added and becomes active, they equally share the available bandwidth. However, not many access points are effective after a certain number of users, let alone the bandwidth being passed; probably over 20, one should consider ensuring they use another access point. Some other vendors sell access points specifically for load issues.

Update: I have optimized the RB5009 (CPU forced to 1400MHz, RPS enabled on all ports, VLAN for hotspot, MSS 1440). CPU is at 3% with 80 clients, zero drops.

Question: Many hotspot operators in Africa use Starlink Roam with good throughput results. What are they doing differently? Is there a specific configuration that allows full throughput with Starlink Roam + MikroTik hotspot?

Current aggregate throughput: 10-14 Mbps with 80 clients. Starlink direct WiFi gives 80 Mbps at the same time.