RB5009 upload problem

Hi. I’m having trouble getting my full ISP upload speed routed through the RB5009 (non-PoE version). Download is fine, but my upload consistently tests between 200Mbps and 300Mbps. My speeds as quoted by the ISP (Bell Aliant in Atlantic Canada) are 1Gbps down, 940Mbps up. The only configuration required to connect to my ISP is a DHCP client running on VLAN 35.
I currently have Bell’s GPON ONT SFP module plugged directly into the SFP+ port, but have also tried using a gigabit media converter, as well as a 2.5Gbps media converter consisting of an OEO and 2.5Gbps RJ45 SFP+ module. All methods of connecting the RB5009 I’ve tried give the same slow upload speed.

I know people in the area who have the same ISP and plan, and are using a hEX S that I personally configured for them, who consistently get their full upload speed.
If I do a BTest to TomjNorthIdaho’s public server running directly on the RB5009, I get 1.28Gbps down, 850Mbps up (bi-directional UDP mode). If I do the same test, but running off of a device on the LAN (2.5G RJ45 port), I get ~1.2Gbps down, and 200Mbps or so up. The strange thing is that if I run tests to something like Ookla’s speedtest.net from multiple devices on the LAN, I am able to get a combined upload of over 800Mbps when the upload tests are done simultaneously.

Currently I have bridge filtering and a few different subnets set up, but I’ve tried resetting to a fresh default config with just the basics to get a connection to my ISP with no change.
Does anyone have any thoughts on what might be going wrong?

Try testing the speed by connecting the cable from the provider directly to a laptop, because this may not be an RB5009 problem.

Without knowing your configuration, we would only be guessing. To export and paste your configuration (and I’m assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) “/export hide-sensitive file=any-filename-you-wish”. Then open the files section and right click on the filename you created and select download in order to download the file to your computer. It will be a text file with whatever name you saved to with an extension of .rsc. Open that file in your favorite text editor and redact any sensitive information if desired / needed. Then in your message here, click the code display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.
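The manual redaction step described above can be scripted. This is an added example, not part of the original post or of MikroTik's tooling. It assumes a RouterOS text export (.rsc); the sample input is constructed, and the list of secret-bearing keys it checks for is a non-exhaustive assumption.

```python
import re

# Export header comments that identify the specific device and licence.
HEADER_RE = re.compile(r"^(# (?:serial number|software id) = ).*$", re.M)
# DHCP client identifiers usually embed the client's MAC in unpadded hex.
CLIENT_ID_RE = re.compile(r"(client-id=)\S+")
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")
# Assumed, non-exhaustive list of keys whose values should never be posted.
SECRET_RE = re.compile(r"(?<![\w-])(password|private-key|wpa2-pre-shared-key)=")


def unwrap(text):
    """Join lines the export wrapped with a trailing backslash, so a value
    that landed on a continuation line is matched together with its key."""
    return re.sub(r"\\\r?\n[ \t]*", "", text)


def redact_export(text):
    """Return (redacted_text, mac_map). Each distinct MAC gets a stable
    locally-administered pseudonym, so readers can still see which entries
    refer to the same device."""
    mac_map = {}

    def pseudonym(match):
        mac = match.group(0).upper()
        if mac not in mac_map:
            mac_map[mac] = "02:00:00:00:%02X:%02X" % divmod(len(mac_map) + 1, 256)
        return mac_map[mac]

    text = unwrap(text)
    text = HEADER_RE.sub(r"\g<1>REDACTED", text)
    # Redact client-id before MACs: a zero-padded client-id contains a MAC.
    text = CLIENT_ID_RE.sub(r"\g<1>REDACTED", text)
    text = MAC_RE.sub(pseudonym, text)
    return text, mac_map


def remaining_secrets(text):
    """Final check before posting: (line number, key) for any secret-bearing
    key still present, e.g. when the export was made with show-sensitive."""
    return [(n, m.group(1))
            for n, line in enumerate(text.splitlines(), 1)
            for m in SECRET_RE.finditer(line)]


# Constructed sample export; none of these values come from a real device.
SAMPLE = r"""# software id = ABCD-1234
# serial number = HEX0000TEST
/interface bridge
add admin-mac=AA:BB:CC:00:11:22 auto-mac=no name=bridge
/ip dhcp-server lease
add address=192.168.88.10 client-id=1:aa:bb:cc:0:11:33 mac-address=\
    aa:bb:cc:00:11:33 server=defconf
add address=192.168.88.11 mac-address=AA:BB:CC:00:11:22 server=defconf
"""

if __name__ == "__main__":
    redacted, _ = redact_export(SAMPLE)
    print(redacted)
    print("secrets still present:", remaining_secrets(redacted))
```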

I'm in HRM, I have Bell, I get 950 up and down.
What modem are you using?
I am using their office/business modem NOT the home hub hunk of junk.
This has ethernet out which goes to a standard ethernet port.
WE CANNOT USE GPONS like they do in Ontario in other words no direct fibre in.

Thus
a. do not bypass their modem
b. use a standard gig port


Speed test is fine if I use the ISP supplied router, as well as if I use a hEX S instead. Don’t have any other routers lying around to test that can handle gigabit.
Here is my config.

# nov/13/2022 22:11:15 by RouterOS 7.7beta6
# software id = A4ND-UX7D
#
# model = RB5009UG+S+
# serial number = EC1A0E732ADB
/interface bridge
add admin-mac=2C:C8:1B:FF:5D:CC auto-mac=no ingress-filtering=no name=bridge \
    pvid=10 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=2.5G
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no name=10G speed=\
    2.5Gbps
/interface vlan
add disabled=yes interface=10G name="Bell Fibre (10G)" vlan-id=35
add interface=bridge name="Bell Fibre (Bridge)" vlan-id=35
add interface=bridge name=Management vlan-id=1217
add interface=bridge name=homeLAN vlan-id=10
add interface=bridge name=smartHOME vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name="smartHOME Pool" ranges=172.16.143.11-172.16.143.99
add name="homeLAN pool" ranges=172.16.43.11-172.16.43.99
add name="Management pool" ranges=172.16.3.2-172.16.3.10
/ip dhcp-server
add address-pool="smartHOME Pool" interface=smartHOME lease-time=1h name=\
    smartHOME server-address=172.16.143.1
add address-pool="homeLAN pool" interface=homeLAN name=homeLAN \
    server-address=172.16.43.1
add address-pool="Management pool" interface=Management name=Management \
    server-address=172.16.3.1
/queue type
add kind=pfifo name=TEST pfifo-limit=1000
/queue simple
add comment="Needs fastrack turned off" disabled=yes max-limit=100M/100M \
    name="Rate Limit Internet Test" queue=TEST/TEST target=\
    "Bell Fibre (Bridge)"
/interface bridge port
add bridge=bridge interface=2.5G pvid=10
add bridge=bridge interface=ether3 pvid=10
add bridge=bridge interface=ether4 pvid=10
add bridge=bridge interface=ether5 pvid=10
add bridge=bridge interface=ether6 pvid=10
add bridge=bridge interface=ether7 pvid=10
add bridge=bridge interface=ether8 pvid=10
add bridge=bridge frame-types=admit-only-vlan-tagged interface=10G pvid=10
add bridge=bridge interface=ether2 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes forward=no max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge comment=homeLAN tagged=bridge vlan-ids=10
add bridge=bridge comment=Management tagged=2.5G,ether2,ether4,bridge \
    vlan-ids=1217
add bridge=bridge comment=smartHOME tagged=ether8,bridge vlan-ids=100
add bridge=bridge comment="Bell Fibre" tagged=10G,bridge vlan-ids=35
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=\
    LAN wan-interface-list=WAN
/interface ethernet switch rule
add comment="Block Management access from homeLAN" dst-address=172.16.3.0/24 \
    new-dst-ports="" ports=\
    10G,2.5G,ether2,ether3,ether4,ether5,ether6,ether7,ether8 switch=switch1 \
    vlan-id=10
add comment="Block Management access from smartHOME" dst-address=\
    172.16.3.0/24 new-dst-ports="" ports=\
    10G,2.5G,ether2,ether3,ether4,ether5,ether6,ether7,ether8 switch=switch1 \
    vlan-id=100
/interface list member
add interface="Bell Fibre (Bridge)" list=WAN
add interface=homeLAN list=LAN
add interface=Management list=LAN
add interface=smartHOME list=LAN
add interface="Bell Fibre (10G)" list=WAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=172.16.43.1/24 interface=homeLAN network=172.16.43.0
add address=172.16.143.1/24 interface=smartHOME network=172.16.143.0
add address=172.16.3.1/24 interface=Management network=172.16.3.0
/ip dhcp-client
add comment="Bell Internet VLAN" !dhcp-options interface=\
    "Bell Fibre (Bridge)"
add disabled=yes interface="Bell Fibre (10G)"
/ip dhcp-server lease
add address=172.16.43.10 client-id=1:c0:6:c3:a2:92:6e mac-address=\
    C0:06:C3:A2:92:6E server=homeLAN
add address=172.16.43.99 mac-address=28:AD:18:0B:84:49 server=homeLAN
/ip dhcp-server network
add address=172.16.3.0/24 comment=Management dns-server=172.16.3.1 domain=\
    Management gateway=172.16.3.1
add address=172.16.43.0/24 comment="home LAN" dns-server=1.1.1.1,1.0.0.1 \
    domain=homeLAN gateway=172.16.43.1
add address=172.16.143.0/24 comment="smartHOME subnet" dns-server=\
    172.16.143.1 domain=smartHOME gateway=172.16.143.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=172.16.43.1 name=router.homeLAN
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=forward comment="Block non-homeLAN internet access" \
    disabled=yes in-interface=!homeLAN log=yes log-prefix=blockSTUFF \
    out-interface-list=WAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=no
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set winbox address=172.16.3.0/24
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/Halifax
/system logging
add disabled=yes topics=debug
/system package update
set channel=testing
/system routerboard settings
set auto-upgrade=yes
/tool bandwidth-server
set authenticate=no enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

@anav Yes, I am bypassing the modem. I’ve done this for a few different people on a hEX S with Bell-Aliant, and it works fine with full gigabit speed both ways. I just pull the optical module out of the HH3K, plug it into the SFP port, and set up a DHCP client on vlan35 as my WAN. It just doesn’t seem to want to work correctly on my RB5009. I’ve attached a picture of the label on the optical module I am using (Edit: looks like I’m currently unable to upload attachments.); it says GPON ONT SFP Class I Laser on the first line. It was my understanding that the main difference between our fibre and what Bell provides in Ontario, is that ours doesn’t use PPPoE. Is there something else I am missing?

Perhaps not, interesting though. I have SFP and SFP+ on my ccr1009, may give it a whirl sometime.
My ONT is in the picture. It probably has some sort of serial number or MAC address, and I'm not convinced I can replace it with a cage GPON that replaces the ONT with no MAC address or serial number. Perhaps the ONT I have is just a dummy device to turn fibre into ethernet?

How did you decide on which gpon you would buy?

As for GPON, read this link, as it explained at the time why it would not work…
http://forum.mikrotik.com/t/need-help-for-get-rid-of-the-hh3k-with-bell-fibe/129814/19

@anav The HH3K comes with a GPON installed; I did not purchase anything separately. The SFP latching mechanism tends to get stuck on the plastic housing, so you sometimes have to undo a few screws to get it out of the HH3K. I expect that either the serial number for the GPON, or some other information stored directly on the GPON, is registered with my account. I doubt this can just be replaced, but that is just my speculation.
The recent 7.7beta4 release enabled proper 2.5G SFP module support for RB5009 (the ones that do 2.5G but not 5 or 10); this is what is giving me the >gigabit download speeds. Quite happy about that, now if only I could figure out why the upload is behaving strangely.
Just to clarify, the internet upload speed with my RB5009 has been slow with previous stable releases as well, I’ve just not bothered to try to figure out what was going on until now.

Well that is intriguing…

I dug out the old ISP modem today, installed the GPON into that instead of the RB5009, and tested with the RB5009 behind it (with the RB5009 still performing NAT), and the problem persists. Really not sure what the issue is, as I can replicate it by simply using defconf and setting up a DHCP client for WAN.

Has anybody seen anything like this?

you might have more luck asking

here https://www.dslreports.com/forum/sympat
or here https://www.dslreports.com/forum/sympatdirect

Maybe your profile is wrong on Bell's side. Thing is, I think they are actively replacing the 3K series with the 4K one, which has no SFP or way to do what you're doing, so if you raise the issue you can expect to “lose” your 3K.

Do you get full speeds using a 1G port on your lan / 5009 instead of the 2.5G port?

Did you ever get this resolved? I have the exact same issue with the exact same upload speed range.

I am just outside of Dartmouth, and went with TekSavvy because they are the first to resell fibre since the CRTC decision to force Bell to resell their fibre. I am supposed to have the 1.5 Gbps down and 940 Mbps up profile. TekSavvy provides the Adtran 854-v6 modem, and right off the get-go with the Adtran, I was getting anywhere between 150 and 250 Mbps upload, roughly. I also have the Mikrotik RB5009 (mine is PoE version), and it would get the same upload speeds (TekSavvy does PPPoE over vlan40). TekSavvy sent me a media converter where I plugged the ONT and fibre line into that, and then the media converter into the LAN port on the Adtran. Made zero difference for the upload speed. They (and Bell) are insistent that I am provisioned correctly. I’ve had a Bell Tech come here multiple times, and couldn’t find the problem. He’s tried replacing the ONT (twice) and changed the splitter and channel at the CSP (central splitting point). I was on splitter 1, channel 1 (oldest one), and he changed to splitter 7, channel 5. Made no difference.

He told me that he thinks that TekSavvy probably isn’t provisioning me correctly, and suggested that I go with Bell Aliant. I didn’t want to, because I don’t want the Gigahub since I can’t take the ONT out of it (everything soldered in). He said that they still keep HH3000 in the van, and I could just sign up for Bell and then ask whatever tech comes (hopefully him) to “install” the HH3000 instead, and then I would take the ONT out of it and plug it into my Mikrotik. So I just signed up today. After reading this, I am no longer hopeful that my speed issue will be resolved.

Hence why I am asking if this was resolved for you, and if so, what was the issue?

Do I understand you correctly that you are getting low upload speeds even if you connect your computer directly to ISP-provided ONT/router?
If so, then it's up to the ISP to make things work ... as you're not using any 3rd party hardware which could affect the throughputs ... apart from your computer, but the ISP's tech can use their own computer to rule out any problems with your equipment.

After ISP can show you that subscribed speeds are indeed available at their ONT you can try to introduce your own equipment and see if speeds drop (and what change causes that).

Yes, I understand that, but OP stated elsewhere in this post that he tried using the Bell equipment and had the same upload problem. So I'm hoping to find out what the problem was because I anticipate having the exact same issue when I switch to Bell Aliant. TekSavvy was completely unable to resolve this. TekSavvy blamed Bell, and Bell blamed TekSavvy, and nothing was fixed.

It's hard to understand problems which happen within an ISP's network. And here the ISP-provided ONT is just that: a network termination point, so basically part of the network. Things get complicated when the ISP is not the same as the infrastructure owner ... it's only too easy for both to point at each other where in reality one of them made a lousy business decision which they won't admit.

Unfortunately there's not much that we as users can do. Even experience with the same tandem of companies isn't worth a dime if it comes from a different area (with different equipment vintage and different business decisions).

Hello, I did eventually get this resolved after selling the router to a friend and setting it up for them.

To clarify to anyone else reading this, the particular issue described in this thread is 100% a firmware/config issue on the RB5009; the issue did not occur unless the RB5009 was in the chain doing NAT and firewall stuff. When I tested with the Bell HH3K as mentioned in my previous post, I ran double NAT, feeding HH3k LAN to RB5009.

Unfortunately, I don't know exactly what it was that eventually fixed the issue. When I first set it up in its new home, it had the exact same issue as before. I recall doing multiple full resets, and being incredibly frustrated not knowing why the issue suddenly resolved itself.

Honestly, my gut feeling would be to try a netinstall and see if that resolves the issue.

Regarding Bell's Gigahub, you can totally bypass that still. You need a GPON module with custom firmware. This can be obtained either by flashing an old one supplied with a Home Hub 3000 or similar, as described here: Huawei MA5671A | Hack GPON (check what model you actually have if going this route), or by just buying a GPON or XPON stick that already has firmware that provides MAC address, web GUI, SSH access etc.

This is an example of one that comes with a Realtek Chipset https://www.aliexpress.com/item/1005005376677727.html

That one I know has various firmware available for it if you wanted.

There is also this cheaper one; not sure on the chipset used https://www.aliexpress.com/item/1005008292892669.html

The main config you need to do is spoof serial number as copied down from the back of your gigahub, and then the standard DHCP client on VLAN 35 you do for Bell Aliant fiber. Check that hack-gpon site I linked, or poke around on 8311 discord server if you go this route and need help.

At some point, we'll probably get 3Gbps+ fiber here, and then to bypass their underpowered equipment, you'd need an XGS-PON module instead of GPON or XPON.

Thanks. I didn’t realize you were double NAT, still using the Mikrotik. I misunderstood.

I knew about spoofing the serial number on the Gigahub, but I didn’t know that I could get an ONT for $50. I always see the ones in the forums for at least a couple of hundred bucks.

In any case, the Bell tech who has been coming to my house said he carries the HH3000 in his van, and that it shouldn’t be a problem for me getting that modem and then taking the ONT out of that and popping it in my Mikrotik (like I’m already doing with the TekSavvy ONT).

I am set for install on Tuesday, so we’ll see if I get full upload speeds with the HH3000. If I do, and I don’t with the Mikrotik, then I know at least it’s the Mikrotik configuration. Right now with Teksavvy, I don’t get full speed with the Adtran, or the Mikrotik, or the Adtran + media converter (sent to me from Teksavvy).