RB5009UPr Disappointing Performance

mikrotikmandatory · January 7, 2024, 8:38pm

Long time lurker, first time poster. I finally just got around to replacing my dying USG3 with a brand new RB5009UPr+S+, however I am seeing what I can only explain as pretty dismal performance. I have ATT fiber for my ISP with symmetrical 1Gbps service, but the RB for some reason won’t do more than 50Mbps download. I have gone through all of the basic stuff at the lower end of the OSI model (cables, negotiation etc..,) and I don’t see anything physically wrong (at least that is apparent).

ATT ONT <=> ATT Modem (5268AC) in DMZ+ <=> RB5009 <=> US-8 <=> Clients (wired and wireless)

The interface on the RB facing the 5268AC is on the SFP+ port with an S-RJ01 inserted and is reporting negotiation at 1Gbps on both devices on each side. TX/RX flow control is off on this interface on the RB. I have tried modifying the available speeds on the SFP+ port to no avail to see if that would change anything. I have tried setting the ingress/egress rate on the interfaces as well to see if that had any effect.

Downstream the US-8 is connected on ether2 (non-2.5Gb port). I have tried other ports and the problem follows all ports.

Connecting directly to the ATT Modem I can get close to the expected 940Mbps in both directions, connecting to the RB5009 directly I get 50Mbps down (from both speedtest.net, fast.com and other sites), and connecting to the US-8 I can get 50Mbps down. The odd part is that sometimes in the upload direction from the RB or the US-8 I am able to see 160-200Mbps (still not close to the limit of the service).
If I run a bandwidth test server on a wired client off the US-8, I am able to get 958Mbps on the Rx and 929Mbps on the Tx as reported from the RB when running each test individually.
I have used the tools/profile to make sure there is no a CPU that is being overwhelmed, and things are perfectly fine I believe at less than 10% utilization during testing.
My next step is to use my fluke to test out all of the cables just to be sure, and maybe change the WAN port away from the SFP+ interface to see if anythning changes.
Would appreciate anyone’s thoughts as to what I could be doing wrong or have not configured correctly. This is my first Mikrotik system, so there is a high chance there is a problem with the user, I am more used to Cisco/Arista/Juniper systems.

Configuration is below here, its pretty stock out of the box:

# 2024-01-07 15:02:27 by RouterOS 7.13
# software id = **ELIDED**
#
# model = RB5009UPr+S+

/interface bridge
add admin-mac=**ELIDED** auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full
set [ find default-name=sfp-sfpplus1 ] advertise=1G-baseT-full rx-flow-control=auto tx-flow-control=auto
/interface ethernet switch port
set 8 egress-rate=1024.0Mbps ingress-rate=1024.0Mbps
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf disabled=yes interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether1 internal-path-cost=10 path-cost=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=sfp-sfpplus1 list=WAN
/ip address
add address=192.168.1.254/24 comment=defconf interface=bridge network=192.168.1.0
/ip dhcp-client
add comment=defconf interface=sfp-sfpplus1
/ip dns
set servers=192.168.1.15
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/New_York
/system identity
set name=gateway223
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/tool bandwidth-server
set authenticate=no enabled=no
/tool graphing interface
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

un9edsda · January 9, 2024, 4:32am

… I have ATT fiber for my ISP with symmetrical 1Gbps service, but the RB for some reason won’t do more than 50Mbps download. I have gone through all of the basic stuff at the lower end of the OSI model (cables, negotiation etc..,) and I don’t see anything physically wrong (at least that is apparent).

ATT ONT <=> ATT Modem (5268AC) in DMZ+ <=> RB5009 <=> US-8 <=> Clients (wired and wireless)

The interface on the RB facing the 5268AC is on the SFP+ port with an S-RJ01 inserted and is reporting negotiation at 1Gbps on both devices on each side. TX/RX flow control is off on this interface on the RB. I have tried modifying the available speeds on the SFP+ port to no avail to see if that would change anything. I have tried setting the ingress/egress rate on the interfaces as well to see if that had any effect.

Have a look at this similar looking issue and solution. Just be sure to change to the following to rules at the

/ip firewall raw
add action=drop chain=prerouting comment=\
    "defconf: drop forward to local lan from WAN" dst-address=192.168.88.0/24 \
    in-interface-list=WAN
add action=drop chain=prerouting comment=\
    "defconf: drop local if not from default IP range" in-interface-list=LAN \
    src-address=!192.168.88.0/24

part to

/ip firewall raw
add action=drop chain=prerouting comment=\
    "defconf: drop forward to local lan from WAN" dst-address=192.168.1.0/24 \
    in-interface-list=WAN
add action=drop chain=prerouting comment=\
    "defconf: drop local if not from default IP range" in-interface-list=LAN \
    src-address=!192.168.1.0/24

otherwise you’ll instantly lock out yourself from your router (practically run a search and replace in your favourite text editor to replace 192.168.88. to 192.168.1. on that quick fix example).

Also it would not hurt to read trough and understand than apply the linked parts in this post.

By the way why on Earth do you waste that 10Gbit capable SFP+ port for a 1Gbit uplink if you don’t get rid of the AT&T modem and use instead a GPON ONU Stick with MAC instead (so it functions as an ONT terminal device) as quite some AT&T customers do?