[RB951G-2HnD] 300Mbps Internet bottleneck

Hi, first time round here.

Today I’ve upgraded my internet connection from 100/8 to 300/10 Mbps and, to my surprise, my router can’t seem to handle it.

Here is the configuration of the router:

# feb/05/2019 21:13:41 by RouterOS 6.43.8
# software id = NJEQ-QH3R
#
# model = 951G-2HnD
# serial number = xxxxxxxxxxxxx
/interface bridge
add fast-forward=no name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no frequency=auto \
    mode=ap-bridge ssid=WifiSSID wps-mode=push-button-virtual-only
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik wpa2-pre-shared-key=\
    WifiPassword
/ip pool
add name=dhcp_pool1 ranges=192.168.0.120-192.168.0.199
/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay disabled=no \
    interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 hw=no interface=ether2
add bridge=bridge1 hw=no interface=ether3
add bridge=bridge1 hw=no interface=ether4
add bridge=bridge1 hw=no interface=ether5
add bridge=bridge1 interface=wlan1
/ip address
add address=192.168.0.1/24 interface=bridge1 network=192.168.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1,8.8.8.8 gateway=192.168.0.1
/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections" \
    connection-state=invalid
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment="Allow SSH" dst-port=60000 protocol=tcp
add action=accept chain=input comment="Allow winbox connections" dst-port=\
    8291 protocol=tcp
add action=accept chain=input comment="Allow Established connections" \
    connection-state=established
add action=drop chain=input comment="Drop anything else" log-prefix=drop_
/ip firewall nat
add action=masquerade chain=srcnat comment="Nat General" log-prefix=nat_ \
    out-interface=ether1 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="Nat General" log-prefix=nat_ \
    out-interface=ether1 src-address=192.168.1.0/24
/ip firewall service-port
set irc disabled=yes
set h323 disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes port=2121
set www disabled=yes
set ssh port=60000
set api disabled=yes
set api-ssl disabled=yes

These prints are with the PC connected directly to the modem:

And these ones with the router in the middle:

Am I doing something wrong? Is this router really not capable of 300 Mbps?

Something that I found strange is that I can actually copy a file from one PC to another and get a 1 gigabit transfer without any problems, but still can’t from the modem.

  1. Do not open SSH and Winbox to wild internet (use e.g. address list, VPN, port knock)
  2. Use Fast track for better throughput https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack
  3. Consider router upgrade
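
An offline check for the first point above, as an added example that is not part of the original thread: it parses the firewall section of the posted export and lists input-chain accept rules for the management ports (8291 for Winbox and 60000 for SSH, both taken from the posted configuration) that carry no source restriction. The function and constant names are illustrative.

```python
import re
import shlex

# Constructed sample: the input-chain rules from the export posted above.
SAMPLE_EXPORT = r'''
/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections" \
    connection-state=invalid
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment="Allow SSH" dst-port=60000 protocol=tcp
add action=accept chain=input comment="Allow winbox connections" dst-port=\
    8291 protocol=tcp
add action=accept chain=input comment="Allow Established connections" \
    connection-state=established
add action=drop chain=input comment="Drop anything else" log-prefix=drop_
'''

# RouterOS matchers that narrow where a packet may come from.
SOURCE_LIMITS = {"src-address", "src-address-list", "in-interface", "in-interface-list"}

def parse_export(text):
    """Yield (section, verb, params) for each command in a RouterOS export."""
    text = re.sub(r"\\\n\s*", "", text)  # join backslash-continued lines
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):  # e.g. "/ip firewall filter"
            section = line
            continue
        verb, *rest = shlex.split(line)  # keeps comment="Allow SSH" as one token
        yield section, verb, dict(t.split("=", 1) for t in rest if "=" in t)

def exposed_management_rules(text, mgmt_ports=("8291", "60000")):
    """Return comments of input accept rules for mgmt ports with no source limit.

    Assumption: dst-port holds single ports or comma lists; ranges are not expanded.
    """
    findings = []
    for section, verb, p in parse_export(text):
        if section != "/ip firewall filter" or verb != "add":
            continue
        ports = set(p.get("dst-port", "").split(","))
        if (p.get("chain") == "input" and p.get("action") == "accept"
                and ports & set(mgmt_ports) and SOURCE_LIMITS.isdisjoint(p)):
            findings.append(p.get("comment", "<no comment>"))
    return findings

if __name__ == "__main__":
    for comment in exposed_management_rules(SAMPLE_EXPORT):
        print("management port open to any source:", comment)
```

A rule that adds `src-address-list=` or `in-interface=` to the same match is no longer reported.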

Is this over ethernet or wireless?
Yes, fasttrack should help a lot.

Thanks a lot for the security advice. I’ve used these commands from the wiki link:

/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related
/ip firewall filter add chain=forward action=accept connection-state=established,related

Now everything works as expected:

Now I have some questions:

  1. I see that if fasttrack is enabled the traffic evades every check including the firewall. Does this mean an internet security issue?
  2. In case of an upgrade, which router should I go for? Will a 4011 be fine?

Any requirements?

Not all traffic evades the firewall, only traffic with the configured connection state, which is “established” and “related”. New connections won’t match the fast-track rule and will be checked against all the regular rules. Only after the connection passes on to “established” (for a TCP connection this could mean a finished exchange of SYN, SYNACK, ACK packets), it’ll get fast-tracked. The second rule (same criteria but with action=accept) is necessary as a fast-tracked connection gets “normal-tracked” from time to time … to make sure connection states are properly maintained (or something like that as per rumours).


A nice step between your current RB951G and the mentioned RB4011 would be the RBD52G (hAP ac²), with a very friendly price tag.

I’m thinking about future-proofing. I work for the biggest ISP in my country, so I have very cheap high speed connections. I’m also into streaming and I have an HP DL380 server that will probably be followed by more servers and a big redundant storage as I want to make some startup projects. Even though it is for my home, I guess it’ll be a good purchase and will last for many years. Am I right?