Resolved: Need something more powerful than HEX S - suggestions?

bobk4k · June 12, 2025, 8:26pm

Been running a HEX S as a firewall / NAT along with DHCP in a small home (and a 2nd at a church) for several years and it’s worked fine. However after an upgrade here at home from 60/5 to 500/500 Mbps the HEX S has turned into a bottleneck with speeds topping out around 95 Mbps both ways. Still running 6.49.18 but willing to move to V7; no ipv6. Need minimum 4 (or more) ports, no WiFi.

Looking for suggestions / guidance - first off I’m a retired server sysadmin and at my final job there was a whole network group so there is a very good chance I’ve got something messed up with the configuration of the HEX S. Can upload a copy of my running config.

The HEX S has worked great but I’m open to upgrading to something more powerful from Mikrotik both for me and my church if they decide to get faster internet.

Thanks in advance,
Bob

lurker888 · June 12, 2025, 9:18pm

95 sounds very much like 100 Mb ethernet. Check out what speed is negotiated on the ports of the device.

bobk4k · June 12, 2025, 10:11pm

Oooh, that would have been embarrassing.

Did an export verbose from the terminal and all five ether1-5 show " speed=1Gbps". Check of my desktop computer shows link at 1 GBbs as well. A speed test before the hEX S does show 500 Gbps speeds so it is something with the Mikrotik. Oh, the spf port is not in use.

Thanks,
Bob

jaclaz · June 12, 2025, 10:36pm

Hex S routing test results ( 512 bytes/25 firewall filter rules) say 265.
Usually that is a good indication of possible performance, i.e. you should be able to reach at least that speed.
Depending on setup/configuration (Fasttrack, Hardware Offload, etc.) usually much higher speed can be reached.
So there must be something “wrong” in your configuration, post It for review
Instructions here:
http://forum.mikrotik.com/t/forum-rules/173010/1

lurker888 · June 12, 2025, 10:38pm

Believe me, nothing is really embarrassing here

I still think that you might have a problem. The “export” series of commands - whichever verbosity you select - only show the configuration of the device, not the actual status. My thought is that you configure - correctly - to advertise every speed up to 1Gbps, but then the auto-negotiation results in a lower speed actually selected. This does not show up in an export. The command for this is:
/interface ethernet monitor

This shows the actual rate the port is running at.

My suspicion is triggered not only because your throughput number is exactly where I would expect it on a 100 Mbps line, but the hEX S maxes out at somewhere in the 200-300 Mbps region. With fasttrack enabled, it can handle the 500/500 just fine - so probably once you find the problem, you won’t even need new hardware. Of course if you want new hardware, that’s another matter entirely

anav · June 12, 2025, 11:24pm

Meanwhile, the RB5009 is a great upgrade regardless.

bobk4k · June 12, 2025, 11:55pm

anav,

Ok first off I recognize you from the now gone dslreports.com based on your animated icon! We may have chatted at some point in the past years (decades?) but I can’t remember what it was about.

Doing some research the RB5009 did show up but I wanted to run it across folks who know networking and that could improve my home throughput and my old hEX S could be a spare for my church along with my DSL modem / router as backups once I get them programmed for their configuration until they decide to migrate to fiber with higher speeds.

Many thanks,
Bob

bobk4k · June 13, 2025, 12:27am

Here it is:

# jun/12/2025 19:15:01 by RouterOS 6.49.18
# software id = ****
#
# model = RB760iGS
# serial number = *********
/interface bridge
add admin-mac=**-**-**-**-**_** auto-mac=no comment=defconf name=bridge
/interface ethernet switch
set 0 mirror-source=ether1 mirror-target=cpu
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.240-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=24m name=\
    defconf
/system logging action
set 1 disk-file-count=4 disk-lines-per-file=2500
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
add address=192.168.0.2/24 interface=ether1 network=192.168.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=\
    192.168.1.206,8.8.8.8,8.8.4.4 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.0.1
/ip service
set telnet address=192.168.1.0/24
set ftp disabled=yes
set www address=192.168.1.0/24
set ssh address=192.168.1.0/24
set winbox address=192.168.1.0/24
/system clock
set time-zone-name=America/Chicago
/system logging
set 0 action=disk
set 1 action=disk
set 2 action=disk
set 3 action=disk
add topics=warning
add topics=info
add topics=error
add topics=critical
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Here you go. Be gentle on an ex-server guy working with networking stuff.

Thanks,
Bob

jaclaz · June 13, 2025, 9:44am

The configuration is pretty much vanilla, nothing particularly “wrong” I could spot.

Post the info lurker888 asked for.

anav · June 13, 2025, 11:12am

1, It would seem the hex gets a private LANIP from an upstream device.
In any case, one should NOT duplicate having an IP address AND an enabled IP DHCP client setting for wan termination.
Thus pick one NOT both!!!

/ip address
add address=192.168.0.2/24 interface=ether1 network=192.168.0.0
/ip dhcp-client
add comment=defconf interface=ether1

On this line, if you manually added the netmask then remove it ( if generated by router fine )
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=
192.168.1.206,8.8.8.8,8.8.4.4 gateway=192.168.1.1 netmask=24

lurker888 · June 13, 2025, 11:26am

Yes. There’s a static route, manual dns config and everything. Delete or disable the dhcp client.

Having both a static config and a dhcp client on the same interfaces causes periodic brief (<1s) interruptions in service, but does not lead to the decreased bandwidth situation. Nonetheless, it should be corrected.

bobk4k · June 17, 2025, 4:22pm

Resolved: lurker888 called it: short answer is the hEX S and the Quantum Q Fiber W1700K 1Gb ports will only connect at 100Mb speeds, something I haven’t seen in years (decades?) since the early days of 1Gb network cards. Plugging the hEX S into a spare 1Gb switch and from there into the W1700K links up at the correct speed and I’m getting around 500Mb speeds up and down through the hEX S.

Apologies for missing the obvious - the W1700K access point / router is only configurable via an app with no web interface. While I can find the IP address of a port it doesn’t show the speed. And the VOIP box plugged in was showing the same yellow port LED so I assumed it was linking up at 1Gb speeds but I was wrong. Not much info on the AP/router on the web but yes I misread the status LEDs on the ports.

And for the Mikrotik experts - is there a WebFig or terminal command to query the port speeds? I couldn’t find it and my (dim) light bulb ah-ha moment came when I started plugging 1Gb devices in the W1700K and seeing different port lights. (Head smack.)

Many thanks for all who responded - being retired it seems I’m loosing my troubleshooting skills.

Bob

bobk4k · June 17, 2025, 4:41pm

lurker888:

1, It would seem the hex gets a private LANIP from an upstream device.
In any case, one should NOT duplicate having an IP address AND an enabled IP DHCP client setting for wan termination.
Thus pick one NOT both!!!

/ip address
add address=192.168.0.2/24 interface=ether1 network=192.168.0.0
/ip dhcp-client
add comment=defconf interface=ether1

On this line, if you manually added the netmask then remove it ( if generated by router fine )
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=
192.168.1.206,8.8.8.8,8.8.4.4 gateway=192.168.1.1 netmask=24

Yes. There’s a static route, manual dns config and everything. Delete or disable the dhcp client.

Having both a static config and a dhcp client on the same interfaces causes periodic brief (<1s) interruptions in service, but does not lead to the decreased bandwidth situation. Nonetheless, it should be corrected.

I didn’t include my network topology so let me see if I can explain it since I’m coming from DSL with a configurable modem/router to now on fiber:

DSL → router (192.168.0.0/24) old WiFi AP → hEX S (192.168.1.1) running firewall and dhcp on a separate wired network. At 192.168.1.206 is an old Windows Server 2012 R2 and plugged in is a desktop and laptop that are member workstations in an active directory domain. Windows AD gets grumpy if it’s DNS isn’t exactly right; yes it’s a weird setup for home use but at my last (final) job my knowledge of AD came in handy dealing with customers and kept me up to speed on AD.

Besides I did have MCSE certifications from Microsoft - minesweeper consultant and solitare expert. (Stolen from the net.)

Again my background is more server than networking but hopefully this explains my oddball separate internal network. Thanks for bringing that up.

Bob

jaclaz · June 17, 2025, 8:21pm

Well, I would try this:

bobk4k · June 17, 2025, 10:53pm

[admin@MikroTik] > /interface ethernet monitor 0
name: ether1
status: link-ok
auto-negotiation: done
rate: 1Gbps
full-duplex: yes
tx-flow-control: no
rx-flow-control: no

Thank you jaclaz & lurker888! Didn’t dig deep enough into the command line but I will file that away in case I encounter any other weirdness with the hEX S connected to other devices.

Bob

lurker888 · June 18, 2025, 12:17am

Just an FYI: I gave the CLI command out of habit, but the same info is clearly labelled and readily available in the GUI interfaces, including the web one.