Slow Ethernet Speeds

RouterOS General
1

Hi there,
I recently purchased an RB2011UiAS-2HnD hoping to replace our old Virgin Media Hub 3.0 and get the most out of our 300Mb internet. However, after a few days of tinkering and visiting many pages on this forum, i have been unable to get speeds above 70Mbps.
To connect the router i have changed the Hub 3.0 from router to modem mode and plugged that into the mikrotik router. I dont believe it is the Hub 3.0 slowing the internet speed, as in router mode it was able to deliver speeds of around 200Mbps.
I would be very grateful for your help :slight_smile:

Router Config:

[admin@MikroTik] > /export hide-sensitive 
# jul/11/2022 15:24:18 by RouterOS 6.49.6
# software id = 2WXB-9KYG
#
# model = RB2011UiAS-2HnD
# serial number = C4510F05FF28
/interface bridge
add admin-mac=DC:2C:6E:D6:77:01 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full name="Google Wifi"
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full name=Internet
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full name=Office speed=1Gbps
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country="united kingdom" disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.10.10-192.168.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface="Google Wifi"
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=Office
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=Internet list=WAN
/ip address
add address=192.168.10.1/24 comment=defconf interface=bridge network=192.168.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=Internet
/ip dhcp-server lease
add address=192.168.10.130 client-id=1:70:3a:cb:2a:69:b0 comment="Google Wifi LAN" mac-address=70:3A:CB:2A:69:B0 server=defconf
add address=192.168.10.126 client-id=1:68:f7:28:d9:3f:e mac-address=68:F7:28:D9:3F:0E server=defconf
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf gateway=192.168.10.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.10.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input comment=SMB:445 dst-port=445 in-interface=Internet protocol=tcp src-port=""
add action=accept chain=input comment=SMB:139 dst-port=139 in-interface=Internet protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Web Server Forwarding" dst-port=80 in-interface=Internet log=yes log-prefix=WebServer>> port="" protocol=tcp src-port="" to-addresses=192.168.10.130 to-ports=80
add action=dst-nat chain=dstnat comment="Banking Management System Forwarding" dst-port=30003 in-interface=Internet log=yes log-prefix="BANKM >> " protocol=tcp to-addresses=192.168.10.130 to-ports=30003
add action=dst-nat chain=dstnat comment="SSH Forwarding" dst-port=22 in-interface=Internet protocol=tcp src-port="" to-addresses=192.168.10.130 to-ports=22
add action=dst-nat chain=dstnat comment="SMB:445 Forwarding" dst-port=445 in-interface=Internet log=yes log-prefix="SMB:445 >> " protocol=tcp to-addresses=192.168.10.130 to-ports=445
add action=dst-nat chain=dstnat comment="SMB:139 Forwarding" dst-port=139 in-interface=Internet log=yes log-prefix="SMB:139 >> " protocol=tcp to-addresses=192.168.10.130 to-ports=139
/lcd interface pages
set 0 interfaces="sfp1,Internet,Google Wifi,ether3,ether4,ether5,Office,ether7,ether8,ether9,ether10"
/system clock
set time-zone-name=Europe/London
/system ntp client
set enabled=yes primary-ntp=216.239.32.0 secondary-ntp=216.239.32.4
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
2

Without looking too much at config:
Why would you expect 300Mb using Mikrotik if the same device giving you 200Mb is still in between ?
Are you sure the cable used to connect Hub to Mikrotik is cat5E or ideally cat6 ? Since a throughput of 70Mb makes me think something is operating at 100Mb Ethernet.
I assume that connection from Hub terminates on RB2011 on eth2 ? What does it show as link speed in Winbox or terminal ?

3

While checking your /ip firewall:

add action=accept chain=input comment=SMB:445 dst-port=445 in-interface=Internet protocol=tcp src-port=""
add action=accept chain=input comment=SMB:139 dst-port=139 in-interface=Internet protocol=tcp

Are you really running SMB on your MikroTik? Your input chain is only for services running on the MikroTik.

Do you think it is a good idea to make SMB publically available? Or SSH or even “Banking Management System”?

add action=dst-nat chain=dstnat comment="Web Server Forwarding" dst-port=80 in-interface=Internet log=yes log-prefix=WebServer>> port="" protocol=tcp src-port="" to-addresses=192.168.10.130 to-ports=80
add action=dst-nat chain=dstnat comment="Banking Management System Forwarding" dst-port=30003 in-interface=Internet log=yes log-prefix="BANKM >> " protocol=tcp to-addresses=192.168.10.130 to-ports=30003
add action=dst-nat chain=dstnat comment="SSH Forwarding" dst-port=22 in-interface=Internet protocol=tcp src-port="" to-addresses=192.168.10.130 to-ports=22
add action=dst-nat chain=dstnat comment="SMB:445 Forwarding" dst-port=445 in-interface=Internet log=yes log-prefix="SMB:445 >> " protocol=tcp to-addresses=192.168.10.130 to-ports=445
add action=dst-nat chain=dstnat comment="SMB:139 Forwarding" dst-port=139 in-interface=Internet log=yes log-prefix="SMB:139 >> " protocol=tcp to-addresses=192.168.10.130 to-ports=139

This one did make me grin as well:

/interface detect-internet
set detect-interface-list=all

Just turn it off.

And to answer your question:
How do you test?
What is CPU load during testing?
Are you sure you get a public IP address on your “internet” interface? And is it connected with Gigabit speed?

4

The SMB rules are redundant as my ISP blocks them anyway (ive got rid of them now) and the SSH and Application ports are (reasonably) well secured. My CPU load while testing rarely exceeds 15% and there is definitely a public IP being assigned to ‘Internet’ (ether1 interface).
The Hub is definitely connected to the Mikrotik router using cat6.
Thank you for your help!

5

Then I am looking forward to the answers on the other questions.