Dear all, I have a quick question. For the past few weeks my internet speed has decreased from 50MBps download and 10MBps upload to 10Mbps download and 5 upload. I have shut down every web server in the house, but it's still the same. I'm using a Huawei VDSL modem in bridge mode with PPPoE on the MikroTik. When I use the modem as a router from my provider, the internet speed goes back to normal: 50/10. How can I see where I'm losing packets, or do something to correct this? I imagine I'm doing something wrong in my settings.
Which RouterBOARD model? RouterOS/firmware version?
Do you have DNS enabled ("Allow Remote Requests")?
Have you checked whether there is upload bandwidth usage when that happens?
Do you have firewall rules protecting the router that reference the PPPoE interface, not the ether it's bound to?
- CRS125-24G-1S-2HnD
- Yes
- I have only my laptop on to check traffic. "Nothing is on and eating bandwidth."
[admin@mikrotiknetworks.sytes.net] /ip firewall> export
# mar/27/2016 19:40:52 by RouterOS 6.34.3
# software id = FC72-6PKR
#
/ip firewall mangle
add action=change-mss chain=forward new-mss=1452 out-interface=all-ppp protocol=tcp tcp-flags=syn tcp-mss=\
1453-65535
/ip firewall nat
add chain=srcnat comment=BREAKER disabled=yes
add action=masquerade chain=srcnat out-interface=WAN_1
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.50.0/24
add chain=srcnat comment=BREAKER disabled=yes
add action=dst-nat chain=dstnat comment="MEDIA SERVER PLEX" disabled=yes dst-port=32400 in-interface=WAN_1 \
protocol=tcp to-addresses=192.168.50.16 to-ports=32400
add action=dst-nat chain=dstnat comment="MEDIA SERVER REMOTE DESKTOP" disabled=yes dst-port=3389 in-interface=\
WAN_1 protocol=tcp to-addresses=192.168.50.23 to-ports=3389
add action=dst-nat chain=dstnat comment="WEB SERVER" disabled=yes dst-port=80 in-interface=WAN_1 protocol=tcp \
to-addresses=192.168.50.16 to-ports=80
add action=dst-nat chain=dstnat comment="FILE SERVER" disabled=yes dst-port=80 in-interface=WAN_1 protocol=tcp \
to-addresses=192.168.50.11 to-ports=80
add action=dst-nat chain=dstnat comment="TOMCAT SERVER" disabled=yes dst-port=8084 in-interface=WAN_1 protocol=tcp \
to-addresses=192.168.50.16 to-ports=8084
add chain=srcnat comment=BREAKER disabled=yes
add action=dst-nat chain=dstnat comment=DDWRT_ROUTER disabled=yes dst-address=xxx.xxx.xxx. dst-port=8081 protocol=\
tcp to-addresses=192.168.50.13 to-ports=80
add action=dst-nat chain=dstnat comment=DDWRT_ROUTER_NTP disabled=yes dst-address=xxx.xxx.xxx dst-port=123 \
protocol=udp to-addresses=192.168.50.13 to-ports=123
add action=dst-nat chain=dstnat comment=XBMC_SERVER_ISENGARD disabled=yes dst-address=xxx.xxx.xxx dst-port=9090 \
protocol=tcp to-addresses=192.168.50.13 to-ports=80
add action=dst-nat chain=dstnat comment=ASTERISK_DDWRT_ROUTER disabled=yes dst-address=xxx.xxx.xxx dst-port=8088 \
protocol=tcp to-addresses=192.168.50.13 to-ports=8088
add chain=srcnat comment=BREAKER disabled=yes
add action=dst-nat chain=dstnat comment="UBNT UNIFI_AP_DISCOVERY" disabled=yes dst-port=8444 in-interface=WAN_1 \
protocol=tcp to-addresses=192.168.50.17 to-ports=8080
add action=dst-nat chain=dstnat comment="UBNT UNIFI_AP_PORTAL" disabled=yes dst-port=8443 in-interface=WAN_1 \
protocol=tcp to-addresses=192.168.50.17 to-ports=8443
add action=dst-nat chain=dstnat comment="UBNT UNIFI_AP_PORTAL_HOTSPOT" disabled=yes dst-port=8880 in-interface=\
WAN_1 protocol=tcp to-addresses=192.168.50.17 to-ports=8880
[admin@mikrotiknetworks.sytes.net] /ip firewall>
Plus, these are my WAN settings:
/interface pppoe-client
add ac-name=AthMar1BR04 add-default-route=yes allow=pap,chap default-route-distance=1 disabled=no interface=Ethernet_1 keepalive-timeout=disabled max-mru=1492 max-mtu=1480 mrru=\
1600 name=WAN_1 password=xxx.xxx.xxx use-peer-dns=yes user=xxx.xxx.xxx
Did you omit the IP firewall filters intentionally, or doesn't your router have any?
I have deleted them; I thought they were at fault.
You should re-enable or re-add them; don't leave your router wide open! Your DNS will be used for DNS amplification attacks in a matter of minutes...
You can see the default ruleset inside the default configuration script by issuing
/system default-configuration print
Just change the wan interface (ether1) to your PPPoE interface.
What’s the firmware version of your CRS? (System > Routerboard)
I doubt CPU load is the problem at 50Mbps, but if you're not using queues, I'd configure fasttrack (it is enabled in the default /ip firewall filter ruleset shown by the previous command); for more info see http://wiki.mikrotik.com/wiki/Manual:Wiki/Fasttrack
Hello,
I have the same exact issue!
I have a ZTE VDSL router set up as a bridge and an RB2011UiAS-2HnD where I have the PPPoE dial-up connection.
My line is 50Mb down and 5Mb up.
If I use the ZTE as a router, i.e. making the PPPoE connection from it, I get practically 48mb of download and 4.8mb of upload, even if I am connected through the MikroTik as a second router in the chain.
But if I set up the ZTE as a bridge and make the PPPoE connection from the MikroTik, I get at most 5mb of download and 0.5mb of upload.
I have deleted all the IP filter rules and I have played a little with the MTU value, but still nothing.
I have also noticed that when I make the PPPoE connection on the MikroTik, there is around 3-4mb of traffic on ether1, where the connection is listening, although I am not generating any traffic.
Do you guys have any idea how to solve this?
Hello,
I have the exact same issue.
Is there any possible solution?
Found the solution, at least in my case.
I had a lot of traffic coming in on UDP port 53, which is used by the DNS server. It was some kind of DNS flood.
I applied the following filters to refuse these connections, and now I reach the speeds advertised by my ISP.
0 ;;;
chain=input action=drop protocol=udp in-interface=pppoe-out2 dst-port=53 log=yes log-prefix=""
1 chain=input action=drop protocol=tcp in-interface=pppoe-out2 dst-port=53 log=yes log-prefix=""
2 chain=forward action=drop protocol=udp out-interface=!all-ethernet dst-port=53 log=no log-prefix=""
3 chain=forward action=drop protocol=tcp out-interface=!all-ethernet dst-port=53 log=no log-prefix=""
For those using PPPoE: make sure your firewall rules refer to the PPPoE interface (pppoe-out1, pppoe-out2 or whichever) and not to ether1; otherwise your internet connection will be used for DNS DDoS in no time, stealing your bandwidth.
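As an added example (not posted by anyone in this thread), here is what the advice from the earlier reply ("take the default ruleset and change ether1 to your PPPoE interface") and the closing note above look like when combined into one ruleset. It uses the interface name WAN_1 from the first poster's export; the rule text follows the RouterOS 6.x default configuration, whose exact wording varies by version, so compare it against the output of /system default-configuration print on your own unit. The two logging DNS rules are an optional addition so that hits can be counted while debugging; the catch-all "drop all from WAN" rule would drop those packets anyway.

```routeros
# Added example: default-style filter ruleset bound to the PPPoE interface.
# Assumes the PPPoE client is named WAN_1 (from the OP's export); change it to
# pppoe-out1/pppoe-out2 as appropriate. Rule wording mirrors the RouterOS 6.x
# defaults and may differ slightly between versions.
/ip firewall filter
add chain=input action=accept connection-state=established,related \
    comment="defconf: accept established,related"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
# Optional: log and drop DNS queries arriving on the PPPoE interface, so the
# amplification traffic the thread describes shows up in /log with a prefix.
add chain=input action=drop protocol=udp dst-port=53 in-interface=WAN_1 \
    log=yes log-prefix="dns-wan" comment="drop DNS from WAN (logged)"
add chain=input action=drop protocol=tcp dst-port=53 in-interface=WAN_1 \
    log=yes log-prefix="dns-wan" comment="drop DNS from WAN (logged)"
# The rule that silently does nothing when it still says in-interface=ether1:
# on a bridged modem the WAN packets arrive on the PPPoE interface, not ether1.
add chain=input action=drop in-interface=WAN_1 comment="defconf: drop all from WAN"
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related \
    comment="defconf: accept established,related"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface=WAN_1 comment="defconf: drop all from WAN not DSTNATed"
```

After applying it, /ip firewall filter print stats should show the packet counters of the WAN_1 rules increasing while the ether1-bound rules (if any are left) stay at zero; that is the quickest confirmation that the rules are now matching the interface the traffic actually arrives on. "Allow Remote Requests" can stay enabled for the LAN, since the input chain now refuses DNS from the WAN side before the resolver ever sees it.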