Slow internet when change IP pool address and DHCP server

dcuervog · September 30, 2024, 12:01am

Hello there. I have a little problem with my router, a hAP ac2. I have FTTH 900 mbps symmetrical, when I do a speedtest directly to ONT, a Huawei EG8145V5, it marks full speed (approx 950/940 mbps). But when I try to the router, it marks 930/450.

I factory reset it several times without positival results. Then, I tried with another router, a hEX RB750Gr3 and I made the same process without any result.

Then I discovered that the default address pool 192.168.88.0/24 shows full speed. And my custom address pool 192.168.0.0/24 shows half speed.

Why does this happen? And is there a solution to this problem? I attach screenshots of speed test results.

My main ISP is Movistar FTTH and backup is Claro HFC.

With 192.168.88.0/24

EdgeUno Bogota Server

Movistar Bogota Server

Somos Bogota Server

With 192.168.0.0/24

EdgeUno Bogota Server

Movistar Bogota Server

Somos Bogota Server

I have the 6.49.17 version, I don’t know if that’s a problem.

And sorry for my bad english. I didn’t use any AI chat.

erlinden · September 30, 2024, 7:56am

This shouldn’t happen, as you understand.

Did you change from 192.168.88.x to 192.168.0.x?
Did you change on 3 locations:

/ip address
/ip dhcp-server network
/ip pool

Can you share your config after changing the subnet?

/export hide-sensitive file=anynameyoulike

Remove serial and any other private info.

dcuervog · October 1, 2024, 1:44am

This shouldn’t happen, as you understand.

Did you change from 192.168.88.x to 192.168.0.x?
Did you change on 3 locations:
/ip address
/ip dhcp-server network
/ip pool
Can you share your config after changing the subnet?
/export hide-sensitive file=anynameyoulike
Remove serial and any other private info.

Yeah, I changed from 88.x to 0.x and vice versa, and the speed changes. Also I changed on 3 locations. I attach my config, there are two subnets.

# sep/30/2024 20:30:25 by RouterOS 6.49.17
#
# model = RBD52G-5HacD2HnD
/interface bridge
add admin-mac=XXXXXXX auto-mac=no comment=defconf name=bridge
add name=bridge-guest
/interface ethernet
set [ find default-name=ether1 ] comment="Movistar FTTH" name=ether1-wan1
set [ find default-name=ether2 ] comment="Claro HFC" name=ether2-wan2
set [ find default-name=ether5 ] comment=Invitados
/interface pppoe-client
add comment="Movistar FTTH PPPoE" disabled=no interface=ether1-wan1 \
    keepalive-timeout=disabled name=pppoe-out1 service-name=telefonica user=\
    AAFXXXXXXXXXX
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=colombia default-forwarding=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge name=wlan1-2g ssid=test \
    wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=colombia default-forwarding=no \
    disconnect-timeout=15s distance=indoors frequency=auto hw-retries=15 \
    installation=indoor mode=ap-bridge name=wlan2-5g on-fail-retry-time=1s \
    skip-dfs-channels=10min-cac ssid=test wireless-protocol=802.11 \
    wmm-support=enabled wps-mode=disabled
/interface vlan
add disabled=yes interface=bridge name=vlan-invitados vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=guest \
    supplicant-identity=MikroTik
add mode=static-keys-optional name=no-pass supplicant-identity=""
add authentication-types=wpa2-psk mode=dynamic-keys name=domotica \
    supplicant-identity=""
/interface wireless
add mac-address=XXXXX master-interface=wlan1-2g name=\
    wlan2-2g-guest security-profile=no-pass ssid="test invitados" vlan-id=10 \
    vlan-mode=use-tag wps-mode=disabled
add mac-address=XXXXX master-interface=wlan2-5g name=\
    wlan2-5g-guest security-profile=no-pass ssid="Invitados KH" wps-mode=\
    disabled
add mac-address=XXXXX master-interface=wlan1-2g name=\
    wlan3-homeaut security-profile=domotica ssid="Domo KH" wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot-es login-by=\
    mac,http-chap
add hotspot-address=10.0.10.1 html-directory=flash/hotspot-es login-by=\
    http-chap,mac-cookie name=hsprof1
add html-directory=flash/hotspot-es name=visita
/ip hotspot
add addresses-per-mac=30 disabled=no idle-timeout=1h interface=bridge-guest \
    name=invitados profile=hsprof1
add addresses-per-mac=unlimited idle-timeout=1h interface=vlan-invitados \
    name=invitados-vlan profile=hsprof1
/ip hotspot user profile
set [ find default=yes ] add-mac-cookie=no session-timeout=30m shared-users=\
    15 status-autorefresh=5s
add add-mac-cookie=no !idle-timeout !keepalive-timeout !mac-cookie-timeout \
    name=visita-larga session-timeout=2h status-autorefresh=5m \
    transparent-proxy=yes
add add-mac-cookie=no !idle-timeout !keepalive-timeout !mac-cookie-timeout \
    name=familia session-timeout=1d shared-users=40 status-autorefresh=5s
/ip pool
add name=principal ranges=192.168.88.2-192.168.88.254
add name=principal2 ranges=192.168.0.10-192.168.0.254
add name=invitados-vlan ranges=10.0.10.2-10.0.10.50
add name=invitados ranges=10.0.10.2-10.0.10.50
/ip dhcp-server
add address-pool=principal disabled=no interface=bridge name=principal
add address-pool=principal2 interface=bridge name=principal2
add address-pool=invitados-vlan interface=vlan-invitados name=invitados-vlan
add address-pool=invitados disabled=no interface=bridge-guest name=invitados
/ip hotspot user profile
add add-mac-cookie=no address-pool=invitados idle-timeout=30m \
    !keepalive-timeout !mac-cookie-timeout name=colados rate-limit=512k/512k \
    session-timeout=30m shared-users=5
add add-mac-cookie=no address-pool=invitados idle-timeout=20m \
    !keepalive-timeout !mac-cookie-timeout name=visita-corta rate-limit=\
    11m/11m session-timeout=20m shared-users=10
/ipv6 dhcp-server
add address-pool=main interface=bridge name=principal-v6
/queue simple
add burst-time=1s/1s disabled=yes limit-at=4k/4k max-limit=4k/4k name=poco \
    target=192.168.0.39/32
add burst-time=1s/1s disabled=yes limit-at=4k/4k max-limit=4k/4k name=Emma \
    target=192.168.0.57/32
add limit-at=80M/80M max-limit=80M/80M name=invitados target=bridge-guest
add limit-at=512k/512k max-limit=512k/512k name=colados target=bridge-guest
add disabled=yes max-limit=75M/75M name=invitados-vlan target=vlan-invitados
add disabled=yes max-limit=2M/5M name="vaio wifi" target=192.168.0.9/32
add disabled=yes max-limit=11M/51M name=vaio target=192.168.0.8/32
add disabled=yes max-limit=51M/51M name=test target=192.168.0.2/32
add disabled=yes name=wan1 target=pppoe-out1
add disabled=yes name=wan2 target=ether2-wan2
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
add name=read-only policy="read,winbox,web,!local,!telnet,!ssh,!ftp,!reboot,!w\
    rite,!policy,!test,!password,!sniff,!sensitive,!api,!romon,!dude,!tikapp"
add name=ftp policy="ftp,read,!local,!telnet,!ssh,!reboot,!write,!policy,!test\
    ,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp"
/interface bridge port
add bridge=bridge comment=defconf disabled=yes interface=ether2-wan2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge-guest comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1-2g
add bridge=bridge comment=defconf interface=wlan2-5g
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge disabled=yes tagged=vlan-invitados,bridge vlan-ids=20
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-wan1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether2-wan2 list=WAN
/interface wireless access-list
add interface=wlan2-5g mac-address=XXXXX
/ip address
add address=192.168.88.1/24 comment=principal interface=bridge network=\
    192.168.88.0
add address=192.168.0.1/24 comment=principal2 disabled=yes interface=bridge \
    network=192.168.0.0
add address=10.0.10.1/24 comment=invitados-vlan disabled=yes interface=\
    vlan-invitados network=10.0.10.0
add address=10.0.10.1/24 comment=invitados interface=bridge-guest network=\
    10.0.10.0
add address=192.168.4.2/24 comment=Mitrastar interface=ether5 network=\
    192.168.4.0
add address=192.168.1.1/24 comment=repetidor interface=bridge-guest network=\
    192.168.1.0
add address=192.168.4.1/24 comment=Mitrastar interface=bridge-guest network=\
    192.168.4.0
add address=5.207.142.254/24 interface=ether2-wan2 network=5.207.142.0
/ip dhcp-client
add add-default-route=no comment="Movistar FTTH" disabled=no interface=\
    ether1-wan1 use-peer-dns=no use-peer-ntp=no
add add-default-route=no comment="Claro HFC" disabled=no interface=\
    ether2-wan2 script="{\r\
    \n    :local rmark \"to_wan2\"\r\
    \n    :if (\$bound=1) do={\r\
    \n        :if ([/ip route print count-only where comment=\$rmark] = 0) do=\
    {\r\
    \n            /ip route add distance=2 gateway=\$\"gateway-address\" check\
    -gateway=ping routing-mark=\$rmark comment=\$rmark\r\
    \n            /ip route add distance=2 gateway=\$\"gateway-address\" check\
    -gateway=ping comment=\$rmark\r\
    \n        } else={\r\
    \n            :foreach r in=[/ip route find where comment=\$rmark] do={ \r\
    \n                :if ([/ip route get \$r gateway] != \$\"gateway-address\
    \") do={\r\
    \n                    /ip route set \$r gateway=\$\"gateway-address\"\r\
    \n                }\r\
    \n            }    \r\
    \n        }\r\
    \n    } else={\r\
    \n        /ip route remove [find comment=\$rmark]       \r\
    \n    }\r\
    \n}\r\
    \n         " use-peer-dns=no use-peer-ntp=no

/ip dhcp-server network
add address=10.0.10.0/24 comment=invitados dns-server=8.8.8.8,1.1.1.1 domain=\
    guest gateway=10.0.10.1 netmask=24 ntp-server=186.155.28.147
add address=192.168.0.0/24 comment=principal2 domain=khuervo gateway=\
    192.168.0.1
add address=192.168.1.0/24 comment=repetidor dns-server=10.0.10.1,8.8.8.8 \
    gateway=192.168.1.1
add address=192.168.88.0/24 comment=defconf domain=khuervo gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=\
    45.90.28.211,45.90.30.211,2a07:a8c0::8a:8ce6,2a07:a8c1::8a:8ce6 \
    use-doh-server=https://dns.nextdns.io/8a8ce6 verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=2a07:a8c1:: name=dns.nextdns.io type=AAAA
add address=45.90.30.0 name=dns.nextdns.io
add address=2a07:a8c0:: name=dns.nextdns.io type=AAAA
add address=45.90.28.0 name=dns.nextdns.io
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related src-address=192.168.88.0/24
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment="Bloquear el puerto 80" disabled=yes \
    protocol=tcp src-port=80
/ip firewall mangle
add action=accept chain=prerouting in-interface=pppoe-out1
add action=accept chain=prerouting in-interface=ether2-wan2
add action=mark-connection chain=prerouting dst-address-type=!local \
    new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/0 src-address=192.168.88.0/24
add action=mark-connection chain=prerouting dst-address-type=!local \
    new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/1 src-address=192.168.88.0/24
add action=mark-routing chain=prerouting connection-mark=wan1_conn \
    new-routing-mark=to_wan1 passthrough=yes src-address=192.168.88.0/24
add action=mark-routing chain=prerouting connection-mark=wan2_conn \
    new-routing-mark=to_wan2 passthrough=yes src-address=192.168.88.0/24
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1-wan1
add action=masquerade chain=srcnat out-interface=bridge-guest
add action=masquerade chain=srcnat out-interface=pppoe-out1 src-address=\
    192.168.88.0/24
add action=masquerade chain=srcnat out-interface=pppoe-out1 src-address=\
    10.0.10.0/24
add action=masquerade chain=srcnat out-interface=ether2-wan2 src-address=\
    192.168.88.0/24
add action=dst-nat chain=dstnat comment="ETS2 servidor tcp" disabled=yes \
    dst-address=0.0.0.0/0 dst-port=27014-27050 protocol=tcp to-addresses=\
    192.168.88.2 to-ports=27014-27050
add action=dst-nat chain=dstnat comment="ETS2 servidor udp" disabled=yes \
    dst-address=0.0.0.0/0 dst-port=27014-27050 protocol=udp to-addresses=\
    192.168.88.2 to-ports=27014-27050
add action=dst-nat chain=dstnat comment="ETS2 servidor tcp vaio" disabled=yes \
    dst-address=0.0.0.0/0 dst-port=27014-27050 protocol=tcp to-addresses=\
    192.168.88.8 to-ports=27014-27050
add action=dst-nat chain=dstnat comment="ETS2 servidor udp vaio" disabled=yes \
    dst-address=0.0.0.0/0 dst-port=27014-27050 protocol=udp to-addresses=\
    192.168.88.8 to-ports=27014-27050
add action=masquerade chain=srcnat disabled=yes out-interface=bridge
add action=masquerade chain=srcnat comment="hairpin nat" connection-mark=\
    Hairpin_nat
add action=dst-nat chain=dstnat comment="Admin Mikrotik remoto" dst-address=\
    0.0.0.0/0 dst-port=6030 protocol=tcp to-addresses=192.168.88.1 to-ports=\
    80
add action=dst-nat chain=dstnat comment=OpenVPN dst-address=0.0.0.0/0 \
    dst-port=1194 protocol=tcp to-addresses=192.168.88.1 to-ports=1194
add action=masquerade chain=srcnat comment="Trafico VPN a LAN" src-address=\
    172.16.0.0/24
add action=dst-nat chain=dstnat comment="ETS 2 servidor 2" disabled=yes \
    dst-address=0.0.0.0/0 dst-port=27036-27037 protocol=tcp to-addresses=\
    192.168.88.2 to-ports=27016
add action=dst-nat chain=dstnat comment="ETS 2 servidor 1 udp" disabled=yes \
    dst-address=0.0.0.0/0 dst-port=4380 protocol=udp to-addresses=\
    192.168.88.2 to-ports=27015
add action=dst-nat chain=dstnat comment="ETS 2 servidor 2 udp 2" disabled=yes \
    dst-address=0.0.0.0/0 dst-port=27036 protocol=udp to-addresses=\
    192.168.88.2 to-ports=27016
add action=dst-nat chain=dstnat comment="Fiberhome nodo 1" dst-address=\
    0.0.0.0/0 dst-port=6031 log=yes protocol=tcp to-addresses=192.168.88.74 \
    to-ports=80
add action=dst-nat chain=dstnat comment="Fiberhome nodo 2" dst-address=\
    0.0.0.0/0 dst-port=6032 protocol=tcp to-addresses=192.168.88.75 to-ports=\
    80
add action=dst-nat chain=dstnat comment="Archer A6 " dst-address=0.0.0.0/0 \
    dst-port=6033 protocol=tcp to-addresses=192.168.88.76 to-ports=80
add action=dst-nat chain=dstnat comment=Nexxt dst-address=0.0.0.0/0 dst-port=\
    6035 protocol=tcp to-addresses=192.168.88.80 to-ports=80
add action=dst-nat chain=dstnat comment="RE270K invitados " disabled=yes \
    dst-port=6034 in-interface-list=WAN protocol=tcp to-addresses=10.0.10.2 \
    to-ports=80
add action=dst-nat chain=dstnat comment="Modem Mitrastar" dst-address=\
    0.0.0.0/0 dst-port=6034 protocol=tcp to-addresses=192.168.4.1 to-ports=80
add action=dst-nat chain=dstnat comment="Modem Mitrastar https" dst-address=\
    0.0.0.0/0 dst-port=6035 protocol=tcp to-addresses=192.168.4.1 to-ports=\
    8000
add action=dst-nat chain=dstnat comment="Askey invitados 2" dst-address=\
    0.0.0.0/0 dst-port=6036 protocol=tcp to-addresses=192.168.1.47 to-ports=\
    80
add action=dst-nat chain=dstnat comment="Modem Huawei" dst-address=0.0.0.0/0 \
    dst-port=6037 protocol=tcp to-addresses=192.168.18.1 to-ports=80
add action=dst-nat chain=dstnat comment="Modem Huawei https" dst-address=\
    0.0.0.0/0 dst-port=6038 protocol=tcp to-addresses=192.168.18.1 to-ports=\
    443
add action=dst-nat chain=dstnat comment="Modem Radiotech" dst-address=\
    0.0.0.0/0 dst-port=6039 protocol=tcp to-addresses=5.207.142.54 to-ports=\
    443
add action=dst-nat chain=dstnat comment="FTP PC" dst-address=0.0.0.0/0 \
    dst-port=21 protocol=tcp to-addresses=192.168.88.2 to-ports=21
add action=dst-nat chain=dstnat comment="FTP Nas" dst-address=0.0.0.0/0 \
    dst-port=20 protocol=tcp to-addresses=192.168.88.1 to-ports=21
add action=dst-nat chain=dstnat comment="SMB Nas" disabled=yes dst-address=\
    0.0.0.0/0 dst-port=445 protocol=tcp to-addresses=192.168.88.1 to-ports=\
    445
add action=dst-nat chain=dstnat comment=RE270K dst-port=6034 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.88.80 to-ports=80
add action=dst-nat chain=dstnat comment="Impresora Canon" dst-address=\
    0.0.0.0/0 dst-port=6040 protocol=tcp to-addresses=192.168.88.30 to-ports=\
    80
add action=dst-nat chain=dstnat comment="Open Hardware Monitor" dst-address=\
    0.0.0.0/0 dst-port=8085 protocol=tcp to-addresses=192.168.88.2 to-ports=\
    8085
add action=dst-nat chain=dstnat comment="Impresora Canon remoto tcp" \
    disabled=yes dst-address=0.0.0.0/0 dst-port=9100 protocol=tcp \
    to-addresses=192.168.88.30 to-ports=9100
add action=dst-nat chain=dstnat comment="Impresora Canon remoto udp" \
    disabled=yes dst-address=0.0.0.0/0 dst-port=9100 protocol=udp \
    to-addresses=192.168.88.30 to-ports=9100
add action=dst-nat chain=dstnat comment="Impresora Epson" dst-address=\
    0.0.0.0/0 dst-port=6041 protocol=tcp to-addresses=192.168.88.31 to-ports=\
    80
add action=dst-nat chain=dstnat comment="Nas remoto" dst-address=0.0.0.0/0 \
    dst-port=445 protocol=tcp to-addresses=192.168.88.1 to-ports=445
add action=dst-nat chain=dstnat comment="Impresora Epson IPP" dst-address=\
    0.0.0.0/0 dst-address-list=wan dst-port=631 protocol=tcp to-addresses=\
    192.168.88.25 to-ports=631

/ip route
add check-gateway=ping comment=to_wan2 distance=2 gateway=181.53.172.1 \
    routing-mark=to_wan2
add check-gateway=ping distance=1 gateway=pppoe-out1 routing-mark=to_wan1
add check-gateway=ping distance=1 gateway=pppoe-out1
add check-gateway=ping comment=to_wan2 distance=2 gateway=181.53.172.1

/ip service
set telnet disabled=yes
set ssh disabled=yes
set www-ssl certificate=TLS disabled=no
set api disabled=yes
set api-ssl disabled=yes
/ip smb
set allow-guests=no domain=CASA enabled=yes interfaces=bridge
/ip smb shares
add directory=/disk1 name=nas
/ip smb users
add name=main read-only=no
/ipv6 address
add from-pool=main interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=ether2-wan2 pool-name=main request=\
    address,prefix use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 route
add distance=1 dst-address=::/64 gateway=bridge
/system clock
set time-zone-name=America/Bogota
/system identity
set name=RouterOS

#error exporting /system upgrade mirror
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I also discovered that when I enable a VLAN, it slows my internet speed when I do a speed test.

mkx · October 1, 2024, 5:21am

This firewall filter rule

add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related src-address=192.168.88.0/24

means that traffic gets fasttracked if LAN address is from router’s default range. And it thus skips the mangling rules … and likely queues as well. When you change your LAN address range, this rule becomes irrelevant.

My opinion: you have quite convoluted setup. It may be the right thing based on your requirements but you have to accept that such convoluted setup is pretty heavy on CPU resources. hAP ac2 is pretty much a beast, but from my experience it can do just around 1Gbps with much simpler setup (and fasttrack active). I guess that with your setup, you’re getting what device is capable of.

dcuervog · October 3, 2024, 2:23am

Well, I tried putting fast track with 192.168.0.0/24 and still persisting. I have mangle rules because I manage two net connections and of course, I put load balancing. With 88.0/24 works fine.

infabo · October 3, 2024, 8:36am

reboot or purge existing connections when fiddling with fast track rules.