Slow internet when modem connected to mikrotik

RouterOS General
1

Hi There,

I have a 5g ZTE modem with 2 LAN ports. I have connected to an old routerboard i have (951G), if i connect my laptop via LAN to the ZTE modem i can get 700Mbps, if i connect to the mikrotik only 70.
I have tried to hard reset the router and it does not make a difference.
On the modem then lan port settings are: MTU 1358, MSS 1318

if anyone could give some advice i would appreciate it.

I have a simple config,

# nov/19/2021 20:38:03 by RouterOS 6.49.1
# software id = J3TZ-KVGS
#
# model = 951G-2HnD
# serial number = xxxxx
/interface bridge
add admin-mac=D4:CA:6D:DE:82:0D auto-mac=no fast-forward=no mtu=1500 name=\
    bridge-local
add name=bridge_trunk vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=\
    20/40mhz-Ce country=no_country_set frequency=2427 frequency-mode=\
    manual-txpower mode=ap-bridge rx-chains=0 ssid=GCSA-Tech tx-chains=0 \
    wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] name=ether1-master-IMAX speed=100Mbps
set [ find default-name=ether2 ] mac-address=D4:CA:6D:DE:82:0D speed=100Mbps
set [ find default-name=ether3 ] mac-address=D4:CA:6D:DE:82:0E speed=100Mbps
set [ find default-name=ether4 ] l2mtu=1358 mac-address=9C:EB:E8:06:C9:5C mtu=\
    1358 name=ether4-WAN speed=100Mbps
set [ find default-name=ether5 ] mac-address=D4:CA:6D:DE:82:10 name=\
    ether5-Uplink speed=100Mbps
/interface vlan
add interface=bridge_trunk name=vlan1 vlan-id=1
add interface=bridge_trunk name=vlan20 vlan-id=20
add interface=bridge_trunk name=vlan30 vlan-id=30
/interface list
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=default-dhcp ranges=10.1.0.100-10.1.0.150
add name=pool-vlan1 ranges=10.253.10.230-10.253.10.240
add name=pool-vlan20 ranges=10.253.20.230-10.253.20.240
add name=pool-vlan30 ranges=10.253.30.230-10.253.30.240
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay disabled=no \
    interface=bridge-local lease-time=3d name=default
add address-pool=pool-vlan1 disabled=no interface=vlan1 lease-time=1d name=\
    dhcp-vlan1
add address-pool=pool-vlan20 disabled=no interface=vlan20 lease-time=1d name=\
    dhcp-vlan20
add address-pool=pool-vlan30 disabled=no interface=vlan30 lease-time=1d name=\
    dhcp-vlan30
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge-local hw=no interface=ether1-master-IMAX
add bridge=bridge_trunk interface=ether5-Uplink
add bridge=bridge_trunk interface=ether2 pvid=20
/interface bridge vlan
add bridge=bridge_trunk tagged=bridge_trunk vlan-ids=1
add bridge=bridge_trunk tagged=bridge_trunk,ether5-Uplink,ether2 vlan-ids=20
add bridge=bridge_trunk tagged=bridge_trunk,ether5-Uplink vlan-ids=30
/interface list member
add interface=ether2 list=mactel
add interface=ether3 list=mactel
add interface=ether2 list=mac-winbox
add interface=ether4-WAN list=mactel
add interface=ether3 list=mac-winbox
add interface=ether5-Uplink list=mactel
add interface=ether4-WAN list=mac-winbox
add list=mactel
add interface=ether5-Uplink list=mac-winbox
add interface=bridge-local list=mactel
add list=mac-winbox
add interface=bridge-local list=mac-winbox
/interface wireless access-list
add authentication=no forwarding=no interface=wlan1 mac-address=\
    78:D7:5F:27:11:7C
/ip accounting
set enabled=yes
/ip address
add address=10.1.0.254/24 interface=bridge-local network=10.1.0.0
add address=10.253.10.254/24 interface=vlan1 network=10.253.10.0
add address=10.253.20.254/24 interface=vlan20 network=10.253.20.0
add address=10.253.30.254/24 interface=vlan30 network=10.253.30.0
/ip dhcp-client
add disabled=no interface=ether4-WAN
/ip dhcp-server lease
add address=10.253.30.102 client-id=1:64:79:f0:2f:fe:c7 comment="Lighting PC" \
    mac-address=64:79:F0:2F:FE:C7 server=dhcp-vlan30
/ip dhcp-server network
add address=10.1.0.0/24 comment="default configuration" dns-server=10.1.0.254 \
    gateway=10.1.0.254
add address=10.253.10.0/24 dns-server=10.253.10.254 gateway=10.253.10.254
add address=10.253.20.0/24 dns-server=10.253.20.254 gateway=10.253.20.254
add address=10.253.30.0/24 dns-server=10.253.30.254 gateway=10.253.30.254
/ip dns
set allow-remote-requests=yes servers=8.8.4.4,8.8.8.8
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=drop chain=input comment="block external dns requests" dst-port=53 \
    in-interface=ether4-WAN protocol=tcp
add action=drop chain=input comment="block external dns requests" dst-port=53 \
    in-interface=ether4-WAN protocol=udp
add action=accept chain=forward in-interface=vlan1 out-interface=vlan1
add action=accept chain=forward in-interface=vlan20 out-interface=vlan20
add action=accept chain=forward in-interface=vlan30 out-interface=vlan30
add action=drop chain=forward in-interface=vlan20 out-interface=vlan30
add action=drop chain=forward in-interface=vlan30 out-interface=vlan20
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether4-WAN src-address=\
    10.253.10.0/24
add action=masquerade chain=srcnat out-interface=ether4-WAN src-address=\
    10.253.20.0/24
add action=masquerade chain=srcnat out-interface=ether4-WAN src-address=\
    10.253.30.0/24
add action=masquerade chain=srcnat dst-address=10.1.0.0/24 out-interface=\
    ether4-WAN
/ip proxy
set cache-path=web-proxy1
/ip service
set api disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Asia/Kuala_Lumpur
/system identity
set name=MT_imax
/system leds
set 0 interface=wlan1
/system ntp client
set enabled=yes primary-ntp=129.6.15.28 secondary-ntp=129.6.15.29
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool romon port
add
2

Speed on your ethernet ports seems to be limited to 100M ?
Which eth port you use for connecting Zte ?

set [ find default-name=ether1 ] name=ether1-master-IMAX speed=100Mbps
set [ find default-name=ether2 ] mac-address=D4:CA:6D:DE:82:0D speed=100Mbps
set [ find default-name=ether3 ] mac-address=D4:CA:6D:DE:82:0E speed=100Mbps

Why don’t you use Autonegotiation ?
Like this:
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=
unlimited/unlimited disabled=no full-duplex=yes l2mtu=1596 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=
XYZ mtu=1500 name=ether1 orig-mac-address=XYZ rx-flow-control=off speed=1Gbps tx-flow-control=off

3

Hi,

it is currently set to autonegotiate with advertise selected all the way to 1000M full - it is like this for all ports.

im using ETH4

4

Here is the interface connected to the modem
Screenshot 2021-11-19 162337.png

5

ok - so if i dont use masquerade and just add the port to the bridge and use the same ip range i can get 800Mbps downloads, so it is something happening after, i use the masquerade function.

i reset it again and tested without any vlans,

6

I see the screenshot and that says it is at 1GbE, but what about the other ports? Your original config had all the ports at 100M, and if you changed ether4 to GbE, but left the other ports at 100M, when you test from your laptop you’re still passing traffic through a 100M port and getting it throttled.

This is what you had before for ether4, but all your ports were set to 100M in the original config dump.

set [ find default-name=ether4 ] l2mtu=1358 mac-address=9C:EB:E8:06:C9:5C mtu=\
    1358 name=ether4-WAN speed=100Mbps
7

all my ports are the same as the screenshot, and i did not change any settings.
i reset it again and here is the export;

however i have the same issue when i use masquerade. if i just add the port to the bridge - then i get the full speed. but this is not an ideal solution for me.

# nov/19/2021 16:40:24 by RouterOS 6.49.1
# software id = J3TZ-KVGS
#
# model = 951G-2HnD
# serial number = 
/interface bridge
add admin-mac=D4:CA:6D:EB:CC:4D auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-EBCC51 wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf disabled=yes interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether4
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=\
    127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new disabled=yes \
    in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface=ether4
/system clock
set time-zone-name=Asia/Riyadh
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
8

And yet it has to be searched in that domain (I could be wrong but I’d like to be sure).
70M is in the range of what can be reached on a 100M link.
The fact you get 700M when directly connected, should then correspond to 1G.

And link is to be defined as end to end. The slowest part is what will define the complete speed.

Can you provide this
interface/ethernet/print detail

You’re note showing your complete config on that last part.
There is no ethernet anymore ?

9

Hi

thank you for your reply - here is the terminal output:

[admin@MikroTik] > interface ethernet print detail 
Flags: X - disabled, R - running, S - slave 
 0 R  name="ether1" default-name="ether1" mtu=1500 l2mtu=1598 mac-address=D4:CA:6D:EB:CC:4C orig-mac-address=D4:CA:6D:EB:CC:4C arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s 
      loop-protect-disable-time=5m auto-negotiation=yes advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full full-duplex=yes tx-flow-control=off rx-flow-control=off speed=1Gbps bandwidth=unlimited/unlimited switch=switch1 

 1 RS name="ether2" default-name="ether2" mtu=1500 l2mtu=1598 mac-address=D4:CA:6D:EB:CC:4D orig-mac-address=D4:CA:6D:EB:CC:4D arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s 
      loop-protect-disable-time=5m auto-negotiation=yes advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full full-duplex=yes tx-flow-control=off rx-flow-control=off speed=1Gbps bandwidth=unlimited/unlimited switch=switch1 

 2  S name="ether3" default-name="ether3" mtu=1500 l2mtu=1598 mac-address=D4:CA:6D:EB:CC:4E orig-mac-address=D4:CA:6D:EB:CC:4E arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s 
      loop-protect-disable-time=5m auto-negotiation=yes advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full full-duplex=yes tx-flow-control=off rx-flow-control=off speed=1Gbps bandwidth=unlimited/unlimited switch=switch1 

 3    name="ether4" default-name="ether4" mtu=1500 l2mtu=1598 mac-address=D4:CA:6D:EB:CC:4F orig-mac-address=D4:CA:6D:EB:CC:4F arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s 
      loop-protect-disable-time=5m auto-negotiation=yes advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full full-duplex=yes tx-flow-control=off rx-flow-control=off speed=1Gbps bandwidth=unlimited/unlimited switch=switch1 

 4 RS name="ether5" default-name="ether5" mtu=1500 l2mtu=1598 mac-address=D4:CA:6D:EB:CC:50 orig-mac-address=D4:CA:6D:EB:CC:50 arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s 
      loop-protect-disable-time=5m auto-negotiation=yes advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full full-duplex=yes tx-flow-control=off rx-flow-control=off speed=1Gbps bandwidth=unlimited/unlimited switch=switch1 
[admin@MikroTik] >
10

Oops, I missed your previous replies about the masquerade.
Since you did full reset, can you drop full config again ?
/export hide-sensitive file=anynameyouwish

11

RB951G is a great device … for when it was concieved. Its CPU is weak for today’s standards. Official test results indicate it’s capable of routing at around 240 Mbps. However, you configured VLANs on bridge which all by itself reduces bridging capacity from wirespeed to one third. Throw in CPU-bound wireless and throughput drops further. Not saying that one should multiply all effects, but they are all clear signs that you won’t be able to squeeze much more juice out of it. No chance of getting anywhere near 700 Mbps anyway.

BTW, device has a very decent switch chip built in and if device is not used as simple router on a stick (i.e. it’s also switching traffic within VLAN between different ports), you could get better performance if you configured stuff on switch-chip directly.

Two minor things:

  1. No need to reduce l2mtu on ether4, setting mtu to value ZTE is using is enough.
  2. ether2 is set with pvid=20 and yet it’s set as tagged member of same vlan
12

understood regarding the limitations of the device. To be fair it was an old unit that has been sat in my toolbox unused for a number of years, i guess it is time to retire it :slight_smile: