Speed issues - what am I doing wrong?

Hello all,
I searched the forum and didn’t find any post about this issue.
Hope this post is not a duplicate. If so, please just point me to the other post.

Here’s the scenario:
{homelan}-->MikroTik CPE[MikroTik PTP-bridge]<--
--{officelan}-->[MikroTik 2011iLS]-nat-->[adsl router]-nat-again-->{internet}

The two MikroTik radio boxes between the homelan and the officelan:

  • are SXT 5HPnD r2 (webfig v6.38.1, fw: 3.33)
  • do not NAT
    (systems in the office lan need to know which IP at home is requesting services)
    . office lan is 192.168.5.0/24
    . home lan is 192.168.3.0/24

The MikroTik 2011iLS has 192.168.3.0/24 in the routing table and
knows to route through the [MikroTik PTP-bridge] at the office side
in order to reach the homelan.

When at home I can reach servers in the office lan at good speed.
It can peak up to 90 Mbps, average 60 Mbps. In other words, the path:
{homelan}-->MikroTik as CPE[MikroTik PTP-bridge]<--
--{officelan}<--server performs at around 60 Mbps average.

When in the office, speed tests over the internet average around
16 Mbps (down). In other words, the path:
{internet}-->[adsl router]-nat-->[MikroTik 2011iLS]-nat-->{ office lan }
performs at around 16 Mbps average.

Since the latter path is the slowest one, I expected to see speeds of
around 16 Mbps, or a little bit less, from the internet to home.
But I reach 6 Mbps at most, and only in the best cases and conditions.

I have been trying to pinpoint the problem for weeks now, but
I am out of good ideas about where to look.

What could be wrong with the combination:
{internet}-->[adsl router]-nat-->[MikroTik 2011iLS]-nat-->{officelan}
MikroTik PTP-bridge[MikroTik CPE]--{homelan}?

I know that NATting twice is bad practice. But if it were the problem
I would have slow speed issues at the office too.

Am I missing something?
Ask if you need other details,

Thanks in advance, Alessandro

Are you natting between your home and office lan?

I do not NAT between the office and home LANs.
As I wrote:

  • do not NAT
    (systems in the office lan need to know which IP at home is requesting services)
    . office lan is 192.168.5.0/24
    . home lan is 192.168.3.0/24

In other words, my systems in the officelan need to know which
IPs at home are trying to connect (host firewalls and tcp_wrappers
select the few homelan systems allowed to use them).

Or the other way around, my systems at the office need to be able
to initiate a connection to a homelan system (for example a NAS).

So NATting only takes place (twice) at the entrance from the internet:
{internet}-->[adsl-router]#-NAT(°)-->[mikrotik2011iLS]#-NAT-(°°)--[…]

(°)
--[ADSL-ROUTER]<-192.168.12.2---- cross-cable --192.168.12.1->[mikrotik2011iLS]

(°°)
-- 192.168.12.1->[mikrotik2011iLS]--192.168.5.0 (or 192.168.3.0 or others)

Routing table of the MikroTik 2011iLS
;;; OutWall (default gw to the internet):
0.0.0.0/0 192.168.12.2 ether1-gateway <<(the adsl router)
;;; home lan:
192.168.3.0/24 192.168.5.251 ether2 <<(the SXT box office-side)
;;; office lan:
192.168.5.0/24 192.168.5.253 ether2 <<(this is the mikrotik2011iLS IP address)
;;; ANOTHER lan "behind" the homelan:
192.168.11.0/24 192.168.5.251 ether2

NATTING RULES of the MikroTik 2011iLS
Action      Chain   Src. Address     Out. Interface
masquerade  srcnat  192.168.5.0/24   ether1-gateway
masquerade  srcnat  192.168.3.0/24   ether1-gateway
masquerade  srcnat  192.168.11.0/24  ether1-gateway

NO NATTING RULES IN THE RADIO BOXES
Only routing tables.

Thanks in advance.
Alessandro

Are you running any firewall rules? Are you running any queues?

Are you running any firewall rules?
Some at the "entry point" from the internet in the MikroTik 2011iLS box:
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 chain=forward action=fasttrack-connection log=no
2 ;;; default configuration
chain=forward action=accept connection-state=established,related log=no
log-prefix=""
3 ;;; invalid packets
chain=output action=drop connection-state=invalid
out-interface=all-ethernet log=no log-prefix=""
4 ;;; Microsoft telemetry 1 of 2
chain=forward action=drop dst-address=191.232.139.253 log=no
log-prefix=""
5 ;;; Microsoft Telemetry 2 of 2
chain=forward action=drop dst-address=191.232.139.254 log=no
log-prefix=""
6 ;;; drop pings except from outwall
chain=input action=drop protocol=!icmp in-interface=ether1-gateway
log=no log-prefix=""
7 ;;; default configuration
chain=input action=accept connection-state=established,related,new
log=no log-prefix=""
8 ;;; default configuration
chain=input action=accept connection-state=established,related,new
protocol=icmp src-address=192.168.0.0/16 log=no log-prefix=""
9 chain=input action=accept connection-state=established,related,new
protocol=udp src-address=192.168.12.2 dst-address=192.168.12.1
dst-port=514 log=no log-prefix=""

The radio boxes have only this "passthrough/fasttrack" built-in that
showed up when I upgraded to 6.38.1 (and I must admit I haven't
understood it yet...)

Are you running any queues?
I didn't set any. Also because I'm a "white hair" guy. I have to admit
I come from the old (deep last century!) school. An IP packet is an
IP packet is an IP packet :) I am able to reason only in terms
of routing (being able to redirect a packet to the right piece of iron)
and filtering (being free to drop a packet if I don't like it).

I should upgrade myself, I know... ;)

From the "entry point" from the internet (the MikroTik 2011iLS box)
[admin@InWall] /queue interface> print

INTERFACE QUEUE ACTIVE-QUEUE

0 ether1-gateway only-hardware-queue only-hardware-queue
1 ether2 only-hardware-queue only-hardware-queue
2… all other ethers are hardware-queue (and shouldn’t matter - they are disabled)
10 sfp1 only-hardware-queue only-hardware-queue
11 bridge-local no-queue no-queue

From the PTP.bridge (office side):
[admin@SideC] /queue interface> print

INTERFACE QUEUE ACTIVE-QUEUE

0 eth0 only-hardware-queue only-hardware-queue
1 air0 wireless-default wireless-default
2 bridge1 no-queue no-queue

From the CPE (home side):
[admin@sideD] /queue interface> print

INTERFACE QUEUE ACTIVE-QUEUE

0 eth0 only-hardware-queue only-hardware-queue
1 air0 wireless-default wireless-default
2 bridge1 no-queue no-queue
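The filter rule print in this post can be walked offline to see which rule a given packet hits, which is the question the "disable your firewall" suggestion is really asking. The Python below is an added example written for this page, not code from the thread or from MikroTik. It encodes rules 0 to 9 exactly as printed and applies first-match semantics. The modelling assumptions are mine: `passthrough` and `fasttrack-connection` do not terminate the walk, an unmatched packet falls through to the chain's default accept, and the interface list `all-ethernet` is taken to mean any interface whose name begins with `ether`. The sample packets are constructed, not captured traffic.

```python
"""First-match walk of the filter rules printed above (added example)."""
import ipaddress

# Rules 0-9 exactly as printed in the post, in the order RouterOS evaluates them.
RULES = [
    {"chain": "forward", "action": "passthrough"},
    {"chain": "forward", "action": "fasttrack-connection"},
    {"chain": "forward", "action": "accept", "connection-state": {"established", "related"}},
    {"chain": "output", "action": "drop", "connection-state": {"invalid"}, "out-interface": "all-ethernet"},
    {"chain": "forward", "action": "drop", "dst-address": "191.232.139.253"},
    {"chain": "forward", "action": "drop", "dst-address": "191.232.139.254"},
    {"chain": "input", "action": "drop", "protocol": "!icmp", "in-interface": "ether1-gateway"},
    {"chain": "input", "action": "accept", "connection-state": {"established", "related", "new"}},
    {"chain": "input", "action": "accept", "connection-state": {"established", "related", "new"},
     "protocol": "icmp", "src-address": "192.168.0.0/16"},
    {"chain": "input", "action": "accept", "connection-state": {"established", "related", "new"},
     "protocol": "udp", "src-address": "192.168.12.2", "dst-address": "192.168.12.1", "dst-port": 514},
]

# Assumption: these actions let the packet continue down the chain.
NON_TERMINATING = {"passthrough", "fasttrack-connection"}


def _iface_matches(pattern, iface):
    if pattern == "all-ethernet":            # assumption: the interface list = every etherN
        return iface is not None and iface.startswith("ether")
    return pattern == iface


def _addr_matches(pattern, addr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def matches(rule, pkt):
    """True when every matcher present in `rule` agrees with the packet."""
    if rule["chain"] != pkt["chain"]:
        return False
    for key, want in rule.items():
        if key == "protocol":
            negate = want.startswith("!")
            is_proto = pkt["protocol"] == want.lstrip("!")
            if is_proto == negate:           # "!icmp" means: match anything but icmp
                return False
        elif key == "connection-state" and pkt["state"] not in want:
            return False
        elif key == "in-interface" and not _iface_matches(want, pkt.get("in")):
            return False
        elif key == "out-interface" and not _iface_matches(want, pkt.get("out")):
            return False
        elif key == "src-address" and not _addr_matches(want, pkt["src"]):
            return False
        elif key == "dst-address" and not _addr_matches(want, pkt["dst"]):
            return False
        elif key == "dst-port" and pkt.get("dport") != want:
            return False
    return True


def verdict(pkt, rules=RULES):
    """(action, rule_index) of the first terminating match; ("accept", None) is the chain default."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt) and rule["action"] not in NON_TERMINATING:
            return rule["action"], i
    return "accept", None


def _covers(key, outer, inner):
    """Does the earlier rule's matcher accept every value the later rule's matcher accepts?"""
    if key == "connection-state":
        return inner <= outer
    if key in ("src-address", "dst-address"):
        return ipaddress.ip_network(inner, strict=False).subnet_of(
            ipaddress.ip_network(outer, strict=False))
    return outer == inner


def shadowed(rules=RULES):
    """(later, earlier) pairs where an earlier terminating rule in the same chain already
    catches every packet the later rule could match, so the later rule never fires."""
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            earlier = rules[i]
            if earlier["chain"] != later["chain"] or earlier["action"] in NON_TERMINATING:
                continue
            keys = [k for k in earlier if k not in ("chain", "action")]
            if all(k in later and _covers(k, earlier[k], later[k]) for k in keys):
                found.append((j, i))
                break
    return found


# Constructed sample packets (not captured traffic).
WAN_SSH = {"chain": "input", "protocol": "tcp", "src": "203.0.113.5", "dst": "192.168.12.1",
           "in": "ether1-gateway", "state": "new", "dport": 22}
WAN_PING = dict(WAN_SSH, protocol="icmp", dport=None)
ADSL_SYSLOG = {"chain": "input", "protocol": "udp", "src": "192.168.12.2", "dst": "192.168.12.1",
               "in": "ether1-gateway", "state": "new", "dport": 514}
HOME_TO_NET = {"chain": "forward", "protocol": "tcp", "src": "192.168.3.10", "dst": "8.8.8.8",
               "in": "ether2", "out": "ether1-gateway", "state": "new", "dport": 443}

if __name__ == "__main__":
    for name, pkt in [("WAN ssh", WAN_SSH), ("WAN ping", WAN_PING),
                      ("adsl syslog", ADSL_SYSLOG), ("home->internet", HOME_TO_NET)]:
        print(f"{name:14s} -> {verdict(pkt)}")
    print("shadowed:", shadowed())
```

`verdict()` returns the action and the index of the rule that decided it; `shadowed()` lists rules that can never be reached because an earlier terminating rule in the same chain already matches everything they would. Read this way, rules 8 and 9 sit behind rule 7, and any non-ICMP packet arriving on ether1-gateway, the UDP/514 one from 192.168.12.2 that rule 9 describes included, is dropped by rule 6 before rules 7 or 9 are consulted. The forward chain has no final drop, so home-to-internet traffic in state new is accepted by default without touching a terminating rule.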

Please try disabling your firewall on your MikroTik to see if that makes a difference to the speed from your home clients.

I’ll try this evening when I go back home.
I’ll let you know the results.
Thanks

Also if you run

export hide-sensitive

on the router that will give us an idea of anything else that could be lurking in the background.

Please try disabling your firewall on your MikroTik to see if that makes a difference

I tried, it doesn’t make any difference.

run export hide-sensitive

I did it on the entry point box [the 2011iLS router].
I found a few incongruities vs. what I see through the web UI.
I'll have to recheck them, see if it makes a difference, and then post the whole result.
In the meanwhile here's what I noticed so far (any help is appreciated):

set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether3 ] advertise=10M-half,10M-full,100M-half,100M-full disabled=yes speed=10Mbps
(where is ether2? I'm sure it is there and running, or I wouldn't be here posting this reply...)
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
… … …
… … …
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

This 2011iLS box has no wireless interfaces... is this just a "left-over" of a general-purpose firmware/software?<<<

/ip dhcp-server
add address-pool=default-dhcp interface=bridge-local name=default

The DHCP server is off, I'm pretty sure of that. At least this is what the web UI says...<<<
Or is this right? Would I see enabled=yes if it were enabled?<<<

/interface ovpn-server server
set certificate=server cipher=blowfish128,aes128,aes192,aes256 default-profile=default-encryption mode=ethernet port=1202

The OVPN server is off, I'm pretty sure of that. At least this is what the web UI says...<<<
Or is this right? Would I see enabled=yes if it were enabled?<<<

/interface pptp-server server
set enabled=yes max-mru=1400 max-mtu=1400

AH! That's my fault. That is indeed enabled and is not supposed to be.<<<

/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=192.168.88.1 gateway=192.168.88.1

AGAIN: the DHCP server is off, I'm pretty sure of that. At least this is what the web UI says...<<<
Or is this right? Would I see enabled=yes if it were enabled?<<<

Later on (probably tomorrow morning) with the whole output, after I fix a few things.
Of course I've no idea now if speed will improve after such fixes.

– Alessandro

Often when you get a new box it is better to factory-default the settings and remove the default configuration; then most of the things you are seeing now would not be there. Let us know how it goes after you have resolved the issues you found. Where are your IP addresses coming from if you are not running DHCP? Which ports are connected to which area? I see one port, ether3, is running at 10 Mbps; where does that go?

Where are your IP addresses coming from if you are not running DHCP?

At the office:
. the adsl router behind the 2011iLS box provides DHCP addresses to wireless clients, for the internet only
(such IPs are "by design" unroutable to/through the 2011iLS box - guests can see only the internet)
. all "wired" devices (PCs, NAS, servers, SXTs, whatever, ...) at the office have a fixed IP address

At home:
. the WiFi access point provides addresses to wireless clients
(such IPs are fully routable to both the office lan and the internet - no "guests" at home)
. all "wired" devices (PCs, NAS, servers, SXTs, whatever, ...) at home have a fixed IP address

Which ports are connected to which area? I see one port, ether3, is running at 10 Mbps; where does that go?

thanks for any advice

{ISP}--dsl line-->[adsl router]<eth0--- cross cable ---ether1-gateway>[mikrotik 2011iLS]

[…]<ether2 --------->[[[16 port 3COM Gb switch]]] =
[mikrotik 2011iLS]<ether3* unplugged (a leftover of previous experiments)
[…]<ALL other ethers disabled and unplugged
* among other things, I'll disable ether3 since it is not used. But I doubt it'll make a difference.

[[[…]]]>most of all other office devices--
[[[16 ports 3COM Gb switch]]]>(including the SXT box in question)-->eth0[SXT]air0((-~~~~~~~~
[[[…]]]>------->[[[another switch]]]>-- a very few other office devices

-->192.168.5.251/eth0>[officeSXT]10.4.4.1/air0((--~air~--))10.4.4.2/air0[homeSXT]>192.168.3.3/eth0---
*192.168.5.251/eth0 is linked to the 3com switch at 100 Mbps. Double-checked it.
*And I wouldn't get 60 Mbps office-to-home speed if it were not at 100 Mbps.

~air~~~--))10.4.4.2/air0>[homeSXT]>192.168.3.3/eth0--->[[[8 port TPLINK switch]]]---(homelan)

So just to confirm, you have the mikrotik 2011 -->3com switch1 ---->SXT-----wireless------ to other office devices. These devices connect to the internet at 16 Mbps.
3com switch1 ---->switch---->SXT OFFICE-->wireless bridge-->SXT Home-->TP-LINK SWITCH--> WIRELESS AP (DHCP SERVER)
Is the wireless bridge a transparent bridge?
I am worried about your bridge. I understand from home to office is working fine. From your notes you are listing one side of the bridge as having 192.168.5.251 and on the other side you have 192.168.3.3.
Which interface on the 2011 is your home lan hosted on and which interface is your office lan hosted on, or are they coming off one port on the main 2011 router? It would make it easier to understand if you either posted a logical network diagram or posted your actual configuration, hiding sensitive data and/or anything else you don't want visible.

So just to confirm, you have the mikrotik 2011 -->3com switch1 ---->SXT-----wireless------ to other office devices

Well, close, with a little change:
mikrotik 2011 -->3com switch1 ---->all wired office devices + the SXT@office-radiolink-SXT@home--home devices

Which interface on the 2011 is your home lan hosted on and which interface is your office lan hosted on, or are they coming off one port on the main 2011 router?

Everything is coming off ether2 on the 2011 and going to the 3com switch.
The idea was not to traverse the 2011 when home<->office devices are talking to each other (bad idea?)

Is the wireless bridge a transparent bridge?

No, the idea was to use the SXTs on both sides as "routers" to avoid useless traffic (like broadcasts) traversing the wireless link.
For both economy and security reasons. I'll give details in a next post in one or two hours. (bad idea?)

It would make it easier to understand if you either posted a logical network diagram or posted your actual
configuration, hiding sensitive data and/or anything else you don't want visible.

I will draw it and post it in one or two hours. No problem about hiding things (except keys).
As a security professional I always recommend my clients not to count on "secrecy" for security. Security comes from good design, keys, and control.
Then the world can see how your network is designed and still not be able to do anything with it (if you did a good job).

I’ll be back in one/two hours. But if in the meanwhile you noticed any “bad idea”, you’re welcome to note it.

– Alessandro

So do you have static routes on each of the SXTs, as well as the 2011, pointing to all the LANs you require access to?
As you are routing between multiple routers (2 x SXTs and 1 x 2011) to get out to the internet, it could be something as simple as the default route you pointed at from home going a roundabout route to get out to the internet, or missing on one of the routers and slowing things down.
Personally I would have connected the SXTs to one of the unused ports on the 2011 and hosted their LAN from there. If you then wanted to configure the remote SXT as a router to keep local traffic local you could do so, but because it is only a few home devices (unless you have hundreds of devices on your home network) I would not be worrying about a broadcast storm, and by using a port on the 2011 for this purpose it would not bring your office network down, only that port.

So do you have static routes on each of the SXTs, as well as the 2011, pointing to all the LANs you require access to?

YES, or at least this was the intention… while putting together the diagram I started noticing a few strange (at least to me) things:

[[SXT@officeside]]
interface print
0 RS eth0 ether
1 RS air0 wlan
2 R bridge1 bridge

ip address print
0 192.168.5.251/24 192.168.5.0 eth0
1 10.4.4.1/30 10.4.4.0 eth0 <<< THAT'S A SURPRISE TO ME. I THOUGHT 10.4.4.1 TO BE THE AIR0 I/F ADDRESS!
<<<<<<<<<<<<<<<<<<<<<<<<<<<<< OR, AT LEAST, THIS IS WHAT THE WEB GUI TELLS ME!

[admin@SideC] > ip route print
0 A S ;;; default gw @ office-lan
0.0.0.0/0 192.168.5.253 1 <<<The default gw (the mikrotik 2011 box) when all the rules that follow fail
1 ADC 10.4.4.0/30 10.4.4.1 bridge1 0 <<<I don’t understand this dynamic rule. Already have a static rule to the homeside of the radiolink (see next rule)
2 S ;;; home-to-office radio link
10.4.4.0/30 10.4.4.1 air0 1 <<<.1 is office-side and .2 is home-side
3 A S ;;; axampab.axinet.vpn via fedora
172.29.5.6/32 192.168.5.3 1 <<< ignore this. It’s the routing to a (open)vpn network of ours
4 A S ;;; home lan
192.168.3.0/24 10.4.4.2 1 <<<this is where the SXT knows to send IP packets to/from the homelan to the SXT homeside
5 ADC 192.168.5.0/24 192.168.5.251 bridge1 0 <<<I don’t understand this dynamic rule. Already have a static rule to the officelan via eth0 (see next rule)
6 S ;;; office lan
192.168.5.0/24 eth0 1
7 A S ;;; rho-lan via home-lan
192.168.11.0/24 10.4.4.2 1 <<<another network behind the homelan, so to be routed to 10.4.4.2 (SXT@home)

I’ll be back. Thank you for your notes.

1 10.4.4.1/30 10.4.4.0 eth0 <<< THAT'S A SURPRISE TO ME. I THOUGHT 10.4.4.1 TO BE THE AIR0 I/F ADDRESS!

10.4.4.1 is the IP address; 10.4.4.0 is the subnet ID or network ID.

1 ADC 10.4.4.0/30 10.4.4.1 bridge1 0 <<<I don't understand this dynamic rule. Already have a static rule to the homeside of the radiolink (see next rule)

This tells it that to get to the network 10.4.4.0/30 it will use 10.4.4.1. This is automatically generated when you add an IP to an interface; there is no need to add a static route, so you could remove it.

2 S ;;; home-to-office radio link
10.4.4.0/30 10.4.4.1 air0 1 <<<.1 is office-side and .2 is home-side

Not needed.

6 S ;;; office lan
192.168.5.0/24 eth0 1

if you can post the ip routes for each of the routers.
ie 2011
sxt off
sxt home
then any other router after that

Thanks for all your notes.

if you can post the ip routes for each of the routers.
ie 2011
sxt off
sxt home
then any other router after that

[[[[ie 2011]]]]

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S ;;; OutWall (default gw to the internet)
0.0.0.0/0 192.168.12.2 1
1 A S ;;; vpns via fedora2
172.29.0.0/16 192.168.5.3 1
2 A S ;;; home lan
192.168.3.0/24 192.168.5.251 1
3 ADC 192.168.5.0/24 192.168.5.253 ether2 0
4 S ;;; office lan
192.168.5.0/24 ether2 1
5 A S ;;; rho-lan via home-lan
192.168.11.0/24 192.168.5.251 1
6 ADC 192.168.12.0/24 192.168.12.1 ether1-gateway 0
7 A S 192.168.12.0/30 ether1-gateway 1

[[[[sxt@office]]]]

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S ;;; default gw @ office-lan
0.0.0.0/0 192.168.5.253 1
1 ADC 10.4.4.0/30 10.4.4.1 bridge1 0
2 S ;;; home-to-office radio link
10.4.4.0/30 10.4.4.1 air0 1
3 A S ;;; axampab.axinet.vpn via fedora
172.29.5.6/32 192.168.5.3 1
4 A S ;;; home lan
192.168.3.0/24 10.4.4.2 1
5 ADC 192.168.5.0/24 192.168.5.251 bridge1 0
6 S ;;; office lan
192.168.5.0/24 eth0 1
7 A S ;;; rho-lan via home-lan
192.168.11.0/24 10.4.4.2 1

[[[[sxt1@home]]]] the one linked with the sxt@office

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

;;; default via office.lan
0 A S 0.0.0.0/0 10.4.4.1 1
;;; radio-to-radio
1 ADC 10.4.4.0/30 10.4.4.2 air0 0
;;; home-to-rho radio link via sxt2@home
2 A S 10.8.8.0/30 192.168.3.252 1
3 ADC 192.168.3.0/24 192.168.3.251 bridge1 0
;;; route to office.lan
4 A S 192.168.5.0/24 192.168.3.251 air0 1 USELESS, I GUESS…
;;; route to home.lan via sxt2@home
5 A S 192.168.11.0/24 192.168.3.252 1

[[[[sxt2@home2]]]] the one airlinked with rho.lan (192.168.11.0/24)

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S 0.0.0.0/0 192.168.3.251 1
1 ADC 10.8.8.0/30 10.8.8.1 bridge1 0
2 S ;;; homelan-rholan link radio-to-radio
10.8.8.0/30 air0 1
3 ADC 192.168.3.0/24 192.168.3.252 bridge1 0
4 S ;;; homelan
192.168.3.0/24 eth0 1
5 A S ;;; officelan
192.168.5.0/24 192.168.3.251 1 USELESS, I GUESS…
6 A S ;;; rholan
192.168.11.0/24 10.8.8.2 1

[[[[sxt2@rho]]]] (the other side of home->rho radio link)
ip route print

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

;;; default gw via rholan-homelan radio link
0 A S 0.0.0.0/0 10.8.8.1 1
;;; reach radio-to-radio
1 ADC 10.8.8.0/30 10.8.8.2 air0 0 USELESS, I GUESS…
;;; reach home-lan
2 A S 192.168.3.0/24 192.168.11.1 10.8.8.1 1 USELESS, I GUESS…
;;; rho.lan
4 ADC 192.168.11.0/24 192.168.11.1 eth1 0


I doubt I’ll be able to finish drawing the network scheme today.
In the meanwhile clients are demanding my attention. Don't know why... don't they have my invoices already??? 8-)
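The five route prints in this post can be replayed offline, hop by hop, which is the same check a traceroute makes on the live network. The Python below is an added example written for this page, not code from the thread or from MikroTik. It transcribes the entries of the tables as posted (router names are the poster's), derives the connected routes from the interface addresses the way RouterOS does instead of listing the ADC lines, and walks a destination router by router with longest-prefix match, lower distance winning on a tie. Simplifications that are mine: a next hop has to resolve through an on-link route one level deep, and an interface-only gateway is reported as `onlink:<iface>` when the destination lies outside that interface's subnet, because the router would then have to ARP for the destination on that interface rather than hand the packet to a next hop. The destinations 192.168.3.10, 192.168.5.20, 192.168.11.5 and 8.8.8.8 are constructed test addresses.

```python
"""Offline hop-by-hop walk over the route tables posted above (added example)."""
import ipaddress

# Per router: own addresses (address -> interface) and static routes (prefix, gateway).
# A gateway is either a next-hop IP or an interface name. Transcribed from the thread.
ROUTERS = {
    "2011": {
        "addrs": {"192.168.5.253/24": "ether2", "192.168.12.1/24": "ether1-gateway"},
        "static": [("0.0.0.0/0", "192.168.12.2"), ("172.29.0.0/16", "192.168.5.3"),
                   ("192.168.3.0/24", "192.168.5.251"), ("192.168.5.0/24", "ether2"),
                   ("192.168.11.0/24", "192.168.5.251"), ("192.168.12.0/30", "ether1-gateway")],
    },
    "sxt@office": {
        "addrs": {"192.168.5.251/24": "bridge1", "10.4.4.1/30": "bridge1"},
        "static": [("0.0.0.0/0", "192.168.5.253"), ("10.4.4.0/30", "air0"),
                   ("172.29.5.6/32", "192.168.5.3"), ("192.168.3.0/24", "10.4.4.2"),
                   ("192.168.5.0/24", "eth0"), ("192.168.11.0/24", "10.4.4.2")],
    },
    "sxt1@home": {
        "addrs": {"10.4.4.2/30": "air0", "192.168.3.251/24": "bridge1"},
        "static": [("0.0.0.0/0", "10.4.4.1"), ("10.8.8.0/30", "192.168.3.252"),
                   ("192.168.5.0/24", "air0"), ("192.168.11.0/24", "192.168.3.252")],
    },
    "sxt2@home2": {
        "addrs": {"10.8.8.1/30": "bridge1", "192.168.3.252/24": "bridge1"},
        "static": [("0.0.0.0/0", "192.168.3.251"), ("10.8.8.0/30", "air0"),
                   ("192.168.3.0/24", "eth0"), ("192.168.5.0/24", "192.168.3.251"),
                   ("192.168.11.0/24", "10.8.8.2")],
    },
    "sxt2@rho": {
        "addrs": {"10.8.8.2/30": "air0", "192.168.11.1/24": "eth1"},
        "static": [("0.0.0.0/0", "10.8.8.1"), ("192.168.3.0/24", "10.8.8.1")],
    },
}


def _is_iface(gw):
    try:
        ipaddress.ip_address(gw)
        return False
    except ValueError:
        return True


def table(name):
    """Connected routes (distance 0, derived from the addresses) plus the static ones (distance 1)."""
    r = ROUTERS[name]
    rows = [(ipaddress.ip_interface(a).network, i, 0) for a, i in r["addrs"].items()]
    rows += [(ipaddress.ip_network(p), gw, 1) for p, gw in r["static"]]
    return rows


def lookup(name, dst):
    """Longest-prefix match; on equal prefix length the lower distance wins,
    which is why the duplicated static /30 and /24 entries print as inactive 'S'."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, dist in table(name):
        if dst in net and (best is None or (net.prefixlen, -dist) > (best[0].prefixlen, -best[2])):
            best = (net, gw, dist)
    return best


def owner_of(ip):
    ip = ipaddress.ip_address(ip)
    for name, r in ROUTERS.items():
        if any(ipaddress.ip_interface(a).ip == ip for a in r["addrs"]):
            return name
    return None


def trace(start, dst, max_hops=16):
    """Routers a packet for `dst` passes through from `start`, ending in one of
    delivered:<iface>, onlink:<iface>, external:<ip>, unresolved:<ip>, no-route or loop."""
    path, cur = [start], start
    for _ in range(max_hops):
        hit = lookup(cur, dst)
        if hit is None:
            return path + ["no-route"]
        _net, gw, _dist = hit
        if _is_iface(gw):
            # Interface-only gateway: the router treats dst as on-link and ARPs for it itself.
            attached = any(ipaddress.ip_address(dst) in ipaddress.ip_interface(a).network
                           for a, i in ROUTERS[cur]["addrs"].items() if i == gw)
            return path + [("delivered:" if attached else "onlink:") + gw]
        egress = lookup(cur, gw)             # the next hop must itself be on-link (one level)
        if egress is None or not _is_iface(egress[1]):
            return path + [f"unresolved:{gw}"]
        nxt = owner_of(gw)
        if nxt is None:
            return path + [f"external:{gw}"]  # leaves the modelled network (the adsl router)
        if nxt in path:
            return path + ["loop"]
        path.append(nxt)
        cur = nxt
    return path + ["ttl-exceeded"]


def router_hops(path):
    """Only the router names of a trace, for comparing the two directions of a flow."""
    return [h for h in path if h in ROUTERS]


if __name__ == "__main__":
    print("home -> internet :", trace("sxt1@home", "8.8.8.8"))
    print("2011 -> home host:", trace("2011", "192.168.3.10"))
    print("rho  -> office   :", trace("sxt2@rho", "192.168.5.20"))
```

A route the walk reports as `unresolved` is one RouterOS would show as inactive; a pair of traces whose `router_hops()` are not mirror images of each other is the roundabout path the reply above warns about. With the tables as posted, the office-lan route on sxt1@home is the one entry that ends in `onlink:air0` rather than at a next hop.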

I am going to highlight the ones I don't believe are needed in red; you can disable them and see that they are not needed before deleting.
The ones you have put "USELESS, I GUESS" next to are needed, because they tell that particular router where to find the other LAN. Without it you have to go to the start router, or run OSPF, which will put it all in for you but requires some configuration. Confirm you are not running any simple queues on any of these routers.

The other thing to do is run a traceroute to google.com and see how it goes out, to make sure it follows the paths it should.

Hi again. Sorry for the delay, clients (fortunately) kept me busy :)

Here's the diagram
(checked via traceroute: the path is what it is supposed to be)
follow the colored lines for speed tests from internet->officelan, officelan->homelan, and internet->homelan
cleaning up the route tables of useless stuff improved office<-->home speed (up to average 90, occasionally 120 Mbps)
no changes in speed from internet to homelan.

Any idea?