Speed issues with specific services, probably due to firewall misconfig

Some time ago, getting tired of the overheating issues of my provider's router, I purchased a hAP ax³ and switched the provider's device to work as a transparent DOCSIS modem.

Some time later, after reading the RouterOS wiki and a bunch of guides on firewall configuration, I think I ended up with a configuration that is a little bit overkill.

In general I do not have issues - most everything works fine, but for some reason I have a very slow download speed specifically for gog com with the browser/third-party client. The initial download speed is usually around 10-15MB/s, but it quickly drops to less than 2MB/s, often even further.

However, after some testing I found out that when connecting directly via ethernet to the provider's router I can reliably get 25MB/s with no issues. So it's something that I did in my RouterOS config (or maybe something that happened to the configuration with updates?)

At the same time my Steam downloads usually go right up against my provider's speed limit of around 350-400Mb/s on an Ethernet connection to the router with no issues. So it's not something that completely overwhelms the router.

I'm open to suggestions about what my issue might be or where I should look for it. I can just reset the configuration to zero and set everything up again, but without understanding I'm likely to make the same mistake again.

My router config is as follows. I wanted to split the firewall out separately, but it seems that it's mostly firewall rules anyway.

# 2026-01-06 22:32:13 by RouterOS 7.20.6
# software id = ****-****
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = ***********
/interface bridge
add admin-mac=__:__:__:__:__:__1 auto-mac=no comment=defconf name=bridge
add name=bridge_guest
/interface ethernet
set [ find default-name=ether1 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether2 ] rx-flow-control=on tx-flow-control=on
/interface wifi
set [ find default-name=wifi2 ] channel.reselect-interval=1h..2h \
    .skip-dfs-channels=all .width=20/40mhz-Ce configuration.country=Estonia \
    .dtim-period=4 .hide-ssid=no .mode=ap .ssid="myWIFI 5GHz" \
    .tx-power=22 disabled=no name=wifi1 security.authentication-types=\
    wpa3-psk .ft=yes .ft-over-ds=yes .wps=disable
set [ find default-name=wifi1 ] channel.reselect-interval=30m..1h \
    .skip-dfs-channels=all .width=20/40mhz-Ce configuration.country=Estonia \
    .mode=ap .ssid=myWIFI .tx-power=18 disabled=no name=wifi2 \
    security.authentication-types=wpa3-psk .connect-priority=0 .ft=yes \
    .ft-over-ds=yes .wps=disable
add configuration.hide-ssid=yes .mode=ap .ssid=myWIFI_wpa2 \
    datapath.bridge=bridge_guest disabled=no mac-address=4A:A9:8A:48:35:F5 \
    master-interface=wifi2 name=wifi2-guest security.authentication-types=\
    wpa2-psk,wpa3-psk .wps=disable
/interface wireguard
add listen-port=13541 mtu=1420 name=wg_personal
/interface ethernet switch
set 0 cpu-flow-control=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=w.x.y1.10-w.x.y1.254
add name=guest-dhcp ranges=w.x.y2.2-w.x.y2.16
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=12h name=defconf
add address-pool=guest-dhcp interface=bridge_guest name=guest_dhcp
/interface bridge filter
# in/out-bridge-port matcher not possible when interface (wg_personal) is not slave
add action=drop chain=forward in-interface=*B
add action=drop chain=forward in-interface=wifi2-guest
add action=drop chain=forward out-interface=wifi2-guest
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=bridge_guest interface=wifi2-guest
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes forward=no max-neighbor-entries=15360 \
    min-neighbor-entries=3840 soft-max-neighbor-entries=7680
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge_guest list=LAN
/interface ovpn-server server
add mac-address=__:__:__:__:__:__2 name=ovpn-server1
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=w.x.y3.2 interface=\
    wg_personal name=rosse public-key=\
    "QHF+i5/obT1DqHpMEZ+s3Ycq6wWaq7v0o9ObPPwOfR8=" responder=yes
/ip address
add address=w.x.y1.1/24 comment=defconf interface=bridge network=\
    w.x.y1.0
add address=w.x.y3.1/24 comment=wg_guests interface=wg_personal network=\
    w.x.y3.0
add address=w.x.y2.1/24 comment=wifi_guest interface=bridge_guest \
    network=w.x.y2.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=12h
/ip dhcp-client
add comment=defconf default-route-tables=main interface=ether1 use-peer-ntp=\
    no
/ip dhcp-server lease
add address=w.x.y1.10 client-id=1:24:4b:fe:df:6c:fa mac-address=\
    __:__:__:__:__:__3 server=defconf
add address=w.x.y1.132 client-id=\
    ff:56:50:4d:98:0:2:0:0:ab:11:f9:af:3c:4f:b:98:49:9a mac-address=\
    __:__:__:__:__:__4 server=defconf
add address=w.x.y1.14 client-id=1:bc:d0:74:46:69:be mac-address=\
    __:__:__:__:__:__5 server=defconf
add address=w.x.y1.12 client-id=1:18:d6:1c:cb:ba:56 mac-address=\
    __:__:__:__:__:__6 server=defconf
add address=w.x.y1.15 client-id=1:0:e0:4c:de:cb:6d mac-address=\
    __:__:__:__:__:__7 server=defconf
add address=w.x.y1.128 client-id=1:24:5e:be:3d:72:91 mac-address=\
    __:__:__:__:__:__8 server=defconf
add address=w.x.y1.20 client-id=1:f4:28:9d:19:27:77 mac-address=\
    __:__:__:__:__:__9 server=defconf
/ip dhcp-server network
add address=w.x.y1.0/24 comment=defconf dns-server=w.x.y1.1 gateway=\
    w.x.y1.1 ntp-server=w.x.y1.1
add address=w.x.y2.0/24 dns-server=w.x.y2.1,1.1.1.1 gateway=\
    w.x.y2.1 ntp-server=w.x.y2.1
/ip dns
set allow-remote-requests=yes cache-size=40960KiB use-doh-server=\
    https://1.1.1.1/dns-query verify-doh-cert=yes
/ip dns adlist
add ssl-verify=no url=\
    https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
/ip dns static
add address=w.x.y1.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=1.1.1.1 comment=cloudflare list=whitelist
add address=85.253.128.1 comment=ESP list=whitelist
add address=85.253.0.2 comment=ESP list=whitelist
add address=85.253.0.130 comment=ESP list=whitelist
add address=0.0.0.0/8 comment="defconf: RFC6y20" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6y20" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6y20" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6y20" list=bad_ipv4
add address=w.0.0.0/24 comment="defconf: RFC6y20" list=bad_ipv4
add address=w.0.2.0/24 comment="defconf: RFC6y20 documentation" list=\
    bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6y20 documentation" list=\
    bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6y20 documentation" list=\
    bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6y20 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6y20" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6y20" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6y20" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6y20" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6y20" list=not_global_ipv4
add address=w.0.0.0/29 comment="defconf: RFC6y20" list=not_global_ipv4
add address=w.x.0.0/16 comment="defconf: RFC6y20" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6y20 benchmark" list=\
    not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6y20" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6y20" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6y20" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6y20" list=bad_dst_ipv4
add address=w.x.y1.0/24 comment="physical LAN" list=local_subnets
add address=w.x.y2.0/24 comment="guest WiFi" list=local_subnets
add address=he208v4dqk3.sn.mynetname.net comment=ESP list=whitelist
add address=pool.ntp.org comment=NTP list=whitelist
add address=81.19.135.171 list=bad_src_ipv4
add address=45.142.193.162 list=bad_src_ipv4
add address=w.x.y3.0/24 comment=vpn list=local_subnets
add address=82.131.68.1 list=whitelist
/ip firewall filter
add action=accept chain=forward disabled=yes
add action=drop chain=forward comment="defconf: drop invalid forward" \
    connection-state=invalid disabled=yes
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input disabled=yes
add action=drop chain=input comment="defconf: drop invalid input" \
    connection-state=invalid
add action=tarpit chain=input comment="tarpit suspicious incoming requies" \
    disabled=yes protocol=tcp src-address-list=blacklist
add action=drop chain=input disabled=yes src-address-list=blacklist
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked src-address-list=!blacklist
add action=accept chain=input comment="accept LAN traffic" src-address-list=\
    local_subnets
add action=accept chain=input comment=exceptions src-address-list=whitelist
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
    protocol=icmp
add action=accept chain=input comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=add-src-to-address-list address-list=wg_client \
    address-list-timeout=1d chain=input comment="log wireguard client" \
    disabled=yes dst-port=13541 log=yes log-prefix="wg: new_client" protocol=\
    udp src-address-list=!wg_client
add action=accept chain=input comment="wireguard VPN server" disabled=yes \
    dst-port=13541 in-interface-list=WAN protocol=udp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=accept chain=input comment=wiregurd disabled=yes dst-port=13541 \
    in-interface-list=WAN protocol=tcp
add action=accept chain=input disabled=yes dst-port=13541 in-interface-list=\
    WAN protocol=udp
add action=add-src-to-address-list address-list=whitelist \
    address-list-timeout=1w chain=input comment="whitelist request approved" \
    dst-port=10541 protocol=tcp src-address-list=knock^2
add action=add-src-to-address-list address-list=knock^2 address-list-timeout=\
    15m chain=input comment="second knock" dst-port=666 protocol=tcp \
    src-address-list=knock
add action=add-src-to-address-list address-list=knock address-list-timeout=1m \
    chain=input comment="first knock" dst-port=y39 protocol=tcp
add action=reject chain=input reject-with=icmp-port-unreachable \
    src-address-list=knock^2
add action=reject chain=input reject-with=icmp-port-unreachable \
    src-address-list=knock
add action=drop chain=input dst-port=\
    22,23,53,68,79,80,111,137-139,445,2049,33y2,5900,8291 in-interface-list=\
    WAN protocol=tcp src-address-list=!whitelist
add action=add-src-to-address-list address-list=blocklist \
    address-list-timeout=1d chain=input comment="temp ban (all)" \
    in-interface-list=!LAN log-prefix="filter: ban_temp;" protocol=tcp \
    src-address-list=strike
add action=add-src-to-address-list address-list=strike address-list-timeout=\
    30m chain=input comment="first strike (all)" in-interface-list=!LAN \
    protocol=tcp src-address-list=!whitelist
add action=drop chain=input comment="defconf: drop all not coming from LAN"
/ip firewall nat
add action=accept chain=srcnat comment=\
    "defconf: accept all that matches IPSec policy" disabled=yes \
    ipsec-policy=out,ipsec
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=ether1
add action=dst-nat chain=dstnat disabled=yes dst-port=47984,479y2,48010 \
    protocol=tcp src-address-list=whitelist to-addresses=w.x.y1.10
add action=dst-nat chain=dstnat disabled=yes dst-port=47y38,47y39,48000 \
    protocol=udp to-addresses=w.x.y1.10
add action=dst-nat chain=dstnat comment="sunshine 47984" dst-port=47984 \
    in-interface-list=WAN protocol=tcp src-address-list=whitelist \
    to-addresses=w.x.y1.10 to-ports=47984
add action=dst-nat chain=dstnat comment="sunshine 479y2" dst-port=479y2 \
    in-interface-list=WAN protocol=tcp src-address-list=whitelist \
    to-addresses=w.x.y1.10 to-ports=479y2
add action=dst-nat chain=dstnat comment="sunshine 47y30" disabled=yes \
    dst-port=47y30 in-interface-list=WAN protocol=tcp to-addresses=\
    w.x.y1.10 to-ports=47y30
add action=dst-nat chain=dstnat comment="sunshine 48010" dst-port=48010 \
    in-interface-list=WAN protocol=tcp src-address-list=whitelist \
    to-addresses=w.x.y1.10 to-ports=48010
add action=dst-nat chain=dstnat comment="sunshing u47y38" dst-port=47y38 \
    in-interface-list=WAN protocol=udp src-address-list=whitelist \
    to-addresses=w.x.y1.10 to-ports=47y38
add action=dst-nat chain=dstnat comment="sunshing u47y39" dst-port=47y39 \
    in-interface-list=WAN protocol=udp src-address-list=whitelist \
    to-addresses=w.x.y1.10 to-ports=47y39
add action=dst-nat chain=dstnat comment="sunshing u48000" dst-port=48000 \
    in-interface-list=WAN protocol=udp src-address-list=whitelist \
    to-addresses=w.x.y1.10 to-ports=48000
/ip firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" disabled=yes
add action=drop chain=prerouting comment=\
    "block connections from guest netrowk into LAN" dst-address=\
    w.x.y1.0/24 src-address=w.x.y2.0/24
add action=add-dst-to-address-list address-list=whitelist \
    address-list-timeout=1m chain=prerouting comment=\
    "whitelist remote conntection initiated from lan" dst-address-list=\
    !whitelist src-address-list=local_subnets
add action=accept chain=prerouting comment=\
    "whitelist remote conntection initiated from lan" dst-address-list=\
    whitelist src-address-list=local_subnets
add action=accept chain=prerouting comment="accept whitelist" \
    src-address-list=whitelist
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
    dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=\
    udp src-address=0.0.0.0 src-port=68
add action=accept chain=prerouting comment=DNS dst-port=53 in-interface-list=\
    LAN protocol=tcp src-address-list=local_subnets
add action=accept chain=prerouting dst-port=1900 protocol=udp src-address=\
    w.x.y1.0/24
add action=accept chain=prerouting dst-port=2828 protocol=tcp src-address=\
    w.x.y1.0/24
add action=accept chain=prerouting disabled=yes dst-port=13541 protocol=tcp
add action=add-src-to-address-list address-list=blacklist \
    address-list-timeout=1w chain=prerouting comment=\
    "ban unsolicited remote control requests" dst-port=\
    22,23,53,68,79,111,137-139,445,512-515,2049,33y2,5900 in-interface-list=\
    WAN protocol=tcp
add action=drop chain=prerouting src-address-list=blocklist
add action=accept chain=prerouting comment="accept for tarpitting" disabled=\
    yes in-interface-list=WAN limit=4,16:packet protocol=tcp \
    src-address-list=blacklist
add action=drop chain=prerouting comment=\
    "drop excess above limit to protect from DDoS" in-interface-list=WAN \
    src-address-list=blacklist
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv4
add action=drop chain=prerouting comment=\
    "defconf: drop forward to local lan from WAN" dst-address-list=\
    local_subnets in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv4
add action=drop chain=prerouting comment=\
    "defconf: drop local from unused ranges" in-interface-list=LAN \
    src-address-list=!local_subnets
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
    protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
    jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
    jump-target=filter_tcp protocol=tcp
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN limit=\
    32,32:packet
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=\
    128,256:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 \
    limit=128,256:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" \
    icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" \
    icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" \
    icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" \
    icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" \
    icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=\
    11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
add action=drop chain=filter_tcp comment="defconf: TCP port 0 drop" port=0 \
    protocol=tcp
add action=drop chain=filter_tcp comment=defconf protocol=tcp tcp-flags=\
    fin,syn
add action=drop chain=filter_tcp comment="defconf: TCP flag filter" protocol=\
    tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=filter_tcp comment=defconf protocol=tcp tcp-flags=\
    fin,rst
add action=drop chain=filter_tcp comment=defconf protocol=tcp tcp-flags=\
    fin,!ack
add action=drop chain=filter_tcp comment=defconf protocol=tcp tcp-flags=\
    fin,urg
add action=drop chain=filter_tcp comment=defconf protocol=tcp tcp-flags=\
    syn,rst
add action=drop chain=filter_tcp comment=defconf protocol=tcp tcp-flags=\
    rst,urg
add action=accept chain=filter_tcp protocol=tcp
add action=drop chain=prerouting disabled=yes dst-address=w.x.y1.0/24 \
    src-address=w.x.y2.0/24
/ip firewall service-port
set sip disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set telnet disabled=yes
set www address=w.x.y1.0/24 disabled=yes
set www-ssl address=w.x.y1.0/24 certificate=webfig-local disabled=no \
    tls-version=only-1.2
set api disabled=yes
set api-ssl certificate=webfig-local tls-version=only-1.2
/ip ssh
set strong-crypto=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=bridge type=internal
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4y20 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Tallinn
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=pool.ntp.org
/system scheduler
add interval=1w name=week_reboot policy=reboot start-date=2025-06-28 \
    start-time=06:00:00
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

This is invalid (but very likely not connected to your speed issue), see Point #21 here:

You make extensive use of the RAW firewall in addition to the plain firewall rules. This is unusual, but in itself it should not be slowing down the connection to the low speeds you report, though it is likely to have some impact.

As seen from the outside, your overall configuration seems (to me) very complex, very likely you have your reasons for having all those settings, but finding among them which ones could be slowing down the connection seems daunting.

Thanks for looking at my, admittedly, overly complex config!

Amazingly, despite being triggered exactly zero times, it seems to be a huge part of the issue, together with the 'filter_tcp' sub-chain in the RAW rules. After disabling both, I'm getting speeds of at least around 8-10MB/s, sometimes up to 25MB/s.

I will do some more testing and mark your response as the solution later.

I also reduced the strictness of some blocking rules, suspecting that working through longer block lists might be the issue, and disabled some rules that do not seem to be triggered at all, but neither had a noticeable effect.

I guess I will read the post you referred to and clean up my firewall rules more.
Initially my idea was to clean up clear offenders and incorrect packets in the RAW table and then give rules for guest wifi and VPN connections in the plain rules, but I guess I got carried away doing that.

Yes, usually all firewall rules should go in the "normal" firewall section, and the use of /ip firewall raw should be limited (when needed) to at most a handful of rules. It is entirely possible that rules in RAW have an impact on speed, but it remains strange that the speed can go so low, as an ax3 should be capable of routing/firewalling "comfortably" around a 1 Gb connection.

__:__:__:__:__:__7 = 00:E0:4C:DE:CB:6D

Don't waste time hiding y1 = 192.168.88.1, y2 = 192.168.89.1, etc., as well as MAC addresses, which are still visible in the client ID...

Only public IP addresses, serial numbers, usernames, passwords, private keys, etc. should be censored (also comments with names and surnames).
Otherwise, MAC addresses and private IP numbers (192.168.x.x, 10.x.x.x, etc.) are completely pointless to hide.

I actually didn't plan to, but that is what is recommended to be done.

Probably should have used VSCode with a highlighting plugin (at least that's the only one I found quickly for RouterOS config) for the config cleanup :slight_smile:

Well, it seems that the effect was temporary, which is even more confusing.

I did some more rules cleanup, but I'm starting to suspect that I might have an easier time reverting the whole config to default and rebuilding it from scratch.

/ip firewall filter
add action=accept chain=forward disabled=yes
add action=drop chain=forward comment="defconf: drop invalid forward" \
    connection-state=invalid
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input disabled=yes
add action=drop chain=input comment="defconf: drop invalid input" \
    connection-state=invalid
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="accept LAN traffic" src-address-list=\
    local_subnets
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
    protocol=icmp
add action=accept chain=input comment=exceptions src-address-list=whitelist
add action=accept chain=input comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=add-src-to-address-list address-list=whitelist \
    address-list-timeout=1w chain=input comment="whitelist request approved" \
    dst-port=10541 protocol=tcp src-address-list=knock^2
add action=add-src-to-address-list address-list=knock^2 address-list-timeout=\
    15m chain=input comment="second knock" dst-port=666 protocol=tcp \
    src-address-list=knock
add action=add-src-to-address-list address-list=knock address-list-timeout=1m \
    chain=input comment="first knock" dst-port=y39 protocol=tcp
add action=reject chain=input reject-with=icmp-port-unreachable \
    src-address-list=knock^2
add action=reject chain=input reject-with=icmp-port-unreachable \
    src-address-list=knock
add action=add-src-to-address-list address-list=blacklist \
    address-list-timeout=1d chain=input comment="temp ban (all)" \
    in-interface-list=!LAN log-prefix="filter: ban_temp;" protocol=tcp \
    src-address-list=strike
add action=add-src-to-address-list address-list=strike address-list-timeout=\
    30m chain=input comment="first strike (all)" in-interface-list=!LAN \
    protocol=tcp src-address-list=!whitelist
add action=drop chain=input comment="defconf: drop all not coming from LAN"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=ether1
add action=dst-nat chain=dstnat comment="sunshine 47984" dst-port=47984 \
    in-interface-list=WAN protocol=tcp src-address-list=whitelist \
    to-addresses=w.x.y1.10 to-ports=47984
add action=dst-nat chain=dstnat comment="sunshine 479y2" dst-port=47989 \
    in-interface-list=WAN protocol=tcp src-address-list=whitelist \
    to-addresses=w.x.y1.10 to-ports=479y2
add action=dst-nat chain=dstnat comment="sunshine 48010" dst-port=48010 \
    in-interface-list=WAN protocol=tcp src-address-list=whitelist \
    to-addresses=w.x.y1.10 to-ports=48010
add action=dst-nat chain=dstnat comment="sunshing u47y38" dst-port=47998 \
    in-interface-list=WAN protocol=udp src-address-list=whitelist \
    to-addresses=w.x.y1.10 to-ports=47y38
add action=dst-nat chain=dstnat comment="sunshing u47y39" dst-port=47999 \
    in-interface-list=WAN protocol=udp src-address-list=whitelist \
    to-addresses=w.x.y1.10 to-ports=47y39
add action=dst-nat chain=dstnat comment="sunshing u48000" dst-port=48000 \
    in-interface-list=WAN protocol=udp src-address-list=whitelist \
    to-addresses=w.x.y1.10 to-ports=48000
/ip firewall raw
add action=drop chain=prerouting comment=\
    "block connections from guest netrowk into LAN" dst-address=\
    w.x.y1.0/24 src-address=w.x.y2.0/24
add action=accept chain=prerouting comment=\
    "whitelist remote conntection initiated from lan" src-address-list=\
    local_subnets
add action=accept chain=prerouting comment="accept whitelist" \
    src-address-list=whitelist
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
    dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=\
    udp src-address=0.0.0.0 src-port=68
add action=accept chain=prerouting comment=DNS dst-port=53 in-interface-list=\
    LAN protocol=tcp src-address-list=local_subnets
add action=add-src-to-address-list address-list=blacklist \
    address-list-timeout=1w chain=prerouting comment=\
    "ban unsolicited remote control requests" dst-port=\
    22,23,53,68,79,111,137-139,445,512-515,2049,33y2,5900,8291 \
    in-interface-list=WAN protocol=tcp
add action=accept chain=prerouting comment="accept for tarpitting" disabled=\
    yes in-interface-list=WAN limit=4,16:packet protocol=tcp \
    src-address-list=blacklist
add action=drop chain=prerouting comment=\
    "drop excess above limit to protect from DDoS" in-interface-list=WAN \
    src-address-list=blacklist
add action=drop chain=prerouting comment="defconf: drop bogon IP's" disabled=\
    yes dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" disabled=\
    yes dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" disabled=\
    yes src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" disabled=\
    yes src-address-list=bad_ipv4
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
    jump-target=icmp4 protocol=icmp
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN limit=\
    32,32:packet
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=\
    128,256:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 \
    limit=128,256:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" \
    icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" \
    icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" \
    icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" \
    icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" \
    icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=\
    11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
add action=drop chain=filter_tcp comment="defconf: TCP port 0 drop" disabled=\
    yes port=0 protocol=tcp
add action=drop chain=filter_tcp comment="defconf: TCP flag filter" disabled=\
    yes protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=accept chain=filter_tcp protocol=tcp
/ip firewall service-port
set sip disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set telnet disabled=yes
set www address=w.x.y1.0/24 disabled=yes
set www-ssl address=w.x.y1.0/24 certificate=webfig-local disabled=no \
    tls-version=only-1.2
set api disabled=yes
set api-ssl certificate=webfig-local tls-version=only-1.2
/ip ssh
set strong-crypto=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=bridge type=internal
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
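When rules are restored one at a time, it helps to read the export mechanically rather than by eye. This added example (not from the thread or from MikroTik) parses RouterOS export syntax (backslash continuations, quoted values) and lists, per chain, the enabled `accept` rules that carry a `limit=` matcher and sit before a matcher-less `drop`, since packets above the rate limit do not match the accept and fall through to that drop. The excerpt is a constructed subset of the prerouting/icmp4 rules posted above, assumed to belong to `/ip firewall raw`.

```python
import shlex

# Constructed excerpt in RouterOS export syntax, reduced to a few of the
# prerouting/icmp4 rules posted in the thread (assumed section: /ip firewall raw).
EXPORT = r'''/ip firewall raw
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
    jump-target=icmp4 protocol=icmp
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN limit=\
    32,32:packet
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=\
    128,256:packet protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
'''

# Keys that describe the rule itself rather than match on traffic.
NON_MATCHERS = {"action", "chain", "comment", "disabled", "jump-target", "log", "log-prefix"}


def join_continuations(text):
    """Fold lines ending in a backslash into the following line (export style)."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    return lines


def parse_rules(text):
    """Return one dict per 'add ...' rule; quoted values survive as one token."""
    rules = []
    for line in join_continuations(text):
        if not line.startswith("add "):
            continue
        rule = {}
        for tok in shlex.split(line[4:]):
            key, _, val = tok.partition("=")
            rule[key] = val
        rules.append(rule)
    return rules


def limited_accepts_before_catchall(rules):
    """Per chain: enabled accept rules with limit= that precede a matcher-less drop."""
    findings = []
    for chain in dict.fromkeys(r["chain"] for r in rules):
        active = [r for r in rules if r["chain"] == chain and r.get("disabled") != "yes"]
        catchall = [i for i, r in enumerate(active)
                    if r["action"] == "drop" and not (set(r) - NON_MATCHERS)]
        if not catchall:
            continue
        for r in active[:catchall[0]]:
            if r["action"] == "accept" and "limit" in r:
                findings.append((chain, r.get("comment", ""), r["limit"]))
    return findings


if __name__ == "__main__":
    for chain, comment, limit in limited_accepts_before_catchall(parse_rules(EXPORT)):
        print(f"{chain}: '{comment}' limited to {limit}; excess hits the chain's drop")
```

The icmp4 chain is not reported because its final drop still matches on `protocol=icmp`, so only truly matcher-less drops count as catch-alls.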

I’ve reset the config.

I tried to use /reset-config keep-users no-defaults, as it was recommended for devices with some updates applied, but after that I could not connect to the router, so I had to use a regular factory reset (power off > reset + power on for 3 sec).

After that, with basic settings restored, it seems my issue was resolved. So I guess now I will try to restore some of my FW config step by step over time, looking at which exact config change resulted in my issue.

Those are created automatically, I guess by initial QuickConfig.
Should they be removed?

Clear requirements are not always easy to achieve when every other game or home appliance uses a different set of ports and might or might not require the ability to connect back to the device. It’s a pain in the ass to waste a couple of hours every time something changes in what I have in my network.
Also, from my previous failure at configuring WG remote clients, they are not just getting access to local resources, and it takes time to make a change in config, reconnect from outside and see if anything is working differently.

Thanks for the reminder, though; I will try to apply it to simplify the new rule set I am going to get.

And problem returned again, about 6 hours after the reset.

Most of the configuration is default + quick config to set wifi and enable upnp, with exception of adding DHCP to separate guest wifi network, but download speeds were unaffected, at least initially.

Maybe I can reset config with no-defaults and manually assign a script for the router to get default DHCP or at least one interface configured?

UPD.: I’m at a complete loss now, because just now, when I connected directly to the provider’s modem with my router detached, I have the issue regardless.

Why was it working previously when just connecting directly? How does it affect the connection to a specific set of resources even under the VPN? I’m completely out of ideas what is happening, so I guess the thread is useless at least until I get to connect my router at some other location.

It appears so 🙂

Well, ISP issue confirmed.

I’m not sure how I lucked out in most cases to have decent speed by connecting directly (maybe it is somehow related to getting a fresh lease from the ISP DHCP), but after half a day on another connection with the same router I have no issues of the same type - download speed from gog services reliably stays above 20MB/s.