The internet is slow on my MikroTik RB450Gx4

Hi everyone,
I’m experiencing slow internet performance on my MikroTik RB450Gx4. When traffic goes through the access point, the connection feels slow and sometimes unstable, even though both ISPs should be working normally. I’m currently using a dual-ISP load balancing setup (PCC), and I’m not sure whether the issue is coming from the mangle rules, routing, NAT, or queue configuration. I’m still learning MikroTik, so any advice or corrections would be greatly appreciated.

Below is my full configuration. I didn’t remove or shorten anything; it’s just formatted to be easier to read.

model = RB450Gx4

/interface bridge
add name=Bridge-Lan

/interface bridge port
add bridge=Bridge-Lan interface=ether3
add bridge=Bridge-Lan interface=ether4

/ip pool
add name=dhcp_pool1 ranges=192.168.0.2-192.168.0.254

/ip dhcp-server
add name=dhcp1 interface=Bridge-Lan address-pool=dhcp_pool1 lease-time=1h

/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1 \
    dns-server=8.8.8.8,1.0.0.1,1.1.1.1,8.8.4.4

/ip address
add address=192.168.0.1/24 interface=Bridge-Lan network=192.168.0.0

/ip dhcp-client
add interface=ether1 default-route-tables=main
add interface=ether2 default-route-tables=main

/ip dns
set allow-remote-requests=yes \
    servers=8.8.8.8,1.1.1.1,1.0.0.1,8.8.4.4

/ip neighbor discovery-settings
set discover-interface-list=!dynamic

/queue simple
add name="Balmon AP 1" target=Bridge-Lan \
    limit-at=25M/25M max-limit=50M/50M \
    queue=pcq-upload-default/pcq-download-default

/routing table
add name=to_ISP1 fib=yes
add name=to-ISP2 fib=yes

/ip firewall mangle
add chain=prerouting action=accept dst-address=10.11.24.0/21
add chain=prerouting action=accept dst-address=192.168.1.0/24
add chain=prerouting action=accept dst-address=192.168.0.0/24

add chain=prerouting in-interface=ether1 \
    action=mark-connection new-connection-mark=ISP1
add chain=prerouting in-interface=ether2 \
    action=mark-connection new-connection-mark=ISP2

add chain=prerouting in-interface=Bridge-Lan \
    per-connection-classifier=both-addresses:4/0 \
    action=mark-connection new-connection-mark=ISP2
add chain=prerouting in-interface=Bridge-Lan \
    per-connection-classifier=both-addresses:4/1 \
    action=mark-connection new-connection-mark=ISP1
add chain=prerouting in-interface=Bridge-Lan \
    per-connection-classifier=both-addresses:4/2 \
    action=mark-connection new-connection-mark=ISP2
add chain=prerouting in-interface=Bridge-Lan \
    per-connection-classifier=both-addresses:4/3 \
    action=mark-connection new-connection-mark=ISP2

add chain=prerouting in-interface=Bridge-Lan \
    connection-mark=ISP1 action=mark-routing new-routing-mark=to_ISP1
add chain=prerouting in-interface=Bridge-Lan \
    connection-mark=ISP2 action=mark-routing new-routing-mark=to-ISP2

add chain=output connection-mark=ISP1 \
    action=mark-routing new-routing-mark=to_ISP1
add chain=output connection-mark=ISP2 \
    action=mark-routing new-routing-mark=to-ISP2

/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade

/ip route
add dst-address=0.0.0.0/0 gateway=10.11.24.1 \
    routing-table=to_ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.1.1 \
    routing-table=to-ISP2 check-gateway=ping

add dst-address=0.0.0.0/0 gateway=192.168.1.1 \
    routing-table=to_ISP1 distance=2
add dst-address=0.0.0.0/0 gateway=10.11.24.1 \
    routing-table=to-ISP2 distance=2

/system clock
set time-zone-name=Asia/Makassar

/system identity
set name="Load Balance 2 isp"

/system routerboard settings
set enter-setup-on=delete-key

Thank you in advance for any help or suggestions.

You may have removed quite a bit.
Best to use export, only remove sensitive info like serial, passwd, public IP,...
Then post contents between code quotes < / >

I don't see anything on firewall filter rules?
Serious? This is an outside ISP facing device and no firewall filters?

Thanks for the reminder — you’re right.

I used the /export output and I only removed sensitive information (like serial number, passwords, and public IP details). I’m now pasting the full configuration inside a code block as requested.

Also, regarding the firewall filter rules: yes, currently I don’t have any /ip firewall filter rules configured yet. This router is connected directly to external ISPs, so I understand this is not safe and I will add proper firewall filtering rules after this. For now, I would appreciate any guidance on what might be causing the slow internet issue (routing/mangle/queue), and recommendations for a proper basic firewall filter setup for my case.

# model = RB450Gx4

/interface bridge
add name=Bridge-Lan
/ip pool
add name=dhcp_pool1 ranges=192.168.0.2-192.168.0.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=Bridge-Lan lease-time=1h name=dhcp1
/port
set 0 name=serial0
/queue simple
add limit-at=25M/25M max-limit=50M/50M name="Balmon AP 1" queue=\
    pcq-upload-default/pcq-download-default target=Bridge-Lan
/routing table
add disabled=no fib name=to_ISP1
add disabled=no fib name=to-ISP2
/interface bridge port
add bridge=Bridge-Lan interface=ether3
add bridge=Bridge-Lan interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=192.168.0.1/24 interface=Bridge-Lan network=192.168.0.0
/ip dhcp-client
add default-route-tables=main interface=ether1
add default-route-tables=main interface=ether2
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=8.8.8.8,1.0.0.1,1.1.1.1,8.8.4.4 \
    gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1,1.0.0.1,8.8.4.4
/ip firewall mangle
add action=accept chain=prerouting dst-address=10.11.24.0/21
add action=accept chain=prerouting dst-address=192.168.1.0/24
add action=accept chain=prerouting dst-address=192.168.0.0/24
add action=mark-connection chain=prerouting in-interface=ether1 \
    new-connection-mark=ISP1
add action=mark-connection chain=prerouting in-interface=ether2 \
    new-connection-mark=ISP2
add action=mark-connection chain=prerouting in-interface=Bridge-Lan \
    new-connection-mark=ISP2 per-connection-classifier=both-addresses:4/0
add action=mark-connection chain=prerouting in-interface=Bridge-Lan \
    new-connection-mark=ISP1 per-connection-classifier=both-addresses:4/1
add action=mark-connection chain=prerouting in-interface=Bridge-Lan \
    new-connection-mark=ISP2 per-connection-classifier=both-addresses:4/2
add action=mark-connection chain=prerouting in-interface=Bridge-Lan \
    new-connection-mark=ISP2 per-connection-classifier=both-addresses:4/3
add action=mark-routing chain=prerouting connection-mark=ISP1 in-interface=\
    Bridge-Lan new-routing-mark=to_ISP1
add action=mark-routing chain=prerouting connection-mark=ISP2 in-interface=\
    Bridge-Lan new-routing-mark=to-ISP2
add action=mark-routing chain=output connection-mark=ISP1 new-routing-mark=\
    to_ISP1
add action=mark-routing chain=output connection-mark=ISP2 new-routing-mark=\
    to-ISP2
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
/ip route
add check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=10.11.24.1 \
    routing-table=to_ISP1 suppress-hw-offload=no
add check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1 \
    routing-table=to-ISP2 suppress-hw-offload=no
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.1.1 \
    routing-table=to_ISP1 suppress-hw-offload=no
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.11.24.1 \
    routing-table=to-ISP2 suppress-hw-offload=no
/system clock
set time-zone-name=Asia/Makassar
/system identity
set name="Load Balance 2 isp"
/system routerboard settings
set enter-setup-on=delete-key

Your router is open to the world, and they're using it for you to do whatever they want with it.


He already wrote to you to censor the export and not to edit it, but you continue to delete essential information, such as the RouterOS version.


REMOVE QUEUE or at least DISABLE IT. Not sure why you would even need it???

/queue simple
add limit-at=25M/25M max-limit=50M/50M name="Balmon AP 1" queue=\
pcq-upload-default/pcq-download-default target=Bridge-Lan disabled=yes

/ip neighbor discovery-settings
set discover-interface-list=LAN

{ modified you have extra rules in place that are not required or at least you have not sufficiently shown in the config or described requirements for ( aka no traffic to the router from external) }

/ip firewall mangle { fixed }
add action=mark-connection chain=forward in-interface=Bridge-Lan \
    connection-mark=no-mark new-connection-mark=ISP1 dst-address-type=!local \
    per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=forward in-interface=Bridge-Lan \
    connection-mark=no-mark new-connection-mark=ISP2 dst-address-type=!local \
    per-connection-classifier=both-addresses:2/1
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=mark-routing chain=prerouting connection-mark=ISP1 \
    new-routing-mark=to_ISP1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP2 \
    new-routing-mark=to-ISP2 passthrough=no

/ip route
add check-gateway=ping dst-address=0.0.0.0/0 gateway=10.11.24.1
add distance=2 check-gateway=ping dst-address=0.0.0.0/0 gateway=192.168.1.1
{ special tables }
add check-gateway=ping dst-address=0.0.0.0/0 gateway=10.11.24.1 routing-table=to_ISP1
add distance=2 dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=to_ISP1


add check-gateway=ping dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=to-ISP2
add distance=2 dst-address=0.0.0.0/0 gateway=10.11.24.1 routing-table=to-ISP2
+++++++++++++++++++++++++++++++++++++++++++++++++++++++

If both the ISPs coming in on ether1 and ether2 are roughly the same throughput, then PCC makes less sense and ECMP would be better/simpler like so with only two routes and no special tables!

add check-gateway=ping dst-address=0.0.0.0/0 gateway=10.11.24.1
add check-gateway=ping dst-address=0.0.0.0/0 gateway=192.168.1.1


First, secure your router immediately: add a filter rule to drop all input traffic on WAN interfaces unless connection-state=established,related.

Regarding slowness: Disable your Simple Queue. You set a max-limit=50M, which caps your entire LAN (not per-user) to 50Mbps.

PCC is incompatible with FastTrack. Since PCC requires Mangle, FastTrack is likely bypassed, increasing CPU load. Check /tool profile.

Ensure your PCC classifier uses src-address to avoid breaking secure (HTTPS) banking sites.
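
A basic filter set of the kind the replies above ask for, written for the interfaces in the posted export (ether1 and ether2 facing the ISPs, Bridge-Lan facing the LAN). This is an added example, not a configuration posted by anyone in the thread; the interface list names WAN and LAN and the rule comments are assumptions. No FastTrack rule is included, since the thread notes that PCC and FastTrack do not mix.

```routeros
# Added example, constructed for the interfaces shown in the export above.
# The list names WAN and LAN are assumptions; rename them to suit.
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=WAN interface=ether2
add list=LAN interface=Bridge-Lan

# Neighbor discovery only towards the LAN, as suggested in a reply above
# (this setting needs the LAN list defined here).
/ip neighbor discovery-settings
set discover-interface-list=LAN

/ip firewall filter
# input chain: traffic addressed to the router itself
add chain=input action=accept connection-state=established,related,untracked \
    comment="input: accept established,related,untracked"
add chain=input action=drop connection-state=invalid \
    comment="input: drop invalid"
add chain=input action=accept protocol=icmp \
    comment="input: accept ICMP"
# Anything else that does not arrive from the LAN is dropped. With
# allow-remote-requests=yes this is also what keeps the router's DNS
# resolver and its management services unreachable from the ISP side.
add chain=input action=drop in-interface-list=!LAN \
    comment="input: drop everything not coming from LAN"

# forward chain: traffic routed through the router
add chain=forward action=accept connection-state=established,related,untracked \
    comment="forward: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid \
    comment="forward: drop invalid"
# New connections from the ISP side are allowed only if a dstnat
# (port-forward) rule exists for them; the posted config has none.
add chain=forward action=drop connection-state=new \
    connection-nat-state=!dstnat in-interface-list=WAN \
    comment="forward: drop new WAN connections that are not dstnat"
```

Rule order matters here: the accept rules have to stay above the drop rules in each chain. Apply the rules from a LAN-side session with Safe Mode enabled, so a mistake that cuts off management access is rolled back when the session drops.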