Unable to go over 200mbps on HEX

Hi all,

I have been using MikroTik for a while and am pretty happy with it, both personally and at my clients. We finally got gigabit fiber to my neighborhood and I upgraded from a HEX lite to the HEX with 5 gigabit ports. Trouble is, whenever I run a speedtest (using either a web tool or the built-in Bandwidth Test), it gets to about 225mbps and the CPU goes to 100% and it won’t go past that. I realize that the hardware isn’t that powerful, but it still has gigabit ports so I figure it should at least get close to gigabit speeds.

Anyone else familiar with this?

What eats the cpu? Try to use fasttrack if you do not need queues.

I just implemented fasttrack and it made no difference. Here are some screenshots:

Speedtest-
http://puu.sh/r6vfO/d08cd56f24.png

Firewall Rules-
http://puu.sh/r6vh3/23bbdf03a2.png

From Mikrotik Wiki:

Fasttracked packets bypass firewall, connection tracking, simple queues, queue tree with parent=global, ip traffic-flow(restriction removed in 6.33), ip accounting, ipsec, hotspot universal client, vrf assignment, so it is up to administrator to make sure fasttrack does not interfere with other configuration;

Are you using any of these features?

With a default config, the HEX will pass 900mbps. 25~30 filter rules will slow you down to about 800. Mangle and queues will drop you even more.
If you can post your queue and firewall exports, we can get a better idea of what is bringing you down so much.

Nope, none of that was configured. This is just out of the box with the exception of 4 ports forwarded.

Not sure how to export, but here are screenshots.

Queues-
http://puu.sh/r6zKA/89ea616d55.png
http://puu.sh/r6zLt/5d7683ddcd.png

Firewall-
http://puu.sh/r6zMX/1f62205533.png

open the console and type…

/firewall export
/interface export
/queue export

copy/paste the output

[admin@MOB] > /queue export
# sep/03/2016 16:51:55 by RouterOS 6.36.2
# software id = 8K75-VWJ6

[admin@MOB] > /interface export
# sep/03/2016 16:52:17 by RouterOS 6.36.2
# software id = 8K75-VWJ6
/interface bridge
add arp=proxy-arp name=bridge1
/interface ethernet
set [ find default-name=ether5 ] mac-address=E4:8D:8C:93:F8:A8 name="ATT 1G" speed=1Gbps
set [ find default-name=ether4 ] mac-address=E4:8D:8C:93:F8:A9 name=LAN
set [ find default-name=ether3 ] mac-address=E4:8D:8C:93:F8:AA master-port=LAN name=ether3-slave-local
set [ find default-name=ether2 ] mac-address=E4:8D:8C:93:F8:AB master-port=LAN name=ether4-slave-local
set [ find default-name=ether1 ] mac-address=E4:8D:8C:93:F8:AC master-port=LAN name=ether5-slave-local
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
/interface bridge port
add bridge=bridge1 interface=LAN
/interface l2tp-server server
set enabled=yes ipsec-secret=1234 use-ipsec=yes
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes

[admin@MOB] > /firewall export
bad command name firewall (line 1 column 2)
[admin@MOB] > /firewall export
bad command name firewall (line 1 column 2)

oops, sorry about the firewall.. that was supposed to be:

/ip firewall export

[admin@MOB] >> /ip firewall export
# sep/03/2016 16:58:52 by RouterOS 6.36.2
# software id = 8K75-VWJ6
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=input dst-port=80 protocol=tcp
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface="ATT 1G"
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input in-interface="ATT 1G"
add action=accept chain=input disabled=yes dst-port=8291 protocol=tcp
add action=accept chain=forward connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface="ATT 1G"
add action=dst-nat chain=dstnat dst-port=443 in-interface="ATT 1G" protocol=tcp to-addresses=192.168.1.5 to-ports=443
add action=dst-nat chain=dstnat dst-port=8921 in-interface="ATT 1G" protocol=tcp to-addresses=192.168.1.1 to-ports=8921
add action=dst-nat chain=dstnat comment=DVR dst-port=37777 in-interface="ATT 1G" protocol=tcp to-addresses=192.168.1.18 to-ports=37777
add action=dst-nat chain=dstnat comment=DVR dst-port=37777 in-interface="ATT 1G" protocol=udp to-addresses=192.168.1.18 to-ports=37777
add action=dst-nat chain=dstnat dst-port=5198 in-interface="ATT 1G" protocol=udp to-addresses=192.168.1.5 to-ports=5198
add action=dst-nat chain=dstnat dst-port=5199 in-interface="ATT 1G" protocol=udp to-addresses=192.168.1.5 to-ports=5199
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
/ip firewall service-port
set sip disabled=yes
[admin@MOB] >>

right off, I would say you need to remove the LAN port from the bridge, and delete the bridge. You have a switch chip and no wireless interfaces, so a software bridge isn’t needed.

Ok, I went to bridge and deleted the LAN port and then deleted the bridge completely.

That didn’t seem to help:

http://puu.sh/r6Bzw/2c1ce92c9d.png

what do you get with speedtest.net or fast.com?

I don’t understand why you still test with btest. It is not reliable and will not reflect real world situations.
What are you trying to achieve? Gigabit between lan ports? Make a transfer between computers.

He is a new forum user, and very likely has not read the threads on the btest client/server.

Sorry for the late reply here. I’ve been doing a lot of testing and finally was able to get this fixed. Fasttrack was the solution, but I did not realize that the commands had to be run PLUS you have to drag the fasttrack rule to the top of the firewall list. That was my mistake. Thanks to everyone that helped. Here are the results, CPU much lower and the speed much higher!

https://i.imgur.com/868FW4Z.png

looks good, and thanks for the update. Glad you worked it out.
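
The rule-order point from the fix above, as an added example that is not part of the original thread: a Python check over a constructed `/ip firewall export` filter section that reports whether a terminating rule for established forward traffic sits ahead of the fasttrack rule, and which input-chain ports are accepted from any interface before the WAN drop (as the rules for ports 80 and 8291 in the export above are). SAMPLE and the function names are made up for illustration.

```python
import shlex

# Constructed sample shaped like an "/ip firewall export" filter section
# (wrapped lines joined, straight quotes); not taken from a live router.
SAMPLE = '''/ip firewall filter
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=forward connection-state=established,related
add action=fasttrack-connection chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input in-interface="ATT 1G"
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ATT 1G"
'''

def parse_filter(export_text):
    """Return the enabled filter rules, in evaluation order, as key=value dicts."""
    rules, in_filter = [], False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_filter = line == "/ip firewall filter"
        elif in_filter and line.startswith("add "):
            rule = dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            if rule.get("disabled") != "yes":
                rules.append(rule)
    return rules

def fasttrack_ineffective(rules):
    """True when established forward traffic is accepted/dropped before fasttrack."""
    for r in (r for r in rules if r.get("chain") == "forward"):
        if r.get("action") == "fasttrack-connection":
            return False  # fasttrack is evaluated first
        states = r.get("connection-state", "").split(",")
        if r.get("action") in ("accept", "drop", "reject") and "established" in states:
            return True   # this rule ends processing; fasttrack never sees the packet
    return True           # no fasttrack rule in the forward chain at all

def open_before_wan_drop(rules, wan):
    """Ports the input chain accepts from any source ahead of the WAN drop rule."""
    ports = []
    for r in (r for r in rules if r.get("chain") == "input"):
        if r.get("action") == "drop" and r.get("in-interface") == wan:
            break
        scoped = any(k in r for k in ("in-interface", "src-address", "src-address-list"))
        if r.get("action") == "accept" and "dst-port" in r and not scoped:
            ports.append(r["dst-port"])
    return ports
```

Feed it the joined output of `/ip firewall export` and pass the WAN interface name as it appears in the rules, for example `open_before_wan_drop(parse_filter(text), "ATT 1G")`.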