VoIP over LTE through VPN - Bria, Forticlient

Good evening gents. I'm working as a customer service agent. We connect to the company's PC through Forticlient VPN, and the program we use to communicate with our clients is Bria. The issue I'm facing is that I've had a lot of complaints that my voice is cracking. I can hear them very well, but my voice doesn't reach them as it should. I've tested my device and it's not a hardware issue with the microphone or anything. Below I'm attaching my config and a few bufferbloat tests before and after applying simple queues. Clients sometimes say that my voice is fine after applying the queue, but other times it doesn't fix the issue. If you have any thoughts please let me know. Thanks in advance.

Before Simple

https://www.waveform.com/tools/bufferbloat?test-id=d4663af9-f684-4bb4-ae2f-d75ef635b92e

After Simple

https://www.waveform.com/tools/bufferbloat?test-id=adb3ebf2-1e4b-4e8d-aade-833d57d03f22

Config

```
# 2025-11-06 15:57:15 by RouterOS 7.19.6
# software id =
# model = RBD53G-5HacD2HnD
# serial number =
/interface bridge add name=bridge-lan
/interface lte set [ find default-name=lte1 ] allow-roaming=no band="" modem-init="AT+QNWLOCK=\"common/4g\"**********************"
/interface lte apn set [ find default=yes ] use-network-apn=no
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/interface wireless security-profiles add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=2.4 supplicant-identity=""
/interface wireless security-profiles add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=5 supplicant-identity=""
/interface wireless set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no mode=ap-bridge security-profile=2.4 ssid=*******
/interface wireless set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40/80mhz-XXXX disabled=no mode=ap-bridge security-profile=5 ssid=*******
/ip hotspot profile set [ find default=yes ] html-directory=hotspot
/ip pool add name=dhcp_pool0 ranges=14.14.14.2-14.14.14.254
/ip dhcp-server add address-pool=dhcp_pool0 interface=bridge-lan lease-time=50w6d name=dhcp1
/queue type add kind=bfifo name=BFIFO
/queue type add kind=cake name=CAKE
/queue type add kind=codel name=CODEL
/queue type add kind=fq-codel name="FQ CODEL"
/queue type add kind=mq-pfifo name="MQ PFIFO"
/queue type add kind=pcq name=PCQ
/queue type add kind=pfifo name=PFIFO
/queue type add kind=red name=RED
/queue type add kind=sfq name=SFQ
/queue type add kind=none name=NONE
/queue simple add limit-at=18M/18M max-limit=18M/18M name="FQ CODEL" priority=1/1 queue="FQ CODEL/FQ CODEL" target="" total-queue="FQ CODEL"
/certificate settings set builtin-trust-anchors=not-trusted
/interface bridge port add bridge=bridge-lan interface=all
/ip address add address=14.14.14.1/24 interface=bridge-lan network=14.14.14.0
/ip dhcp-server network add address=14.14.14.0/24 dns-server=**************** gateway=14.14.14.1
/ip firewall mangle add action=change-ttl chain=postrouting new-ttl=set:64 out-interface=lte1
/ip firewall nat add action=masquerade chain=srcnat
/ip service set ftp disabled=yes
/ip service set ssh disabled=yes
/ip service set telnet disabled=yes
/ip service set www disabled=yes
/ip service set winbox port=*******
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/system clock set time-zone-name=Europe/Athens
```

Biggest company, dead forum. Sad af.

Hi,

It's mostly a users' forum, managed by volunteers. If someone wants to help, then they help; if not, then the topic gets stalled. There is no SLA 🙂 Maybe there is no one who knows the answer?

Do you use forticlient to connect to Mikrotik's router? Have you tried other options?
Why are you tweaking packets' TTL?
If you publish only a part of a config then it gets even harder to guess what could be the problem.

1 Like

You might want to apply to the WAN via target. Currently it appears to be "", which is odd. Also, you could use an interface queue instead with fq_codel on the WAN interface, which only captures outbound. Both are simple to try.

Personally, I'd use a /queue/tree so that SIP traffic has a limit-at while other traffic does not, and you can set a max-limit for all LTE traffic. You can apply something similar using a simple queue too, but this IMO gets more confusing than /queue/tree. In either case, you need to mark packets to identify the SIP traffic, so the limit-at only applies to SIP. Normal traffic should not have a limit-at. The terms are confusing, but "limit-at" should be read as guaranteed.

Additionally, it appears you're using LTE. So anything you can do to improve the LTE signal quality may help too. Do the dropped calls happen around "primetime" when cell networks might be congested? Also, since LTE bandwidth is variable, setting max-limit gets tricky - either you set it to the lowest speed you expect (and "waste" bandwidth when speeds are higher), or you set it to the average speed you expect (in which case the queue will not drop packets to prevent bufferbloat if the speed is low, since the queue won't trigger).

Finally, you can try to disable the ALG in /ip/firewall/service-port/set sip disabled=yes as it's not likely needed (unless you have a local PBX and it crosses LANs).

1 Like
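
The max-limit trade-off described in the reply above, worked through as a small fluid model. This is an added example, not part of any post: the per-second link rates and the 30 Mbit/s offered load are constructed, and the modem buffer is assumed unbounded.

```python
# Fluid model of an upstream shaper in front of a variable-rate LTE uplink.
# Constructed sample: uplink capacity for each second in Mbit/s (not measured).
LINK_MBPS = [25, 25, 18, 12, 12, 18, 25, 25, 12, 25]
OFFERED_MBPS = 30.0  # hypothetical steady upload load from the LAN


def simulate(max_limit, link=LINK_MBPS, offered=OFFERED_MBPS):
    """Return (peak modem queue delay in ms, share of link capacity used)."""
    backlog = 0.0   # Mbit sitting in the modem, beyond the router's queue
    peak_ms = 0.0
    sent = 0.0
    for rate in link:
        released = min(offered, max_limit)  # what the shaper lets out in 1 s
        backlog += released
        drained = min(backlog, rate)        # what the radio link carries in 1 s
        backlog -= drained
        sent += drained
        # Delay a new packet (e.g. voice) sees behind the modem backlog.
        peak_ms = max(peak_ms, backlog / rate * 1000)
    return round(peak_ms), round(sent / sum(link), 2)


if __name__ == "__main__":
    for limit in (min(LINK_MBPS), 20):      # lowest rate vs. roughly the average
        delay, used = simulate(limit)
        print(f"max-limit={limit}M  peak modem delay={delay} ms  link used={used:.0%}")
```

With max-limit at the lowest rate the backlog stays in the router, where fq-codel can manage it, at the cost of unused capacity; with max-limit near the average, every dip in link rate pushes the backlog into the modem where the router's queue never sees it.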

First of all, thanks for your answers and your time. Forticlient is running on my PC; dunno if I can run this on MikroTik and how. Tomorrow I'm gonna ask my IT if I can change SSL into IPsec, cause from what I heard TCP connections are trash when they come through tunnels along with 4G/5G connectivity. The TTL is tweaked in order, supposedly, to make my router look like a cellphone and trick the provider into not cutting my speeds. The ALG you are suggesting, is it gonna make a difference? Don't know what a PBX is etc., probably I don't need ALG. Below I'm posting my latest config. Thanks again.

```
# 2025-11-21 00:29:25 by RouterOS 7.19.6
# software id = D081-78YX
#
# model = RBD53G-5HacD2HnD
# serial number =
/interface bridge
add name=bridge-lan
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band="" modem-init=
/interface lte apn
set [ find default=yes ] use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=2.4 \
    supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=5 \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=no_country_set disabled=no mode=ap-bridge security-profile=2.4 \
    ssid=
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=\
    20/40/80mhz-Ceee country=no_country_set disabled=no frequency=5745 \
    installation=outdoor mode=ap-bridge security-profile=5 ssid=
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge-lan lease-time=50w6d name=dhcp1
/queue type
add fq-codel-limit=1024 fq-codel-quantum=300 fq-codel-target=1ms kind=\
    fq-codel name=fq-codel_up
add fq-codel-ecn=no fq-codel-interval=10ms fq-codel-limit=1024 \
    fq-codel-target=1ms kind=fq-codel name=fq_codel_dw
/queue tree
add max-limit=35M name=Down_fq packet-mark=no-mark parent=bridge-lan \
    priority=1 queue=fq_codel_dw
add bucket-size=0.001 max-limit=25M name=Upload_fq packet-mark=no-mark \
    parent=lte1 priority=1 queue=fq-codel_up
/certificate settings
set builtin-trust-anchors=not-trusted
/interface bridge port
add bridge=bridge-lan interface=all
/ip address
add address=192.168.1.1/24 interface=bridge-lan network=192.168.1.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server= gateway=\
    192.168.1.1
/ip firewall filter
add action=fasttrack-connection chain=forward comment=\
    "Fasttrack accept established, related connections" connection-state=\
    established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "Forward accept established, related connections" connection-state=\
    established,related disabled=yes
/ip firewall mangle
add action=change-ttl chain=postrouting new-ttl=set:64 out-interface=lte1
/ip firewall nat
add action=masquerade chain=srcnat
/system clock
set time-zone-name=
```

You didn't mention this is going via a VPN upstream...

That's mostly right. IPsec would be better than some TCP-based VPN. 4G/5G networks have some recovery mechanism internal to the network, but it adds latency to retry packets. Since TCP also does recovery, and also slows down on errors, it does make it a double-whammy.

But I tend to believe your SIP troubles are not in queues - although they help if you have a lot of local traffic.

1 Like

@amm0, so any other suggestions if this isn't possible? Can't stop thinking that I hear them fine and they don't. Of course I don't know how it's working overall, but still. That's why I'm seeking a solution for this.

Please use the "Preformatted text" code tag instead of quoting for code. You can add RouterOS after the backticks to help it format better.

I asked about the TTL because you set it arbitrarily to 64; you do not decrease it by one to fool the ISP's network. How do you know that it is a proper value?
On the other hand, the ISP knows perfectly well the brands of devices you use to access their network.

1 Like

No idea @BartoszP brother, just followed the instructions of a Greek guy and the Calculus of MikroTik on YouTube.

I did notice that too. I'd recommend removing the TTL. Although I doubt that's the cause since traffic seems to work.

Typically the TTL adjustment is needed for LTE carriers that use it to block tethering (hotspot on smartphone). But unless you're sure it's needed (historically T-Mobile in US, which does not do this anymore), it's better not to set it. Various security schemes might see an unusual TTL and take some action.

1 Like

I can remove it, though it's not the issue, because I've been experiencing the crackling issue from the beginning of my employment, at which time I didn't have the TTL set up.

Probably unrelated, but you have no firewall, are you sure that this is safe?

IMHO, LTE usually separates your modem from any other devices.
There should be at least a minimal firewall, but it seems not to be a big issue.

1 Like
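
The configuration points the replies picked out by eye (the empty simple-queue target, the change-ttl rule, no active firewall filter, the SIP helper) can be checked mechanically against an export. This is an added example, not part of any post: the parser and the finding texts are hypothetical, and the sample export is constructed from settings quoted in the thread.

```python
import re

# Constructed sample in RouterOS export syntax, reusing settings quoted in the thread.
SAMPLE = r'''
/queue simple add max-limit=18M/18M name="FQ CODEL" target=""
/ip firewall filter
add action=accept chain=forward comment=\
    "Forward accept established, related connections" connection-state=\
    established,related disabled=yes
/ip firewall mangle
add action=change-ttl chain=postrouting new-ttl=set:64 out-interface=lte1
'''

ATTR = re.compile(r'([\w.-]+)=("(?:\\.|[^"\\])*"|\S*)')

def parse(export):
    """Yield (menu path, verb, argument text, attributes) for each command."""
    text = re.sub(r'\\\n\s*', '', export)      # undo "\" line continuations
    path = ''
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith('#'):
            continue
        if words[0].startswith('/'):           # menu path, maybe with a command
            n = next((i for i, w in enumerate(words) if w in ('add', 'set')),
                     len(words))
            path, words = ' '.join(words[:n]), words[n:]
        if words:                              # handles one-line and sectioned form
            rest = ' '.join(words[1:])
            attrs = {k: v.strip('"') for k, v in ATTR.findall(rest)}
            yield path, words[0], rest, attrs

def audit(export):
    """Return findings for the points raised in the replies."""
    cmds = list(parse(export))
    found = []
    for path, verb, rest, a in cmds:
        if path == '/queue simple' and verb == 'add' and not a.get('target'):
            found.append('simple queue has an empty target')
        if path == '/ip firewall mangle' and a.get('action') == 'change-ttl':
            found.append('TTL rewritten: new-ttl=' + a.get('new-ttl', '?'))
    if not any(p == '/ip firewall filter' and a.get('disabled') != 'yes'
               for p, _, _, a in cmds):
        found.append('no enabled firewall filter rule')
    if not any(p == '/ip firewall service-port' and rest.startswith('sip ')
               and a.get('disabled') == 'yes' for p, _, rest, a in cmds):
        found.append('no line disabling the SIP helper')
    return found
```

A rule with `disabled=yes` counts as absent, which is why the second export in the thread still reports no enabled filter rule even though its `/ip firewall filter` section is populated.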