WAN through Switch to Router and VLAN Setup

Hi all,

I just got a RB5009 and a CRS304.

For my specific use case, I need the Internet cable modem connection to come through the switch on its own VLAN, then through a trunk port to the RB5009 router.

So far I have the PC connecting to the network fine with the correct IP address for the VLAN. Now I am struggling to get an internet connection. I would appreciate any help to figure out what I'm missing or doing wrong.

CRS304 Switch:
Ethernet 1 - Uplink to router (Trunk)
Ethernet 2 - Cable modem (VLAN 60)
Ethernet 3 - PC (VLAN 10)
Other devices will be added to the remaining ports but are not relevant.

RB5009 Router:
SFP+ 1 - Link to switch (Trunk)
Other devices will be added to the remaining ports but are not relevant.

Please see the router config below, followed by the switch.


# 2025-07-27 11:36:10 by RouterOS 7.19.4
# model = RB5009UPr+S+
# Router export as originally posted. The '#' lines below are review notes on
# what this export does; they do not change it.
/interface bridge
# One bridge with VLAN filtering; every VLAN-aware port on this box is a member of it.
add admin-mac=************** auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface vlan
# vlan20-vlan50, vlan110 and vlan150 are declared but have no address, pool,
# DHCP server or /interface bridge vlan entry anywhere in this export; only
# vlan10 and vlan60-WAN are actually wired up.
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=vlan30 vlan-id=30
add interface=bridge name=vlan40 vlan-id=40
add interface=bridge name=vlan50 vlan-id=50
add interface=bridge name=vlan60-WAN vlan-id=60
add interface=bridge name=vlan110 vlan-id=110
add interface=bridge name=vlan150 vlan-id=150
/interface list
# The WAN/LAN lists scope the firewall, NAT, neighbor discovery and MAC-server
# settings further down.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# dhcp_pool2 and dhcp_pool3 are the same range (10.0.60.2-254); only dhcp_pool3
# is referenced (by dhcp2 below), and that server sits on the modem-facing VLAN.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=10.0.10.2-10.0.10.254
add name=dhcp_pool2 ranges=10.0.60.2-10.0.60.254
add name=dhcp_pool3 ranges=10.0.60.2-10.0.60.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=dhcp_pool1 interface=vlan10 name=dhcp1
# dhcp2 hands out leases on vlan60-WAN, the same interface that also runs a
# DHCP client (see /ip dhcp-client below); a WAN VLAN needs the client only.
add address-pool=dhcp_pool3 interface=vlan60-WAN name=dhcp2
/disk settings
# NOTE(review): auto-smb-sharing=yes publishes any inserted media over SMB on
# the bridge interface; consider turning it off if it is not deliberately used.
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
# ether1 was added by hand (no defconf comment). Like ether2-ether8 it has no
# pvid/frame-types restriction and no entry in /interface bridge vlan below, so
# it only carries untagged default-VLAN traffic.
add bridge=bridge interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
# Neighbor discovery only on LAN-list interfaces, i.e. not on vlan60-WAN.
set discover-interface-list=LAN
/interface bridge vlan
# VLANs 60 and 10 are tagged on the trunk to the switch (sfp-sfpplus1) and on
# the bridge itself, which is what lets the router's own vlan60-WAN and vlan10
# interfaces receive them. No other bridge port is a member of either VLAN.
add bridge=bridge tagged=sfp-sfpplus1,bridge vlan-ids=60
add bridge=bridge tagged=sfp-sfpplus1,bridge vlan-ids=10
/interface list member
# vlan60-WAN is the only WAN member; bridge and vlan10 are LAN. The input-chain
# "drop all not coming from LAN" rule and the masquerade rule key on these lists.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=vlan60-WAN list=WAN
add interface=vlan10 list=LAN
/ip address
# 192.168.88.1/24 on the untagged bridge. The CRS304 export later in this thread
# gives its bridge the same 192.168.88.1/24; if untagged traffic passes over the
# trunk (neither side sets frame-types on its trunk port), the two addresses
# collide on the same segment.
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
# Static 10.0.60.1/24 on the WAN VLAN, next to a DHCP client on the same interface.
add address=10.0.60.1/24 interface=vlan60-WAN network=10.0.60.0
add address=10.0.10.1/24 interface=vlan10 network=10.0.10.0
/ip dhcp-client
# A DHCP client on the LAN-side bridge takes a lease, and a default route
# (default-route-tables=main), from whatever server answers there -- possibly
# the router's own defconf server. The client belongs on the WAN interface only.
add comment=defconf default-route-tables=main interface=bridge
add default-route-tables=main interface=vlan60-WAN
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=10.0.10.1 gateway=10.0.10.1
# Network definition for the dhcp2 server on vlan60-WAN (see note there).
add address=10.0.60.0/24 dns-server=10.0.60.1 gateway=10.0.60.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
# allow-remote-requests=yes makes the router answer DNS for anything that reaches
# its input chain; the "drop all not coming from LAN" input rule below is what
# keeps it from being an open resolver on vlan60-WAN.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
# Unmodified defconf IPv4 firewall: input is closed to everything outside the
# LAN list (after established/related, ICMP and loopback are accepted), forward
# drops new connections from the WAN list unless they were DST-NATed, and
# established traffic is fasttracked with hw-offload.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
# Source NAT for everything leaving through the WAN list (vlan60-WAN).
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/ipv6 firewall address-list
# defconf bogon list consumed by the IPv6 forward-chain drop rules below.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Unmodified defconf IPv6 firewall. No IPv6 address or DHCPv6 client appears in
# this export, so nothing is currently routed through these rules.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/tool mac-server
# MAC-level telnet and Winbox access only from LAN-list interfaces.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN


# 2025-07-27 11:40:03 by RouterOS 7.19.4
# model = CRS304-4XG
# Switch export as originally posted. The '#' lines below are review notes on
# what this export does; they do not change it.
/interface bridge
add admin-mac=*************** auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
# ether5 is administratively disabled here and still listed as a bridge port
# below (presumably the separate 1G port on this model -- confirm).
set [ find default-name=ether5 ] disabled=yes
/interface vlan
# Eight VLAN interfaces are declared on the bridge, but none of them carries an
# IP address in this export (the only address is on the untagged bridge) and
# only VLANs 10 and 60 have bridge-vlan entries; the rest are unused.
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=vlan30 vlan-id=30
add interface=bridge name=vlan40 vlan-id=40
add interface=bridge name=vlan50 vlan-id=50
add interface=bridge name=vlan60-WAN vlan-id=60
add interface=bridge name=vlan110 vlan-id=110
add interface=bridge name=vlan150 vlan-id=150
/port
set 0 name=serial0
/interface bridge port
# ether1 is the trunk to the RB5009: no frame-types or pvid set, so it accepts
# the tagged VLANs listed below and also untagged frames on the default VLAN.
add bridge=bridge comment=defconf interface=ether1
# ether2 (cable modem) is an access port on VLAN 60. admit-only-untagged-and-
# priority-tagged discards any tagged frame arriving from the modem side, so
# that side cannot place traffic into another VLAN.
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=60
# ether3/ether4 (PC side) are access ports on VLAN 10 with the same restriction.
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bridge=bridge comment=defconf interface=ether5
/interface bridge vlan
# VLAN 60: modem (untagged on ether2) <-> trunk (tagged on ether1). Listing
# 'bridge' as tagged also delivers VLAN 60 to the switch CPU; nothing in this
# export uses it there.
add bridge=bridge tagged=ether1,bridge untagged=ether2 vlan-ids=60
# VLAN 10: ether3/ether4 untagged <-> trunk tagged; 'bridge' tagged here is what
# the vlan10 interface above would need for management on VLAN 10.
add bridge=bridge tagged=ether1,bridge untagged=ether3,ether4 vlan-ids=10
/ip address
# Management address on the untagged bridge -- the same 192.168.88.1/24 that the
# RB5009 export above assigns to its own bridge.
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0

First, on the CRS304-4XG:

  • You don't need to have the bridge port in the tagged list of VLAN 60. Instead of:

    /interface bridge vlan
    add bridge=bridge tagged=ether1,bridge untagged=ether2 vlan-ids=60
    

    this is enough:

    /interface bridge vlan
    add bridge=bridge tagged=ether1 untagged=ether2 vlan-ids=60
    
  • And if you want to manage that switch from VLAN 10 only, all these unnecessary VLAN interfaces should be REMOVED from the switch:

    /interface vlan
    add interface=bridge name=vlan20 vlan-id=20
    add interface=bridge name=vlan30 vlan-id=30
    add interface=bridge name=vlan40 vlan-id=40
    add interface=bridge name=vlan50 vlan-id=50
    add interface=bridge name=vlan60-WAN vlan-id=60
    add interface=bridge name=vlan110 vlan-id=110
    add interface=bridge name=vlan150 vlan-id=150
    

    Only this needs to be kept:

    /interface vlan
    add interface=bridge name=vlan10 vlan-id=10
    
  • If you want to manage the switch with an IP address, as well as give it internet access for software updates, then maybe turn on the DHCP client on that vlan10 interface:

    /ip dhcp-client
    add interface=vlan10
    

    If you don't want DHCP client, then you can manually add a static IP address like 10.0.10.2/24 to vlan10 under /ip address instead, but don't forget to adjust the pool on the RB5009 to exclude that static address.


Moving to the RB5009UPr+S+:

Currently you are having both DHCP Client AND Server running at the same time on vlan60-WAN, which is wrong. Furthermore, you also have DHCP Client on the bridge interface, which is also wrong. On vlan10 you only need DHCP Server, and on vlan60-WAN you only need DHCP Client.

  • Under /ip dhcp-server, remove dhcp2

  • Under /ip pool, remove the two obsolete pools dhcp_pool2 and dhcp_pool3.

  • Under /ip address, remove the address entry 10.0.60.1/24 currently associated with interface vlan60-WAN.

  • Remove this entry from IP -> DHCP Client:

    /ip dhcp-client
    add comment=defconf default-route-tables=main interface=bridge
    
  • Remove this Entry from IP -> DHCP Server -> Networks:

    /ip dhcp-server network
    add address=10.0.60.0/24 dns-server=10.0.60.1 gateway=10.0.60.1
    

If you have no use for the original 192.168.88.1/24 network of the bridge interface on the RB5009 anymore, you can remove the related entries, namely:

  • The defconf DHCP Server instance.
  • The default-dhcp IP Pool.
  • The 192.168.88.1/24 entry under /ip address.
  • The entry with the defconf comment under IP -> DHCP Server -> Networks.
  • The router.lan entry under IP -> DNS -> Static.

Without looking at the config details:

The switch needs to be a switch and thus managed through the management vlan which is set up at the router. The switch gets its IP address from this subnet. This vlan is the only one requiring the bridge to also be tagged in /interface bridge vlan settings.

Normally only the management vlan needs to be identified on the switch in /interface vlan settings.

The only tricky part is vlan60 but as CGG pointed out.....
The switch is only taking the input from the cable modem, putting a VLAN tag on it, and then passing it out to the router.

The router simply terminates vlan60 as its internet connection, be it IP DHCP client or PPPoE........
vlan60 has nothing to do with any pools, or dhcp-server etc...

All the data vlans normally should be fully set up: pool, dhcp-server, dhcp-server network, address etc.
your /interface bridge port settings are hosed.

As noted by CGG once you go vlans, forget the bridge doing anything but bridge so simply move the required subnet to vlan5 for example........


Thank you very much, your changes got the Internet working. During my troubleshooting it looks like I definitely messed things up even more!

Now I'm facing fairly slow internet speed. Only 500 Mb/s download over the gigabit NIC.

I've read some about potential issues with the RB5009. Maybe I'm missing something obvious to resolve this?

Your router's and switch's configuration (after the changes) look pretty normal to me (standard firewall from defconf, and the VLAN configurations are ok). The RB5009 shouldn't have issue routing over 2 Gbps, with fasttrack (currently active on your firewall) even more than that.

What is your expected internet speed from the ISP? Do you reach that speed if you connect the cable modem directly to your PC and let the PC be the DHCP client of the cable modem?

Can you check the currently negotiated rates of the ethernet ports on both devices? On both devices in WinBox go to Interfaces -> Ethernet and make the "Rate" column visible for quicker overview:

Namely, what is the rate

  • between Cable Modem and CRS304's ether2?
  • between CRS304's ether1 and RB5009's sfp-sfpplus1?
  • between CRS304's ether3 and PC?

Do I understand correctly that Internet access is available in this environment via the switch port ether2?

Just curious, if you don't mind, what your situational need is that results in the CRS304 being the first device connected to the Internet and then an RB5009 on ether1 of the CRS304?

I am referring to the issue noted here: https://forum.mikrotik.com/t/rb5009-slow-speed-2-5g-bug-report-as-requested/155362

I am experiencing the reverse of what the above poster experienced, but the issue seems to apply in either direction.

All the link speeds you asked about are appropriate. My internet connection is 2 gigabit, so I have a 2.5 connection from the modem to the switch. Then 10gb between the switch and the router. As for the PC, I have tried both 1 gigabit and 10 gigabit connections. The 10 gigabit connection gives me full internet speed, but the 1 gigabit connection only gives me 500-600 Mb/s.

Based on what I've been reading, this appears to be something to do with the buffer in the router when moving between different port speeds.

I asked you about the rate because this is a common issue (not specific to the RB5009) when you have traffic coming from a faster interface (from RB5009 to CRS304) being sent to a slower link (from CRS304 to PC @ 1Gbps).

Here is an older post from me describing the issue with an "illustration" Bad performance with CRS310-8G+2S+IN working at 2.5Gbps - #21 by CGGXANNX

The workaround that you can read from my post as well as from the thread that you linked above, is to turn on flow control on the path between your PC and the cable modem. Do it for both Tx and Rx because you'll face the same problem when you connect the PC at 10 Gbps and try to upload at full speed (in this case the link has to slow down when entering the cable modem).

On the PC, look at the device properties of the ethernet adapter for the setting to turn on Flow Control. On the MikroTik devices, the setting has to be turned on per individual ethernet port.

Also, if your WAN is only 2 Gbps, then you can free one more port on the CRS304, and plug your cable modem into ether1 of the RB5009 instead. That port is fully capable of 2.5 Gbps. No big config change is required: on the RB5009 under /interface bridge port, just set the PVID of port ether1 to 60 (and probably turn on Flow Control for ether1 too). That's all that is needed. Then plug the cable modem into ether1.

Once you've verified that your internet works with the full 2 Gbps, you can reconfigure ether2 on the CRS304 to give it other purposes.

That is a necessary setup if OP has faster than 2.5 Gbps WAN (with fasttrack the Rb5009 should be able to route at 5 Gbps) because the RB5009 only has 1 port capable of > 2.5 Gbps.

Got it -- thank you.

Thank you for the generous help.

I have turned on send and receive flow control on all ports between the computer and the modem. SFP+ 1, ETH 1, 2, and 3. I have also ensured that flow control is on in the PC network adapter.

However, I am still getting download speeds of only 500 Mb/s.

If I then change the link speed to my modem to 1 Gb instead of 2.5 Gb, I get the full download speed of 940 Mb/s. No other changes.

As for my reason for not plugging WAN directly into the router, I need to utilize all of the POE ports.

Here is another post on this forum with the same issue: https://forum.mikrotik.com/t/please-help-rb5009-with-2-5g-advertise-allowed-dramatic-speed-decrease/176971/12

Here is another person who experienced the same issue on Reddit, the only difference being that my WAN is connected to the switch first. https://www.reddit.com/r/mikrotik/comments/rq7ytu/rb5009_25gbe_slower_than_1gbe/

As always best to post both configs after changes, that way we are working from truth.
Also did you switch the functionality between ether1 and ether2 as CGG suggested?

I have gone ahead and eliminated the Switch from the equation to get to the root of this issue. I have also eliminated all VLANs except 10 which the PC is on.

RB5009
Ether 1 -> Cable Modem (2.5gb)
Ether 3 -> PC (1gb)

With flow control on or off on both ports, I cannot exceed roughly 700 Mb/s to the PC. It fluctuates between 500-700 Mb/s. The internet has been tested on other devices at 2 Gb/s.


# 2025-08-21 17:01:28 by RouterOS 7.19.4
# model = RB5009UPr+S+
# Revised router export with the switch taken out of the path: ether1 -> cable
# modem (routed WAN), ether3 -> PC as a VLAN 10 access port. The '#' lines
# below are review notes; they do not change the export.
/interface bridge
add admin-mac=************** auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface ethernet
# Flow control (rx and tx) enabled on the WAN port and on both LAN-side ports
# that were in the PC path; ether2 is disabled.
set [ find default-name=ether1 ] rx-flow-control=on tx-flow-control=on
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] rx-flow-control=on tx-flow-control=on
set [ find default-name=sfp-sfpplus1 ] rx-flow-control=on tx-flow-control=on
/interface vlan
# Only the PC VLAN remains.
add interface=bridge name=vlan10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=10.0.10.2-10.0.10.254
/ip dhcp-server
# Single DHCP server, on vlan10 only; the WAN side runs just the client below.
add address-pool=dhcp_pool1 interface=vlan10 name=dhcp1
/disk settings
# NOTE(review): auto-smb-sharing=yes publishes any inserted media over SMB on
# the bridge interface; consider turning it off if it is not deliberately used.
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
# ether1 is no longer a bridge port; it is a plain routed WAN interface (see
# /interface list member and /ip dhcp-client). ether3 is an untagged-only access
# port on VLAN 10. ether2, ether4-ether8 and sfp-sfpplus1 are bridged with
# defaults, i.e. untagged default-VLAN traffic, except that sfp-sfpplus1 is also
# tagged for VLAN 10 below.
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 pvid=10
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
# Neighbor discovery only on LAN-list interfaces, i.e. not on ether1.
set discover-interface-list=LAN
/interface bridge vlan
# VLAN 10 is untagged on ether3 (PC), tagged on sfp-sfpplus1 (the former switch
# trunk) and on the bridge so the router's own vlan10 interface receives it.
add bridge=bridge tagged=sfp-sfpplus1,bridge untagged=ether3 vlan-ids=10
/interface list member
# ether1 is the only WAN member. The bridge stays in LAN even though no IP
# address is assigned to it below, so neighbor discovery and MAC-server/Winbox
# (end of file) remain reachable over the untagged bridge ports.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan10 list=LAN
/ip address
# The defconf 192.168.88.1/24 bridge address is gone; the only router address is
# the vlan10 gateway.
add address=10.0.10.1/24 interface=vlan10 network=10.0.10.0
/ip dhcp-client
# WAN lease and default route from the cable modem on routed ether1.
add default-route-tables=main interface=ether1
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=10.0.10.1 gateway=10.0.10.1
/ip dns
# allow-remote-requests=yes makes the router answer DNS for anything that reaches
# its input chain; the "drop all not coming from LAN" input rule below is what
# keeps it from being an open resolver on ether1.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,1.1.1.1
/ip firewall filter
# Unmodified defconf IPv4 firewall: input is closed to everything outside the
# LAN list (after established/related, ICMP and loopback are accepted), forward
# drops new connections from the WAN list unless they were DST-NATed, and
# established traffic is fasttracked with hw-offload.
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=\
    in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=\
    out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
# Source NAT for everything leaving through the WAN list (ether1).
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface-list=WAN
/ipv6 firewall address-list
# defconf bogon list consumed by the IPv6 forward-chain drop rules below.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Unmodified defconf IPv6 firewall. No IPv6 address or DHCPv6 client appears in
# this export, so nothing is currently routed through these rules.
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 \
    protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." \
    dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" \
    ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" connection-state=\
    established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 \
    protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" \
    ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" \
    in-interface-list=!LAN
/system clock
set time-zone-name=America/New_York
/tool mac-server
# MAC-level telnet and Winbox access only from LAN-list interfaces.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Probably the cable modem doesn't or can't react to the Pause frames, so flow control has no effect. Another thing to try is to swap the interface queues (in the Queues -> Interface Queues table) from only-hardware-queue to mq-pfifo (but you have to go to Queue Types and add a new type with mq-pfifo as Kind first, and use it as the interface queue for the ports). And probably this won't help either.

You should have the full 2Gbps download speed if you slap a PCI-E 2.5Gbps ethernet adapter (for about 25 USD) to the PC that currently only has the 1Gbps adapter. Maybe that's a simpler solution.

I tried mq-pfifo and the problem is still not 100% resolved.

When you mentioned the modem, I did some searching and came across this thread: https://forum.netgate.com/topic/196355/mixing-different-nic-speeds-1gb-10gb-performance-problem-question/166

The final "solution" was as follows:
Wanted to give an update to all here. I recently was able to get Sonic Fiber 10Gbps Symmetrical. With this ISP connection connected to the same pfSense and Cisco and UniFi switches, there are no issues with 1GbE, 2.5GbE, GbE and 10GbE LAN clients getting the max speeds they are expected to achieve (940Mbps/2.35Gbps/4.7Gbps/9.4Gbps). 802.3x Ethernet Flow Control is not required as TCP Flow Control works. The root cause is clearly with how DOCSIS changes the TCP flow. Comcast for sure uses AQM. This is only an issue for customers subscribed to their 2100Mbps/300Mbps top tier plan and can not employ 802.3x Ethernet Flow Control as a last resort.

The funny thing is that they were originally using the same modem that I have with the same speed plan (2100/300).

So it sounds like I'm completely out of luck? I have no other internet providers where I live.