Community discussions

 
Jimmy
Frequent Visitor
Frequent Visitor
Posts: 63
Joined: Thu Sep 29, 2011 11:42 pm
Location: Denmark
Contact:

Re: RB2011 slow internet even with fasttrack

Fri Dec 28, 2018 1:50 am

I do not understand how you can get that speed? After update to 6.43.8 is the worst shit I have seen from mikrotik :(
Back to DLINK Again :(
# dec/28/2018 00:36:18 by RouterOS 6.43.8
# software id = 8N6V-6ATQ
#
# model = 2011UAS-2HnD
# serial number = 419E02286B23
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge ssid=MikroTik \
    wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] mac-address=1C:5F:2B:70:B2:9B
set [ find default-name=sfp1 ] disabled=yes
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.0.100-192.168.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.0.1/24 interface=ether2 network=192.168.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1 netmask=24
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge1 type=internal
add interface=ether1 type=external
/lcd
set enabled=no touch-screen=disabled
/lcd interface pages
set 0 interfaces=wlan1
/system clock
set time-zone-name=Europe/Copenhagen
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Image
LCPL J.Hahn
Danish Army
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1373
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: RB2011 slow internet even with fasttrack

Fri Dec 28, 2018 2:02 am

Hey

I'm guessing the test was for forwarded traffic? And I'm hoping the test was not over wifi?!? And also not over the 100mbit ports? Any cpu usage data?
Do note that the gbit switch is connected over 1gbit line: so max you'll be able to do is 500 up + down = 1gbit total
Block diagram: https://i.mt.lv/cdn/rb_files/Block-RB2011UAS-2HnD.pdf

With the listed config all traffic is processed in full -> no fast-track.

Add this and retest
/ip firewall filter
add action=fasttrack-connection chain=forward comment="FastTrack: established & related" connection-state=established,related place-before=0
 
Jimmy
Frequent Visitor
Frequent Visitor
Posts: 63
Joined: Thu Sep 29, 2011 11:42 pm
Location: Denmark
Contact:

Re: RB2011 slow internet even with fasttrack

Fri Dec 28, 2018 2:38 am

standart router basic setup with cabel and Of cause 1gb. (if you see my config my wifi is distable :)
lucky i have a RB1100AHx4 for test, and now i no i will bye a RB4011 bur it is still sad about the speed on RB2011 :(

This is on RB1100AHx4 with same setup and same version and firmware :)

Image
LCPL J.Hahn
Danish Army
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1373
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: RB2011 slow internet even with fasttrack

Fri Dec 28, 2018 2:44 am

2011 is not as fast as 4011, but with the suggested change it can do much better.
 
Jimmy
Frequent Visitor
Frequent Visitor
Posts: 63
Joined: Thu Sep 29, 2011 11:42 pm
Location: Denmark
Contact:

Re: RB2011 slow internet even with fasttrack

Fri Dec 28, 2018 3:12 am

The RB4011 uses a quad core Cortex A15 CPU, same as in our carrier grade RB1100AHx4 unit, so hopfull it will run as RB1100AHx4 :)
LCPL J.Hahn
Danish Army
 
bdubs85
newbie
Topic Author
Posts: 41
Joined: Fri Sep 07, 2018 4:30 am

Re: RB2011 slow internet even with fasttrack

Fri Dec 28, 2018 11:47 pm

So did you enable fast track yet?
 
Jimmy
Frequent Visitor
Frequent Visitor
Posts: 63
Joined: Thu Sep 29, 2011 11:42 pm
Location: Denmark
Contact:

Re: RB2011 slow internet even with fasttrack

Sat Dec 29, 2018 12:32 am

No sorry i Will try it to morrow.

Cheers
Jimmy
LCPL J.Hahn
Danish Army
 
neilticktin
just joined
Posts: 1
Joined: Fri Dec 28, 2018 5:27 pm

Re: RB2011 slow internet even with fasttrack

Sat Dec 29, 2018 8:46 pm

When a new connection was being put it a couple days ago, we started doing testing and saw poor performance on a RB2011 -- around 100 mbps when the cable modem was testing directly at 900+ mbps. Decided to really streamline the rules and make sure that we were using FastTrack. A bit better, but not as much as one would think. So we went ahead and swapped out the RB2011 with a RB3011 that we had on hand, and found that it doubled the speed to 300-400 mbps -- but still nowhere near the 900+ mbps that we saw on a direct connect with the cable modem.

It feels to us like a bug in v6.43.8 -- any more that we can help provide to help identify?

Thanks!

Neil
 
nescafe2002
Long time Member
Long time Member
Posts: 579
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: RB2011 slow internet even with fasttrack

Sun Dec 30, 2018 12:10 pm

RB3011 w/fasttrack should reach 850Mbps easily, more or less depending on configuration.

RB3011 at 6.43.8 reaches 335 Mbps without fasttrack and 550Mbps with fasttrack (500Mbps capped connection) in a single TCP connection based browser test.

Are you perhaps using an IPv6 test server?
 
bdubs85
newbie
Topic Author
Posts: 41
Joined: Fri Sep 07, 2018 4:30 am

Re: RB2011 slow internet even with fasttrack

Sun Dec 30, 2018 5:07 pm

If you have ipv6 disabled in the router, it won't connect to ipv6 websites or connections, right?
 
bdubs85
newbie
Topic Author
Posts: 41
Joined: Fri Sep 07, 2018 4:30 am

Re: RB2011 slow internet even with fasttrack

Sun Dec 30, 2018 5:11 pm

When a new connection was being put it a couple days ago, we started doing testing and saw poor performance on a RB2011 -- around 100 mbps when the cable modem was testing directly at 900+ mbps. Decided to really streamline the rules and make sure that we were using FastTrack. A bit better, but not as much as one would think. So we went ahead and swapped out the RB2011 with a RB3011 that we had on hand, and found that it doubled the speed to 300-400 mbps -- but still nowhere near the 900+ mbps that we saw on a direct connect with the cable modem.

It feels to us like a bug in v6.43.8 -- any more that we can help provide to help identify?

Thanks!

Neil
Can you try downgrading to 6.36.4 or earlier os and firmware and see if you have normal speed with fasttrack?

I just want to know if it's just my hardware (modem+router) or the 2011 itself/software bug.
 
bdubs85
newbie
Topic Author
Posts: 41
Joined: Fri Sep 07, 2018 4:30 am

Re: RB2011 slow internet even with fasttrack

Mon Jan 14, 2019 8:44 am

Heck, why not...
It's a new year, nothing changed...
Speedtest.net gives 150 down/22 up
Dslreports gives 450 down/23 up

Gotta love the consistency.
 
bdubs85
newbie
Topic Author
Posts: 41
Joined: Fri Sep 07, 2018 4:30 am

Re: RB2011 slow internet even with fasttrack

Fri Jan 18, 2019 9:33 pm

I'll be leaving cable for a fiber connection soon (either 250/25 or 500/50) so I will be able to test and see what happens on a different ISP/modem with the same router/config/computers.
Speed is still bad, much worse at times: only 75-200 down.
 
dasvos
newbie
Posts: 29
Joined: Sat Mar 14, 2015 7:10 pm

Re: RB2011 slow internet even with fasttrack

Sun Jan 20, 2019 9:47 am

Have you ruled out the speedtest server as a possible issue?

Have you tried to connect another computer to WAN and test the throughput using a tool like iperf?
 
CsXen
Frequent Visitor
Frequent Visitor
Posts: 88
Joined: Wed Sep 10, 2014 8:31 pm
Location: Budapest - Hungary

Re: RB2011 slow internet even with fasttrack

Mon Jan 21, 2019 12:30 am

Hi.
Speedtest.net gives 150 down/22 up
On our 2011 this is the scenario too. When I upgraded it to 6.40.9 because of winbox vulnerability, it slowed down to about 150/28 Mbps... on a 350/30 UPC ConnectBox modem.
If I test the direct link without 2011, just PC->UPC... there is a full 350/30 speed. So something wrong with the RoS versions till 6.36.x
(I glued to 6.40.9 because it is the latest version, which uses master/slave port config instead of Hw offloading. :) which is a pain in my *ss)

Best regards: CsXen
 
bdubs85
newbie
Topic Author
Posts: 41
Joined: Fri Sep 07, 2018 4:30 am

Re: RB2011 slow internet even with fasttrack

Mon Jan 21, 2019 4:10 am

I really wish there was a solution to this. The 2011 is fairly powerful and I hate to upgrade it because of a software issue. I would be ok if it impacted lan traffic too or had some logical reason, but fasttrack thru wan shouldn't slow down that bad, especially without cpu maxing out...
 
mkx
Forum Guru
Forum Guru
Posts: 1949
Joined: Thu Mar 03, 2016 10:23 pm

Re: RB2011 slow internet even with fasttrack

Mon Jan 21, 2019 3:49 pm

Unrelated, but never the less:

I glued to 6.40.9 because it is the latest version, which uses master/slave port config instead of Hw offloading.

I'm using 6.44beta54 on my RB951G configured with traditional /interface ethernet setup, including VLANs in hardware ... and things work just fine. E.g. VLAN filtering works wire speed without RB's CPU noticing single bit.

The only big difference on ROS change 6.40->6.41 is how ports are grouped to a switch group (6.40) or bridge (6.41), nothing else is forced by this SW change.
BR,
Metod
 
CsXen
Frequent Visitor
Frequent Visitor
Posts: 88
Joined: Wed Sep 10, 2014 8:31 pm
Location: Budapest - Hungary

Re: RB2011 slow internet even with fasttrack

Mon Jan 21, 2019 4:25 pm

Hi.

I'm using 6.44beta54 on my RB951G configured with...

So.. your RB951 has 1 (one) switch chip, my RB2011 has 2 (two) different speed switch chip, and I can't do bridge the bridges.
(1 bridge for 1G and 1 bridge for 100M ports instead of switching... and can't bridge this 2 bridges. :) In old time, I simply bridged the two master port, and filtered, what I want... So the new bridge scheme with Hw offloading is a pain in my *ss, as I said.)

Best regards: CsXen
 
mkx
Forum Guru
Forum Guru
Posts: 1949
Joined: Thu Mar 03, 2016 10:23 pm

Re: RB2011 slow internet even with fasttrack

Mon Jan 21, 2019 8:33 pm

In new time you simply add all 10 ports to the same bridge. Regardless, bridge will only see traffic sent towards it through switch1-cpu and switch2-cpu "interfaces" (those are actually old master-ports). The new bridge implementation doesn't mess with /interface ethernet switch settings unless you configure bridge with vlan-filtering=yes.

Why, instead of whining, don't you just try?
BR,
Metod
 
CsXen
Frequent Visitor
Frequent Visitor
Posts: 88
Joined: Wed Sep 10, 2014 8:31 pm
Location: Budapest - Hungary

Re: RB2011 slow internet even with fasttrack

Thu Jan 24, 2019 6:50 pm

Hi.

Why, instead of whining, don't you just try?

I tried... I can't got over about 100Mbps on the Giga ports. I think, this is because bridge is as fast as the slowest port in it.
When current issue will corrected (150M max even with fasttrack...) I will try again. :)

Best regards: CsXen
 
volkswagner
just joined
Posts: 12
Joined: Sun Nov 20, 2016 9:45 pm

Re: RB2011 slow internet even with fasttrack

Sat Feb 09, 2019 5:44 pm

I wish MikroTik would help here. There is a serious issue with the later software or firmware or both.
It's frustrating to see their synthetic test results, while we can only realize a very small fraction in real world scenario.

With gigabit connections becoming more affordable, I'm now seeing MikroTik devices not keeping up.

I had a site with rb2011 with older software capping out at ~280Mbs in a gig connection. I thought
perhaps an update would help. Updated to latest software and firmware, which cause speed to cap
at about 120Mbs. I ended up using the providers router and and took the RB2011 home.

At home I performed a factory reset with default config and got the same speeds in my Gig services.
Additionally my hEX (750G r3) only gets ~550Mbs. I connected RB4011 and I get wire speed with
all other variables the same (computer, lan cable, modem, speed test site).

I see the same issue with CPU load never gets above ~70%. the RB2011 is the only device out of the
three that starts at it's max speed then slowly decreases over the test time (which appears to be some
sort of throttling). The hEX and RB4011 gradually speed up then maintain it's max speed.

I have a CRS125-24G-1S with 200Mbs circuit which maxes out at 50Mbs running 6.43.8.

I would love if MikroTik would stop saying we are just whiners. How about MikroTik tells
us which packages/firmware combination and which config will give us performance.
Like, hey MikroTik, put your money where your mouth is. Stop saying it's a problem with
our config, show me a good config that works, then I'll stop whining :)
Clearly vanilla/stock config does not cut the mustard.
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1373
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: RB2011 slow internet even with fasttrack

Sat Feb 09, 2019 6:14 pm

As a Tik admin you have a lot of features / possibilities in your hands, but also responsibility, as the choices made have significant impact.

Few examples:
* vlans & bridging: latest software introduces bridge level vlans, but it's has only limited switch chip support. one ends up quickly with full cpu processing. using switch menu features is better for performance.

* physical topology / connections of ports matters, see https://i.mt.lv/cdn/rb_files/RB2011iL-160620170215.png. if wan is on eth1-5 and lan on 6-10, 100mb is max one can get! Knowing the platform is important. Same story for hex (https://i.mt.lv/cdn/rb_files/RB750Gr3-d ... 140316.png & https://i.mt.lv/cdn/rb_files/RB750Gr3-e ... 152443.png), depending on how it is connected and configured, throughput could be capped to 500mbps, and that even before accounting for the bi-directional traffic.

* Its necessary to measure / analyse at the right place and in context. Router itself won't speed up or slow down, it will just do it's thing. The up's and down's depend on quite a bit of aspects: window size at client, ISP situation, source server load, ...

* CRS is a switch! Don't try to route with it -> know the hardware

BTW, it's a user that mentioned something about "whining" not the company.
 
bdubs85
newbie
Topic Author
Posts: 41
Joined: Fri Sep 07, 2018 4:30 am

Re: RB2011 slow internet even with fasttrack

Sat Feb 09, 2019 6:25 pm

I wish MikroTik would help here. There is a serious issue with the later software or firmware or both.
It's frustrating to see their synthetic test results, while we can only realize a very small fraction in real world scenario.

With gigabit connections becoming more affordable, I'm now seeing MikroTik devices not keeping up.

I had a site with rb2011 with older software capping out at ~280Mbs in a gig connection. I thought
perhaps an update would help. Updated to latest software and firmware, which cause speed to cap
at about 120Mbs. I ended up using the providers router and and took the RB2011 home.

At home I performed a factory reset with default config and got the same speeds in my Gig services.
Additionally my hEX (750G r3) only gets ~550Mbs. I connected RB4011 and I get wire speed with
all other variables the same (computer, lan cable, modem, speed test site).

I see the same issue with CPU load never gets above ~70%. the RB2011 is the only device out of the
three that starts at it's max speed then slowly decreases over the test time (which appears to be some
sort of throttling). The hEX and RB4011 gradually speed up then maintain it's max speed.

I have a CRS125-24G-1S with 200Mbs circuit which maxes out at 50Mbs running 6.43.8.

I would love if MikroTik would stop saying we are just whiners. How about MikroTik tells
us which packages/firmware combination and which config will give us performance.
Like, hey MikroTik, put your money where your mouth is. Stop saying it's a problem with
our config, show me a good config that works, then I'll stop whining :)
Clearly vanilla/stock config does not cut the mustard.
That has been my question/problem from the beginning. I get if the bridge performance changes how things work, but is it possible to give some insight into why things are acting weird.
  • Why did speed decrease only on wan traffic so dramatically since removing master/slave config?
  • Why even with fasttrack enabled does speed start out normal but slow down so dramatically without a corresponding maxing out of cpu? Speed often remains slower in subsequent tests. Is this an internal device buffer problem or packet timing issue? Can I troubleshoot this?
  • Why does cpu performance not go above 70-80% even when fasttrack is disabled?
Unfortunately I don't have another gigabit capable device at the moment to check config, but will within a month or 2.
 
volkswagner
just joined
Posts: 12
Joined: Sun Nov 20, 2016 9:45 pm

Re: RB2011 slow internet even with fasttrack

Sat Feb 09, 2019 10:24 pm

As a Tik admin you have a lot of features / possibilities in your hands, but also responsibility, as the choices made have significant impact.

Few examples:
* vlans & bridging: latest software introduces bridge level vlans, but it's has only limited switch chip support. one ends up quickly with full cpu processing. using switch menu features is better for performance.

* physical topology / connections of ports matters, see https://i.mt.lv/cdn/rb_files/RB2011iL-160620170215.png. if wan is on eth1-5 and lan on 6-10, 100mb is max one can get! Knowing the platform is important. Same story for hex (https://i.mt.lv/cdn/rb_files/RB750Gr3-d ... 140316.png & https://i.mt.lv/cdn/rb_files/RB750Gr3-e ... 152443.png), depending on how it is connected and configured, throughput could be capped to 500mbps, and that even before accounting for the bi-directional traffic.

* Its necessary to measure / analyse at the right place and in context. Router itself won't speed up or slow down, it will just do it's thing. The up's and down's depend on quite a bit of aspects: window size at client, ISP situation, source server load, ...

* CRS is a switch! Don't try to route with it -> know the hardware

BTW, it's a user that mentioned something about "whining" not the company.
@sebastia thanks for chiming in. Thanks for pointing out block diagrams, (which I'm already familiar with). I'm not sure what "if wan is on eth1-5 and lan on 6-10, 100mb is max one can get!" means. I certainly was not connecting to a 100Mb port and expecting greater than 100Mbs. Are you suggesting combining 1000Mbs and 100Mbs ports in same bridge, will degrade all 1000Mbs ports to 100Mbs Max?

I'm not sure what I'm supposed to learn from your post.
I asked some very direct questions and offered very direct challenge (please provide a working config that allows max NAT throughput).
I understand CRS is classified as a switch. A 600Mhz CPU with very modest routing needs, should be handled with ease.

MikroTik could be so much more if this forum offered real solutions vs pointing to existing documents. The Wiki is not clear, especially with so many variants of hardware and iterations of software advance. I don't think it's unreasonable to expect over 400Mbs from a RB2011 fully patched with default config, do you?

According to MikroTik, the CRS125 and RB2011 display nearly identical routing test results.
https://mikrotik.com/product/CRS125-24G ... estresults
https://mikrotik.com/product/RB2011UiAS ... estresults

Please tell me why I shouldn't consider them both for routing purposes?
If MikroTik doesn't show real world test results, how is anyone expected to pick the correct hardware for the desired workload?

So again, I challenge anyone to show me a config that will route NAT on RB2011 at the hardware's maximum limit.
Why can't we saturate the CPU with NAT traffic?
Why does the RB2011 appear to throttle at 70-75% CPU utilization (or after a 1 dec celsius increase).

My whining comment was not directly related to this thread, but from MikroTik employee at a MUM presentation.
I thought it was a worldly know fact (how MikroTik feels about it's user base complaining about misrepresented stats).
The consensus is always the same, "know your product". How are we supposed to "know it", when example stats are not
real world and when people ask for help, they simply get pointed to existing documentation, without any explanation.
Try giving your 12 year old child the keys to the car and a driving manual and expect them to learn how to drive
without any first hand instruction. Many of us need some on on one help.

People coming to these forums are looking for help, for products they genuinely like, but
since not all the users have the knowledge of how to wire a switch chip, it's hard to get real help. Why is there such
apprehension to share real world examples and individual help?

Claims have been made in this thread... the RB2011 has actually NAT'd over 800Mbs, but nobody has
posted a config that can do such. It's a simple request.

Please help educate your consumers MikroTik.
 
User avatar
CZFan
Forum Guru
Forum Guru
Posts: 1165
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa
Contact:

Re: RB2011 slow internet even with fasttrack

Sat Feb 09, 2019 11:37 pm

I have managed to get ~ 850Mb/s with RB2011, using NAT (No PPPoE). About a year ago, the RB2011 retired to my lab area and has been replaced with a HAP AC2 and I no longer have a 1Gb/s Internet link.

Why do you not start by providing your full config, and we can make suggestions?
MTCNA, MTCTCE, MTCRE & MTCINE
 
volkswagner
just joined
Posts: 12
Joined: Sun Nov 20, 2016 9:45 pm

Re: RB2011 slow internet even with fasttrack

Sun Feb 10, 2019 12:55 am

Well hopefully I'll be able to call myself an idiot when all said and done!

You helped me see a potential issue. Ignorance on my part, or a failed reset has
left some configs, that I didn't expect to see.

Here is the config that I last use (which I expected to be bone stock default, out of the box experience).
Notice firewall rules pointing to address list "LAN" and other ipec related firewall rules (that I don't expect
would be in the default config). I see how firewall rules were carried over in reset, but the address lists weren't?

I'll have to do a better reset and try again.
# feb/06/2019 21:57:45 by RouterOS 6.43.11
# software id = KQLT-H381
#
# model = 2011UiAS-2HnD
# serial number = 762C0718xxxx
/interface bridge
add admin-mac=64:D1:54:2C:xx:xx auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
    MikroTik-2C9E69 wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/lcd interface pages
set 0 interfaces=wlan1
/system clock
set time-zone-name=America/New_York
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1373
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: RB2011 slow internet even with fasttrack

Sun Feb 10, 2019 2:56 am

My previous post was mean to provide perspective and context: performance depends not only on hardware, but also software, configuration and topology. There is no one good solution.
 
bdubs85
newbie
Topic Author
Posts: 41
Joined: Fri Sep 07, 2018 4:30 am

Re: RB2011 slow internet even with fasttrack

Sun Feb 10, 2019 6:07 am

I have managed to get ~ 850Mb/s with RB2011, using NAT (No PPPoE). About a year ago, the RB2011 retired to my lab area and has been replaced with a HAP AC2 and I no longer have a 1Gb/s Internet link.

Why do you not start by providing your full config, and we can make suggestions?
Why don't you un-retire the RB2011, install new ROS and firmware and see what sort of performance change you get, vs whatever ISP speeds you get with your hap AC2? What is your link speed currently?
I remember you had given up after I reset to plain vanilla on page 1. :(
 
User avatar
CZFan
Forum Guru
Forum Guru
Posts: 1165
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa
Contact:

Re: RB2011 slow internet even with fasttrack

Sun Feb 10, 2019 2:32 pm

Back in the times I had a 1Gb internet, my one son (Serious gamer) was living with us and he paid for the link. This is not the case anymore, he has moved out, moved the 1Gb link with him, so now I have a measly 40/20 fibre link so will not prove anything anymore unfortunately.
MTCNA, MTCTCE, MTCRE & MTCINE
 
volkswagner
just joined
Posts: 12
Joined: Sun Nov 20, 2016 9:45 pm

Re: RB2011 slow internet even with fasttrack

Sun Feb 10, 2019 5:59 pm

Well, it seems I'm progressing and can't blame hardware or software just yet. I have been able to achieve ~800Mbs
with the following config:
# feb/10/2019 10:54:43 by RouterOS 6.43.11
# software id = KQLT-H381
#
# model = 2011UiAS-2HnD
# serial number = 762C0718xxxx
/interface bridge
add admin-mac=64:D1:54:2C:xx:xx auto-mac=no comment=defconf name=bridgeLocal
/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.88.10-192.168.88.99
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridgeLocal name=dhcp1
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
add bridge=bridgeLocal comment=defconf interface=ether6
add bridge=bridgeLocal comment=defconf interface=ether7
add bridge=bridgeLocal comment=defconf interface=ether8
add bridge=bridgeLocal comment=defconf interface=ether9
add bridge=bridgeLocal comment=defconf interface=ether10
add bridge=bridgeLocal comment=defconf interface=sfp1
/interface wireless cap
# 
set bridge=bridgeLocal discovery-interfaces=bridgeLocal enabled=yes \
    interfaces=wlan1
/ip address
add address=192.168.88.1/24 comment=ericAdded interface=bridgeLocal network=\
    192.168.88.0
/ip dhcp-client
add comment="eric moved dhcp-client to eth1, was on bridgeLocal" \
    dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=1.1.1.1 gateway=192.168.88.1
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat comment="eric added after reset" \
    out-interface=ether1
/system clock
set time-zone-name=America/New_York
This offers no real firewall protection. Does anyone have any suggestions what to add to firewall to make it more secure, but not slow throughput?
 
User avatar
CZFan
Forum Guru
Forum Guru
Posts: 1165
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa
Contact:

Re: RB2011 slow internet even with fasttrack

Sun Feb 10, 2019 6:17 pm

Generic, home use FW rules for me are: (With fwd chain rules first)

1. Drop invalid, fwd chain
2. accept Fastrack, fwd chain, est, rel
3. accept fwd chain, est, rel
4.allow new from lan, fwd chain
5. allow dst nat, in wan, connection new, fwd chain
6. drop all fwd chain

Then use similar for Input chain except the dst nat rule
MTCNA, MTCTCE, MTCRE & MTCINE
 
volkswagner
just joined
Posts: 12
Joined: Sun Nov 20, 2016 9:45 pm

Re: RB2011 slow internet even with fasttrack

Sun Feb 10, 2019 8:11 pm

I followed this post

and ended up with the following config, which still yielded 750-800Mbs NAT download.
# feb/10/2019 13:06:30 by RouterOS 6.43.11
# software id = KQLT-H381
#
# model = 2011UiAS-2HnD
# serial number = 762C0718xxxx
/interface bridge
add admin-mac=64:D1:54:2C:xx:xx auto-mac=no comment=defconf name=bridgeLocal
/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.88.10-192.168.88.99
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridgeLocal name=dhcp1
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
add bridge=bridgeLocal comment=defconf interface=ether6
add bridge=bridgeLocal comment=defconf interface=ether7
add bridge=bridgeLocal comment=defconf interface=ether8
add bridge=bridgeLocal comment=defconf interface=ether9
add bridge=bridgeLocal comment=defconf interface=ether10
add bridge=bridgeLocal comment=defconf interface=sfp1
/interface wireless cap
# 
set bridge=bridgeLocal discovery-interfaces=bridgeLocal enabled=yes \
    interfaces=wlan1
/ip address
add address=192.168.88.1/24 comment=ericAdded interface=bridgeLocal network=\
    192.168.88.0
/ip dhcp-client
add comment="eric moved dhcp-client to eth1, was on bridgeLocal" \
    dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=1.1.1.1 gateway=192.168.88.1
/ip firewall address-list
add address=192.168.88.0/24 list=support
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    \_need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    disabled=yes list=bogons
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=drop chain=input comment=\
    "Drop invalid, will need to update this rule when using ipsec" \
    connection-state=invalid
add action=accept chain=forward connection-state=established,related \
    disabled=yes
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
    tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
    src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
    src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
    ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
    PORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" \
    jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons
add action=add-src-to-address-list address-list=spammers \
    address-list-timeout=3h chain=forward comment=\
    "Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
    25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
    protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" \
    connection-state=established
add action=accept chain=input comment="Accept to related connections" \
    connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" \
    src-address-list=support
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
    RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED"
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \
    icmp-options=8:0 limit=1,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
    3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
    protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat comment="eric added after reset" \
    out-interface=ether1
/system clock
set time-zone-name=America/New_York
Image
 
volkswagner
just joined
Posts: 12
Joined: Sun Nov 20, 2016 9:45 pm

Re: RB2011 slow internet even with fasttrack

Sun Feb 10, 2019 8:21 pm

Thanks to everyone (@sebastia & @CZfan) that helped me on my journey.

The most important things I learned:
  • Don't trust software reset (command line nor WebFig) they leave traces of user config even when not checked
  • FastTrack does work.
  • Make sure firewall rules make sense and always test after implementing firewall changes
  • Queues don't work with fasttrack. If I need Queues, I'll need a more powerful model. Next test is to see if I can use Queues with RB4011 and still get high throughput.
I was also able to modify my existing firewall rules on RB750 G3. I made sure FastTrack was enabled and working correctly.
I now get over 900Mbs on my hEX!

...
hEX results:
Image
 
User avatar
CZFan
Forum Guru
Forum Guru
Posts: 1165
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa
Contact:

Re: RB2011 slow internet even with fasttrack

Sun Feb 10, 2019 9:29 pm

Well done, glad I could help.

FYI, IIRC, that is exactly what I achieved with my 2011, 812Mb/s

The link you posted to the firewall config, I just did a quick scan through it and off the bat it looks over complicated for many environments, I will also be weary of the following 2 rules as generally you will want to limit this to access only from inside your network, else can become a target for DNS Amplification attacks

add action=accept chain=input comment="Accept DNS - UDP" disabled=no port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" disabled=no port=53 protocol=tcp
MTCNA, MTCTCE, MTCRE & MTCINE
 
bdubs85
newbie
Topic Author
Posts: 41
Joined: Fri Sep 07, 2018 4:30 am

Re: RB2011 slow internet even with fasttrack

Sun Feb 17, 2019 10:46 am

Well, I reset my 2011 to no config, copied and pasted your config and I still have exactly the same performance as before. This is irritating.

Image

Then a few minutes later, I reset to my config with mangle rules and everything, with fasttrack enabled like usual:
Image

It doesn't stay this good of course.
I followed this post

and ended up with the following config, which still yielded 750-800Mbs NAT download.
# feb/10/2019 13:06:30 by RouterOS 6.43.11
# software id = KQLT-H381
#
# model = 2011UiAS-2HnD
# serial number = 762C0718xxxx
/interface bridge
add admin-mac=64:D1:54:2C:xx:xx auto-mac=no comment=defconf name=bridgeLocal
/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.88.10-192.168.88.99
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridgeLocal name=dhcp1
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
add bridge=bridgeLocal comment=defconf interface=ether6
add bridge=bridgeLocal comment=defconf interface=ether7
add bridge=bridgeLocal comment=defconf interface=ether8
add bridge=bridgeLocal comment=defconf interface=ether9
add bridge=bridgeLocal comment=defconf interface=ether10
add bridge=bridgeLocal comment=defconf interface=sfp1
/interface wireless cap
# 
set bridge=bridgeLocal discovery-interfaces=bridgeLocal enabled=yes \
    interfaces=wlan1
/ip address
add address=192.168.88.1/24 comment=ericAdded interface=bridgeLocal network=\
    192.168.88.0
/ip dhcp-client
add comment="eric moved dhcp-client to eth1, was on bridgeLocal" \
    dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=1.1.1.1 gateway=192.168.88.1
/ip firewall address-list
add address=192.168.88.0/24 list=support
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    \_need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    disabled=yes list=bogons
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=drop chain=input comment=\
    "Drop invalid, will need to update this rule when using ipsec" \
    connection-state=invalid
add action=accept chain=forward connection-state=established,related \
    disabled=yes
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
    tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
    src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
    src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
    ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
    PORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" \
    jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons
add action=add-src-to-address-list address-list=spammers \
    address-list-timeout=3h chain=forward comment=\
    "Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
    25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
    protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" \
    connection-state=established
add action=accept chain=input comment="Accept to related connections" \
    connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" \
    src-address-list=support
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
    RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED"
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \
    icmp-options=8:0 limit=1,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
    3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
    protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat comment="eric added after reset" \
    out-interface=ether1
/system clock
set time-zone-name=America/New_York
Image
 
User avatar
CZFan
Forum Guru
Forum Guru
Posts: 1165
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa
Contact:

Re: RB2011 slow internet even with fasttrack

Sun Feb 17, 2019 4:37 pm

Maybe you should approach your ISP?
MTCNA, MTCTCE, MTCRE & MTCINE
 
bdubs85
newbie
Topic Author
Posts: 41
Joined: Fri Sep 07, 2018 4:30 am

Re: RB2011 slow internet even with fasttrack

Sun Feb 17, 2019 4:47 pm

If i hook directly to the modem it runs flat out and they tell me it's my router. This modem isn't a "router", so can't put it into bridge or pass thru mode (i thought double nat issue maybe). I spent 3 hours one evening getting escalated and bounced around.
Maybe you should approach your ISP?
 
User avatar
CZFan
Forum Guru
Forum Guru
Posts: 1165
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa
Contact:

Re: RB2011 slow internet even with fasttrack

Mon Feb 18, 2019 12:14 am

If I may ask, what device is this ISP modem, make, model, etc?
MTCNA, MTCTCE, MTCRE & MTCINE
 
bdubs85
newbie
Topic Author
Posts: 41
Joined: Fri Sep 07, 2018 4:30 am

Re: RB2011 slow internet even with fasttrack

Mon Feb 18, 2019 12:50 am

Arris TM1602a docsis 3.0 cable/telephony modem
If I may ask, what device is this ISP modem, make, model, etc?
 
bdubs85
newbie
Topic Author
Posts: 41
Joined: Fri Sep 07, 2018 4:30 am

Re: RB2011 slow internet even with fasttrack

Tue Mar 12, 2019 1:58 am

I upgraded to a RB4011iGS+5HacQ2HnD and it's running max speed every time at around 4% CPU out of the box.

Who is online

Users browsing this forum: No registered users and 19 guests