How and where??Use hardware bridge.
I read the article, but I am not sure if it applies, mainly because 150 mbit is low rate, on a WAN and CPU is completely under-stressed. I see no reason for this speed drop.The gigabit switch has a gigabit connection to the CPU, it is normal to have to avoid software. The fast switch might be similar.
Don't bridge between switches or the WAN.
This means some hosts may need to be connected to the same half.
# feb/19/2020 09:03:32 by RouterOS 6.45.8
#
# model = 2011UiAS-2HnD
# LAN bridge. auto-mac=no pins the bridge MAC to the admin-mac value; the same MAC is
# listed as valid-server in the /ip dhcp-server alert entry further down.
/interface bridge
add admin-mac=64:D1:54:E3:FD:0A auto-mac=no comment=defconf name=MREZA
# Port renames. ether1 becomes INTERNET, the uplink that is put in the WAN interface list.
# speed=100Mbps on ether1-ether5: per a later reply in this thread the value is only used
# when auto-negotiation is disabled, so on its own it does not cap the link.
/interface ethernet
set [ find default-name=ether5 ] name=GBE-ether5 speed=100Mbps
set [ find default-name=ether1 ] name=INTERNET speed=100Mbps
set [ find default-name=ether3 ] name=PRASE-ether3 speed=100Mbps
set [ find default-name=ether2 ] name=TABLETA-ether2 speed=100Mbps
set [ find default-name=ether4 ] name=ZORG-ether4 speed=100Mbps
# ether6-ether10 advertise up to 1000M here; a reply in this thread states these ports are
# 100Mbit-only on the RB2011.
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
# sfp1 is disabled here but is still added as a bridge port below.
set [ find default-name=sfp1 ] disabled=yes
# Local 2.4 GHz access point (ssid=SKYNET). No security-profile= is set on this entry, so it
# presumably uses the default profile defined below - confirm. wps-mode=disabled keeps WPS
# enrolment off. The radio is also handed to CAPsMAN via /interface wireless cap.
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-g/n basic-rates-a/g=18Mbps basic-rates-b="" country=no_country_set disabled=no frequency=2462 frequency-mode=manual-txpower installation=indoor mode=ap-bridge name=WiFi \
rate-set=configured ssid=SKYNET supported-rates-a/g=18Mbps,24Mbps,36Mbps,48Mbps,54Mbps supported-rates-b="" wireless-protocol=802.11 wps-mode=disabled
# CAPsMAN profile: WPA2-PSK with AES-CCM only, clients bridged into MREZA.
# No passphrase is visible in this export (hidden by the export or unset - confirm).
/caps-man configuration
add channel.band=2ghz-g/n channel.control-channel-width=20mhz channel.tx-power=14 datapath.bridge=MREZA distance=indoors installation=indoor name=skynet security.authentication-types=wpa2-psk security.encryption=aes-ccm ssid=SKYNET
# Interface lists used by the firewall, neighbor discovery and MAC server rules.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Default profile: WPA2-PSK only, with dynamic keys.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
# Extra profile "VIRUS" accepts legacy WPA (wpa-psk) next to WPA2 and, unlike the default
# profile, shows no mode= value. No interface in this export references it.
# NOTE(review): verify it is not an open (mode=none) profile before attaching it to anything;
# remove it if unused so a weaker profile cannot be selected by mistake.
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed name=VIRUS supplicant-identity=""
# Address pools: "dhcp" for LAN clients, "vpn" for PPP clients.
/ip pool
add name=dhcp ranges=192.168.42.100-192.168.42.200
add name=vpn ranges=192.168.89.2-192.168.89.255
# DHCP server bound to the bridge MREZA with an 8-day lease.
/ip dhcp-server
add address-pool=dhcp disabled=no interface=MREZA lease-time=1w1d name=defconf
# PPP profiles. sstp-profile hands out a fixed /30-style pair and refuses unencrypted sessions
# (use-encryption=required).
/ppp profile
add dns-server=192.168.99.1 local-address=192.168.99.1 name=sstp-profile remote-address=192.168.99.2 use-encryption=required
# *FFFFFFFE is an internal ID, presumably the built-in encrypted default profile - confirm.
# remote-address is a single address here, not the "vpn" pool defined above.
set *FFFFFFFE local-address=192.168.89.1 remote-address=192.168.89.2
# All simple-queue and queue-tree entries below are disabled=yes. The queue tree consumes the
# packet marks set in /ip firewall mangle. A reply in this thread points out that shaping
# queues can cost throughput on this router even when they are not throttling.
/queue simple
add disabled=yes max-limit=1G/1G name="ALL BW" target=192.168.42.0/24
/queue tree
add disabled=yes max-limit=10M name="All BW" parent=global priority=1
add disabled=yes max-limit=10M name=Download packet-mark=client-dw-pk parent="All BW" priority=2
add disabled=yes max-limit=1M name=Upload parent="All BW"
add disabled=yes max-limit=10M name=http-dw packet-mark=http-dw-pk parent=Download priority=1 queue=pcq-download-default
add disabled=yes max-limit=5M name=other-dw parent=Download priority=6 queue=pcq-download-default
add disabled=yes max-limit=1M name=http-up packet-mark=http-up-pk parent=Upload priority=1 queue=pcq-upload-default
add disabled=yes max-limit=512k name=other-up parent=Upload priority=6 queue=pcq-upload-default
# CAPsMAN manager generates its own CA and certificate. Nothing on this line requires CAPs to
# present a certificate. NOTE(review): confirm whether peer certificates should be enforced.
/caps-man manager
set ca-certificate=auto certificate=auto
# Provisioning rule with no radio or MAC matcher: every CAP that connects is given the
# "skynet" configuration. Reachability of the manager is limited only by the input firewall.
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=skynet
# Everything except INTERNET (ether1) is a port of bridge MREZA, including the local radio
# and the disabled sfp1.
/interface bridge port
add bridge=MREZA comment=defconf interface=TABLETA-ether2
add bridge=MREZA comment=defconf interface=PRASE-ether3
add bridge=MREZA comment=defconf interface=ZORG-ether4
add bridge=MREZA comment=defconf interface=GBE-ether5
add bridge=MREZA comment=defconf interface=ether6
add bridge=MREZA comment=defconf interface=ether7
add bridge=MREZA comment=defconf interface=ether8
add bridge=MREZA comment=defconf interface=sfp1
add bridge=MREZA comment=defconf interface=WiFi
# "*E" is an internal ID, not a name: the interface this entry pointed to apparently no longer
# exists. NOTE(review): stale entry, safe to review and remove.
add bridge=MREZA interface=*E
add bridge=MREZA interface=ether9
add bridge=MREZA interface=ether10
# use-ip-firewall=yes sends bridged (same-LAN) frames through the IP firewall as well.
# A reply in this thread asks for a test with use-ip-firewall=no.
/interface bridge settings
set use-ip-firewall=yes
# Neighbor discovery is limited to the LAN list, so the router is not announced on INTERNET.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# L2TP server settings. No enabled=yes is shown here, so the server may be off - confirm.
# NOTE(review): use-ipsec=yes offers IPsec; check whether plain L2TP without IPsec is still
# accepted and use the stricter setting if it is. No IPsec secret is visible in this export.
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=MREZA list=LAN
add comment=defconf interface=INTERNET list=WAN
# SSTP server: MS-CHAPv2 only, server certificate "Server", AES and PFS forced.
# No enabled=yes and no client-certificate check are shown on this line - confirm both.
/interface sstp-server server
set authentication=mschap2 certificate=Server default-profile=sstp-profile force-aes=yes pfs=yes
# The router's own radio registers as a CAP with the CAPsMAN running on the same box
# (127.0.0.1) and requests a certificate from it.
/interface wireless cap
set caps-man-addresses=127.0.0.1 certificate=request interfaces=WiFi
# NOTE(review): the LAN address is bound to TABLETA-ether2, which is a port of bridge MREZA,
# while the DHCP server and the LAN list use MREZA itself. Addresses on bridge member ports
# are normally placed on the bridge; confirm this is intended.
/ip address
add address=192.168.42.1/24 comment=defconf interface=TABLETA-ether2 network=192.168.42.0
# Static WAN address kept but disabled; the WAN address comes from the DHCP client below.
add address=192.168.69.2/24 disabled=yes interface=INTERNET network=192.168.69.0
# Dynamic DNS through MikroTik cloud: the router's public address is published under a
# cloud hostname.
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=INTERNET
# Rogue-DHCP detection on the LAN bridge: only the bridge's own MAC is treated as a
# legitimate DHCP server.
/ip dhcp-server alert
add disabled=no interface=MREZA valid-server=64:D1:54:E3:FD:0A
# Static leases for two LAN hosts.
/ip dhcp-server lease
add address=192.168.42.101 client-id=1:0:11:32:83:31:14 mac-address=00:11:32:83:31:14 server=defconf
add address=192.168.42.102 client-id=1:a8:60:b6:39:f8:c6 mac-address=A8:60:B6:39:F8:C6 server=defconf
# Clients get the router as gateway, DNS server and CAPsMAN address, plus two public NTP servers.
/ip dhcp-server network
add address=192.168.42.0/24 caps-manager=192.168.42.1 comment=defconf dns-server=192.168.42.1 domain=skynet.local gateway=192.168.42.1 netmask=24 ntp-server=216.239.35.0,216.239.35.4
# allow-remote-requests=yes makes the router answer DNS queries from other hosts. Whether that
# is reachable from INTERNET depends on the input chain's final "drop all not coming from LAN"
# rule staying in place.
/ip dns
set allow-remote-requests=yes servers=176.103.130.130,176.103.130.131
/ip dns static
add address=192.168.42.1 name=theboss.local
# Address lists: "clients" is matched by the counting rule in the filter table, "router" by
# the first mangle rule.
/ip firewall address-list
add address=192.168.42.2-192.168.42.254 list=clients
add address=192.168.42.1 list=router
# Filter rules are evaluated top to bottom per chain; the order below is significant.
/ip firewall filter
# FastTrack for established/related forwarded traffic. FastTrack'ed packets skip most later
# firewall processing, including the mangle marks and queue tree defined in this export.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# VPN listeners. These accepts have no in-interface or source matcher and sit above the
# "drop all not coming from LAN" rule, so the ports are reachable from INTERNET.
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
# NOTE(review): no PPTP server section appears in this export. If PPTP is unused, this rule
# only widens the exposed surface; PPTP is also a legacy protocol best left disabled.
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
# Counting rule ("brojanje") in the forward chain, placed among the input rules: records the
# source of TCP packets from the "clients" list in a dynamic list whose entries never time out.
# Only packets that are not FastTrack'ed reach it.
add action=add-src-to-address-list address-list=markirani_korisnici_tcp address-list-timeout=none-dynamic chain=forward comment=brojanje protocol=tcp src-address-list=clients
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Final input rule: anything not accepted above that arrives on a non-LAN interface is dropped.
# This is what keeps the router's own services (DNS resolver, management) off the WAN.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# NOTE(review): the forward chain ends here. The stock default configuration normally closes it
# with a "drop all from WAN not DSTNATed" rule; none appears in this export, so new connections
# forwarded in from INTERNET are not dropped by the filter. Confirm whether it was removed on purpose.
# Marking rules that feed the (currently disabled) queue tree. The poster reports in this
# thread that disabling mangle was tested. With the fasttrack rule active, FastTrack'ed
# packets bypass these rules, so the marks cover only part of the traffic.
/ip firewall mangle
# Traffic addressed to the router itself is accepted first and is not marked.
add action=accept chain=prerouting comment=router dst-address-list=router
# Commented "DNS" but matches TCP port 53 only; the next rule accepts all UDP, so no UDP
# traffic reaches the marking rules below.
add action=accept chain=forward comment=DNS port=53 protocol=tcp
add action=accept chain=forward comment=UDP protocol=udp
# The mark-connection rules carry no connection-state or "no-mark" matcher, so they are
# evaluated for every packet that reaches them, not just the first packet of a connection.
add action=mark-connection chain=forward comment=clinet-dw-con in-interface=INTERNET new-connection-mark=client-dw-con passthrough=yes
add action=mark-packet chain=forward comment=client-dw-pk connection-mark=client-dw-con new-packet-mark=client-dw-pk passthrough=yes
add action=mark-connection chain=prerouting comment=client-up-con in-interface=MREZA new-connection-mark=client-up-con passthrough=yes
add action=mark-packet chain=prerouting comment=client-up-pk connection-mark=client-up-con new-packet-mark=client-up-pk passthrough=yes
# HTTP/HTTPS packets are re-marked and leave the chain (passthrough=no).
add action=mark-packet chain=forward comment=http-dw-pk new-packet-mark=http-dw-pk packet-mark=client-dw-pk passthrough=no port=80,443 protocol=tcp
add action=mark-packet chain=forward comment=http-up-pk new-packet-mark=http-up-pk packet-mark=client-up-pk passthrough=no port=80,443 protocol=tcp
# Catch-all: has no matcher, so it overwrites the connection mark on everything still in the chain.
add action=mark-connection chain=forward comment=other-con new-connection-mark=other-con passthrough=yes
add action=mark-packet chain=forward comment=other-dw-pk new-packet-mark=other-dw-pk packet-mark=client-dw-pk passthrough=no
add action=mark-packet chain=forward comment=other-up-pk new-packet-mark=other-up-pk packet-mark=client-up-pk passthrough=yes
/ip firewall nat
# Source NAT for everything leaving through the WAN list, except traffic covered by an IPsec policy.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Disabled rules that would force DNS from 192.168.42.102 to the router's resolver.
add action=dst-nat chain=dstnat disabled=yes dst-port=53 log=yes log-prefix="*****LOCAL DNS FORWARD*****" protocol=udp src-address=192.168.42.102 to-addresses=192.168.42.1 to-ports=53
add action=dst-nat chain=dstnat disabled=yes dst-port=53 protocol=tcp src-address=192.168.42.102 to-addresses=192.168.42.1 to-ports=53
# Masquerade for the VPN subnet with no out-interface matcher: it applies on every egress
# interface, including towards the LAN.
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
# Static default route next to the DHCP client on INTERNET.
/ip route
add distance=1 gateway=192.168.69.1
# NOTE(review): allow-none-crypto=yes lets an SSH session be negotiated with the "none" cipher,
# i.e. without encryption, and forwarding-enabled=remote permits SSH port forwarding through
# the router. Unless both are needed, set allow-none-crypto=no and disable forwarding.
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
# UPnP is on: any host on MREZA can request inbound port mappings on INTERNET without
# authentication. NOTE(review): disable unless a LAN application depends on it.
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=MREZA type=internal
add interface=INTERNET type=external
# Front-panel LCD shows statistics only; read-only-mode=yes keeps it from changing settings.
/lcd
set backlight-timeout=never default-screen=stats read-only-mode=yes
/lcd interface
set INTERNET timeout=1s
# PPP accounts. No password appears for either entry anywhere in this export.
# NOTE(review): confirm the passwords were hidden by the export and are not empty. "vpn" has
# no service= or profile= restriction, while "sstp" is tied to the SSTP service and profile.
/ppp secret
add name=vpn
add name=sstp profile=sstp-profile service=sstp
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name="The Boss"
# Extra log topics for CAPsMAN and wireless events.
/system logging
add topics=caps
add topics=wireless
/system ntp client
set enabled=yes primary-ntp=216.239.35.0 secondary-ntp=216.239.35.4
# The router also serves NTP and sends broadcast time announcements.
/system ntp server
set broadcast=yes enabled=yes
# Updates follow the long-term channel; the export header reports RouterOS 6.45.8.
/system package update
set channel=long-term
/system routerboard settings
set cpu-frequency=650MHz
# Graphing is enabled for interfaces, queues and resources with default settings.
/tool graphing
set store-every=hour
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
# Layer-2 management (MAC telnet and MAC Winbox) is limited to the LAN list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# RoMON is enabled and forbidden on INTERNET. No RoMON secret is visible in this export.
# NOTE(review): confirm a secret is set, otherwise any RoMON-capable device on the LAN can join.
/tool romon
set enabled=yes
/tool romon port
add disabled=no forbid=yes interface=INTERNET
# NOTE(review): no /ip service or /user section appears in this export, so the state of the
# management services (telnet, ftp, www, api, winbox) and accounts cannot be checked from it.
ip settings print
ip-forward: yes
send-redirects: yes
accept-source-route: no
accept-redirects: no
secure-redirects: yes
rp-filter: no
tcp-syncookies: no
max-neighbor-entries: 8192
arp-timeout: 30s
icmp-rate-limit: 10
icmp-rate-mask: 0x1818
route-cache: yes
allow-fast-path: yes
ipv4-fast-path-active: no
ipv4-fast-path-packets: 0
ipv4-fast-path-bytes: 0
ipv4-fasttrack-active: yes
ipv4-fasttrack-packets: 2519484
ipv4-fasttrack-bytes: 3405603511
Yes. Both current and upgrade firmware.Did you update the firmware too?
I have just disabled Mangle. The measurements are consistently 10-15MBit slower than direct link.When you test what is the status of the CPU?
I see you have a few mangle rules. Did you create those and can you disable those for a test?
100% sure about link, also for PC.Are you sure that you have 1000Mbit link on ETH1 (and on the port you connect your speedtest-running PC on) ?
Your configuration sets port 1-5 (the gigabit ports) to SPEED=100M .
The other ports (ETH6-10) is 100Mbit only on the RB2011.
This one has fooled me many times before. This is a export of the interfaces on a hAP AC2Are you sure that you have 1000Mbit link on ETH1 (and on the port you connect your speedtest-running PC on) ?
Your configuration sets port 1-5 (the gigabit ports) to SPEED=100M .
The other ports (ETH6-10) is 100Mbit only on the RB2011.
From your config it looks like you are using Ethernet 1 to 5 only which means Gbit speed and looking at the block diagram (https://i.mt.lv/cdn/rb_files/RB2011UiAS ... 170256.png) there should be more than enough bandwidth internally to not cause an issue.100% sure about link, also for PC.Are you sure that you have 1000Mbit link on ETH1 (and on the port you connect your speedtest-running PC on) ?
Your configuration sets port 1-5 (the gigabit ports) to SPEED=100M .
The other ports (ETH6-10) is 100Mbit only on the RB2011.
100mbit is weird a bit, but I checked rate and speed is negotiated 1000mbit.
From your config it looks like you are using Ethernet 1 to 5 only which means Gbit speed and looking at the block diagram (https://i.mt.lv/cdn/rb_files/RB2011UiAS ... 170256.png) there should be more than enough bandwidth internally to not cause an issue.100% sure about link, also for PC.Are you sure that you have 1000Mbit link on ETH1 (and on the port you connect your speedtest-running PC on) ?
Your configuration sets port 1-5 (the gigabit ports) to SPEED=100M .
The other ports (ETH6-10) is 100Mbit only on the RB2011.
100mbit is weird a bit, but I checked rate and speed is negotiated 1000mbit.
So the only option I could give is to reinstall the router using netinstall and test with default config. This may very well turn out to not solve anything so perhaps not even worth trying.
Just tried it = 12MBit difference.Have you tried with:
/interface bridge settings
set use-ip-firewall=no
Just tried it. Without Fasttrack CPU load is up to 65% and speed is about 22 MBit lower.Did you try deactivating fasttrack, as illogical as it may sound?
I will probably kill the router today and test barebones. I am really surprised to see it stumble this much on traffic.The RB2011 is an old and slow router. It will have no problem with switching 1Gbit/s between interfaces, but when routing you will quickly hit limits when not everything is configured in a minimalist way.
E.g. those shaping queues can have some effect even when they are not actually throttling traffic.
Don't worry about the speed=100Mbps, it is the default speed when autonegotiate is disabled, when it is enabled it has no effect at all.
I max out my 500/50 connection with the 2011 but I don't use queues.The RB2011 is an old and slow router. It will have no problem with switching 1Gbit/s between interfaces, but when routing you will quickly hit limits when not everything is configured in a minimalist way.
E.g. those shaping queues can have some effect even when they are not actually throttling traffic.
Don't worry about the speed=100Mbps, it is the default speed when autonegotiate is disabled, when it is enabled it has no effect at all.
I max out my 500/50 connection with the 2011 but I don't use queues.
Nope. I netinstalled the router, killed everything off, literally no settings in, except a few lines to enable basic functionality. The router was literally naked.It could be the PPPoE.
...
In the past I even bought a SFP VDSL modem for it, to replace the Draytek 130 VDSL modem I use at home. But that never really worked, mostly because RouterOS does not include support for it to readout the line parameters and MikroTik apparently isn't interested in VDSL (I can understand they don't want to produce a modem/router, but support for a SFP VDSL modem would be useful).
Latency on 5G and NV2 is trivial. As for pollution, it is what it is. We need speed.So they are choosing wireless pollution and high latency?
You still need to go through the base station.Latency on 5G and NV2 is trivial. As for pollution, it is what it is. We need speed.So they are choosing wireless pollution and high latency?
My VDSL is FTTC. The line is less than 100m in length, only to a street cabinet that is connected by fiber. I am using VDSL2 with 17a profile, but 35b is also available (200 Mbit/s). And you can get "bonded" (2 lines) as well for double that speed.In South Africa, the major Telecoms company, i.e. Telkom has started plans of removing all ADSL / VDSL infrastructure in the near future, so the choices are going to be Fibre, Wireless / 3G/4G/5G/LTE for home users
You can get 500Mbps on a regular line at 200m with G.fast .My VDSL is FTTC. The line is less than 100m in length, only to a street cabinet that is connected by fiber. I am using VVDSL2 with 17a profile, but 35b is also available (200 Mbit/s). And you can get "bonded" (2 lines) as well for double that speed.
So they are choosing wireless pollution and high latency?
This is probably an issue in SAR. We don’t ever see that.
I suppose the problem here is that the current copper cabling infrastructure is so old and causing lots and lots of problems. To make that worse, the copper cabling theft here is huge, Telkom or the electricity companies will replace a cable, and a week later, it will be stolen again