I currently have 1Gbit up/down connection and I'm having issues going past roughly half of that, I was downloading a game the other day at about 40 MB/s and Discord sounded metallic and Netflix was buffering all the time. Most downloads tops at that speed more or less but in speedtests I have about 930 up and down, but I noticed that, as soon as I turn on Qbitorrent, even if there's very little upload bandwidth usage (like 1 MB/s or so), the download speed takes a dip below 900. I checked CPU usage and it rarely goes beyond 30-35% even when I'm downloading big files.
This doesn't happen with the router the ISP provided, so I discard that there's something wrong in the fiber connection. This is my current config:
Code: Select all
# sep/20/2021 13:48:43 by RouterOS 6.48.4
# software id = 3IGX-RWR4
#
# model = RB750Gr3
# serial number = CC210E0A13F3
/interface bridge
add admin-mac=XXXXXXXXX auto-mac=no comment=defconf name=bridge \
protocol-mode=none
/interface vlan
add interface=ether1 name=vlan20 vlan-id=20
add interface=bridge name=vlan_router_digi vlan-id=20
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan20 name=pppoe-out1 user=\
XXXXXXXXXXX
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.128-192.168.1.250
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=pool_pppoe_server ranges=10.0.1.200-10.0.1.250
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=1d name=defconf
/ppp profile
add local-address=10.0.1.1 name=pppoe_server_digi remote-address=\
pool_pppoe_server
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface pppoe-server server
add default-profile=pppoe_server_digi disabled=no interface=vlan_router_digi \
service-name=servicio_router_digi
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=\
1.1.1.1,1.0.0.1,2001:4860:4860::8888,2001:4860:4860::8844
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=hairpin-nat dst-address=\
192.168.1.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface=pppoe-out1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=pppoe-out1 type=external
add interface=bridge type=internal
/ipv6 address
add address=::1 from-pool=pool6 interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-out1 pool-name=pool6 request=prefix \
script=":delay 5s;\r\
\n/ipv6 address remove [find advertise=yes] \r\
\n/ipv6 address add interface=bridge address=::1/64 from-pool=pool6 advert\
ise=yes"
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/ipv6 nd
set [ find default=yes ] disabled=yes hop-limit=64 other-configuration=yes
add interface=bridge mtu=1480
/ppp secret
add name=vpn
add name=XXXXXXXXXXXXX profile=pppoe_server_digi service=pppoe
/system clock
set time-zone-name=Europe/Madrid
/system scheduler
add interval=30m name=Duckdns-Dynamic-IP-Updater on-event=\
"/system script run Duckdns-Dynamic-IP-Updater;" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=aug/08/2021 start-time=00:00:00
/system script
add dont-require-permissions=no name=Duckdns-Dynamic-IP-Updater owner=admin \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="#----------SCRIPT INFORMATION-------------------------------------\
--------------\r\
\n#\r\
\n# Script: Beeyev DuckDNS.org Dynamic DNS Update Script\r\
\n# Version: 1.2\r\
\n# Created: 29/07/2019\r\
\n# Updated: 06/06/2021\r\
\n# Author: Alexander Tebiev\r\
\n# Website: https://github.com/beeyev\r\
\n#\r\
\n#----------MODIFY THIS SECTION AS NEEDED--------------------------------\
--------\r\
\n\r\
\n\r\
\n# DuckDNS Sub Domain\r\
\n:local duckdnsSubDomain \"XXXXXXXXXX\"\r\
\n\r\
\n# DuckDNS Token\r\
\n:local duckdnsToken \"XXXXXXXXXXXXX\"\r\
\n\r\
\n# Set true if you want to use IPv6\r\
\n:local ipv6mode false;\r\
\n\r\
\n# Online services which respond with your IPv4, two for redundancy\r\
\n:local ipDetectService1 \"https://api.ipify.org/\"\r\
\n:local ipDetectService2 \"https://api4.my-ip.io/ip.txt\"\r\
\n\r\
\n# Online services which respond with your IPv6, two for redundancy\r\
\n:local ipv6DetectService1 \"https://api64.ipify.org\"\r\
\n:local ipv6DetectService2 \"https://api6.my-ip.io/ip.txt\"\r\
\n\r\
\n\r\
\n#-----------------------------------------------------------------------\
--------\r\
\n\r\
\n:local previousIP; :local currentIP\r\
\n# DuckDNS Full Domain (FQDN)\r\
\n:local duckdnsFullDomain \"\$duckdnsSubDomain.duckdns.org\"\r\
\n\r\
\n:log warning message=\"START: DuckDNS.org DDNS Update\"\r\
\n\r\
\nif (\$ipv6mode = true) do={\r\
\n\t:set ipDetectService1 \$ipv6DetectService1;\r\
\n\t:set ipDetectService2 \$ipv6DetectService2;\r\
\n\t:log error \"DuckDNS: ipv6 mode enabled\"\r\
\n}\r\
\n\r\
\n# Resolve current DuckDNS subdomain ip address\r\
\n:do {:set previousIP [:resolve \$duckdnsFullDomain]} on-error={ :log war\
ning \"DuckDNS: Could not resolve dns name \$duckdnsFullDomain\" };\r\
\n\r\
\n# Detect our public IP adress useing special services\r\
\n:do {:set currentIP ([/tool fetch url=\$ipDetectService1 output=user as-\
value]->\"data\")} on-error={\r\
\n\t\t:log error \"DuckDNS: Service does not work: \$ipDetectService1\"\r\
\n\t\t#Second try in case the first one is failed\r\
\n\t\t:do {:set currentIP ([/tool fetch url=\$ipDetectService2 output=user\
\_as-value]->\"data\")} on-error={\r\
\n\t\t\t:log error \"DuckDNS: Service does not work: \$ipDetectService2\"\
\r\
\n\t\t};\r\
\n\t};\r\
\n\t\r\
\n\r\
\n:log info \"DuckDNS: DNS IP (\$previousIP), current internet IP (\$curre\
ntIP)\"\r\
\n\r\
\n:if (\$currentIP != \$previousIP) do={\r\
\n\t:log info \"DuckDNS: Current IP \$currentIP is not equal to previous I\
P, update needed\"\r\
\n\t:log info \"DuckDNS: Sending update for \$duckdnsFullDomain\"\r\
\n\t:local duckRequestUrl \"https://www.duckdns.org/update\\\?domains=\$du\
ckdnsSubDomain&token=\$duckdnsToken&ip=\$currentIP&verbose=true\"\r\
\n\t:log info \"DuckDNS: using GET request: \$duckRequestUrl\"\r\
\n\r\
\n\t:local duckResponse\r\
\n\t:do {:set duckResponse ([/tool fetch url=\$duckRequestUrl output=user \
as-value]->\"data\")} on-error={\r\
\n\t\t:log error \"DuckDNS: could not send GET request to the DuckDNS serv\
er. Going to try again in a while.\"\r\
\n\t\t:delay 5m;\r\
\n\t\t\t:do {:set duckResponse ([/tool fetch url=\$duckRequestUrl output=u\
ser as-value]->\"data\")} on-error={\r\
\n\t\t\t\t:log error \"DuckDNS: could not send GET request to the DuckDNS \
server for the second time.\"\r\
\n\t\t\t\t:error \"DuckDNS: bye!\"\r\
\n\t\t\t}\r\
\n\t}\r\
\n\r\
\n\t# Checking server's answer\r\
\n\t:if ([:pick \$duckResponse 0 2] = \"OK\") do={\r\
\n\t\t:log info \"DuckDNS: New IP address (\$currentIP) for domain \$duckd\
nsFullDomain has been successfully set!\"\r\
\n\t} else={ \r\
\n\t\t:log warning \"DuckDNS: There is an error occurred during IP address\
\_update, server did not answer with \\\"OK\\\" response!\"\r\
\n\t}\r\
\n\r\
\n\t:log info \"DuckDNS: server answer is: \$duckResponse\"\r\
\n} else={\r\
\n\t:log info \"DuckDNS: Previous IP (\$previousIP) is equal to current IP\
\_(\$currentIP), no need to update\"\r\
\n}\r\
\n\r\
\n:log warning message=\"END: DuckDNS.org DDNS Update finished\""
/tool graphing interface
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
There is a pppoe server because I connect the router the ISP provides to the Mikrotik to have a working phone at home, and that's how the ISP ONT works. The ipv6 nat rules are the default the router sets, there's probably a bit of security risks there but...
Regards.