My ISP recently upgraded my speed to 200/20 Mbps (PPPoE over VDSL).
I have been using a 3011 since 2016, and I never had any speed issues.
But now, running a simple speedtest or download test, I can see the CPU *almost* maxing out while getting 140-160 Mbps.
The reasons I am NOT using fast track or fastpath are:
- that I need to have queues for almost every interface
- that when I enabled it, the TCP MSS clamp (a mangle rule, which fasttracked connections bypass) was no longer honored and I had a lot of problems with devices losing packets
The screenshot below is from a simple download test running in the background and reaching around 130 Mbps. I am posting a full export of my settings (sensitive values are masked):
# mar/24/2022 11:13:48 by RouterOS 7.1.5
# software id = RPP7-BQU5
#
# model = RouterBOARD 3011UiAS
/interface bridge
# Single bridge for all LAN ports. fast-forward=no is deliberate: the
# poster keeps per-interface queues, which fast-forward/fast-path would
# bypass. protocol-mode=none switches (R)STP off, so a cabling loop on
# any bridged port is not detected. vlan-filtering is not set, so the
# bridge itself is VLAN-unaware; tagging is handled only by the
# /interface vlan children created on it, and the /interface bridge vlan
# table further down has no effect until vlan-filtering is enabled.
add admin-mac=E4:8D:8C:78:EC:FD auto-mac=no fast-forward=no igmp-snooping=yes \
name=bridge-local protocol-mode=none
/interface ethernet
# All ten copper ports carry speed=100Mbps. In RouterOS that value is
# only applied when auto-negotiation=no, which is not set here, so the
# ports presumably still auto-negotiate (the 140-160 Mbps test result
# also implies the WAN port is not stuck at 100M). Confirm with
# '/interface ethernet monitor WAN once' -- a forced 100M WAN port would
# cap the new 200M line well below what the CPU can do.
set [ find default-name=ether1 ] name=WAN speed=100Mbps
# arp=proxy-arp on ether2/ether6: these are bridge ports, so the ARP mode
# that counts at L3 is the one on bridge-local; the per-port value looks
# like a leftover. proxy-arp on the bridge itself would make the router
# answer ARP for any host it has a route to, so leave it off there unless
# the bridged L2TP clients (vpn_pool) turn out to need it.
set [ find default-name=ether2 ] arp=proxy-arp speed=100Mbps
set [ find default-name=ether3 ] comment="Building B" speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] arp=proxy-arp speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] poe-out=off speed=100Mbps
# Uplink to the UniFi switch. Advertising 1000M-half is harmless but
# pointless; the link will negotiate full duplex.
set [ find default-name=sfp1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=\
"Unifi Switch8-150"
/interface wireguard
# Road-warrior WireGuard endpoint. udp/13231 is opened to the world in
# the input chain ("Wireguard-Roadwarrior"); that is the normal posture
# for WireGuard, since packets that do not authenticate against a
# configured peer key are silently discarded. Only the two peers listed
# under /interface wireguard peers can connect.
add listen-port=13231 mtu=1420 name=WG-server
/interface vlan
# 802.1Q sub-interfaces on bridge-local, one per tenant or guest network.
# Atrium-Main-VLAN runs with ARP disabled, so only the static ARP entries
# installed by its DHCP server (add-arp=yes) can reach the router there.
add name=Apts-VLAN vlan-id=214 interface=bridge-local comment="APTS VLAN"
add name=Astarti-Guests-VLAN vlan-id=216 interface=bridge-local comment="ASTARTI GUESTS VLAN"
add name=Atrium-Guests-VLAN vlan-id=209 interface=bridge-local comment="ATRIUM GUESTS VLAN"
add name=Atrium-Main-VLAN vlan-id=9 interface=bridge-local arp=disabled comment="ATRIUM MAIN VLAN"
add name=Mgmt-VLAN vlan-id=172 interface=bridge-local comment="MANAGEMENT VLAN"
/interface pppoe-client
# ISP uplink. MTU/MRU 1492 lines up with the MSS clamp of 1452 in the
# mangle table (1492 - 40 bytes of IP+TCP header). add-default-route=yes
# installs the default route whenever the session is up. The username is
# masked in the post; the password is absent because this is presumably
# a non-sensitive export.
add add-default-route=yes comment="VDSL PPPoE" disabled=no interface=WAN \
keepalive-timeout=60 max-mru=1492 max-mtu=1492 name=pppoe-out1 \
service-name=COSMOTE user=**@otenet.gr
/interface list
# Lists consumed by neighbor discovery (discover) and by the MAC-telnet /
# MAC-winbox servers (mactel, mac-winbox); membership is under
# /interface list member. 'discover' excludes dynamic interfaces such as
# PPP sessions.
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=zerotier
/interface lte apn
# Default LTE APN profile; no LTE interface appears in this export.
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
# Default wireless profile; the RB3011UiAS has no radio, so unused.
set [ find default=yes ] supplicant-identity=RB3011
/ip ipsec profile
# IKE (phase 1) profile shared by the two site-to-site peers. 3des is
# still offered; both peers are the poster's own routers, so it will
# practically never be selected, but dropping it makes a downgrade
# impossible to negotiate:
#   set profile_1 enc-algorithm=aes-256,aes-192,aes-128
# No dh-group is given, so the RouterOS default applies -- check
# '/ip ipsec profile print' that modp1024 is not the only group offered.
add enc-algorithm=aes-256,aes-192,aes-128,3des name=profile_1
/ip ipsec peer
# Peers are addressed by DuckDNS names, so tunnel setup depends on DNS;
# what actually prevents a spoofed peer is the RSA-key authentication
# under /ip ipsec identity, not the address.
# (The '\profile_1' below is a line-wrap artefact of the paste; the value
# is profile_1.)
add address=***.duckdns.org comment=HOME name=HOME profile=profile_1
add address=***.duckdns.org comment=OFFICE name=OFFICE profile=\profile_1
/ip ipsec proposal
# The default proposal still lists md5, sha1, 3des and des. The
# site-to-site policies do not use it (they reference 'site-to-site'),
# but it is presumably what the dynamic L2TP/IPsec road-warrior policies
# negotiate against, so these weak options are reachable from the
# internet. Once all clients are confirmed to support AES/SHA-256:
#   set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-128-cbc
set [ find default=yes ] auth-algorithms=sha256,sha1,md5 enc-algorithms=\
aes-256-cbc,aes-192-cbc,aes-128-cbc,3des,des pfs-group=modp2048
# Site-to-site: AES-128-CBC with PFS over modp2048. No auth-algorithms
# value is set, so the RouterOS default (sha1, presumably) applies;
# confirm with '/ip ipsec proposal print'.
add enc-algorithms=aes-128-cbc name=site-to-site pfs-group=modp2048
/ip pool
# DHCP and PPP address pools. Each pool lies inside the /24 that
# /ip address assigns to the matching interface; vpn_pool is a /28
# carved out of the Astarti LAN for L2TP clients (see /ppp profile).
add ranges=192.168.16.101-192.168.16.200 name=astarti_lan_pool
add ranges=192.168.216.16-192.168.216.249 name=astarti_guests_pool
add ranges=192.168.16.208/28 name=vpn_pool
add ranges=192.168.209.9-192.168.209.249 name=atrium_guests_pool
add ranges=192.168.9.101-192.168.9.200 name=atrium_lan_pool
add ranges=192.168.14.129-192.168.14.190 name=apts_lan_pool
add ranges=172.16.16.101-172.16.16.199 name=mgmt_vlan_pool
/ip dhcp-server
# add-arp=yes makes the server install a static ARP entry per lease. It
# is a real access control only where the interface does not do dynamic
# ARP: on Atrium-Main-VLAN (arp=disabled under /interface vlan) a host
# with a self-assigned address gets no ARP reply from the router and
# cannot talk to it. On bridge-local, Apts-VLAN and Mgmt-VLAN the
# interface still answers ARP normally, so add-arp merely pins the
# lease; to get the Atrium behaviour there, set arp=reply-only on the
# interface. The guest servers (1d leases) have no ARP pinning, which is
# fine for transient clients.
add add-arp=yes address-pool=astarti_lan_pool bootp-support=none interface=\
bridge-local lease-time=2w1d name=Astarti-Lan-dhcp
add address-pool=astarti_guests_pool bootp-support=none interface=\
Astarti-Guests-VLAN lease-time=1d name=Astarti-Guest-dhcp
add address-pool=atrium_guests_pool interface=Atrium-Guests-VLAN lease-time=\
1d name=Atrium-Guest-dhcp
add add-arp=yes address-pool=atrium_lan_pool bootp-support=none interface=\
Atrium-Main-VLAN lease-time=2w1d name=Atrium-Lan-dhcp
add add-arp=yes address-pool=apts_lan_pool interface=Apts-VLAN lease-time=1d \
name=Apts-Lan-dhcp
add add-arp=yes address-pool=mgmt_vlan_pool interface=Mgmt-VLAN lease-time=\
2w1d name=Mgmt-vlan-dhcp
/port
set 0 name=serial0
/ppp profile
# *0 is the built-in 'default' profile, presumably the one the PPPoE
# client uses (it sets no profile of its own). Its on-up hook runs the
# DUCKDNS script, so the DDNS name is refreshed as soon as the WAN
# session comes up.
set *0 change-tcp-mss=default on-up=DUCKDNS use-encryption=yes
# *FFFFFFFE is the built-in 'default-encryption' profile used by the VPN
# servers. Clients are bridged onto bridge-local and get a LAN address
# from vpn_pool, i.e. a VPN user is a full member of the Astarti LAN;
# since bridged traffic does not pass the IP forward chain, there is no
# firewall boundary between a VPN client and that LAN. MPPE is required.
set *FFFFFFFE bridge=bridge-local dns-server=192.168.16.1 local-address=\
192.168.16.1 remote-address=vpn_pool use-encryption=required
/queue simple
# Shaper tree. TOTAL is the parent (20M up / 185M down, just under the
# 20/200 line); all children inherit from it. Everything matched here is
# processed by the CPU, which -- together with fasttrack being off -- is
# why throughput tops out well below line rate on an RB3011.
# Not covered by any target: Mgmt-VLAN (172.16.16.0/24) and the WireGuard
# subnet (192.168.99.0/24); that traffic is unshaped and is not counted
# against TOTAL.
add max-limit=20M/185M name=TOTAL target="192.168.16.0/24,192.168.14.128/26,As\
tarti-Guests-VLAN,Atrium-Guests-VLAN,Atrium-Main-VLAN"
add disabled=yes max-limit=5M/10M name=atrium-lan parent=TOTAL target=\
Atrium-Main-VLAN
add disabled=yes limit-at=1M/3M max-limit=5M/90M name=astarti-lan parent=\
TOTAL priority=2/2 target=192.168.16.0/24
/queue type
# sfq per guest segment (fair share between guest hosts) and fq-codel as
# the total-queue type. 'set 7' / 'set 8' address built-in queue types by
# position (presumably the pcq upload/download defaults); positional
# references are fragile across RouterOS versions -- verify with
# '/queue type print'.
add kind=sfq name=sfq-guests sfq-perturb=8
add kind=fq-codel name=fq_codel
set 7 pcq-limit=25KiB
set 8 pcq-limit=30KiB
/queue simple
# Guest / tenant children of TOTAL with hard caps.
add max-limit=7M/65M name=astarti-guests parent=TOTAL queue=\
sfq-guests/sfq-guests target=Astarti-Guests-VLAN total-queue=fq_codel
add max-limit=7M/65M name=atrium-guests parent=TOTAL queue=\
sfq-guests/sfq-guests target=Atrium-Guests-VLAN total-queue=fq_codel
add max-limit=2M/20M name=apts-guests parent=TOTAL queue=\
sfq-guests/sfq-guests target=192.168.14.128/26 total-queue=fq_codel
/routing bgp template
# The BGP template is enabled (disabled=no) with a private ASN, but no
# BGP connection appears in this export, so no session can form from
# this alone. Disable it if BGP is not used, to keep the surface small.
set default as=65530 disabled=no name=default output.network=bgp-networks
/routing ospf instance
add name=default-v2
add name=default-v3 version=3
/routing ospf area
# Both backbone areas are disabled: OSPF is not running.
add disabled=yes instance=default-v2 name=backbone-v2
add disabled=yes instance=default-v3 name=backbone-v3
/snmp community
# The built-in community (name apparently left at its default, since the
# export shows no name) accepts queries from any source address. SNMP
# itself does not appear to be enabled in this export (no
# '/snmp set enabled=yes'), and the input chain drops unsolicited WAN
# traffic, so today's exposure is toward the LAN/guest/VPN side only.
# Scope it before SNMP is ever switched on, e.g.
#   set [ find default=yes ] addresses=172.16.16.0/24 name=<non-default>
set [ find default=yes ] addresses=0.0.0.0/0
/user group
# Custom group 'ha' (API/REST only; no shell, winbox or web). It carries
# 'policy', which allows the account to create users and groups with any
# rights, plus 'write' -- so it is effectively an admin account reachable
# over the API. If this backs an automation client (the name suggests
# Home Assistant), drop 'policy' and, if the client only reads, 'write':
#   set ha policy="read,test,api,rest-api,!local,!write,!policy,!telnet,!ssh,!ftp,!reboot,!winbox,!password,!web,!sniff,!sensitive,!romon,!dude,!tikapp"
add name=ha policy="local,read,write,policy,test,api,rest-api,!telnet,!ssh,!ft\
p,!reboot,!winbox,!password,!web,!sniff,!sensitive,!romon,!dude,!tikapp"
/zerotier
# Both ZeroTier instances are disabled. The repeated 'disabled=yes' on
# each line looks like an export quirk, not two settings. Identities and
# network IDs are masked. The firewall's ZeroTier rules are disabled to
# match; note that the input rule would accept *all* traffic from the
# zerotier list once enabled, so narrow it to the needed ports first.
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
disabled=yes disabled=yes identity="f***2" name=zt1 port=9993
add disabled=yes disabled=yes identity="d***b" name=zt2-oci port=9994
/zerotier interface
# allow-default/global/managed all off: the ZeroTier controller may not
# push routes or addresses into this router.
add allow-default=no allow-global=no allow-managed=no disabled=yes instance=\
zt1 mac-address=82:38:5F:54:C7:C1 name=my-zt-net network=***
add allow-default=no allow-global=no allow-managed=no disabled=yes instance=\
zt2-oci mac-address=FA:7F:21:9A:59:75 name=oci network=***
/interface bridge port
# All copper ports and the SFP uplink are members of bridge-local. With
# vlan-filtering off this is a VLAN-unaware bridge: every port accepts
# tagged and untagged frames alike and forwards tagged frames unchanged,
# so a host on any access port can emit frames tagged 9, 172, 209, 214
# or 216 and be bridged straight into that VLAN interface -- including
# Mgmt-VLAN. ingress-filtering=no only takes effect once vlan-filtering
# is on. Real isolation needs vlan-filtering=yes, a pvid per port and a
# complete /interface bridge vlan table; plan that change carefully, it
# is easy to lock yourself out.
add bridge=bridge-local ingress-filtering=no interface=ether2
add bridge=bridge-local ingress-filtering=no interface=ether6
# hw=no: bridging on sfp1 is done in software.
add bridge=bridge-local hw=no ingress-filtering=no interface=sfp1
add bridge=bridge-local ingress-filtering=no interface=ether4
add bridge=bridge-local ingress-filtering=no interface=ether3
add bridge=bridge-local ingress-filtering=no interface=ether5
add bridge=bridge-local ingress-filtering=no interface=ether7
add bridge=bridge-local ingress-filtering=no interface=ether8
add bridge=bridge-local ingress-filtering=no interface=ether9
add bridge=bridge-local ingress-filtering=no interface=ether10
/interface bridge settings
# Global fast-path off, consistent with fast-forward=no on the bridge.
set allow-fast-path=no
/ip neighbor discovery-settings
# MNDP/CDP/LLDP announcements go out on every member of 'discover'. As
# populated under /interface list member, that list includes pppoe-out1
# (the router announces identity, model and RouterOS version toward the
# ISP) and Astarti-Guests-VLAN (toward guests). The RouterOS default
# config restricts this to LAN interfaces for that reason.
set discover-interface-list=discover
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=1024
/interface bridge vlan
# Inert while bridge vlan-filtering is off, and wrong for the day it is
# turned on: VID 14 does not exist (the Apts VLAN is 214), the management
# VLAN 172 is missing, and no tagged=/untagged= port sets are given.
# Populate this table completely before enabling vlan-filtering, or the
# VLAN interfaces lose connectivity.
add bridge=bridge-local vlan-ids=9,14,216,209
/interface detect-internet
# Internet detection probes on every interface; harmless but noisy.
set detect-interface-list=all
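/interface l2tp-server server
# L2TP road-warrior server. use-ipsec=required (was 'yes') rejects L2TP
# sessions that do not arrive inside IPsec; with 'yes' a client could
# negotiate plain L2TP/PPP over udp/1701 from the internet, exposing the
# MS-CHAPv2 handshake (offline-crackable) in the clear. 'required' needs
# an ipsec-secret, which this (non-sensitive) export does not display --
# confirm it is set. mschap2 stays the only PPP auth method, so there is
# no PAP/CHAP fallback.
set authentication=mschap2 enabled=yes use-ipsec=required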
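/interface list member
# 'discover': where the router sends and accepts MNDP/CDP/LLDP neighbor
# announcements. FIX: pppoe-out1 removed -- announcing the router's
# identity, model and RouterOS version toward the ISP has no benefit.
# Astarti-Guests-VLAN is still listed; consider dropping it too unless
# guests need to see the router in a discovery tool.
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=sfp1 list=discover
add interface=ether6 list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=bridge-local list=discover
add interface=Astarti-Guests-VLAN list=discover
# 'mactel' / 'mac-winbox': interfaces on which MAC-telnet and MAC-winbox
# answer -- all LAN ports and the bridge; the VLAN interfaces and the
# WAN side are not listed.
add interface=ether2 list=mactel
add interface=ether3 list=mactel
add interface=ether2 list=mac-winbox
add interface=ether4 list=mactel
add interface=ether3 list=mac-winbox
add interface=ether5 list=mactel
add interface=ether4 list=mac-winbox
add interface=ether6 list=mactel
add interface=ether5 list=mac-winbox
add interface=ether7 list=mactel
add interface=ether6 list=mac-winbox
add interface=ether8 list=mactel
add interface=ether7 list=mac-winbox
add interface=ether9 list=mactel
add interface=ether8 list=mac-winbox
add interface=ether10 list=mactel
add interface=ether9 list=mac-winbox
add interface=sfp1 list=mactel
add interface=ether10 list=mac-winbox
add interface=bridge-local list=mactel
add interface=sfp1 list=mac-winbox
add interface=bridge-local list=mac-winbox
# 'zerotier': only referenced by disabled firewall rules.
add interface=my-zt-net list=zerotier
add interface=oci list=zerotier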
/interface ovpn-server server
# OpenVPN server settings; it does not appear to be enabled in this
# export. Client certificates are mandatory, which is the right posture.
# auth=sha1 and aes128 are the weakest of the options accepted here.
set auth=sha1 certificate=SERVER cipher=aes128,aes256 keepalive-timeout=120 \
require-client-certificate=yes
/interface pptp-server server
# PPTP is enabled. PPTP with MS-CHAPv2 is broken: the handshake can be
# recovered offline and yields the MPPE keys, so the tunnel offers no
# real confidentiality. The input chain limits tcp/1723 to Home_WAN_Ips,
# which narrows who can connect, but anyone on the path can still read
# the traffic. WireGuard and L2TP/IPsec are already configured; retire
# PPTP (set enabled=no) once the home/office endpoints use one of them.
set enabled=yes
/interface sstp-server server
# SSTP uses the default-encryption profile; not enabled in this export.
set default-profile=default-encryption
/interface wireguard peers
# Exactly two road-warrior peers, each pinned to a single /32 inside
# 192.168.99.0/24 (the WG-server subnet). Public keys are masked.
add interface=WG-server comment=vaios-OfficePC allowed-address=192.168.99.51/32 public-key="***"
add interface=WG-server comment=vaios-iPhone allowed-address=192.168.99.50/32 public-key="***"
/ip address
# One /24 per segment. 192.168.1.250 on the bare WAN port exists only to
# reach the xDSL modem's web UI. Note that the input chain's final drop
# is bound to pppoe-out1, not to WAN, so router services remain
# reachable from that modem-side segment (low risk: only the modem sits
# there).
add interface=bridge-local address=192.168.16.1/24 network=192.168.16.0 comment="Astarti LAN"
add interface=Astarti-Guests-VLAN address=192.168.216.1/24 network=192.168.216.0 comment="Astarti Guest VLAN"
add interface=WAN address=192.168.1.250/24 network=192.168.1.0 comment="Access xDSL Modem"
add interface=Atrium-Guests-VLAN address=192.168.209.1/24 network=192.168.209.0 comment="Atrium Guest VLAN"
add interface=Atrium-Main-VLAN address=192.168.9.1/24 network=192.168.9.0 comment="Atrium LAN"
add interface=Apts-VLAN address=192.168.14.1/24 network=192.168.14.0 comment="Apts LAN"
add interface=WG-server address=192.168.99.1/24 network=192.168.99.0 comment=Wireguard
add interface=Mgmt-VLAN address=172.16.16.1/24 network=172.16.16.0 comment="Mgmt VLAN"
/ip cloud
# MikroTik cloud DDNS: the router registers its public IP under a
# serial-number-based mynetname.net name. Together with DuckDNS (updated
# by the scheduler) that is two public pointers to this WAN address.
set ddns-enabled=yes update-time=no
/ip dhcp-client
# Disabled: the WAN port carries PPPoE, not DHCP.
add comment="default configuration" disabled=yes interface=WAN
/ip dns
# The router resolves for all internal segments (allow-remote-requests).
# udp/53 is not accepted from pppoe-out1 in the input chain, so this is
# not an open resolver toward the internet. Upstream queries go to
# Cloudflare in the clear (no DoH is configured here).
set allow-remote-requests=yes cache-size=4096KiB servers=\
1.1.1.1,1.0.0.1,2606:4700:4700::1111,2606:4700:4700::1001
/ip dns static
add address=192.168.16.1 name=router
/ip firewall address-list
# "Owned IP": remote subnets reachable over the site-to-site tunnels;
# used to permit management of this router over IPsec and to exempt
# tunnel traffic from masquerade.
# "IPSec Penetrators": hand-collected sources of IKE probing, dropped in
# /ip firewall raw. A static list like this ages quickly; a dynamic list
# fed by failed-IKE / port-scan matches (add-src-to-address-list with a
# timeout) needs no upkeep.
# "Home_WAN_Ips": DuckDNS names that the router resolves itself. Every
# rule keyed on this list (PPTP, the reverse-proxy dst-nat) trusts DNS:
# a hijacked answer widens who is allowed in.
# "Guest_VLANs": guest segments used by the raw-table isolation rule.
add address=192.168.100.0/24 list="Owned IP"
add address=192.168.0.0/24 list="Owned IP"
add address=192.168.30.0/24 list="Owned IP"
add address=192.168.89.0/24 list="Owned IP"
add address=164.52.24.171 list="IPSec Penetrators"
add address=146.88.240.4 list="IPSec Penetrators"
add address=178.128.255.8 list="IPSec Penetrators"
add address=192.168.2.0/24 list="Owned IP"
add address=39.98.157.27 list="IPSec Penetrators"
add address=50.126.86.253 list="IPSec Penetrators"
add address=107.173.193.198 list="IPSec Penetrators"
add address=37.192.170.101 list="IPSec Penetrators"
add address=92.246.84.199 list="IPSec Penetrators"
add address=192.168.9.0/24 list="Owned IP"
add address=192.168.14.0/24 list="Owned IP"
add address=45.79.76.236 list="IPSec Penetrators"
add address=37.49.229.196 list="IPSec Penetrators"
add address=89.113.142.164 list="IPSec Penetrators"
add address=213.108.134.176/28 list="IPSec Penetrators"
add address=87.251.66.112/28 list="IPSec Penetrators"
add address=94.232.41.0/24 list="IPSec Penetrators"
add address=111.7.96.162 list="IPSec Penetrators"
add address=123.160.221.47 list="IPSec Penetrators"
add address=87.251.67.120/29 list="IPSec Penetrators"
add address=185.180.143.147 list="IPSec Penetrators"
add address=78.128.113.66 list="IPSec Penetrators"
add address=23.148.144.25 list="IPSec Penetrators"
add address=78.128.113.64/29 list="IPSec Penetrators"
add address=183.136.226.4 list="IPSec Penetrators"
add address=91.191.209.232/29 list="IPSec Penetrators"
add address=***.duckdns.org list=Home_WAN_Ips
add address=***.duckdns.org list=Home_WAN_Ips
add address=192.168.209.0/24 list=Guest_VLANs
add address=192.168.216.0/24 list=Guest_VLANs
add address=192.168.14.128/26 list=Guest_VLANs
add address=***.duckdns.org list=Home_WAN_Ips
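/ip firewall filter
add action=accept chain=forward comment=ZeroTier disabled=yes \
in-interface-list=zerotier
add action=accept chain=input disabled=yes in-interface-list=zerotier
# Fasttrack is intentionally off: it would bypass the simple queues and
# the MSS clamp in mangle (the reason given in the post).
add action=fasttrack-connection chain=forward comment="default configuration" \
connection-state=established,related disabled=yes hw-offload=yes
# MAC-based blocks. A source MAC is trivially spoofed, so these are a
# convenience rather than an access control; all are disabled anyway.
# (The 68:14:01:23:58:43 entry was listed twice; the duplicate is gone.)
add action=drop chain=forward comment="BLOCK SARAFIDIS RESIDENTS" disabled=\
yes in-interface=Apts-VLAN src-mac-address=4C:02:20:79:CA:95
add action=drop chain=forward disabled=yes in-interface=Apts-VLAN \
src-mac-address=34:29:12:B5:95:A7
add action=drop chain=forward disabled=yes in-interface=Apts-VLAN \
src-mac-address=68:14:01:23:58:43
# Superseded by the raw-table rule of the same purpose; kept disabled.
add action=drop chain=forward comment="Block Guest Access to backbone" \
disabled=yes dst-address=172.16.16.0/24 dst-port=!53 protocol=tcp \
src-address-list=Guest_VLANs
add action=accept chain=forward comment="default configuration" \
connection-state=established,related
# Disabled because the raw table already drops these sources earlier.
add action=drop chain=input comment="BLOCK IPSec Penetrators" disabled=yes \
src-address-list="IPSec Penetrators"
# Management (www, https, winbox, ssh) only from the remote sites, and
# only for packets that arrived decapsulated from IPsec.
add action=accept chain=input comment="Access RB from IPSec" dst-port=\
80,443,8291,22 ipsec-policy=in,ipsec protocol=tcp src-address-list=\
"Owned IP"
# FIX: these two rules were 'ipsec-policy=in,none' / 'out,none'. 'none'
# matches every packet that is NOT subject to IPsec -- i.e. practically
# all forwarded traffic -- so they accepted everything and the
# "Drop Invalid" and WAN "drop new" rules below were never reached.
# 'ipsec' matches only traffic decapsulated from (in) or about to be
# encapsulated into (out) a tunnel, which is what the comments describe.
add action=accept chain=forward comment="IPSec IN" ipsec-policy=in,ipsec
add action=accept chain=forward comment="IPSec OUT" ipsec-policy=out,ipsec
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
# Now effective: unsolicited connections from the internet are dropped
# unless a dst-nat rule explicitly forwarded them.
add action=drop chain=forward comment="default configuration" \
connection-nat-state=!dstnat connection-state=new in-interface=pppoe-out1
# There is no rule between the internal segments: guests and tenants
# (Guest_VLANs, Apts-VLAN) can open connections into the Astarti and
# Atrium LANs; only the management VLAN is shielded (raw table). Add a
# forward drop from src-address-list=Guest_VLANs to the LAN subnets if
# that is not intended.
add action=accept chain=input comment="Accept Ping" protocol=icmp
add action=accept chain=input comment="Accept Established" connection-state=\
established
add action=accept chain=input comment="Accept Related" connection-state=\
related
add action=accept chain=input comment="allow GRE" disabled=yes protocol=gre
# FIX: L2TP control traffic must arrive inside IPsec. Without the
# ipsec-policy match, udp/1701 was open in the clear from any source.
add action=accept chain=input comment="allow l2tp" dst-port=1701 \
ipsec-policy=in,ipsec protocol=udp
add action=accept chain=input comment="allow ipsec ports" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="allow ipsec" protocol=ipsec-esp
# PPTP is restricted to the home/office addresses; see the pptp-server
# note -- the protocol itself is not considered secure.
add action=accept chain=input comment="allow pptp (Only from Office-Home)" \
dst-port=1723 in-interface=pppoe-out1 protocol=tcp src-address-list=\
Home_WAN_Ips
add action=accept chain=input comment=Wireguard-Roadwarrior dst-port=13231 \
protocol=udp
# The final drop is bound to pppoe-out1 only: traffic arriving on the
# bare WAN port (modem segment) or on any LAN/guest interface reaches
# the router's services unfiltered.
add action=drop chain=input comment=Drop in-interface=pppoe-out1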
/ip firewall mangle
# Disabled: an older, narrower MSS clamp toward the office subnet.
add action=change-mss chain=forward disabled=yes dst-address=192.168.100.0/24 \
fragment=no new-mss=1300 passthrough=yes protocol=tcp src-address=\
192.168.16.0/24 tcp-flags=syn tcp-mss=!0-1300
# Disabled: clamp-to-pmtu variant of the rule below.
add action=change-mss chain=forward comment="TCP MSS" disabled=yes new-mss=\
clamp-to-pmtu out-interface=pppoe-out1 passthrough=yes protocol=tcp \
tcp-flags=syn tcp-mss=0-0
# Active MSS clamp for everything leaving via PPPoE: 1492 - 40 = 1452.
# tcp-flags=syn also matches SYN/ACK, so connections that entered through
# a dst-nat are clamped on the reply as well. This is the rule that
# fasttrack would bypass, hence fasttrack stays off. The ppp profile
# already has change-tcp-mss=default, which may install an equivalent
# dynamic rule -- check '/ip firewall mangle print dynamic'; if so this
# rule is redundant but harmless.
add action=change-mss chain=forward comment="TCP MSS" new-mss=1452 \
out-interface=pppoe-out1 passthrough=yes protocol=tcp tcp-flags=syn \
tcp-mss=1453-65535
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
# Traffic from the Astarti and Atrium LANs to the remote sites must leave
# un-NATed so it matches the IPsec policies (ipsec-policy=out,ipsec is
# the correct matcher here). Apts-VLAN (192.168.14.0/24) and Mgmt-VLAN
# (172.16.16.0/24) also have policies under /ip ipsec policy but no
# matching srcnat exception, so their packets to "Owned IP" fall through
# to masquerade and, per the MikroTik IPsec guidance, never enter the
# tunnel. If those policies are meant to carry traffic, add:
#   add action=accept chain=srcnat dst-address-list="Owned IP" ipsec-policy=out,ipsec src-address=192.168.14.0/24 place-before=2
#   add action=accept chain=srcnat dst-address-list="Owned IP" ipsec-policy=out,ipsec src-address=172.16.16.0/24 place-before=2
add action=accept chain=srcnat comment="Access IPSec Subnets" \
dst-address-list="Owned IP" ipsec-policy=out,ipsec src-address=\
192.168.16.0/24
add action=accept chain=srcnat comment="Access IPSec Subnets Atrium" \
dst-address-list="Owned IP" ipsec-policy=out,ipsec src-address=\
192.168.9.0/24
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=pppoe-out1
# L2TP clients hold LAN addresses from vpn_pool; masquerading them toward
# anything outside the /28 hides the VPN client's identity from LAN hosts
# and their logs, not only from the internet.
add action=masquerade chain=srcnat comment="Masq L2TP" dst-address=\
!192.168.16.208/28 src-address=192.168.16.208/28
add action=masquerade chain=srcnat comment="Access ADSL Modem" out-interface=\
WAN
# Reverse proxy: reachable only from the home/office addresses -- good
# pattern, worth copying for the DVR rules below.
add action=dst-nat chain=dstnat comment="Docker Reverse Proxy" dst-port=\
80,443 in-interface=pppoe-out1 protocol=tcp src-address-list=Home_WAN_Ips \
to-addresses=172.16.16.50 to-ports=80-443
# The DVR port-forwards are open to every source on the internet, unlike
# the reverse proxy above. Consumer DVR/NVR firmware is a frequent botnet
# target; reach them over WireGuard instead, or at least add
# src-address-list=Home_WAN_Ips. to-ports=1-65535 with a single dst-port
# is also unusual -- state the DVR's real port (to-ports=<port>) so it is
# obvious what is exposed.
add action=dst-nat chain=dstnat comment="DVR View Building A" dst-port=55416 \
in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.16.10 to-ports=\
1-65535
add action=dst-nat chain=dstnat comment="DVR View Building B" dst-port=55404 \
in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.16.20 to-ports=\
1-65535
# Anything routed into the Apts/Atrium segments is rewritten to come from
# the gateway address. That lets those hosts reply without a route back,
# but it also erases the real source on the tenant side: a connection
# from a guest or from another LAN looks like it came from 192.168.14.1 /
# 192.168.9.1 in any log on those hosts, and the router's own connection
# table is the only place the origin survives.
add action=src-nat chain=srcnat dst-address=192.168.14.0/24 to-addresses=\
192.168.14.1
add action=src-nat chain=srcnat dst-address=192.168.9.0/24 to-addresses=\
192.168.9.1
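/ip firewall raw
# Guest segments must not reach the management VLAN. FIX: the original
# single rule matched protocol=tcp only, so UDP, ICMP and anything else
# from Guest_VLANs still reached 172.16.16.0/24. DNS (tcp+udp 53) stays
# allowed as before; everything else is dropped and logged. 'accept' in
# raw only ends raw-chain processing -- the packet is still tracked and
# still subject to the filter table.
add action=accept chain=prerouting comment="Guests -> mgmt: allow DNS (udp)" \
dst-address=172.16.16.0/24 dst-port=53 protocol=udp src-address-list=\
Guest_VLANs
add action=accept chain=prerouting comment="Guests -> mgmt: allow DNS (tcp)" \
dst-address=172.16.16.0/24 dst-port=53 protocol=tcp src-address-list=\
Guest_VLANs
add action=drop chain=prerouting comment=\
"Block Access from guests to mgmt-vlan" dst-address=172.16.16.0/24 \
log=yes src-address-list=Guest_VLANs
# Early drop of known IKE probers before they reach conntrack/input.
add action=drop chain=prerouting in-interface=pppoe-out1 log=yes \
src-address-list="IPSec Penetrators"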
/ip firewall service-port
# SIP ALG off -- correct; the helper is a common cause of broken VoIP.
set sip disabled=yes
/ip ipsec identity
# Both site-to-site peers authenticate with RSA keys and FQDN IDs. That
# is what makes DuckDNS-addressed peers acceptable: a spoofed DNS answer
# cannot pass the key check. OFFICE additionally has
# generate-policy=port-strict, i.e. it accepts policies proposed by the
# office router as long as the ports match; HOME relies solely on the
# static policies below.
add auth-method=rsa-key key=astarti_mt my-id=fqdn:***.duckdns.org peer=\
HOME remote-id=fqdn:***.duckdns.org remote-key=home-erx
add auth-method=rsa-key generate-policy=port-strict key=astarti_mt my-id=\
fqdn:***.duckdns.org peer=OFFICE remote-id=\
fqdn:***.duckdns.org remote-key=rodou_mt
/ip ipsec policy
# Tunnel-mode policies. The ones sourced from 192.168.14.0/24 and
# 172.16.16.0/24 have no matching srcnat 'accept' (see /ip firewall nat),
# so that traffic is masqueraded before it can enter the tunnel -- verify
# whether those four policies are meant to be live. level=unique on the
# HOME policies gives each selector its own SA pair.
add comment="Office RB2011" dst-address=192.168.100.0/24 peer=OFFICE proposal=\
site-to-site src-address=192.168.16.0/24 tunnel=yes
add dst-address=192.168.100.0/24 peer=OFFICE proposal=site-to-site \
src-address=192.168.9.0/24 tunnel=yes
add dst-address=192.168.100.0/24 peer=OFFICE proposal=site-to-site \
src-address=192.168.14.0/24 tunnel=yes
add dst-address=192.168.100.0/24 peer=OFFICE proposal=site-to-site \
src-address=172.16.16.0/24 tunnel=yes
add comment="Home ER-X" dst-address=192.168.0.0/24 level=unique peer=HOME \
proposal=site-to-site src-address=192.168.16.0/24 tunnel=yes
add dst-address=192.168.30.0/24 level=unique peer=HOME proposal=site-to-site \
src-address=192.168.16.0/24 tunnel=yes
add dst-address=192.168.0.0/24 level=unique peer=HOME proposal=site-to-site \
src-address=172.16.16.0/24 tunnel=yes
add dst-address=192.168.30.0/24 level=unique peer=HOME proposal=site-to-site \
src-address=172.16.16.0/24 tunnel=yes
add dst-address=192.168.30.0/24 level=unique peer=HOME proposal=site-to-site \
src-address=192.168.9.0/24 tunnel=yes
add dst-address=192.168.30.0/24 level=unique peer=HOME proposal=site-to-site \
src-address=192.168.14.0/24 tunnel=yes
/ip route
# Static routes for the remote-site subnets via the PPPoE uplink, with
# pref-src so packets the router originates use the LAN address the
# IPsec policies expect. While a tunnel is down, packets that match a
# policy should be held by IPsec rather than sent to the ISP in the
# clear; packets from segments with no policy (e.g. guests) are simply
# masqueraded toward a private destination and discarded upstream.
add disabled=no dst-address=192.168.100.0/24 gateway=pppoe-out1 pref-src=\
192.168.16.1
add comment="IPSEC OWN NETWORKS" disabled=no dst-address=192.168.30.0/24 \
gateway=pppoe-out1 pref-src=192.168.16.1
add disabled=no dst-address=192.168.0.0/24 gateway=pppoe-out1 pref-src=\
192.168.16.1
/system routerboard settings
# RouterBOOT is upgraded automatically after a RouterOS upgrade.
set auto-upgrade=yes
/system scheduler
# All three jobs run with ftp, reboot, password and sensitive policies.
# A DDNS/cloud updater only needs to call /tool fetch or /ip cloud
# force-update. The scripts themselves are not part of this export, so
# the exact minimum cannot be checked here, but 'password' (change any
# user's password), 'sensitive' (read stored secrets) and 'reboot' are
# almost certainly not part of it. Trim, e.g.
#   /system scheduler set "DuckDNS Updater" policy=read,write,test
# and confirm the script still runs.
add interval=15m name=mtcloud_update on-event=mtcloudupdate policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
may/26/2016 start-time=15:50:54
add disabled=yes interval=20m20s name="IPSec Updater" on-event=\
home_ipsec_update policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-time=startup
add interval=10m name="DuckDNS Updater" on-event=DUCKDNS policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-time=startup
/tool mac-server
# MAC-telnet and MAC-winbox answer on every LAN port and on the bridge
# (VLAN interfaces are not in the lists). Both still require a RouterOS
# login but bypass IP-level firewalling entirely; restrict the lists to
# the management VLAN or a single port if the untagged LAN ever carries
# untrusted hosts.
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool netwatch
# Disabled reachability probe of the UniFi Cloud Key.
add comment="Unifi Cloud Key" disabled=yes host=192.168.16.12