Quick update:
I examined the high RX code errors and TX collisions. In half-duplex mode packet loss was close to 0, but overall speed was nearly halved. It looks like I fixed my issue by switching my WAN port from ether1 to ether7. I also changed all my firewall rules, etc. to use the interface list WAN instead of binding directly to the ether1 interface. Finally, I set up SFQ instead of PCQ for my WAN port.
Does anybody know why a single port may cause such a huge error rate?
My new config:
# apr/01/2020 00:13:42 by RouterOS 6.46.1
# software id = 47F2-FCLT
#
# model = CCR1009-7G-1C
# serial number = 94C40B1BF92C
# Physical port settings, plus the two interface lists (WAN, LAN) that the
# firewall, NAT and detect-internet sections match on.
/interface ethernet
# ether1: auto-negotiation is off and the link is forced to 100 Mbps half
# duplex (full-duplex=no) with flow control on in both directions.
# NOTE(review): the post says WAN moved to ether7, yet ether1 keeps the forced
# half-duplex settings; advertise= is presumably ignored while
# auto-negotiation=no - confirm.
set [ find default-name=ether1 ] advertise=100M-full,1000M-full arp=proxy-arp \
auto-negotiation=no full-duplex=no loop-protect=off rx-flow-control=on \
speed=100Mbps tx-flow-control=on
# NOTE(review): arp=proxy-arp on ether1-ether4 makes the router answer ARP
# requests on behalf of hosts behind its other interfaces. Presumably it is
# needed on ether2 because the VPN pool sits inside 192.168.8.0/24; confirm
# whether ether1, ether3 and ether4 need it at all.
set [ find default-name=ether2 ] advertise=\
1000M-full,2500M-full,5000M-full,10000M-full arp=proxy-arp \
rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether3 ] arp=proxy-arp
set [ find default-name=ether4 ] arp=proxy-arp
/interface list
# Empty lists are created here; members are assigned under
# "/interface list member".
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# IPsec responder used by the L2TP server: passive=yes means the router only
# answers incoming negotiations and never initiates one.
/ip ipsec peer
add name=l2tpserver passive=yes send-initial-contact=no
/ip ipsec proposal
# Phase-2 algorithms offered by the default proposal.
# NOTE(review): sha1 and 3des are legacy algorithms kept alongside the
# SHA-2/AES choices, so a client may still negotiate them. Drop them once
# every VPN client is confirmed to support sha256 and AES.
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=\
aes-256-cbc,aes-256-ctr,aes-256-gcm,3des
# Address pools: one per LAN segment, plus one for VPN clients.
/ip pool
add comment="Pool for Server network" name=server-net-pool ranges=\
192.168.8.2-192.168.8.199
add comment="Pool for Smart Home network" name=smart-home-net-pool ranges=\
192.168.10.2-192.168.10.199
add comment="Pool for Main network" name=main-net-pool ranges=\
192.168.11.2-192.168.11.199
# NOTE(review): the VPN pool is carved out of the Server subnet
# (192.168.8.0/24), so remote clients get addresses inside the server segment
# and no firewall rule can tell them apart from servers by subnet alone.
add comment="Pool for VPN clients" name=vpn-pool ranges=\
192.168.8.200-192.168.8.250
# One DHCP server per LAN port, each handing out 1w1d leases from its pool.
/ip dhcp-server
add address-pool=server-net-pool authoritative=after-2sec-delay disabled=no \
interface=ether2 lease-time=1w1d name=server-net-dhcp
add address-pool=smart-home-net-pool authoritative=after-2sec-delay disabled=\
no interface=ether4 lease-time=1w1d name=smart-home-net-dhcp
add address-pool=main-net-pool authoritative=after-2sec-delay disabled=no \
interface=ether3 lease-time=1w1d name=main-net-dhcp
# PPP profile referenced by the L2TP server and the PPP secrets; both the
# local and the remote tunnel address are drawn from vpn-pool.
/ppp profile
add local-address=vpn-pool name=ipsec_vpn remote-address=vpn-pool
# Per-interface queue types. ether7 (the WAN port) uses hotspot-default, the
# built-in SFQ queue type, which matches the "SFQ instead of PCQ" change
# described in the post; ether1-ether4 keep pcq-download-default.
/queue interface
set ether1 queue=pcq-download-default
set ether2 queue=pcq-download-default
set ether3 queue=pcq-download-default
set ether4 queue=pcq-download-default
set ether7 queue=hotspot-default
# Neighbor discovery is not run on any interface.
/ip neighbor discovery-settings
set discover-interface-list=none
# NOTE(review): detect-internet can add interfaces to the lists named here
# dynamically, and the firewall relies on those same WAN/LAN lists. No
# detect-interface-list is shown, so detection is presumably inactive -
# confirm, or point these settings at lists the firewall does not use.
/interface detect-internet
set internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
# L2TP server for remote access, using the ipsec_vpn PPP profile.
# NOTE(review): mschap1 is a weak legacy method; keep only mschap2 unless a
# client requires it. use-ipsec is not shown in this export, so presumably
# the server itself does not insist on IPsec - confirm that plain L2TP is
# rejected elsewhere (e.g. by the input firewall).
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap1,mschap2 default-profile=\
ipsec_vpn enabled=yes
# Static list membership: ether7 is the only WAN member; ether2-ether4 are LAN.
# ether1, ether5 and ether6 belong to neither list, so rules that match on
# in-interface-list=WAN or LAN do not apply to traffic arriving on them.
/interface list member
add comment="SkyNet (Home WAN)" interface=ether7 list=WAN
add comment="Server LAN" interface=ether2 list=LAN
add comment="Main LAN" interface=ether3 list=LAN
add comment="Smart Home LAN" interface=ether4 list=LAN
# Router (gateway) addresses on the three LAN ports. The comments say
# "Route to ...", but these entries are interface addresses.
/ip address
add address=192.168.8.1/24 comment="Route to Server network" interface=ether2 \
network=192.168.8.0
add address=192.168.11.1/24 comment="Route to Main network" interface=ether3 \
network=192.168.11.0
add address=192.168.10.1/24 comment="Route to Smart Home network" interface=\
ether4 network=192.168.10.0
/ip cloud
set update-time=no
# The WAN address is obtained by DHCP on ether7, so it can change; anything
# that hard-codes the public address has to be updated when it does.
/ip dhcp-client
add disabled=no interface=ether7
# Static DHCP leases, one per LAN segment.
/ip dhcp-server lease
add address=192.168.11.11 client-id=1:66:66:66:66:66:66 mac-address=\
66:66:66:66:66:66 server=main-net-dhcp
add address=192.168.10.10 client-id=1:74:4d:28:7d:6a:15 mac-address=\
74:4D:28:7D:6A:15 server=smart-home-net-dhcp
add address=192.168.8.8 client-id=1:74:4d:28:f8:95:f8 mac-address=\
74:4D:28:F8:95:F8 server=server-net-dhcp
# DHCP options per subnet: clients are given public resolvers directly rather
# than the router, so the router sees none of their DNS queries.
/ip dhcp-server network
add address=192.168.8.0/24 comment="Server network" dns-server=\
8.8.8.8,8.8.4.4 gateway=192.168.8.1 netmask=24
add address=192.168.10.0/24 comment="Smart Home network" dns-server=\
8.8.8.8,8.8.4.4 gateway=192.168.10.1 netmask=24
add address=192.168.11.0/24 comment="Main network" dns-server=8.8.8.8,8.8.4.4 \
gateway=192.168.11.1 netmask=24
# Resolvers used by the router itself. allow-remote-requests is not shown, so
# the router is presumably not serving DNS to clients - confirm.
/ip dns
set servers=8.8.8.8,8.8.4.4
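# Input/forward filter. Rules are evaluated top to bottom within each chain,
# so the order below is significant.
#
# Two changes relative to the export as posted (everything else is unchanged):
#   1. Connection_limit now uses add-src-to-address-list. The posted rule used
#      add-dst-to-address-list, which listed the router's own address, while
#      the following drop rule matches src-address-list=connection-limit.
#   2. "accept established,related" on the input chain now sits directly above
#      "drop all from WAN". Below that drop it could never match WAN traffic,
#      so replies to connections the router opens itself (NTP, DNS) were
#      dropped.
/ip firewall filter
# Trap port: any WAN source touching tcp/98 is listed for 30 minutes.
add action=add-src-to-address-list address-list=perebor_portov_drop \
address-list-timeout=30m chain=input comment=Perebor_portov_add_list \
dst-port=98 in-interface-list=WAN log=yes log-prefix=Attack protocol=tcp
# NOTE(review): listed sources are dropped only on tcp/80; other ports are
# covered only by the later generic WAN drop. Confirm dst-port=80 is intended.
add action=drop chain=input comment=Perebor_portov_list_drop dst-port=80 \
in-interface-list=WAN protocol=tcp src-address-list=perebor_portov_drop
# ICMP from WAN: accept up to the rate limit, log and drop the excess.
add action=accept chain=input comment="Allow limited pings" \
in-interface-list=WAN limit=50/5s,2:packet protocol=icmp
add action=drop chain=input comment="Excessive Pings Drop" in-interface-list=\
WAN log=yes log-prefix="drop excessive pings" protocol=icmp
# Sources exceeding 200 concurrent TCP connections (counted per /32) are
# listed for one day and dropped by the next rule.
add action=add-src-to-address-list address-list=connection-limit \
address-list-timeout=1d chain=input comment=Connection_limit \
connection-limit=200,32 in-interface-list=WAN log=yes protocol=tcp
add action=drop chain=input comment=Adr_list_connection-limit_drop \
in-interface-list=WAN log=yes log-prefix="connection limit" \
src-address-list=connection-limit
# Port-scan handling: drop already-listed sources first, then list new ones
# for two weeks based on the psd heuristic and on abnormal TCP flag
# combinations.
# NOTE(review): the drop has no in-interface-list, so a listed address is
# blocked on every interface, not only on WAN.
add action=drop chain=input comment=Port_scanner_drop src-address-list=\
"port scanners"
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input in-interface-list=WAN log=yes \
protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input in-interface-list=WAN log=yes \
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input in-interface-list=WAN log=yes \
protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input in-interface-list=WAN log=yes \
protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input in-interface-list=WAN log=yes \
protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input in-interface-list=WAN log=yes \
protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input in-interface-list=WAN log=yes \
protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=accept chain=input comment="accept ICMP" disabled=yes protocol=\
icmp
# VPN entry points.
# NOTE(review): port= matches the source OR the destination port, so any UDP
# packet sent from source port 500, 1701 or 4500 is accepted as well; dst-port=
# is the tighter match. udp/1701 is also accepted without requiring IPsec; if
# every client uses L2TP over IPsec, restrict 1701 with ipsec-policy=in,ipsec.
add action=accept chain=input comment="accept L2TP IPSec VPN" port=\
1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
# Replies to traffic the router itself originated must be accepted before the
# catch-all WAN drop below.
add action=accept chain=input comment="accept established,related" \
connection-state=established,related
# Catch-all for WAN. log-prefix has no effect here because log=yes is not set.
add action=drop chain=input comment="drop all from WAN" in-interface-list=WAN \
log-prefix="warn block"
# Forward chain: fasttrack established/related connections unless the mangle
# rules marked them "ipsec".
add action=fasttrack-connection chain=forward comment=\
"fasttrtack everything except VPN" connection-mark=!ipsec \
connection-state=established,related
add action=fasttrack-connection chain=forward comment=fasttrack \
connection-state=established,related disabled=yes
add action=drop chain=input comment="drop invalid" connection-state=invalid
# NOTE(review): this is the only drop on the forward chain. New connections
# from WAN need a dst-nat entry, but nothing restricts traffic between the
# Server, Main and Smart Home networks (or from VPN clients) - confirm that
# this is intended.
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN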
# Connections whose packets match an IPsec policy (in either direction) get
# the connection mark "ipsec"; the fasttrack rule in the filter table excludes
# that mark, so IPsec traffic stays on the normal forwarding path.
/ip firewall mangle
add action=mark-connection chain=forward comment=\
"mark ipsec connections to exclude them from fasttrack" ipsec-policy=\
out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward comment=\
"mark ipsec connections to exclude them from fasttrack" ipsec-policy=\
in,ipsec new-connection-mark=ipsec
# NAT: two WAN port forwards, outbound masquerade, and hairpin rules so that
# LAN clients can reach the forwards through the public address.
/ip firewall nat
# NOTE(review): both forwards accept any WAN source (no src-address or
# src-address-list). SSH and especially MongoDB exposed to the whole Internet
# rely entirely on the target host's own authentication; restrict the sources
# or reach these services through the VPN instead.
# NOTE(review): the target 192.168.88.88 lies in none of the subnets
# configured in this export (192.168.8.0/24, 192.168.10.0/24,
# 192.168.11.0/24) - a typo or a redacted value? Confirm.
add action=dst-nat chain=dstnat comment="port forwarding SSH" dst-port=65022 \
in-interface-list=WAN protocol=tcp to-addresses=192.168.88.88 to-ports=22
add action=dst-nat chain=dstnat comment="port forwarding MongoDB" dst-port=\
65017 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.88 \
to-ports=65017
add action=masquerade chain=srcnat comment="WAN NAT" out-interface-list=WAN
# Hairpin dst-nat matches on a hard-coded public dst-address, while the WAN
# address comes from the DHCP client on ether7; these rules stop matching if
# the leased address changes.
add action=dst-nat chain=dstnat comment="hairpin NAT SSH" dst-address=\
94.19.177.63 dst-port=65022 protocol=tcp src-address=192.168.0.0/16 \
to-addresses=192.168.88.88 to-ports=22
add action=dst-nat chain=dstnat comment="hairpin NAT MongoDB" dst-address=\
94.19.177.63 dst-port=65017 protocol=tcp src-address=192.168.0.0/16 \
to-addresses=192.168.88.88 to-ports=65017
# NOTE(review): this masquerade matches every flow with source and destination
# inside 192.168.0.0/16, i.e. all routed traffic between the three LANs, not
# just hairpinned connections. Internal servers then log the router's address
# in place of the real client, which removes source attribution from their
# logs. Narrowing it to the forwarded host and ports would avoid that.
add action=masquerade chain=srcnat comment="hairpin NAT" dst-address=\
192.168.0.0/16 src-address=192.168.0.0/16
# IPsec identity for the l2tpserver peer; policies are generated per client.
# NOTE(review): no secret is visible here and no password on the PPP secrets
# below - presumably the export hid sensitive values; confirm neither is
# empty.
/ip ipsec identity
add generate-policy=port-override peer=l2tpserver
# Entry 0 is presumably the default policy template; it is left matching any
# source and destination.
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
# Cleartext management services are switched off.
# NOTE(review): ssh, winbox, api and api-ssl are not listed, so they are
# presumably still enabled without an address= restriction - confirm. Reaching
# them from WAN is then prevented only by the input-chain firewall.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
/ip ssh
set strong-crypto=yes
/ip traffic-flow
set enabled=yes
# VPN user accounts, both bound to the L2TP service and the ipsec_vpn profile.
/ppp secret
add name=trofiv profile=ipsec_vpn service=l2tp
add name=mitrofiv profile=ipsec_vpn service=l2tp
# RIP is set to receive v2 updates on the three LAN ports.
# NOTE(review): no authentication setting is shown, so updates are presumably
# accepted unauthenticated; any host on a LAN segment (including the Smart
# Home network) could then inject routes. Confirm RIP is needed - all three
# networks are directly connected to this router.
/routing rip interface
add interface=ether2 receive=v2
add interface=ether3 receive=v2
add interface=ether4 receive=v2
/routing rip network
add network=192.168.10.0/24
add network=192.168.11.0/24
add network=192.168.8.0/24
# The clock is fixed to UTC, so log timestamps are in UTC.
/system clock
set time-zone-autodetect=no time-zone-name=Etc/UTC
/system identity
set name=TrofivCloud
# NTP client with two servers configured by IP address.
/system ntp client
set enabled=yes primary-ntp=85.21.78.91 secondary-ntp=37.193.156.169
/tool bandwidth-server
set enabled=no
# Traffic graphs are collected for all seven ethernet ports.
/tool graphing interface
add interface=ether1
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6
add interface=ether7
# Layer-2 management access (MAC telnet, MAC WinBox, MAC ping) is disabled on
# every interface.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no