toronto0082
just joined
Topic Author
Posts: 2
Joined: Wed Mar 08, 2023 4:49 pm

RB5009 - slow WAN speed - from 980mbps to 450mbps

Wed Mar 08, 2023 5:57 pm

Hello everyone,
Thank you in advance for your time and I appreciate you taking the time to read this post.
My internet plan is 1.5G down and 50M up. If I connect my computer directly to the ISP modem, I get 980+ Mbps on speedtest.net; however, if I connect to the RB5009 (ISP modem in bridge), my speedtest is never over 450 Mbps.
Here are the services I have:
Email server (from a relay server on port 9932 as 25 is blocked by isp)
Web server (from cloudflare so only a handful of ips making requests)
HE.Net ipv6 tunnel
Plex server
---
Important VLANS are:
---
Main VLAN
Guest VLAN
Servers VLAN
Management VLAN
---
Intervlan allowed traffic:
---
Main VLAN and Servers VLAN can access everything
Guest only internet except Plex server, internal email server and internal pihole hosted on MainVLAN (I can change it to Server VLAN if needed)
Management VLAN has on demand internet access (I change the default gateway when needed)
---
I have one bridge, all the ports are its members, and VLANs are configured in the bridge as recommended by the MikroTik manual, so all ports and VLAN filtering are HW offloaded (https://help.mikrotik.com/docs/display/ ... NFiltering).
---
Here is my VLAN and firewall config - please help me figure out what could be causing the slow throughput:

+++++++++++++++++++++++++
#
# model = RB5009UG+S+
/interface bridge
add frame-types=admit-only-vlan-tagged mtu=1500 name=NATIVE_BR vlan-filtering=yes
/interface bridge port
add bridge=NATIVE_BR frame-types=admit-only-untagged-and-priority-tagged interface=ether3
add bridge=NATIVE_BR frame-types=admit-only-untagged-and-priority-tagged interface=ether4
add bridge=NATIVE_BR frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=101
add bridge=NATIVE_BR frame-types=admit-only-vlan-tagged interface=LAG1
add bridge=NATIVE_BR frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=4
add bridge=NATIVE_BR frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=172
/interface bridge vlan
add bridge=NATIVE_BR tagged=NATIVE_BR,LAG1 untagged=ether2 vlan-ids=101
add bridge=NATIVE_BR tagged=LAG1,NATIVE_BR vlan-ids=22
add bridge=NATIVE_BR tagged=NATIVE_BR,LAG1 vlan-ids=196
add bridge=NATIVE_BR tagged=LAG1,NATIVE_BR untagged=ether5 vlan-ids=4
add bridge=NATIVE_BR tagged=LAG1,NATIVE_BR vlan-ids=200
add bridge=NATIVE_BR tagged=NATIVE_BR,LAG1 vlan-ids=14
add bridge=NATIVE_BR tagged=NATIVE_BR,LAG1 untagged=ether6 vlan-ids=172
/interface vlan
add interface=NATIVE_BR mtu=9000 name=GUEST_22_VL vlan-id=22
add interface=NATIVE_BR name=LAN_101_VL vlan-id=101
add interface=NATIVE_BR mtu=9000 name=LOM_14_VL vlan-id=14 << Internal use
add interface=NATIVE_BR mtu=9000 name=MGMT_196_VL vlan-id=196
add interface=NATIVE_BR mtu=9000 name=SEC_4_VL vlan-id=4 << Lab use
add interface=NATIVE_BR mtu=9000 name=SERV_200_VL vlan-id=200
add interface=NATIVE_BR mtu=9000 name=VPN_172_VL vlan-id=172 << Lab use VLAN
# model = RB5009UG+S+
#
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=172.16.196.0/24 comment="Management vlan 196 range" list=management
add address=192.168.1.0/24 comment="LAN main" list=local_lan
add address=192.168.22.0/24 comment="WIFI Guests and IOT" list=Guest_vlan22
add address=10.10.0.0/24 comment="Servers vlan200" list=servers_dmz
add address=192.168.1.26 comment="Plex Servers group" list=plex_servers
add address=192.168.1.27 list=plex_servers
add address=192.168.1.7 comment="Printers list" list=printers_list
add address=192.168.1.25 list=printers_list
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=173.245.48.0/20 list=cloudflare-ips
add address=103.21.244.0/22 list=cloudflare-ips
add address=103.22.200.0/22 list=cloudflare-ips
add address=103.31.4.0/22 list=cloudflare-ips
add address=141.101.64.0/18 list=cloudflare-ips
add address=108.162.192.0/18 list=cloudflare-ips
add address=190.93.240.0/20 list=cloudflare-ips
add address=188.114.96.0/20 list=cloudflare-ips
add address=197.234.240.0/22 list=cloudflare-ips
add address=198.41.128.0/17 list=cloudflare-ips
add address=162.158.0.0/15 list=cloudflare-ips
add address=104.16.0.0/13 list=cloudflare-ips
add address=104.24.0.0/14 list=cloudflare-ips
add address=172.64.0.0/13 list=cloudflare-ips
add address=131.0.72.0/22 list=cloudflare-ips
add address=c.c.c.c list=mxguarddog-ips
/ip firewall connection tracking
set tcp-established-timeout=5m
/ip firewall filter
add action=add-src-to-address-list address-list=blacklist-v4 address-list-timeout=1h chain=input dst-port=21,23 in-interface-list=wan_interfacelist log=yes protocol=tcp
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes in-interface-list=wan_interfacelist out-interface-list=internal_interfaces protocol=tcp
add action=accept chain=forward comment="Allowing Established, Related for FORWARD traffic" connection-state=established,related log-prefix=A-FW-21
add action=accept chain=input comment="Default Config - accepting ESTABLISHED and RELATED traffic" connection-state=established,related
add action=accept chain=input comment="Allow ICMP after RAW" in-interface-list=wan_interfacelist protocol=icmp
add action=drop chain=icmp comment="deny all other types"
add action=accept chain=input comment="Allow proto 41 from HE.NET for 6in4" dst-limit=1,5,dst-address/1m40s in-interface-list=wan_interfacelist limit=1,5:packet log=yes log-prefix=pro41- protocol=ipv6-encap psd=21,3s,3,1 src-address=xxx.66.38.xxx time=\
    0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward comment="Allow access to PLEX from Guests" dst-address-list=plex_servers dst-port=32400 in-interface-list=guest_interfaces protocol=tcp
add action=accept chain=forward comment="Allow access to NAS from Servers - no management tools" dst-address=192.168.1.18 dst-port=!80,443,22,23 in-interface-list=dmz_interfaces protocol=tcp
add action=accept chain=forward comment="Allow access to pihole from all but wan" dst-address=192.168.1.16 dst-address-list="" dst-port=53 in-interface-list=!wan_interfacelist protocol=udp
add action=accept chain=forward comment="Allow access to DMZ from LAN and MGMT" in-interface-list=lan_mgmt_interfaces out-interface-list=dmz_interfaces
add action=accept chain=forward comment="Allow LAN and MGMT to access guest networks" in-interface-list=lan_mgmt_interfaces out-interface-list=guest_interfaces
add action=drop chain=forward comment="Rule to disallow guests to communicate with other guest network." in-interface-list=guest_interfaces log-prefix=guest_access out-interface-list=guest_interfaces
add action=drop chain=forward comment="Disalow DMZ access from guests" in-interface-list=guest_interfaces out-interface-list=dmz_interfaces
add action=drop chain=forward comment="Disallow LAN/MGMT access from guests" in-interface-list=guest_interfaces out-interface-list=lan_mgmt_interfaces
add action=drop chain=forward comment="Drop invalid and new" connection-nat-state=!dstnat connection-state=invalid,new in-interface=1-WAN log-prefix=invalid%
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=1-WAN log-prefix=!NAT
add action=drop chain=input comment="Explicit drop" in-interface=1-WAN log=yes log-prefix=D-FW-28-
add action=accept chain=forward comment="Inc email 9932 > 25" dst-port=9932 in-interface-list=wan_interfacelist protocol=tcp
add action=accept chain=forward comment="Inc to web server" dst-port=80,443,465,587,25,2525 in-interface-list=wan_interfacelist protocol=tcp
add action=accept chain=input protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat comment="LAN Masq" out-interface=1-WAN src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="Guest Masq" out-interface=1-WAN src-address=192.168.22.0/24
add action=masquerade chain=srcnat comment="Server MASQ" out-interface=1-WAN src-address=10.10.0.0/24
add action=masquerade chain=srcnat comment="Mgmt MASQ" log=yes log-prefix=mgmt_MASQ out-interface=1-WAN src-address=172.16.196.0/24
add action=dst-nat chain=dstnat comment="http(s) only | DNAT to email server" dst-port=80,443 in-interface-list=wan_interfacelist log-prefix=A-NAT-7- protocol=tcp src-address-list=cloudflare-ips to-addresses=10.10.0.4
add action=dst-nat chain=dstnat comment="DNAT 9932 > 25" dst-port=9932 in-interface-list=wan_interfacelist protocol=tcp src-address-list=mxguarddog-ips to-addresses=10.10.0.4 to-ports=25
add action=dst-nat chain=dstnat comment="DNAT to email server" dst-address-list="" dst-port=465,587,25,2525 in-interface-list=wan_interfacelist log-prefix=A-NAT-7- protocol=tcp to-addresses=10.10.0.4
add action=dst-nat chain=dstnat comment=DNAT-MS-remote-access_p dst-port=42400 in-interface-list=wan_interfacelist protocol=tcp to-addresses=192.168.1.27 to-ports=32400
add action=dst-nat chain=dstnat comment=DNAT-MS-remote-access_s dst-port=42401 in-interface-list=wan_interfacelist protocol=tcp to-addresses=192.168.1.26 to-ports=32400
add action=dst-nat chain=dstnat comment=DNAT-xbox dst-port=3074 in-interface-list=wan_interfacelist protocol=tcp to-addresses=192.168.1.14
add action=dst-nat chain=dstnat comment=DNAT-wss-zm dst-port=9000 in-interface-list=wan_interfacelist protocol=tcp to-addresses=192.168.1.254
add action=dst-nat chain=dstnat comment=DNAT-sip dst-port=5001,5090,5060,9001-9398,10600-10998 in-interface-list=wan_interfacelist protocol=tcp to-addresses=10.10.0.10
add action=dst-nat chain=dstnat comment=DNAT-sip dst-port=5001,5090,5060,9001-9398,10600-10998 in-interface-list=wan_interfacelist protocol=udp to-addresses=10.10.0.10
add action=dst-nat chain=dstnat comment=tm dst-port=54805 in-interface-list=wan_interfacelist protocol=tcp to-addresses=192.168.1.30
add action=dst-nat chain=dstnat comment=tm dst-port=54805 in-interface-list=wan_interfacelist protocol=udp to-addresses=192.168.1.30
add action=dst-nat chain=dstnat comment=rt dst-port=51433 in-interface-list=wan_interfacelist protocol=udp to-addresses=192.168.1.30 to-ports=51433
add action=dst-nat chain=dstnat comment=rt dst-port=51433 in-interface-list=wan_interfacelist protocol=tcp to-addresses=192.168.1.30 to-ports=51433
/ip firewall raw
add action=drop chain=prerouting in-interface-list=wan_interfacelist log-prefix=blacklistv4- src-address-list=blacklist-v4
add action=drop chain=prerouting dst-port=9932 in-interface-list=wan_interfacelist protocol=tcp src-address-list=!mxguarddog-ips
add action=drop chain=prerouting dst-port=80,443 in-interface-list=wan_interfacelist protocol=tcp src-address-list=!cloudflare-ips
add action=accept chain=prerouting protocol=ipv6-encap src-address=xxx.66.38.xxx
add action=accept chain=output dst-address=xxx.66.38.xxx protocol=ipv6-encap
add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=internal_interfaces protocol=udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" in-interface-list=wan_interfacelist src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv4 in-interface-list=wan_interfacelist
add action=drop chain=prerouting comment="defconf: drop bogon IP's" in-interface-list=wan_interfacelist src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_dst_ipv4 in-interface-list=wan_interfacelist
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=wan_interfacelist src-address-list=not_global_ipv4
add action=drop chain=prerouting comment="defconf: drop bad UDP" in-interface-list=wan_interfacelist port=0 protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" in-interface-list=wan_interfacelist jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" in-interface-list=wan_interfacelist jump-target=bad_tcp protocol=tcp
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" in-interface-list=wan_interfacelist protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf in-interface-list=wan_interfacelist protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" in-interface-list=wan_interfacelist port=0 protocol=tcp
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 in-interface-list=wan_interfacelist limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 in-interface-list=wan_interfacelist protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 in-interface-list=wan_interfacelist protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 in-interface-list=wan_interfacelist protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 in-interface-list=wan_interfacelist protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 in-interface-list=wan_interfacelist protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 in-interface-list=wan_interfacelist limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=11:0-255 in-interface-list=wan_interfacelist protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" in-interface-list=wan_interfacelist log=yes log-prefix=D_RAW_31_ protocol=icmp
+++++++++++++++++++++++++
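
The inter-VLAN policy described in the post depends on rule order and on every custom chain actually being reached. The following is an added Python example, not part of the original post or of any MikroTik tooling, that parses a RouterOS export and reports custom chains no jump rule targets, and built-in filter chains that do not end in an unconditional drop (RouterOS accepts packets that fall off the end of a built-in chain). The function names are this example's own, and the sample is a constructed excerpt of rules copied from the export above.

```python
import re
import shlex
from collections import defaultdict

BUILTIN = {"input", "forward", "output", "prerouting", "postrouting", "srcnat", "dstnat"}
NOT_MATCHERS = {"action", "chain", "comment", "log", "log-prefix"}

# Constructed sample: a few rules copied from the export in the post above.
SAMPLE_EXPORT = r'''
/ip firewall filter
add action=accept chain=forward comment="Allowing Established, Related for FORWARD traffic" connection-state=established,related log-prefix=A-FW-21
add action=drop chain=icmp comment="deny all other types"
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=1-WAN log-prefix=!NAT
add action=drop chain=input comment="Explicit drop" in-interface=1-WAN log=yes log-prefix=D-FW-28-
add action=accept chain=forward comment="Inc email 9932 > 25" dst-port=9932 in-interface-list=wan_interfacelist protocol=tcp
/ip firewall raw
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" in-interface-list=wan_interfacelist jump-target=icmp4 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" in-interface-list=wan_interfacelist log=yes log-prefix=D_RAW_31_ protocol=icmp
'''

def parse_export(text):
    """Return {section: [rule dict, ...]} for each '/ip firewall ...' section."""
    rules, section = defaultdict(list), None
    # Export wraps long lines with a trailing backslash; join them first.
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line if line.startswith("/ip firewall") else None
        elif section and line.startswith("add "):
            pairs = (tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            rules[section].append(dict(pairs))
    return rules

def orphan_chains(rules):
    """Custom chains that hold rules but are no rule's jump-target in the same table."""
    found = []
    for section, rs in rules.items():
        targets = {r["jump-target"] for r in rs if r.get("action") == "jump"}
        used = {r["chain"] for r in rs}
        found += [(section, c) for c in sorted(used - BUILTIN - targets)]
    return found

def chains_without_final_drop(rules, section="/ip firewall filter"):
    """Built-in chains whose last rule is not a drop/reject without matchers."""
    last = {}
    for r in rules.get(section, []):
        last[r["chain"]] = r  # later rules overwrite earlier ones
    return sorted(c for c, r in last.items() if c in BUILTIN and
                  (r.get("action") not in ("drop", "reject") or set(r) - NOT_MATCHERS))

if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    print("never jumped to:", orphan_chains(parsed))
    print("no final drop:", chains_without_final_drop(parsed))
```
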
 
holvoetn
Forum Guru
Posts: 5480
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: RB5009 - slow WAN speed - from 980mbps to 450mbps

Wed Mar 08, 2023 10:01 pm

Not a solution, but the discrepancy between your DL/UL speeds makes me wonder if this is not relevant.
viewtopic.php?t=104266&start=900#p985016
 
toronto0082
just joined
Topic Author
Posts: 2
Joined: Wed Mar 08, 2023 4:49 pm

Re: RB5009 - slow WAN speed - from 980mbps to 450mbps

Wed Mar 08, 2023 11:33 pm

@holvoetn Thank you for the link. I have been using an edgex router and always got 950+ Mbps speedtest.net results. It is just recently that my ISP upgraded the internet service from 1G to 1.5Gbps. 2 weeks ago, when I was using the Ubiquiti Edge router, I was still getting the same speed, above 950 Mbps on average, but then I purchased the RB5009 hoping to utilize its 2.5Gb ports, since my ISP modem has one 2.5Gb port. The link which you have provided does make sense; however, it is not the issue which I have.

Edit: For reference, I just reset the router to factory and here is the result, which is close:
SOprTem - Imgur.png
Here is what I have been getting with the above posted config:
t2cJwzX - Imgur.png
Here is one from an old test with the Ubiquiti ERX router:
G6SjA1K - Imgur.png