No, the purchaser didn't do their homework, as OpenVPN is not fully supported by MT and only recently has started trying to make it possible.
Meanwhile WireGuard, which is faster and easier, is available...
No, I did my homework.
I knew that OpenVPN installed on the router uses TCP and it is slow.
Actually, based on your configuration file (that you have attached to your opening post), you have not done your homework before purchasing, as it seems from it that you had not checked the block diagram of RB3011UiAS-RM before purchasing. Since from your configuration it seems that you are not using any of the missing features like BFD that is implemented in RouterOS v6, it is time to move on to v7 (it has UDP OpenVPN by the way).
The risk-averse way of doing this is to export your configuration with
export file=thedesirednameoftheexportedconfigfile
then copy it to your computer so you have it as a reference at hand, then use Netinstall to load the latest stable RouterOS v7 (at the time of writing it is 7.7) to your device (make sure that you don't select "keep old configuration" (Windows version) or in case of the GNU/Linux version you do use the "-r" parameter). After that, rebuild your configuration on the router from scratch (do not load your previously exported configuration file on the router).
In this case I installed it on a Debian server on the local network and made port forwarding. I did not expect that the MikroTik cannot handle simple port forwarding.
...
I do not understand: why does MikroTik have such slow speed when port forwarding?
Based on your configuration export I assume that
- your ISPs' Ethernet cables are connected to Eth1 and Eth10
- you have started from the default configuration
Unfortunately the default configuration on at least a few devices with more than one switch chip is one which is mentioned as a typical Layer 2 misconfiguration in the current documentation: Bridging and Switching Case Studies / Layer2 misconfiguration / VLAN filtering with multiple switch chips. The block diagram of RB3011UiAS-RM clearly states that it has two switch chips and an SFP cage (directly connected to the CPU with XOR with switch2 serving ports Eth6 to Eth10), therefore from a performance point of view having a single bridge with all of the ports may be suboptimal. According to the current documentation the RB3011UiAS-RM has two QCA8337 switch chips. Since the two switches are the same they have the same Bridge Hardware Offloading capabilities. Since these two chips are the same type they have the same Bridging and Switching / Switch Chip Features as described in the documentation. Therefore to maximise the throughput you should use two separate bridges: one for the Eth1 to Eth5 ports and another one for Eth6 to Eth10 ports (except the port(s) that are used for Internet uplink) while keeping in mind not to enable features on the two separate bridges that are not supported in the respective switch chip's hardware. Please note that in case you intend to use the SFP cage in the future then it is better to select from Eth6 to Eth9 for Internet uplink(s) (Eth10 has passive PoE out); for additional reasons keep on reading.
While implementing Basic VLAN switching following the case study in the documentation, heed the warning in it:
On QCA8337 and Atheros8327 switch chips, a default vlan-header=leave-as-is property should be used. The switch chip will determine which ports are access ports by using the default-vlan-id property. The default-vlan-id should only be used on access/hybrid ports to specify which VLAN the untagged ingress traffic is assigned to.
and adapt the configuration (bridge1 should only have Eth1 to Eth5 ports):
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
/interface ethernet switch vlan
add ports=ether1,ether2 switch=switch1 vlan-id=20
add ports=ether1,ether3 switch=switch1 vlan-id=30
add ports=ether1,switch1-cpu switch=switch1 vlan-id=99
/interface vlan
add interface=bridge1 vlan-id=99 name=MGMT
/ip address
add address=192.168.99.1/24 interface=MGMT
/interface ethernet switch port
set ether1 vlan-mode=secure vlan-header=leave-as-is
set ether2 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=20
set ether3 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=30
set switch1-cpu vlan-header=leave-as-is vlan-mode=secure
And in case of the solution for VLAN filtering with multiple switch chips, adapt the solution code as follows:
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge2 interface=ether6
add bridge=bridge2 interface=ether7
add bridge=bridge2 interface=ether8
add bridge=bridge2 interface=ether9
add bridge=bridge2 interface=ether10
/interface ethernet switch port
set ether1,ether2,ether3,ether4,ether7,ether8,ether9 default-vlan-id=10 vlan-header=leave-as-is vlan-mode=secure
set ether5,ether6,ether10 vlan-header=leave-as-is vlan-mode=secure
set switch1-cpu,switch2-cpu vlan-mode=secure
/interface ethernet switch vlan
add ports=ether1,ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=10
add ports=ether6,ether7,ether8,ether9,ether10,switch2-cpu switch=switch2 vlan-id=10
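
As an added example (not part of the original posts and not MikroTik code): a Python check over an exported configuration that reports any bridge whose member ports sit on both switch chips, using the port split described in the post above (ether1 to ether5 on switch1, ether6 to ether10 on switch2). The sample export and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Port-to-switch-chip map for the RB3011UiAS-RM as described in the post:
# switch1 serves ether1-ether5, switch2 serves ether6-ether10.
SWITCH_OF = {f"ether{n}": ("switch1" if n <= 5 else "switch2") for n in range(1, 11)}

# Constructed sample export (not the original poster's configuration).
SAMPLE_EXPORT = """\
/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether6 comment="office uplink"
add bridge=bridge interface=ether7 disabled=yes
/ip address
add address=192.168.88.1/24 interface=bridge
"""

def bridge_ports(export_text):
    """Return {bridge: [ports]} from the '/interface bridge port' section."""
    ports, section = defaultdict(list), None
    # Join RouterOS line continuations (trailing backslash) before parsing.
    for line in re.sub(r"\\\n\s*", "", export_text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif section == "/interface bridge port" and line.startswith("add "):
            kv = dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line))
            # Disabled ports do not forward, so they are ignored.
            if kv.get("disabled") != "yes" and "bridge" in kv and "interface" in kv:
                ports[kv["bridge"]].append(kv["interface"])
    return dict(ports)

def bridges_spanning_chips(export_text):
    """Return {bridge: {chip: [ports]}} for bridges with ports on more than one chip."""
    findings = {}
    for bridge, members in bridge_ports(export_text).items():
        by_chip = defaultdict(list)
        for port in members:
            if port in SWITCH_OF:  # skip non-Ethernet members such as sfp1 or wlan
                by_chip[SWITCH_OF[port]].append(port)
        if len(by_chip) > 1:
            findings[bridge] = dict(by_chip)
    return findings

if __name__ == "__main__":
    for bridge, chips in bridges_spanning_chips(SAMPLE_EXPORT).items():
        print(f"{bridge} spans switch chips: {chips}")
```

Run it against the file produced by the export command before rebuilding; an empty result means every bridge stays within one switch chip.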