В офисе стоит 2011UiAS. С января провайдер сменил тариф и, в качестве бонуса, увеличил скорость в два раза до 40 Мбит/с. Перенастроил Queues, все работало и радовало.
С марта посыпались жалобы на низкую скорость, speedtest.net показывал не более 20 Мбит. Замерил скорость без микротика, получил такой же результат. Провайдер заменил свое оборудование на новое, теперь скорость без микротика нормальная. На микротике получаю те же 20 Мбит/с. Без разницы, включены queues или нет.
Подскажите, где искать проблему. Склоняюсь к полному сбросу роутера и настройке с нуля.
admin@ROUTER > export compact
# mar/12/2020 08:21:22 by RouterOS 6.44.5
# software id = 2WMQ-LZN9
#
# model = 2011UiAS
# Bridge and Ethernet port setup: one LAN bridge named "bridge"; ether1-ether10
# and sfp1 are renamed to eth01-eth10 / sfp01.
/interface bridge
# arp=proxy-arp makes the router answer ARP requests on behalf of other hosts.
# The L2TP pool defined later in this export (vpn-pool) lies inside the LAN
# subnet 192.168.10.0/24, which is presumably why it is enabled - confirm.
add admin-mac=XX:XX:XX:XX:XX:XX arp=proxy-arp auto-mac=no fast-forward=no name=bridge
/interface ethernet
# NOTE(review): speed=100Mbps is set on eth01-eth05; whether it takes effect
# depends on auto-negotiation, which this export does not show - verify the
# negotiated link rate on each port.
set [ find default-name=ether1 ] name=eth01 speed=100Mbps
set [ find default-name=ether2 ] name=eth02 speed=100Mbps
set [ find default-name=ether3 ] name=eth03 speed=100Mbps
set [ find default-name=ether4 ] name=eth04 speed=100Mbps
set [ find default-name=ether5 ] name=eth05 speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=eth06
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=eth07
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=eth08
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=eth09
# eth10 carries the PPPoE uplink (see /interface pppoe-client); PoE output is off.
set [ find default-name=ether10 ] name=eth10 poe-out=off rx-flow-control=auto tx-flow-control=auto
# The SFP port is disabled here, yet it is still added to the bridge further down.
set [ find default-name=sfp1 ] disabled=yes name=sfp01
# WAN uplink: PPPoE session over eth10. It installs the default route and takes
# DNS servers from the provider (use-peer-dns=yes). Credentials are redacted.
/interface pppoe-client
add add-default-route=yes disabled=no interface=eth10 keepalive-timeout=60 name=wan-pppoe password=XXX use-peer-dns=yes user=XXX
/interface gre
# GRE tunnel "nel" with ipsec-secret set; presumably RouterOS creates the IPsec
# peer for it dynamically using the default profile and proposal shown later in
# this export - confirm. allow-fast-path=no keeps it off the fast path.
add allow-fast-path=no ipsec-secret=XXX local-address=XXX name=nel remote-address=XXX
/interface list
# Interface lists used later to scope neighbor discovery and the MAC-Telnet /
# MAC-Winbox servers.
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# IPsec peer plus the default phase 1 profile and phase 2 proposal.
/ip ipsec peer
# This entry is unreachable
# passive=yes: peer1 only responds to incoming negotiations. No address is set
# in this export, so it is not pinned to one remote endpoint.
add name=peer1 passive=yes
/ip ipsec profile
# NOTE(review): dh-group=modp1024 and 3des are legacy choices, usually kept for
# old clients. If every peer supports it, move to modp2048 or stronger and drop
# 3des; change both ends together or negotiation will fail.
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,aes-128,3des
/ip ipsec proposal
# NOTE(review): 3des is still offered for phase 2 as well; same caveat applies.
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-256-ctr,3des
# Address pools, the L2TP PPP profile and bandwidth shaping.
/ip pool
add name=office-pool ranges=192.168.10.101-192.168.10.230
# vpn-pool is carved out of the LAN subnet, so VPN clients get addresses in
# 192.168.10.0/24 and match every rule or service ACL written for that subnet.
add name=vpn-pool ranges=192.168.10.231-192.168.10.250
/ppp profile
# Profile for L2TP clients: router side is 192.168.10.2, client addresses come
# from vpn-pool, and internal DNS servers are pushed to the client.
add change-tcp-mss=yes dns-server=192.168.10.1,192.168.10.3 local-address=192.168.10.2 name=l2tp remote-address=vpn-pool
/queue type
# NOTE(review): "pcq--download-5M" has a doubled hyphen and "pcq-upload-5M" is
# set to pcq-rate=2M despite its name; neither type is referenced by the simple
# queue below.
add kind=pcq name=pcq--download-5M pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=5M pcq-src-address6-mask=64
add kind=pcq name=pcq-upload-5M pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=2M pcq-src-address6-mask=64
# "set 7" / "set 8" address queue types by item number; presumably these are
# pcq-upload-default / pcq-download-default - confirm with "/queue type print"
# before importing this export anywhere.
set 7 pcq-burst-rate=40M pcq-burst-threshold=2M
set 8 pcq-burst-rate=40M pcq-burst-threshold=2M
/queue simple
# One simple queue for the whole LAN subnet, capped at 40M/40M.
add max-limit=40M/40M name=queue-default queue=pcq-upload-default/pcq-download-default target=192.168.10.0/24 total-queue=default
# Bridge membership, discovery scope, L2TP server, addressing, cloud DDNS, DNS.
/interface bridge port
add bridge=bridge interface=eth01
add bridge=bridge interface=eth06
add bridge=bridge hw=no interface=sfp01
add bridge=bridge interface=eth02
add bridge=bridge interface=eth03
add bridge=bridge interface=eth04
add bridge=bridge interface=eth05
add bridge=bridge interface=eth07
add bridge=bridge interface=eth08
add bridge=bridge interface=eth09
/ip neighbor discovery-settings
# Neighbor discovery is limited to the "discover" list; wan-pppoe is not a
# member of that list in this export.
set discover-interface-list=discover
/interface l2tp-server server
# NOTE(review): use-ipsec=yes sets up IPsec for L2TP clients but, unlike
# use-ipsec=required, does not refuse L2TP sessions that arrive without IPsec.
# UDP 1701 is accepted on input from any source (see /ip firewall filter), so a
# session protected only by MS-CHAPv2 would presumably be accepted - confirm
# and consider "required".
set authentication=mschap2 caller-id-type=number default-profile=l2tp enabled=yes ipsec-secret=XXX use-ipsec=yes
/interface list member
add interface=bridge list=discover
# NOTE(review): "gre-tunnel" is not defined in this export (the GRE interface
# above is named "nel"); possibly a redaction mismatch - verify.
add interface=gre-tunnel list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
/ip address
add address=192.168.10.2/24 interface=bridge network=192.168.10.0
# NOTE(review): 192.168.88.1/24 is also bound to the bridge next to the office
# subnet; remove it if nothing uses that network.
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
# Point-to-point /30 on the GRE tunnel.
add address=172.16.30.1/30 interface=nel network=172.16.30.0
/ip cloud
# ddns-enabled=yes publishes the router's current public address under its
# MikroTik cloud DNS name.
set ddns-enabled=yes ddns-update-interval=5m update-time=no
/ip dns
# allow-remote-requests=yes makes the router answer DNS queries from clients.
# Exposure to the WAN is controlled only by the input-chain rules in
# /ip firewall filter, so those rules must stay in place.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
# Firewall filter. Rules are evaluated top to bottom within each chain, so the
# order below is part of the policy.
/ip firewall filter
# Seven content-match rules reject forwarded packets whose payload contains
# Windows Update / Microsoft download hostnames.
# NOTE(review): this keeps LAN Windows hosts from fetching patches directly;
# make sure updates reach them some other way. The rules sit ahead of the
# established/related accept, so every forwarded packet is string-matched up to
# seven times; check CPU load and per-rule counters when chasing the
# throughput complaint.
add action=reject chain=forward comment=update.microsoft.com content=update.microsoft.com reject-with=icmp-network-unreachable
add action=reject chain=forward comment=download.microsoft.com content=download.microsoft.com reject-with=icmp-network-unreachable
add action=reject chain=forward comment=download.windowsupdate.com content=download.windowsupdate.com reject-with=icmp-network-unreachable
add action=reject chain=forward comment=wustat.windows.com content=wustat.windows.com reject-with=icmp-network-unreachable
add action=reject chain=forward comment=stats.microsoft.com content=stats.microsoft.com reject-with=icmp-network-unreachable
add action=reject chain=forward comment=ntservicepack.microsoft.com content=ntservicepack.microsoft.com reject-with=icmp-network-unreachable
add action=reject chain=forward comment=windowsupdate.com content=windowsupdate.com reject-with=icmp-network-unreachable
# Stateful baseline for both chains: keep known connections, drop invalid ones.
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
# Router services reachable from any interface, WAN included: ICMP,
# IKE / L2TP / NAT-T (udp 500, 1701, 4500) and ESP.
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-port=500,1701,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
# The DNS drops are bound to the physical port eth10, while the input drop
# after them is bound to wan-pppoe; keep both while the router answers DNS.
add action=drop chain=input dst-port=53 in-interface=eth10 protocol=udp
add action=drop chain=input dst-port=53 in-interface=eth10 protocol=tcp
# Everything else arriving on the PPPoE interface for the router is dropped.
# NOTE(review): there is no final input drop for other interfaces (bridge, GRE,
# L2TP clients), so they reach any enabled service subject only to the address
# limits under /ip service.
add action=drop chain=input in-interface=wan-pppoe
# New connections from the WAN are forwarded only if they were dst-nat'ed.
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=wan-pppoe
# The passthrough rules take no action; presumably kept as counters - confirm.
add action=passthrough chain=input
add action=passthrough chain=forward
add action=passthrough chain=output
# Connection marks and NAT: port forwards plus source NAT.
/ip firewall mangle
# Connections from the LAN to address XXX on tcp/5655 get connection mark
# "dmz", which the first srcnat rule below masquerades (hairpin-style NAT).
add action=mark-connection chain=prerouting dst-address=XXX dst-port=5655 new-connection-mark=dmz passthrough=yes protocol=tcp src-address=\
192.168.10.0/24
# NOTE(review): this rule has no src-address, so connections from any source to
# XXX on the mail ports are marked "dmz" and then masqueraded. If XXX is the
# public address, the mail server would see the router as the client for
# Internet-originated sessions, hiding real source IPs from its logs and rate
# limits - confirm, and scope the rule to src-address=192.168.10.0/24.
# Port 587 is marked here but has no dst-nat rule below.
add action=mark-connection chain=prerouting dst-address=XXX dst-port=25,465,587,993 new-connection-mark=dmz passthrough=yes protocol=tcp
/ip firewall nat
# NOTE(review): RDP (tcp/3389) is forwarded with src-address=0.0.0.0/0, i.e.
# from any Internet address. Restrict src-address to known networks, or reach
# the host over the L2TP/IPsec VPN already configured on this router.
add action=dst-nat chain=dstnat comment=RDP dst-address=XXX dst-port=3389 protocol=tcp src-address=0.0.0.0/0 to-addresses=XXX
# Mail ports and the redacted tcp/5655 service are likewise forwarded from any
# source address.
add action=dst-nat chain=dstnat comment=SMTP dst-address=XXX dst-port=25 protocol=tcp src-address=0.0.0.0/0 to-addresses=XXX
add action=dst-nat chain=dstnat comment=SMTPS dst-address=XXX dst-port=465 protocol=tcp src-address=0.0.0.0/0 to-addresses=XXX
add action=dst-nat chain=dstnat comment=IMAPS dst-address=XXX dst-port=993 protocol=tcp src-address=0.0.0.0/0 to-addresses=XXX
add action=dst-nat chain=dstnat comment=XXX dst-address=XXX dst-port=5655 protocol=tcp src-address=0.0.0.0/0 to-addresses=XXX
# Source NAT: connections marked "dmz" first, then general traffic leaving via
# the PPPoE interface.
add action=masquerade chain=srcnat comment=DMZ connection-mark=dmz
add action=masquerade chain=srcnat out-interface=wan-pppoe
# IPsec identity, static route, management services, PPP account, clock/NTP
# and graphing.
/ip ipsec identity
# Pre-shared-key identity for peer1. remote-id=ignore skips the remote ID
# check, so the strength of the redacted secret is what protects phase 1.
add generate-policy=port-override peer=peer1 remote-id=ignore secret=XXX
/ip route
# Remote network 192.168.20.0/24 is reached via 172.16.30.2, the far end of
# the /30 assigned to the GRE tunnel.
add distance=1 dst-address=192.168.20.0/24 gateway=172.16.30.2 pref-src=192.168.10.2
/ip service
# Management plane: telnet, ftp, ssh, api and api-ssl are disabled; www and
# winbox accept only 192.168.10.0/24. That subnet also contains vpn-pool, so
# L2TP clients fall inside this limit.
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.10.0/24
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.10.0/24
set api-ssl disabled=yes
/ip ssh
# NOTE(review): allow-none-crypto=yes permits the "none" cipher for SSH. The
# ssh service is disabled above, so this is dormant, but set it to "no" so that
# re-enabling SSH later cannot yield unencrypted sessions.
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
# One L2TP account (name and password redacted) bound to the l2tp profile.
add name=XXX password=XXX profile=l2tp service=l2tp
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=ROUTER
/system ntp client
# Time comes from an internal server first, then a public one; accurate time
# matters for log correlation.
set enabled=yes primary-ntp=192.168.10.1 secondary-ntp=91.206.16.3
/tool graphing interface
# Graphs for wan-pppoe plus a default entry. NOTE(review): no allow-address is
# shown on these entries; presumably access depends on the www limit above -
# confirm.
add interface=wan-pppoe
add
/tool graphing resource
add
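# MAC-layer management: MAC-Telnet and MAC-Winbox are allowed only on the
# interface lists "mactel" and "mac-winbox"; per /interface list member, each
# list contains just the bridge.
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
# The list name must match "mac-winbox" as defined under /interface list; the
# pasted export carried a stray trailing "]" here.
set allowed-interface-list=mac-winbox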
# mar/12/2020 08:21:22 by RouterOS 6.44.5
# software id = 2WMQ-LZN9
#
# model = 2011UiAS
# Bridge and Ethernet port setup: one LAN bridge named "bridge"; ether1-ether10
# and sfp1 are renamed to eth01-eth10 / sfp01.
/interface bridge
# arp=proxy-arp makes the router answer ARP requests on behalf of other hosts.
# The L2TP pool defined later in this export (vpn-pool) lies inside the LAN
# subnet 192.168.10.0/24, which is presumably why it is enabled - confirm.
add admin-mac=XX:XX:XX:XX:XX:XX arp=proxy-arp auto-mac=no fast-forward=no name=bridge
/interface ethernet
# NOTE(review): speed=100Mbps is set on eth01-eth05; whether it takes effect
# depends on auto-negotiation, which this export does not show - verify the
# negotiated link rate on each port.
set [ find default-name=ether1 ] name=eth01 speed=100Mbps
set [ find default-name=ether2 ] name=eth02 speed=100Mbps
set [ find default-name=ether3 ] name=eth03 speed=100Mbps
set [ find default-name=ether4 ] name=eth04 speed=100Mbps
set [ find default-name=ether5 ] name=eth05 speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=eth06
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=eth07
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=eth08
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=eth09
# eth10 carries the PPPoE uplink (see /interface pppoe-client); PoE output is off.
set [ find default-name=ether10 ] name=eth10 poe-out=off rx-flow-control=auto tx-flow-control=auto
# The SFP port is disabled here, yet it is still added to the bridge further down.
set [ find default-name=sfp1 ] disabled=yes name=sfp01
# WAN uplink: PPPoE session over eth10. It installs the default route and takes
# DNS servers from the provider (use-peer-dns=yes). Credentials are redacted.
/interface pppoe-client
add add-default-route=yes disabled=no interface=eth10 keepalive-timeout=60 name=wan-pppoe password=XXX use-peer-dns=yes user=XXX
/interface gre
# GRE tunnel "nel" with ipsec-secret set; presumably RouterOS creates the IPsec
# peer for it dynamically using the default profile and proposal shown later in
# this export - confirm. allow-fast-path=no keeps it off the fast path.
add allow-fast-path=no ipsec-secret=XXX local-address=XXX name=nel remote-address=XXX
/interface list
# Interface lists used later to scope neighbor discovery and the MAC-Telnet /
# MAC-Winbox servers.
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# IPsec peer plus the default phase 1 profile and phase 2 proposal.
/ip ipsec peer
# This entry is unreachable
# passive=yes: peer1 only responds to incoming negotiations. No address is set
# in this export, so it is not pinned to one remote endpoint.
add name=peer1 passive=yes
/ip ipsec profile
# NOTE(review): dh-group=modp1024 and 3des are legacy choices, usually kept for
# old clients. If every peer supports it, move to modp2048 or stronger and drop
# 3des; change both ends together or negotiation will fail.
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,aes-128,3des
/ip ipsec proposal
# NOTE(review): 3des is still offered for phase 2 as well; same caveat applies.
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-256-ctr,3des
# Address pools, the L2TP PPP profile and bandwidth shaping.
/ip pool
add name=office-pool ranges=192.168.10.101-192.168.10.230
# vpn-pool is carved out of the LAN subnet, so VPN clients get addresses in
# 192.168.10.0/24 and match every rule or service ACL written for that subnet.
add name=vpn-pool ranges=192.168.10.231-192.168.10.250
/ppp profile
# Profile for L2TP clients: router side is 192.168.10.2, client addresses come
# from vpn-pool, and internal DNS servers are pushed to the client.
add change-tcp-mss=yes dns-server=192.168.10.1,192.168.10.3 local-address=192.168.10.2 name=l2tp remote-address=vpn-pool
/queue type
# NOTE(review): "pcq--download-5M" has a doubled hyphen and "pcq-upload-5M" is
# set to pcq-rate=2M despite its name; neither type is referenced by the simple
# queue below.
add kind=pcq name=pcq--download-5M pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=5M pcq-src-address6-mask=64
add kind=pcq name=pcq-upload-5M pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=2M pcq-src-address6-mask=64
# "set 7" / "set 8" address queue types by item number; presumably these are
# pcq-upload-default / pcq-download-default - confirm with "/queue type print"
# before importing this export anywhere.
set 7 pcq-burst-rate=40M pcq-burst-threshold=2M
set 8 pcq-burst-rate=40M pcq-burst-threshold=2M
/queue simple
# One simple queue for the whole LAN subnet, capped at 40M/40M.
add max-limit=40M/40M name=queue-default queue=pcq-upload-default/pcq-download-default target=192.168.10.0/24 total-queue=default
# Bridge membership, discovery scope, L2TP server, addressing, cloud DDNS, DNS.
/interface bridge port
add bridge=bridge interface=eth01
add bridge=bridge interface=eth06
add bridge=bridge hw=no interface=sfp01
add bridge=bridge interface=eth02
add bridge=bridge interface=eth03
add bridge=bridge interface=eth04
add bridge=bridge interface=eth05
add bridge=bridge interface=eth07
add bridge=bridge interface=eth08
add bridge=bridge interface=eth09
/ip neighbor discovery-settings
# Neighbor discovery is limited to the "discover" list; wan-pppoe is not a
# member of that list in this export.
set discover-interface-list=discover
/interface l2tp-server server
# NOTE(review): use-ipsec=yes sets up IPsec for L2TP clients but, unlike
# use-ipsec=required, does not refuse L2TP sessions that arrive without IPsec.
# UDP 1701 is accepted on input from any source (see /ip firewall filter), so a
# session protected only by MS-CHAPv2 would presumably be accepted - confirm
# and consider "required".
set authentication=mschap2 caller-id-type=number default-profile=l2tp enabled=yes ipsec-secret=XXX use-ipsec=yes
/interface list member
add interface=bridge list=discover
# NOTE(review): "gre-tunnel" is not defined in this export (the GRE interface
# above is named "nel"); possibly a redaction mismatch - verify.
add interface=gre-tunnel list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
/ip address
add address=192.168.10.2/24 interface=bridge network=192.168.10.0
# NOTE(review): 192.168.88.1/24 is also bound to the bridge next to the office
# subnet; remove it if nothing uses that network.
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
# Point-to-point /30 on the GRE tunnel.
add address=172.16.30.1/30 interface=nel network=172.16.30.0
/ip cloud
# ddns-enabled=yes publishes the router's current public address under its
# MikroTik cloud DNS name.
set ddns-enabled=yes ddns-update-interval=5m update-time=no
/ip dns
# allow-remote-requests=yes makes the router answer DNS queries from clients.
# Exposure to the WAN is controlled only by the input-chain rules in
# /ip firewall filter, so those rules must stay in place.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
# Firewall filter. Rules are evaluated top to bottom within each chain, so the
# order below is part of the policy.
/ip firewall filter
# Seven content-match rules reject forwarded packets whose payload contains
# Windows Update / Microsoft download hostnames.
# NOTE(review): this keeps LAN Windows hosts from fetching patches directly;
# make sure updates reach them some other way. The rules sit ahead of the
# established/related accept, so every forwarded packet is string-matched up to
# seven times; check CPU load and per-rule counters when chasing the
# throughput complaint.
add action=reject chain=forward comment=update.microsoft.com content=update.microsoft.com reject-with=icmp-network-unreachable
add action=reject chain=forward comment=download.microsoft.com content=download.microsoft.com reject-with=icmp-network-unreachable
add action=reject chain=forward comment=download.windowsupdate.com content=download.windowsupdate.com reject-with=icmp-network-unreachable
add action=reject chain=forward comment=wustat.windows.com content=wustat.windows.com reject-with=icmp-network-unreachable
add action=reject chain=forward comment=stats.microsoft.com content=stats.microsoft.com reject-with=icmp-network-unreachable
add action=reject chain=forward comment=ntservicepack.microsoft.com content=ntservicepack.microsoft.com reject-with=icmp-network-unreachable
add action=reject chain=forward comment=windowsupdate.com content=windowsupdate.com reject-with=icmp-network-unreachable
# Stateful baseline for both chains: keep known connections, drop invalid ones.
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
# Router services reachable from any interface, WAN included: ICMP,
# IKE / L2TP / NAT-T (udp 500, 1701, 4500) and ESP.
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-port=500,1701,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
# The DNS drops are bound to the physical port eth10, while the input drop
# after them is bound to wan-pppoe; keep both while the router answers DNS.
add action=drop chain=input dst-port=53 in-interface=eth10 protocol=udp
add action=drop chain=input dst-port=53 in-interface=eth10 protocol=tcp
# Everything else arriving on the PPPoE interface for the router is dropped.
# NOTE(review): there is no final input drop for other interfaces (bridge, GRE,
# L2TP clients), so they reach any enabled service subject only to the address
# limits under /ip service.
add action=drop chain=input in-interface=wan-pppoe
# New connections from the WAN are forwarded only if they were dst-nat'ed.
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=wan-pppoe
# The passthrough rules take no action; presumably kept as counters - confirm.
add action=passthrough chain=input
add action=passthrough chain=forward
add action=passthrough chain=output
# Connection marks and NAT: port forwards plus source NAT.
/ip firewall mangle
# Connections from the LAN to address XXX on tcp/5655 get connection mark
# "dmz", which the first srcnat rule below masquerades (hairpin-style NAT).
add action=mark-connection chain=prerouting dst-address=XXX dst-port=5655 new-connection-mark=dmz passthrough=yes protocol=tcp src-address=\
192.168.10.0/24
# NOTE(review): this rule has no src-address, so connections from any source to
# XXX on the mail ports are marked "dmz" and then masqueraded. If XXX is the
# public address, the mail server would see the router as the client for
# Internet-originated sessions, hiding real source IPs from its logs and rate
# limits - confirm, and scope the rule to src-address=192.168.10.0/24.
# Port 587 is marked here but has no dst-nat rule below.
add action=mark-connection chain=prerouting dst-address=XXX dst-port=25,465,587,993 new-connection-mark=dmz passthrough=yes protocol=tcp
/ip firewall nat
# NOTE(review): RDP (tcp/3389) is forwarded with src-address=0.0.0.0/0, i.e.
# from any Internet address. Restrict src-address to known networks, or reach
# the host over the L2TP/IPsec VPN already configured on this router.
add action=dst-nat chain=dstnat comment=RDP dst-address=XXX dst-port=3389 protocol=tcp src-address=0.0.0.0/0 to-addresses=XXX
# Mail ports and the redacted tcp/5655 service are likewise forwarded from any
# source address.
add action=dst-nat chain=dstnat comment=SMTP dst-address=XXX dst-port=25 protocol=tcp src-address=0.0.0.0/0 to-addresses=XXX
add action=dst-nat chain=dstnat comment=SMTPS dst-address=XXX dst-port=465 protocol=tcp src-address=0.0.0.0/0 to-addresses=XXX
add action=dst-nat chain=dstnat comment=IMAPS dst-address=XXX dst-port=993 protocol=tcp src-address=0.0.0.0/0 to-addresses=XXX
add action=dst-nat chain=dstnat comment=XXX dst-address=XXX dst-port=5655 protocol=tcp src-address=0.0.0.0/0 to-addresses=XXX
# Source NAT: connections marked "dmz" first, then general traffic leaving via
# the PPPoE interface.
add action=masquerade chain=srcnat comment=DMZ connection-mark=dmz
add action=masquerade chain=srcnat out-interface=wan-pppoe
# IPsec identity, static route, management services, PPP account, clock/NTP
# and graphing.
/ip ipsec identity
# Pre-shared-key identity for peer1. remote-id=ignore skips the remote ID
# check, so the strength of the redacted secret is what protects phase 1.
add generate-policy=port-override peer=peer1 remote-id=ignore secret=XXX
/ip route
# Remote network 192.168.20.0/24 is reached via 172.16.30.2, the far end of
# the /30 assigned to the GRE tunnel.
add distance=1 dst-address=192.168.20.0/24 gateway=172.16.30.2 pref-src=192.168.10.2
/ip service
# Management plane: telnet, ftp, ssh, api and api-ssl are disabled; www and
# winbox accept only 192.168.10.0/24. That subnet also contains vpn-pool, so
# L2TP clients fall inside this limit.
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.10.0/24
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.10.0/24
set api-ssl disabled=yes
/ip ssh
# NOTE(review): allow-none-crypto=yes permits the "none" cipher for SSH. The
# ssh service is disabled above, so this is dormant, but set it to "no" so that
# re-enabling SSH later cannot yield unencrypted sessions.
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
# One L2TP account (name and password redacted) bound to the l2tp profile.
add name=XXX password=XXX profile=l2tp service=l2tp
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=ROUTER
/system ntp client
# Time comes from an internal server first, then a public one; accurate time
# matters for log correlation.
set enabled=yes primary-ntp=192.168.10.1 secondary-ntp=91.206.16.3
/tool graphing interface
# Graphs for wan-pppoe plus a default entry. NOTE(review): no allow-address is
# shown on these entries; presumably access depends on the www limit above -
# confirm.
add interface=wan-pppoe
add
/tool graphing resource
add
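# MAC-layer management: MAC-Telnet and MAC-Winbox are allowed only on the
# interface lists "mactel" and "mac-winbox"; per /interface list member, each
# list contains just the bridge.
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
# The list name must match "mac-winbox" as defined under /interface list; the
# pasted export carried a stray trailing "]" here.
set allowed-interface-list=mac-winbox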