Unifi UAP-AC-LITE in "Router-on-a-stick" mode gives bad throughput

I have a Unifi UAP-AC-LITE running the latest OpenWrt 23.05.3 in dumb AP mode, since it only has 1 PoE ethernet port.

Today I converted this to router-on-a-stick mode, behind a Netgear managed switch, with the 5G wifi attached to the LAN side (br-lan device on eth0.33), and I noticed the 5G wifi throughput dropped pretty badly.

Dumb AP mode 5G wifi speedtest: ~330Mbps both upload and download

Router-on-a-stick: 5G wifi speedtest Download ~85Mbps, upload ~110Mbps. Lan port speedtest is still tbd.

Is the 70% speed drop expected?

Any recommendation how can I improve it?

Or am I asking too much from UAP-AC-LITE?

Sounds like you had a decent router before. Why do you want to move the routing into the ap?

Yes, you are probably asking too much from the AP, but we can review your configuration to ensure that there are no errors and that it is reasonably optimized within its capabilities.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

ubus call system board

root@openwrt-252:~# ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "openwrt-252",
        "system": "Qualcomm Atheros QCA956X ver 1 rev 0",
        "model": "Ubiquiti UniFi AC Lite",
        "board_name": "ubnt,unifiac-lite",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "ath79/generic",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}

cat /etc/config/network

root@openwrt-252:~# cat /etc/config/network

# /etc/config/network as posted. Besides loopback it defines three bridge
# devices (br-lan, br-lan2, br-lan3) and four logical interfaces
# (lan, wan, wan2, wan33). All wired traffic uses VLAN sub-devices of eth0.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'aaaa:bbbb:cccc::/48'

# Bridge behind the lan interface; IPv6 is switched off on it.
# NOTE(review): the post describes br-lan as sitting on eth0.33, but the only
# port listed here is eth0.3 - confirm which VLAN ID is intended.
config device
        option name 'br-lan'
        option type 'bridge'
        option ipv6 '0'
        option bridge_empty '1'
        list ports 'eth0.3'

# Bridge shared by the wan and wan2 interfaces below; its wired port is eth0.2.
# The macaddr value looks like a redaction placeholder - TODO confirm.
config device
        option type 'bridge'
        option name 'br-lan2'
        option bridge_empty '1'
        option ipv6 '0'
        option mtu '1500'
        option txqueuelen '1000'
        option macaddr '11:22:33:44:55:66'
        list ports 'eth0.2'

# Routed LAN side, static 192.168.252.252/24 on br-lan.
# NOTE(review): "option type bridge" inside an interface section is the older
# syntax; br-lan is already declared as a bridge device above, so this line is
# presumably redundant - confirm before removing.
config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.252.252'
        option netmask '255.255.255.0'
        option device 'br-lan'
        option type 'bridge'

# Upstream side, static 192.168.153.252/24 with 192.168.153.254 as gateway.
# The same "option type bridge" remark as on lan applies here.
config interface 'wan'
        option device 'br-lan2'
        option proto 'static'
        option gateway '192.168.153.254'
        list dns '9.9.9.9'
        list dns '149.112.112.112'
        list ipaddr '192.168.153.252/24'
        option type 'bridge'

# Second logical interface on the same br-lan2 device as wan: a DHCP client
# running next to the static address.
# NOTE(review): two interfaces on one device means two firewall zones can match
# the same ingress traffic - check how the firewall config treats wan vs wan2.
config interface 'wan2'
        option proto 'dhcp'
        option device 'br-lan2'
        option hostname 'openwrt-252-B'

# No "list ports" entry, so no wired port is a member of this bridge.
config device
        option type 'bridge'
        option name 'br-lan3'
        option bridge_empty '1'

# Static 10.0.0.1/24 on br-lan3.
# NOTE(review): a gateway is set on a bridge that has no wired port, so
# 10.0.0.254 would have to be reachable over wifi - verify that this extra
# default route is intended.
config interface 'wan33'
        option proto 'static'
        option device 'br-lan3'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        option gateway '10.0.0.254'

cat /etc/config/wireless

root@openwrt-252:~# cat /etc/config/wireless'

# /etc/config/wireless as posted: two radios and four AP interfaces.
# radio0 is the 5 GHz radio (channel 36, VHT80). Three of the AP interfaces
# below (default_radio0, wifinet4, wifinet6) are attached to it.
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option band '5g'
        option cell_density '0'
        option country 'US'
        option channel '36'
        option htmode 'VHT80'
        option txpower '23'

# SSID lan-5g, attached to the routed lan network, WPA2-PSK (psk2).
# The key shown is presumably a redaction placeholder; if it is the literal
# passphrase it should be replaced - TODO confirm.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option encryption 'psk2'
        option key 'password'
        option mode 'ap'
        option ssid 'lan-5g'
        # NOTE(review): WMM is disabled on this SSID only. 802.11n/ac rates
        # depend on WMM, so clients here presumably fall back to legacy rates,
        # which is consistent with lan-5g being the slowest SSID in the
        # speedtest table of the post. Confirm by removing this option.
        option wmm '0'

# radio1 is the 2.4 GHz radio (HT20, automatic channel selection).
config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option band '2g'
        option cell_density '0'
        option country 'US'
        option channel 'auto'
        option txpower '20'
        option htmode 'HT20'

# SSID wan2-5g on radio0, attached to network wan2. In the network config wan2
# uses br-lan2, the same bridge as the upstream wan interface, so these clients
# are presumably bridged to the upstream segment rather than routed by this
# device - which would explain why this SSID reaches dumb-AP throughput.
# NOTE(review): that also places wifi clients directly on the upstream network;
# confirm this is intended.
config wifi-iface 'wifinet4'
        option device 'radio0'
        option mode 'ap'
        option ssid 'wan2-5g'
        option encryption 'psk2'
        option key 'password'
        option network 'wan2'

# SSID wan3-backup-2g on radio1 (2.4 GHz), attached to network wan33.
config wifi-iface 'wifinet5'
        option device 'radio1'
        option mode 'ap'
        option ssid 'wan3-backup-2g'
        option encryption 'psk2'
        option key 'password'
        option network 'wan33'

# SSID wan3-5g on radio0, attached to network wan33 like wifinet5.
config wifi-iface 'wifinet6'
        option device 'radio0'
        option mode 'ap'
        option ssid 'wan3-5g'
        option encryption 'psk2'
        option key 'password'
        option network 'wan33'

cat /etc/config/dhcp

root@openwrt-252:~# cat /etc/config/dhcp

# /etc/config/dhcp as posted.
# dnsmasq instance: noresolv is set, so only the "list server" entries are used
# as upstreams. Three of them are ports on 127.0.0.1 (what listens there is not
# shown in the post) and pool.ntp.org is sent to 8.8.8.8. cachesize 0 turns the
# dnsmasq cache off; rebind_protection and filter_aaaa are enabled.
config dnsmasq 'main_dns'
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option sequential_ip '1'
        option noresolv '1'
        option rebind_localhost '1'
        option authoritative '1'
        option nonegcache '1'
        option cachesize '0'
        list server '127.0.0.1#5252'
        list server '127.0.0.1#5353'
        list server '127.0.0.1#5454'
        list server '/pool.ntp.org/8.8.8.8'
        option filter_aaaa '1'

# DHCPv4 server for the lan interface, 60 minute leases.
# dhcp_option 3 hands out 192.168.252.252 as router and dhcp_option 6 hands out
# 9.9.9.9 / 149.112.112.112 as DNS servers.
# NOTE(review): lan clients are pointed at external resolvers, so they
# presumably never query the dnsmasq instance above and its rebind protection
# and AAAA filtering do not cover them - confirm this is intended.
config dhcp 'lan'
        option interface 'lan'
        option dhcpv4 'server'
        list dhcp_option '3,192.168.252.252'
        list dhcp_option '6,9.9.9.9,149.112.112.112'
        option leasetime '60m'
        option start '2'
        option limit '100'
        option force '1'

# ignore is set, so no DHCP service is offered on wan; the start, limit and
# leasetime values below have no effect while it stays set.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# DHCP pool for wan33 (10.0.0.1/24 in the network config), 12 hour leases.
# No dhcp_option entries are set for this pool.
config dhcp 'wan33'
        option interface 'wan33'
        option start '100'
        option limit '150'
        option leasetime '12h'

cat /etc/config/firewall

root@openwrt-252:~# cat /etc/config/firewall

# /etc/config/firewall as posted: four zones (lan, wan, wan2, wan3), two
# forwardings and a rule list in which only allow-luci and allow-ssh are active.
# Global policies: input, output and forward are all ACCEPT.
# NOTE(review): on a device that now routes, traffic that matches no zone falls
# back to these policies; REJECT for input and forward is the safer baseline -
# confirm nothing depends on the permissive setting.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

# Zone for the lan network, everything accepted.
# NOTE(review): masq is enabled on the lan zone as well, so traffic leaving
# towards lan clients is source-NATed; presumably unintended - confirm.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'lan'

# Zone for the static upstream interface: input and forward are rejected,
# masquerading and MSS clamping (mtu_fix) are on.
config zone
        option name 'wan'
        option input 'REJECT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option output 'ACCEPT'
        list network 'wan'

# Accepts destination port 80 from every zone (src is the wildcard) and, with
# no dest given, applies to traffic addressed to the device itself.
# NOTE(review): this opens the web interface over plain HTTP to the wan zone
# too. Presumably it should be limited to a management zone or source address
# (for example with src lan or a src_ip match) - confirm.
config rule
        option src '*'
        option dest_port '80'
        option target 'ACCEPT'
        option name 'allow-luci'

# Accepts port 22 from every zone to 192.168.153.252, which is the static wan
# address in the network config.
# NOTE(review): SSH is therefore reachable from the upstream side. If that is
# needed, restrict the source (src_ip) and use key-based authentication;
# otherwise limit the rule to the lan zone.
config rule
        option name 'allow-ssh'
        option src '*'
        list dest_ip '192.168.153.252'
        option dest_port '22'
        option target 'ACCEPT'

# The nine rules from Allow-DHCP-Renew through Allow-ISAKMP all carry
# enabled 0, so none of them is active in this configuration.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
        option enabled '0'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option enabled '0'

# lan clients may be forwarded out through the wan zone.
config forwarding
        option src 'lan'
        option dest 'wan'

# Zone for the wan2 interface, everything accepted, masquerading on.
# NOTE(review): in the network config wan2 uses br-lan2, the same device as the
# wan interface. With input ACCEPT here, the REJECT policy of zone wan may not
# be what actually applies to packets arriving on br-lan2. Inspect the
# generated ruleset (nft list ruleset) to see which zone matches first.
config zone
        option name 'wan2'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wan2'
        option masq '1'

# Zone named wan3 that covers the wan33 network (the names differ), everything
# accepted, masquerading on.
config zone
        option name 'wan3'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wan33'
        option masq '1'

# Clients in zone wan3 may be forwarded out through zone wan2.
config forwarding
        option src 'wan3'
        option dest 'wan2'

# Rule section with no options in the post - presumably cut off when pasted.
config rule

Speedtest Result

SSID Download Speed Upload Speed
lan-5g 23Mbps 33Mbps
wan2-5g 323Mbps 361Mbps
wan3-5g 84Mbps 168Mbps

I started to go through this with line-by-line suggestions... but then I realized there is too much going on to fix. I'd recommend resetting to defaults and then setting up just one lan and one wan, and that's it... testing from there.

Reset to defaults and post your configs here. Also tell us what VLAN and address/subnet you're designating for your lan and what is your wan (VLAN, DHCP or static, if static we need IP, subnet mask/size, DNS, and gateway).