Router tuning · ASUS RT-AX series

Why your ASUS gigabit router caps at 500 Mbps
(and the 8 settings that fix it)

If your ISP's speed test reads 900+ Mbps at the gateway but your devices cap at half on both wired and wireless, it's almost never the line. It's hardware NAT acceleration, and a feature you forgot you turned on has turned it off.

The symptom

Three things together identify this pattern almost perfectly:

  1. The speed test that runs on the router itself — the one in your ISP's app, or speedtest.xfinity.com if you're on Xfinity — reads close to your plan speed.
  2. Every device behind the router caps at roughly half that number, plus or minus.
  3. The cap holds whether the device is on Wi-Fi or wired Ethernet, and across multiple devices.

If your router is in the ASUS RT-AX family — RT-AX55, RT-AX58U, RT-AX82U, RT-AX86U, RT-AX88U, RT-AX92U, and several others — this is the textbook signature. It typically isn't the cable. It isn't the ISP. The router CPU is forwarding every packet in software because hardware NAT acceleration got switched off.

Why this happens

ASUS routers in the RT-AX line are built on Broadcom SoCs that include dedicated silicon for moving packets between interfaces. The acceleration paths have a few names — CTF (Cut-Through Forwarding), Flow Cache, runner — but the concept is the same: when the router doesn't need to look at a packet, it shouldn't have to copy it through the CPU. It can hand it off in hardware. That hardware path is what lets a $200 home router move gigabit traffic without breaking a sweat.

The catch: any feature that wants to inspect packets forces the router to take the slow path. AsusWRT silently disables the hardware accelerator whenever you enable certain features, and most users have no idea that's the trade. Software forwarding on the BCM4908 (RT-AX86U) tops out around 400–700 Mbps depending on which features are running, which is why "capped at half my plan" is so consistent — it's the CPU's ceiling, not the line's.

The fix is mostly identifying which features you actually need versus which ones are silently costing you half your bandwidth. Eight features are the usual suspects.

The 8 features to check

01

AiProtection (Trend Micro)

Menu path: AiProtection → Network Protection · Malicious Sites Blocking · Two-Way IPS · Infected Device Prevention
Why it hurts

Single biggest culprit. Inspects every flow against Trend Micro's threat feed. Disables CTF completely on most firmware versions.

Fix

Toggle off all three AiProtection sub-features. Don't leave any of them enabled hoping it'll preserve acceleration — it won't.

Expected recovery

Often the full gap. Many users report their wired throughput jumps from ~500 to 900+ Mbps with no other change.

02

Adaptive QoS

Menu path: QoS → Enable QoS toggle
Why it hurts

Disables CTF entirely. The deep packet inspection that classifies traffic into priority bands runs in software.

Fix

Turn QoS off entirely if you don't actively use it. If you do need bandwidth shaping, install Asuswrt-Merlin and use FlexQoS or SQM, which keep the hardware accelerator engaged for unclassified traffic.

Expected recovery

Another 30–40% on top of #1, in most cases.

03

Traffic Analyzer

Menu path: Traffic Analyzer → Statistics / Traffic Monitor
Why it hurts

Logs metadata for every flow. Smaller CPU hit than AiProtection but contributes when combined.

Fix

Disable the daily Statistics view. The basic Traffic Monitor is usually fine on stock firmware but check before assuming.

Expected recovery

A few percent. Worth it for completeness.

04

VPN Server

Menu path: VPN → VPN Server
Why it hurts

Encrypts the tunnel on the CPU. The RT-AX86U doesn't have AES offload for OpenVPN, and even WireGuard maxes out around 300–400 Mbps in real-world tests.

Fix

If you don't actively use it, turn it off. If you do, accept that the throughput cap is structural — VPN traffic will always be CPU-bound on this hardware.

Expected recovery

Variable. Only impacts you while a VPN session is active.

05

VPN Fusion / VPN Client

Menu path: VPN → VPN Fusion / VPN Client
Why it hurts

Same as #4. Routes selected traffic through a paid VPN provider on the CPU.

Fix

Turn off if unused. If you need it for one device, set up the VPN on the device itself rather than on the router.

Expected recovery

Variable; same conditions as #4.

06

Web History

Menu path: Adaptive QoS → Web History
Why it hurts

Logs every DNS lookup and HTTP request. DPI-class CPU cost on top of whatever QoS is already doing.

Fix

Disable. If you genuinely need device-level history, your DNS provider (NextDNS, Quad9, Pi-hole) does a better job and doesn't bottleneck routing.

Expected recovery

A few percent.

07

WAN Aggregation

Menu path: WAN → Internet Connection · WAN Aggregation toggle
Why it hurts

On some firmware versions of the RT-AX86U specifically, enabling WAN Aggregation introduces a bug that caps single-stream throughput. The official 2.5 Gbps WAN port works fine; the aggregation mode does not.

Fix

If your ISP doesn't actually deliver multi-gigabit and you don't need aggregation, leave it off. If you need it, check your firmware version against the ASUS forums for known regressions.

Expected recovery

Up to half the line speed if you've hit the bug.

08

Outdated firmware (or unwanted firmware regressions)

Menu path: Administration → Firmware Upgrade
Why it hurts

Specific firmware versions on the RT-AX86U and RT-AX88U have introduced throughput regressions. The current stable build sometimes performs worse than a build from six months ago.

Fix

Check the ASUS support forum for your specific model's known issues. Consider Asuswrt-Merlin — a community firmware that tracks ASUS releases but ships with better SQM implementations and clearer documentation about which features impact acceleration.

Expected recovery

Highly version-dependent. Worth checking before assuming the issue is configuration.

How to verify the fix

Do the changes one at a time. Disable one feature, then run a speed test. Two reasons: you find out which feature actually cost you, and you don't break a security setting you didn't realize you needed.

  1. Run a baseline. Use Cloudflare Speed Test or your ISP's official test, on a wired device, plugged directly into one of the router's LAN ports.
  2. Disable the next feature on the checklist. Wait 30 seconds for the router to settle. Run the test again.
  3. If throughput recovered, that feature was costing you bandwidth. Decide whether you actually need it back.
  4. If throughput didn't change, re-enable the feature and move on. Don't leave a defense turned off that you didn't need to disable.
  5. When you're done, run the StabilityPulse stability test. The throughput recovery confirms you fixed the bandwidth cap; the stability test confirms you didn't introduce bufferbloat or jitter while disabling QoS.
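
The one-at-a-time procedure above, as an added example (not part of the original article): a Python helper that takes the speed-test readings you recorded at each step and sorts the features into "leave off", "turn back on", and "replace at another layer". The feature names and replacement options come from this article; the readings, the 10% threshold, the three-run minimum and the function name `triage` are assumptions made for the example.

```python
from statistics import median

# Constructed sample readings in Mbps (not measurements from the article):
# three wired runs at baseline, then three after each feature is disabled.
BASELINE = [492, 505, 498]
STEPS = [
    ("AiProtection",     [640, 38, 655]),   # one run hit a bad test server
    ("Adaptive QoS",     [921, 930, 915]),
    ("Traffic Analyzer", [925, 918, 929]),
    ("Web History",      [912, 927, 920]),
]

# Features the article calls a real layer of defense, and where it suggests
# moving that defense if the feature stays off.
REPLACEMENT = {
    "AiProtection": "DNS-level filtering, Pi-hole/AdGuard Home, or a browser extension",
}

def triage(baseline, steps, min_gain=0.10):
    """Return (keep_off, re_enable, needs_replacement, final_mbps).

    A feature counts as costly only if disabling it raised the median by more
    than min_gain (an assumed 10%) over the current reference. Using the
    median of several runs keeps one bad run from deciding the outcome.
    """
    reference = median(baseline)
    keep_off, re_enable, needs_replacement = [], [], []
    for feature, runs in steps:
        if len(runs) < 3:
            raise ValueError(f"{feature}: record at least 3 runs per step")
        step_median = median(runs)
        gain = (step_median - reference) / reference
        if gain > min_gain:
            keep_off.append((feature, round(gain * 100)))
            reference = step_median      # feature stays off from here on
            if feature in REPLACEMENT:
                needs_replacement.append((feature, REPLACEMENT[feature]))
        else:
            re_enable.append(feature)    # no measurable cost: turn it back on
    return keep_off, re_enable, needs_replacement, reference

if __name__ == "__main__":
    keep_off, re_enable, needs_replacement, final = triage(BASELINE, STEPS)
    print("Leave off (gain %):", keep_off)
    print("Re-enable:", re_enable)
    print("Replace at another layer:", needs_replacement)
    print("Final median Mbps:", final)
```

The reference moves only when a feature is left off, so each later step is compared against the configuration actually running at that point rather than against the original baseline.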

The honest security trade-off

Disabling AiProtection isn't free. Trend Micro's threat feed is actually pretty good at blocking known-bad domains, and the intrusion-prevention rules catch some classes of inbound attack. If you turn it all off and don't replace it with anything, you lose a real layer of defense.

The alternatives that don't bottleneck routing:

  • DNS-level filtering. NextDNS or Quad9 at the router's DNS setting blocks malicious domains before the connection happens. Free, runs upstream, no CPU cost on your router.
  • Pi-hole or AdGuard Home. If you're comfortable running a Raspberry Pi or container, you get more control over what's blocked and visibility into who's connecting where.
  • Browser-level extensions. uBlock Origin catches most of the same threats AiProtection blocks at the network level, and doesn't cost you any router CPU.

Pick one. The point is that "I disabled AiProtection to recover throughput" doesn't have to mean "I'm running naked" — it means you've moved the defense to a layer that isn't competing with your bandwidth for CPU cycles.

When tuning isn't enough

If you've worked through all 8 features and you're still capped well below your line speed, the router itself has probably hit its hardware ceiling for your plan. The RT-AX86U is rated for gigabit and delivers that comfortably with acceleration engaged. It is not rated for 2 Gbps service, and no amount of feature disabling will get it there.

The honest upgrade paths:

  • Same family, refreshed silicon: ASUS RT-AX86U Pro (affiliate). Same form factor, faster CPU, handles 2 Gbps with acceleration on.
  • Wi-Fi 7 upgrade: ASUS RT-BE96U (affiliate). 10 GbE WAN, MLO, the works. Overkill for most homes but the right call if you're on 5 Gbps fiber.
  • Mesh, with wired Ethernet backhaul: ASUS ZenWiFi BT (affiliate). If coverage is the actual issue and the throughput cap is secondary, a wired-backhauled mesh moves the problem.

Before you spend money, though: the plan calculator will tell you whether you even need the higher tier you're hitting the cap on. The number of households paying for 2 Gbps and capping at 500 Mbps because of router config — and who would be perfectly served by a downgrade to the 500 Mbps tier they're already getting — is non-trivial.

A note on why this article exists

ASUS won't tell you that AiProtection halves your throughput. The product manager wants AiProtection enabled — it's a marketing feature, a recurring relationship with Trend Micro, and a checkbox in the box copy. The router engineering team knows about the acceleration cost; the documentation doesn't surface it.

That gap is the reason this article exists. If you found it useful, the StabilityPulse stability test is the next thing to run — once your throughput's back, the next question is whether the line is stable enough for calls.