Why your TP-Link router caps your gigabit
(and the settings that actually matter)
TP-Link's hardware acceleration is silent about which features turn it off. If your Archer reads near-gigabit at the WAN but devices crawl, or your Deco mesh dropped speeds after a firmware update, the cause is almost certainly something in the HomeShield panel.
The pattern, in one paragraph
TP-Link Archer routers (AX55, AX73, AX5400, AX95 and similar) and Deco mesh systems (X20, X60, X75, XE75 and others) all run a Broadcom or MediaTek SoC with hardware NAT acceleration — typically labeled "NAT Boost" or "Flow Control" in the TP-Link admin panel. With acceleration on, they deliver gigabit speeds comfortably. With acceleration off, the CPU forwards every packet in software and tops out around 400–600 Mbps depending on the model.
Several features quietly switch off NAT Boost when enabled. TP-Link doesn't surface the trade. This article walks through each one in priority order.
Check this first: is NAT Boost even on?
On most Archer routers, hardware acceleration has an explicit toggle. It's usually buried under Advanced → System Tools → System Parameters → NAT Boost or, on older firmware, Advanced → NAT Forwarding → NAT Boost. On Deco systems, the equivalent is "Fast Roaming" plus whatever the model labels as Flow Control, accessible through the Deco mobile app under Advanced settings.
Confirm it's enabled before walking the rest of the checklist. If NAT Boost is off and you don't know why, one of the features below disabled it. If it's on and you're still capping at half speed, you have a different problem — possibly hardware (see the upgrade section below).
The 7 features that disable NAT Boost (or silently throttle throughput)
HomeShield
HomeShield tab → Network Security · Malicious Content Filter · Intrusion Prevention SystemHomeShield is TP-Link's recurring-revenue security suite (basic features free, premium tier $35/year). Like ASUS AiProtection, it does deep packet inspection on every flow, which forces traffic onto the CPU's slow path.
Disable the network security toggles individually. If you want to keep DDoS protection (which is light) but disable IPS (heavy), do that selectively. Or move security to a DNS-based filter like NextDNS or Quad9, which doesn't bottleneck routing.
Biggest single recoverable factor on Archer routers. Often a 40-50% throughput jump.
QoS (Quality of Service)
Advanced → QoS · or HomeShield → QoS on newer firmwareTP-Link's QoS classifies traffic by application — gaming, streaming, browsing, work — and requires inspection of each flow. Disables NAT Boost completely.
Turn QoS off entirely unless you actively use it. The 'Smart Connect' band steering setting is separate and unrelated; you can leave that on.
Significant. 20-30% gain on top of HomeShield disablement.
Parental Controls
Advanced → Parental ControlsTracks per-device DNS lookups and applies time-based or content-based filtering. Same DPI cost as HomeShield.
Disable per-device. If you need parental controls for one specific device, run them on the device itself (Apple Screen Time, Google Family Link) — that doesn't cost router throughput.
Moderate. Bigger impact on routers with many monitored devices.
AI-Driven Mesh (Deco) / Self-Optimizing networks
Deco app → More → Advanced → Smart antenna / Mesh roamingSome Deco firmware versions monitor per-device signal quality continuously and re-route. The monitoring overhead is modest, but the re-routing decisions sometimes move devices to weaker satellite nodes during heavy traffic, capping throughput.
On Deco specifically: try disabling 'Beamforming' or 'Smart Antenna' if your model exposes the toggle, and check whether devices are anchored to a weaker satellite. Use the Deco app's signal-quality view to see which satellite each device is connected to.
Mesh-specific. Less about hardware acceleration, more about steering devices to underpowered satellites.
VPN Server / VPN Client
Advanced → VPN Server (or VPN Client on newer Archer / Deco firmware)Encryption isn't hardware-accelerated on most TP-Link consumer routers. OpenVPN tops out around 50–100 Mbps; WireGuard does better (200–400 Mbps) but still consumes the CPU that NAT Boost otherwise frees up.
Disable if unused. If you need VPN service, run it on the device, not the router. Routers with built-in VPN handle low-bandwidth use cases fine but are not gigabit-friendly.
Variable; only affects you while a VPN session is active.
Recent firmware regressions
System Tools → Firmware Upgrade (Archer) or About → Firmware Version (Deco)TP-Link's firmware quality varies. The Archer AX55 had a documented regression in 1.2.x builds where Smart Connect broke 5 GHz steering. Several Deco firmware versions have introduced AI-driven 'optimizations' that quietly throttle the gateway under certain conditions.
Check the TP-Link community forum and Reddit's r/HomeNetworking for known issues with your specific firmware version. If a known regression exists and a fix is in beta, weigh the trade-off. Don't update firmware just because the dashboard tells you to — read the changelog.
Highly version-dependent. Often the answer when 'it used to be fast and now it isn't.'
Mesh oversaturation (Deco specific)
Physical inspection of your Deco satellite placement.Adding more Deco units doesn't always improve coverage. In small spaces, too many satellites create wireless oversaturation — overlapping coverage areas force devices to ping-pong between satellites and can drop aggregate throughput below what a single unit would deliver.
Try removing the satellite you added most recently. Re-test. If throughput recovers or signal quality stays fine on the remaining nodes, the extra mesh unit was hurting more than helping. Wired ethernet backhaul, where possible, sidesteps this entirely.
Deco-specific. Real and counterintuitive — adding mesh nodes can make Wi-Fi worse.
How to verify each fix
One feature at a time. Toggle it off, wait 30 seconds for the router to settle, run a speed test from a wired device. Two reasons for the methodical approach: you find out which feature actually mattered, and you don't disable a setting you needed without realizing it.
- Run a baseline. Wired connection from a laptop to the Archer or Deco's LAN port. Use Cloudflare Speed Test plus your ISP's official test.
- Disable the next feature on the checklist. Wait 30 seconds. Re-test.
- If throughput jumped, that feature was the cost. Decide whether you actually need it back.
- Once the throughput cap is gone, run the StabilityPulse stability test. The speed test confirms bandwidth recovery; the stability test confirms you didn't introduce bufferbloat by disabling QoS.
The HomeShield trade-off, honestly
HomeShield does block some real threats. The free tier catches known-malicious domains and obvious phishing; the paid tier adds intrusion prevention rules and device-level controls. If you disable it, you're losing a layer of defense — not a critical one, but a real one.
The alternatives that don't cost throughput:
- DNS-level filtering. NextDNS or Quad9 in the router's DNS settings blocks malicious domains at query time. Free, runs upstream, zero CPU cost on the router. Catches most of what HomeShield catches.
- Pi-hole or AdGuard Home. Self-hosted on a Raspberry Pi or container. More control, more visibility, no router-side overhead.
- Browser-level filtering. uBlock Origin and similar handle most consumer-side threats and don't compete with routing for CPU.
Disabling HomeShield to recover throughput is a fair trade if you replace it with one of these. It's a worse trade if you just disable it and walk away.
When tuning isn't enough
If you've worked through all seven items and your Archer or Deco is still capping you below the line, the hardware itself is probably the limit. TP-Link's Archer line has wide quality variance — the AX55 is a budget router that tops out around 700 Mbps even with everything optimized; the AX95 and BE800 handle gigabit cleanly. The Deco line follows the same pattern: X20 caps around 600 Mbps per node; BE65 and beyond handle multi-gig.
Upgrade paths:
- Within TP-Link's standalone Archer line: Archer BE800 (affiliate). Wi-Fi 7, dual 10 GbE ports. Overkill for 1 Gbps service, appropriate for 2 Gbps+.
- Within TP-Link's Deco mesh line: Deco BE65 (affiliate). Wi-Fi 7 mesh with 2.5 GbE backhaul. The right call if you need both coverage and modern throughput.
- Different ecosystem entirely: ASUS RT-BE96U (affiliate). If you're frustrated with HomeShield's recurring-revenue model and like the option of community firmware (Asuswrt-Merlin), the ASUS path is worth considering. Standalone, not mesh — pair with an ethernet-backhauled setup if you need coverage.
Before any upgrade: confirm via the plan calculator that you actually need the bandwidth you're trying to deliver. Plenty of households on 1 Gbps service genuinely only need 300 Mbps, in which case the right answer isn't a new router — it's a downgrade and a refund.
Sibling reading
If you've ruled out router config but the same throughput cap pattern persists, the diagnostic tree branches:
- Single-device Wi-Fi only: Per-device Wi-Fi diagnosis.
- Sibling article for ASUS RT-AX routers: ASUS gigabit-cap walkthrough.
- Throughput is right but quality is wrong: Run the stability test.
- Throughput is wrong AND the ISP says it's fine: Escalation playbook.