Hi everyone, I have been having a great deal of trouble configuring the ERL for 1gig fiber with CenturyLink. I am decently familiar with networking concepts, but this is my first dive into Ubiquiti products (I usually work with Cisco). Any insight into my issue is greatly appreciated!
For reference, here is my network visually simulated in Packet Tracer:
So I recently configured the ERL for use with CenturyLink's fiber (PPPoE, vlan 201, etc.). After getting frustrated with setup, I eventually just used the WAN+2LAN2 wizard to do the initial setup. Note that I also only got the pppoe authentication to work once I dropped the vlan 201 interface (tried this many many times) and just put pppoe on the wan interface. Since getting it to actually work, I have been getting abysmal throughput...speedtests vary from as low as 1mb/s to a high of about 250mb/s up and down. It usually averages around 40 mb/s. Speedtest.net and CL's speedtest give me 900mb/s up/down, but they are literally the only ones...I have tried around 15 other tests that all rate me below 200mb/s.
I have searched these forums and Google for days trying to find solutions, and nothing has worked. On that note, I have enabled all offload that I can (pppoe, vlan, forwarding, gre, ipsec). I have a very simple firewall and a simple NAT configuration. I have 2 DHCP servers, one for my LAN and one for my WLAN. Other than that, I really have no other services running - CPU utilization stays >10%. All cables used are cat6 (cable to ONT is cat5e). I also use a Unifi AP AC Lite that may be interfering...should there be a switch between that and the LAN, or should I just put them on the same network?
I had a tech out here, but he pretty much just blew me off after the speedtest.net rating was normal. Again, any help is greatly appreciated! If you need any more information, please let me know...and by all means, feel free to call me out on my idiotic mistakes.
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            mss 1412
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description "Internet (PPPoE)"
        duplex auto
        pppoe 0 {
            default-route auto
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
            }
            mtu 1492
            name-server auto
            password ****************
            user-id xxxxxxxxxxxx
        }
        speed auto
    }
    ethernet eth1 {
        address 10.10.10.1/24
        description LAN
        duplex auto
        speed auto
    }
    ethernet eth2 {
        address 10.10.20.1/24
        description WLAN
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat disable
    wan-interface pppoe0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name DHCP-LAN {
            authoritative disable
            subnet 10.10.10.0/24 {
                default-router 10.10.10.1
                dns-server 10.10.10.1
                dns-server 8.8.8.8
                lease 86400
                start 10.10.10.100 {
                    stop 10.10.10.254
                }
            }
        }
        shared-network-name DHCP-WLAN {
            authoritative disable
            subnet 10.10.20.0/24 {
                default-router 10.10.20.1
                dns-server 10.10.10.1
                dns-server 8.8.8.8
                lease 86400
                start 10.10.20.101 {
                    stop 10.10.20.254
                }
                unifi-controller 10.10.20.100
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
            name-server 208.67.222.222
            name-server 208.67.220.220
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            log disable
            outbound-interface pppoe0
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        user fin {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            full-name Jake
            level admin
        }
        user tech {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            full-name "CL tech"
            level admin
        }
    }
    name-server 127.0.0.1
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
            gre enable
            pppoe enable
            vlan enable
        }
        ipv6 {
            forwarding enable
            pppoe enable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Chicago
}