haris013

wireguard low performance at rb5009

Mon Apr 01, 2024 8:33 pm

Hello,

This is another WireGuard performance thread. I have a strange problem when connecting from my laptop WireGuard peer to my RB5009 at the office.

I use my laptop, which is connected with an Ethernet cable to a Chateau LTE18 using an LTE connection (~100 Mbps down / ~70 Mbps up).

I connect with WireGuard to my office, also using 0.0.0.0/0 in the allowed addresses in order to "take" my office public IP and route all my laptop's traffic through the office.

My office has a connection with 200 Mbps down and 20 Mbps up (point-to-point public IP connection over VDSL).

The MTU on the WireGuard interface at the RB5009 is 1420.

My speed from my laptop when connected over WireGuard is 1 Mbps down and 19 Mbps up.

I can't find why I have such poor performance on download speeds while the upload is fine.

I thought it was an MTU issue, but I tried several values without any change; the download speed is very low compared to the upload speed.

When I check the WireGuard interface on the RB5009 I get many TX errors, around 1617 errors at the moment, while RX errors are 0.

Below is my MikroTik config:
/interface bridge
add admin-mac=DC:2C:6E:3B:C7:89 auto-mac=no comment=defconf name=bridge.LAN \
    priority=0x1000
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=10.0.0.100-10.0.0.199
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge.LAN lease-time=1w1d name=dhcp1
/queue type
set 0 kind=sfq
add kind=sfq name=qos
/queue tree
add bucket-size=0.01 max-limit=190M name=DOWN parent=bridge.LAN queue=default
add name="1. VOIP" packet-mark=VOIP parent=DOWN priority=1 queue=default
add name="2. DNS" packet-mark=DNS parent=DOWN priority=2 queue=default
add name="3. ACK" packet-mark=ACK parent=DOWN priority=3 queue=default
add name="4. UDP" packet-mark=UDP parent=DOWN priority=3 queue=default
add name="5. ICMP" packet-mark=ICMP parent=DOWN priority=4 queue=default
add name="6. HTTP" packet-mark=HTTP parent=DOWN priority=5 queue=default
add name="7. HTTP_BIG" packet-mark=HTTP_BIG parent=DOWN priority=6 queue=\
    default
add name="8. QUIC" packet-mark=QUIC parent=DOWN priority=7 queue=default
add name="9. OTHER" packet-mark=OTHER parent=DOWN queue=default
add bucket-size=0.01 max-limit=20M name=UP parent=ether1 queue=default
add name="1. VOIP_" packet-mark=VOIP parent=UP priority=1 queue=default
add name="2. DNS_" packet-mark=DNS parent=UP priority=2 queue=default
add name="3. ACK_" packet-mark=ACK parent=UP priority=3 queue=default
add name="4. UDP_" packet-mark=UDP parent=UP priority=3 queue=default
add name="5. ICMP_" packet-mark=ICMP parent=UP priority=4 queue=default
add name="6. HTTP_" packet-mark=HTTP parent=UP priority=5 queue=default
add name="7. HTTP_BIG_" packet-mark=HTTP_BIG parent=UP priority=6 queue=\
    default
add name="8. QUIC_" packet-mark=QUIC parent=UP priority=7 queue=default
add name="9. OTHER_" packet-mark=OTHER parent=UP queue=default
/interface bridge port
add bridge=bridge.LAN comment=defconf interface=ether3
add bridge=bridge.LAN comment=defconf interface=ether4
add bridge=bridge.LAN comment=defconf interface=ether5
add bridge=bridge.LAN comment=defconf interface=ether6
add bridge=bridge.LAN comment=defconf interface=ether7
add bridge=bridge.LAN comment=defconf interface=ether8
add bridge=bridge.LAN comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes
/interface list member
add comment=defconf interface=bridge.LAN list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=172.16.10.2/32 interface=wireguard1 \
    public-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
add allowed-address=172.16.10.3/32 interface=wireguard1 \
    public-key="xxxxxxxxxxxxxxxxxxxxxxxx"
/ip address
add address=10.0.0.1/24 comment=defconf interface=bridge.LAN network=10.0.0.0
add address=XXXXXXXXX interface=ether1 network=XXXXXXXXX
add address=172.16.10.1/24 interface=wireguard1 network=172.16.10.0
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip firewall address-list
add address=voips.modulus.gr list="Modulus SIP"
/ip firewall filter
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port Scanners to list" \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
    tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=accept chain=input comment="WG VPN Rule" dst-port=51820 protocol=\
    udp
add action=accept chain=input comment="VPN Allow Rules" dst-port=1701 \
    protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input src-address-list="port scanners"
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting comment=DNS connection-state=new \
    new-connection-mark=DNS passthrough=yes port=53 protocol=udp
add action=mark-packet chain=prerouting connection-mark=DNS new-packet-mark=\
    DNS passthrough=no
add action=mark-connection chain=postrouting connection-state=new \
    new-connection-mark=DNS passthrough=yes port=53 protocol=udp
add action=mark-packet chain=postrouting connection-mark=DNS new-packet-mark=\
    DNS passthrough=no
add action=mark-connection chain=prerouting comment="VOIP GW" \
    new-connection-mark=VOIP passthrough=yes src-address-list="Modulus SIP"
add action=mark-connection chain=prerouting comment=VOIP new-connection-mark=\
    VOIP passthrough=yes port=\
    6050,5090,5060-5062,50000-50019,50020-50039,50040-50059,9000-10999 \
    protocol=udp
add action=mark-packet chain=prerouting connection-mark=VOIP new-packet-mark=\
    VOIP passthrough=no
add action=mark-connection chain=prerouting comment=QUIC connection-state=new \
    new-connection-mark=QUIC passthrough=yes port=80,443 protocol=udp
add action=mark-packet chain=prerouting connection-mark=QUIC new-packet-mark=\
    QUIC passthrough=no
add action=mark-connection chain=prerouting comment=UDP connection-state=new \
    new-connection-mark=UDP passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=UDP new-packet-mark=\
    UDP passthrough=no
add action=mark-connection chain=prerouting comment=ICMP connection-state=new \
    new-connection-mark=ICMP passthrough=yes protocol=icmp
add action=mark-packet chain=prerouting connection-mark=ICMP new-packet-mark=\
    ICMP passthrough=no
add action=mark-connection chain=postrouting connection-state=new \
    new-connection-mark=ICMP passthrough=yes protocol=icmp
add action=mark-packet chain=postrouting connection-mark=ICMP \
    new-packet-mark=ICMP passthrough=no
add action=mark-packet chain=postrouting comment=ACK new-packet-mark=ACK \
    packet-size=0-123 passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=prerouting new-packet-mark=ACK packet-size=0-123 \
    passthrough=no protocol=tcp tcp-flags=ack
add action=mark-connection chain=prerouting comment=HTTP connection-mark=\
    no-mark connection-state=new new-connection-mark=HTTP passthrough=yes \
    port=80,443 protocol=tcp
add action=mark-connection chain=prerouting connection-bytes=5000000-0 \
    connection-mark=HTTP connection-rate=2M-200M new-connection-mark=HTTP_BIG \
    passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=HTTP_BIG \
    new-packet-mark=HTTP_BIG passthrough=no
add action=mark-packet chain=prerouting connection-mark=HTTP new-packet-mark=\
    HTTP passthrough=no
add action=mark-connection chain=prerouting comment=OTHER connection-state=\
    new new-connection-mark=POP3 passthrough=yes port=995,465,587 protocol=\
    tcp
add action=mark-packet chain=prerouting connection-mark=POP3 new-packet-mark=\
    OTHER passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    new-connection-mark=OTHER passthrough=yes
add action=mark-packet chain=prerouting connection-mark=OTHER \
    new-packet-mark=OTHER passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
add action=drop chain=prerouting dst-port=53 in-interface-list=WAN log=yes \
    log-prefix="WAN DNS" protocol=udp
/ip firewall service-port
set sip disabled=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=XXXXXXXXX routing-table=\
    main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" disabled=yes list=\
    bad_ipv6
add address=::1/128 comment="defconf: lo" disabled=yes list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" disabled=yes list=\
    bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" disabled=yes \
    list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" disabled=yes list=bad_ipv6
add address=100::/64 comment="defconf: discard only " disabled=yes list=\
    bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" disabled=yes list=\
    bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" disabled=yes list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" disabled=yes list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMPv6" disabled=yes \
    protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    disabled=yes port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." disabled=yes dst-port=\
    546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" disabled=yes \
    dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" disabled=yes \
    protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" disabled=\
    yes protocol=ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" disabled=yes \
    ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" disabled=yes \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" disabled=yes src-address-list=\
    bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" disabled=yes dst-address-list=\
    bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    disabled=yes hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" disabled=yes \
    protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" disabled=yes \
    protocol=139
add action=accept chain=forward comment="defconf: accept IKE" disabled=yes \
    dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" disabled=\
    yes protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" disabled=\
    yes protocol=ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" disabled=yes \
    ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" disabled=yes \
    in-interface-list=!LAN
/snmp
set enabled=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
And this is my peer configuration for WireGuard:
[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ListenPort = 51820
Address = 172.16.10.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 10.0.0.0/24, 172.16.10.1/32, 0.0.0.0/0
Endpoint = xxxxxxxxx:51820
Any ideas about the poor performance? Resource usage on the RB5009 is almost 0% CPU; I checked all cores and nothing goes above 5% when I am connected with WireGuard and run a speed test.
haris013

Re: wireguard low performance at rb5009

Tue Apr 02, 2024 7:17 pm

Any ideas where to start searching for the issue?
CGGXANNX

Re: wireguard low performance at rb5009

Tue Apr 02, 2024 8:21 pm

The download speed to your laptop will be limited by the 20 Mbps upload capacity of your office, so don't expect download speeds above that.

In your /ip firewall filter table, you should move the rule

add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked

to the top of the input chain, before the rules checking for "port scanners". In fact, you should remove all those "port scanners" rules on the "input" chain because they are useless and only consume resources. Those rules only check for TCP connection attempts to then potentially add the "bad guys" to the "port scanners" list and later drop them. But your input chain only has a few exceptions for UDP ports and otherwise already drops all other connection attempts from WAN, which includes all TCP connection attempts with this rule:

add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN

Then, you can temporarily disable all the mangle rules to see whether the issue is caused by all the packet marking rules and the queues. WireGuard uses UDP and will be affected by the UDP packet and connection markings.

Currently, when the router "uploads" something into the WireGuard interface (for the laptop to download), the packets have to go through the list of mangle rules, although the resulting markings are not used at all. There is no "UP" queue tree with parent=wireguard1, only for ether1. If you want to keep the queues and mangle rules, you should probably add two action=accept rules for prerouting and postrouting at the very top of the mangle table to skip processing for everything with dst-address=172.16.10.0/24.
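The changes suggested in this reply, written out as RouterOS CLI commands. This is an added example, not part of the thread; it assumes the rule comments, the "port scanners" address-list name and the 172.16.10.0/24 tunnel subnet exactly as they appear in the posted config, and the comment text on the new mangle rules is my own choice.

```routeros
# Added example: apply the suggested firewall changes on the RB5009.
# Assumes the comments and list names from the config posted above.

# 1. Move the established/related/untracked accept rule to the top of the
#    input chain, so return traffic never walks through the psd/tcp-flags rules.
/ip firewall filter move \
    [find chain=input comment="defconf: accept established,related,untracked"] \
    destination=0

# 2. Remove the "port scanners" detection rules and the drop rule that uses
#    the list; "defconf: drop all not coming from LAN" already drops every
#    unsolicited TCP connection attempt from WAN.
/ip firewall filter remove [find chain=input address-list="port scanners"]
/ip firewall filter remove [find chain=input src-address-list="port scanners"]

# 3. Quick isolation test: disable every mangle rule, repeat the speed test,
#    then re-enable them (uncomment the second line when done).
/ip firewall mangle disable [find]
# /ip firewall mangle enable [find]

# 4. If the queues and marks are kept, skip marking for traffic headed into
#    the tunnel: accept rules placed at position 0 of prerouting and postrouting.
/ip firewall mangle add chain=prerouting action=accept \
    dst-address=172.16.10.0/24 comment="skip marking for WireGuard clients" \
    place-before=0
/ip firewall mangle add chain=postrouting action=accept \
    dst-address=172.16.10.0/24 comment="skip marking for WireGuard clients" \
    place-before=0
```

After step 4, confirm with `/ip firewall mangle print` that the two accept rules sit at positions 0 and 1 and that their packet counters increase during a download through the tunnel.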
