I’ve got several identical installations with different MikroTik devices.
I’m doing the same speed test:
“My client device”(wireguard+windows pc or android+bth app) ->(over back-to-home)->MIKROTIK(mangle against ip list + nat + ipsec)->VPS (ipsec libreswan)->Speedtest.net server (nearest to VPS).
ip list “XX” contains ~12000 records.
All devices have the same config with slight differences depending on ISP (dhcp or pppoe).
All VPS are same (ubuntu+libreswan 5.1), same cloud hoster, same datacenter.
All pings to the MikroTiks from “My client device” are the same.
All pings from the MikroTiks to the VPS are the same (30 msec).
During tests all devices reach 100% usage on one of 4 cores.
The only difference is the measured speed:
4011 can perform 170 mbit
ac2 can perform 70-80 mbit
ac3 can perform 80-90 mbit
three different ax2 top speed 60-62 mbit! lowest result!
all use same ipsec crypto (cbc(aes) + hmac(sha1)) + modp2048
I tried a local test with a separate AX2:
AX2 connected with ethernet into my local network:
“My client device” (windows pc wired with 1gbit)->AX2 eth2(mangle against ip list + nat + ipsec)->4011 eth2(nat, ISP 200mbit)->VPS (ipsec libreswan)->Speedtest.net server (nearest to VPS).
Same 62 mbit top speed, same top 100% cpu per 1 core (overall ping displayed by speedtest.net = 34 msec).
62 mbit with 100% CPU on 1 core is very disappointing for a new device with a new and fast CPU.
Both ac2 and ax2 have no wifi packages, nor any other packages except the routeros package.
I think there is something non-optimal with ROS7 + the arm64 CPU.
Both use the same ipsec crypto (cbc(aes) + hmac(sha1)) + modp2048 (modp1024 makes no difference).
Noticeable difference with the group of 4 “crypto” processes.
AC2 - any of the 4 “crypto” processes consumes less than 1.5% each
AX2 - 1 of the 4 “crypto” processes consumes 30-40% (both upload\download)
According to the IPsec hardware acceleration table, ax2 (ipq6010) is even better than ac2 (ipq 4018) for AES-CBC, AES-CTR, AES-GCM.
I am not sure, but my guess: ac2 has many “qca_crypto” processes and therefore HW acceleration as “qca” stands for Qualcomm. And on AX2 there are many “crypto” processes instead which may be a generic module and therefore working on CPU.
I’m also suffering from slow speeds using Wireguard on the hAP AC2.
It maxes out at 60-70Mbps. 23-28% CPU load.
If I send data over two tunnel links, then I get double - each has its 60-70Mbps. And the CPU load gets to 53-60%.
I read people used to see 150-200-300Mbps on AC2 with Wireguard. It’s a new setup for me with the latest 7.18.1 and I cannot compare it with previous ROS versions … wondering if I should downgrade to test it … not really into it, as it’s a LIVE system at a remote location …
The tests I’m making are between AC2, AX3, L009. The AX3 & L009 perform up to the wire limit speeds of the ISPs I’m using. The AC2 struggles, like it’s running the tunnel over a single core. The only way I can see the AC2 going above 60-70Mbps is to exchange traffic from both the AX3 and the L009.
Are there any settings that I can make to enable multi-core on the AC2?