HAP AX3 slow upload as ipsec l2tp client

Hello Dear Friends.
I use 760igs as internet (200\200 mbit, pppoe, mtu 1492) fiber router (7.10.1), and its speed as ipsec client (mtu, mru 1400) using mangle - mark routing was approx 90\80 mbit download and upload.

Seems this mode (using mangle - mark routing) requires a strong cpu, so I tested HAP AC3 (7.10.1) connected as a dhcp client after 760igs, and it turned out to be faster: 150\125 mbit download\upload as ipsec client (mtu, mru 1400) to the same vps ipsec.

So I bought HAP AX3. Made update 7.10.1.
The main goal is to set up HAP AX3 instead of 760igs.
But I faced a big failure.
AX3 connected as a dhcp client after 760igs, as ipsec client produces 175 mbit download, but only 70-95 mbit upload.
max cpu usage ~25-30% for download, ~10% for upload.
(With no ipsec speed test = 200\200)

Config extremely simple, attached.
ax3_.rsc (7.67 KB)
Tried to netinstall 7.10.1, same result.

Hap ac3 - arm. hap ax3 is arm64.
Please Help.
Truly yours,
–Alex

Did you try wireguard vice ipsec?
Why are you mangling?
Why are you using fasttrack since you are mangling?

Check test results page for AX3 and see which combination they use there for IPSEC testing.
Not all combos are possible (yet?) for HW offload on IPQ-6010.

At least you will then have the same base to compare.

PS and wireguard is faster than IPSEC :laughing:

Hello Dear Anav,
Thank you for helping.

Tried wireguard on all devices: 760igs, 750gr3, ac3, ax3.
All produce low upload.
Ax3 wireguard produces 180 download, 60 upload.
Ac3 wireguard produces 160 download, 90 upload.
760igs and 750gr3 = 90 download, 40 upload.

I use mangle as I need to compare with ip address list.

Normally I switch off the fasttrack rule.
In this config I disabled all firewall rules.
And it is default, but disabled in config attached as well.

Thank you.

Dear Holvoetn,
Wireguard is faster indeed, but I'm unable to configure it properly to have good upload.
My test results in previous, see reply to Anav.

I think tests by Mikrotik are without mangle mark routing.
I pay attention to hw acceleration, so sha256 and aes-256-cbc were chosen with care and tests, and these are mentioned as hw accelerated for all devices mentioned.

Thank you for your help.

I use mangle as I need to compare with ip address list.
That tells me nothing concrete.
There is nothing in your config that does any comparing!!!

What are the traffic flow requirements for wireguard?

a. do you have external users coming in?
OR
b. do you have only some users that need to go to the internet at the other end?
c. do you have users that need to reach devices at the other end?

++++++++++++++++++++++++++++++++++++++++++++++++++++

If I had to guess you are pushing all users on your single subnet out internet at a different device… The different device is a VPS (server in the cloud).
Looking at the other thread.
RB760iGS connected to Internet thru pppoe, 100\100 mbit, mtu=1492.
Vps connected to internet 200\200 mbit.

This tells me the fastest one should expect is around 95 up or down, which is the limit of the throughput on the home pppoe connection???
That is for non-encrypted traffic; expect losses when using VPNs. Yes.

++++++++++++++++++++++++++++++++++++++++++++++++++++

As for your setup, you dont need mangling,

(1) Remove current mangling.

(2) Keep
/routing table
add disabled=no fib name=g_wg

(3) Keep
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=g_wg

(4) ADD Routing Rule
/routing rule add src-address=192.168.0.0/24 action=lookup table=g_wg

Try that and see what the speeds are.
++++++++++++++++++++++++++++++++++++++

Then add this as a mangle rule just to see if it makes any difference (keep all mtu's as default)
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn

+++++++++++++++++++++++++++++++++++++


As for source NAT, remove the second rule (orange), it's a duplicate of the first one!
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard1

The question for me was whether you need the one for wireguard. The answer is you can probably do what you need to do at the VPS without it, but
yes, no harm no foul, it simplifies the work required at the VPS end.

Dear Anav,

1) Explanations:
Both the remote vps with vpn (ipsec and wireguard) and 760igs have got 200\200 (I extended the ISP plan for 760igs just recently and decided to speed up ipsec).
Speedtests with no ipsec = 200\200.
I have no users, it's just a home internet router.
So my home router is the only user of the remote vps\vpn.
I’m doing the speedTest using single pc (1gbit wired), with no extra users.

Why I need to use mangle: unfortunately, the home router is installed in a country that does internet restrictions (a great pity), so I need to use:
-local country internet directly,
-foreign internet thru self made vps with ipsec and wireguard (ubuntu + libreswan + wireguard).

If I add the ip list, speeds are the same, it's true.
But.
I do tests without ip lists, so the config attached is 100% real, please believe me.
I only add ip lists in the end, and it does not impact performance.
But just an extra 10k of ip in the config will make it hard to read.

To tell the truth, I could be pretty satisfied with hap ac3, which I tested recently.
The only problem - it was a mistake buying hap ax3, as it's slower for upload for some reason, and it's got no old-school single capsman for my house access points: wap 2.4 mode (ground floor) + wap ac (5 mode) 1st floor + wap ac (5 mode) 3rd floor.

It's a great pity #2, since I have used capsman for many years and am almost happy with reswitching while moving up and downstairs.

2) I will perform your directions and I will be back with performance results a bit later.


Sincerely yours,
Thanks again.

You know what you need best; my point is that for a single subnet, there is no need to decrease throughput due to mangling, or at least negate the faster processing due to enabling fasttrack.
Good plan to equalize the speed of internet connection to the same capacity as your VPS.

I still don't get why you need to mangle. There is nothing about mangling that is hiding anything from your local country???
It has no security advantage that I am aware of??

Dear Anav,
Mangling gives me an option to compare the destination ip address with a local country ip list.
-If the ip is local - do nothing, go directly, main table, pppoe.
-If the ip is !local - do mark routing "g_ipsec" for further routing thru the remote vps with ipsec\wireguard.
It's just impossible to access directly netflix, instagram, linkedin and hundreds of other sites that I love.
And vice versa - it's just impossible to access some local sites if you go thru a foreign vpn.

I think it might be easy to divide local ip addresses to go directly or to go thru vpn, but it is not convenient :slight_smile:)

Anav, thank you for your patience for such users as me.
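Added example (not Alex's attached config and not Anav's rules): the address-list selection Alex describes, written as mangle connection and routing marks, with the fasttrack rule restricted so that it never swallows VPN-bound connections (fasttracked packets bypass mangle, which is the interaction Anav raised). The list name local_country, the table g_vpn, the mark vpn_conn, the 192.0.2.0/24 sample range and wireguard1 as the tunnel interface are assumptions.

```routeros
# Added example, not the thread's own config. Assumes LAN 192.168.0.0/24,
# WireGuard interface wireguard1, and that the imported country CIDRs land in
# address list "local_country" (the 192.0.2.0/24 entry is a constructed placeholder).

/ip firewall address-list
add list=local_country address=192.0.2.0/24 comment="constructed placeholder; replace with country CIDRs"
# treat the home subnet as local so LAN-to-LAN traffic never picks the tunnel
add list=local_country address=192.168.0.0/24 comment="home LAN"

/routing table
add name=g_vpn fib disabled=no

/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=g_vpn

/ip firewall mangle
# first packet of a LAN connection to a non-local destination gets a connection
# mark; later packets reuse the mark instead of re-checking the large list
add chain=prerouting src-address=192.168.0.0/24 dst-address-list=!local_country \
    connection-state=new action=mark-connection new-connection-mark=vpn_conn passthrough=yes
# only LAN-originated packets of marked connections get the routing mark; reply
# packets arriving from wireguard1 must stay in the main table to reach the LAN
add chain=prerouting src-address=192.168.0.0/24 connection-mark=vpn_conn \
    action=mark-routing new-routing-mark=g_vpn passthrough=no

/ip firewall filter
# fasttracked packets skip mangle, so only unmarked (direct, local-country)
# connections may be fasttracked; VPN-bound ones stay on the path where mark-routing runs
add chain=forward action=fasttrack-connection connection-state=established,related \
    connection-mark=no-mark comment="fasttrack only direct local-country traffic"
add chain=forward action=accept connection-state=established,related
```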

No worries, the requirement is very well explained, thank you, and interesting. Challenges are fun!

How do you know if a dest IP is local or foreign? Do you simply use whitelists etc.? How often do you update them??
Seems like a daunting task for an individual to take on.

Dear Anav,
I use this:
http://blog.erben.sk/2014/02/06/country-cidr-ip-ranges/
There are some scripts like:
/tool fetch url=http://www.iwik.org/ipcountry/mikrotik/??
import file-name=??

It can be a schedule.
I do update rarely, because error is not critical (just a route choice).

Thanks for patience.



Dear holvoetn !
Dear anav !
Thank you for your help!

I sold new ax3, bought used 4011, moved ipsec vps to another cluster (ping now 21 ms, was 35 ms) and now I’m almost happy.
Speed test 185 mbit (measure at pppoe interface >200) download, 160-175 mbit upload.
4011 still has got capsman interface for my 3 waps…

Seems now it's time to close this thread.

And to open another one to resolve low upload with ac3 :slight_smile:)