It appears my Wireguard setup is much slower on the RB5009 than on the RB4011, achieving only 150 Mbps to the same endpoint. Has anyone else experienced this issue?
What speed did you achieve with the RB4011?
Did it have the same configuration and did it use the same ISP connection?
Can you share the Wireguard part of the config from both routers?
/interface/wireguard export
I’m interested in the findings (as I have the same behavior between an RB4011 and a hEX S).
Without seeing your config, it’s just noise…
Also, how are you testing the speed? iperf between endpoints or btest?
Have you tried to evaluate the performance of the WireGuard on RB5009 in the local network? You need to control variables to narrow down the potential factors that cause the performance bottleneck.
This configuration is the same on both routers—meticulously ported from export.
At this point, I suspect the difference is due to some interaction with the gigabit Ethernet adapter attached to the Thunderbolt dock of my M1 Mac; other machines on the same network show higher Wireguard throughput. Another difference is that my test machine is directly attached to the bridge, while most other machines use an intervening switch.
Perhaps an interrupt coalescing issue? The profile shows the CPU at around 40%, with a large percentage dedicated to “ethernet.”
Afaik, there is no IPSEC HW acceleration yet on the RB5009. Thus, Wireguard is done in software.
> Afaik, there is no IPSEC HW acceleration yet on the RB5009. Thus, Wireguard is done in software.
Currently not. But the RB5009 SoC supports crypto HW offload for IPSEC, Wireguard etc. MT support told me making it available in future ROS releases is to be expected.
Until this happens, the RB4011 is the better choice over RB5009 for high-bandwidth applications of IPSEC and VPNs like wireguard.
IMO, this should clearly be mentioned in the specs. For such use cases, this is a deal breaker.
Clearly not reading the release notes.
What’s new in 7.1rc3 (2021-Sep-08 13:29):
*) added IPSec hardware acceleration support for RB5009;
There is no hardware acceleration for Wireguard. That is always done in software.
IPsec has nothing to do with WireGuard.
Regarding RB5009 and WireGuard, RB5009 can do a little more than 150Mbps:
> Clearly not reading the release notes.
> What’s new in 7.1rc3 (2021-Sep-08 13:29):
> *) added IPSec hardware acceleration support for RB5009;
Good to hear I stand corrected for IPSEC and 7.1. Can’t wait to give it a new try.
My last tests happened on 7.0.5, and I missed the 7.1rc3 release notes, just checking the ones for the official 7.1 and 7.1.1 releases…
Having release notes for official releases listing all changes since the last official release would be appreciated.
Znevna’s Wireguard throughput measurements are what one would expect regarding the RB5009 CPU number-crunching power.
Wireguard is using the ChaCha20 cipher, for which no HW acceleration exists yet.
This does indeed look like an interaction with the cheap gigabit transceiver of a Thunderbolt hub. Using a better USB-C to GigE adapter seems to have solved the issue. Not sure why the cheap adapter is better on other Mikrotiks, though.
Did they by any chance reveal any info regarding hw offloading, ie if any of the architectures are able to support ARX vector operations (or similar like the AVX2 instruction set) that can assist ChaCha20 to offload the cpu in the same way as for AES?
For Wireguard, the implementation in software is so fast that nobody has bothered to build any hardware accelerators. There are some threads on it on the Netgate forums and a few other places. The CPU software implementation just gets faster as CPUs do, so I doubt anyone will ever make an accelerator for Wireguard, except maybe if the offshore VPNs start getting too slow (and adding more endpoints gets more expensive).
> This does indeed look like an interaction with the cheap gigabit transceiver of a Thunderbolt hub. Using a better USB-C to GigE adapter seems to have solved the issue. Not sure why the cheap adapter is better on other Mikrotiks, though.
Maybe it is because with slower MikroTiks it doesn’t exceed the capabilities of the Thunderbolt hub, so fewer frames are dropped.
Did you compare iperf retransmissions on the slower MikroTiks vs. the RB5009?
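One way to make that retransmission comparison objective is to run iperf3 with `-J` against the same endpoint through each router and compare the `end.sum_sent` figures. The script below is an added example, not something posted in this thread; the two JSON snippets are constructed sample runs (not measurements from the RB5009 or RB4011), and the 5x ratio threshold is an arbitrary assumption to flag a path that is clearly losing frames.

```python
import json

# Constructed iperf3 -J output trimmed to the fields this check reads.
# Sample values only, not measurements posted in the thread.
RB5009_RUN = json.dumps({"end": {
    "sum_sent":     {"bytes": 187_500_000, "bits_per_second": 150.0e6, "retransmits": 1842},
    "sum_received": {"bytes": 186_900_000, "bits_per_second": 149.5e6}}})
RB4011_RUN = json.dumps({"end": {
    "sum_sent":     {"bytes": 562_500_000, "bits_per_second": 450.0e6, "retransmits": 37},
    "sum_received": {"bytes": 562_100_000, "bits_per_second": 449.7e6}}})


def summarize(raw_json):
    """Throughput in Mbit/s and TCP retransmits per 100 MB sent for one iperf3 -J run."""
    data = json.loads(raw_json)
    if "error" in data:                      # iperf3 reports a failed run this way
        raise RuntimeError(f"iperf3 run failed: {data['error']}")
    sent, recv = data["end"]["sum_sent"], data["end"]["sum_received"]
    mb_sent = sent["bytes"] / 1e6
    return {
        "mbps_sent": round(sent["bits_per_second"] / 1e6, 1),
        "mbps_recv": round(recv["bits_per_second"] / 1e6, 1),
        "retransmits": sent["retransmits"],
        "retrans_per_100mb": round(sent["retransmits"] / mb_sent * 100, 1),
    }


def compare(label_a, raw_a, label_b, raw_b, ratio=5.0):
    """Flag the path whose loss rate is `ratio` times the other's (assumed threshold).
    Heavy retransmits on one path point at the link (NIC, hub, switch), not at
    WireGuard's crypto, which would show up as high CPU with few retransmits."""
    a, b = summarize(raw_a), summarize(raw_b)
    floor = 0.1                               # avoid dividing by a zero-loss run
    if a["retrans_per_100mb"] > ratio * max(b["retrans_per_100mb"], floor):
        verdict = f"{label_a} loses far more segments than {label_b}: suspect the link"
    elif b["retrans_per_100mb"] > ratio * max(a["retrans_per_100mb"], floor):
        verdict = f"{label_b} loses far more segments than {label_a}: suspect the link"
    else:
        verdict = "similar loss on both paths: look at CPU profile / crypto instead"
    return {label_a: a, label_b: b, "verdict": verdict}


if __name__ == "__main__":
    print(json.dumps(compare("RB5009", RB5009_RUN, "RB4011", RB4011_RUN), indent=2))
```

Feed it the real files from `iperf3 -c <endpoint> -J > run.json` on each router to see whether the slow path is also the lossy one.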
The numbers posted by @Znevna are quite impressive. Especially when compared to OpenVPN.
> For Wireguard, the implementation in software is so fast that nobody has bothered to build any hardware accelerators. There are some threads on it on the Netgate forums and a few other places. The CPU software implementation just gets faster as CPUs do, so I doubt anyone will ever make an accelerator for Wireguard, except maybe if the offshore VPNs start getting too slow (and adding more endpoints gets more expensive).
What is that observation based on? A single connection of your own or something you’ve read about?
What is important to me to get verified is whether a possible WG solution might be sufficient to hold multiple (>50) sessions for remote users who need secure access to the company’s infrastructure (i.e. “road warrior” VPN). The objective is to make an informed decision on whether it’s possible to replace an existing VPN solution that is both expensive and administratively demanding.
> What is important to me to get verified is whether a possible WG solution might be sufficient to hold multiple (>50) sessions for remote users who need secure access to the company’s infrastructure (i.e. “road warrior” VPN). The objective is to make an informed decision on whether it’s possible to replace an existing VPN solution that is both expensive and administratively demanding.
What will it cost you more than some time?
Maybe switch over some remote users case by case and monitor how it goes as more get added (esp. CPU usage).
It’s dead simple.
The only thing lacking from Mikrotik’s WG implementation is exactly this what you’re looking at: mass-setup and -deployment of users. It’s all manual for now.
I assume your current bandwidth is sufficient to serve all those users?
> It appears my Wireguard setup is much slower on the RB5009 than on the RB4011, achieving only 150 Mbps to the same endpoint. Has anyone else experienced this issue?
Using an RB5009 I reach over 700 Mbit over Wireguard.
> Also, how are you testing the speed? iperf between endpoints or btest?
VERY important remark… unless I missed it, I did not see a response to this question.
EDIT: got it. Switch was changed. And what is the new result?