NEW FEATURE: Back to Home VPN

It's not about being able to reach the media (even DNS works fine). The question is about the performance of routing between the different IP ranges for large amounts of data like 4K streams.

I cannot say I've run performance benchmarks*. But I'd imagine you should be able to get 50Mb/s or more through the proxy connection, as I've seen in my limited test when proxied. And if it's running in "direct" mode (i.e. your router has a public IP), BTH has exactly the same overhead as regular WireGuard - and is limited by the internet speed/latency and router CPU.

But keep in mind, a 4K stream is still only 10-30Mb/s, so assuming WANs on both ends have 100Mb/s+ internet… you should be fine would be my guess. If you're doing MPEG/RTP/UDP streams, that would be more sensitive to the VPN's latency, but if your connection is via HLS (i.e. HTTP livestream RFC), which is pretty common, that is more friendly to a VPN like BTH/WG.

*I just ran Ookla's "Video" test on my phone when connected to BTH over LTE — via the MikroTik app — and it reported it can do 4K (2160p) over a proxied BTH connection. The router here has 1G symmetric fiber — but I forced it behind a double-NAT so BTH ran in proxy mode (took 1-2 minutes to switch between them FWIW). The phone running the app was using Verizon LTE only (no Wi-Fi). In some cases (fast, Ookla, speedof.me), using the BTH VPN was FASTER than using no VPN. Only in a long test in the nPerf app was using no VPN faster; with BTH it was about 50-70% of raw speed over the same 60s (using proxy mode gave pretty similar speeds in the nPerf app, although latency was 50-100ms higher with proxied BTH). This is a bit surprising — perhaps Verizon looks for speed tests and throttles — since BTH should not be faster than NO VPN running. Anyway, that was a curious finding…

Interesting, thanks!!

I believe, in the app, if you want JUST the LAN (which lets other network traffic go out Wi-Fi/LTE)… you can use the next to the connect, and "Edit" the allowed addresses to remove 0.0.0.0/0 and replace it with your LAN subnet(s). By default, all traffic goes through the BTH tunnel, & if you're using it just to stream, you may "save" bandwidth/CPU/etc. if you allow all other traffic to use the "real" Wi-Fi/LTE connection.

One more trick, at least for TCP traffic, is using an MSS adjustment mangle rule. I actually added one to BTH and it helped in the nPerf speedtest (after I posted) when using BTH. So something like this may help — although you'd want to know how to calculate your MTU/MSS in the rule below, so mainly for thought.

/ip firewall mangle
add action=change-mss chain=postrouting dst-address=192.168.216.0/24 log=yes new-mss=1358 protocol=tcp tcp-flags=syn tcp-mss=1359-65535

1358 is because the LTE side has a lower MTU, which is additive when using WG, which also has a lower MTU… So if you're using the BTH app over LTE, the rule may be helpful.
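As an added worked example (not code from the thread or from MikroTik), the following Python works through the MTU stacking described above: it subtracts the outer IP/UDP/WireGuard headers to get the tunnel MTU, subtracts the inner IP/TCP headers to get the MSS to clamp to, checks that a full-size segment really fits the outer link after encapsulation, and prints a RouterOS mangle rule in the same shape as the one posted. The carrier MTU of 1458 and the 192.168.216.0/24 subnet are constructed inputs; with that MTU the arithmetic lands on the 1358 used in the rule, but your carrier's value may differ and should be measured.

```python
# Added example (not from the thread): work out the TCP MSS clamp for a path
# where WireGuard/BTH runs on top of a link with a reduced MTU, and emit the
# matching RouterOS mangle rule. All MTU values below are constructed inputs;
# read the real value from your carrier or from /interface print.

IP_HDR = {4: 20, 6: 40}   # IPv4 header without options / fixed IPv6 header
UDP_HDR = 8
WG_HDR = 32               # WireGuard data message: 4 type + 4 receiver index + 8 counter + 16 Poly1305 tag
TCP_HDR = 20              # TCP header without options (the MSS option only rides in the SYN)

def wireguard_mtu(outer_mtu, outer_ip_version=4):
    """Largest inner IP packet that fits one outer UDP datagram after WireGuard encapsulation."""
    return outer_mtu - IP_HDR[outer_ip_version] - UDP_HDR - WG_HDR

def tcp_mss(mtu, inner_ip_version=4):
    """MSS that fills a packet of the given MTU exactly."""
    return mtu - IP_HDR[inner_ip_version] - TCP_HDR

def clamp_mss(outer_mtu, outer_ip_version=4, inner_ip_version=4):
    """MSS to advertise so a full segment, once tunnelled, still fits the outer link."""
    return tcp_mss(wireguard_mtu(outer_mtu, outer_ip_version), inner_ip_version)

def encapsulated_size(mss, inner_ip_version=4, outer_ip_version=4):
    """Size of the outer datagram carrying one full-MSS TCP segment.
    WireGuard pads plaintext to a multiple of 16 bytes but caps that padding at
    the tunnel MTU, so a segment sized for the tunnel MTU is not padded past it."""
    inner = mss + TCP_HDR + IP_HDR[inner_ip_version]
    return inner + WG_HDR + UDP_HDR + IP_HDR[outer_ip_version]

def fits(outer_mtu, mss, inner_ip_version=4, outer_ip_version=4):
    """True if a full-MSS segment survives encapsulation without fragmentation."""
    return encapsulated_size(mss, inner_ip_version, outer_ip_version) <= outer_mtu

def mangle_rule(dst_subnet, mss, chain="postrouting"):
    """RouterOS rule in the shape used above: rewrite the MSS option on SYNs
    heading to dst_subnet whenever the client advertised something larger."""
    return ("/ip firewall mangle add action=change-mss chain=%s dst-address=%s "
            "new-mss=%d protocol=tcp tcp-flags=syn tcp-mss=%d-65535"
            % (chain, dst_subnet, mss, mss + 1))

if __name__ == "__main__":
    LTE_MTU = 1458            # constructed example; many mobile carriers sit below 1500
    mss = clamp_mss(LTE_MTU)
    print("tunnel MTU:", wireguard_mtu(LTE_MTU), "clamped MSS:", mss,
          "fits:", fits(LTE_MTU, mss), "default 1460 fits:", fits(LTE_MTU, 1460))
    print(mangle_rule("192.168.216.0/24", mss))   # subnet taken from the rule above
    print("IPv6 inside an IPv4 outer:", clamp_mss(LTE_MTU, 4, 6))
```

The generated rule only touches SYN packets whose destination is in dst-address, so it changes the negotiated segment size for TCP flows into that subnet and nothing else; it does not alter any interface MTU, and UDP streams (the RTP case mentioned above) get no help from it because MSS is a TCP option.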

Interesting, as I wouldn't have thought of that, but since the router is in some sense a client here as well it kinda works.
Just wondering if monkeying with the MTU for one device connection will affect all the other clients connecting… most will probably be smartphones but could easily have Windows or Apple laptops/desktops in the mix.

I did, but checked today and the new supout didn't show; I must not have completed the add process properly.
Added it just now and it's visible in the conversation trail.

What can cause an error is that to join a second peer I have to block it in WinBox, then unlock it, and the connection just works. This operation also causes the previous peer to stop working - websites do not load, I cannot log in to the router.

@anav, did they get back to you? Been following your saga here for a while on what should be simple for someone as well-versed in WG.

Sounds like you have messed up the allowed-ips setting, defining subnets too large. For single hosts you should always use "/32".
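To show why an oversized allowed-ips entry breaks a previously working peer, here is an added Python example (not from the thread or from MikroTik). It models WireGuard's cryptokey routing: allowed-ips is both the inbound source filter and the outbound routing table, and outbound packets go to the peer with the longest matching prefix. The peer list is constructed for the example, with one phone peer wrongly given a /24; the checker reports which entries overlap and which peer a given address would actually leave through.

```python
import ipaddress

# Constructed peer list (not from the thread): a road-warrior WireGuard setup
# where one phone peer was given a /24 instead of the /32 it should have.
PEERS = {
    "phone-a": ["10.99.0.2/32"],
    "phone-b": ["10.99.0.0/24"],                     # too wide for a single host
    "site-b":  ["10.99.0.4/32", "192.168.50.0/24"],  # a site peer legitimately carries a LAN prefix
}

def parse_allowed(peers):
    """Flatten {peer: [cidr, ...]} into [(peer, ip_network), ...]."""
    return [(name, ipaddress.ip_network(c, strict=False))
            for name, cidrs in peers.items() for c in cidrs]

def find_overlaps(peers):
    """Pairs of allowed ranges on different peers that overlap. Overlap means
    some addresses are reachable only through the narrower entry while the
    wider peer silently takes everything else in the range."""
    nets = parse_allowed(peers)
    found = []
    for i, (a_name, a) in enumerate(nets):
        for b_name, b in nets[i + 1:]:
            if a_name != b_name and a.version == b.version and a.overlaps(b):
                found.append((a_name, str(a), b_name, str(b)))
    return found

def select_peer(peers, ip):
    """Which peer a packet to `ip` leaves through: longest-prefix match over
    allowed-ips, the rule WireGuard applies. None means no peer matches and
    the packet is dropped."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in parse_allowed(peers):
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[1].prefixlen:
                best = (name, net)
    return best[0] if best else None

if __name__ == "__main__":
    for o in find_overlaps(PEERS):
        print("overlap: %s %s <-> %s %s" % o)
    for ip in ("10.99.0.2", "10.99.0.3", "10.99.0.4", "192.168.50.7", "10.99.1.1"):
        print("%-14s -> %s" % (ip, select_peer(PEERS, ip)))
```

Run as-is, it flags phone-b's /24 against both /32 entries: traffic to 10.99.0.3 goes to phone-b even though no such host exists there, and any address in that /24 that is not covered by a narrower entry is captured by the wrong peer. Replacing the /24 with 10.99.0.3/32 makes find_overlaps return an empty list.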

You were right. It works properly now. Thx!

YES, the first response was they could not recreate it, so then I decided to use my main router for BTH (the 1009) and the same issue occurred. I added the new supout but they seem to have not looked at it, so no answer yet. I may repost a new bug report with the 1009 as the second supout seems to be ignored.

My MikroTik AX3 is behind a pfSense router with two WAN connections. The primary WAN has a public IP, while the failover WAN is behind CGNAT.

I want to configure the pfSense router so that when the primary WAN (with the public IP) is active, the MikroTik AX3 uses BTH (Bridge to Home) to establish a direct connection without relying on MikroTik’s cloud servers.

However, when the failover WAN (CGNAT) becomes active, I need the MikroTik to fall back to using MikroTik’s cloud servers.

What changes or configurations are required on the pfSense router to enable this behavior?

direct connection ~10ms
Relay connection ~ 150ms

At a high level, you should just need to look at "/interface/wireguard/print detail" and see what port is used by the BTH WG interface, & then port forward that in pfSense. If pfSense fails over, BTH should figure out the failover after ~1 minute (time may vary since it's tied to the DDNS update/resolve cache) & then use proxy mode when on the CGNAT WAN.

@Amm0 that was the very first thing I did before I submitted my previous post, without success :frowning:
I attempted a few things before coming here, but haven't had any luck so far.

What I’ve done so far:

  1. I checked IP > Cloud > BTH, and noted the port listed there; it's the same as in /interface/wireguard print.

  2. I created a port forwarding rule on the pfSense router to forward that port to the internal IP address of the AX3.

  3. I double-checked that the AX3 IP is correct and that the NAT rule is active. Just out of curiosity, I also have a port forward for WinBox and it's OK.

  4. Despite this, the AX3 still connects through MikroTik's relay servers for remote access.

Is there another way to force direct connection mode on the AX3 or on pfSense?

I don't know the internal logic. But there is not a way to "force" it AFAIK. @normis, perhaps you can explain how the detection works, since that part is still mysterious (well, undocumented)…

I'd check /ip/cloud for DDNS, i.e. does it show "router is behind a NAT"? That uses some port to test connectivity – that may be used by BTH too (but IDK for sure) to determine the proxy stuff. So I suspect if you use the sniffer to look for traffic to the MikroTik cloud (cloud.mikrotik.com and cloud2.mikrotik.com, or 159.148.172.0/24 + 159.148.147.0/24), you might be able to deduce what OTHER ports may need forwarding.

edit: the docs suggest /ip/cloud DDNS (which is indirectly used by BTH)

Sends encrypted packets to cloud2.mikrotik.com using UDP/15252 port

from
https://help.mikrotik.com/docs/spaces/ROS/pages/97779929/Cloud#Cloud-DDNS
… so perhaps open that port to cloud2.mikrotik.com

I'm not that good at using sniffer tools, but from the connections listed on pfSense, I saw some packets to udp/15252 and I have done the proper port forwarding… but still no luck :frowning:

You have raised a very good point. If you forward the BTH port on the pfSense to the MT router, MT should figure out that the relay server is not required. You should note that when you enable BTH, the router auto-generates an input chain rule for that port on the router, and that is the port that should be port forwarded on the pfSense. Don't see why other ports should be involved… I have posed the question to support, and hopefully will receive a response…

For some reason, I’ve reinstalled the application at home, and we noticed there is some sort of file sharing feature — however, it’s crashing a lot. Are you aware of this issue?