Poor WireGuard performance on RB5009

Hello everyone,

I have the following setup:


  • RB5009UPr+S+ running v7.11
  • 1000mbps Fiber Internet connection via GPON in SFP+ port (2.5Gbps, 1500 MTU)
  • WireGuard server (1420 MTU)
  • WireGuard clients (mobile phone and a laptop)

I have no problems reaching ~950mbps speeds when accessing Internet directly from behind the router. However, it seems that when connecting from other devices via WireGuard, the speed drops significantly:


  • LTE connection - ~300mbps, LTE via WireGuard tunnel - ~30mbps
  • 5G connection - ~1200mbps, 5G via WireGuard tunnel - ~120mbps.

I read a lot of other posts on the forums - I’m aware CPU might be a limiting factor when talking about WireGuard. However, I don’t think that’s the case as the CPU usage when performing the tests never exceeds 20%. I also read http://forum.mikrotik.com/t/rb5009-wireguard-only-150-mbps/155060/1 where it’s visible that RB5009 can achieve 900Mbps via WireGuard.

Can it be somehow related to the GPON I’m using? MTUs? Maybe something on the Firewall side?

Would appreciate any help. If any additional details are needed, let me know.

Can you post as much of your config as you can? Use the export command and remove any irrelevant parts.

Make sure you create a rule that removes any fasttracking from the routes to and from your WG interface. WG, because of the enc/dec, needs to be CPU only; fasttrack, L3HW offload etc. do not help and will only interfere with its operation. Also try setting your MTU to 1350 (on both the MikroTik and the “client” device); mobile providers hardly ever give you a 1500 MTU and in many cases seem to be around 1440 MTU, which means you need to be even lower than that for the encapsulation.
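As an added example of what that reply describes (this is not config posted by anyone in the thread), the following RouterOS commands take the OP's interface names, put both WireGuard interfaces in an interface list, keep the existing defconf fasttrack rule from ever matching tunnel traffic in either direction, lower the tunnel MTU to 1350, and clamp TCP MSS so TCP sessions through the tunnel do not depend on PMTUD working across the mobile path. The list name `WG` and the MSS value are assumptions; the MSS is simply 1350 minus 20 bytes IPv4 header minus 20 bytes TCP header.

```routeros
# Added example, not from any post in this thread.
# Interface names come from the OP's export; the list name "WG" is assumed.

/interface wireguard
set [ find name=wireguard1-roadwarrior ] mtu=1350
set [ find name=wireguard2-site ] mtu=1350

/interface list
add name=WG
/interface list member
add interface=wireguard1-roadwarrior list=WG
add interface=wireguard2-site list=WG

/ip firewall filter
# A connection is fasttracked for both directions as soon as any one of its
# packets hits the rule, so exclude the tunnel as both in- and out-interface.
# Rewriting the existing defconf rule keeps its position in the chain.
set [ find comment="defconf: fasttrack" ] \
    in-interface-list=!WG out-interface-list=!WG

/ip firewall mangle
# 1350 (tunnel MTU) - 20 (IPv4) - 20 (TCP) = 1310. Only touch SYNs that
# advertise something larger, in both directions through the tunnel.
add action=change-mss chain=forward comment="WG: clamp MSS (to tunnel)" \
    new-mss=1310 out-interface-list=WG protocol=tcp tcp-flags=syn \
    tcp-mss=1311-65535
add action=change-mss chain=forward comment="WG: clamp MSS (from tunnel)" \
    new-mss=1310 in-interface-list=WG protocol=tcp tcp-flags=syn \
    tcp-mss=1311-65535
```

The client side of each tunnel must be set to MTU 1350 as well, since the peer picks its own value. To check the result, ping a peer's tunnel address with `/tool ping 10.10.10.10 size=1350 do-not-fragment` from the router; a 1350-byte packet should pass unfragmented while a larger one should not, and `/ip firewall connection print where fasttrack` should show no entries for connections that traverse the tunnel.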

I can confirm the 1350 MTU. I had weird issues where internet speeds were good for me but SMB traffic was super slow; dropping the MTU to 1350 fixed it.

Hope the following helps:


/interface bridge
add frame-types=admit-only-vlan-tagged ingress-filtering=no name=bridge-local \
    vlan-filtering=yes

/interface ethernet
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no name=\
    sfp-sfpplus1-wan speed=2.5Gbps
    
/interface wireguard
add listen-port=12231 mtu=1420 name=wireguard1-roadwarrior
add listen-port=12230 mtu=1420 name=wireguard2-site

/interface vlan
add interface=sfp-sfpplus1-wan name=vlan5-management vlan-id=53
add interface=sfp-sfpplus1-wan name=vlan6-iptv vlan-id=63
add interface=sfp-sfpplus1-wan name=vlan30-internet vlan-id=33

/ipv6 settings
set disable-ipv6=yes

/interface list member
add interface=bridge-local list=LAN
add interface=wireguard1-roadwarrior list=LAN
add interface=sfp-sfpplus1-wan list=WAN
add interface=wireguard2-site list=LAN

/interface wireguard peers
add allowed-address=10.10.10.10/32 interface=\
    wireguard1-roadwarrior persistent-keepalive=25s public-key=\
    "KEY"
    
/ip dhcp-client
add interface=vlan30-internet use-peer-dns=no

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=12231 \
    protocol=udp
add action=accept chain=input \
    dst-port=12230 log=yes protocol=udp src-address=PEER_IP
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN



Not sure if that’s the same, but I tried completely disabling the ;;; defconf: fasttrack rule, and it didn’t make any difference.


Tried doing that directly on the WireGuard interface and the client, as well as changing it via a mangle rule. Unfortunately, no difference.

Too much missing info…

In general, require only one bridge, add all vlans to the bridge. Remove frame types from bridge, and use them where applicable on bridge ports…
Only one wireguard interface is required…
Understand you wish to separate remote users from another wireguard site… we will use separate IP addresses LOL
Keepalive is not used for peers on the Server Router; it is to be used in the peer settings of the client device… to keep connecting to the MT SERVER.
Where is the config for the other peer router for wireguard???

What is the purpose of sfp-sfpplus1? To connect to the ISP… for the internet connection and for IPTV, I presume.
Internet vlan30 will terminate at IP DHCP client or at pppoe client whichever is applicable.
IPTV should require some IGMP and multicast???

VLAN5 as management is fine, but you need to add one for the LOCAL LAN, let's say VLAN10.
You are missing /interface bridge ports and /interface bridge vlan settings???

Also, input chain… a source address is okay for the wireguard rule, BUT ONLY if it's a static PUBLIC IP that will not change.