Hey there guys!
I recently bought an RB5009UG+S+ and it works as expected, except for WireGuard throughput.
I have searched through multiple threads discussing this issue, but none of them gives a specific solution or explains what actually causes this kind of problem.
My current setup is as follows:
┌─────────────┐ ┌────────────┐
│ WAN │ │ France VPS │
│ Vodafone │ ┌►│ 1Gbps │
│1000/400 Mbps│ │ │ │
│ SFP+ GPON │ │ └────────────┘
└─────┬┬──────┘ │ ▲
▼▲ │ │
┌─────┴────┐ wireguard │ │
│ RB5009 ├───────────────────┘ │
└──────────┘ │
192.168.170.0/24 │
▼▲ │
┌──────┴──────┐ direct │
│ TEST HOST │◄─────────────────────────┘
└─────────────┘ iperf3 -P 20 -R ~941 Mbits
192.168.170.252
iperf3 -P 20 -R ~147 Mbits
Running iperf3 through the WireGuard tunnel (with the traffic masqueraded onto the tunnel) only gives ~147 Mbit/s, yet CPU usage is fairly low, ~35% across all cores, as the CPU profiler shows:

I have already tried changing the MTU, adjusting the CPU clock and disabling fasttrack, with no improvement. Given the available CPU headroom, I would expect much higher throughput in this scenario. Does anyone have tips or hints on what might be wrong?
# 2024-09-21 00:15:40 by RouterOS 7.15.3
# software id = REDACTED
#
# model = RB5009UG+S+
# serial number = REDACTED
/interface bridge
# Single LAN bridge (192.168.170.0/24). IGMP snooping is on so the IPTV multicast
# forwarded by igmp-proxy is only flooded to ports that asked for it.
add comment=defconf igmp-snooping=yes name=bridge
/interface ethernet
# GPON SFP+ module: forced to 2.5G, auto-negotiation off.
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no speed=2.5G-baseX
/interface wireguard
# back-to-home-vpn is the interface provisioned by /ip cloud; vps_fr is the hand-made
# tunnel to the France VPS. No private-key appears here — presumably a hide-sensitive
# export. MTU 1420 leaves 80 bytes for the WireGuard/UDP/IPv4 overhead on a 1500 MTU WAN.
add comment=back-to-home-vpn listen-port=31957 mtu=1420 name=back-to-home-vpn
add comment=vps_fr listen-port=13231 mtu=1420 name=vps_fr
/interface vlan
# The ISP delivers Internet on VLAN 100 and IPTV on VLAN 105 over the same SFP+ port.
add interface=sfp-sfpplus1 name=sfp-iptv vlan-id=105
add interface=sfp-sfpplus1 name=sfp-wan vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.170.10-192.168.170.220
# Addresses handed to PPP (L2TP/IPsec) clients through the profile below.
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/ppp profile
# *FFFFFFFE is one of the built-in PPP profiles. NOTE(review): the L2TP server
# does not set default-profile explicitly, so confirm that this is the profile
# L2TP clients actually land on.
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/user-manager user
# Router login account served by the on-box User Manager (see /user aaa use-radius=yes).
# Mikrotik-Group:write maps the login to the "write" group, not "full"; the password
# is not part of the export.
add attributes=Mikrotik-Group:write comment=Admin name=REDACTED
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
# The SFP+ port carries the WAN/IPTV VLANs and must stay out of the LAN bridge.
add bridge=bridge comment=defconf disabled=yes interface=sfp-sfpplus1
# ether1 (the usual management/WAN port on defconf) is bridged into the LAN here.
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
# MNDP/CDP/LLDP only on LAN-facing interfaces.
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=WAN
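/interface l2tp-server server
# Internet-facing L2TP server. use-ipsec=yes only makes IPsec optional: a client
# that skips IKE still gets a plaintext L2TP/PPP session. 'required' refuses
# those. Revert to yes only if some client genuinely cannot do IPsec, accepting
# that its PPP credentials and traffic then cross the Internet unencrypted.
# The ipsec-secret is not shown in this export.
set enabled=yes use-ipsec=required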
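/interface list member
add comment=defconf interface=bridge list=LAN
add interface=sfp-iptv list=WAN
add interface=sfp-sfpplus1 list=WAN
# Interface-list membership is not inherited by VLAN children. The Internet VLAN
# sfp-wan (the interface that is masqueraded out of) was missing from WAN, so
# in-interface-list=WAN matchers in the firewall did not see packets arriving on it.
add interface=sfp-wan list=WAN
# vps_fr and back-to-home-vpn remain in neither list: the input chain's "!LAN" drop
# still covers them, but no forward rule restricts what they can open towards the LAN.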
/interface wireguard peers
# Cryptokey routing: only 10.255.255.0/24 is accepted from / sent to the VPS.
# This side dials out (endpoint set) and the 25s keepalive keeps the UDP mapping
# alive. The input chain has no accept for udp/13231, so the tunnel depends on
# the conntrack entry created by this router's own outbound packets.
add allowed-address=10.255.255.0/24 endpoint-address=x.x.x.x \
endpoint-port=51820 interface=vps_fr name=vps_fr_peer \
persistent-keepalive=25s public-key=\
"REDACTED"
/ip address
add address=192.168.170.254/24 comment=defconf interface=bridge network=\
192.168.170.0
# Tunnel address towards the VPS; this is the source LAN traffic is masqueraded to.
add address=10.255.255.253/24 comment=vps_fr_ip interface=vps_fr network=\
10.255.255.0
/ip cloud
# DDNS plus the MikroTik-managed back-to-home WireGuard interface.
set back-to-home-vpn=enabled ddns-enabled=yes
/ip dhcp-client
# Three DHCP clients: untagged SFP+ (defconf leftover?), the IPTV VLAN (distance
# 210, so its default route only wins if VLAN 100 loses its lease) and the
# Internet VLAN. NOTE(review): should the untagged client ever get a lease, its
# default route (distance 1) competes with sfp-wan's, and only sfp-wan is
# masqueraded — confirm the untagged client is still needed.
add comment=defconf interface=sfp-sfpplus1
add add-default-route=special-classless default-route-distance=210 interface=\
sfp-iptv use-peer-dns=no use-peer-ntp=no
add interface=sfp-wan
/ip dhcp-server network
add address=192.168.170.0/24 comment=defconf dns-server=192.168.170.254 \
gateway=192.168.170.254
/ip dns
# The router is the LAN resolver. Remote requests are allowed on every interface;
# the input chain's "drop all not coming from LAN" is what keeps it off the Internet.
set allow-remote-requests=yes
/ip dns static
add address=192.168.170.254 comment=defconf name=router.lan
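/ip firewall filter
# ---- input chain: traffic addressed to the router itself ----
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# IKE and NAT-T for the L2TP/IPsec server, reachable from any interface.
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
# L2TP must arrive inside the IPsec SA. Without the ipsec-policy matcher this rule
# also admitted plaintext L2TP from the Internet.
add action=accept chain=input comment="allow l2tp (IPsec only)" dst-port=1701 ipsec-policy=in,ipsec protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# IGMP from the IPTV upstream. Moved ahead of the terminal "!LAN" drop: in the
# original order it sat after that drop and could never be reached. The empty
# connection-state="" / dst-address-list="" matchers were no-ops and are gone.
add action=accept chain=input comment="iptv: Accept IGMP" dst-address=224.0.0.0/4 in-interface=sfp-iptv protocol=igmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# ---- forward chain: routed traffic ----
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Multicast from the IPTV upstream, likewise moved ahead of the WAN drop that
# previously shadowed it (sfp-iptv is in the WAN list, and a new multicast flow is
# not dstnat). The original all-states matcher only excluded invalid, which is
# already dropped above.
add action=accept chain=forward comment="iptv: Accept and forward udp multicast iptv traffic" dst-address=224.0.0.0/4 in-interface=sfp-iptv protocol=udp
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# vps_fr is in neither interface list, so nothing above stopped the VPS from opening
# connections into 192.168.170.0/24. LAN -> VPS and its replies are unaffected.
# Drop this rule (or add explicit accepts in front of it) if the VPS must reach LAN hosts.
add action=drop chain=forward comment="vps_fr: drop new connections initiated by the VPS" connection-state=new in-interface=vps_fr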
/ip firewall nat
# NOTE(review): no out-interface on this rule, so L2TP client traffic is also
# masqueraded towards the LAN (LAN hosts see 192.168.170.254, not the client's
# 192.168.89.x). Confirm that is intended.
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
# Internet egress on the VLAN 100 interface (dst-address=0.0.0.0/0 is a no-op matcher).
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 out-interface=\
sfp-wan
# LAN -> VPS: source becomes 10.255.255.253, so the VPS needs no route back to
# 192.168.170.0/24. This is the path the 147 Mbit/s iperf3 run takes.
add action=masquerade chain=srcnat comment="masquerade vps_fr" \
out-interface=vps_fr
/ip service
# Plaintext management services are off. Services not listed keep their defaults;
# the input chain's "!LAN" drop is what keeps them off the Internet, no per-service
# address restriction is set.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
/ipv6 firewall address-list
# Stock RouterOS bogon list used by the forward chain below.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Unmodified defconf IPv6 firewall. No IPv6 addresses or DHCPv6 client appear in
# this export, so these rules may currently see no traffic at all.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
# IKE/AH/ESP accepted from anywhere on IPv6 as well, mirroring the IPv4 input chain.
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Same caveat as IPv4: the WireGuard interfaces are in neither list, so this
# "!LAN" drop is what stops them here; sfp-wan is not in WAN either.
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/ppp secret
# Presumably the L2TP login; the password is not part of the export.
add name=vpn
/radius
# RADIUS client for router logins, pointing at the on-box User Manager. The shared
# secret is not shown in the export.
add address=127.0.0.1 comment=Radius service=login
/radius incoming
# Accept RADIUS CoA / Disconnect-Request messages (default udp/3799). Only LAN can
# reach this because of the input chain; the request still needs the shared secret.
set accept=yes
/routing igmp-proxy
set query-interval=30s quick-leave=yes
/routing igmp-proxy interface
# Downstream: LAN bridge. Upstream: IPTV VLAN; alternative-subnets lists the source
# ranges the ISP's multicast streams and queries may come from.
add interface=bridge
add alternative-subnets=10.2.0.0/18,224.0.0.0/4,10.56.192.0/19 interface=\
sfp-iptv upstream=yes
/system clock
set time-zone-name=Europe/Lisbon
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.windows.com
/tool bandwidth-server
# Bandwidth-test server is disabled (not a listener to worry about).
set authenticate=no enabled=no
/tool mac-server
# MAC-telnet and MAC-winbox restricted to LAN-side interfaces.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/user aaa
# Router logins are checked against RADIUS (the local User Manager). NOTE(review):
# confirm what happens to local /user accounts when RADIUS is unreachable, so a
# User Manager fault cannot lock you out.
set use-radius=yes
/user-manager
set enabled=yes
/user-manager router
# The router registers itself as the (only) RADIUS client of User Manager; the
# shared secret is not in the export.
add address=127.0.0.1 name=self-router
Thank you in advance!