Hi!
I’m struggling with setting up S2S VPN using Wireguard between RB4011 and wAP ac LTE6.
The tunnel works, wAP do use VPN as DefGW towards internat (no split tunnelling), BW is acceptable - around 20-30Mbps, but some websites load very long (like they load in 90% and wait loong time to get the last web elements). Some websites do not load at all. Few examples below:
Speedtest without VPN https://gifyu.com/image/SWNwb
Speedtest with VPN https://gifyu.com/image/SWNw2
Websites without VPN https://gifyu.com/image/SWNTe
Websites with VPN https://gifyu.com/image/SWNwS
I thought it’s MTU issue, so I lowered it on both VPN ends to 1420 - didn’t help, so I lowered it to 1300 - still no luck.
RB4011 connect via pppoe client, wAP ac LTE6 - via LTE
Tunnel is up and I can ping and reach RB4011 LAN from behinf wAP ac LTE6.
also whatismyipaddress shows RB4011 internet IP when checked from behind wAP ac LTE6.
Everything looks good, but not everything loads.
Attaching my both routers config where Wiregaurd interfaces WG_S2S_VPN are interesting (there are also WG_RA_VPN, which shouldn’t make problems and some NordVPN config - currently shutdown)
RB0411 config
[admin@RB4011.home] > export hide-sensitive
# jul/09/2023 08:14:55 by RouterOS 7.4.1
# software id = MQZK-Y2R6
#
# model = RB4011iGS+
# serial number = ...
/interface bridge
add admin-mac=48:8F:5A:2D:59:91 auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=13231 mtu=1420 name=WG_RA_VPN
add listen-port=13232 mtu=1420 name=WG_S2S_VPN
/interface vlan
add interface=bridge name=vlan10_Outside vlan-id=10
add interface=bridge name=vlan11_Inside vlan-id=11
add interface=bridge name=vlan12_Untrusted vlan-id=12
add interface=ether1 mtu=1492 name=vlan35 vlan-id=35
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan35 name=pppoe-out1 service-name=ISP user=Username
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no use-peer-dns=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=local use-responder-dns=no
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-192 hash-algorithm=sha256 name=NordVPN
add dh-group=modp2048 enc-algorithm=aes-192 name=NordVPN_Light
add dh-group=ecp256,ecp384,ecp521,modp8192,modp6144,modp4096,modp3072,modp2048 enc-algorithm=blowfish hash-algorithm=sha512 name=NordVPN_Secure
/ip ipsec peer
add address=pl134.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN_Light
add address=pl152.nordvpn.com exchange-mode=ike2 name=NordVPN_LowLoad profile=NordVPN_Light
add address=pl211.nordvpn.com exchange-mode=ike2 name=NordVPN_Close profile=NordVPN_Light
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-128-cbc name=NordVPN pfs-group=none
add enc-algorithms=aes-128-cbc name=NordVPN_Light pfs-group=none
add auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,camellia-256,aes-192-cbc,aes-192-ctr,aes-192-gcm,camellia-192,aes-128-cbc,aes-128-ctr,aes-128-gcm,camellia-128,blowfish,twofish name=NordVPN_Secure pfs-group=none
/ip pool
add name=dhcp ranges=192.168.1.21-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
set 1 name=serial1
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,rest-api
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge tagged=ether2 vlan-ids=10,11,12
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.13.2/32 comment="Dell 16" interface=WG_RA_VPN public-key="jEHZBavrtJUdjKIIP2Fr9xsd2mYdFLH3Jm6TZyoQlGk="
add allowed-address=0.0.0.0/0 endpoint-address=10.20.239.14 endpoint-port=13232 interface=WG_S2S_VPN public-key="zv9PwsLcfl/r0Rh0fSz1Y584J/mmDKxO2u+bUw5gXwA="
add allowed-address=192.168.13.3/32 comment="Samsung S23 Ultra" interface=WG_RA_VPN public-key="7YguNjIfwY1Zi8GLcMn5g246-vSP+T3QNMDlnimbryM="
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=192.168.1.0
add address=192.168.10.1/24 comment=defconf interface=vlan10_Outside network=192.168.10.0
add address=192.168.11.1/24 comment=defconf interface=vlan11_Inside network=192.168.11.0
add address=192.168.12.1/24 comment=defconf interface=vlan12_Untrusted network=192.168.12.0
add address=192.168.13.1/24 interface=WG_RA_VPN network=192.168.13.0
add address=192.168.14.1/24 interface=WG_S2S_VPN network=192.168.14.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.1.20 mac-address=00:50:56:A7:93:10
add address=192.168.1.22 mac-address=E2:EB:4B:73:B7:35
add address=192.168.1.29 mac-address=78:8B:2A:66:FF:DA server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 domain=home gateway=192.168.1.1 netmask=24 ntp-server=40.119.148.38
add address=192.168.10.0/24 dns-server=192.168.10.1 domain=home gateway=192.168.10.1 netmask=24 ntp-server=40.119.148.38
add address=192.168.11.0/24 dns-server=192.168.11.1 domain=home gateway=192.168.11.1 netmask=24 ntp-server=40.119.148.38
add address=192.168.12.0/24 dns-server=192.168.12.1 domain=home gateway=192.168.12.1 netmask=24 ntp-server=40.119.148.38
/ip dns
/ip firewall address-list
add address=192.168.1.0/24 list=local
/ip firewall filter
add action=accept chain=input comment="WireGuard RA VPN SRV" dst-port=13231 protocol=udp
add action=accept chain=input comment="WireGuard RA VPN SRV" dst-port=13233 protocol=udp
add action=accept chain=input comment="WireGuard S2S VPN" dst-port=13232 protocol=udp
add action=accept chain=input comment="DNS froim VPN" dst-port=53 in-interface=WG_RA_VPN protocol=udp src-address=192.168.0.0/16
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes src-address=!192.168.1.0/24
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=443 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.16 to-ports=443
add action=dst-nat chain=dstnat dst-port=444 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.16 to-ports=444
add action=dst-nat chain=dstnat dst-port=80 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.16 to-ports=80
add action=dst-nat chain=dstnat dst-port=81 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.16 to-ports=81
add action=dst-nat chain=dstnat dst-port=22 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.16 to-ports=22
add action=dst-nat chain=dstnat dst-port=21 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.16 to-ports=21
add action=dst-nat chain=dstnat dst-port=20 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.16 to-ports=20
/ip ipsec identity
add auth-method=eap certificate=NordVPN_CA disabled=yes eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN policy-template-group=NordVPN username=Username
add auth-method=eap certificate=NordVPN_CA disabled=yes eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN_Close policy-template-group=NordVPN username=Username
add auth-method=eap certificate=NordVPN_CA disabled=yes eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN_LowLoad policy-template-group=NordVPN username=Username
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN_Light src-address=0.0.0.0/0 template=yes
/ip route
add disabled=no dst-address=192.168.21.0/24 gateway=192.168.14.2 routing-table=main suppress-hw-offload=no
/ip service
set telnet address=192.168.1.0/24
set ftp address=192.168.1.0/24
set www address=192.168.1.0/24
set ssh address=192.168.1.0/24
set api address=192.168.1.0/24
set winbox address=192.168.1.0/24
set api-ssl address=192.168.1.0/24
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=RB4011.home
/system resource irq rps
set sfp-sfpplus1 disabled=no
/system scheduler
add interval=1m name=no-ip_script on-event="/system script run no-ip" policy=read,write,test start-date=jul/27/2022 start-time=10:07:44
/system script
add dont-require-permissions=no name=no-ip owner=admin policy=read,write,test source=":local ddnsuser \"Username\"\r\
\n:local ddnspass \"Pass\"\r\
\n:local ddnshost \"URL\"\r\
\n:local ddnsinterface \"pppoe-out1\"\r\
\n\r\
\n:global ddnslastip\r\
\n:global ddnsip [ /ip address get [find interface=\$ddnsinterface disabled=no] address ]\r\
\n\r\
\n:if ([ :typeof \$ddnslastip ] = nil ) do={:global ddnslastip 0.0.0.0/0 }\r\
\n:if ([ :typeof \$ddnsip ] = nil ) do={\r\
\n:log info (\"DDNS: No ip address present on \" . \$ddnsinterface . \", please check.\") } else={\r\
\n\r\
\n:if (\$ddnsip != \$ddnslastip) do={\r\
\n:log info \"DDNS: Sending UPDATE!\"\r\
\n/tool fetch url=\"http://dynupdate.no-ip.com/nic/update\?hostname=\$ddnshost&myip=\$ddnsip\" user=\$ddnsuser password=\$ddnspass keep-result=no;\r\
\n:delay 5s\r\
\n:global ddnslastip \$ddnsip } else={\r\
\n:log info \"DDNS: No change\" }\r\
\n}"
/tool graphing interface
add interface=pppoe-out1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@RB4011.home] >
wAP ac LTE6 config:
[admin@WAP_AC_LTE6] > export hide-sensitive
# 2023-07-09 08:13:03 by RouterOS 7.10.1
# software id = V6I3-6BQW
#
# model = RBwAPGR-5HacD2HnD
# serial number = ...
/interface bridge
add admin-mac=DC:2C:6E:D9:5F:80 auto-mac=no comment=defconf name=bridge
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band=1,3,5,7,20 network-mode=lte
/interface wireguard
add listen-port=13232 mtu=1420 name=WG_S2S_VPN
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk,wpa-eap,wpa2-eap supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk,wpa-eap,wpa2-eap mode=dynamic-keys name=WiFi_at_home supplicant-identity=MikroTik
add authentication-types=wpa2-psk group-ciphers=tkip,aes-ccm mode=dynamic-keys name=WiFi_at_WAP supplicant-identity="" unicast-ciphers=tkip,aes-ccm
add authentication-types=wpa2-psk mode=dynamic-keys name=WiFi_at_Samsung_S23_Ultra supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=poland distance=indoors frequency=2462 installation=indoor name=wlan_2,4GHz security-profile=\
WiFi_at_Samsung_S23_Ultra ssid="Samsung S23 Ultra" wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40mhz-XX country=poland disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge name=wlan_5Ghz security-profile=WiFi_at_Samsung_S23_Ultra ssid=Mikrotik wireless-protocol=802.11
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.21.10-192.168.21.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge interface=wlan_5Ghz
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
add interface=wlan_2,4GHz list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=79.191.1.141 endpoint-port=13232 interface=WG_S2S_VPN public-key="3sfG7/U6tyXidNrq3cPBeYJz3u5Bkhd4XEwJDndM5WI="
/ip address
add address=192.168.21.1/24 comment=defconf interface=bridge network=192.168.21.0
add address=192.168.14.2/24 interface=WG_S2S_VPN network=192.168.14.0
/ip dhcp-client
add interface=wlan_2,4GHz
# DHCP client can not run on slave or passthrough interface!
add interface=wlan_5Ghz
/ip dhcp-server network
add address=192.168.21.0/24 comment=defconf dns-server=8.8.8.8 gateway=192.168.21.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.21.1 comment=defconf name=wAP_ac_LTE6
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input dst-port=13232 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=192.168.10.0/24 gateway=192.168.14.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.14.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=79.191.1.141/32 gateway=lte1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=WAP_AC_LTE6
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
I’d appreciate any help - what I’m doing wrong