Hello,
I have recently replaced a Netgate 3100 (pfSense) with an RB5009, and today I got around to configuring WireGuard with the same functionality I had in pfSense, where I can selectively add clients to address lists to send their traffic over the VPN. However, the performance I am getting is dreadful. On my 500 Mbit connection I used to get around 350 Mbit on the pfSense, and the end-user experience when turning on the WireGuard VPN was not noticeable; with the config below I am getting 60–100 Mbit (both simple tests using fast.com), and upload speed is in the kbits. The tests are not scientific, but the difference is so noticeable that I couldn't use WireGuard connections like this. A quick Google search worryingly shows that my problems are not unique, but none of the threads I found come to any conclusion other than suggested tweaks to the MTU (which I tried).
Given that I am new to MikroTik, I would appreciate it if someone could validate my configuration and see whether I made any mistakes, before I conclude that the hardware just isn't up to my needs.
# 2024-10-06 16:05:04 by RouterOS 7.16
# software id = LQXZ-65AP
#
# model = RB5009UPr+S+
# serial number =
# Single bridge for the PoE/switch trunk. VLAN filtering is enabled and the
# bridge's own PVID is 10, so untagged frames handled by the bridge itself are
# treated as VLAN 10; per-VLAN port membership is declared under
# /interface bridge vlan.
/interface bridge
add comment="Switch Trunk for PoE devices" name="Bridge [Switch Trunk]" pvid=10 vlan-filtering=yes
# Physical ports. Only ether1-ether4 are in use; ether5-ether8 and the SFP+
# cage are administratively disabled, so an unused port cannot silently become
# an access path into the LAN.
/interface ethernet
# Routed LAN uplink; 192.168.10.2/24 lives here (see /ip address) and the
# other VLAN subnets are reached via 192.168.10.1 on this port (see /ip route).
set [ find default-name=ether1 ] name="ether1 [L3 MyNet LAN Gateway]"
# WAN side toward the SFR router (192.168.1.1).
set [ find default-name=ether2 ] name="ether2 [L3 Internet]"
# Tagged trunk to the downstream switch; bridged, VLANs 10/20/30/40.
set [ find default-name=ether3 ] name="ether3 [L2 Trunk sw-2-1]"
# PoE port for the Deco; bridged, untagged VLAN 10 only.
set [ find default-name=ether4 ] name="ether4 [L2 TPLink Deco PoE]"
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes
# WireGuard interface toward Mullvad. listen-port is the local UDP port; since
# the input chain accepts only established/related/untracked traffic and ICMP
# from non-LAN interfaces, this port is not reachable unsolicited from the
# WAN — the router is the initiator (the peer has a fixed endpoint). MTU 1420
# is the common WireGuard default for an IPv4 underlay.
/interface wireguard
add listen-port=13231 mtu=1420 name=mullvad-wireguard
# Interface lists referenced by the firewall and NAT rules: LAN is the only
# list allowed into the router's input chain, WAN drives the forward-chain
# "not DSTNATed" drop and the srcnat masquerade. Membership is assigned under
# /interface list member.
/interface list
add name=LAN
add name=WAN
# Untouched default wireless security profile; there is no wireless interface
# in this export, so this entry is inert.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# DHCP. The VLAN 20/30/40 servers are relay-fed: they bind to ether1 and answer
# requests forwarded by a relay agent at 192.168.x.1, i.e. the per-VLAN
# gateway, which is not this router (the router holds no address on those
# subnets). These three entries have no address-pool; the pool for each is
# resolved through /ip dhcp-server network (presumably from the leases) —
# NOTE(review): confirm, since no pool is listed for them.
/ip dhcp-server
add bootp-support=none interface="ether1 [L3 MyNet LAN Gateway]" name="DHCP VLAN20" relay=192.168.20.1
add bootp-support=none interface="ether1 [L3 MyNet LAN Gateway]" name="DHCP VLAN30" relay=192.168.30.1
add bootp-support=none interface="ether1 [L3 MyNet LAN Gateway]" name="DHCP VLAN40" relay=192.168.40.1
# VLAN 10 dynamic range (.21-.100).
/ip pool
add name="MyNet LAN Guest" ranges=192.168.10.21-192.168.10.100
# VLAN 10 is served directly on ether1 from the Guest pool. "Static" is
# authoritative after a 2 s delay; "Guest" is disabled and shares the same
# pool and interface, so presumably only one of the two is meant to be enabled
# at a time.
/ip dhcp-server
add address-pool="MyNet LAN Guest" authoritative=after-2sec-delay bootp-support=none interface="ether1 [L3 MyNet LAN Gateway]" name="DHCP VLAN10 Static"
add address-pool="MyNet LAN Guest" bootp-support=none disabled=yes interface="ether1 [L3 MyNet LAN Gateway]" name="DHCP VLAN10 Guest"
# Additional routing table (with its own FIB) that the mangle mark-routing rule
# sends VPN clients into. Its only route is the default via mullvad-wireguard
# (see /ip route).
/routing table
add disabled=no fib name=wireguard-route
# Bridge membership. Both ports carry VLAN 10 as their native (untagged) VLAN;
# which VLANs are tagged on ether3 is set under /interface bridge vlan.
/interface bridge port
add bridge="Bridge [Switch Trunk]" interface="ether3 [L2 Trunk sw-2-1]" pvid=10
add bridge="Bridge [Switch Trunk]" interface="ether4 [L2 TPLink Deco PoE]" pvid=10
# Connection tracking is required by every connection-state match and by the
# fasttrack rule in /ip firewall filter.
/ip firewall connection tracking
set enabled=yes
# IPv6 forwarding is off: clients cannot transit this router over IPv6, so the
# IPv4-only VPN policy cannot be bypassed over v6 through it. Nothing else
# IPv6-related appears in this export.
/ipv6 settings
set forward=no
# VLAN table for the bridge. VLAN 10 is the only VLAN reaching ether4
# (untagged, matching its pvid) and is tagged on the trunk and the bridge CPU
# port. VLANs 20/30/40 are tagged on the trunk and the CPU port only. The
# router has no IP address on VLANs 20/30/40; those subnets are routed via
# 192.168.10.1 on ether1 (see /ip route), so the CPU-port tagging for them is
# not used by any /ip address entry in this export.
/interface bridge vlan
add bridge="Bridge [Switch Trunk]" tagged="ether3 [L2 Trunk sw-2-1],Bridge [Switch Trunk]" untagged="ether4 [L2 TPLink Deco PoE]" vlan-ids=10
add bridge="Bridge [Switch Trunk]" tagged="Bridge [Switch Trunk],ether3 [L2 Trunk sw-2-1]" vlan-ids=20
add bridge="Bridge [Switch Trunk]" tagged="Bridge [Switch Trunk],ether3 [L2 Trunk sw-2-1]" vlan-ids=30
add bridge="Bridge [Switch Trunk]" tagged="Bridge [Switch Trunk],ether3 [L2 Trunk sw-2-1]" vlan-ids=40
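# Interface list membership. These lists drive the firewall: WAN is matched by
# the forward-chain "drop all from WAN not DSTNATed" rule and by the srcnat
# masquerade; LAN is the only list allowed to reach the router's input chain.
/interface list member
add interface="ether2 [L3 Internet]" list=WAN
add interface="ether1 [L3 MyNet LAN Gateway]" list=LAN
# Added: the WireGuard peer is configured with allowed-address=0.0.0.0/0, so
# WireGuard itself accepts any source address arriving inside the tunnel, and
# the forward chain has no final drop — a new connection coming in from an
# interface that is in neither list simply falls off the end of the chain and
# is accepted. Making the tunnel a WAN member closes that path (the "from WAN
# not DSTNATed" rule now applies to it). Side effect: the WAN masquerade rule
# also matches traffic leaving via the tunnel, which duplicates the dedicated
# "Mullvad NAT" masquerade harmlessly.
add interface=mullvad-wireguard list=WAN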
# Mullvad peer. allowed-address=0.0.0.0/0 is needed so a default route can
# point into the tunnel, but it also means WireGuard accepts any source address
# from this peer; the IP firewall, not WireGuard, must police traffic arriving
# on mullvad-wireguard. No persistent-keepalive is set: this router sits
# behind the SFR router (192.168.1.1), so the UDP mapping on that device may
# expire while the tunnel is idle and the next client packet then has to wait
# for a fresh handshake — NOTE(review): set persistent-keepalive if that
# latency matters.
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=193.32.129.86 endpoint-port=51820 interface=mullvad-wireguard name=mullvad-fr-par-wg-001 public-key="==key redacted=="
/ip address
# WAN side: this router is itself behind the ISP's SFR router (double NAT).
add address=192.168.1.2/24 comment="SFR Router" interface="ether2 [L3 Internet]" network=192.168.1.0
# LAN side. Note the router is .2; DHCP hands out .1 as the gateway, so client
# traffic reaches this router via the upstream L3 device at 192.168.10.1.
add address=192.168.10.2/24 comment="LAN Internet Gateway" interface="ether1 [L3 MyNet LAN Gateway]" network=192.168.10.0
# Mullvad-assigned tunnel address; no prefix length, i.e. a /32 host address
# with the network set to itself (point-to-point style).
add address=10.65.147.25 comment="Mullvad Interface" interface=mullvad-wireguard network=10.65.147.25
# Static leases removed from the export.
/ip dhcp-server lease
# Redacted
# DHCP options per subnet. Every subnet hands out this router (192.168.10.2)
# and 192.168.10.223 as DNS and this router as NTP, but the default gateway is
# the .1 of each subnet, which is not this router. The VPN selection in
# /ip firewall mangle matches on the client's source address, so it only works
# if the upstream .1 device forwards to 192.168.10.2 without NAT —
# NOTE(review): presumably the case, verify on that device.
/ip dhcp-server network
add address=192.168.10.0/24 dhcp-option=domain-search-list dns-server=192.168.10.2,192.168.10.223 domain=mydomain.com gateway=192.168.10.1 netmask=24 ntp-server=192.168.10.2
add address=192.168.20.0/24 dhcp-option=domain-search-list dns-server=192.168.10.2,192.168.10.223 domain=mydomain.com gateway=192.168.20.1 netmask=24 ntp-server=192.168.10.2
add address=192.168.30.0/24 dhcp-option=domain-search-list dns-server=192.168.10.2,192.168.10.223 domain=mydomain.com gateway=192.168.30.1 netmask=24 ntp-server=192.168.10.2
add address=192.168.40.0/24 dhcp-option=domain-search-list dns-server=192.168.10.2,192.168.10.223 domain=mydomain.com gateway=192.168.40.1 netmask=24 ntp-server=192.168.10.2
# The router acts as a DNS resolver (allow-remote-requests=yes) forwarding to
# the internal resolver 192.168.10.223. It is reachable only from the LAN list
# because the input chain drops everything else. Privacy note: queries that
# VPN clients send to this resolver are re-issued by the router itself
# (source 192.168.10.2, not in mullvad-clients), so they are routed via the
# main table, not through the tunnel — DNS for VPN clients does not follow the
# VPN unless 192.168.10.223 or the clients are handled separately.
# cache-max-ttl=4w2d lets entries live up to 30 days regardless of the
# upstream TTL.
/ip dns
set allow-remote-requests=yes cache-max-ttl=4w2d cache-size=32768KiB servers=192.168.10.223
# Block list fetched from GitHub over HTTPS, but with certificate verification
# disabled (ssl-verify=no): an on-path attacker could serve a substitute list
# and make this resolver return sinkholed answers for arbitrary names.
# NOTE(review): ssl-verify=yes requires the issuing root CA to be present in
# /certificate on the router, otherwise the fetch fails; import it, then
# enable verification.
/ip dns adlist
add ssl-verify=no url=https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
/ip firewall address-list
# All local client subnets. Not referenced by any rule in this export.
add address=192.168.10.0/24 list=Local-Networks
add address=192.168.20.0/24 list=Local-Networks
add address=192.168.30.0/24 list=Local-Networks
add address=192.168.40.0/24 list=Local-Networks
# Clients whose traffic is policy-routed into the Mullvad tunnel by the mangle
# rule. Both entries are disabled=yes in this export, so as exported the
# mangle rule matches nothing and no traffic uses the VPN; presumably they are
# toggled on when testing.
add address=192.168.10.51 comment="MacBook" disabled=yes list=mullvad-clients
add address=192.168.10.163-192.168.10.168 comment="Kubernetes Hosts" disabled=yes list=mullvad-clients
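/ip firewall filter
# --- input: traffic addressed to the router itself ---
# Fixed: this rule was action=accept while its comment says "Drop all
# multicast"; the action now matches the stated intent. If multicast to the
# router is actually wanted, change the comment rather than leaving the two
# contradicting each other.
add action=drop chain=input comment="Drop all multicast" dst-address-type=multicast
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
# ICMP to the router is accepted from every interface, WAN and tunnel
# included (the usual defconf choice for diagnostics/PMTU); it is not
# rate-limited.
add action=accept chain=input comment="defconf: accept ICMP (Destined to Firewall Interfaces)" in-interface-list=all protocol=icmp
# Final input rule: anything not from the LAN list is dropped and logged. This
# is what keeps the WireGuard listen port and the DNS resolver
# (allow-remote-requests=yes) unreachable from the WAN and from the tunnel.
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN log=yes log-prefix=drop-all-not-LAN
# --- forward: traffic through the router ---
# NOTE(review): fasttracked packets skip the mangle chain, so the mark-routing
# rule in /ip firewall mangle is only guaranteed to act before a connection is
# fasttracked. If flows from mullvad-clients are observed leaving via the WAN,
# exclude them from fasttrack by adding src-address-list=!mullvad-clients and
# dst-address-list=!mullvad-clients to this rule — TODO confirm on 7.16.
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid log=yes log-prefix=wan-invalid-drops
# Only new connections from the WAN list are dropped here. The chain has no
# final drop, so a new connection from any interface outside the WAN list
# falls off the end and is accepted — every untrusted interface, the WireGuard
# tunnel included, must therefore be a WAN member.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes
# Optional kill switch (disabled by being commented out): if the tunnel
# interface goes down, the wireguard-route default becomes inactive and VPN
# clients would presumably fall back to the main table, i.e. the plain WAN.
# Uncomment to drop them instead:
# add action=drop chain=forward comment="Mullvad kill switch" out-interface-list=WAN src-address-list=mullvad-clients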
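# Policy routing for the VPN: packets from mullvad-clients get a routing mark
# so their route lookup happens in wireguard-route (default via the tunnel).
# Fixed: the original rule marked every packet from those clients, including
# packets to local destinations. Since wireguard-route holds only a default
# route, anything not excluded here is sent into the tunnel — e.g. a VPN
# client talking to this router's own DNS/NTP at 192.168.10.2. The
# Local-Networks list already exists for exactly this exclusion and was unused.
# Note that 192.168.1.0/24 (the SFR router's subnet) is not in Local-Networks,
# so a VPN client reaching for that subnet is still tunneled; add it to the
# list if that is not intended.
/ip firewall mangle
add action=mark-routing chain=prerouting comment="Mullvad policy routing" dst-address-list=!Local-Networks new-routing-mark=wireguard-route passthrough=yes src-address-list=mullvad-clients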
/ip firewall nat
# Source NAT for everything leaving via the WAN list (toward the SFR router).
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Source NAT for traffic leaving through the tunnel, so it is sourced from the
# Mullvad-assigned 10.65.147.25 rather than a private LAN address.
add action=masquerade chain=srcnat comment="Mullvad NAT" out-interface=mullvad-wireguard
/ip route
# Main table. VLANs 20/30/40 are reached via the upstream L3 device at
# 192.168.10.1 on ether1; the router holds no address on those subnets. The
# three entries differ only in which default attributes the export listed
# (distance=1, scope=30, target-scope=10 are the static-route defaults).
add disabled=no dst-address=192.168.20.0/24 gateway=192.168.10.1 routing-table=main suppress-hw-offload=no
add disabled=no dst-address=192.168.30.0/24 gateway=192.168.10.1 routing-table=main suppress-hw-offload=no
# Default via the SFR router; hardware offload is explicitly suppressed for it.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main scope=30 suppress-hw-offload=yes target-scope=10
add disabled=no distance=1 dst-address=192.168.40.0/24 gateway=192.168.10.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
# Host route pinning the Mullvad endpoint to the main-table WAN gateway, so the
# tunnel's outer packets can never be looked up into the tunnel itself.
add disabled=no distance=1 dst-address=193.32.129.86/32 gateway=192.168.1.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
# wireguard-route table: a single default via the tunnel interface.
# check-gateway=none, so it stays active as long as the interface is running,
# whether or not the peer handshake succeeds. NOTE(review): if the interface
# itself goes down this route becomes inactive and marked traffic presumably
# falls back to the main table (plain WAN); if that is unacceptable, add a
# forward-chain drop for mullvad-clients leaving via the WAN list.
add check-gateway=none disabled=no distance=10 dst-address=0.0.0.0/0 gateway=mullvad-wireguard routing-table=wireguard-route scope=30 suppress-hw-offload=no target-scope=10
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=ro-2-1
# Debug-level DHCP logging is on; verbose, and the logs carry client
# identifiers (MAC/hostnames).
/system logging
add topics=debug,dhcp
/system note
set show-at-login=no
# Time sync: the router syncs from fr.pool.ntp.org and also serves NTP to the
# LAN (DHCP advertises 192.168.10.2 as the NTP server). use-local-clock=yes
# means it keeps serving its own clock even when upstream sync is lost. The
# input chain limits NTP clients to the LAN list.
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes use-local-clock=yes
/system ntp client servers
add address=fr.pool.ntp.org
# RoMON (MikroTik's layer-2 management discovery/transport) is enabled with no
# per-port restriction and no secret in this export. By default it runs on
# every port, including WAN-facing ether2 and the bridge, and because it is
# not IP it is not covered by /ip firewall filter at all. Restrict it to LAN
# ports under /tool romon port and configure a secret, or disable it if it is
# not used.
/tool romon
set enabled=yes
Thank you