Wireguard slow between LAN hosts but fast when testing speed between routers.

Basically it’s the title problem. I’ve already tried changing the MTU in the mangle and in the Wireguard interface, but nothing helped.

Testing from one Mikrotik to another using the IPs of the Wireguard interfaces is around 150Mbps, but when I try to copy a file, for example, it is around 3 to 5 Mbps.

A blind shot as you haven’t posted the configurations: you may be using mangle rules to choose traffic that has to go via Wireguard and haven’t prevented that traffic from hitting the action=fasttrack rule in filter.

If it’s not this, post the configuration exports from both routers - check the other topics on suggestions how to properly obfuscate the exports before posting them.

/export file=anynameyouwish ( minus router serial number, any public wanip information, keys, etc. )

Let me know if I did this right.

Site A

/interface bridge
add name=bridge-lan
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-wan user=
user
# NOTE(review): mtu=1420 is the WireGuard default. The TCP MSS clamp for this
# interface lives under /ip firewall mangle further down and covers only one
# direction (see the discussion below the export).
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-in
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip pool
add name=pool-lan ranges=10.11.50.1-10.11.50.254
/ip dhcp-server
add address-pool=pool-lan interface=bridge-lan lease-time=1w name=dhcp-lan
/queue type
set 0 kind=sfq
set 1 kind=sfq
set 9 kind=sfq
/interface bridge port
add bridge=bridge-lan interface=ether5
add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether3
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# Cryptokey routing: only 10.12.0.0/16 is accepted from / sent to this peer.
# The peer's own tunnel address 172.16.200.2 (the next hop of the /ip route
# below) is not in allowed-address, so WireGuard itself discards packets to or
# from that address.
# NOTE(review): confirm which addresses the router-to-router bandwidth test
# actually used; with this allowed-address the 172.16.200.x pair should not work.
/interface wireguard peers
add allowed-address=10.12.0.0/16 interface=wireguard-in is-responder=yes
name=inocencia public-key=“key”
/ip address
add address=10.11.10.250/16 interface=bridge-lan network=10.11.0.0
add address=172.16.200.1/30 interface=wireguard-in network=172.16.200.0
/ip cloud
set ddns-enabled=yes
# Second uplink on ether2: DHCP client with add-default-route=no and no static
# route through ether2 anywhere in this export, so nothing is routed out of it.
/ip dhcp-client
add add-default-route=no interface=ether2 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=10.11.40.11 mac-address=B0:4F:13:FD:7E:4E server=dhcp-lan
/ip dhcp-server network
add address=10.11.0.0/16 dns-server=10.11.10.250 gateway=10.11.10.250
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,8.8.8.8
# Filter summary: the only drop is in the input chain and only for all-ppp
# (the built-in interface list of PPP-type interfaces, i.e. pppoe-wan here).
# Input arriving on ether2 is never dropped, and the forward chain has no drop
# rule at all, so anything not matched below is accepted by default. Combined
# with allow-remote-requests=yes above, the resolver answers whatever is
# connected to ether2.
/ip firewall filter
add action=accept chain=forward connection-nat-state=“” connection-state=
established,related
add action=accept chain=input connection-nat-state=“” connection-state=
established,related
# Accepts dst-nat'ed connections addressed to the router itself; none of the
# dst-nat rules below translate to a router address, so this is likely inert.
add action=accept chain=input connection-nat-state=dstnat connection-state=“”
in-interface=all-ppp
# UDP/1701 (L2TP) opened from the internet, but no L2TP server appears in this
# export. Remove if unused.
add action=accept chain=input dst-port=1701 in-interface=all-ppp protocol=udp
# Winbox (port 8292 per /ip service) is reachable from the internet on all-ppp;
# limiting it to an address list or the tunnel reduces exposure.
add action=accept chain=input dst-port=8292 in-interface=all-ppp protocol=tcp
add action=accept chain=input dst-port=13231 in-interface=all-ppp protocol=
udp
add action=accept chain=input src-address=10.11.0.0/16
add action=accept chain=forward src-address=10.11.0.0/16
add action=drop chain=input in-interface=all-ppp
# One-directional MSS clamp (only packets leaving via the tunnel). There is no
# fasttrack rule in this export; if one is added later, tunnel traffic has to be
# kept out of it or this rule stops matching.
/ip firewall mangle
add action=change-mss chain=forward new-mss=1364 out-interface=wireguard-in
passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1365-65535
# Port forwards are reachable from any source on all-ppp; with no forward-chain
# drop nothing further restricts them.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=all-ppp
add action=dst-nat chain=dstnat dst-port=554 in-interface=all-ppp protocol=
tcp to-addresses=10.11.90.90 to-ports=554
add action=dst-nat chain=dstnat dst-port=1051 in-interface=all-ppp protocol=
tcp to-addresses=10.11.40.11 to-ports=1051
add action=dst-nat chain=dstnat dst-port=9000 in-interface=all-ppp protocol=
tcp to-addresses=10.11.40.11 to-ports=9000
add action=dst-nat chain=dstnat dst-port=9090 in-interface=all-ppp protocol=
tcp to-addresses=10.11.90.90 to-ports=9090
add action=dst-nat chain=dstnat dst-port=37777 in-interface=all-ppp protocol=
tcp to-addresses=10.11.90.90 to-ports=37777
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
# Route to the remote LAN via the peer's tunnel address; that next hop is on
# wireguard-in but outside the peer's allowed-address (see note at the peer).
/ip route
add disabled=no distance=1 dst-address=10.12.0.0/16 gateway=172.16.200.2
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
# Enabled services (www on 81, winbox on 8292) carry no address= restriction in
# this export; the filter above is the only thing limiting who reaches them.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=81
set ssh disabled=yes
set api disabled=yes
set winbox port=8292
set api-ssl disabled=yes
/ip upnp
set show-dummy-rule=no
# BFD is enabled on every interface although no dynamic routing protocol
# appears in this export.
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-autodetect=no time-zone-name=America/Campo_Grande
/system identity
set name=router.eletricatrestl
/system leds
set 0 interface=wireguard-in
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=a.st1.ntp.br
add address=b.st1.ntp.br
/system routerboard settings
set auto-upgrade=yes
# Every job runs with the full policy set (including sensitive and password);
# update/upgrade can install packages and reboot the router unattended.
/system scheduler
add interval=1d name=update on-event=update policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
start-date=2024-03-18 start-time=01:00:00
add name=upgrade on-event=upgrade policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
start-time=startup
add interval=1d name=backup-diario on-event=backup-diario policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
start-date=2020-03-03 start-time=00:00:00
add interval=4w2d name=backup-mensal on-event=backup-mensal policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
start-date=2020-03-03 start-time=00:00:00
# Scripts run as admin. The two backup scripts write a config export (which
# may include sensitive values depending on RouterOS version and export
# options) and an unencrypted binary backup (dont-encrypt=yes), then upload
# both with plain FTP (mode=ftp) using credentials embedded in the script
# source; the FTP host and password look obfuscated in this post. An encrypted
# backup and an encrypted transport would remove the cleartext exposure.
# The \r\n sequences inside the quoted source are the exported script's line
# breaks; the forum has additionally wrapped the long lines.
/system script
add dont-require-permissions=no name=update owner=admin policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=“/
system/package/update/check-for-updates\r
\n:delay 5s;\r
\n:if ([system/package/update/get installed-version] != [system/package/up
date/get latest-version]) do={/system/package/update/install} else={ :put
"Nothing to do" };”
add dont-require-permissions=no name=upgrade owner=admin policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=“:
log info "Checking for RouterBOARD upgrade";\r
\n:delay 10s;\r
\n:if ([/system/routerboard/get current-firmware] != [/system/routerboard/
get upgrade-firmware]) do={[:log info "Upgrading RouterBOARD"] [:execute
_script={/system/routerboard/upgrade}] [:delay 10s] [:execute script={/sy
stem/reboot};]} else={:log info "RouterBOARD already in the latest versio
n"};”
add dont-require-permissions=no name=backup-diario owner=admin policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=“:
local filename ([/system identity get name]."-diario")\r
\n\r
\nexport compact file=$filename\r
\n/system backup save dont-encrypt=yes name=$filename\r
\n\r
\n/tool fetch address=ftp port=21021 src-path="$fil
ename.rsc" user=ftpbkp mode=ftp password=password dst-path="Mikro
tik/$filename.rsc" upload=yes\r
\n\r
\n/tool fetch address=ftp port=21021 src-path="$fil
ename.backup" user=ftpbkp mode=ftp password=password dst-path="Mi
krotik/$filename.backup" upload=yes\r
\n\r
\n/file remove "$filename.rsc"\r
\n/file remove "$filename.backup"\r
\n”
add dont-require-permissions=no name=backup-mensal owner=admin policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=“:
local filename ([/system identity get name]."-mensal")\r
\n\r
\nexport compact file=$filename\r
\n/system backup save dont-encrypt=yes name=$filename\r
\n\r
\n/tool fetch address=ftp port=21021 src-path="$fil
ename.rsc" user=ftpbkp mode=ftp password=password dst-path="Mikro
tik/$filename.rsc" upload=yes\r
\n\r
\n/tool fetch address=ftp port=21021 src-path="$fil
ename.backup" user=ftpbkp mode=ftp password=password dst-path="Mi
krotik/$filename.backup" upload=yes\r
\n\r
\n/file remove "$filename.rsc"\r
\n/file remove "$filename.backup"\r
\n”
/system watchdog
set automatic-supout=no watchdog-timer=no

Site B

/interface bridge
add name=bridge-lan
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-wan user=
user
# NOTE(review): same MTU as Site A; the one-directional MSS clamp for this
# interface is under /ip firewall mangle below.
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-tl
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip pool
add name=pool-lan ranges=10.12.50.1-10.12.50.254
/ip dhcp-server
add address-pool=pool-lan interface=bridge-lan lease-time=1w name=dhcp-lan
/queue type
set 0 kind=sfq
set 1 kind=sfq
set 9 kind=sfq
# Unlike Site A, ether2 is a LAN port here (bridged), not a second uplink.
/interface bridge port
add bridge=bridge-lan interface=ether5
add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether2
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# Strict reverse-path filtering discards packets whose source is not routed
# back through the interface they arrived on; with a tunnel in the picture this
# can silently drop traffic. The reply below suggests loose.
/ip settings
set rp-filter=strict
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# Built-in OVPN server profile accepting md5 alongside sha1. The export does not
# show whether the server is enabled; if it is, md5 should not be offered.
/interface ovpn-server server
set auth=sha1,md5
# Initiating side of the tunnel (it carries endpoint-address, obfuscated here).
# allowed-address omits the remote tunnel address 172.16.200.1, which is the
# next hop of the /ip route below, so WireGuard will not carry packets to or
# from it. No persistent keepalive is set.
/interface wireguard peers
add allowed-address=10.11.0.0/16 endpoint-address=
mkcloudsite1 endpoint-port=13231 interface=wireguard-tl
name=treslagoas public-key=“key”
/ip address
add address=10.12.10.250/16 interface=bridge-lan network=10.12.0.0
add address=172.16.200.2/30 interface=wireguard-tl network=172.16.200.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server lease
add address=10.12.40.11 mac-address=78:8C:B5:53:6A:7C server=dhcp-lan
/ip dhcp-server network
add address=10.12.0.0/16 dns-server=10.12.10.250 gateway=10.12.10.250
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,8.8.8.8
# Filter summary: input is dropped only for all-ppp (built-in list of PPP-type
# interfaces, i.e. pppoe-wan); the forward chain has no drop rule, so every
# forwarded packet not matched below is accepted by default.
/ip firewall filter
add action=accept chain=forward connection-nat-state=“” connection-state=
established,related
add action=accept chain=input connection-nat-state=“” connection-state=
established,related
# No dst-nat rule exists on this router, so this accept is inert.
add action=accept chain=input connection-nat-state=dstnat connection-state=“”
in-interface=all-ppp
# No in-interface match and placed before the all-ppp drop: Winbox (8292) is
# reachable from the internet as well as from the LAN and tunnel.
add action=accept chain=input dst-port=8292 protocol=tcp
add action=accept chain=input src-address=10.12.0.0/16
add action=accept chain=forward src-address=10.12.0.0/16
add action=drop chain=input in-interface=all-ppp
# Mirror of Site A's one-directional MSS clamp (tunnel-bound packets only).
/ip firewall mangle
add action=change-mss chain=forward new-mss=1364 out-interface=wireguard-tl
passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1365-65535
/ip firewall nat
add action=masquerade chain=srcnat out-interface=all-ppp
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
# Next hop 172.16.200.1 is outside the peer's allowed-address (see note there).
/ip route
add disabled=no distance=1 dst-address=10.11.0.0/16 gateway=172.16.200.1
routing-table=main suppress-hw-offload=no
# Enabled services (www on 81, winbox on 8292) have no address= restriction.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=81
set ssh disabled=yes
set api disabled=yes
set winbox port=8292
set api-ssl disabled=yes
/ip upnp
set show-dummy-rule=no
# BFD on all interfaces with no dynamic routing protocol in this export.
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-autodetect=no time-zone-name=America/Campo_Grande
/system identity
set name=router.eletricatresin
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=a.st1.ntp.br
add address=b.st1.ntp.br
/system routerboard settings
set auto-upgrade=yes
# All jobs run with the full policy set (including sensitive and password);
# update/upgrade install packages and reboot unattended.
/system scheduler
add interval=1d name=update on-event=update policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
start-date=2024-03-18 start-time=01:00:00
add name=upgrade on-event=upgrade policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
start-time=startup
add interval=1d name=backup-diario on-event=backup-diario policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
start-date=2020-03-03 start-time=00:00:00
add interval=4w2d name=backup-mensal on-event=backup-mensal policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
start-date=2020-03-03 start-time=00:00:00
# Same backup scripts as Site A: config export plus an unencrypted backup
# (dont-encrypt=yes) uploaded over plain FTP (mode=ftp) with credentials in the
# script source (host and password appear obfuscated in this post). The \r\n
# sequences are the exported script's own line breaks; the forum wrapped the
# long lines on top of that.
/system script
add dont-require-permissions=no name=update owner=admin policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=“/
system/package/update/check-for-updates\r
\n:delay 5s;\r
\n:if ([system/package/update/get installed-version] != [system/package/up
date/get latest-version]) do={/system/package/update/install} else={ :put
"Nothing to do" };”
add dont-require-permissions=no name=upgrade owner=admin policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=“:
log info "Checking for RouterBOARD upgrade";\r
\n:delay 10s;\r
\n:if ([/system/routerboard/get current-firmware] != [/system/routerboard/
get upgrade-firmware]) do={[:log info "Upgrading RouterBOARD"] [:execute
_script={/system/routerboard/upgrade}] [:delay 10s] [:execute script={/sy
stem/reboot};]} else={:log info "RouterBOARD already in the latest versio
n"};”
add dont-require-permissions=no name=backup-diario owner=admin policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=“:
local filename ([/system identity get name]."-diario")\r
\n\r
\nexport compact file=$filename\r
\n/system backup save dont-encrypt=yes name=$filename\r
\n\r
\n/tool fetch address=ftp port=21021 src-path="$fil
ename.rsc" user=ftpbkp mode=ftp password=password dst-path="Mikro
tik/$filename.rsc" upload=yes\r
\n\r
\n/tool fetch address=ftp port=21021 src-path="$fil
ename.backup" user=ftpbkp mode=ftp password=password dst-path="Mi
krotik/$filename.backup" upload=yes\r
\n\r
\n/file remove "$filename.rsc"\r
\n/file remove "$filename.backup"\r
\n”
add dont-require-permissions=no name=backup-mensal owner=admin policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=“:
local filename ([/system identity get name]."-mensal")\r
\n\r
\nexport compact file=$filename\r
\n/system backup save dont-encrypt=yes name=$filename\r
\n\r
\n/tool fetch address=ftp port=21021 src-path="$fil
ename.rsc" user=ftpbkp mode=ftp password=password dst-path="Mikro
tik/$filename.rsc" upload=yes\r
\n\r
\n/tool fetch address=ftp port=21021 src-path="$fil
ename.backup" user=ftpbkp mode=ftp password=password dst-path="Mi
krotik/$filename.backup" upload=yes\r
\n\r
\n/file remove "$filename.rsc"\r
\n/file remove "$filename.backup"\r
\n”
/system watchdog
set automatic-supout=no watchdog-timer=no

The exports should have been placed between [code] and [/code] tags (using the </> button above the edit form).
You may prefer to “un-post” the usernames for the pppoe services (and maybe some other logins to external services).
Both can be fixed by editing the post.

You do not use action=fasttrack rules, so the reason why the speed is low is different from what I assumed. You do not use any action=drop rules in the forward chain of firewall filter, which means it actually doesn’t filter anything - not so good.

The mangle rules you use to update tcp-mss act only in one direction, which would normally be a bad idea, but here in particular, the rule on one router compensates for the absence of the reverse rule on the other one, so that’s also not the reason why it is slow.

Can’t say more at the moment, I just wanted to let you know about the leaked data quickly.

Along with the leaked usernames which sindy pointed out, your firewall has unsafe rules!

Note: You have queues on both routers; this may cause slowdown if fasttrack is turned on, but I am not 100% sure whether your simple queue inputs affect fasttrack.
I would test with queues on and then removed to see if there is a significant difference. Are the queues essential???

Router A

  1. Allowed IPs needs work.

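# Fixed prefix: 192.10.12.0.0/16 is not a valid address; the remote LAN in the
# posted export is 10.12.0.0/16. Adding the peer's /32 tunnel address is what
# lets the two routers reach each other on 172.16.200.x at all.
/interface wireguard peers
add allowed-address=**172.16.200.2/32,**10.12.0.0/16 interface=wireguard-in is-responder=yes
name=inocencia public-key=“key”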

  1. Modify wireguard address…
    # /24 on the tunnel (the export has /30) leaves room for extra /32 peers such as
    # the admin devices named in the address-list suggestion further down.
    /ip address
    add address=10.11.10.250/16 interface=bridge-lan network=10.11.0.0
    add address=172.16.200.1/24 interface=wireguard-in network=172.16.200.0

By opening up the network to more IPs, then you as admin can remotely reach both routers for troubleshooting purposes.

  1. Remove the mangle rule for the moment; as long as the MTU on both routers is the same (I think the default is 1500?) it should work fine.
    If after all the changes you are still having issues we will mangle on the CLIENT router for handshake, not the Server.

  2. It would appear router A has two WANs, if so why is the second WAN not identified in the sourcenat settings.
    Also the primary WAN is not noted by its name???

# Named uplinks instead of the all-ppp list. The ether2 masquerade only takes
# effect once traffic is actually routed out ether2; the posted export has the
# DHCP client with add-default-route=no and no static route via ether2.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-wan
add action=masquerade chain=srcnat out-interface=ether2

  1. Your firewall rules are too minimalistic and also dangerous. You open up the router to external hacking
    # Quoted from the Site A export: the forward chain never drops, and Winbox
    # (8292) plus L2TP (1701) are accepted from the internet via all-ppp.
    /ip firewall filter
    add action=accept chain=forward connection-nat-state=“” connection-state=
    established,related
    add action=accept chain=input connection-nat-state=“” connection-state=
    established,related
    add action=accept chain=input connection-nat-state=dstnat connection-state=“”
    in-interface=all-ppp
    add action=accept chain=input dst-port=1701 in-interface=all-ppp protocol=udp
    add action=accept chain=input dst-port=8292 in-interface=all-ppp protocol=tcp
    add action=accept chain=input dst-port=13231 in-interface=all-ppp protocol=
    udp
    add action=accept chain=input src-address=10.11.0.0/16
    add action=accept chain=forward src-address=10.11.0.0/16
    add action=drop chain=input in-interface=all-ppp

Modify to something like!!
# X, Y and A are placeholders for real hosts; pinning them with static DHCP
# leases keeps the list from drifting.
/ip firewall address-list { using static dhcp leases where applicable }
add address=10.11.0.X list=Authorized comment=“admin local desktop”
add address=10.11.0.Y list=Authorized comment=“admin local wifi device”
# NOTE(review): 172.16.200.3/.4 presumably are road-warrior WireGuard clients;
# they still need their own peer entries (with /32 allowed-address) on Router A,
# which this post does not show.
add address=172.16.200.3 list=Authorized comment=“admin remote laptop”
add address=172.16.200.4 list=Authorized comment=“admin remote ipad/smartphone”
add address=10.12.0.A list=Authorized comment=“admin from router B access”

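# Suggested Router A filter. Order matters: the first matching rule wins, and
# each chain ends in an explicit drop.
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
# The WireGuard listener is the only service left open to the world; everything
# else on input is limited to the Authorized list or to LAN-side DNS/NTP.
add action=accept chain=input dst-port=13231 protocol=udp
add action=accept chain=input comment=“admin access” src-address-list=Authorized
# 123 only matters if the router serves NTP to the LAN; the export shows an NTP
# client only.
add action=accept chain=input comment=“users to services” in-interface=bridge-lan dst-port=53,123 protocol=udp
add action=accept chain=input comment=“users to services” in-interface=bridge-lan dst-port=53 protocol=tcp
add action=drop chain=input comment=“drop all else”
+++++++++++++++++++++++++++++++++++++++++++++++++++
# fasttrack-connection takes the matched connections past the rest of filter
# and mangle. That is fine while the MSS clamp is removed; if it is ever
# reinstated, exclude tunnel traffic from this rule (for example with
# out-interface=!wireguard-in) so those flows still reach mangle.
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
# Interface name corrected: the export names the PPPoE client pppoe-wan, not
# ppoe-wan, and a rule naming a non-existent interface never matches.
add action=accept chain=forward comment=“internet access” in-interface=bridge-lan out-interface=pppoe-wan
# Only useful once a route via ether2 exists (see the "missing route" item).
add action=accept chain=forward comment=“internet access” in-interface=bridge-lan out-interface=ether2
add action=accept chain=forward comment=“relay remote wg users to RB” in-interface=wireguard-in out-interface=wireguard-in
add action=accept chain=forward comment=“local users to wg” src-address=10.11.0.0/16 out-interface=wireguard-in
add action=accept chain=forward comment=“remote users to LAN” dst-address=10.11.0.0/16 in-interface=wireguard-in
add action=drop chain=forward comment=“drop all else”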

  1. Not sure what all-ppp describes, either you forgot to add critical config components, which I dont recall being a request ?? or, you made it up and it has no context.

  2. Your route is incorrect…
    change to:
    # Interface as gateway: WireGuard selects the peer by allowed-address, so no
    # next-hop IP is needed and the route no longer depends on 172.16.200.2
    # being inside the peer's allowed-address.
    /ip route
    add dst-address=10.12.0.0/16 gateway=wireguard-in routing-table=main

  3. Missing route,
    Since you had wan2 in ip dhcp client with no default route, you need a route manually set.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Router B

  1. Should normally be set to loose
    # Current value from the Site B export; the suggestion is rp-filter=loose,
    # because strict discards packets whose source is not routed back through
    # the interface they arrived on.
    /ip settings
    set rp-filter=strict

  2. Modify allowed IPs to:
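    # Parameter name corrected: RouterOS spells it persistent-keepalive. It is
    # useful on this side because Site B is the initiator (it carries the
    # endpoint) and the keepalive keeps any NAT mapping on the path alive.
    # The added /24 lets Site B reach every tunnel address, including the admin
    # devices proposed for Router A.
    /interface wireguard peers
    add allowed-address=**172.16.200.0/24,**10.11.0.0/16 endpoint-address=
    mkcloudsite1 endpoint-port=13231 interface=wireguard-tl persistent-keepalive=35s
    name=treslagoas public-key=“key”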

  3. Address:
    # Tunnel prefix widened to /24 to match Router A's suggested address.
    /ip address
    add address=10.12.10.250/16 interface=bridge-lan network=10.12.0.0
    add address=172.16.200.2/24 interface=wireguard-tl network=172.16.200.0

  4. Remove mangle for now.

  5. Sourcenat
    # Single uplink on Site B; masquerade by interface name instead of all-ppp.
    /ip firewall nat
    add action=masquerade chain=srcnat out-interface=pppoe-wan

  6. FIREWALL rules should mirror those of the main router for the most part but no need for relay forward chain rule.

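# Suggested Router B filter: same shape as Router A's, minus the ether2 and
# tunnel-relay rules. First match wins; both chains end in an explicit drop.
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-port=13231 protocol=udp
# Authorized is the address list proposed for Router A; it has to exist on this
# router too.
add action=accept chain=input comment=“admin access” src-address-list=Authorized
add action=accept chain=input comment=“users to services” in-interface=bridge-lan dst-port=53,123 protocol=udp
add action=accept chain=input comment=“users to services” in-interface=bridge-lan dst-port=53 protocol=tcp
add action=drop chain=input comment=“drop all else”
+++++++++++++++++++++++++++++++++++++++++++++++++++
# fasttrack-connection bypasses the rest of filter and mangle for matched
# connections; keep tunnel traffic out of it if the MSS clamp is reinstated.
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
# Interface name corrected: the export names the PPPoE client pppoe-wan, not
# ppoe-wan, and a rule naming a non-existent interface never matches.
add action=accept chain=forward comment=“internet access” in-interface=bridge-lan out-interface=pppoe-wan
add action=accept chain=forward comment=“local users to wg” src-address=10.12.0.0/16 out-interface=wireguard-tl
add action=accept chain=forward comment=“remote users to LAN” dst-address=10.12.0.0/16 in-interface=wireguard-tl
add action=drop chain=forward comment=“drop all else”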

  1. IP Route
    # Interface as gateway, mirroring the Router A suggestion: the peer is picked
    # by allowed-address, so no next-hop IP is needed.
    /ip route
    add disabled=no distance=1 dst-address=10.11.0.0/16 gateway=wireguard-tl routing-table=main

TKS for the info and for your time.

TKS, gonna make the changes for better security and see if performance gets any better.

Problem continues. The mangle rule doesn’t show a byte count when I run the test; it looks like it is not matching the packets.

Were you ever able to get to the bottom of this? I’m having a similar issue.

When I run a bandwidth test between mikrotiks, over the wireguard tunnel, I can max out the internet connection (400Mbps / 400Mbps)

However, when I run a speed test between hosts using scp, ftp, http, etc. I can only hit around 30-40Mbps max.

Spent many hours messing with MTU values and other suggestions without any success.
