Hello All - I contacted support but they weren’t much help, so hoping to get some ideas from the forum.
I have a CCR1009-7G-1C-1S+ router running RouterOS version 7.1.1. I have created a WireGuard connection and created rules so traffic coming from certain internal IPs will be routed over the WireGuard route. All is working great.
The problem is I know the WireGuard server I’m connecting to is able to handle the full 1 Gb connection both ends are connected to. I can get full speed using other routers and just my own computer, so I know the problem isn’t on the other end.
With the CCR1009 router, I am only able to get a max of 400 Mbps. But what doesn’t seem right is while the speed maxes out at 400 Mbps, the CPU usage is only 50%. I could understand only getting 400 Mbps if the CPU was maxing out, but it’s not. So my thinking is I can get faster speed over the WireGuard connection if I can get the CPU to actually max out? Or maybe perhaps this is just the way it works on RouterOS…
I have attached the configuration. I have already disabled Fasttrack, created a Mangle rule to clamp the MSS, and troubleshot the max MTU to use.
Sounds like that is probably a decent VPN speed that you will not be able to improve upon.
Comparing direct speeds to an unencrypted connection is not really valid.
You are brave, configuring your CCR1009 to 7.1.1, I am waiting one more iteration before I make the plunge.
Don’t forget that your CCR has 9 CPU cores … so CPU usage of 50% can translate to 4 fully utilized CPU cores (and others lightly utilized) or it can translate to all 9 cores being 50% utilized. To see which it is, you should run the CPU profiler.
The thing is that many things cannot be ideally parallelized … and routing with encryption is one of them. In order to keep traffic flowing with minimum disruption (i.e. to keep frames delivered in order), certain things have to be done in series. Typically all packets belonging to a single TCP connection are routed by the same CPU core and that can limit throughput. Using multiple parallel TCP streams lifts this limitation. Even if you use multiple parallel TCP streams from the client device, the router still has to serialize them into the WireGuard connection. I’m not a WireGuard expert, so I can only assume that subsequent packets, sent through a single tunnel, cannot be entirely independently treated, hence it may be that WireGuard can only use so many CPU cores in parallel.
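The point above (a single flow is pinned to one core, so the average CPU figure hides a saturated core) can be illustrated with a small model. This is an added example, not part of the original post; the core count, the per-core limit and the 5-tuple hashing are constructed assumptions, not CCR1009 measurements.

```python
import hashlib

# Constructed model: every flow is pinned to one core by hashing its 5-tuple
# (RSS-style), and each core can encrypt/forward at most PER_CORE_MBPS.
# Both numbers are illustrative assumptions, not measured RouterOS values.
CORES = 9
PER_CORE_MBPS = 400


def core_for_flow(src, dst, sport, dport, proto="tcp", cores=CORES):
    """Pin a flow to a core by hashing its 5-tuple (toy stand-in for RSS)."""
    key = f"{proto}:{src}:{sport}->{dst}:{dport}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % cores


def simulate(flows, demand_mbps_per_flow, cores=CORES, per_core=PER_CORE_MBPS):
    """Return (aggregate_mbps, average_cpu_percent, busiest_core_percent).

    Flows that land on the same core share that core's capacity; a core
    cannot deliver more than per_core Mbps no matter how many flows demand it.
    """
    demanded = [0.0] * cores
    for flow in flows:
        demanded[core_for_flow(*flow, cores=cores)] += demand_mbps_per_flow
    delivered = [min(d, per_core) for d in demanded]
    utilisation = [d / per_core * 100 for d in delivered]
    return sum(delivered), sum(utilisation) / cores, max(utilisation)


if __name__ == "__main__":
    # Constructed sample flows: one speed test, then 20 parallel streams.
    single = [("192.168.50.10", "203.0.113.5", 50000, 443)]
    many = [("192.168.50.10", "203.0.113.5", 50000 + i, 443) for i in range(20)]
    for label, flows in (("1 stream", single), ("20 streams", many)):
        agg, avg_cpu, busiest = simulate(flows, demand_mbps_per_flow=1000)
        print(f"{label}: {agg:.0f} Mbps, avg CPU {avg_cpu:.1f}%, "
              f"busiest core {busiest:.0f}%")
```

With one stream the model delivers exactly one core's worth (400 Mbps) while the averaged CPU figure stays near 11%; the busiest-core number is the one the CPU profiler would reveal.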
So assuming your CCR1009 is the peer device in the setup (at least for initial connection).
(1) Interface wireguard peers looks good!
(2) IP address - I do not see the need for this wg interface IP address (WHAT PURPOSE does it serve??)
(3) The IP route has most of the elements dst-address=0.0.0.0/0, gwy=wireguard interface, and the use of the separate routing table, BUT where is the defined traffic going through that route??
You are missing the routing rule… take a look at my setup…
/routing table
add disabled=no fib name=table-p
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=Wireguard-P routing-table=table-p suppress-hw-offload=no
/routing rule
add action=lookup-only-in-table disabled=no src-address=192.168.50.0/24 table=table-p
No need to disable Fasttrack … Your mangle rule will generate a performance hit … get rid of mangle and your WAN performance will improve.
If your connection is 1G symmetrical then you should be able to hit between 700-800 Mbps …
Insofar as your CPU is concerned … it all depends on the number of concurrent sessions that are active … I believe that on the next version of RoS, 7.21 or 7.22, there will be some CPU performance improvements
@anav
Have you measured your throughput with AXIOM SHIELD turned off or Active?
I have a number of CCR1009 at customer sites all running RoS 7.1.1 on Bell fiber 1G symmetrical business and using iPerf no problem hitting 800 Mbps on single session with MOAB active. …
BTW, you can use speedtestCLI via command windows and you will see an improvement in the metrics https://www.speedtest.net/apps/cli
but iPerf is more consistent. Your Pi can probably run the iPerf server, then your remote client can run iPerf via a Windows command window … much better that way.
Hello Porkapatamus. I’m in a similar situation. I have a CHR 7.14.2 with several WireGuard VPNs and a Dude monitoring local devices. During the nights, I started receiving alerts as if there were outages coinciding with remote backups. I managed to demonstrate that when I perform a bandwidth test against another router (4011 7.14.1), one of the CHR CPUs reaches 100% usage starting from 100 Mbps, and outages start to occur. The strange thing is that <3% is used in WireGuard and >80% in routing. On the other side, the 4011 distributes the load among its 4 CPUs. If I perform the same test using L2TP, I don’t have any problems whatsoever.
Hello, after a few days of testing, the solution has been to downgrade to version ROS 7.13. After downgrading, everything has gone smoothly and I haven’t observed any of the CHR vCPUs reaching 100% usage. There are no interruptions, and the monitoring is good. The test speed has increased from 100 Mbps to around 400 Mbps (maximum client line speed) without any issues. It’s clear that in my case, the ROS 7.14 version doesn’t work properly.