Wireguard very slow

Hello everyone,
I know this is yet another thread about Wireguard being slow but I went through a lot of them without success.

Basically I have 2 RB962UiGS-5HacT2HnT behind my ISP routers. On both ends the connection is 2.5Gbps/500Mbps, where the actual speed is at least 1.7Gbps (ports are 1Gbps so I had to test via Wifi6) and full 512/516 Mbps.

SiteA(server)== ISP home router == 2.5/0.5 == 2.5/0.5 == ISP home router == SiteB(client)

SiteA exposes port 15916 and site B connects to that port. MTU is 1420 for both (see config).

The issue is I get a very poor speed (I checked the cables and the negotiation happens at 1Gbps Full-Duplex).

I made my tests with both Mikrotik bandwidth test and iperf3 between 2 wired hosts.

SiteA => SiteB

Send UDP: ~60 Mbps, both CPUs (siteA and siteB) ~100%
Receive UDP: 70-100 Mbps, both CPUs (siteA and siteB) ~100%
Both UDP: 50/50 Mbps both CPUs (siteA and siteB) ~100%
Send TCP: ~65 Mbps, both CPUs (siteA and siteB) ~100%
Receive TCP: ~60 Mbps, both CPUs (siteA and siteB) ~100%
Both TCP: 25/25Mbps both CPUs (siteA and siteB) ~100%

As far as I know there can be no hardware offload involved, I really don't know what's going on :confused:
I even disabled a lot of firewall filter rules due to the fact that the mikrotik is not internet facing anymore.
I was expecting higher speeds despite:

  • The CPU is not a monster
  • Encryption is involved
  • HW Offload is absent

But this is actually worse than I expected.

I am planning to buy a RB5009UPr+S+IN or a CRS310-8G+2S+IN (maybe even CCR2004-1G-12S+2XS) when I move to my new house with a 10Gbps connection, does anybody know how I can find out wireguard speeds with these devices?

They're going to only route traffic to the switch (and maybe some cameras).

Here's my current configuration:
Site A

# 2023-12-18 10:43:18 by RouterOS 7.13
#
# model = RB962UiGS-5HacT2HnT

/interface bridge
add name=bridge-main port-cost-mode=short protocol-mode=none
add name=voda-bridge port-cost-mode=short protocol-mode=none

/interface wireguard
add listen-port=15915 mtu=1420 name=wirelab
add listen-port=15916 mtu=1420 name=zm

/interface vlan
add interface=bridge-main name=vlan-vodafone vlan-id=11

/interface list
add name=outgoing

/ip pool
add name=pool-lan ranges=10.0.40.21-10.0.40.239

/ip dhcp-server
add address-pool=pool-lan interface=bridge-main lease-time=10m name=dhcp1

/interface bridge port
add bridge=bridge-main interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge-main interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge-main interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge-main interface=ether5 internal-path-cost=10 path-cost=10
add bridge=voda-bridge interface=ether1 internal-path-cost=10 path-cost=10
add bridge=voda-bridge interface=vlan-vodafone internal-path-cost=10 \
    path-cost=10

/interface detect-internet
set detect-interface-list=all

/interface list member
add interface=ether1 list=outgoing
add interface=voda-bridge list=outgoing
add interface=*C list=outgoing

/interface wireguard peers
add allowed-address=10.0.41.13/32 comment=ipanto interface=wirelab \
    public-key=<REDACTED>
add allowed-address=10.0.41.21/32 comment=garanto interface=wirelab \
    public-key=<REDACTED>
add allowed-address=10.0.41.12/32 comment=pasqbook interface=wirelab \
    public-key=<REDACTED>
add allowed-address=10.0.41.11/32 comment=manto interface=wirelab public-key=<REDACTED>
add allowed-address=10.0.41.130/32 comment=pc-guglielmo interface=wirelab \
    public-key=<REDACTED>
add allowed-address=192.168.1.0/24,10.0.42.5/32 client-address=10.0.42.5/32 \
    comment="zm-peer1" interface=zm persistent-keepalive=20s public-key=<REDACTED>

/ip address
add address=10.0.40.1/24 interface=bridge-main network=10.0.40.0
add address=10.0.41.1/24 interface=wirelab network=10.0.41.0
add address=10.0.42.1/28 interface=zm network=10.0.42.0

/ip dhcp-client
add interface=voda-bridge

/ip dhcp-server lease
<REDACTED>

/ip dhcp-server network
add address=10.0.40.0/24 dns-server=10.0.40.1 gateway=10.0.40.1

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8

/ip dns static
<REDACTED>

/ip firewall address-list
add address=10.0.40.0/24 list=antonio
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A" disabled=yes list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C" disabled=yes list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=bogons

/ip firewall filter
add action=accept chain=input disabled=yes dst-port=15915 in-interface=\
    voda-bridge log-prefix=remanto protocol=udp
add action=accept chain=input disabled=yes dst-port=15916 in-interface=\
    voda-bridge log-prefix=remanto protocol=udp
add action=accept chain=input comment="cratesregistry allow" disabled=yes \
    dst-port=9418 log=yes log-prefix=cratesregistry protocol=tcp
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 disabled=yes \
    protocol=tcp tcp-flags=syn
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related disabled=yes
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=drop chain=input comment="Drop to syn flood list" disabled=yes \
    src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    disabled=yes protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" disabled=yes \
    src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
    ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except t\
    o antonio list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE ant\
    onio ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp \
    src-address-list=!antonio
add action=jump chain=forward comment="Jump for icmp forward flow" \
    jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" disabled=yes \
    dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers \
    address-list-timeout=3h chain=forward comment=\
    "Add Spammers to the list for 3 hours" connection-limit=30,32 disabled=\
    yes dst-port=25,587 limit=30/1m,0:packet protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" disabled=yes \
    dst-port=25,587 protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" disabled=yes port=53 \
    protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" disabled=yes port=53 \
    protocol=tcp
add action=accept chain=input comment="Accept to established connections" \
    connection-state=established disabled=yes
add action=accept chain=input comment="Accept to related connections" \
    connection-state=related disabled=yes
add action=accept chain=input comment="Full access to antonio address list" \
    disabled=yes src-address-list=antonio
add action=accept chain=ICMP comment=\
    "Echo request - Avoiding Ping Flood, adjust the limit as needed" \
    disabled=yes icmp-options=8:0 limit=2,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" disabled=yes icmp-options=\
    0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" disabled=yes \
    icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" disabled=yes \
    icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD disabled=yes icmp-options=3:4 \
    protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=yes \
    protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
    protocol=icmp
add action=drop chain=input disabled=yes dst-port=53 in-interface=voda-bridge \
    protocol=tcp
add action=drop chain=input disabled=yes dst-port=53 in-interface=voda-bridge \
    protocol=udp
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
    RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes

/ip firewall mangle
add action=fasttrack-connection chain=prerouting in-interface=zm

/ip firewall nat
add action=masquerade chain=srcnat out-interface=voda-bridge
add action=dst-nat chain=dstnat dst-port=80 in-interface=voda-bridge \
    protocol=tcp to-addresses=10.0.40.240 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface=voda-bridge \
    protocol=tcp to-addresses=10.0.40.240 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-port=4222 in-interface=\
    voda-bridge protocol=tcp to-addresses=10.0.40.240 to-ports=4222
add action=dst-nat chain=dstnat disabled=yes dst-port=6222 in-interface=\
    voda-bridge protocol=tcp to-addresses=10.0.40.240 to-ports=6222
add action=dst-nat chain=dstnat comment="crates registry" disabled=yes \
    dst-port=9418 in-interface=voda-bridge log=yes protocol=tcp to-addresses=\
    10.0.40.240 to-ports=9418
add action=accept chain=srcnat out-interface=bridge-main
add action=accept chain=srcnat out-interface=voda-bridge
add action=masquerade chain=srcnat out-interface=zm

/ip route
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=zm pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.0.40.0/24,10.0.41.0/24
set ssh address=10.0.40.0/24,10.0.41.0/24
set api address=10.0.40.0/24,10.0.41.0/24
set winbox address=10.0.40.0/24,10.0.41.0/24
set api-ssl disabled=yes

/system clock
set time-zone-name=Europe/Rome

/system identity
set name=mainTik

/system logging
add prefix=WG- topics=wireguard

/system note
set show-at-login=no

Site B

# 2023-12-18 10:44:26 by RouterOS 7.13
#
# model = RB962UiGS-5HacT2HnT

/interface bridge
add name=bridge-lan
add name=bridge-maint

/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik

/interface wireguard
add listen-port=13231 mtu=1420 name=toni

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip hotspot profile
set [ find default=yes ] html-directory=hotspot

/ip pool
add name=pool-maint ranges=172.31.0.2-172.31.0.14

/ip dhcp-server
add address-pool=pool-maint interface=bridge-maint name=dhcp-maint

/interface bridge port
add bridge=bridge-maint interface=ether5
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether4

/interface wireguard peers
add allowed-address=10.0.40.0/24,10.0.42.1/32 endpoint-address=\
    <REDACTED> endpoint-port=15916 interface=toni \
    persistent-keepalive=20s public-key=<REDACTED>

/ip address
add address=172.31.0.1/28 interface=bridge-maint network=172.31.0.0
add address=10.0.42.5/28 interface=toni network=10.0.42.0

/ip dhcp-client
add interface=ether1

/ip dhcp-server network
add address=172.31.0.0/28 gateway=172.31.0.1

/ip dns
set allow-remote-requests=yes

/ip firewall filter
add action=accept chain=forward in-interface=toni
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=toni

/ip route
add disabled=no distance=1 dst-address=10.0.40.0/24 gateway=10.0.42.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10

/system clock
set time-zone-name=Europe/Rome

/system identity
set name=zmtik

/system logging
add prefix=WG- topics=wireguard

/system note
set show-at-login=no

Thank you very much!
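The export above is hard to review at a glance: most filter rules carry `disabled=yes`, and the export wraps long lines with trailing backslashes, sometimes in the middle of a quoted comment. The following Python script is an added example for this thread, not the poster's code and not a MikroTik tool. It joins RouterOS export continuation lines, parses `add`/`set` entries into key/value dicts, and summarises per chain how many filter rules are live and whether the last live rule is an unconditional drop. `SAMPLE_EXPORT` is a constructed, abridged excerpt modelled on the Site A export; escaped quotes inside values are not handled.

```python
import re
from collections import defaultdict

# Constructed, abridged excerpt modelled on the Site A export in this thread.
SAMPLE_EXPORT = r"""
# 2023-12-18 10:43:18 by RouterOS 7.13
/ip firewall filter
add action=accept chain=input disabled=yes dst-port=15916 in-interface=\
    voda-bridge log-prefix=remanto protocol=udp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related disabled=yes
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
    ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except t\
    o antonio list" disabled=yes dst-port=8291 protocol=tcp \
    src-address-list=!antonio
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
    RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
/ip service
set ssh address=10.0.40.0/24,10.0.41.0/24
"""

_CMD = re.compile(r"^(add|set)\s+(?:(\[[^\]]*\])\s+)?(.*)$")

# Keys that describe the rule or its action rather than match traffic.
NON_MATCH_KEYS = {"_verb", "_selector", "_args", "chain", "action", "comment",
                  "disabled", "log", "log-prefix", "jump-target", "hw-offload",
                  "address-list", "address-list-timeout"}


def join_continuations(text):
    """A trailing backslash means the next line continues this one; RouterOS
    strips the continuation line's indentation, even inside a quoted value."""
    lines, buf = [], None
    for raw in text.splitlines():
        buf = raw if buf is None else buf + raw.lstrip()
        if buf.endswith("\\"):
            buf = buf[:-1]
        else:
            lines.append(buf)
            buf = None
    if buf is not None:
        lines.append(buf)
    return lines


def split_args(s):
    """Split 'k=v k2="v with spaces"' on unquoted spaces only."""
    tokens, cur, quoted = [], [], False
    for ch in s:
        if ch == '"':
            quoted = not quoted
        elif ch == " " and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_export(text):
    """Return {section path: [entry dict, ...]} for every add/set line."""
    sections, section = defaultdict(list), None
    for line in join_continuations(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        m = _CMD.match(line)
        if not m or section is None:
            continue
        entry = {"_verb": m.group(1)}
        if m.group(2):
            entry["_selector"] = m.group(2)      # e.g. "[ find default=yes ]"
        for tok in split_args(m.group(3)):
            key, sep, val = tok.partition("=")
            if sep:
                entry[key] = val
            else:
                entry.setdefault("_args", []).append(tok)   # bare item name, e.g. "ssh"
        sections[section].append(entry)
    return dict(sections)


def firewall_summary(sections):
    """Per chain: enabled/disabled rule counts, and whether the last enabled
    rule is an unconditional drop (a terminating default-deny)."""
    summary = {}
    for rule in sections.get("/ip firewall filter", []):
        s = summary.setdefault(rule.get("chain", "?"),
                               {"enabled": 0, "disabled": 0, "default_drop": False})
        if rule.get("disabled") == "yes":
            s["disabled"] += 1
            continue
        s["enabled"] += 1
        has_matcher = any(k not in NON_MATCH_KEYS for k in rule)
        s["default_drop"] = rule.get("action") == "drop" and not has_matcher
    return summary


if __name__ == "__main__":
    for chain, s in firewall_summary(parse_export(SAMPLE_EXPORT)).items():
        print(f"{chain}: {s}")
```

Run against a full `/export` the script shows, for each chain, how much of the posted ruleset is actually in effect; on the excerpt above the `input` chain has a single live rule (the ICMP jump) and no terminating drop, which matches the poster's remark that the filter rules were disabled once the box stopped being internet-facing.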

Not complete configs so won't waste my time.
First config why do you have funky bridge settings and why do you have two bridges.

I only stripped the wireless configuration which I’m not using, and of course public keys. Is there anything else missing? The goal was to make this a bit more readable, not “waste your time”
Bridges make it easier to reassign network interfaces, I may have to add another interface to the maintenance bridge or move a device from the maintenance subnet to another.

Anyway

Not complete configs so won't waste my time.

This isn’t quite friendly. Besides as you can see this is my first post in this forum, I may not be perfect at providing the required information.

Thank you

Please only use iPerf for performance testing (and forget about the MT test).

In regards to iPerf:

  • how many threads?
  • CPU usage of the MT while testing?

Why are you using multiple Wireguard instances?

Instead of using multiple bridges, you could choose using VLAN (the correct way):
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

/interface detect-internet
set detect-interface-list=all

Could you test again with detect internet disabled?

I think you will find with this router your CPU is not fast enough. It only has 1 core @ 720 MHz.
If you check your router CPU usage when you are testing with iperf you are probably at 100% CPU.

Andy

I would still expect to see over 100Mbps though… the ethernet tests show the route is capable of more.
One bridge would help…

I tested iperf3 with -P {2,3,4} and without -P, no changes.
CPU always reaches 90-100% with iperf as well.
wirelab is a road warrior, I use it to connect to my lab. While zm is the one I need to connect a remote site, access from this one will be restricted.

Internet detection is now disabled, but nothing has changed.

I'm not using VLANs because I need a physical segregation and, since devices come and go, I need to configure each device to untag the right one, which would be a nightmare.
I have my "WAN" interface which picks an IP from my ISP router, and I need to pack that network in a VLAN so I can inject it in the main bridge, the purpose is reaching a couple of Unifi access points. One of them is directly connected to the router, the other one connects to a switch. I need to provide 2 different networks to the APs: the lab one (untagged) and the ISP (Vodafone) one, tagged.
I'm not sure what you mean by using VLANs but I don't see how I can span networks dynamically on multiple interfaces without using bridges. Advice is welcome though :slight_smile:

I don't know, maybe something is going through the CPU instead of being offloaded somewhere else? I set up the fasttrack settings but I get 100% CPU even on lan :confused:

Since WireGuard utilizes ChaCha20, which is pure software encryption, the bottleneck is almost always the CPU power. When the CPU hits 100% on either endpoint, that’s the maximum throughput you will get.
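The replies above ask for iperf3 results with a stated number of streams and the router's CPU load, and conclude that a pegged CPU is the ceiling. The following Python example is added here and comes from neither the poster nor any reply: it reads iperf3's machine-readable output (`iperf3 -J`, combined with `-P` for parallel streams, `-R` for reverse direction and `-u` for UDP), reduces each run to the figures worth comparing, and pairs them with the router CPU percentage read by hand from `/system resource print` during the test. It also converts a measured payload rate into the packet rate the router must encrypt at MTU 1420, which is what a single-core box saturates on. Both JSON documents are constructed with invented values; the per-packet overhead (16-byte WireGuard data header plus 16-byte Poly1305 tag, over outer IPv4/UDP) is the protocol's, and the 90% threshold for calling the router CPU-bound is my assumption.

```python
import json

# Constructed iperf3 -J results: field names are iperf3's, values are invented
# to resemble the ~60-70 Mbps figures reported in this thread.
SAMPLE_TCP_JSON = """{
  "start": {"test_start": {"protocol": "TCP", "num_streams": 2, "reverse": 0}},
  "end": {
    "sum_sent":     {"bytes": 78643200, "seconds": 10.0,
                     "bits_per_second": 62914560.0, "retransmits": 412},
    "sum_received": {"bytes": 77594624, "seconds": 10.0,
                     "bits_per_second": 62075699.2},
    "cpu_utilization_percent": {"host_total": 4.2, "remote_total": 3.1}
  }
}"""

SAMPLE_UDP_JSON = """{
  "start": {"test_start": {"protocol": "UDP", "num_streams": 1, "reverse": 1}},
  "end": {
    "sum": {"bytes": 87500000, "seconds": 10.0, "bits_per_second": 70000000.0,
            "jitter_ms": 0.31, "packets": 61620, "lost_packets": 930,
            "lost_percent": 1.509},
    "cpu_utilization_percent": {"host_total": 3.8, "remote_total": 2.9}
  }
}"""

# Per-packet bytes WireGuard adds to each inner packet it carries.
WG_DATA_OVERHEAD = 16 + 16       # data-message header (type, receiver, counter) + Poly1305 tag
OUTER_IPV4_UDP = 20 + 8          # outer IPv4 and UDP headers when peers talk over IPv4
ROUTER_CPU_BOUND_PCT = 90        # assumption: above this the router CPU is the limit


def summarize(iperf_json, router_cpu_pct=None):
    """Reduce one iperf3 -J result to the numbers worth comparing between runs.
    router_cpu_pct is read by hand from the MikroTik (/system resource print)
    while the test runs; iperf3 only knows the CPU load of the two test hosts."""
    r = json.loads(iperf_json)
    ts, end = r["start"]["test_start"], r["end"]
    if ts["protocol"] == "UDP":
        s = end.get("sum") or end["sum_received"]
        mbps, loss, retrans = s["bits_per_second"] / 1e6, s.get("lost_percent"), None
    else:
        mbps, loss = end["sum_received"]["bits_per_second"] / 1e6, None
        retrans = end["sum_sent"].get("retransmits")
    out = {
        "protocol": ts["protocol"],
        "streams": ts["num_streams"],
        "reverse": bool(ts.get("reverse", 0)),   # -R: server sends, client receives
        "mbps": round(mbps, 1),
        "loss_pct": loss,
        "retransmits": retrans,
        "host_cpu_pct": end["cpu_utilization_percent"]["host_total"],
    }
    if router_cpu_pct is not None:
        out["router_cpu_pct"] = router_cpu_pct
        # Idle test hosts plus a pegged router point at the tunnel endpoint,
        # not the link or the hosts, as the limit.
        out["bottleneck"] = ("router-cpu" if router_cpu_pct >= ROUTER_CPU_BOUND_PCT
                             else "not-router-cpu")
    return out


def tunnel_packet_rate(payload_mbps, mtu=1420, outer=OUTER_IPV4_UDP):
    """Packets per second the router must encrypt or decrypt to carry
    payload_mbps through a WireGuard interface with the given MTU, assuming
    MTU-sized inner packets (the best case for a CPU-bound box), plus the
    resulting on-wire rate once WireGuard and outer headers are added."""
    pps = payload_mbps * 1e6 / (mtu * 8)
    wire_mbps = pps * (mtu + WG_DATA_OVERHEAD + outer) * 8 / 1e6
    overhead_pct = 100 * (WG_DATA_OVERHEAD + outer) / mtu
    return {"pps": round(pps), "wire_mbps": round(wire_mbps, 1),
            "overhead_pct": round(overhead_pct, 1)}


if __name__ == "__main__":
    # The TCP run, with the router reading 100% CPU during the test.
    print(summarize(SAMPLE_TCP_JSON, router_cpu_pct=100))
    print(summarize(SAMPLE_UDP_JSON))
    print(tunnel_packet_rate(60))
```

Comparing `summarize()` output across `-P 1`, `-P 4`, `-R` and `-u` runs makes the pattern in this thread visible: the test hosts stay nearly idle, the router reports 100%, and the throughput barely moves with the stream count. `tunnel_packet_rate()` shows why: at 60 Mbps of MTU-sized traffic the router is already encrypting or decrypting around 5,300 packets per second, and with smaller inner packets the per-packet cost dominates even more.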

Larsa is right, if you plan on using heavy CPU tasks at high internet speeds, you need to upgrade your router. Home routers can only do so much.

Thank you very much.
So my configuration is correct, right? Except for the amount of bridges nothing is wrong?
Anyway, can anyone link an article about best practices on segregating networks on mikrotik? Like using VLANs or so. I’m currently reading this: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Thank you very much for your help.

Antonio

In my humble opinion you already found the best topic about VLAN.