maxb
newbie
Topic Author
Posts: 34
Joined: Wed Feb 12, 2014 4:42 am

Wireguard Asymmetric speed on symmetric connections

Tue Oct 25, 2022 4:38 pm

Hi,

Unfortunately, I have a weird speed issue on Wireguard packet transfer (SMB & HTTP); Bandwidth Test on Winbox is symmetrical (UDP & TCP).

A -> B : 200 mbps
B -> A : 930 mbps

I can replicate the issue from a client on site A and site B.

Both connections are on symmetrical Gigabit fiber.

Screenshot from site A client
Image
On a site B client, I get the exact same opposite

Note : router A has a second wireguard peer

Config on A
# oct/25/2022 08:59:53 by RouterOS 7.6
# software id = XBM6-GW7N
#
# model = RB5009UG+S+
# serial number = EC1A0EF453D7
/interface bridge
add admin-mac=2C:C8:1B:FF:5B:68 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-lan
set [ find default-name=sfp-sfpplus1 ] name=sfpplus-wan speed=10Gbps
/interface pppoe-client
add add-default-route=yes dial-on-demand=yes disabled=no interface=\
    sfpplus-wan name=Bell user=user
/interface wireguard
add listen-port=13231 mtu=1280 name=wireguard1
add listen-port=13232 mtu=1280 name=wireguardchesnay
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
add local-address=192.168.30.1 name=peer2 passive=yes
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,3des
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,3des pfs-group=none
/ip pool
add name=dhcp ranges=192.168.30.100-192.168.30.189
add name=VPN-pool ranges=192.168.30.190-192.168.30.199
add name=VPN-FDDF ranges=192.168.30.200-192.168.30.205
/ip dhcp-server
add address-pool=dhcp interface=bridge name=default
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8 local-address=192.168.30.1 name=\
    VPN-FDDF remote-address=VPN-FDDF
set *FFFFFFFE dns-server=192.168.30.1 local-address=192.168.30.1 \
    remote-address=VPN-pool
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge interface=ether1-lan
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192
/interface l2tp-server server
set allow-fast-path=yes enabled=yes max-mru=1350 max-mtu=1350 use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=Bell list=WAN
/interface ovpn-server server
set auth=sha1,md5 certificate=chesnay_ovpn cipher=blowfish128,aes128,aes256 \
    default-profile=default-encryption enabled=yes
/interface wireguard peers
add allowed-address=192.168.85.0/24,10.255.255.0/24 endpoint-address=\
    ec1a0f20d5b6.sn.mynetname.net endpoint-port=13231 interface=wireguard1 \
    public-key="public-key"
add allowed-address=192.168.17.0/24,10.255.254.0/24 endpoint-address=\
    24.50.98.58 endpoint-port=13232 interface=wireguardchesnay public-key=\
    "public-key"
/ip address
add address=192.168.30.1/24 comment=defconf interface=bridge network=\
    192.168.30.0
add address=10.255.255.2/30 interface=wireguard1 network=10.255.255.0
add address=10.255.254.1/30 interface=wireguardchesnay network=10.255.254.0
/ip arp
add address=192.168.30.188 interface=bridge mac-address=98:48:27:99:CE:75
/ip cloud
set ddns-enabled=yes
/ip dhcp-server lease
add address=192.168.30.105 client-id=1:0:c:29:37:ce:7c mac-address=\
    00:0C:29:37:CE:7C server=default
add address=192.168.30.122 client-id=1:8:0:23:9f:46:8e mac-address=\
    08:00:23:9F:46:8E server=default
add address=192.168.30.123 client-id=1:c4:2f:90:33:44:7c mac-address=\
    C4:2F:90:33:44:7C server=default
add address=192.168.30.120 client-id=1:38:c9:86:9:30:82 mac-address=\
    38:C9:86:09:30:82 server=default
add address=192.168.30.115 client-id=1:a0:ce:c8:5:33:25 mac-address=\
    A0:CE:C8:05:33:25 server=default
add address=192.168.30.113 client-id=1:6c:40:8:b5:cc:22 mac-address=\
    6C:40:08:B5:CC:22 server=default
add address=192.168.30.172 mac-address=00:0C:29:F6:A7:0F server=default
add address=192.168.30.156 client-id=1:0:1c:2a:1:ae:ec mac-address=\
    00:1C:2A:01:AE:EC server=default
add address=192.168.30.185 client-id=1:78:2b:cb:27:69:95 mac-address=\
    78:2B:CB:27:69:95 server=default
add address=192.168.30.164 client-id=\
    ff:9f:6e:85:24:0:2:0:0:ab:11:6c:6a:66:84:29:85:de:93 mac-address=\
    00:0C:29:CE:9B:09 server=default
add address=192.168.30.149 client-id=1:10:dd:b1:d8:d7:b6 mac-address=\
    10:DD:B1:D8:D7:B6 server=default
add address=192.168.30.167 client-id=1:0:c:29:ef:ef:2f mac-address=\
    00:0C:29:EF:EF:2F server=default
add address=192.168.30.184 client-id=1:0:c:29:b0:d5:a5 mac-address=\
    00:0C:29:B0:D5:A5 server=default
add address=192.168.30.142 client-id=\
    ff:47:5c:3a:82:0:2:0:0:ab:11:5f:7f:38:fd:eb:4a:33:f5 mac-address=\
    74:83:C2:76:E2:01 server=default
add address=192.168.30.174 client-id=1:0:23:24:a7:fa:9d mac-address=\
    00:23:24:A7:FA:9D server=default
/ip dhcp-server network
add address=192.168.30.0/24 comment=defconf dns-server=192.168.30.1 gateway=\
    192.168.30.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.30.1 comment=defconf name=router.lan
add address=192.168.30.5 name=unifi
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=13231 protocol=udp
add action=accept chain=input dst-port=13232 protocol=udp
add action=accept chain=input comment="VPN L2TP UDP 500" dst-port=500 \
    in-interface=Bell protocol=udp
add action=accept chain=input comment="VPN L2TP UDP 1701" dst-port=1701 \
    in-interface=Bell protocol=udp
add action=accept chain=input comment="VPN L2TP 4500" dst-port=4500 \
    in-interface=Bell protocol=udp
add action=accept chain=input comment="VPN L2TP ESP" in-interface=Bell \
    protocol=ipsec-esp
add action=accept chain=input comment="VPN L2TP AH" in-interface=Bell \
    protocol=ipsec-ah
add action=accept chain=input dst-address=192.168.30.0/24 src-address=\
    192.168.30.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface=!wireguard1 in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input dst-port=1194 protocol=tcp
add action=accept chain=forward port=80,44 protocol=tcp
add action=drop chain=forward dst-address=!192.168.30.6 src-address=\
    192.168.30.200-192.168.30.205
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat dst-address=192.168.30.0/24 \
    out-interface-list=LAN src-address=192.168.30.0/24 to-addresses=0.0.0.0
/ip firewall service-port
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec identity
# Suggestion to use stronger pre-shared key or different authentication method
add generate-policy=port-override peer=peer2 remote-id=ignore
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip route
add disabled=no dst-address=192.168.85.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.17.0/24 gateway=\
    wireguardchesnay pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-autodetect=no time-zone-name=America/Montreal
/system routerboard settings
set cpu-frequency=1400MHz
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Config on B
# oct/25/2022 09:14:00 by RouterOS 7.6
# software id = ED39-LLKN
#
# model = RB5009UG+S+
# serial number = EC1A0F20D5B6
/interface bridge
add admin-mac=DC:2C:6E:28:EF:05 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-wan max-mtu=1480 name=\
    Bell use-peer-dns=yes user=b12hn3wt
/interface wireguard
add listen-port=13231 mtu=1280 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.85.100-192.168.85.200
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=Bell list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.30.0/24,10.255.255.0/24 endpoint-address=\
    proitek.dyndns.org endpoint-port=13231 interface=wireguard1 public-key=\
    "public-key"
/ip address
add address=192.168.85.1/24 comment=defconf interface=bridge network=\
    192.168.85.0
add address=10.255.255.1/30 interface=wireguard1 network=10.255.255.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1-wan
/ip dhcp-server lease
add address=192.168.85.133 client-id=1:0:11:32:ac:6f:f3 mac-address=\
    00:11:32:AC:6F:F3 server=defconf
add address=192.168.85.138 client-id=1:0:1c:2a:0:89:7 mac-address=\
    00:1C:2A:00:89:07 server=defconf
/ip dhcp-server network
add address=192.168.85.0/24 comment=defconf dns-server=192.168.85.1 gateway=\
    192.168.85.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-size=4048KiB servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.85.1 comment=defconf name=router.lan
add address=192.168.85.133 name=unifi
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input dst-port=13231 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface=!wireguard1 in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=192.168.30.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/Toronto
/system routerboard settings
set cpu-frequency=1400MHz
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Asymmetric speed on symmetric connections

Tue Oct 25, 2022 8:43 pm

(1) Your word semantics are incorrect. You have a second wireguard interface (not a second peer). Each wg interface has a single client peer.

Not sure what you are doing, but since you are not clear I have to guess. Router A is the reachable router and acts as the server.
It contains two wireguard interfaces, one to an unknown entity and the other to Router B.


(2) The allowed IPs for each peer are incorrect.

They should be as follows:
/interface wireguard peers
add allowed-address=192.168.85.0/24,10.255.255.1/32 endpoint-address=\
ec1a0f20d5b6.sn.mynetname.net endpoint-port=13231 interface=wireguard1 \
public-key="public-key"


add allowed-address=192.168.17.0/24,10.255.254.2/32 endpoint-address=\
24.50.98.58 endpoint-port=13232 interface=wireguardchesnay public-key=\
"public-key"
(Note: assuming the second interface also connects to a router with subnets... you have not published the settings for this third device??)

(3) I would not name the wireguard interface the same on Router B as on Router A... it can get confusing!!

(4) What is the purpose of this rule......... ?? We are talking services the router provides....... It is not meant to connect subnets etc.....
add action=accept chain=input dst-address=192.168.30.0/24 src-address=\
192.168.30.0/24


If your goal is to allow incoming vpn users to access the router (and the only reason to do that would be for DNS services or to config the router), all you need is:
add action=accept chain=input src-address=192.168.30.0/24

(5) I find this confusing, but I'm no source nat guru, what does this rule do for you??
add action=masquerade chain=srcnat dst-address=192.168.30.0/24 \
out-interface-list=LAN src-address=192.168.30.0/24 to-addresses=0.0.0.0

(6) Why do you have this input chain rule on routerB?
add action=accept chain=input dst-port=13231 protocol=udp ??
 
maxb
newbie
Topic Author
Posts: 34
Joined: Wed Feb 12, 2014 4:42 am

Re: Wireguard Asymmetric speed on symmetric connections

Tue Oct 25, 2022 9:47 pm

Thanks for your reply. The reason I haven't posted the config of Router C is that I don't have any issues with it. Sorry about the semantics, Wireguard is a new concept for me, but I'm eager to learn.

2) I've updated the configs
3) thanks for the tip, you're right, I've renamed them
4) That's why I've set this rule, I've changed it based on your suggestion
5) That's an old rule, that I've just disabled
6) it's now disabled

Sadly, none of them solved the speed problems I'm experiencing...
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Asymmetric speed on symmetric connections

Tue Oct 25, 2022 9:55 pm

Post the latest config for me to review on both A and B, please.
 
maxb
newbie
Topic Author
Posts: 34
Joined: Wed Feb 12, 2014 4:42 am

Re: Wireguard Asymmetric speed on symmetric connections

Tue Oct 25, 2022 10:10 pm

I think I've broken the link to Router B by disabling: add action=accept chain=input dst-port=13231 protocol=udp, which was opening the port to enable wireguard.

I'll try it later when I get home.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Asymmetric speed on symmetric connections

Tue Oct 25, 2022 10:11 pm

Ahh so you are saying that router A connects to router B initially and not the other way around???
 
maxb
newbie
Topic Author
Posts: 34
Joined: Wed Feb 12, 2014 4:42 am

Re: Wireguard Asymmetric speed on symmetric connections

Tue Oct 25, 2022 10:14 pm

Initially, they were connecting both ways, yes.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Asymmetric speed on symmetric connections

Tue Oct 25, 2022 10:35 pm

Well, that is important to state as a requirement, as it affects the config options.
As you found out, my bad advice to remove that line was based on router A acting as the server for the initial connection, not on both routers being able to act as the server for the initial connection.
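The exchange above, as an added example that is not part of any post in this thread: a small Python check that reads a RouterOS export and reports what the enabled input-chain rules do with a new inbound WireGuard handshake on each listen port. It assumes the packet arrives on the WAN interface `Bell` in list `WAN` (names taken from the posted configs), uses a simplified matcher model, and runs on a constructed sample modelled on router B.

```python
import re

# Constructed sample: a trimmed RouterOS export modelled on the router B config
# posted above, with the WireGuard accept rule disabled as in the thread.
SAMPLE_EXPORT = r'''
/interface wireguard
add listen-port=13231 mtu=1280 name=wireguard1
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input disabled=yes dst-port=13231 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface=!wireguard1 in-interface-list=!LAN
'''

PARAM_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)')
# Matchers this simplified model understands; a rule using any other matcher
# (src-address, ipsec-policy, ...) is assumed not to match an Internet peer.
KNOWN = {'action', 'chain', 'comment', 'disabled', 'protocol', 'dst-port',
         'connection-state', 'in-interface', 'in-interface-list'}


def parse_export(text):
    """Return {menu_path: [params_dict, ...]} for every 'add' line."""
    text = re.sub(r'\\\r?\n[ \t]*', '', text)  # join '\' continuation lines
    menus, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('/'):
            current = line
            menus.setdefault(current, [])
        elif line.startswith('add ') and current:
            menus[current].append(
                {k: v.strip('"') for k, v in PARAM_RE.findall(line)})
    return menus


def port_matches(spec, port):
    """True if a port spec such as '500,4500' or '33434-33534' covers port."""
    for part in spec.split(','):
        lo, _, hi = part.partition('-')
        if lo.isdigit() and (not hi or hi.isdigit()):
            if int(lo) <= port <= int(hi or lo):
                return True
    return False


def _negatable(spec):
    """Split a RouterOS '!value' matcher into (negated, value)."""
    return (True, spec[1:]) if spec.startswith('!') else (False, spec)


def rule_matches(rule, port, wan_if, wan_lists):
    """Would this rule match a new UDP packet to `port` arriving on wan_if?"""
    if set(rule) - KNOWN:
        return False
    if 'new' not in rule.get('connection-state', 'new').split(','):
        return False
    if rule.get('protocol', 'udp') != 'udp':
        return False
    if 'dst-port' in rule and not port_matches(rule['dst-port'], port):
        return False
    if 'in-interface' in rule:
        negated, name = _negatable(rule['in-interface'])
        if (name == wan_if) == negated:
            return False
    if 'in-interface-list' in rule:
        negated, name = _negatable(rule['in-interface-list'])
        if (name in wan_lists) == negated:
            return False
    return True


def handshake_verdicts(export_text, wan_if='Bell', wan_lists=('WAN',)):
    """Map each WireGuard interface to (action, rule comment), first match wins."""
    menus = parse_export(export_text)
    rules = [r for r in menus.get('/ip firewall filter', [])
             if r.get('chain') == 'input' and r.get('disabled') != 'yes']
    verdicts = {}
    for wg in menus.get('/interface wireguard', []):
        if not wg.get('listen-port', '').isdigit():
            continue
        port = int(wg['listen-port'])
        # RouterOS accepts a packet that reaches the end of a chain unmatched.
        verdicts[wg['name']] = ('accept', 'chain default (no rule matched)')
        for rule in rules:
            if rule.get('action') in ('accept', 'drop', 'reject') and \
                    rule_matches(rule, port, wan_if, wan_lists):
                verdicts[wg['name']] = (rule['action'],
                                        rule.get('comment', '(no comment)'))
                break
    return verdicts


if __name__ == '__main__':
    for name, (action, why) in handshake_verdicts(SAMPLE_EXPORT).items():
        print(f'{name}: inbound handshake -> {action} [{why}]')
```
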
 
maxb
newbie
Topic Author
Posts: 34
Joined: Wed Feb 12, 2014 4:42 am

Re: Wireguard Asymmetric speed on symmetric connections

Wed Oct 26, 2022 1:49 am

Here is Router A (Office):
# oct/25/2022 18:41:57 by RouterOS 7.6
# software id = XBM6-GW7N
#
# model = RB5009UG+S+
# serial number = EC1A0EF453D7
/interface bridge
add admin-mac=2C:C8:1B:FF:5B:68 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-lan
set [ find default-name=sfp-sfpplus1 ] name=sfpplus-wan speed=1Gbps
/interface pppoe-client
add add-default-route=yes dial-on-demand=yes disabled=no interface=\
    sfpplus-wan name=Bell user=b1
/interface wireguard
add listen-port=13231 mtu=1280 name=wgoffice
add listen-port=13232 mtu=1280 name=wireguardchesnay
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
add local-address=192.168.30.1 name=peer2 passive=yes
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,3des
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,3des pfs-group=none
/ip pool
add name=dhcp ranges=192.168.30.100-192.168.30.189
add name=VPN-pool ranges=192.168.30.190-192.168.30.199
add name=VPN-FDDF ranges=192.168.30.200-192.168.30.205
/ip dhcp-server
add address-pool=dhcp interface=bridge name=default
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8 local-address=192.168.30.1 name=\
    VPN-FDDF remote-address=VPN-FDDF
set *FFFFFFFE dns-server=192.168.30.1 local-address=192.168.30.1 \
    remote-address=VPN-pool
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge interface=ether1-lan
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192
/interface l2tp-server server
set allow-fast-path=yes enabled=yes max-mru=1350 max-mtu=1350 use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=Bell list=WAN
/interface ovpn-server server
set auth=sha1,md5 certificate=*1 cipher=blowfish128,aes128,aes256 \
    default-profile=default-encryption
/interface wireguard peers
add allowed-address=192.168.85.0/24,10.255.255.1/32 endpoint-address=\
    ec1a0f20d5b6.sn.mynetname.net endpoint-port=13231 interface=wgoffice \
    public-key="key"
add allowed-address=192.168.17.0/24,10.255.254.2/32 endpoint-address=\
    24.50.98.58 endpoint-port=13232 interface=wireguardchesnay public-key=\
    "key"
/ip address
add address=192.168.30.1/24 comment=defconf interface=bridge network=\
    192.168.30.0
add address=10.255.255.2/30 interface=wgoffice network=10.255.255.0
add address=10.255.254.1/30 interface=wireguardchesnay network=10.255.254.0
/ip arp
add address=192.168.30.188 interface=bridge mac-address=98:48:27:99:CE:75
/ip cloud
set ddns-enabled=yes
/ip dhcp-server lease
add address=192.168.30.105 client-id=1:0:c:29:37:ce:7c mac-address=\
    00:0C:29:37:CE:7C server=default
add address=192.168.30.122 client-id=1:8:0:23:9f:46:8e mac-address=\
    08:00:23:9F:46:8E server=default
add address=192.168.30.123 client-id=1:c4:2f:90:33:44:7c mac-address=\
    C4:2F:90:33:44:7C server=default
add address=192.168.30.120 client-id=1:38:c9:86:9:30:82 mac-address=\
    38:C9:86:09:30:82 server=default
add address=192.168.30.115 client-id=1:a0:ce:c8:5:33:25 mac-address=\
    A0:CE:C8:05:33:25 server=default
add address=192.168.30.113 client-id=1:6c:40:8:b5:cc:22 mac-address=\
    6C:40:08:B5:CC:22 server=default
add address=192.168.30.172 mac-address=00:0C:29:F6:A7:0F server=default
add address=192.168.30.156 client-id=1:0:1c:2a:1:ae:ec mac-address=\
    00:1C:2A:01:AE:EC server=default
add address=192.168.30.185 client-id=1:78:2b:cb:27:69:95 mac-address=\
    78:2B:CB:27:69:95 server=default
add address=192.168.30.164 client-id=\
    ff:9f:6e:85:24:0:2:0:0:ab:11:6c:6a:66:84:29:85:de:93 mac-address=\
    00:0C:29:CE:9B:09 server=default
add address=192.168.30.149 client-id=1:10:dd:b1:d8:d7:b6 mac-address=\
    10:DD:B1:D8:D7:B6 server=default
add address=192.168.30.167 client-id=1:0:c:29:ef:ef:2f mac-address=\
    00:0C:29:EF:EF:2F server=default
add address=192.168.30.184 client-id=1:0:c:29:b0:d5:a5 mac-address=\
    00:0C:29:B0:D5:A5 server=default
add address=192.168.30.142 client-id=\
    ff:47:5c:3a:82:0:2:0:0:ab:11:5f:7f:38:fd:eb:4a:33:f5 mac-address=\
    74:83:C2:76:E2:01 server=default
add address=192.168.30.174 client-id=1:0:23:24:a7:fa:9d mac-address=\
    00:23:24:A7:FA:9D server=default
/ip dhcp-server network
add address=192.168.30.0/24 comment=defconf dns-server=192.168.30.1 gateway=\
    192.168.30.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.30.1 comment=defconf name=router.lan
add address=192.168.30.5 name=unifi
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=13231 protocol=udp
add action=accept chain=input dst-port=13232 protocol=udp
add action=accept chain=input comment="VPN L2TP UDP 500" dst-port=500 \
    in-interface=Bell protocol=udp
add action=accept chain=input comment="VPN L2TP UDP 1701" dst-port=1701 \
    in-interface=Bell protocol=udp
add action=accept chain=input comment="VPN L2TP 4500" dst-port=4500 \
    in-interface=Bell protocol=udp
add action=accept chain=input comment="VPN L2TP ESP" in-interface=Bell \
    protocol=ipsec-esp
add action=accept chain=input comment="VPN L2TP AH" in-interface=Bell \
    protocol=ipsec-ah
add action=accept chain=input src-address=192.168.30.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface=!wgoffice in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input dst-port=1194 protocol=tcp
add action=accept chain=forward port=80,44 protocol=tcp
add action=drop chain=forward dst-address=!192.168.30.6 src-address=\
    192.168.30.200-192.168.30.205
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec identity
# Suggestion to use stronger pre-shared key or different authentication method
add generate-policy=port-override peer=peer2 remote-id=ignore
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip route
add disabled=no dst-address=192.168.85.0/24 gateway=wgoffice routing-table=\
    main suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.17.0/24 gateway=\
    wireguardchesnay pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ppp secret
/system clock
set time-zone-autodetect=no time-zone-name=America/Montreal
/system routerboard settings
set cpu-frequency=1400MHz
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Here's Router B (Home)
# oct/25/2022 18:33:51 by RouterOS 7.6
# software id = ED39-LLKN
#
# model = RB5009UG+S+
# serial number = EC1A0F20D5B6
/interface bridge
add admin-mac=DC:2C:6E:28:EF:05 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-wan max-mtu=1480 name=\
    Bell use-peer-dns=yes user=b1
/interface wireguard
add listen-port=13231 mtu=1280 name=wghome
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.85.100-192.168.85.200
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=Bell list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.30.0/24,10.255.255.0/24 endpoint-address=\
    proitek.dyndns.org endpoint-port=13231 interface=wghome public-key=\
    "key"
/ip address
add address=192.168.85.1/24 comment=defconf interface=bridge network=\
    192.168.85.0
add address=10.255.255.1/30 interface=wghome network=10.255.255.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1-wan
/ip dhcp-server lease
add address=192.168.85.133 client-id=1:0:11:32:ac:6f:f3 mac-address=\
    00:11:32:AC:6F:F3 server=defconf
add address=192.168.85.138 client-id=1:0:1c:2a:0:89:7 mac-address=\
    00:1C:2A:00:89:07 server=defconf
/ip dhcp-server network
add address=192.168.85.0/24 comment=defconf dns-server=192.168.85.1 gateway=\
    192.168.85.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-size=4048KiB servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.85.1 comment=defconf name=router.lan
add address=192.168.85.133 name=unifi
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input dst-port=13231 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface=!wghome in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=192.168.30.0/24 gateway=wghome routing-table=main \
    suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/Toronto
/system routerboard settings
set cpu-frequency=1400MHz
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Asymetric speed on symmetric connections

Wed Oct 26, 2022 2:57 am

(1) I would not use the same interface name for the pppoe interface on both routers; there is a chance for confusion.
Call one BellOffice and the other just Bell.

(2) For ease of troubleshooting purposes I would use different listening ports on the two routers
A has the default 13231
B could have 14321 for example.
So would need to make two changes on Router B, and one on Router A.

On Router B.
/interface wireguard
add listen-port=14321 mtu=1280 name=wghome
/ip firewall filter
add action=accept chain=input dst-port=14321 protocol=udp

Also add the wireguard interface to the LAN list on Router B.
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=Bell list=WAN

add interface=wghome list=LAN

And change this firewall rule; it's overly complex and confusing.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface=!wghome in-interface-list=!LAN


To the following (but only after you fixed the above list entry)
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"

++++++++++++++

On Router A, change
/interface wireguard peers
add allowed-address=192.168.85.0/24,10.255.255.1/32 endpoint-address=\
    ec1a0f20d5b6.sn.mynetname.net endpoint-port=14321 interface=wgoffice \
    public-key="key" persistent-keepalive=25s

(Note you are also missing the keep alive setting on Router B for peer..)

Also on Router A, do the same thing for the wireguard list member on LAN and change the input rule. so it would be......

/interface list member
add comment=defconf interface=bridge list=LAN
add interface=Bell list=WAN

add interface=wgoffice list=LAN

from
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface=!wgoffice in-interface-list=!LAN

TO
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"

.
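The input-chain change recommended in the post above, modelled for Router B as an added example (not code from the thread or from MikroTik): a first-match evaluation of the exported rules against the simplified pair, over a constructed packet matrix. The function names are hypothetical and the loopback rule is left out as an assumption; the second check shows why the list entry has to be fixed before the rule is swapped.

```python
from itertools import product

# Router B interface-list membership: as exported, and after adding wghome to LAN.
LAN_EXPORTED = {"bridge"}
LAN_WITH_WG = {"bridge", "wghome"}

def shared_rules(pkt):
    """Input rules common to both variants, in export order; None means no match."""
    if pkt["state"] in ("established", "related", "untracked"):
        return "accept"
    if pkt["proto"] == "udp" and pkt["dport"] == 13231:   # WireGuard listen port
        return "accept"
    if pkt["state"] == "invalid":
        return "drop"
    if pkt["proto"] == "icmp":
        return "accept"
    return None

def exported_chain(pkt, lan):
    """Ends with: drop in-interface=!wghome in-interface-list=!LAN."""
    verdict = shared_rules(pkt)
    if verdict:
        return verdict
    if pkt["iface"] != "wghome" and pkt["iface"] not in lan:
        return "drop"
    return "accept"   # RouterOS accepts a packet that reaches the end of a chain

def simplified_chain(pkt, lan):
    """Ends with: accept in-interface-list=LAN, then drop all else."""
    verdict = shared_rules(pkt)
    if verdict:
        return verdict
    return "accept" if pkt["iface"] in lan else "drop"

def constructed_packets():
    """Constructed test matrix, not captured traffic."""
    ifaces = ["bridge", "wghome", "Bell", "ether1-wan"]
    states = ["new", "established", "invalid"]
    flows = [("udp", 13231), ("udp", 53), ("tcp", 8291), ("icmp", None)]
    for iface, state, (proto, dport) in product(ifaces, states, flows):
        yield {"iface": iface, "state": state, "proto": proto, "dport": dport}

def verdict_changes(lan_for_simplified):
    """Packets whose verdict differs between the exported and simplified chains."""
    return [p for p in constructed_packets()
            if exported_chain(p, LAN_EXPORTED) != simplified_chain(p, lan_for_simplified)]

if __name__ == "__main__":
    print("list fixed first:", verdict_changes(LAN_WITH_WG))
    for p in verdict_changes(LAN_EXPORTED):
        print("rule changed first, now dropped:", p)
```

With wghome in the LAN list the two chains give the same verdict for every packet in the matrix; without it, new connections arriving over the tunnel to the router itself are dropped.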
 
maxb
newbie
Topic Author
Posts: 34
Joined: Wed Feb 12, 2014 4:42 am

Re: Wireguard Asymetric speed on symmetric connections

Wed Oct 26, 2022 4:29 pm

You're right, it's easier to understand now. I've made the changes, but unfortunately, it didn't change anything about my asymmetric speed issues. The weird part is that the Winbox Bandwidth Test achieves symmetrical results that I can't get in a real-life scenario....
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Asymetric speed on symmetric connections

Wed Oct 26, 2022 4:33 pm

That is weird! Would need someone with more skills than I to figure it out. MTU is out of my scope of knowledge but perhaps related?
 
maxb
newbie
Topic Author
Posts: 34
Joined: Wed Feb 12, 2014 4:42 am

Re: Wireguard Asymetric speed on symmetric connections

Thu Oct 27, 2022 4:15 am

Thanks for your help! I've learned in the process.

Can anyone else help me out? Maybe I should just reach out to MT tech support.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Wireguard Asymetric speed on symmetric connections

Thu Oct 27, 2022 4:32 pm

My first thought was some queue configuration, but as there is none in either of your 5009s, my next thought is an issue with the throughput of the external device you use for the test. Can you try whether that device can reach the gigabit speed if connected to another local device?
 
maxb
newbie
Topic Author
Posts: 34
Joined: Wed Feb 12, 2014 4:42 am

Re: Wireguard Asymetric speed on symmetric connections

Thu Oct 27, 2022 5:56 pm

I thought about that too. I've used many devices to make sure it's not related.
Last edited by BartoszP on Sat Nov 12, 2022 1:52 pm, edited 1 time in total.
Reason: removed excessive quoting of preceding post; be wise, quote smart. 3 lines of quote, 1 line of post.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Asymetric speed on symmetric connections

Thu Oct 27, 2022 6:03 pm

My question is: have you done a public IP to public IP test without VPN (very temporary access)? FTP on either site, for example.

BW test from each location from a PC using OOKLA (PC to internet) upload/download
BW/Transfer test from PC to PC without VPN.
 
maxb
newbie
Topic Author
Posts: 34
Joined: Wed Feb 12, 2014 4:42 am

Re: Wireguard Asymetric speed on symmetric connections

Wed Nov 09, 2022 4:12 am

> BW test from each location from a PC using OOKLA (PC to internet) upload/download
Results: 900/900 on both using OOKLA
AND
900/900 using the built-in MikroTik Bandwidth Test within Winbox

> BW/Transfer test from PC to PC without VPN
190/900 or 900/190 on the other PC (using HTTP download from a web server capable of 5 Gbps throughput)

So it's NOT related to Wireguard...
Last edited by BartoszP on Sat Nov 12, 2022 1:51 pm, edited 1 time in total.
Reason: removed excessive quoting of preceding post; be wise, quote smart.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Wireguard Asymetric speed on symmetric connections

Wed Nov 09, 2022 10:30 am

Speed of a single TCP session is affected by round-trip time (the sender stops sending if it has too much unacknowledged data "in flight"). So for a single session, there is a cap value. This cap may differ on the same link for different devices because it depends on the properties of the TCP stack of each device. What RTT does ping from one PC to the other one show? And what RTT does ping to the address of the speedtest server show? The network paths between each of your sites and the closest speedtest server are most likely different than the one between those sites. traceroute will show you the details.

Also, if you test using multiple TCP sessions (which is what Ookla does), the bottleneck becomes the actual bandwidth of the link rather than this RTT impact. So try a tool that can use multiple TCP sessions for the PC-to-PC test.
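The single-session cap described above, as an added example (not code from the thread): a small simulation of senders that stop transmitting once their unacknowledged window is full. The 64 KiB window is an assumption (the largest TCP window without window scaling), the 2.5 ms RTT is the PC-to-PC figure reported later in the thread, and the 1 Gbit/s link and 1460-byte segments are constructed values.

```python
import heapq

def simulate(link_bps, rtt_s, window_bytes, sessions, duration_s=0.2, seg=1460):
    """Aggregate bits/s when each session may hold window_bytes unacknowledged."""
    if window_bytes < seg:
        raise ValueError("window must hold at least one segment")
    tx_time = seg * 8 / link_bps          # time to serialize one segment
    inflight = [0] * sessions             # unacknowledged bytes per session
    acks = []                             # heap of (arrival_time, session)
    now, delivered, start = 0.0, 0, 0
    while now < duration_s:
        # Credit every ACK that has arrived by now.
        while acks and acks[0][0] <= now:
            _, s = heapq.heappop(acks)
            inflight[s] -= seg
        # Round-robin: first session with room in its window sends one segment.
        for i in range(sessions):
            s = (start + i) % sessions
            if inflight[s] + seg <= window_bytes:
                inflight[s] += seg
                now += tx_time
                heapq.heappush(acks, (now + rtt_s, s))
                delivered += seg
                start = s + 1
                break
        else:
            # Every window is full: the link idles until the next ACK arrives.
            now = acks[0][0]
    return delivered * 8 / now

def window_needed(link_bps, rtt_s):
    """Bytes that must be in flight to keep the link full (bandwidth-delay product)."""
    return link_bps * rtt_s / 8

if __name__ == "__main__":
    for n in (1, 4, 8):
        mbps = simulate(1e9, 0.0025, 65535, n) / 1e6
        print(f"{n} session(s): {mbps:.0f} Mbit/s")
    print(f"window for 930 Mbit/s at 2.5 ms: {window_needed(930e6, 0.0025):.0f} bytes")
```

Under these assumptions one session settles near 205 Mbit/s while eight sessions fill the link, which is the gap between a single HTTP or SMB transfer and a multi-stream speed test.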
 
maxb
newbie
Topic Author
Posts: 34
Joined: Wed Feb 12, 2014 4:42 am

Re: Wireguard Asymetric speed on symmetric connections

Sat Nov 12, 2022 5:39 am

Average RTT is 2.5ms PC to PC... the thing is that I was getting about 80mb/s by 80mb/s transfers until recently (my guess is that something broke, either on my config or on a new ROS version...)
Last edited by BartoszP on Sat Nov 12, 2022 1:51 pm, edited 1 time in total.
Reason: removed excessive quoting of preceding post; be wise, quote smart.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Wireguard Asymetric speed on symmetric connections

Sat Nov 12, 2022 11:35 am

> my guess is that something broke, either on my config or on a new ROS version...
...or in the internet, which consists of many ISP networks. By Murphy's laws, external problems occur at the same time when you do changes on your side. So it may be related to RouterOS version or configuration, or it may not.

80 Mb/s (so much worse than now) or 80 MB/s (so roughly 800 Mb/s, but symmetrically before and only in one direction now)?
 
maxb
newbie
Topic Author
Posts: 34
Joined: Wed Feb 12, 2014 4:42 am

Re: Wireguard Asymetric speed on symmetric connections

Tue Nov 15, 2022 4:06 am

> > my guess is that something broke, either on my config or on a new ROS version...
> ...or in the internet, which consists of many ISP networks. By Murphy's laws, external problems occur at the same time when you do changes on your side. So it may be related to RouterOS version or configuration, or it may not.
>
> 80 Mb/s (so much worse than now) or 80 MB/s (so roughly 800 Mb/s, but symmetrically before and only in one direction now)?
80 MB/s symmetrically before and now in one direction only :(
