> It appears my Wireguard setup is much slower on the RB5009 than on the RB4011, achieving only 150 Mbps to the same endpoint. Has anyone else experienced this issue?

Afaik, there is no IPSEC HW acceleration yet on the RB5009. Thus, Wireguard is done in software.
> Afaik, there is no IPSEC HW acceleration yet on the RB5009. Thus, Wireguard is done in software.

Currently not. But the RB5009 SoC supports crypto HW offload for IPSEC, Wireguard etc. MT support told me making it available in future ROS releases is to be expected.
> Clearly not reading the release notes.
> What's new in 7.1rc3 (2021-Sep-08 13:29):
> *) added IPSec hardware acceleration support for RB5009;

Good to hear, I stand corrected for IPSEC and 7.1. Can't wait to give it a new try.
> Currently not. But the RB5009 SoC supports crypto HW offload for IPSEC, Wireguard etc. MT support told me making it available in future ROS releases is to be expected.
Did they by any chance reveal any info regarding HW offloading, i.e. whether any of the architectures are able to support ARX vector operations (or similar, like the AVX2 instruction set) that can assist ChaCha20 to offload the CPU in the same way as for AES?
> This does indeed look like an interaction with the cheap gigabit transceiver of a Thunderbolt hub. Using a better USB-C to GigE adapter seems to have solved the issue. Not sure why the cheap adapter is better on other Mikrotiks, though.

Maybe it is because with slower MikroTiks it doesn't exceed the capabilities of the Thunderbolt hub, so fewer frames are dropped.
For Wireguard, the implementation in software is so fast that nobody has bothered to build any hardware accelerators. There are some threads on it on the Netgate forums and a few other places. The CPU software implementation just gets faster as CPUs do, so I doubt anyone will ever make an accelerator for Wireguard, except maybe if the offshore VPNs start getting too slow (and adding more endpoints gets more expensive).
> What is important to me to get verified is if a possible WG solution might be sufficient to hold multiple (>50) sessions for remote users who need secure access to the company's infrastructure (i.e. "road warrior" VPN). The objective is to make an informed decision on whether it's possible to replace an existing VPN solution that is both expensive and administratively demanding.

What will it cost you more than some time?
> It appears my Wireguard setup is much slower on the RB5009 than on the RB4011, achieving only 150 Mbps to the same endpoint. Has anyone else experienced this issue?

Using a RB5009 I reach over 700 Mbit over Wireguard.
> Also, how are you testing the speed? iperf between endpoints or btest?

VERY important remark ... unless I missed it, I did not see a response to this question.
What will it cost you more than some time? Maybe switch over some remote users case by case and monitor how it goes as more get added (esp. CPU usage).
> The only thing lacking from Mikrotik's WG implementation is exactly this what you're looking at: mass-setup and -deployment of users. It's all manual for now.

It's dead simple.
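A small generator for that bulk step, added here as an example and not code from the thread or from MikroTik: it takes a roster of users with the public key each client produced with `wg pubkey`, hands every valid user one /32 from an address pool, rejects malformed keys, duplicate keys and usernames that could break the generated CLI line, and emits the `/interface/wireguard/peers add` commands to paste into the router. The interface name `wg-rw`, the pool `10.66.0.0/24` and the sample roster are assumptions; the sample keys are hash-derived placeholders, not real WireGuard keys.

```python
import base64
import hashlib
import ipaddress
import re

# Constructed sample roster: (username, client's WireGuard public key).
# Keys are placeholders derived from a hash so the example runs offline;
# real ones come from `wg genkey | wg pubkey` on each client.
def _placeholder_key(name: str) -> str:
    return base64.b64encode(hashlib.sha256(b"placeholder-" + name.encode()).digest()).decode()

ROSTER = [
    ("alice", _placeholder_key("alice")),
    ("bob", _placeholder_key("bob")),
    ("carol", "not-a-valid-key"),          # malformed key, must be rejected
    ("dave", _placeholder_key("alice")),   # duplicate of alice's key, must be rejected
]

def valid_wg_key(key: str) -> bool:
    """A WireGuard key is 32 raw bytes, base64-encoded (44 chars, ends with '=')."""
    if len(key) != 44 or not key.endswith("="):
        return False
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def build_peers(roster, pool="10.66.0.0/24", interface="wg-rw", used=()):
    """Return (RouterOS peer commands, rejected usernames).
    `used` lists addresses already taken (router's own address, existing peers)."""
    taken = {ipaddress.ip_address(a) for a in used}
    free = (h for h in ipaddress.ip_network(pool).hosts() if h not in taken)
    seen_keys, commands, rejected = set(), [], []
    for user, key in roster:
        # Username ends up inside a quoted comment= value: restrict it to a safe
        # charset so a crafted name cannot inject extra CLI parameters.
        if not re.fullmatch(r"[A-Za-z0-9_.-]{1,32}", user) or not valid_wg_key(key) or key in seen_keys:
            rejected.append(user)
            continue
        try:
            addr = next(free)
        except StopIteration:
            raise RuntimeError(f"address pool {pool} exhausted at user {user}") from None
        seen_keys.add(key)
        commands.append(f'/interface/wireguard/peers add interface={interface} '
                        f'public-key="{key}" allowed-address={addr}/32 comment="{user}"')
    return commands, rejected

if __name__ == "__main__":
    cmds, bad = build_peers(ROSTER, used=["10.66.0.1"])  # .1 is the router itself
    print("\n".join(cmds))
    print("rejected:", bad)
```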
> We've performed numerous tests like that and it's somewhat naive to claim it's just "dead easy" in terms of hassle and time needed.

And what were the results of your tests, if I may ask?
> My bad, I should've written tests in general, but my point is that real performance tests performed for business purposes are never ever "dead easy". For obvious reasons these are normally known facts for people involved in this line of work.

Depends on your population.