ukro
newbie
Topic Author
Posts: 27
Joined: Tue Apr 30, 2019 8:51 pm

Wireguard slow speed

Sat Apr 30, 2022 12:13 am

Greetings,
I am sure I have something wrong. Two hAP ac² routers.
I am using IPSEC with speed 15Mbps; when I turn IPSEC off and use WireGuard it is 9Mbps.
The throughput of the connection between sites is 70Mbps.
What could be wrong? MTU 1420, tried with 1400, same results.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard slow speed

Sat Apr 30, 2022 12:22 am

post configs of both devices.......
 
holvoetn
Forum Guru
Posts: 5325
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard slow speed

Sat Apr 30, 2022 9:30 am

As requested, both configs please.
Wireguard should normally (when properly configured) be a bit faster than IPSEC.

It's BTW not normal either that you only get 15Mbps when the connection between both devices is 70Mbps. I think. Are you sure about that 70 ? Both up and down, nothing in between ?
What encryption are you using for IPSEC ?
Some encryption engines can be HW offloaded on hap AC2, some not.
https://wiki.mikrotik.com/wiki/Manual:I ... celeration

For WG it's only the processor which plays a role. No HW offloading.

Edit: stupid typo ...
Last edited by holvoetn on Sun May 01, 2022 5:38 pm, edited 1 time in total.
 
ukro
newbie
Topic Author
Posts: 27
Joined: Tue Apr 30, 2019 8:51 pm

Re: Wireguard slow speed

Sun May 01, 2022 10:41 am

> post configs of both devices.......

I have grayed out WireGuard routes for now until I figure out why it's not working, will use IPSEC
 
holvoetn
Forum Guru
Posts: 5325
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard slow speed

Sun May 01, 2022 10:44 am

A pity you spent time on these screenshots...

Config export is done using terminal
/export file=anynameyouwish.
Then review file contents for sensitive info and post between [code] quotes.

And you did not answer my other question either.
How do you know you got 70Mbps end to end both ways ?

Most likely your issue is not with the config of wg nor ipsec.
That's why we need to see all and get all relevant info.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Wireguard slow speed

Sun May 01, 2022 11:47 am

I see nothing that can be useful on those screenshots, only angry red marker painting.
How did you do the bandwidth tests?
 
ukro
newbie
Topic Author
Posts: 27
Joined: Tue Apr 30, 2019 8:51 pm

Re: Wireguard slow speed

Sun May 01, 2022 1:02 pm

> A pity you spend time on these screenshots...
>
> Config export is done using terminal
> /export file=anynameyouwish.
> Then review file contents for sensitive info and post between [code] quotes.
>
> And you did not answer my other question either.
> How do you know you got 70mbps end to end both ways ?
>
> Most likely your issue is not with the config of wg nor ipsec.
> That's why we need to see all and get all relevant info.

I have tested with fast.com
one line 100/25
and second line 600/600
So when I download from the second line to the first line I should have 70Mbps easy.
All lines tested with real world downloads. For example Steam had 10MB/s on the 100/25 line.

I read somewhere that the fasttrack might be a problem?
Thank you
Last edited by ukro on Sun May 01, 2022 1:05 pm, edited 1 time in total.
 
ukro
newbie
Topic Author
Posts: 27
Joined: Tue Apr 30, 2019 8:51 pm

Re: Wireguard slow speed

Sun May 01, 2022 1:05 pm

> I see nothing that can be usefull on those screenshots, only angry red marker painting.
> How did you do the bandwidth tests?

xD i like red colors xD
By using fast.com
 
holvoetn
Forum Guru
Posts: 5325
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard slow speed

Sun May 01, 2022 1:07 pm

Your limit is 25.
 
biomesh
Long time Member
Posts: 561
Joined: Fri Feb 10, 2012 8:25 pm

Re: Wireguard slow speed

Sun May 01, 2022 2:42 pm

The wording is a bit off - he is downloading (100 mbps) from the second site (600mbps), so ideally it would be close to 100mbps in ideal/perfect situations.

Have you tried iperf3 between sites?
 
holvoetn
Forum Guru
Posts: 5325
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard slow speed

Sun May 01, 2022 3:06 pm

> The wording is a bit off - he is downloading (100 mbps) from the second site (600mbps), so ideally it would be close to 100mbps in ideal/perfect situations.
>
> Have you tried iperf3 between sites?

If he's working from site 1 to site 2, the limit is 25Mbps.
Download for site 2 is UPLOAD on site 1 ! We're talking site-to-site connection here, right ?
Upload on site 1 is max 25, no more.
The other way around the max would be 100Mbps. Theoretically, since whatever VPN protocol you choose, there is some overhead to be subtracted.

For WG that's (depending on speed) an order of magnitude 10-15%, for ipsec it will be a bit more overhead.
(Openvpn is a lot worse ...)

But again ...
we need to have full view on the configs and the way those tests are performed.
If doing btest from Mikrotik to Mikrotik, there is a double CPU impact on those devices (btest client/server AND Wireguard encryption).
With theoretical 100/25 as possible throughput, I would expect Wireguard to be in the order of 80/20, at least.
Even IPSEC when testing from site 1 to site 2, I still think it is too low. (15 on 25Mbps = 40% overhead, should be better especially if HW offloading can be used).

Ideal way to test:
computer on site 1 with iperf3
Connection to Mikrotik1
WG connection (or IPSEC)
Mikrotik 2
Computer on Mikrotik 2 with iperf3 server

And then test both upstream and downstream from computer 1 to computer 2.
Reverse server/client on the iperf3 part (test from computer 2 to computer 1) to be sure all bases are covered.
Zero impact on Mikrotik devices for the testing process, only the real wireguard (or ipsec) communication on those devices.
 
holvoetn
Forum Guru
Posts: 5325
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard slow speed

Sun May 01, 2022 3:26 pm

For illustration...

My home connection is theoretically 200/20, practically it is 190/19 (I test it every hour so I know).
At work I have a Windows 2016 VM server sitting behind a theoretical 80/80 connection, connected using WG to home.
Using regular speedtest on that server, I see 76 down and 75 up. Just to get a reference.

When testing using iperf I get 18.4 from home to server (home limit acting here) and 61 from server to home (server limit and probably also encryption process acting here).
(last figure could have been a bit higher but maybe something else is playing in between, something I can not check).

In both cases I see CPU on my Hex going towards 18% and 70% respectively. Going up but CPU still has room.
On that server CPU is (almost literally) doing nothing... :lol:
 
biomesh
Long time Member
Posts: 561
Joined: Fri Feb 10, 2012 8:25 pm

Re: Wireguard slow speed

Sun May 01, 2022 3:32 pm

He is at site 1 downloading from site 2, from what I understand.
 
holvoetn
Forum Guru
Posts: 5325
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard slow speed

Sun May 01, 2022 3:37 pm

At least I can interpret it both ways.
It's not clear.
> i have tested by fast.com
> one line 100/25
> and second line 600/600
> So when i download from second line to first line i should have 70Mbps easy.

Anyhow, point I made as well is that whatever limit there is in place, WG should be able to get over at least 80% throughput (even 90%).
Can't speak for IPSEC, I don't use it that much (I HATE the setup troubles it gives ...).
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard slow speed

Sun May 01, 2022 4:05 pm

edit: duplicate
Last edited by anav on Sun May 01, 2022 4:40 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard slow speed

Sun May 01, 2022 4:06 pm

What is not clear to me is which device is the peer and which is the server for the initial connection.
Nor is it clear the use of the tunnel. Did you want to use the internet of the server from the peer...........
Not seeing the configs, your complaints have no merit..............
Nor do I have any faith in the basics of your wireguard config as you don't have either of the two devices with a persistent keepalive set.
 
mozerd
Forum Veteran
Posts: 871
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Wireguard slow speed

Sun May 01, 2022 4:34 pm

@holvoetn's assessment is 100% correct.

Throughput is always subject to the weakest link plus ISP idiosyncrasies

Symmetrical connections enjoyed by both PEERS under WireGuard will under excellent circumstances provide 90% or better performance of the subscribed bandwidth assuming peers are capable.

Asymmetrical connections under WireGuard are always subject to the weakest upload Peer and even there WG will exploit 90% or better of the weakest link.

Symmetrical = Upload/Download are equal or within 1% of equal
Asymmetrical = Upload/Download are not equal ever.

When Peer A is Symmetrical and Peer B is Asymmetrical the weakest link governs in both directions.
When Peer A is Symmetrical and Peer B is Symmetrical the performance is usually within the effective range [90% or better]

This is why when testing bandwidth iPerf is the preferred mechanism since it is best in exploiting the PEER capabilities/shortcomings.
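The weakest-link reasoning in the last two posts (holvoetn's iperf3 layout and 80% expectation, mozerd's asymmetric-line rule) can be turned into a small check. The script below is an added example, not code from this thread or from MikroTik: it assumes iperf3 was run from a computer behind site 1 to an iperf3 server behind site 2, once normally and once with -R, both with -J, and it reads only the end.sum_received field of that JSON. The two JSON documents are constructed stand-ins; the line speeds are the 100/25 and 600/600 figures ukro posted.

```python
"""Tunnel throughput sanity check: weakest-link ceiling vs. measured iperf3 numbers.

Added example, not code from the thread. It assumes the test layout holvoetn
describes: iperf3 on a computer behind site 1, iperf3 -s on a computer behind
site 2, run once normally and once with -R (reverse), both with -J for JSON.
The two JSON documents below are constructed to look like iperf3 -J output
(only the fields this script reads); the line speeds are the ones ukro posted.
"""
import json

# Nominal line speeds in Mbit/s as (download, upload), as given in the thread.
SITE1 = (100, 25)    # site A: 100/25
SITE2 = (600, 600)   # site B: 600/600

# holvoetn's rule of thumb: a healthy WireGuard tunnel delivers at least ~80%
# of whatever the lines allow.
MIN_EFFICIENCY = 0.80

# Constructed stand-ins for `iperf3 -c <site2-host> -J` and the same run with -R.
FORWARD_JSON = '{"end": {"sum_sent": {"bits_per_second": 21.6e6}, "sum_received": {"bits_per_second": 21.0e6}}}'
REVERSE_JSON = '{"end": {"sum_sent": {"bits_per_second": 9.4e6}, "sum_received": {"bits_per_second": 9.0e6}}}'


def ceiling_mbps(src, dst):
    """Weakest-link ceiling for traffic flowing from src to dst.

    A transfer out of src is bounded by src's upload and by dst's download;
    the smaller of the two is the most the tunnel can ever carry.
    """
    _src_down, src_up = src
    dst_down, _dst_up = dst
    return min(src_up, dst_down)


def parse_iperf3_mbps(raw_json):
    """Return the receiver's throughput in Mbit/s from iperf3 -J output.

    end.sum_received is what actually arrived at the far end, which is the
    figure that matters for a tunnel; with -R the client is the receiver and
    the same field still holds the receiving side's number.
    """
    doc = json.loads(raw_json)
    return doc["end"]["sum_received"]["bits_per_second"] / 1e6


def assess(measured_mbps, ceiling, min_efficiency=MIN_EFFICIENCY):
    """Compare a measurement against its ceiling and flag under-performance."""
    efficiency = measured_mbps / ceiling
    return {
        "measured_mbps": measured_mbps,
        "ceiling_mbps": ceiling,
        "efficiency": round(efficiency, 3),
        "ok": efficiency >= min_efficiency,
    }


def report(forward_json, reverse_json, site1=SITE1, site2=SITE2):
    """Assess both directions of a site-to-site tunnel from two iperf3 runs."""
    return {
        "site1->site2": assess(parse_iperf3_mbps(forward_json), ceiling_mbps(site1, site2)),
        "site2->site1": assess(parse_iperf3_mbps(reverse_json), ceiling_mbps(site2, site1)),
    }


if __name__ == "__main__":
    for direction, result in report(FORWARD_JSON, REVERSE_JSON).items():
        verdict = "OK" if result["ok"] else "LOOK FURTHER"
        print(f"{direction}: {result['measured_mbps']:.1f} of {result['ceiling_mbps']} Mbit/s "
              f"({result['efficiency']:.0%}) -> {verdict}")
```

With the posted line speeds the ceiling is 25 Mbit/s from site A to site B (site A's upload) and 100 Mbit/s from site B to site A (site A's download), so a 9 Mbit/s download at site A is about 9% of what the lines allow, far below the 80% holvoetn expects; that is the kind of gap that points at something other than cipher overhead (queues, CPU on the encrypting device, or the test itself).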
 
ukro
newbie
Topic Author
Posts: 27
Joined: Tue Apr 30, 2019 8:51 pm

Re: Wireguard slow speed

Sun May 01, 2022 7:14 pm

I am very sorry to everybody for poor info. I really thought that there is some checkbox and all will work correctly.
I will perform bandwidth test between routers and will prepare full config exports. :-o
P.S. The transfer is from 600/600 to 100/25
 
ukro
newbie
Topic Author
Posts: 27
Joined: Tue Apr 30, 2019 8:51 pm

Re: Wireguard slow speed

Sun May 01, 2022 7:29 pm

I hope there is no confidential data D:
SITE B 600/600
192.168.5.0/24
# may/01/2022 18:15:11 by RouterOS 7.2.1
# software id = EU0G-52A4
#

/caps-man channel
add band=2ghz-b/g/n name=channel_2g
add band=5ghz-a/n/ac name=channel_5g
add band=2ghz-b/g/n name=channel_2g_guest
/interface bridge
add admin-mac=TOPSECRET auto-mac=no comment=defconf name=bridge
add fast-forward=no name=bridge_guest
/interface ethernet
set [ find default-name=ether1 ] advertise=1000M-full
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
country=TOPSECRET disabled=no distance=indoors frequency=2427 installation=\
indoor mode=ap-bridge ssid=TOPSECRET station-roaming=enabled \
wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country=TOPSECRET disabled=no distance=indoors frequency=\
auto installation=indoor mode=ap-bridge ssid=TOPSECRET station-roaming=\
enabled wireless-protocol=802.11
/interface ipip
add allow-fast-path=no local-address=TOPSECRET name=TOPSECRET \
remote-address=TOPSECRET
/interface wireguard
add listen-port=TOPSECRET mtu=1420 name=wireguard1
/caps-man configuration
add channel=channel_2g country=TOPSECRET datapath.bridge=bridge name=config_2g \
security.authentication-types=wpa2-psk ssid=TOPSECRET
add channel=channel_5g country=TOPSECRET datapath.bridge=bridge name=config_5g \
security.authentication-types=wpa2-psk ssid=TOPSECRET
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes name=datapath1
add bridge=bridge_guest name=datapath_guest
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
name=security1
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
name=security_guest
/caps-man configuration
add channel=channel_2g_guest country=TOPSECRET datapath=datapath_guest \
datapath.bridge=bridge_guest name=config_2g_guest security=security_guest \
ssid=home_guest
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=WLAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=\
tkip,aes-ccm mode=dynamic-keys name=profile1 supplicant-identity="" \
unicast-ciphers=tkip,aes-ccm
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
profile_guest supplicant-identity=""
/interface wireless
add default-forwarding=no disabled=no keepalive-frames=disabled mac-address=\
TOPSECRET master-interface=wlan1 multicast-buffering=disabled \
name=wlan_guest security-profile=profile_guest ssid=home_guest \
station-roaming=enabled wds-cost-range=0 wds-default-cost=0 wps-mode=\
disabled
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-192,aes-128 name=profile1 \
nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-192-cbc,aes-128-cbc
/ip pool
add name=dhcp ranges=192.168.5.50-192.168.5.254
add name=dhcp_guest ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=3h name=dhcp
add address-pool=dhcp_guest interface=bridge_guest name=dhcp_guest
/ppp profile
add bridge=bridge name=OVPN remote-address=dhcp
/queue simple
add max-limit=400M/400M name=queue1 target=192.168.5.7/32
add max-limit=30M/30M name=wifi_guest target=10.10.10.0/24
add max-limit=100M/100M name=TOPSECRET target=192.168.5.181/32
add disabled=yes max-limit=100M/100M name=TOPSECRET target=\
192.168.5.223/32
add disabled=yes max-limit=64k/64k name="TOPSECRET" target=192.168.5.227/32
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,rest-api"
/caps-man access-list
add action=accept allow-signal-out-of-range=5s disabled=no interface=all \
signal-range=-87..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=5s disabled=no interface=all \
signal-range=-120..-88 ssid-regexp=""
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge
/caps-man provisioning
add action=create-dynamic-enabled disabled=yes master-configuration=config_2g
add disabled=yes master-configuration=config_2g
add disabled=yes master-configuration=config_5g
add action=create-dynamic-enabled hw-supported-modes=ac,an \
master-configuration=config_5g
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
config_2g slave-configurations=config_2g_guest
add action=create-dynamic-enabled disabled=yes hw-supported-modes=gn \
master-configuration=config_2g_guest
add action=create-dynamic-enabled disabled=yes master-configuration=\
config_2g_guest
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge ingress-filtering=no interface=wlan1
add bridge=bridge ingress-filtering=no interface=wlan2
add bridge=bridge_guest ingress-filtering=no interface=wlan_guest
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set max-neighbor-entries=8192 rp-filter=strict
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wlan1 list=WLAN
add interface=wlan2 list=WLAN
/interface ovpn-server server
set auth=sha1 certificate=server2021 cipher=aes256 default-profile=OVPN \
enabled=yes mode=ethernet port=TOPSECRET require-client-certificate=yes
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=TOPSECRET endpoint-port=\
TOPSECRET interface=wireguard1 public-key=\
"TOPSECRET"
/ip address
add address=192.168.5.1/24 comment=defconf interface=bridge network=\
192.168.5.0
add address=TOPSECRET/24 comment="TOPSECRET" disabled=yes \
interface=ether1 network=TOPSECRET
add address=10.10.10.1/24 interface=bridge_guest network=10.10.10.0
add address=10.20.32.2/30 interface=IPsec_TOPSECRET network=10.20.32.0
add address=172.16.2.2/30 interface=wireguard1 network=172.16.2.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf dhcp-options=clientid,hostname interface=ether1
add !dhcp-options disabled=yes interface=wlan1
/ip dhcp-server lease
TOPSECRET
/ip firewall filter
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1d chain=input comment="Port scanners to list " \
protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=accept chain=forward disabled=yes dst-port=TOPSECRET protocol=tcp \
src-address-list=allowed_remote_ips
add action=accept chain=forward disabled=yes dst-port=TOPSECRET protocol=udp \
src-address-list=allowed_remote_ips
add action=accept chain=input dst-port=TOPSECRET protocol=udp
add action=drop chain=input comment="dropping port scanners" \
src-address-list="port scanners"
add action=drop chain=input comment=block_guests_to_local_input dst-address=\
10.10.10.1 dst-port=80,21,22,23,8291 protocol=tcp src-address-list=\
guest_users
add action=drop chain=input comment=block_guests_to_local_lan dst-address=\
192.168.5.0/24 src-address-list=guest_users
add action=drop chain=forward dst-address=10.0.0.0/8 out-interface=ether1 \
protocol=tcp src-address=192.168.5.0/24
add action=drop chain=forward dst-address=10.0.0.0/8 out-interface=ether1 \
protocol=icmp src-address=192.168.5.0/24
add action=drop chain=forward dst-address=192.168.5.0/24 in-interface=ether1 \
protocol=tcp src-address=10.0.0.0/8
add action=drop chain=forward dst-address=10.0.0.0/8 out-interface=ether1 \
protocol=tcp
add action=accept chain=input dst-port=11944 protocol=tcp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input disabled=yes dst-port=80 protocol=tcp \
src-address=TOPSECRET
add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=\
allowed_remote_ips
add action=accept chain=input dst-port=8291 in-interface=IPsec_TOPSECRET \
protocol=tcp
add action=accept chain=input disabled=yes dst-port=80 protocol=tcp
add action=accept chain=input disabled=yes dst-port=443 protocol=tcp
add action=accept chain=forward dst-port=8006 protocol=tcp src-address-list=\
allowed_remote_ips
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=forward disabled=yes dst-port=10000 in-interface=\
ether1 protocol=tcp src-address=TOPSECRET
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=8291 in-interface=bridge protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=input dst-port=22 in-interface=bridge protocol=tcp
add action=accept chain=input dst-port=21 in-interface=bridge protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat disabled=yes dst-address=TOPSECRET \
dst-port=80 protocol=tcp src-address-list=CountryIPBlocks to-addresses=\
192.168.5.187
add action=dst-nat chain=dstnat disabled=yes dst-address=TOPSECRET \
dst-port=443 protocol=tcp src-address-list=CountryIPBlocks to-addresses=\
192.168.5.187
add action=dst-nat chain=dstnat disabled=yes dst-address=TOPSECRET \
dst-port=80 protocol=tcp src-address-list=all_local to-addresses=\
192.168.5.187
add action=dst-nat chain=dstnat disabled=yes dst-address=TOPSECRET \
dst-port=443 protocol=tcp src-address-list=all_local to-addresses=\
192.168.5.187
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.5.187 \
dst-port=80 out-interface=bridge protocol=tcp src-address=192.168.5.0/24
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.5.187 \
dst-port=443 out-interface=bridge protocol=tcp src-address=192.168.5.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface=wireguard1
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WLAN
add action=masquerade chain=srcnat comment="defconf: masquerade" \
dst-address-list=guest_users ipsec-policy=out,none
add action=netmap chain=dstnat dst-port=TOPSECRET in-interface=ether1 protocol=tcp \
src-address-list=allowed_remote_ips to-addresses=192.168.5.5
add action=netmap chain=dstnat dst-port=TOPSECRET in-interface=ether1 protocol=\
tcp src-address-list=allowed_remote_ips to-addresses=192.168.5.192
add action=netmap chain=dstnat dst-port=TOPSECRET in-interface=ether1 protocol=\
udp src-address-list=allowed_remote_ips to-addresses=192.168.5.192
add action=netmap chain=dstnat disabled=yes dst-port=10000 in-interface=\
ether1 protocol=tcp src-address=151.237.56.5 to-addresses=192.168.5.15
add action=accept chain=srcnat out-interface=ether1
/ip firewall service-port
set sip disabled=yes
/ip ipsec policy
set 0 disabled=yes
/ip route
add disabled=yes dst-address=0.0.0.0/0 gateway=TOPSECRET
add disabled=no distance=1 dst-address=192.168.6.0/24 gateway=10.20.32.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=yes distance=1 dst-address=192.168.6.0/24 gateway=172.16.2.1 \
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/ip service
set telnet disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp interfaces
add interface=wlan1
/ppp secret
add local-address=192.168.5.1 name=TOPSECRET profile=OVPN remote-address=\
192.168.5.49 service=ovpn
/system clock
set time-zone-name=TOPSECRET
/system identity
set name=TOPSECRET_MT_ROUTER
/system ntp client
set enabled=yes
/system ntp client servers
add address=TOPSECRET
/system package update
set channel=long-term
/system routerboard settings
set cpu-frequency=716MHz
/system scheduler
add name=schedule1 on-event=":delay 30\r\
\n/system script run script1" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-time=startup
/system script
add dont-require-permissions=no name=script1 owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
delay 1\r\
\n\r\
\n:local reportBody \"\"\r\
\n\r\
\n:local deviceName [/system identity get name]\r\
\n:local deviceDate [/system clock get date]\r\
\n:local deviceTime [/system clock get time]\r\
\n:local hwModel [/system routerboard get model]\r\
\n:local rosVersion [/system package get system version]\r\
\n:local currentFirmware [/system routerboard get current-firmware]\r\
\n:local upgradeFirmware [/system routerboard get upgrade-firmware]\r\
\n\r\
\n\r\
\n:set reportBody (\$reportBody . \"Router Reboot Report for \$deviceName\
\\n\")\r\
\n:set reportBody (\$reportBody . \"Report generated on \$deviceDate at \$\
deviceTime\\n\\n\")\r\
\n\r\
\n:set reportBody (\$reportBody . \"Hardware Model: \$hwModel\\n\")\r\
\n:set reportBody (\$reportBody . \"RouterOS Version: \$rosVersion\\n\")\r\
\n:set reportBody (\$reportBody . \"Current Firmware: \$currentFirmware\\n\
\")\r\
\n:set reportBody (\$reportBody . \"Upgrade Firmware: \$upgradeFirmware\")\
\r\
\nif ( \$currentFirmware < \$upgradeFirmware) do={\r\
\n:set reportBody (\$reportBody . \"NOTE: You should upgrade the RouterBOA\
RD firmware!\\n\")\r\
\n}\r\
\n\r\
\n:set reportBody (\$reportBody . \"\\n\\n=== Critical Log Events ===\\n\"\
\_)\r\
\n\r\
\n:local x\r\
\n:local ts\r\
\n:local msg\r\
\nforeach i in=([/log find where topics~\"critical\"]) do={\r\
\n:set \$ts [/log get \$i time]\r\
\n:set \$msg [/log get \$i message]\r\
\n:set \$reportBody (\$reportBody . \$ts . \" \" . \$msg . \"\\n\" )\r\
\n}\r\
\n\r\
\n:set reportBody (\$reportBody . \"\\n=== end of report ===\\n\")\r\
\n\r\
\n/tool e-mail send subject=\"[\$deviceName] Router Reboot Report\" to=\"a\
TOPSECRET\" body=\$reportBody"
/system watchdog
set ping-start-after-boot=1h ping-timeout=2m watch-address=1.1.1.1 \
watchdog-timer=no
/tool e-mail
set address=TOPSECRET from=TOPSECRET port=TOPSECRET tls=starttls user=\
TOPSECRET
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool sniffer
set file-name=packetsniff filter-ip-address=192.168.5.40/32 \
filter-operator-between-entries=and
Last edited by ukro on Sun May 01, 2022 7:53 pm, edited 1 time in total.
 
ukro
newbie
Topic Author
Posts: 27
Joined: Tue Apr 30, 2019 8:51 pm

Re: Wireguard slow speed

Sun May 01, 2022 7:44 pm

SITE A 100/25
192.168.6.0/24
# may/01/2022 18:15:37 by RouterOS 7.2
# software id = H7WM-PZPA
#
# model = RBD52G-5HacD2HnD

/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz frequency=2412 name=channel1
add band=2ghz-g/n control-channel-width=20mhz frequency=2442 name=channel2
add band=2ghz-g/n control-channel-width=20mhz frequency=2472 name=channel3
/interface bridge
add admin-mac=TOPSECRET auto-mac=no comment=defconf disabled=yes \
name=bridge
add admin-mac=TOPSECRET auto-mac=no mtu=1500 name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway-internet
set [ find default-name=ether2 ] comment=NEO name=ether2-master-local
set [ find default-name=ether3 ] comment=SWITCH name=ether3-slave-local
set [ find default-name=ether4 ] comment=TOPSECRET name=ether4-slave-local
set [ find default-name=ether5 ] comment=AP_0
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
band=2ghz-g/n channel-width=20/40mhz-XX country="TOPSECRET" \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=TOPSECRET wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country="TOPSECRET" disabled=no distance=indoors \
frequency=auto hide-ssid=yes installation=indoor mode=ap-bridge ssid=\
TOPSECRET wireless-protocol=802.11
/interface ipip
add allow-fast-path=no local-address=TOPSECRET name=IPsec_TOPSECRET \
remote-address=TOPSECRET
add allow-fast-path=no local-address=TOPSECRET mtu=1480 name=IPsec_TOPSECRET \
remote-address=TOPSECRET
/interface wireguard
add listen-port=TOPSECRET mtu=1420 name=wireguard1
/interface vlan
add interface=ether1-gateway-internet name=vlan1 vlan-id=848
/caps-man datapath
add bridge=bridge-local name=datapath1
/caps-man configuration
add channel=channel1 channel.band=2ghz-g/n country="TOPSECRET" datapath=\
datapath1 datapath.client-to-client-forwarding=no .local-forwarding=no \
distance=indoors hide-ssid=no mode=ap name=Config \
security.authentication-types=wpa2-psk .disable-pmkid=yes .encryption=\
aes-ccm .group-encryption=aes-ccm ssid=TOPSECRET
add channel=channel2 channel.band=2ghz-g/n country="TOPSECRET" datapath=\
datapath1 datapath.client-to-client-forwarding=no .local-forwarding=no \
distance=indoors hide-ssid=no mode=ap name=cfg1 \
security.authentication-types=wpa2-psk .disable-pmkid=yes .encryption=\
aes-ccm .group-encryption=aes-ccm ssid=TOPSECRET
add channel=channel3 channel.band=2ghz-g/n country="TOPSECRET" datapath=\
datapath1 datapath.client-to-client-forwarding=no .local-forwarding=no \
distance=indoors hide-ssid=no mode=ap name=cfg2 \
security.authentication-types=wpa2-psk .disable-pmkid=yes .encryption=\
aes-ccm .group-encryption=aes-ccm ssid=TOPSECRET
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1 name=pppoe-out1 user=\
TOPSECRET
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk disable-pmkid=yes \
eap-methods="" group-key-update=1h mode=dynamic-keys supplicant-identity=\
MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
profile1 supplicant-identity=""
/interface wireless
add keepalive-frames=disabled mac-address=TOPSECRET master-interface=\
wlan1 multicast-buffering=disabled name=wlan3 security-profile=profile1 \
ssid=killme wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-192,aes-128 name=profile_1 \
nat-traversal=no
/ip ipsec peer
add address=TOPSECRET/32 disabled=yes name=peer1 profile=profile_1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-192-cbc,aes-128-cbc
/ip pool
add name=default-dhcp ranges=192.168.6.101-192.168.6.230
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay interface=\
bridge-local lease-script=":local recipient \"TOPSECRET\"\r\
\n/ip dhcp-server lease\r\
\n:if (\$leaseBound = 1 && [ get [ find where mac-address=\$leaseActMAC ] \
dynamic ] = true) do={\r\
\n\t:do {\r\
\n\t\t:tool e-mail send to=\$recipient subject=\"DHCP Address Alert [MAC: \
\$leaseActMAC]\" body=\"TOPSECRET - The following MAC address [\$leaseActMAC]\
\_received an IP address [\$leaseActIP] with hostname [\$host-name]\"\r\
\n\t\t:log info \"Sent DHCP alert for MAC \$leaseActMAC\"\r\
\n\t} on-error={:log error \"Failed to send alert email to \$recipient\"}\
\r\
\n}" lease-time=6h name=default
/ppp profile
add local-address=default-dhcp name=pptpprofile remote-address=default-dhcp
add bridge=bridge-local name=OpenVPN_TOPSECRET remote-address=default-dhcp
/queue simple
add disabled=yes max-limit=100M/100M name=queue1 target=192.168.6.0/24
add dst=IPsec_TOPSECRET max-limit=3M/50M name=skynet-backup target=192.168.6.7/32
add dst=TOPSECRET/32 max-limit=8M/40M name=TOPSECRET target=\
192.168.6.66/32
add dst=192.168.5.0/24 max-limit=15M/50M name=TOPSECRET<>TOPSECRET target=\
192.168.6.66/32
add disabled=yes dst=pppoe-out1 max-limit=3M/20M name=TOPSECRET target=\
192.168.6.66/32
add dst=pppoe-out1 max-limit=5M/40M name=TOPSECRET target=192.168.6.74/32
add max-limit=50M/50M name=TOPSECRET target=192.168.7.49/32
add burst-limit=7M/0 burst-threshold=3M/0 burst-time=30m/0s dst=pppoe-out1 \
max-limit=4M/60M name=hoax_linux_cp_8-0 target=192.168.6.35/32 time=\
8h-23h59m,sun,mon,tue,wed,thu,fri,sat
add dst=pppoe-out1 max-limit=6M/70M name=hoax_linux_cp_alltime target=\
192.168.6.35/32
add burst-limit=7M/0 burst-threshold=3M/0 burst-time=30m/0s dst=pppoe-out1 \
max-limit=7M/60M name=vulcan_cp_8-0 target=192.168.6.45/32 time=\
8h-23h59m,sun,mon,tue,wed,thu,fri,sat
add dst=pppoe-out1 max-limit=8M/70M name=vulcan_cp_alltime target=\
192.168.6.45/32
add burst-limit=7M/0 burst-threshold=3M/0 burst-time=30m/0s disabled=yes dst=\
IPsec_TOPSECRET max-limit=2M/8M name=ARES target=192.168.6.72/32 time=\
7h-23h,sun,mon,tue,wed,thu,fri,sat
add burst-limit=7M/0 burst-threshold=3M/0 burst-time=30m/0s dst=IPsec_TOPSECRET \
max-limit=5M/5M name="ARES alltime" target=192.168.6.72/32
add burst-limit=7M/0 burst-threshold=3M/0 burst-time=30m/0s disabled=yes dst=\
TOPSECRET/32 max-limit=5M/12M name="ARES alltime 2 TOPSECRET" target=\
192.168.6.72/32
add burst-limit=7M/0 burst-threshold=3M/0 burst-time=30m/0s dst=IPsec_TOPSECRET \
max-limit=4M/4M name="ARES alltime temperary" target=192.168.6.72/32
add burst-limit=7M/0 burst-threshold=3M/0 burst-time=30m/0s dst=IPsec_TOPSECRET \
max-limit=5M/8M name=TOPSECRET target=192.168.6.65/32
add dst=IPsec_TOPSECRET max-limit=7M/50M name=muj_PC_2_ua target=192.168.6.65/32
add burst-limit=7M/0 burst-threshold=3M/0 burst-time=30m/0s dst=IPsec_TOPSECRET \
max-limit=5M/12M name=neo_2_TOPSECRET target=192.168.6.44/32
add max-limit=20M/2M name=TOPSECRET target=192.168.6.121/32
add max-limit=20M/2M name=TOPSECRET target=192.168.6.122/32
add max-limit=20M/3M name=TOPSECRET target=192.168.6.120/32
add dst=pppoe-out1 max-limit=4M/70M name=TOPSECRET target=192.168.6.2/32
add dst=IPsec_TOPSECRET max-limit=8M/0 name=queue2 target=192.168.6.2/32
add dst=pppoe-out1 max-limit=4M/0 name=TOPSECRET target=192.168.6.79/32
add dst=pppoe-out1 max-limit=3M/0 name=TOPSECRET target=192.168.6.89/32 time=\
0s-1d,sun,mon,tue,wed,thu,fri,sat
add dst=pppoe-out1 max-limit=8M/0 name=TOPSECRET target=192.168.6.65/32
add dst=pppoe-out1 max-limit=3M/50M name=workpcvm target=192.168.6.65/32
add dst=pppoe-out1 max-limit=2M/10M name="new dvr" target=192.168.6.46/32 \
time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add disabled=yes dst=pppoe-out1 max-limit=7M/0 name=TOPSECRET target=\
192.168.6.69/32
add disabled=yes dst=pppoe-out1 max-limit=1M/50M name=TOPSECRET target=\
192.168.6.20/32
add disabled=yes dst=pppoe-out1 max-limit=3M/20M name=tel_ox target=\
192.168.6.28/32
add dst=pppoe-out1 max-limit=5M/35M name=tel_tanja target=192.168.6.28/32
add burst-limit=15M/0 burst-threshold=7M/0 burst-time=10m/0s dst=pppoe-out1 \
max-limit=9M/50M name="TOPSECRET TOPSECRET nout" target=192.168.6.196/32
add disabled=yes dst=pppoe-out1 max-limit=1M/60M name=TOPSECRET target=\
192.168.6.58/32
add dst=pppoe-out1 max-limit=1M/15M name="ox TOPSECRET" target=192.168.6.21/32
add dst=pppoe-out1 max-limit=3M/30M name=TOPSECRET target=192.168.6.39/32
add dst=pppoe-out1 max-limit=2M/5M name=queue4 target=192.168.6.45/32
add dst=pppoe-out1 max-limit=1M/8M name=TOPSECRET target=192.168.6.151/32
add dst=pppoe-out1 max-limit=1M/10M name="TOPSECRET main" target=192.168.6.200/32
add disabled=yes max-limit=0/20M name=TOPSECRET target=192.168.6.81/32 time=\
7h-1d,sun,mon,tue,wed,thu,fri,sat
add disabled=yes dst=pppoe-out1 max-limit=0/128k name=queue3 target=wlan1
add disabled=yes dst=pppoe-out1 max-limit=1500k/0 name=wlanque target=wlan1
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/system logging action
add email-start-tls=yes email-to=TOPSECRET@TOPSECRET.TOPSECRET name=TOPSECRET target=email
/user group
add name=sniffer policy="ssh,read,!local,!telnet,!ftp,!reboot,!write,!policy,!\
test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!rest-api"
add name=group1 policy="local,ftp,read,!telnet,!ssh,!reboot,!write,!policy,!te\
st,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!rest-api"
/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=no interface=all \
signal-range=-85..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no interface=all \
signal-range=-120..-86 ssid-regexp=""
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge-local
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=Config
add action=create-dynamic-enabled disabled=yes master-configuration=cfg1
add action=create-dynamic-enabled disabled=yes master-configuration=cfg2
/interface bridge port
add bridge=bridge-local comment=defconf ingress-filtering=no interface=\
ether2-master-local
add bridge=bridge-local comment=defconf ingress-filtering=no interface=\
ether3-slave-local
add bridge=bridge-local comment=defconf ingress-filtering=no interface=\
ether4-slave-local
add bridge=bridge-local comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge-local comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge-local comment=defconf ingress-filtering=no interface=wlan2
add bridge=bridge-local disabled=yes ingress-filtering=no interface=\
ether1-gateway-internet
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=discover
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge-local list=LAN
add comment=defconf interface=ether1-gateway-internet list=WAN
add interface=ether2-master-local list=LAN
add interface=ether3-slave-local list=LAN
add interface=ether4-slave-local list=LAN
add interface=ether5 list=LAN
add disabled=yes interface=wlan1 list=discover
add disabled=yes interface=bridge-local list=discover
add interface=pppoe-out1 list=discover
add interface=ether2-master-local list=mactel
add interface=ether3-slave-local list=mactel
add interface=ether2-master-local list=mac-winbox
add interface=ether4-slave-local list=mactel
add interface=ether3-slave-local list=mac-winbox
add interface=ether5 list=mactel
add interface=ether4-slave-local list=mac-winbox
add interface=wlan1 list=LAN
add interface=ether5 list=mac-winbox
add interface=bridge-local list=mactel
add interface=wlan1 list=mac-winbox
add interface=bridge-local list=mac-winbox
add interface=wlan2 list=LAN
/interface ovpn-server server
set auth=sha1 certificate=server2021 cipher=aes256 default-profile=\
TOPSECRET enabled=yes mode=ethernet port=TOPSECRET \
require-client-certificate=yes
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set default-profile=pptpprofile
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=TOPSECRET endpoint-port=\
TOPSECRET interface=wireguard1 public-key=\
"TOPSECRET"
/interface wireless access-list
add signal-range=-85..120
add authentication=no forwarding=no signal-range=-120..-86 vlan-mode=no-tag
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge \
network=192.168.88.0
add address=192.168.6.1/24 interface=bridge-local network=192.168.6.0
add address=192.168.7.1/24 disabled=yes interface=bridge-local network=\
192.168.7.0
add address=10.20.31.1/30 interface=IPsec_TOPSECRET network=10.20.31.0
add address=192.168.6.49 disabled=yes interface=ether4-slave-local network=\
192.168.6.0
add address=192.168.66.1/24 disabled=yes interface=bridge-local network=\
192.168.66.0
add address=192.168.66.49/24 disabled=yes interface=ether5 network=\
192.168.66.0
add address=192.168.66.9/24 disabled=yes interface=ether5 network=\
192.168.66.0
add address=192.168.66.2/24 disabled=yes interface=ether5 network=\
192.168.66.0
add address=192.168.66.65/24 disabled=yes interface=ether5 network=\
192.168.66.0
add address=10.20.32.1/30 interface=TOPSECRET network=10.20.32.0
add address=172.16.2.1/30 interface=wireguard1 network=172.16.2.0
/ip dhcp-client
add comment=defconf interface=ether1-gateway-internet
/ip dhcp-server config
set store-leases-disk=3m
/ip dhcp-server lease
TOPSECRET

/ip dhcp-server network
add address=192.168.6.0/24 comment="default configuration" dns-server=\
192.168.6.1 gateway=192.168.6.1
add address=192.168.7.0/24 gateway=192.168.7.1
/ip dns
set allow-remote-requests=yes servers=84.19.64.3,84.19.64.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.6.1 name=router
add address=10.10.10.10 disabled=yes name=TOPSECRET
add address=10.10.10.1 disabled=yes name=TOPSECRET
/ip firewall address-list
add address=54.76.99.212 list=blacklist
add address=52.51.84.21 list=blacklist
add address=92.53.96.0/24 list=blacklist
add address=192.168.6.0/24 disabled=yes list=TOPSECRET
add address=TOPSECRET disabled=yes list=save_ips
add address=TOPSECRET list=save_ips
add address=TOPSECRET list=save_ips
add address=192.168.5.0/24 list=save_ips
add address=TOPSECRET list=save_ips
/ip firewall filter
add action=drop chain=forward disabled=yes dst-address=!192.168.6.0/24 \
src-address=192.168.6.64
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input dst-port=80 protocol=tcp src-address-list=\
save_ips
add action=accept chain=input dst-port=8291 in-interface=pppoe-out1 protocol=\
tcp src-address-list=save_ips
add action=accept chain=input dst-port=8291 protocol=tcp src-address=\
TOPSECRET
add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=\
save_ips
add action=accept chain=input dst-port=48624 protocol=udp
add action=accept chain=input comment=ovpn_srv dst-port=TOPSECRET in-interface=\
pppoe-out1 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=input disabled=yes protocol=icmp src-address=\
192.168.6.45
add action=drop chain=input src-address-list=blacklist
add action=drop chain=forward src-address-list=blacklist
add action=accept chain=forward disabled=yes dst-address=192.168.7.49
add action=accept chain=forward disabled=yes src-address=192.168.7.49
add action=accept chain=input disabled=yes src-address=192.168.6.49 \
src-address-type=""
add action=drop chain=forward in-interface=pppoe-out1 src-address=10.0.0.0/8
add action=drop chain=forward in-interface=ether1-gateway-internet \
src-address=10.0.0.0/8
add action=log chain=forward connection-state=new disabled=yes dst-limit=\
70/1m,0,src-and-dst-addresses/1m dst-port=10000 in-interface=pppoe-out1 \
log-prefix=TOPSECRET protocol=tcp
add action=drop chain=output dst-address=0.0.0.0 src-address=192.168.6.130
add action=accept chain=forward disabled=yes dst-address=192.168.6.99 \
dst-port=TOPSECRET in-interface=bridge-local protocol=tcp
add action=accept chain=input dst-port=8291 in-interface=IPsec_TOPSECRET protocol=\
tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=TOPSECRET disabled=yes dst-port=8000 \
in-interface=pppoe-out1 protocol=tcp
add action=accept chain=forward disabled=yes dst-port=TOPSECRET in-interface=\
pppoe-out1 protocol=tcp
add action=accept chain=forward disabled=yes dst-port=TOPSECRET in-interface=\
pppoe-out1 protocol=tcp
add action=drop chain=input comment="dropping port scanners" in-interface=\
pppoe-out1 src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1d chain=input comment="Port scanners to list " \
in-interface=pppoe-out1 protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1d chain=input comment="NMAP FIN Stealth scan" \
in-interface=pppoe-out1 protocol=tcp tcp-flags=\
fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1d chain=input comment="SYN/FIN scan" in-interface=\
pppoe-out1 protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1d chain=input comment="SYN/RST scan" in-interface=\
pppoe-out1 protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1d chain=input comment="FIN/PSH/URG scan" \
in-interface=pppoe-out1 protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1d chain=input comment="ALL/ALL scan" in-interface=\
pppoe-out1 protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1d chain=input comment="NMAP NULL scan" \
in-interface=pppoe-out1 protocol=tcp tcp-flags=\
!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=forward comment="dropping port scanners" in-interface=\
pppoe-out1 src-address-list="port scanners"
add action=accept chain=forward comment="TOPSECRET" \
dst-limit=200/1m,200,dst-address/1m dst-port=TOPSECRET in-interface=\
pppoe-out1 log=yes log-prefix=PRDX protocol=tcp src-address-list=\
TOPSECRET
add action=drop chain=forward comment="TOPSECRET" \
dst-limit=200/1m,200,dst-address/1m dst-port=TOPSECRET in-interface=\
pppoe-out1 log=yes log-prefix=PRDX protocol=tcp src-address-list=\
TOPSECRET
add action=add-src-to-address-list address-list=TOPSECRET \
address-list-timeout=5s chain=input comment=TOPSECRET dst-port=TOPSECRET \
log-prefix=TOPSECRET protocol=tcp
add action=add-src-to-address-list address-list=TOPSECRET \
address-list-timeout=2m chain=input comment=TOPSECRET dst-port=\
44556 log-prefix=PRDX protocol=tcp src-address-list=PRDX_secured_IP
add action=drop chain=forward comment="drop 6.68 WIN TOPSECRET" \
disabled=yes src-address=192.168.6.68
add action=drop chain=input disabled=yes dst-port=53 protocol=udp \
src-address=!192.168.6.0/24
add action=accept chain=forward disabled=yes protocol=tcp src-address=\
192.168.6.190
add action=drop chain=input disabled=yes dst-port=80 in-interface=pppoe-out1 \
protocol=tcp
add action=accept chain=forward comment=\
"---------------------------TOPSECRET" disabled=yes \
dst-port=80 in-interface=pppoe-out1 protocol=tcp
add action=accept chain=forward disabled=yes dst-port=TOPSECRET in-interface=\
pppoe-out1 protocol=tcp
add action=accept chain=forward disabled=yes dst-port=TOPSECRET protocol=udp
add action=accept chain=forward disabled=yes dst-port=TOPSECRET protocol=tcp
add action=drop chain=input comment=--------------------------------TOPSECRET \
dst-port=80 in-interface=pppoe-out1 protocol=tcp
add action=drop chain=input dst-port=80 in-interface=pppoe-out1 protocol=udp
add action=accept chain=input protocol=icmp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input disabled=yes dst-port=4500 protocol=udp
add action=accept chain=input disabled=yes dst-port=4500 protocol=tcp
add action=accept chain=input disabled=yes dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre
add action=accept chain=forward comment="default configuration" disabled=yes \
dst-address=192.168.6.0/24 src-address=192.168.5.0/24
add action=accept chain=forward comment="default configuration" dst-address=\
192.168.1.0/24 dst-port=TOPSECRET protocol=tcp src-address=192.168.6.0/24
add action=accept chain=input comment=ping in-interface=IPsec_TOPSECRET protocol=\
icmp
add action=accept chain=forward comment="TOPSECRET -> TOPSECRET TOPSECRET " disabled=yes \
dst-address=192.168.6.66 src-address=192.168.1.0/24
add action=accept chain=forward comment="smb TOPSECRET->TOPSECRET" dst-address=\
192.168.6.66 dst-port=445 in-interface=IPsec_TOPSECRET protocol=tcp src-address=\
192.168.1.0/24
add action=accept chain=forward comment="TOPSECRET->TOPSECRET" disabled=yes \
dst-address=192.168.6.0/24 dst-port=445 protocol=tcp src-address=\
192.168.1.0/24
add action=accept chain=forward comment="TOPSECRET->TOPSECRET" disabled=yes \
dst-address=192.168.6.0/24 dst-port=21 protocol=tcp src-address=\
192.168.1.0/24
add action=accept chain=forward comment="TOPSECRET" disabled=yes \
dst-address=192.168.6.74 dst-port=30303 protocol=tcp src-address=\
192.168.1.0/24
add action=accept chain=forward comment="TOPSECRET" disabled=yes \
dst-port=TOPSECRET protocol=tcp src-address=TOPSECRET
add action=accept chain=forward comment="TOPSECRETS" disabled=yes \
dst-port=TOPSECRET protocol=tcp src-address=TOPSECRET
add action=accept chain=forward dst-port=22334 protocol=udp
add action=accept chain=forward comment="UA > skynet base2" dst-address=\
192.168.6.9 dst-port=1600 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment="UA > HOAX ARES DB" dst-address=\
192.168.6.72 dst-port=1600 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment="UA > HOAX VULCAN TOPSECRET" \
dst-address=192.168.6.45 dst-port=8081 protocol=tcp src-address=\
192.168.1.0/24
add action=accept chain=forward comment="TOPSECRET > HOAX ftp" dst-address=\
192.168.6.66 protocol=icmp src-address=192.168.1.0/24
add action=accept chain=forward comment="TOPSECRET > HOAX socket TOPSECRET" dst-port=\
TOPSECRET protocol=tcp
add action=accept chain=forward comment="established,related reverse" \
connection-state=established,related dst-address=192.168.6.0/24 \
src-address=192.168.1.0/24
add action=accept chain=forward comment="established,related reverse" \
connection-state=established,related dst-address=192.168.1.0/24 \
src-address=192.168.6.0/24
add action=drop chain=forward comment="default configuration" dst-address=\
192.168.6.0/24 src-address=192.168.1.0/24
add action=accept chain=forward comment="default configuration" disabled=yes \
dst-address=192.168.6.0/24 src-address=192.168.1.0/24
add action=drop chain=forward comment="TOPSECRET" disabled=yes protocol=\
udp src-address=192.168.6.190
add action=drop chain=forward comment="TOPSECRET" disabled=yes protocol=\
udp src-address=192.168.6.192
add action=drop chain=forward comment="TOPSECRET" disabled=yes \
protocol=udp src-address=192.168.6.191
add action=drop chain=input comment="drop TOPSECRET brute force" dst-port=TOPSECRET,TOPSECRET \
in-interface=pppoe-out1 protocol=tcp src-address-list=blacklist
add action=drop chain=forward comment="drop TOPSECRET brute force" dst-port=\
TOPSECRET,TOPSECRET in-interface=pppoe-out1 protocol=tcp src-address-list=blacklist
add action=accept chain=output content="Incorrect user name or password." \
dst-limit=1/1m,5,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=blacklist \
address-list-timeout=1d chain=output content=\
"Incorrect user name or password."
add action=accept chain=input disabled=yes in-interface=IPsec_TOPSECRET protocol=\
icmp
add action=accept chain=input comment="TOPSECRET default configuration" \
connection-state=established
add action=accept chain=input comment="toto default configuration" \
connection-state=related
add action=accept chain=forward dst-port=TOPSECRET protocol=tcp
add action=accept chain=forward dst-port=TOPSECRET protocol=udp
add action=accept chain=input dst-port=8291 protocol=udp
add action=accept chain=input disabled=yes dst-port=8291 protocol=tcp \
src-address=192.168.5.0/24
add action=accept chain=forward comment="toto default configuration" \
connection-state=established
add action=accept chain=forward comment="default configuration" \
connection-state=related
add action=accept chain=forward comment="default configuration" in-interface=\
bridge-local
add action=accept chain=input disabled=yes dst-port=8291 protocol=tcp \
src-address=192.168.5.0
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1d chain=input comment="default configuration" \
disabled=yes in-interface=pppoe-out1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1d chain=forward comment="default configuration" \
disabled=yes in-interface=pppoe-out1
add action=drop chain=input comment="default configuration" in-interface=\
pppoe-out1
add action=drop chain=forward comment="default configuration" \
connection-state="" in-interface=pppoe-out1
/ip firewall mangle
add action=mark-connection chain=prerouting disabled=yes new-connection-mark=\
truenas passthrough=yes src-address=192.168.6.49
add action=mark-connection chain=postrouting disabled=yes dst-address=\
192.168.6.0/24 dst-address-type=local new-connection-mark=truenas \
passthrough=yes src-address=192.168.6.49
add action=mark-packet chain=prerouting disabled=yes in-interface=\
bridge-local new-packet-mark=TOPSECRET passthrough=yes
add action=mark-packet chain=prerouting disabled=yes in-interface=\
ether4-slave-local new-packet-mark=TOPSECRET passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface=pppoe-out1
add action=accept chain=srcnat disabled=yes dst-address=192.168.6.0/24 \
src-address=192.168.5.0/24
add action=accept chain=srcnat dst-address=192.168.6.0/24 src-address=\
192.168.1.0/24
add action=accept chain=srcnat dst-address=192.168.6.0/24 src-address=\
172.16.2.0/30
add action=accept chain=srcnat dst-address=10.20.30.0/30 src-address=\
10.20.31.0/30
add action=accept chain=srcnat dst-address=10.20.31.0/30 src-address=\
10.20.30.0/30
add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=\
192.168.6.0/24
add action=accept chain=srcnat dst-address=172.16.2.0/30 src-address=\
192.168.6.0/24
add action=dst-nat chain=dstnat disabled=yes dst-port=5000 in-interface=\
pppoe-out1 protocol=tcp to-addresses=192.168.6.100 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface=\
pppoe-out1 protocol=tcp to-addresses=192.168.6.100 to-ports=80
add action=netmap chain=dstnat disabled=yes dst-port=80 in-interface=\
pppoe-out1 protocol=udp to-addresses=192.168.6.100 to-ports=80
add action=netmap chain=dstnat disabled=yes dst-port=5000 in-interface=\
pppoe-out1 protocol=tcp to-addresses=192.168.6.100 to-ports=80
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=ether1-gateway-internet
add action=masquerade chain=srcnat src-address=192.168.6.0/24 to-addresses=\
0.0.0.0
add action=masquerade chain=srcnat src-address=192.168.1.0/24
add action=masquerade chain=srcnat disabled=yes src-address=10.20.31.0/30
add action=masquerade chain=srcnat disabled=yes src-address=10.20.30.0/30
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=IPsec_TOPSECRET
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=wireguard1
add action=masquerade chain=srcnat comment="default configuration" disabled=\
yes dst-port=20-21 out-interface=bridge-local protocol=tcp src-address=\
192.168.1.0/24
add action=accept chain=dstnat comment="default configuration" disabled=yes \
dst-address=192.168.6.66 dst-port=20-21,1024-1025 in-interface=IPsec_TOPSECRET \
protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.6.66 \
to-ports=20-21
add action=dst-nat chain=dstnat comment="default configuration" disabled=yes \
dst-address=192.168.6.1 dst-port=20-21,1024-1025 in-interface=IPsec_TOPSECRET \
protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.6.66
add action=netmap chain=dstnat comment="default configuration" disabled=yes \
dst-address=192.168.6.1 dst-port=20-21,1024-1025 in-interface=IPsec_TOPSECRET \
protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.6.66
add action=dst-nat chain=dstnat comment="default configuration" disabled=yes \
dst-address=192.168.6.1 dst-port=20-21 protocol=tcp src-address=\
192.168.1.0/24 to-addresses=192.168.6.66
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.6.66 \
dst-port=20-21 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=dstnat disabled=yes dst-address=192.168.6.66 \
dst-port=20-21 protocol=tcp to-addresses=192.168.6.66 to-ports=20-21
add action=netmap chain=dstnat disabled=yes dst-port=20-21 in-interface=\
IPsec_TOPSECRET protocol=tcp to-addresses=192.168.6.66 to-ports=20-21
add action=netmap chain=dstnat comment=TOPSECRET disabled=yes dst-port=8000 \
in-interface=pppoe-out1 protocol=tcp src-address=91.228.45.226 \
to-addresses=192.168.6.46 to-ports=8000
add action=netmap chain=dstnat comment=TOPSECRET disabled=yes dst-port=8800 \
in-interface=pppoe-out1 protocol=tcp src-address=91.228.45.226 \
to-addresses=192.168.6.46 to-ports=80
add action=netmap chain=dstnat comment=TOPSECRET dst-port=10000 in-interface=\
pppoe-out1 protocol=tcp to-addresses=192.168.6.139
add action=netmap chain=dstnat comment=TOPSECRET disabled=yes dst-port=10000 \
in-interface=pppoe-out1 protocol=udp to-addresses=192.168.6.139 to-ports=\
10000
add action=netmap chain=dstnat disabled=yes dst-port=554 in-interface=\
pppoe-out1 protocol=tcp to-addresses=192.168.6.152 to-ports=554
add action=netmap chain=dstnat dst-port=30303 in-interface=pppoe-out1 \
protocol=tcp to-addresses=192.168.6.74
add action=netmap chain=dstnat comment=TOPSECRET-TOPSECRET-SOCKET disabled=yes \
dst-port=TOPSECRET in-interface=pppoe-out1 protocol=udp to-addresses=\
192.168.6.74
add action=netmap chain=dstnat comment=TOPSECRET-TOPSECRET dst-address=TOPSECRET \
dst-port=TOPSECRET in-interface=pppoe-out1 protocol=udp to-addresses=\
192.168.6.74
add action=netmap chain=dstnat comment=ZEUS-WG dst-address=TOPSECRET \
dst-port=TOPSECRET in-interface=bridge-local protocol=udp to-addresses=\
192.168.6.74
add action=netmap chain=dstnat comment="APOLLO TOPSECRET\? old" disabled=yes \
dst-port=TOPSECRET in-interface=pppoe-out1 protocol=udp to-addresses=\
192.168.6.74
add action=netmap chain=dstnat comment=TEST_TOPSECRET_PYTHON \
disabled=yes dst-port=TOPSECRET in-interface=pppoe-out1 protocol=udp \
to-addresses=192.168.6.74
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set sip disabled=yes
/ip ipsec identity
add peer=peer1
/ip ipsec policy
set 0 disabled=yes
/ip route
add disabled=yes dst-address=192.168.0.0/24 gateway=bridge-local pref-src=\
192.168.6.64
add disabled=no dst-address=192.168.1.0/24 gateway=10.20.31.2
add disabled=no distance=1 dst-address=192.168.5.0/24 gateway=10.20.32.2 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=yes distance=1 dst-address=192.168.5.0/24 gateway=bridge-local \
pref-src=192.168.5.1 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=yes distance=1 dst-address=192.168.5.0/24 gateway=172.16.2.2 \
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set winbox address=192.168.6.0/24,192.168.5.0/24,TOPSECRET/32
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
add local-address=192.168.6.1 name=TOPSECRET profile=TOPSECRET \
remote-address=192.168.6.120 service=ovpn
add local-address=192.168.6.1 name=TOPSECRET profile=TOPSECRET \
remote-address=192.168.6.121 service=ovpn
add local-address=192.168.6.1 name=TOPSECRET profile=TOPSECRET \
remote-address=192.168.6.122 service=ovpn
/system clock
set time-zone-name=Europe/Prague
/system logging
add disabled=yes prefix=TOPSECRET topics=ipsec
add action=TOPSECRET prefix=TOPSECRET topics=firewall,info
add disabled=yes topics=ovpn,debug
/system ntp client
set enabled=yes
/system ntp client servers
add address=TOPSECRET
add address=TOPSECRET
/system package update
set channel=long-term
/system scheduler
add name=schedule1 on-event=":delay 30\r\
\n/system script run script1" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-time=startup
add disabled=yes interval=5m name=schedule2_wifi_bad_pw_check on-event=\
"/system script run wifi_bad_password_ban" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=apr/12/2022 start-time=18:12:26
/system script
add dont-require-permissions=no name=dhcpleasescript owner=admin policy=\
read,write,policy,test,sniff,sensitive,romon source=""
add dont-require-permissions=no name=script1 owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
delay 1\r\
\n\r\
\n:local reportBody \"\"\r\
\n\r\
\n:local deviceName [/system identity get name]\r\
\n:local deviceDate [/system clock get date]\r\
\n:local deviceTime [/system clock get time]\r\
\n:local hwModel [/system routerboard get model]\r\
\n:local rosVersion [/system package get system version]\r\
\n:local currentFirmware [/system routerboard get current-firmware]\r\
\n:local upgradeFirmware [/system routerboard get upgrade-firmware]\r\
\n\r\
\n\r\
\n:set reportBody (\$reportBody . \"Router Reboot Report for \$deviceName\
\\n\")\r\
\n:set reportBody (\$reportBody . \"Report generated on \$deviceDate at \$\
deviceTime\\n\\n\")\r\
\n\r\
\n:set reportBody (\$reportBody . \"Hardware Model: \$hwModel\\n\")\r\
\n:set reportBody (\$reportBody . \"RouterOS Version: \$rosVersion\\n\")\r\
\n:set reportBody (\$reportBody . \"Current Firmware: \$currentFirmware\\n\
\")\r\
\n:set reportBody (\$reportBody . \"Upgrade Firmware: \$upgradeFirmware\")\
\r\
\nif ( \$currentFirmware < \$upgradeFirmware) do={\r\
\n:set reportBody (\$reportBody . \"NOTE: You should upgrade the RouterBOA\
RD firmware!\\n\")\r\
\n}\r\
\n\r\
\n:set reportBody (\$reportBody . \"\\n\\n=== Critical Log Events ===\\n\"\
\_)\r\
\n\r\
\n:local x\r\
\n:local ts\r\
\n:local msg\r\
\nforeach i in=([/log find where topics~\"critical\"]) do={\r\
\n:set \$ts [/log get \$i time]\r\
\n:set \$msg [/log get \$i message]\r\
\n:set \$reportBody (\$reportBody . \$ts . \" \" . \$msg . \"\\n\" )\r\
\n}\r\
\n\r\
\n:set reportBody (\$reportBody . \"\\n=== end of report ===\\n\")\r\
\n\r\
\n/tool e-mail send subject=\"[\$deviceName] Router Reboot Report\" to=\"a\
lert@biotal.cz\" body=\$reportBody"
add dont-require-permissions=no name=wifi_bad_password_ban owner=admin \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source=":local pop 4\r\
\n:local mac\r\
\n:local wifi [/log find message~\"disconnected, unicast key exchange time\
out\"]\r\
\n\r\
\nforeach i in=\$wifi do={\r\
\n:set mac [:pick [/log get \$i message ] 0 ([:len [/log get \$i message ]\
]-71)]\r\
\n:log warning \$mac\r\
\nif ([:len [/log find message~(\$mac . \"@wlan1: disconnected, unicast ke\
y exchange timeout\")] ] >= \$pop) do={\r\
\nif ([/interface wireless access-list find mac-address=\$mac] = \"\" ) do\
={\r\
\n/interface wireless access-list add mac-address=\$mac authentication=no \
interface=all\r\
\n}\r\
\n}\r\
\n}\r\
\n:log warning \"FINISH\""
/system watchdog
set automatic-supout=no ping-start-after-boot=2h ping-timeout=2m \
watch-address=1.1.1.1 watchdog-timer=no
/tool e-mail
set address=TOPSECRET from=TOPSECRET port=TOPSECRET tls=starttls user=\
TOPSECRET
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool sniffer
set filter-interface=pppoe-out1
/tool traffic-monitor
add disabled=yes interface=ether2-master-local name=tmon1 on-event=\
"log info \"ETH2 A LOT TX\"" threshold=5000000
 
holvoetn
Forum Guru
Forum Guru
Posts: 5325
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard slow speed

Sun May 01, 2022 8:09 pm

No full wireguard config ?

What's the story with all the queues ?
 
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard slow speed

Sun May 01, 2022 8:56 pm

Observations Site B (600/600 assuming this is the client device??)

(1) The bridge guest is not identified as belonging to any interface list? Could be on purpose.

(2) For MT devices I typically use /24 for Wireguard IP address vice anything else (you have /30 and is fine)

(3) Missing Keep alive on peer settings??

(4) Besides not liking all the bloatware firewall rules (personal preference), the three I zoned in on first are these ones.
add action=accept chain=forward disabled=yes dst-port=TOPSECRET protocol=tcp \
src-address-list=allowed_remote_ips
add action=accept chain=forward disabled=yes dst-port=TOPSECRET protocol=udp \
src-address-list=allowed_remote_ips
add action=accept chain=input dst-port=TOPSECRET protocol=udp


They are disabled except for the last one, but I am assuming this is to allow users from somewhere access to ports everywhere........... Far too wide open and not clear to the reader without any comments. If these are from a specific interface, then in-interface=wireguard makes it clear. If it's to a particular subnet then delineate that (dst-address=subnet) plus narrow down by port.

The last rule COULD be a SECURITY problem. There should be no external access to the router except for incoming VPN. If it's the wireguard or some other VPN, then it's fine!!

(5) The more I read your rules, the clearer it is to me that the bloatware (a sign of a confused admin) once again foretells a youtube-searching and blindly implementing admin.
This rule speaks volumes........
add action=drop chain=input comment=block_guests_to_local_lan dst-address=\
192.168.5.0/24 src-address-list=guest_users


You are using the input chain, which is traffic to/from the router itself, to attempt to block guest users from accessing LAN users.
What I recommend is that you completely wipe out the crappy rule set and start fresh with the basic defaults. Then add in the required access on the input chain by external VPNs,
and internal access for the ADMIN, be it via a wireguard interface or what have you.
Instead of many block rules that clog up a clean firewall display, simply use block-all-else rules at the end of the INPUT and FORWARD CHAIN. Then all traffic between users on the LAN is stopped at Layer 3, and you only need to state what traffic is allowed. Much easier, fewer rules, less prone to error.

Also - Group Input chain rules together and Forward chain rules together for ease of reading and less prone to error.
Suggest having a read of this.......... - viewtopic.php?t=180838

(remove all the unnecessary disabled rules or move them to a third group by themselves so that they do not clutter up the config of the working rules!! )

(6) Don't understand these routes and that's probably my lack of knowledge as I don't use preferred source....
However, if you want to force some users out the wireguard for internet (and hence why you have allowed IPs=0.0.0.0), I don't see the rule for that??

What I do see is some strange iteration where it's clear you have a NON-local subnet 192.168.6.x that needs to go out the IPSEC gateway.
WTF is that doing also assigned on the wireguard gateway? Also for gateway you can just use the name of the wireguard interface.

add disabled=no distance=1 dst-address=192.168.6.0/24 gateway=10.20.32.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=yes distance=1 dst-address=192.168.6.0/24 gateway=172.16.2.1 \
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10

(7) I also do not understand why you need to masquerade the traffic leaving the wireguard tunnel from Site B, when it's going to another Mikrotik Device at Site A.................... ?????

OBSERVATIONS FOR SITE A

(8) Okay, it's clear that 192.168.6.x is the local subnet on Site A..............

(9) Looks like security issues posed by such wide open rules.

add action=accept chain=input dst-port=80 protocol=tcp src-address-list=save_ips
add action=accept chain=input dst-port=8291 in-interface=pppoe-out1 protocol=tcp src-address-list=save_ips
add action=accept chain=input dst-port=8291 protocol=tcp src-address=TOPSECRET
add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=save_ips

If it's not a VPN coming in, no external access to the router should be allowed!

(10) Many of the same issues with B are with A. A completely disorganized mess!

OVERALL I would not in a million years with that config be able to discern what is causing less speed than anticipated, other than possibly burning cpu cycles accomplishing nothing. :-)
My recommendation is to simplify, simplify, simplify.

ALSO, in terms of wireguard, it is not clear to me WHY you chose 0.0.0.0/0 as allowed IPs for each site...........
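The chain-placement, rule-narrowing, keepalive and allowed-address points in the post above, worked into one minimal RouterOS 7 configuration for the site B router, as an added example that is not the thread's own export. Assumed names and values: bridge guest, interface list LAN, WAN pppoe-out1, WireGuard interface wireguard1 on UDP 13231, tunnel addresses 172.16.1.1 (site A) and 172.16.1.2 (site B), site B as the initiating side, and placeholders for site A's public key and public IP.

```routeros
# Site B side (LAN 192.168.5.0/24, the initiating peer). Names and addresses
# are assumptions for the example, not taken from the posted export.
/interface wireguard
add name=wireguard1 listen-port=13231 mtu=1420
/ip address
add address=172.16.1.2/30 interface=wireguard1

/interface wireguard peers
# allowed-address is WireGuard's cryptokey routing table: list only what must
# be reachable through the tunnel (the far tunnel IP and the far LAN). 0.0.0.0/0
# is only right when internet traffic is meant to go through the tunnel too.
add interface=wireguard1 public-key="SITE_A_PUBLIC_KEY" \
    endpoint-address=SITE_A_PUBLIC_IP endpoint-port=13231 \
    allowed-address=172.16.1.1/32,192.168.6.0/24 persistent-keepalive=25s
# RouterOS does not create routes from allowed-address; the interface name
# is a valid gateway, no next-hop IP needed.
/ip route
add dst-address=192.168.6.0/24 gateway=wireguard1

/ip firewall filter
# As posted (left commented out): the input chain only sees packets addressed
# to the router itself, so this never matches guest -> LAN transit traffic.
#add action=drop chain=input comment=block_guests_to_local_lan \
#    dst-address=192.168.5.0/24 src-address-list=guest_users

# INPUT: only what the router itself must answer, then drop everything else.
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
# WireGuard handshake on the WAN: one UDP port, nothing else from the internet.
add action=accept chain=input comment="wireguard handshake" protocol=udp \
    dst-port=13231 in-interface=pppoe-out1
add action=accept chain=input comment="admin from LAN" in-interface-list=LAN
add action=accept chain=input comment="admin from site A via tunnel" \
    in-interface=wireguard1 src-address=192.168.6.0/24
add action=drop chain=input comment="drop all else on input"

# FORWARD: transit traffic. With a final drop there is no need for a guest
# block rule at all: guests are simply never given a path to the LAN.
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="site A LAN -> site B LAN" \
    in-interface=wireguard1 src-address=192.168.6.0/24 dst-address=192.168.5.0/24
add action=accept chain=forward comment="site B LAN -> site A LAN" \
    in-interface-list=LAN dst-address=192.168.6.0/24 out-interface=wireguard1
add action=accept chain=forward comment="LAN -> internet" \
    in-interface-list=LAN out-interface=pppoe-out1
add action=accept chain=forward comment="guest -> internet only" \
    in-interface=guest out-interface=pppoe-out1
add action=drop chain=forward comment="drop all else on forward"

# No masquerade on wireguard1: both ends are routers with a route for the
# other LAN, so source NAT is only needed towards the WAN.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
```

The site A router mirrors this with 172.16.1.1/30, allowed-address=172.16.1.2/32,192.168.5.0/24, a route for 192.168.5.0/24 via wireguard1, and no endpoint-address since it is the listening side.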
 
ukro
newbie
Topic Author
Posts: 27
Joined: Tue Apr 30, 2019 8:51 pm

Re: Wireguard slow speed

Sun May 01, 2022 9:59 pm

Full wireguard config in screenshots? oO

Queues are only for local PCs (wife, parents); they take too much traffic :-E
 
ukro
newbie
Topic Author
Posts: 27
Joined: Tue Apr 30, 2019 8:51 pm

Re: Wireguard slow speed

Sun May 01, 2022 10:07 pm

OMG you gave me a lot to think about and do... Thank you xD

(1) on purpose
(3) is important? :O
(4) on purpose for the case when the ISP changes my public IP
(5) yes it is true, youtube...tutorials...bloatware...
(6) when I didn't have 0.0.0.0/0 I could not ping the two mikrotiks through WG (I have done it as per the tutorial)
(7) my mistake; as it was not working I had been trying every possible combination before I gave up and wrote on this forum
(9) :o :D
(10) yes

Thank you very much for taking your time and explaining everything. When I clean everything up I will write back!
 
ukro
newbie
Topic Author
Posts: 27
Joined: Tue Apr 30, 2019 8:51 pm

Re: Wireguard slow speed

Sun May 01, 2022 10:16 pm

At least I can interpret it both ways.
It's not clear.
I have tested by fast.com
one line 100/25
and second line 600/600
So when I download from the second line to the first line I should have 70Mbps easy.

Anyhow, point I made as well is that whatever limit there is in place, WG should be able to get over at least 80% throughput (even 90%).
Can't speak for IPSEC, I don't use it that much (I HATE the setup troubles it gives ...).
SHOULD! but isn't :( yeah I also hate IPSEC. I have good exp with WG on Linux so I thought that on MikroTik it would work right away, but I guess bad firewall rules are the source of the problem :(
 
ukro
newbie
Topic Author
Posts: 27
Joined: Tue Apr 30, 2019 8:51 pm

Re: Wireguard slow speed

Sun May 01, 2022 10:18 pm

What is not clear to me is which device is the peer and which is the server for the initial connection.
Nor is the use of the tunnel clear. Did you want to use the internet of the server from the peer...........
Not seeing the configs, your complaints have no merit..............
Nor do I have any faith in the basics of your wireguard config as you don't have either of the two devices with a persistent keepalive set.
The point was peer-to-peer settings; I followed an online tutorial.
No, I didn't want to use the internet of the server from the peer.
Configs are listed now, sorry.
Will set up persistent keepalive
 
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard slow speed

Sun May 01, 2022 10:19 pm

(1) okay........
(3) Yes,
(4) There are better ways to address this.
(5) Good to remove
(6) Be accurate in allowed IPs; you should include 172.16.1.1/32 on the client device and 172.16.1.2/32 on the Server device.
One doesn't have to if one also needs internet access in a particular direction, as it clearly includes all IP addresses.
However it seems you are only looking for site B, to site A subnet access and site A to site B subnet access and NOT internet.
 
ukro
newbie
Topic Author
Posts: 27
Joined: Tue Apr 30, 2019 8:51 pm

Re: Wireguard slow speed

Sun May 01, 2022 11:59 pm

(3) done
(6) fixed THX !
 
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard slow speed

Mon May 02, 2022 12:58 am

I'm more interested in that you understand the config vice copy-and-paste config.
More info on wireguard.
viewtopic.php?t=182340
 
holvoetn
Forum Guru
Forum Guru
Posts: 5325
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard slow speed

Mon May 02, 2022 5:25 am

I have good exp with WG on Linux so I thought that on MikroTik it would work right away, but I guess bad firewall rules are the source of the problem :(
Nah.
If firewall rules had been the problem, throughput would be ZERO.
Apart from network throughput on the intermediate steps, there are no dials specific to wireguard to crank the volume up or down.
Something else is choking the pipe. And I'm still inclined to look at those queues you've got there ...

If you do the testing using iperf, can you also foresee some tests with all queues disabled ?
At least it will show if the source is to be found there or not.
 
ukro
newbie
Topic Author
Posts: 27
Joined: Tue Apr 30, 2019 8:51 pm

Re: Wireguard slow speed

Mon May 02, 2022 8:41 pm

With queues enabled
192.168.6.64
-----------------------------------------------------------
Server listening on 5201
-----------------------------------------------------------
Accepted connection from 192.168.5.192, port 39506
[ 5] local 192.168.6.45 port 5201 connected to 192.168.5.192 port 39508
[ ID] Interval Transfer Bitrate
[ 5] 0.00-1.00 sec 1.14 MBytes 9.54 Mbits/sec
[ 5] 1.00-2.00 sec 687 KBytes 5.63 Mbits/sec
[ 5] 2.00-3.00 sec 657 KBytes 5.39 Mbits/sec
[ 5] 3.00-4.00 sec 500 KBytes 4.09 Mbits/sec
[ 5] 4.00-5.00 sec 466 KBytes 3.82 Mbits/sec
[ 5] 5.00-6.00 sec 321 KBytes 2.63 Mbits/sec
[ 5] 6.00-7.00 sec 390 KBytes 3.19 Mbits/sec
[ 5] 7.00-8.00 sec 442 KBytes 3.63 Mbits/sec
[ 5] 8.00-9.00 sec 363 KBytes 2.98 Mbits/sec
[ 5] 9.00-10.00 sec 247 KBytes 2.02 Mbits/sec
[ 5] 10.00-10.06 sec 10.7 KBytes 1.38 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate
[ 5] 0.00-10.06 sec 5.13 MBytes 4.27 Mbits/sec receiver
=====================
192.168.5.192

iperf3 -c 192.168.6.45
Connecting to host 192.168.6.45, port 5201
[ 5] local 192.168.5.192 port 39508 connected to 192.168.6.45 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 1.91 MBytes 16.1 Mbits/sec 28 70.8 KBytes
[ 5] 1.00-2.00 sec 942 KBytes 7.72 Mbits/sec 4 42.8 KBytes
[ 5] 2.00-3.00 sec 440 KBytes 3.60 Mbits/sec 1 36.1 KBytes
[ 5] 3.00-4.00 sec 879 KBytes 7.20 Mbits/sec 1 32.1 KBytes
[ 5] 4.00-5.00 sec 440 KBytes 3.60 Mbits/sec 1 32.1 KBytes
[ 5] 5.00-6.00 sec 0.00 Bytes 0.00 bits/sec 2 21.4 KBytes
[ 5] 6.00-7.00 sec 440 KBytes 3.60 Mbits/sec 0 30.7 KBytes
[ 5] 7.00-8.00 sec 440 KBytes 3.60 Mbits/sec 1 30.7 KBytes
[ 5] 8.00-9.00 sec 440 KBytes 3.60 Mbits/sec 2 20.0 KBytes
[ 5] 9.00-10.00 sec 440 KBytes 3.60 Mbits/sec 3 13.4 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 6.27 MBytes 5.26 Mbits/sec 43 sender
[ 5] 0.00-10.06 sec 5.13 MBytes 4.27 Mbits/sec receiver

iperf Done.
=============================
=============================
=============================
-----------------------------------------------------------
Server listening on 5201
-----------------------------------------------------------
Accepted connection from 192.168.6.45, port 48840
[ 5] local 192.168.5.192 port 5201 connected to 192.168.6.45 port 48842
[ ID] Interval Transfer Bitrate
[ 5] 0.00-1.00 sec 1.72 MBytes 14.4 Mbits/sec
[ 5] 1.00-2.00 sec 1.98 MBytes 16.6 Mbits/sec
[ 5] 2.00-3.00 sec 1.95 MBytes 16.3 Mbits/sec
[ 5] 3.00-4.00 sec 1.98 MBytes 16.6 Mbits/sec
[ 5] 4.00-5.00 sec 1.98 MBytes 16.6 Mbits/sec
[ 5] 5.00-6.00 sec 1.96 MBytes 16.4 Mbits/sec
[ 5] 6.00-7.00 sec 1.96 MBytes 16.4 Mbits/sec
[ 5] 7.00-8.00 sec 1.96 MBytes 16.4 Mbits/sec
[ 5] 8.00-9.00 sec 1.98 MBytes 16.6 Mbits/sec
[ 5] 9.00-10.00 sec 1.96 MBytes 16.5 Mbits/sec
[ 5] 10.00-10.11 sec 224 KBytes 16.8 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate
[ 5] 0.00-10.11 sec 19.6 MBytes 16.3 Mbits/sec receiver
-----------------------------------------------------------
======================================
iperf3 -c 192.168.5.192
Connecting to host 192.168.5.192, port 5201
[ 5] local 192.168.6.45 port 48842 connected to 192.168.5.192 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 2.22 MBytes 18.6 Mbits/sec 0 273 KBytes
[ 5] 1.00-2.00 sec 2.21 MBytes 18.5 Mbits/sec 0 374 KBytes
[ 5] 2.00-3.00 sec 2.27 MBytes 19.0 Mbits/sec 41 301 KBytes
[ 5] 3.00-4.00 sec 1.84 MBytes 15.4 Mbits/sec 14 231 KBytes
[ 5] 4.00-5.00 sec 1.84 MBytes 15.4 Mbits/sec 1 180 KBytes
[ 5] 5.00-6.00 sec 2.15 MBytes 18.0 Mbits/sec 0 192 KBytes
[ 5] 6.00-7.00 sec 2.15 MBytes 18.0 Mbits/sec 0 196 KBytes
[ 5] 7.00-8.00 sec 1.72 MBytes 14.4 Mbits/sec 0 196 KBytes
[ 5] 8.00-9.00 sec 2.15 MBytes 18.0 Mbits/sec 0 198 KBytes
[ 5] 9.00-10.00 sec 1.72 MBytes 14.4 Mbits/sec 0 204 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 20.3 MBytes 17.0 Mbits/sec 56 sender
[ 5] 0.00-10.11 sec 19.6 MBytes 16.3 Mbits/sec receiver

iperf Done.
 
ukro
newbie
Topic Author
Posts: 27
Joined: Tue Apr 30, 2019 8:51 pm

Re: Wireguard slow speed

Mon May 02, 2022 8:43 pm

Disabled queues, result is the same
 
ukro
newbie
Topic Author
Posts: 27
Joined: Tue Apr 30, 2019 8:51 pm

Re: Wireguard slow speed

Mon May 02, 2022 8:45 pm

traceroute 192.168.6.45
traceroute to 192.168.6.45 (192.168.6.45), 30 hops max, 60 byte packets
1 192.168.5.1 (192.168.5.1) 0.268 ms 0.217 ms 0.368 ms
2 172.16.2.1 (172.16.2.1) 64.749 ms 64.709 ms 64.863 ms
3 192.168.6.45 (192.168.6.45) 66.109 ms 66.091 ms 65.356 ms
 
ukro
newbie
Topic Author
Posts: 27
Joined: Tue Apr 30, 2019 8:51 pm

Re: Wireguard slow speed

Mon May 02, 2022 8:51 pm

Uff thx a lot to go through D:
 
ukro
newbie
Topic Author
Posts: 27
Joined: Tue Apr 30, 2019 8:51 pm

Re: Wireguard slow speed

Mon May 02, 2022 9:19 pm

I gave up......
Did this tutorial
https://www.youtube.com/watch?v=rjn7z48HqYM
And same result...
 
ukro
newbie
Topic Author
Posts: 27
Joined: Tue Apr 30, 2019 8:51 pm

Re: Wireguard slow speed

Mon May 02, 2022 10:07 pm

The wording is a bit off - he is downloading (100 mbps) from the second site (600mbps), so ideally it would be close to 100mbps in ideal/perfect situations.

Have you tried iperf3 between sites?
Above ^^
 
ukro
newbie
Topic Author
Posts: 27
Joined: Tue Apr 30, 2019 8:51 pm

Re: Wireguard slow speed

Mon May 02, 2022 10:07 pm

I see nothing that can be useful on those screenshots, only angry red marker painting.
How did you do the bandwidth tests?
iperf above ^^
 
biomesh
Long time Member
Long time Member
Posts: 561
Joined: Fri Feb 10, 2012 8:25 pm

Re: Wireguard slow speed

Mon May 02, 2022 10:28 pm

Are both of the devices using the same ISP? I see your results from your work server is fine.

I was just wondering if they are on the same ISP since there could be an issue with bandwidth limits on peering points between networks along the way if they are not on the same ISP.
 
ukro
newbie
Topic Author
Posts: 27
Joined: Tue Apr 30, 2019 8:51 pm

Re: Wireguard slow speed

Mon May 02, 2022 10:37 pm

Different country :( different ISP
But I see too many Retr (lost packets?)
 
ukro
newbie
Topic Author
Posts: 27
Joined: Tue Apr 30, 2019 8:51 pm

Re: Wireguard slow speed

Mon May 02, 2022 10:41 pm

Partly I have figured out that from 100/25 to 600/600 it is taking almost the full 25 upload speed, >2.2MB/s
But the other way it is not...
