I have a working WireGuard setup, as in it connects and routes traffic, but I have a couple of issues to do with throughput and another to do with different behaviours under slightly different traffic conditions.
I recently connected to WireGuard from my laptop and made some SMB transfers using Windows Explorer. This was slow (<2Mb/s) when it shouldn't have been (connection speeds at both ends very high) and, when I made two simultaneous file copies, only one copy would proceed at a time - when one was downloading the other wasn't and they would swap every 10 seconds or so (one of them at 0kb/s while the other downloaded), rather than both downloading and sharing the bandwidth.
First question - why so slow?
Second question - why only one SMB transfer at a time?
The other issue is that my Windows laptop is not able to connect to anything else on my LAN via web browser over wireguard, but my iOS devices are (Edge on Windows and Safari on iOS). This includes the web browser client for the same NAS box as the slow SMB transfers.
Third question - why would SMB to my NAS work (albeit with the above issues) by IP address but not web browser traffic on my Windows laptop, but iOS is able to connect via its browser?
Everything else about my setup works perfectly and has for years.
Re: WireGuard SMB and Throughput Problems
You have provided very little useful information to even begin a conversation.
-
-
dazzaling69
Member Candidate
- Posts: 168
- Joined:
Re: WireGuard SMB and Throughput Problems
Here is my config
Code: Select all
# 2025-01-31 18:12:46 by RouterOS 7.17
# software id = 4SAD-K293
#
# model = RB5009UG+S+
# serial number = ****
/interface bridge
add name="Local Bridge" port-cost-mode=short
add name=dockers port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name="Port 1 - Study"
set [ find default-name=ether2 ] name="Port 2 - Living Room"
set [ find default-name=ether3 ] name="Port 3 - Girl's Room"
set [ find default-name=ether4 ] name="Port 4 - Snug"
set [ find default-name=ether5 ] name="Port 5 - Bonded"
set [ find default-name=ether6 ] name="Port 6 - Bonded"
set [ find default-name=ether7 ] name="Port 7 - Kitchen"
set [ find default-name=ether8 ] mac-address=A4:43:8C:36:0B:B1 name=\
"Port 8 - WAN"
set [ find default-name=sfp-sfpplus1 ] name="Port 9 - SFP+"
/interface veth
add address=172.17.0.2/24,fd6c:b6e2:f488::2/64 gateway=172.17.0.1 gateway6=\
fd6c:b6e2:f488:: name=veth1
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface bonding
add mode=802.3ad name="Bonded NAS" slaves="Port 5 - Bonded,Port 6 - Bonded" \
transmit-hash-policy=layer-3-and-4
/container mounts
add dst=/etc/dnsmasq.d name=dnsmasq_pihole src=\
/usb1-part1/pihole/etc-dnsmasq.d
add dst=/etc/pihole name=etc_pihole src=/usb1-part1/pihole/etc
add dst=/etc/dnsmasq.d name=dnsmasq_pihole2 src=\
/usb1-part1/pihole2/etc-dnsmasq.d
add dst=/etc/pihole name=etc_pihole2 src=/usb1-part1/pihole2/etc
/disk
add parent=usb1 partition-number=1 partition-offset=512 partition-size=\
"128 035 675 648" type=partition
/interface list
add name=listBridge
add name=WAN
add comment=defconf include=listBridge name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add connection-mark=ipsec name=NordVPN responder=no
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
add dpd-interval=2m dpd-maximum-failures=5 name=NordVPN
/ip ipsec peer
add address=al55.nordvpn.com comment=Albania exchange-mode=ike2 name=NordVPN \
profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=dhcp_pool0 ranges=10.160.100.20-10.160.100.200
/ip dhcp-server
add address-pool=dhcp_pool0 interface="Local Bridge" lease-time=10m name=\
dhcp1
/ip smb users
set [ find default=yes ] disabled=yes
add name=Darren
/ipv6 pool
add name=IPv6_dockers prefix=fd6c:b6e2:f488::/48 prefix-length=64
/caps-man manager
set enabled=yes
/container
add envlist=pihole_envs interface=veth1 logging=yes mounts=\
dnsmasq_pihole2,etc_pihole2 root-dir=/usb1-part1/pihole2 start-on-boot=\
yes
/container config
set registry-url=https://registry-1.docker.io tmpdir="usb1-part1/pull "
/container envs
add key=TZ name=pihole_envs value=Europe/London
add key=WEBPASSWORD name=pihole_envs value=******
add key=DNSMASQ_USER name=pihole_envs value=***
/ip smb
set domain=WORKGROUP enabled=yes interfaces="Local Bridge"
/dude
set data-directory=usb1-part1/Dude enabled=yes
/interface bridge port
add bridge="Local Bridge" interface="Port 2 - Living Room" \
internal-path-cost=10 path-cost=10
add bridge="Local Bridge" interface="Port 1 - Study" internal-path-cost=10 \
path-cost=10
add bridge="Local Bridge" interface="Port 7 - Kitchen" internal-path-cost=10 \
path-cost=10
add bridge="Local Bridge" interface="Port 9 - SFP+" internal-path-cost=10 \
path-cost=10
add bridge="Local Bridge" interface="Bonded NAS" internal-path-cost=10 \
path-cost=10
add bridge="Local Bridge" interface="Port 3 - Girl's Room" \
internal-path-cost=10 path-cost=10
add bridge="Local Bridge" interface="Port 4 - Snug" internal-path-cost=10 \
path-cost=10
add bridge=dockers interface=veth1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=listBridge
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add interface="Local Bridge" list=listBridge
add interface="Port 8 - WAN" list=WAN
add interface=dockers list=listBridge
add interface=wireguard1 list=listBridge
/interface ovpn-server server
add mac-address=FE:A8:27:88:84:9C name=ovpn-server1
/interface wireguard peers
add allowed-address=192.168.10.2/32 comment="2 iPhone" interface=wireguard1 \
name=peer5 public-key="****"
add allowed-address=192.168.10.4/32 comment="4 Dell XPS13 Darren" interface=\
wireguard1 name=peer7 public-key=\
"vyv4"
add allowed-address=192.168.10.5/32 comment="5 iPad" interface=wireguard1 \
name=peer8 public-key="*****"
add allowed-address=192.168.216.3/32 comment="Home (iPhone 13 Pro)" \
interface=*19 name=peer10 public-key=\
"*****"
add allowed-address=192.168.10.3/32 comment="3 Dell XPS 15" interface=\
wireguard1 name=peer11 public-key=\
"*****"
/ip address
add address=10.160.100.1/24 interface="Local Bridge" network=10.160.100.0
add address=192.168.10.1/24 comment=WireGuard1 interface=wireguard1 network=\
192.168.10.0
add address=172.17.0.1/24 comment="Docker container address range" interface=\
dockers network=172.17.0.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add interface="Port 8 - WAN"
/ip dhcp-server lease
add address=10.160.100.30 client-id=1:0:11:32:b7:b2:15 mac-address=\
00:11:32:B7:B2:15 server=dhcp1
add address=10.160.100.68 client-id=1:ec:71:db:2e:8c:e0 mac-address=\
EC:71:DB:2E:8C:E0 server=dhcp1
add address=10.160.100.85 client-id=1:6c:3b:6b:7e:ad:ee mac-address=\
6C:3B:6B:7E:AD:EE server=dhcp1
add address=10.160.100.150 client-id=1:f8:25:51:b6:4a:bc mac-address=\
F8:25:51:B6:4A:BC server=dhcp1
add address=10.160.100.41 client-id=1:c4:65:16:b3:2e:bd mac-address=\
C4:65:16:B3:2E:BD server=dhcp1
/ip dhcp-server network
add address=10.160.100.0/24 dns-server=10.160.100.1 gateway=10.160.100.1
/ip dns
set allow-remote-requests=yes cache-size=8192KiB max-concurrent-queries=1000 \
max-concurrent-tcp-sessions=2000 servers=\
1.1.1.3,1.0.0.3,2606:4700:4700::1113,2606:4700:4700::1003 use-doh-server=\
https://family.cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=104.16.249.249 name=cloudflare-dns.com type=A
add address=104.16.248.249 name=cloudflare-dns.com type=A
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
add address=telegraph.co.uk list=VPN
add address=youtube.com list=VPN
add address=4.78.139.50 list=YouTube
add address=4.78.139.54 list=YouTube
add address=23.101.24.70 list=YouTube
add address=23.202.231.167 list=YouTube
add address=23.217.138.108 list=YouTube
add address=23.225.141.210 list=YouTube
add address=23.234.30.58 list=YouTube
add address=31.13.64.7 list=YouTube
add address=31.13.67.19 list=YouTube
add address=31.13.67.33 list=YouTube
add address=31.13.67.41 list=YouTube
add address=31.13.68.169 list=YouTube
add address=31.13.69.169 list=YouTube
add address=31.13.69.245 list=YouTube
add address=31.13.70.9 list=YouTube
add address=31.13.70.13 list=YouTube
add address=31.13.70.33 list=YouTube
add address=31.13.71.19 list=YouTube
add address=31.13.73.9 list=YouTube
add address=31.13.73.169 list=YouTube
add address=31.13.75.5 list=YouTube
add address=31.13.75.12 list=YouTube
add address=31.13.76.65 list=YouTube
add address=31.13.76.99 list=YouTube
add address=31.13.80.37 list=YouTube
add address=31.13.80.54 list=YouTube
add address=31.13.80.169 list=YouTube
add address=31.13.81.4 list=YouTube
add address=31.13.82.33 list=YouTube
add address=31.13.82.169 list=YouTube
add address=31.13.83.2 list=YouTube
add address=31.13.83.34 list=YouTube
add address=31.13.84.2 list=YouTube
add address=31.13.84.34 list=YouTube
add address=31.13.85.2 list=YouTube
add address=31.13.85.34 list=YouTube
add address=31.13.85.53 list=YouTube
add address=31.13.85.169 list=YouTube
add address=31.13.86.21 list=YouTube
add address=31.13.87.9 list=YouTube
add address=31.13.87.19 list=YouTube
add address=31.13.87.33 list=YouTube
add address=31.13.87.34 list=YouTube
add address=31.13.88.26 list=YouTube
add address=31.13.88.169 list=YouTube
add address=31.13.90.19 list=YouTube
add address=31.13.90.33 list=YouTube
add address=31.13.91.6 list=YouTube
add address=31.13.91.33 list=YouTube
add address=31.13.92.5 list=YouTube
add address=31.13.94.7 list=YouTube
add address=31.13.94.10 list=YouTube
add address=31.13.94.23 list=YouTube
add address=31.13.94.36 list=YouTube
add address=31.13.94.37 list=YouTube
add address=31.13.94.41 list=YouTube
add address=31.13.94.49 list=YouTube
add address=31.13.95.17 list=YouTube
add address=31.13.95.18 list=YouTube
add address=31.13.95.33 list=YouTube
add address=31.13.95.34 list=YouTube
add address=31.13.95.35 list=YouTube
add address=31.13.95.37 list=YouTube
add address=31.13.95.38 list=YouTube
add address=31.13.95.48 list=YouTube
add address=31.13.95.169 list=YouTube
add address=31.13.96.192 list=YouTube
add address=31.13.96.193 list=YouTube
add address=31.13.96.194 list=YouTube
add address=31.13.96.195 list=YouTube
add address=31.13.96.208 list=YouTube
/ip firewall filter
add action=accept chain=input comment=\
"accept established, related, untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept LAN traffic" in-interface=\
"Local Bridge"
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \
protocol=udp
add action=accept chain=input comment="Allow Everything in Wireguard" \
in-interface=wireguard1
add action=accept chain=input comment="Allow DNS request for Container - UDP" \
dst-port=53 in-interface=dockers protocol=udp
add action=accept chain=input comment="Allow DNS request for Container - TCP" \
dst-port=53 in-interface=dockers protocol=tcp
add action=drop chain=input comment="block everything else"
add action=fasttrack-connection chain=forward comment=\
"Fasttrack, but not ipsec" connection-mark=!ipsec connection-state=\
established,related hw-offload=yes
add action=accept chain=forward comment=\
"Forward established, related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid \
log=yes log-prefix=invalid
add action=accept chain=forward comment="Forward all outbound traffic" \
in-interface="Local Bridge" out-interface="Port 8 - WAN" packet-mark=""
add action=accept chain=forward comment="Allow Wireguard to Subnets" \
dst-address=10.160.100.0/24 in-interface=wireguard1
add action=accept chain=forward comment="WG to internet" in-interface=\
wireguard1 out-interface="Port 8 - WAN"
add action=accept chain=forward comment="Accept dst-nat" \
connection-nat-state=dstnat
add action=accept chain=forward comment="Forward Docker Traffic to WAN" \
in-interface=dockers out-interface-list=WAN
add action=accept chain=forward comment="Docker forward rule" in-interface=\
"Local Bridge" out-interface=dockers
add action=drop chain=forward comment="Drop all Else"
/ip firewall mangle
add action=passthrough chain=prerouting comment=\
"special dummy rule to show fasttrack counters" disabled=yes
add action=mark-connection chain=prerouting comment="Newsgroup Traffic ipsec" \
connection-state=new dst-port=563 in-interface="Local Bridge" \
new-connection-mark=ipsec protocol=tcp
add action=mark-connection chain=prerouting comment="YouTube Traffic ipsec" \
connection-state=new disabled=yes dst-address-list=YouTube in-interface=\
"Local Bridge" new-connection-mark=ipsec protocol=tcp
add action=mark-connection chain=prerouting comment="YouTube Traffic ipsec" \
connection-state=new disabled=yes dst-address-list=YouTube in-interface=\
"Local Bridge" new-connection-mark=ipsec protocol=udp
add action=mark-connection chain=prerouting comment="Mark Telegraph traffic" \
connection-state=new dst-address-list=VPN in-interface="Local Bridge" \
new-connection-mark=ipsec protocol=tcp
add action=mark-connection chain=prerouting comment=\
"BitTorrent Ipsec (doesn't filter p2p traffic)" connection-state=new \
dst-port=16881 in-interface="Local Bridge" new-connection-mark=ipsec \
protocol=tcp
add action=mark-connection chain=prerouting comment=\
"BitTorrent DHT traffic UDP" connection-state=new dst-port=6881 \
in-interface="Local Bridge" new-connection-mark=ipsec protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none log=yes log-prefix=\
masq out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Plex TCP" dst-port=32400 \
in-interface="Port 8 - WAN" log=yes log-prefix=PlexNAT protocol=tcp \
to-addresses=10.160.100.30 to-ports=32400
add action=dst-nat chain=dstnat comment=PiHole dst-address=10.160.100.1 \
dst-port=888 in-interface="Local Bridge" in-interface-list=all protocol=\
tcp to-addresses=172.17.0.2 to-ports=80
add action=dst-nat chain=dstnat comment=\
"Force any UDP DNS queries that aren't to pihole to go to pihole" \
dst-address=!172.17.0.2 dst-port=53 in-interface-list=listBridge \
protocol=udp src-address=!172.17.0.2 to-addresses=172.17.0.2
add action=dst-nat chain=dstnat comment=\
"Force any TCP DNS queries that aren't to pihole to go to pihole" \
dst-address=!172.17.0.2 dst-port=53 in-interface-list=listBridge \
protocol=tcp src-address=!172.17.0.2 to-addresses=172.17.0.2
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
port-strict mode-config=NordVPN peer=NordVPN policy-template-group=\
NordVPN username=WNGqUUBXZkfY5c3q3SKMYDrY
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=\
0.0.0.0/0 template=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set www-ssl certificate=Webfig disabled=no
set api disabled=yes
set winbox address=10.160.100.0/24
/ip smb shares
set [ find default=yes ] directory=/pub disabled=no
add directory=/usb1-part1 name=Container
/ip ssh
set strong-crypto=yes
/ipv6 address
add address=::4aa9:8aff:fe57:4601 from-pool=IPv6_Pool interface=\
"Local Bridge"
add comment="Docker container address range" from-pool=IPv6_dockers \
interface=dockers
/ipv6 dhcp-client
add add-default-route=yes interface="Port 8 - WAN" pool-name=IPv6_Pool \
prefix-hint=::/56 request=prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="Allow DNS request for Container - UDP" \
dst-port=53 in-interface=dockers protocol=udp
add action=accept chain=input comment="Allow DNS request for Container - TCP" \
dst-port=53 in-interface=dockers protocol=tcp
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!listBridge
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Forward Docker Traffic to WAN" \
in-interface=dockers out-interface-list=WAN
add action=accept chain=forward comment="Docker forward rule" in-interface=\
"Local Bridge" out-interface=dockers
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!listBridge
/ipv6 firewall nat
add action=masquerade chain=srcnat comment="Masquerade DNS traffic TCP" \
dst-address=fd6c:b6e2:f488::2/128 dst-port=53 protocol=tcp \
src-address-list=""
add action=masquerade chain=srcnat comment="Masquerade DNS traffic UDP" \
dst-address=fd6c:b6e2:f488::2/128 dst-port=53 protocol=udp
add action=dst-nat chain=dstnat comment="Force all UDP DNS queries to pihole" \
dst-address=!fd6c:b6e2:f488::2/128 dst-port=53 in-interface-list=LAN log=\
yes protocol=udp src-address=!fd6c:b6e2:f488::2/128 to-address=\
fd6c:b6e2:f488::2/128
add action=dst-nat chain=dstnat comment="Force all TCP DNS queries to pihole" \
dst-address=!fd6c:b6e2:f488::2/128 dst-port=53 in-interface-list=LAN \
protocol=tcp src-address=!fd6c:b6e2:f488::2/128 to-address=\
fd6c:b6e2:f488::2/128
add action=masquerade chain=srcnat comment="Masquerade for the Pihole" \
out-interface-list=WAN src-address=fd6c:b6e2:f488::/64
add action=dst-nat chain=dstnat comment=Pihole dst-address=\
fd94:4dc1:86fb::2/128 dst-port=888 in-interface="Local Bridge" \
in-interface-list=all protocol=tcp to-address=fd6c:b6e2:f488::2/128 \
to-ports=80
/ipv6 nd
add dns=fe80::4aa9:8aff:fe57:4601 interface="Local Bridge" \
managed-address-configuration=yes
/system clock
set time-zone-name=Europe/London
/system identity
set name=Gateway
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes use-local-clock=yes
/system ntp client servers
add address=time.cloudflare.com
/tool bandwidth-server
set enabled=no
/tool graphing interface
add interface="Port 8 - WAN"
/tool mac-server
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge
/tool romon
set enabled=yes
/tool traffic-monitor
add interface="Port 8 - WAN" name=tmon1
Last edited by BartoszP on Mon Feb 17, 2025 1:11 am, edited 1 time in total.
Reason: removed serials and other data - please do not share
Reason: removed serials and other data - please do not share
-
-
dazzaling69
Member Candidate
- Posts: 168
- Joined:
Re: WireGuard SMB and Throughput Problems
Does that give enough information?
Re: WireGuard SMB and Throughput Problems
Should be, many things you utilize I am not going to be helpful on, veth, dockers etc...
1. Please set to NONE as this function has been known to cause issues.
/interface detect-internet
set detect-interface-list=WAN
2. This line shows an issue as the interface is undefined
add allowed-address=192.168.216.3/32 comment="Home (iPhone 13 Pro)" \
interface=*19 name=peer10 public-key=\
"*****"
Okay it would seem as though for some reason you have both normal wireguard setup and BTH, which is very confusing.............
In any case you dont manually enter in a wireguard peer for BTH, its done dynamically by the router, check your wireguard peers on the device!!!
3. One thing is that BTH allows user to the LAN interface list and its not changeable, so suggesting stick to some defaults.
4. Your firewall rules need work.
Also glad you have the youtube stuff disabled, its really not effective and should be removed.
Also slight cleanup on dstnat rules for pihole,
5. Recommend a sourcenat rule for nordvpn, cannot hurt but may help.
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=NordVPN passthrough=yes protocol=tcp tcp-flags=syn
++++++++++++++++++++++++++++++++++++++++++
Keep it simple and clear! ( trusted reflects those subnet containing admin IPs )
/interface list
add name=WAN
add name=LAN
add name=TRUSTED
/interface list member
add interface="Port 8 - WAN" list=WAN
add interface="Local Bridge" list=LAN
add interface=dockers list=LAN
add interface=wireguard1 list=LAN
add interface="Local Bridge" list=TRUSTED
add interface="wireguard1 list=TRUSTED
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
/ip firewall address-list
add address=10.160.100.X list=Authorized comment="admin local desktop"
add address=10.160.100.Y list=Authorized comment="admin local laptop wifi"
add address=10.160.100.Z list=Authorized comment="admin local smartphone/ipad wifi"
add address=192.168.10.2 list=Authorized comment="remote admin iphone"
add address=192.168.10.4 list=Authorized comment="remote admin laptop"
ETC>
/ip firewall filter
NOTE DYNAMIC FORWARD RULE FOR BTH WILL BE AT THE TOP ( cannot move/delete/modify and has no effect in this case )
add action=drop chain=forward src-address-list=back-to-home-lan-restricted-peers out-interface-list=LAN
{ default rules to keep }
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment=dst-address=127.0.0.1
(admin rules)
add action=accept chain=input comment="wireguard traffic" dst-port=13231 protocol=udp
add action=accept chain=input comment="admin access" in-interface-list=TRUSTED src-address-list=Authorized
add action=accept chain=input comment="Allow DNS request for Container - UDP" \
dst-port=53 in-interface=dockers protocol=udp
add action=accept chain=input comment="Allow DNS request for Container - TCP" \
dst-port=53 in-interface=dockers protocol=tcp
add action=drop chain=input comment="block everything else"
++++++++++++++++++++
add action=fasttrack-connection chain=forward comment=\
"Fasttrack, but not ipsec" connection-mark=!ipsec connection-state=\
established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN { note covers bridge, wireguard1 and dockers }
add action=accept chain=forward comment="bridge and wireguard to dockers" in-interface-list=LAN out-interface=dockers
add action=accept chain=forward comment="WG to subnet" in-interface=wireguard1 dst-address=10.160.100.0/24
add action=accept chain=forward comment="BTH to Subnet" in-interface=back-to-home-vpn src-address=192.168.216.0/24 dst-address=10.160.100.0/24
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all Else"
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=NordVPN passthrough=yes protocol=tcp tcp-flags=syn
add action=dst-nat chain=dstnat comment="Plex TCP" dst-port=32400 \
in-interface="Port 8 - WAN" log=yes log-prefix=PlexNAT protocol=tcp \
to-addresses=10.160.100.30 to-ports=32400
add action=dst-nat chain=dstnat comment=PiHole dst-address=10.160.100.1 \
dst-port=888 in-interface-list=LAN protocol=tcp to-addresses=172.17.0.2 to-ports=80
add action=dst-nat chain=dstnat comment="users to pihole" in-interface-list=LAN dst-port=53 protocol=udp src-address=!172.17.0.2 to-addresses=172.17.0.2
add action=dst-nat chain=dstnat comment="users to pihole" in-interface-list=LAN dst-port=53 protocol=tcp src-address=!172.17.0.2 to-addresses=172.17.0.2
1. Please set to NONE as this function has been known to cause issues.
/interface detect-internet
set detect-interface-list=WAN
2. This line shows an issue as the interface is undefined
add allowed-address=192.168.216.3/32 comment="Home (iPhone 13 Pro)" \
interface=*19 name=peer10 public-key=\
"*****"
Okay it would seem as though for some reason you have both normal wireguard setup and BTH, which is very confusing.............
In any case you dont manually enter in a wireguard peer for BTH, its done dynamically by the router, check your wireguard peers on the device!!!
3. One thing is that BTH allows user to the LAN interface list and its not changeable, so suggesting stick to some defaults.
4. Your firewall rules need work.
Also glad you have the youtube stuff disabled, its really not effective and should be removed.
Also slight cleanup on dstnat rules for pihole,
5. Recommend a sourcenat rule for nordvpn, cannot hurt but may help.
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=NordVPN passthrough=yes protocol=tcp tcp-flags=syn
++++++++++++++++++++++++++++++++++++++++++
Keep it simple and clear! ( trusted reflects those subnet containing admin IPs )
/interface list
add name=WAN
add name=LAN
add name=TRUSTED
/interface list member
add interface="Port 8 - WAN" list=WAN
add interface="Local Bridge" list=LAN
add interface=dockers list=LAN
add interface=wireguard1 list=LAN
add interface="Local Bridge" list=TRUSTED
add interface="wireguard1 list=TRUSTED
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
/ip firewall address-list
add address=10.160.100.X list=Authorized comment="admin local desktop"
add address=10.160.100.Y list=Authorized comment="admin local laptop wifi"
add address=10.160.100.Z list=Authorized comment="admin local smartphone/ipad wifi"
add address=192.168.10.2 list=Authorized comment="remote admin iphone"
add address=192.168.10.4 list=Authorized comment="remote admin laptop"
ETC>
/ip firewall filter
NOTE DYNAMIC FORWARD RULE FOR BTH WILL BE AT THE TOP ( cannot move/delete/modify and has no effect in this case )
add action=drop chain=forward src-address-list=back-to-home-lan-restricted-peers out-interface-list=LAN
{ default rules to keep }
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment=dst-address=127.0.0.1
(admin rules)
add action=accept chain=input comment="wireguard traffic" dst-port=13231 protocol=udp
add action=accept chain=input comment="admin access" in-interface-list=TRUSTED src-address-list=Authorized
add action=accept chain=input comment="Allow DNS request for Container - UDP" \
dst-port=53 in-interface=dockers protocol=udp
add action=accept chain=input comment="Allow DNS request for Container - TCP" \
dst-port=53 in-interface=dockers protocol=tcp
add action=drop chain=input comment="block everything else"
++++++++++++++++++++
add action=fasttrack-connection chain=forward comment=\
"Fasttrack, but not ipsec" connection-mark=!ipsec connection-state=\
established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN { note covers bridge, wireguard1 and dockers }
add action=accept chain=forward comment="bridge and wireguard to dockers" in-interface-list=LAN out-interface=dockers
add action=accept chain=forward comment="WG to subnet" in-interface=wireguard1 dst-address=10.160.100.0/24
add action=accept chain=forward comment="BTH to Subnet" in-interface=back-to-home-vpn src-address=192.168.216.0/24 dst-address=10.160.100.0/24
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all Else"
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=NordVPN passthrough=yes protocol=tcp tcp-flags=syn
add action=dst-nat chain=dstnat comment="Plex TCP" dst-port=32400 \
in-interface="Port 8 - WAN" log=yes log-prefix=PlexNAT protocol=tcp \
to-addresses=10.160.100.30 to-ports=32400
add action=dst-nat chain=dstnat comment=PiHole dst-address=10.160.100.1 \
dst-port=888 in-interface-list=LAN protocol=tcp to-addresses=172.17.0.2 to-ports=80
add action=dst-nat chain=dstnat comment="users to pihole" in-interface-list=LAN dst-port=53 protocol=udp src-address=!172.17.0.2 to-addresses=172.17.0.2
add action=dst-nat chain=dstnat comment="users to pihole" in-interface-list=LAN dst-port=53 protocol=tcp src-address=!172.17.0.2 to-addresses=172.17.0.2
-
-
dazzaling69
Member Candidate
- Posts: 168
- Joined:
Re: WireGuard SMB and Throughput Problems
Thanks very much for this. All very helpful stuff. I'm making my way through the list.
My problem with BTH is that I tried it once and it didn't work but getting rid of it seems quite hard! I haven't figured out what I should delete to never see it again! Most of the rules seem to be autogenerated and I can't find the root settings that generate the dynamic rules.
Do you know how to blitz BTH? Maybe it is better now, but it wasn't working a year or so ago for me. As you say, it's redundant with WireGuard.
My problem with BTH is that I tried it once and it didn't work but getting rid of it seems quite hard! I haven't figured out what I should delete to never see it again! Most of the rules seem to be autogenerated and I can't find the root settings that generate the dynamic rules.
Do you know how to blitz BTH? Maybe it is better now, but it wasn't working a year or so ago for me. As you say, it's redundant with WireGuard.
Re: WireGuard SMB and Throughput Problems
For sure to remove it
go to IP CLOUD
Select TAB ---> BTH VPN
Select First LIne Back to home VPN: and select circle REVOKED and DISABLED
Would also go to the phone were you first created the BTH and remove that as well.
go to IP CLOUD
Select TAB ---> BTH VPN
Select First LIne Back to home VPN: and select circle REVOKED and DISABLED
Would also go to the phone were you first created the BTH and remove that as well.
-
-
dazzaling69
Member Candidate
- Posts: 168
- Joined:
Re: WireGuard SMB and Throughput Problems
For your suggestion #5, it requires an interface labelled NordVPN, which doesn't exist. Where do I created that?
-
-
dazzaling69
Member Candidate
- Posts: 168
- Joined:
Re: WireGuard SMB and Throughput Problems
Simple when you know how 
For sure to remove it
go to IP CLOUD
Select TAB ---> BTH VPN
Select First LIne Back to home VPN: and select circle REVOKED and DISABLED
Would also go to the phone were you first created the BTH and remove that as well.
Re: WireGuard SMB and Throughput Problems
The key is understanding the word.......................... Disabled ;-P
As far as NORDVPN goes, that was only if you were using a third party wireguar VPN, if not you can ignore the mangle rule.
( not sure why I thought you had nordvpn - perhaps this --> add name=NordVPN on ipsec ???)
As far as NORDVPN goes, that was only if you were using a third party wireguar VPN, if not you can ignore the mangle rule.
( not sure why I thought you had nordvpn - perhaps this --> add name=NordVPN on ipsec ???)
-
-
dazzaling69
Member Candidate
- Posts: 168
- Joined:
Re: WireGuard SMB and Throughput Problems
I do use NordVPN, but not via Wireguard. I use IPSEC. Is there any benefit to using Wireguard?
-
-
dazzaling69
Member Candidate
- Posts: 168
- Joined:
Re: WireGuard SMB and Throughput Problems
Going back to my original problem, the SMB performance over Wireguard and low throughput. Testing this again it hasn't made any difference to the 1-at-a-time SMB transfer and the total throughput is very slow.
Is there any suggestion about how to fix or troubleshoot that?
Is there any suggestion about how to fix or troubleshoot that?
-
-
dazzaling69
Member Candidate
- Posts: 168
- Joined:
Re: WireGuard SMB and Throughput Problems
Are there any suggestions for fixing the throughput issue?