Hello,
This is another WireGuard performance thread; I have a strange problem when connecting from my laptop WireGuard peer to my RB5009 at the office.
I use my laptop, which is connected with an Ethernet cable to a Chateau LTE18 using an LTE connection (~100 Mbps down / ~70 Mbps up).
I connect with WireGuard to my office, also using 0.0.0.0/0 in allowed addresses in order to "take" my office public IP and route all my laptop's traffic through the office.
My office has a connection with 200 Mbps down and 20 Mbps up (point-to-point public IP connection over VDSL).
MTU on the WireGuard interface at the RB5009 is 1420.
My download speed from my laptop when connected over WireGuard is 1 Mbps down and 19 Mbps up.
I can't find why I have such poor performance on download speeds while the upload is fine.
I thought it was an MTU issue, but I tried several values without any change; the down speed is very low compared to the up speed.
When I check the WireGuard interface on the RB5009 I get many TX errors (around 1617 errors at the moment), while RX errors are 0.
Any ideas for the poor performance? The resources on the RB5009 are almost 0% CPU; I checked all cores and nothing goes above 5% when I am connected over WireGuard and run a speed test.
Below is my MikroTik config, followed by my peer connection via WireGuard:
Code:
/interface bridge
add admin-mac=DC:2C:6E:3B:C7:89 auto-mac=no comment=defconf name=bridge.LAN priority=0x1000
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=10.0.0.100-10.0.0.199
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge.LAN lease-time=1w1d name=dhcp1
/queue type
set 0 kind=sfq
add kind=sfq name=qos
/queue tree
add bucket-size=0.01 max-limit=190M name=DOWN parent=bridge.LAN queue=default
add name="1. VOIP" packet-mark=VOIP parent=DOWN priority=1 queue=default
add name="2. DNS" packet-mark=DNS parent=DOWN priority=2 queue=default
add name="3. ACK" packet-mark=ACK parent=DOWN priority=3 queue=default
add name="4. UDP" packet-mark=UDP parent=DOWN priority=3 queue=default
add name="5. ICMP" packet-mark=ICMP parent=DOWN priority=4 queue=default
add name="6. HTTP" packet-mark=HTTP parent=DOWN priority=5 queue=default
add name="7. HTTP_BIG" packet-mark=HTTP_BIG parent=DOWN priority=6 queue=default
add name="8. QUIC" packet-mark=QUIC parent=DOWN priority=7 queue=default
add name="9. OTHER" packet-mark=OTHER parent=DOWN queue=default
add bucket-size=0.01 max-limit=20M name=UP parent=ether1 queue=default
add name="1. VOIP_" packet-mark=VOIP parent=UP priority=1 queue=default
add name="2. DNS_" packet-mark=DNS parent=UP priority=2 queue=default
add name="3. ACK_" packet-mark=ACK parent=UP priority=3 queue=default
add name="4. UDP_" packet-mark=UDP parent=UP priority=3 queue=default
add name="5. ICMP_" packet-mark=ICMP parent=UP priority=4 queue=default
add name="6. HTTP_" packet-mark=HTTP parent=UP priority=5 queue=default
add name="7. HTTP_BIG_" packet-mark=HTTP_BIG parent=UP priority=6 queue=default
add name="8. QUIC_" packet-mark=QUIC parent=UP priority=7 queue=default
add name="9. OTHER_" packet-mark=OTHER parent=UP queue=default
/interface bridge port
add bridge=bridge.LAN comment=defconf interface=ether3
add bridge=bridge.LAN comment=defconf interface=ether4
add bridge=bridge.LAN comment=defconf interface=ether5
add bridge=bridge.LAN comment=defconf interface=ether6
add bridge=bridge.LAN comment=defconf interface=ether7
add bridge=bridge.LAN comment=defconf interface=ether8
add bridge=bridge.LAN comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes
/interface list member
add comment=defconf interface=bridge.LAN list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=172.16.10.2/32 interface=wireguard1 public-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
add allowed-address=172.16.10.3/32 interface=wireguard1 public-key="xxxxxxxxxxxxxxxxxxxxxxxx"
/ip address
add address=10.0.0.1/24 comment=defconf interface=bridge.LAN network=10.0.0.0
add address=XXXXXXXXX interface=ether1 network=XXXXXXXXX
add address=172.16.10.1/24 interface=wireguard1 network=172.16.10.0
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip firewall address-list
add address=voips.modulus.gr list="Modulus SIP"
/ip firewall filter
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port Scanners to list" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=accept chain=input comment="WG VPN Rule" dst-port=51820 protocol=udp
add action=accept chain=input comment="VPN Allow Rules" dst-port=1701 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input src-address-list="port scanners"
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting comment=DNS connection-state=new new-connection-mark=DNS passthrough=yes port=53 protocol=udp
add action=mark-packet chain=prerouting connection-mark=DNS new-packet-mark=DNS passthrough=no
add action=mark-connection chain=postrouting connection-state=new new-connection-mark=DNS passthrough=yes port=53 protocol=udp
add action=mark-packet chain=postrouting connection-mark=DNS new-packet-mark=DNS passthrough=no
add action=mark-connection chain=prerouting comment="VOIP GW" new-connection-mark=VOIP passthrough=yes src-address-list="Modulus SIP"
add action=mark-connection chain=prerouting comment=VOIP new-connection-mark=VOIP passthrough=yes port=6050,5090,5060-5062,50000-50019,50020-50039,50040-50059,9000-10999 protocol=udp
add action=mark-packet chain=prerouting connection-mark=VOIP new-packet-mark=VOIP passthrough=no
add action=mark-connection chain=prerouting comment=QUIC connection-state=new new-connection-mark=QUIC passthrough=yes port=80,443 protocol=udp
add action=mark-packet chain=prerouting connection-mark=QUIC new-packet-mark=QUIC passthrough=no
add action=mark-connection chain=prerouting comment=UDP connection-state=new new-connection-mark=UDP passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=UDP new-packet-mark=UDP passthrough=no
add action=mark-connection chain=prerouting comment=ICMP connection-state=new new-connection-mark=ICMP passthrough=yes protocol=icmp
add action=mark-packet chain=prerouting connection-mark=ICMP new-packet-mark=ICMP passthrough=no
add action=mark-connection chain=postrouting connection-state=new new-connection-mark=ICMP passthrough=yes protocol=icmp
add action=mark-packet chain=postrouting connection-mark=ICMP new-packet-mark=ICMP passthrough=no
add action=mark-packet chain=postrouting comment=ACK new-packet-mark=ACK packet-size=0-123 passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=prerouting new-packet-mark=ACK packet-size=0-123 passthrough=no protocol=tcp tcp-flags=ack
add action=mark-connection chain=prerouting comment=HTTP connection-mark=no-mark connection-state=new new-connection-mark=HTTP passthrough=yes port=80,443 protocol=tcp
add action=mark-connection chain=prerouting connection-bytes=5000000-0 connection-mark=HTTP connection-rate=2M-200M new-connection-mark=HTTP_BIG passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=HTTP_BIG new-packet-mark=HTTP_BIG passthrough=no
add action=mark-packet chain=prerouting connection-mark=HTTP new-packet-mark=HTTP passthrough=no
add action=mark-connection chain=prerouting comment=OTHER connection-state=new new-connection-mark=POP3 passthrough=yes port=995,465,587 protocol=tcp
add action=mark-packet chain=prerouting connection-mark=POP3 new-packet-mark=OTHER passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark new-connection-mark=OTHER passthrough=yes
add action=mark-packet chain=prerouting connection-mark=OTHER new-packet-mark=OTHER passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
add action=drop chain=prerouting dst-port=53 in-interface-list=WAN log=yes log-prefix="WAN DNS" protocol=udp
/ip firewall service-port
set sip disabled=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=XXXXXXXXX routing-table=main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" disabled=yes list=bad_ipv6
add address=::1/128 comment="defconf: lo" disabled=yes list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" disabled=yes list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" disabled=yes list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" disabled=yes list=bad_ipv6
add address=100::/64 comment="defconf: discard only " disabled=yes list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" disabled=yes list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" disabled=yes list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" disabled=yes list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMPv6" disabled=yes protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" disabled=yes port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." disabled=yes dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" disabled=yes dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" disabled=yes protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" disabled=yes protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" disabled=yes src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" disabled=yes dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" disabled=yes hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" disabled=yes protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" disabled=yes protocol=139
add action=accept chain=forward comment="defconf: accept IKE" disabled=yes dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" disabled=yes protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" disabled=yes protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" disabled=yes in-interface-list=!LAN
/snmp
set enabled=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Code:
[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ListenPort = 51820
Address = 172.16.10.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 10.0.0.0/24, 172.16.10.1/32, 0.0.0.0/0
Endpoint = xxxxxxxxx:51820
Statistics: Posted by haris013 — Mon Apr 01, 2024 8:33 pm
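Two of the things the post touches on, the WireGuard MTU and the mangle/queue-tree setup, can be checked mechanically from an export like the one above. The script below is an added example, not code from the post or from MikroTik. It computes the inner MTU a WireGuard tunnel can carry over a given outer path (WireGuard adds a 16-byte transport header and a 16-byte Poly1305 tag to the 8-byte UDP header and the 20- or 40-byte outer IP header, which is where the 1420 default comes from: 1500 minus 80 for an IPv6 outer path), and it cross-checks the queue tree against the mangle table: every packet-mark a queue consumes should be produced by some mark-packet rule, and every interface in the LAN list should sit under a root queue. The EXPORT string is a constructed excerpt of the poster's export (same values, most rules omitted); the outer MTU figures in OUTER_MTUS are assumed illustration values, not measurements of the poster's links.

```python
"""Sanity checks for a RouterOS export that carries a WireGuard interface and a
mangle/queue-tree QoS setup. Added example; not code from the forum post."""
import shlex

# Constructed excerpt of the poster's export (same values, most rules omitted).
EXPORT = r"""
/interface bridge
add admin-mac=DC:2C:6E:3B:C7:89 auto-mac=no comment=defconf name=bridge.LAN \
    priority=0x1000
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard1
/queue tree
add bucket-size=0.01 max-limit=190M name=DOWN parent=bridge.LAN queue=default
add name="1. VOIP" packet-mark=VOIP parent=DOWN priority=1 queue=default
add name="3. ACK" packet-mark=ACK parent=DOWN priority=3 queue=default
add name="9. OTHER" packet-mark=OTHER parent=DOWN queue=default
add bucket-size=0.01 max-limit=20M name=UP parent=ether1 queue=default
add name="1. VOIP_" packet-mark=VOIP parent=UP priority=1 queue=default
/interface list member
add comment=defconf interface=bridge.LAN list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN
/ip firewall mangle
add action=mark-packet chain=prerouting connection-mark=VOIP new-packet-mark=\
    VOIP passthrough=no
add action=mark-packet chain=prerouting new-packet-mark=ACK packet-size=0-123 \
    passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=prerouting connection-mark=OTHER \
    new-packet-mark=OTHER passthrough=no
"""

# Outer MTUs to test the tunnel against: assumed illustration values, not
# measured on the poster's links ("lte-1428" is a hypothetical carrier setting).
OUTER_MTUS = {"ethernet-1500": 1500, "pppoe-1492": 1492, "lte-1428": 1428}

# Bytes WireGuard wraps around each inner packet: outer IP + UDP + the 16-byte
# transport header (type, receiver index, counter) + the 16-byte Poly1305 tag.
WG_OVERHEAD = {4: 20 + 8 + 32, 6: 40 + 8 + 32}


def parse_export(text):
    """Turn a RouterOS export into (menu, command, {key: value}) entries."""
    entries, menu, pending = [], None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):       # the export wraps long lines with a trailing backslash
            pending = line[:-1]
            continue
        pending = ""
        if not line:
            continue
        if line.startswith("/"):      # a menu path applies to the add/set lines below it
            menu = line
            continue
        tokens = shlex.split(line)    # honours the quotes around names like "1. VOIP"
        attrs = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        entries.append((menu, tokens[0], attrs))
    return entries


def wg_tunnel_mtu(outer_mtu, ip_version=4):
    """Largest inner packet one outer packet carries without fragmentation.
    WireGuard pads to 16 bytes but never past the interface MTU, so this bound is exact."""
    return outer_mtu - WG_OVERHEAD[ip_version]


def tcp_mss(tunnel_mtu, ip_version=4):
    """TCP MSS a host inside the tunnel should advertise (inner IP + TCP headers removed)."""
    return tunnel_mtu - (20 if ip_version == 4 else 40) - 20


def check_wireguard_mtu(entries, outer_mtus, ip_version=4):
    """Report each WireGuard interface whose MTU does not fit one of the outer paths."""
    findings = []
    for menu, _, a in entries:
        if menu == "/interface wireguard" and "mtu" in a:
            for path, outer in outer_mtus.items():
                fits = wg_tunnel_mtu(outer, ip_version)
                if int(a["mtu"]) > fits:
                    findings.append(f"{a['name']}: mtu {a['mtu']} > {fits} usable over {path}")
    return findings


def check_marks(entries):
    """Packet marks the queue tree consumes vs. marks that mark-packet rules produce."""
    consumed = {a["packet-mark"] for m, _, a in entries if m == "/queue tree" and "packet-mark" in a}
    produced = {a["new-packet-mark"] for m, _, a in entries
                if m == "/ip firewall mangle" and a.get("action") == "mark-packet"}
    return sorted(consumed - produced), sorted(produced - consumed)


def check_queue_roots(entries):
    """LAN-list interfaces that no root queue (a parent that is not itself a queue) covers."""
    lan = {a["interface"] for m, _, a in entries if m == "/interface list member" and a.get("list") == "LAN"}
    tree = [a for m, _, a in entries if m == "/queue tree"]
    names = {a["name"] for a in tree}
    roots = {a["parent"] for a in tree if a["parent"] not in names}
    return sorted(lan - roots)


if __name__ == "__main__":
    entries = parse_export(EXPORT)
    print("wireguard mtu:", check_wireguard_mtu(entries, OUTER_MTUS) or "fits every path")
    unproduced, unqueued = check_marks(entries)
    print("marks consumed but never produced:", unproduced or "none")
    print("marks produced but never queued:", unqueued or "none")
    print("LAN interfaces under no root queue:", check_queue_roots(entries) or "none")
```

On this excerpt the mark check comes back clean, the 1420 MTU fits the 1500 and 1492 paths over IPv4 (1440 and 1432 usable) and only fails the hypothetical 1428 one, and the root-queue check lists wireguard1, which is in the LAN list while DOWN is parented on bridge.LAN. The script only reports that structure; whether it has anything to do with the poster's 1 Mbps result is not something the post settles.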