MikroTik

Hello,

I’ve got a HexS connected to a WireGuard server with a route in place to force traffic over from a certain subnet, it works but it seems the speed maxes out at 100MB on download, it rarely goes above.

I have a 350MB download speed and can achieve this if not going across the VPN.

I have also noticed that when browsing websites across the VPN there can be some slow loading times.

I can ping out fine and don’t lose any packets, trace routes look fine as well.

I’ve turned fast track off, makes no difference.

Does anyone have any ideas as to why I get slow loading speeds when browsing and why I’m only being capped to around 100MB throughput? Is it just the capability of the HexS and it needs a more powerful router? The CPU doesn’t max out so I don’t think it’s this.

I have a WireGuard profile setup on my mobile phone and I can achieve full speed so I don’t think it’s the server on the other side that’s the bottleneck.

Has been a while but on my Hex (same CPU) if I recall correctly I never was able to get more then 80-90 Mbps.
You have to look at all cores of the CPU. If 1 maxes out, you've reached the limit.

As a reference: just this morning I did a test between AX3 and RB5009 using wireguard.
I was able to get 840-ish but 1 core on AX3 was close to 100%.
So nothing more could be achieved.

Keep in mind most modern smartphones have a CPU outperforming Hex(S) by a large margin.

Thanks for confirming, how was general web browsing for you? Mine does work but at times it can be stuck loading a page for a while when the CPU is barely being used.

Can't really say.
I rarely use WG for web browsing, mostly for data connections or remote management.

Mine does work but at times it can be stuck loading a page for a while when the CPU is barely being used.

You should make 2 rules for mtu clamp.
That is a cure for stuck.

Copy rules here (change the wireguard interface name):
viewtopic.php?t=200017

Thanks for confirming, how was general web browsing for you? Mine does work but at times it can be stuck loading a page for a while when the CPU is barely being used.

Do you adjust TCP MSS for packets traversing the tunnel? If you don't, some things might not work. Check out 9.D. in the Wireguard configuration guide.

I’ve turned fast track off, makes no difference.

There is a way to keep part of fasttrack with 2 simple rules:

If you have wan ip on ether1 ( without pppoe):
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related in-interface=bridge1 out-interface=ether1
add action=fasttrack-connection chain=forward connection-state=established,related in-interface=ether1 out-interface=bridge1

If you have pppoe:
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related in-interface=bridge1 out-interface=pppoe-out1
add action=fasttrack-connection chain=forward connection-state=established,related in-interface=pppoe-out1 out-interface=bridge1

This way allows exclude fasttrack for wireguard and keep fasttrack for "normal" wan internet traffic

Thanks everyone - it looks like implementing TCP MSS has fixed the problem for loading websites at the expected rate