What's new

Asuswrt-Merlin 388.1 - Wireguard site-to-site on 2xAX88U

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

The issue is that Wireguard is incompatible with broadcom nat hw accelleration and before the latest firmware release enabling wireguard completally turned off nat hw accelleration crippling all data to ~500Mbit, even to wan.
Asus/Broadcom developed this bypass that merlin ported in so only clients that uses wireguard would be crippled.
The problem is that it only works on lan source addresses, so if you are using destination based rules it may apply to all.

I dont even know if this is nessisary since you have turned off nat.

How is your vpn director rule? Did you put in source 192.168.2.0/24 there?

We could make a script that removes this entry automatically, but Im not sure we should. Or atleast you should test this extensively before we do it so there are no side effects.
 
Last edited:
Yes it works. Thanks
You can see the results in the last attachment

I put this rule (see attachment)

So the cap that you said before about 500 Mbit/s can be related to my VPN speed? (same value about 500 Mbit/s)
Is the Broadcom chipset the problem?

I'll test this change in the next days

Thanks
 

Attachments

  • Screenshot_20230606_235236_Chrome.jpg
    Screenshot_20230606_235236_Chrome.jpg
    39.4 KB · Views: 66
without the local ip (see attachment) same upload problem

I removed the rule with the command:
echo "del 192.168.2.0/24" >> /proc/blog/skip_wireguard_network
 

Attachments

  • rule.PNG
    rule.PNG
    10.4 KB · Views: 62
without the local ip (see attachment) same upload problem

I removed the rule with the command:
echo "del 192.168.2.0/24" >> /proc/blog/skip_wireguard_network
Alright, altough you could keep your rule without the local ip, it is the proper way imo.

Except from general router stability, up/download speed, keep an extra eye on the syslog in the gui. Lookout if it gets flooded with error about blog or similar. Try to provoke by sending/recieving large files over Wireguard.

Let me know when/if you are confident enough to make this entry removed on wg start.
 
Alright, altough you could keep your rule without the local ip, it is the proper way imo.

Except from general router stability, up/download speed, keep an extra eye on the syslog in the gui. Lookout if it gets flooded with error about blog or similar. Try to provoke by sending/recieving large files over Wireguard.

Let me know when/if you are confident enough to make this entry removed on wg start.
yes I'm ready. what should I do?
thanks
 
yes I'm ready. what should I do?
thanks

Code:
nano /jffs/scripts/wgclient-start

Populate with:
Code:
#!/bin/sh
echo "del 192.168.2.0/24" >> /proc/blog/skip_wireguard_network
Save & exit.

Make it executable:
Code:
chmod +x /jffs/scripts/wgclient-start

And you should be all set! Now the entry are removed each time any wg client starts, but beware, if you ever create more wg clients this entry is needed and you will get issues.

Just out of curiosity, what speeds are you reaching over vpn?
 
Just out of curiosity, what speeds are you reaching over vpn?

thanks!
the speed over WG vpn is about 500 mbit/s. the exact value of the broadcom limit
do you think it will improve with future updates?

Iperf result:

VPN OpenVpn [Router server - Router client] (Site to site)
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.00 sec 188 MBytes 158 Mbits/sec sender
[ 4] 0.00-10.00 sec 187 MBytes 157 Mbits/sec receiver

VPN WireGuard [Router server - win 10 software client]
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-30.00 sec 2.27 GBytes 650 Mbits/sec sender
[ 4] 0.00-30.00 sec 2.27 GBytes 650 Mbits/sec receiver

VPN WireGuard [Router server - Router client] (Site to site)
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-30.00 sec 1.60 GBytes 458 Mbits/sec
[ 4] 0.00-30.00 sec 1.60 GBytes 458 Mbits/sec

LAN (external web) no VPN

[ ID] Interval Transfer Bandwidth
[ 4] 0.00-30.00 sec 3.24 GBytes 927 Mbits/sec sender
[ 4] 0.00-30.00 sec 3.24 GBytes 927 Mbits/sec receiver
 

Attachments

  • vpn.PNG
    vpn.PNG
    25.1 KB · Views: 64
Last edited:
I see the all the top Asus router mount a Broadcom chipset.
Is the problem present on all models?

thanks
As the root issue is in hardware, Broadcom may update the hardware for future chipsets but for the current models we are stuck with this. Altough, how the bypass work may change in software and improve in order to isolate Wireguard communication better. This means our "fix" may be obsolete or need further tweaking whenever there is an firmware update.

I know that the nat hw acceleration have some different variations. it used to be called Archer on the older models, now it's FlowCache and Runner but I dont know how it differs between all router models but I know that the symptoms of this incompatibility ranges from log errors and poor speeds to craches or random reboots on different routers models.

https://github.com/ZebMcKayhan/WireguardManager#disable-flowcache
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top