Slow performance through Wireguard tunnel to LAN despite normal performance to WAN
-
Symptom: I can route WAN (internet) traffic through my pfSense firewall via a full-tunnel WireGuard connection from remote peers at nearly the full speed of my remote internet connection, i.e. speedtest.net reports speeds up to 300 Mbps on a fast remote connection or 100 Mbps on a remote Wi-Fi connection. Speedtest also reports that tests performed by remote peers are coming from my pfSense firewall's IP. I know Speedtest can be unreliable, but Steam downloads also reach 100 Mbps. These speeds are good, and they are definitely going through the WireGuard tunnel. However, iperf3 or SMB traffic from the same remote peers to LAN devices behind the same pfSense firewall is slow, around 32 Mbps (4 MBps) for SMB and 16 Mbps (2 MBps) or less for SMB. In fact, an iperf3 test to the firewall's own IP is equally slow, and servers on the LAN can talk to pfSense at gigabit speeds, so the problem seems to be in the firewall or my clients, not on the LAN.
I've experienced this same behavior from a Windows client and a GliNet portable router sending traffic from multiple clients to my pfSense firewall. An iOS peer actually seems to work better, with iperf tests reaching 100 Mbps, which matches that peer's internet speed test. Sadly I can't test SMB speed or other services very well on an iOS device.
Anybody know why internet/WAN speed would test well, and appear to actually work well over Wireguard, while traffic to LAN clients (at least the types of traffic I've tried to use/test) is slow?
-
Did you try changing MTU values for the WG interface?
I have a similar problem, but only with iperf3 testing with a Windows PC (SMB traffic is OK) on my 200/20 Mbps connection.
Desktop or Laptop (Windows)-----pfSense-----VPS (WG server): I get around 35/19 Mbits/s while testing with iperf3, but when downloading something from the VPS I get about 23MB/sec and uploading is 2.3MB/sec, so the problem is only with iperf3 testing.
Desktop(Windows with OMV on Hyper V)------------pfSense------VPS 195/19 Mbits testing with iperf3
My phone with Termux -------pfsense ------VPS 195/19 Mbits
-
Turns out I was seeing 2 separate problems, and neither of them was directly WireGuard or pfSense related. I did try tweaking MTU values but it didn't help, which makes sense now that I understand the cause of my problems...
First, I was using an out-of-date version of iperf3 on my remote Windows client. One of the mirrors for iperf3 lists the oldest builds at the top and newest at the bottom. I didn't realize this, so I practically had the oldest build.
Second, SMB inherently has poor performance over any VPN because it doesn't handle high latency well. Tom Lawrence has a great video discussing this limitation here: https://www.youtube.com/watch?v=LnDRZbTQv9I
I confirmed SFTP works at expected speeds. This is not as convenient as SMB on a Windows client, but it is usable with the right software, and it shows there wasn't actually anything wrong with my firewall or WireGuard setup.
-
Yes, the older version of iperf3 on Windows clients was to blame for low testing speeds.