Skynet Skynet Slow down with Wireguard server

[michael249478]

Hi

I try wireguard as VPN server. on GT-AXE16000. and merlin 3004.388.5_0

I have Qos Disabled

Without Skynet enabled, i can get up to 450mb on download and 600mb on upload

With Skynet enabled the bandwitch down to 234 on download and 530Mb on upload.

I tried to bypass the iptables raw table for wireguard interface, but it don't resolve this issue.

Someone already have the same issue ?

Best regards

 

[Viktor Jaep]

Hi

I try wireguard as VPN server. on GT-AXE16000. and merlin 3004.388.5_0

I have Qos Disabled

Without Skynet enabled, i can get up to 450mb on download and 600mb on upload

With Skynet enabled the bandwitch down to 234 on download and 530Mb on upload.

I tried to bypass the iptables raw table for wireguard interface, but it don't resolve this issue.

Someone already have the same issue ?

Best regards

Skynet takes a hit on your bandwidth if you're filtering inbound and outbound traffic... If you set it to only monitor inbound traffic, you can get much of that lost bandwidth back. But that comes with a price, because now it's also no longer able to filter countries outbound, or block devices from going to malware sites, etc.

 

[SomeWhereOverTheRainBow]

Hi

I try wireguard as VPN server. on GT-AXE16000. and merlin 3004.388.5_0

I have Qos Disabled

Without Skynet enabled, i can get up to 450mb on download and 600mb on upload

With Skynet enabled the bandwitch down to 234 on download and 530Mb on upload.

I tried to bypass the iptables raw table for wireguard interface, but it don't resolve this issue.

Someone already have the same issue ?

Best regards

@Viktor Jaep is right. Good luck with that, with the current way skynets firewall rules handle outbound exchanges you take a performance penalty hit due to the overhead of processing packets at a higher priority than just the flow of traffic itself. This penalty hit is more prevalent in weaker router CPU's. It is slightly less noticeable in newer AX/AX-Pro model routers--- more so less noticeable in the AX-Pro models. In contrast, it ensures your outbound blocks are given priority as the first action. Maybe you can bring @Adamm back to the scene by convincing him that there are inbound considerations that should be taken with the firewall when considering the routers local services (e.g. dhcp, dns, ntp, etc) , and there are outbound situations that need to be considered when balancing performance with security. The Addon landscape has changed significantly in regards to services which are available since @Adamm developed skynet. There is alot more that skynet blocks, than was intially considered in its original design (including unbound dns traffic which should take priority over block rules). Not to mention, if you enable ipv6-- there is no skynet considerations given. With the newer generation of supported Asuswrt-Merlin AX routers, the firewall rules for skynet can be adapted to support ipv6 with the way it is currently handled; however, this cannot be adapted for older AC routers because of the limited ipv6 firewall rules support. A different blocking technique would have to be adapted for AC models over IPV6. Currently, Skynet does not consider ipv6, so enabling ipv6 actually creates a network security weakness since ipv6 is growing more and more widespread.

Alas, I cannot argue with anyone here about skynets ability to block. It is super great at being able to block. That is not necessarily the concern. The question is, does it block too much and introduce a performance penalty doing such. With each user case, your mileage may vary.