DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2865 WAN performance limits

02 Jun 2021 13:12 #1 by pharcyder
2865 WAN performance limits was created by pharcyder
Hi all,

I have a 2865ac connected via WAN2 to a symmetrical gigabit connection. All ethernet attached clients on the LAN achieve the full speed of the internet link no problem.

I have a server internally that I forward port 443 to for HTTPS traffic (private cloud). I also have a firewall rule using Country Objects to block all source IPs except from those inside the UK to reduce risk exposure.

My problem is WAN throughput to this server. I can't achieve any more than 200-250Mb/sec over the WAN. If I go to the server directly on its internal IP, it is 920Mb/s no problem. Even when accessing my server via the WAN IP (i.e. NAT loopback) I get the same 200Mb-250Mb/s max throughput. If I turn off the firewall on the router, I can get the throughput closer to 300Mb/sec. I also notice the CPU of the router rising to 90% during transfers.

All signs point to some cap or limitation in the router but the product page for the 2865 says:

Performance
NAT Performance:
100 Mb/s Max Sync Rate with VDSL2
300 Mb/s Max Sync Rate with VDSL2 35b
950 Mb/s NAT Throughput for Ethernet WAN with Hardware Acceleration
1.3Gb/s Total Multi-WAN NAT Throughput
800 Mb/s NAT Throughput per WAN without Hardware Acceleration
60,000 NAT Sessions
8000 Hardware Accelerated NAT Sessions

Any ideas?

02 Jun 2021 15:11 #2 by admin3
Replied by admin3 on topic Re: 2865 WAN performance limits
What's the performance from another Internet connection? I'm not sure the performance figures account for NAT loopback, which may be slowing things down due to the additional complexity.

Some suggestions I have are:
1. Update to 4.3.1 BT once that's available in a couple of days
2. Turn on Hardware Acceleration, enable it for NAT TCP/UDP traffic
3. Try disabling WAN1 to see if that improves hardware acceleration - I'm not sure if this is still necessary with the 2865, but it helped the 2860/2862
4. Check the MTU is correct for the WAN, probably 1500, but you can use the test Path MTU discovery feature in the WAN2 settings to find the right value
5. One last thing to try, put a switch in between WAN2 and the Gigabit connection to see if that makes a difference.



Forum Administrator

02 Jun 2021 15:44 #3 by pharcyder
Replied by pharcyder on topic Re: 2865 WAN performance limits
Thanks for the feedback. Good to know NAT Loopback is not a valid test as I thought it would be indicative of WAN performance. Clearly not.

Performance from another gigabit line was also around 250Mb/s but one of your suggestions appears to have made a positive difference:

1. Currently running 4.3.1_RC6_BT (due to ongoing wireless Mesh issues with an AP903 just flat out not working with the router as the mesh root).
2. That's been on the whole time. Does it matter that that's on for IPsec traffic too? (I do have an IKEv2 VPN running too).
3. This helped a lot. When repeating speed tests (Open SpeedTest) from another Internet connection, I'm now seeing 550Mb/s upstream and that was via a client on another GbE line over WiFi6! (can't test wired yet).
4. It was set at 1492 but after running a detect against 8.8.8.8, the recommendation is 1476 which is now what it's set at. This doesn't appear to have made any positive or negative difference however.
5. Another interesting suggestion, I will try that out.

Disabling WAN1 has made a big difference though - over 50% improvement.

02 Jun 2021 16:40 #4 by admin3
Replied by admin3 on topic Re: 2865 WAN performance limits
Thanks for trying that, that's great news that it's helped so much already.

4.3.1 RC6 is basically the same as the release so you don't need to update just yet :)

Given that helped you, I think we should see if there can be an article on Hardware Acceleration and conditions that can slow it down.



Forum Administrator

02 Jun 2021 17:03 #5 by pharcyder
Replied by pharcyder on topic Re: 2865 WAN performance limits
Great idea. The Knowledge Base is a goldmine of configuration guides as the Manual leaves a fair bit to be desired in my experience.

Incidentally I also seem to be hitting a 200Mb/s performance cap using NordVPN LAN-to-LAN config - it's been set up using the DrayTek documented NordVPN IKEv2 EAP guide.
https://www.draytek.co.uk/support/guides/kb-vpnservice-nordvpn

The tunnel works as expected but even with Hardware Acceleration on for IPsec traffic, performance tops out at 200Mb/s upstream and downstream over the tunnel. Not sure if this is a 2865 challenge or whether it's Nord's end. However when I use a NordApp on my desktop to establish a tunnel, I get 750Mb/s so this would suggest their UK servers can handle something much faster than 200Mb/s.

My understanding is that an IKEv2 tunnel should be eligible for IPsec hardware acceleration by DrayOS, right? I see the router's CPU completely pegged when running a speedtest down the tunnel to Nord in a similar behaviour to NAT loopback tests.

11 Jun 2021 09:09 #6 by admin3
Replied by admin3 on topic Re: 2865 WAN performance limits
I've taken a look into what might cause the slow performance with an IKEv2 VPN and apparently it's because although IPsec VPNs are accelerated, in current firmware that's only for routed VPN connections.

We've asked that that be improved to include NATted IPsec connections too, to give better performance with VPN services.



Forum Administrator
