pfSense - Wireguard tunnel gives good performance to WAN but bad for LAN devices

Symptom: I can route WAN (internet) traffic through my pfSense firewall via a full-tunnel Wireguard connection from remote peers at nearly the full speed of my remote internet connection, i.e. speedtest.net reports speeds up to 300 Mbps on a fast remote connection or 100 Mbps on a remote wifi connection. Speedtest also reports that tests performed by remote peers are coming from my pfSense firewall’s IP. I know Speedtest can be unreliable, but Steam downloads also reach 100 Mbps. These speeds are good, and they are definitely going through the wireguard tunnel. However, iperf3 or SMB traffic from the same remote peers to LAN devices behind the same pfSense firewall is slow, around 32 Mbps (4 MBps) for SMB and 16 Mbps (2 MBps) or less for iperf3. In fact, an iperf3 test to the firewall’s own IP is equally slow, and servers on the LAN can talk to pfSense at gigabit speeds, so the problem seems to be in the firewall or my clients, not on the LAN.

I’ve experienced this same behavior from a Windows client and a GliNet portable router sending traffic from multiple clients to my pfSense firewall. An iOS peer actually seems to work better, with iperf tests reaching 100 Mbps, which matches that peer’s internet speed test over the same connection. Sadly I can’t test SMB speed or other services very well on an iPhone.

Anybody know why internet/WAN speed would test well, and appear to actually work well over Wireguard, while traffic to LAN clients (at least the types of traffic I’ve tried to use/test) is slow?

Could be MTU issues. Try setting the MSS value on the LAN interface to something like 1280 and see if that makes a difference.
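The arithmetic behind that MTU/MSS suggestion, as an added example that is not part of the thread: it computes the largest inner packet a WireGuard tunnel can carry without fragmenting the outer UDP datagram, the TCP MSS that fits inside it, and whether a given clamp value is safe. It generalizes beyond the thread to IPv4 or IPv6 on either side of the tunnel. The header sizes are protocol constants; the assumption that pfSense applies its interface MSS field as "entered value minus 40" follows the help text next to that field.

```python
# Added example (not from the thread): MTU / MSS arithmetic for a WireGuard tunnel.
# Header sizes are protocol constants; the pfSense "minus 40" rule is an assumption
# taken from the interface MSS field's help text.

IPV4_HEADER = 20
IPV6_HEADER = 40
UDP_HEADER = 8
TCP_HEADER = 20                   # without TCP options
WG_OVERHEAD = 4 + 4 + 8 + 16      # type, receiver index, nonce counter, Poly1305 tag


def ip_header(family: int) -> int:
    """Fixed IP header size for address family 4 or 6."""
    if family == 4:
        return IPV4_HEADER
    if family == 6:
        return IPV6_HEADER
    raise ValueError(f"unsupported address family {family}")


def wireguard_tunnel_mtu(outer_mtu: int, outer_family: int = 6) -> int:
    """Largest inner packet that fits one outer datagram without fragmentation.

    wg-quick's default of 1420 is this value for a 1500-byte path assuming an
    IPv6 outer header (the worst case); over IPv4 the tunnel could carry 1440.
    """
    return outer_mtu - ip_header(outer_family) - UDP_HEADER - WG_OVERHEAD


def tcp_mss_for_mtu(mtu: int, inner_family: int = 4) -> int:
    """TCP payload per segment that fits inside a packet of the given MTU."""
    return mtu - ip_header(inner_family) - TCP_HEADER


def pfsense_mss_field_to_mss(field_value: int) -> int:
    """pfSense enters the interface MSS like an MTU and clamps to value - 40 (assumption)."""
    return field_value - 40


def outer_datagram_size(mss: int, inner_family: int = 4, outer_family: int = 6) -> int:
    """Size on the wire of one TCP segment of `mss` payload after WireGuard encapsulation."""
    return (mss + TCP_HEADER + ip_header(inner_family)
            + WG_OVERHEAD + UDP_HEADER + ip_header(outer_family))


def clamp_is_safe(clamp_mss: int, outer_mtu: int = 1500,
                  outer_family: int = 6, inner_family: int = 4) -> bool:
    """True if segments clamped to clamp_mss never need fragmenting on the outer path."""
    return outer_datagram_size(clamp_mss, inner_family, outer_family) <= outer_mtu


if __name__ == "__main__":
    # Constructed scenario: 1500-byte outer path, IPv4 traffic inside the tunnel.
    tunnel_mtu = wireguard_tunnel_mtu(1500, outer_family=6)
    print(f"tunnel MTU (IPv6 outer):      {tunnel_mtu}")             # 1420
    print(f"TCP MSS that fits (IPv4 in):  {tcp_mss_for_mtu(tunnel_mtu)}")  # 1380
    default_lan_mss = tcp_mss_for_mtu(1500)                          # 1460, unclamped LAN host
    print(f"unclamped LAN MSS {default_lan_mss} -> outer size "
          f"{outer_datagram_size(default_lan_mss)} (fits: {clamp_is_safe(default_lan_mss)})")
    clamped = pfsense_mss_field_to_mss(1280)                         # 1240
    print(f"pfSense field 1280 -> MSS {clamped} (fits: {clamp_is_safe(clamped)})")
```

Run it and the unclamped case shows why clamping is suggested: a LAN host negotiating a 1460-byte MSS produces 1580-byte outer datagrams over an IPv6 path, which exceed 1500 and must be fragmented or dropped, while a clamp of 1240 leaves headroom. The example does not settle whether MTU was the cause in this thread; the later replies show it was not.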

Good suggestion, didn’t help unfortunately. I did see talk about MTU/MSS tweaks when I searched for info about poor wireguard performance, and I’d also tried tweaking the MTU settings for the Wireguard tunnel itself. Unfortunately that didn’t help either. The confusing part is the WAN interface has the same settings as the LAN (MTU 1500, no separate MSS setting) but I was able to access websites at the full speed I expected.

What’s the theoretical upload speed of your WAN?
Are you using pppoe?

My main site WAN is on a 300 Mbps up/down plan; in practice it can be as high as 1 Gbps up/down. So maxing out my remote site’s WAN speed, like the 100-300 Mbps I can see on a speedtest website, sounds about right.

My remote WAN connections have slower upload speeds, but running iperf3 in either direction (my understanding is the default would be upload from the remote client, and reverse is download to the remote client) seems to be equally slow; download isn’t much better than upload, and both speeds are even slower than my remote WAN upload speed.

Edit: main site WAN is DHCP, not PPPoE. Unsure about the remote connections, but I’ve seen this behavior from multiple networks on both cable and fiber connections, so I expect at least one of them was not using PPPoE but still had this issue.

Well, it turns out I was using an outdated version of iperf3 on my Windows client. Oops. All looks good now. The only remaining question is why my SMB speeds are so poor, but I can probably find more info on that specifically now that I know what the specific problem is.

EDIT: And it turns out, SMB is never going to work well over a high-latency connection. https://www.youtube.com/watch?app=desktop&v=LnDRZbTQv9I

SFTP isn’t quite as convenient, but it will have to do for moving lots of data over my VPN.