Low speed and high latency in VPN wireless AP mode

This is a Netis N6 with various snapshots, including yesterday's. I'm also unable to connect anything to the router via wire - the port shows a link and there's a small amount of activity, but it is not serving an IP to the host that's plugged in.

The connection works at normal speed if i use it via a similarly specced router in a different subnet and without the 200-500 latency. Im using speedtest-cli to check the latency.

Not sure whats happening here and need some help figuring it out. The networking and firewall settings seem normal. The wireless is set to AP mode. The vpn is Zerotier. Changing the exit point to another location shows similar behavior.

Please help me figure this out. Here are some relevant settings:


# DHCP/DNS settings as posted: one dnsmasq instance, DHCP pools for 'lan' and 'wan', and odhcpd.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	# Rebind protection discards upstream DNS answers that point into private address ranges.
	option rebind_protection '1'
	# Still permits 127.0.0.0/8 answers from upstream while rebind protection is on.
	option rebind_localhost '1'
	# NOTE(review): 'local' covers /lan/ while 'domain' below is 'lan3'. The two do not match,
	# so names under lan3 are presumably not held back from upstream resolvers - confirm which is intended.
	option local '/lan/'
	option domain 'lan3'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	# Answer DNS only for clients on directly attached subnets.
	option localservice '1'
	option ednspacket_max '1232'

# Address pool for the 'lan' interface: DHCPv4, DHCPv6 and router advertisements are all served.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	# force: keep serving DHCP here even when another DHCP server is seen on the segment.
	option force '1'

# No DHCP service is offered on the 'wan' interface.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	# maindhcp '0': odhcpd is not the primary DHCPv4 server.
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

- bunch of clients here -  


# Firewall settings as posted: default policies, three zones (lan, wan, vpn), the
# forwardings between them, and per-protocol accept rules.
config defaults
	option syn_flood '1'
	# Traffic that matches no zone or rule is rejected on input and forward.
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# lan zone: fully trusted - input, output and intra-zone forwarding are all accepted.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# wan zone: untrusted - unsolicited input and forwarding are rejected, outbound traffic
# is masqueraded, and TCP MSS clamping (mtu_fix) is enabled.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

# Rules below that set 'src' but no 'dest' apply to traffic addressed to the router itself.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# MLD is accepted only from link-local sources (fe80::/10).
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 to the router from wan, rate-limited to 1000 packets per second.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 forwarded from wan to any zone (dest '*'), with the same rate limit.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# The next two rules forward ESP and UDP/500 from wan into lan.
# NOTE(review): if no IPsec endpoint sits behind this router, these openings are unused
# and could be dropped - confirm before removing.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# src '*' with no dest: UDP/9993 addressed to the router is accepted from every zone, wan included.
# No 'family' is set, so the rule is not restricted to IPv4 or IPv6.
# NOTE(review): lan and vpn already accept all input, so src 'wan' would presumably give the
# same reachability with a narrower rule - confirm.
config rule
	option name 'Allow-ZeroTier-Inbound'
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '9993'

# vpn zone: as trusted as lan. input 'ACCEPT' lets any peer on the attached ZeroTier network
# reach services on the router itself, and traffic leaving through this zone is masqueraded.
# NOTE(review): the exposure depends on who is authorized on that ZeroTier network. If peers
# are not all fully trusted, input 'REJECT' plus explicit rules would be the tighter setup.
config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'ZeroTier'

# VPN peers may initiate connections to hosts in lan.
config forwarding
	option src 'vpn'
	option dest 'lan'

# VPN peers may send traffic out through this router's wan uplink.
config forwarding
	option src 'vpn'
	option dest 'wan'

# lan hosts may reach the VPN.
config forwarding
	option src 'lan'
	option dest 'vpn'


# Network settings as posted: loopback, the br-lan bridge, wan via DHCP, and the ZeroTier device.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	# ULA prefix redacted by the poster.
	option ula_prefix '-------------::/48'
	option packet_steering '1'

# LAN bridge over the four switch ports, with spanning tree and IGMP snooping enabled.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	# With STP on, a port does not forward traffic immediately after link-up.
	option stp '1'
	option igmp_snooping '1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.100.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

# Unmanaged interface (proto 'none') bound directly to the ZeroTier device (name redacted).
# This is the network the firewall's 'vpn' zone refers to.
config interface 'ZeroTier'
	option proto 'none'
	option device 'zt---------'

# NOTE(review): this bridge lists the same zt device as a port, yet no interface shown here
# uses 'br-ZeroTier'. The zt device is therefore both a bridge port and directly assigned
# above - confirm this is intended.
config device
	option name 'br-ZeroTier'
	option type 'bridge'
	list ports 'zt---------'


# Wireless settings as posted: a disabled 2.4 GHz radio and an active 5 GHz radio, each with one AP.
config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option band '2g'
	option channel '1'
	option htmode 'HE20'
	# The radio is switched off, so the AP defined below is not currently broadcast.
	option disabled '1'

# Unencrypted AP with the stock SSID, attached to 'lan'.
# NOTE(review): it is inert only because radio0 is disabled. Enabling the radio without first
# setting encryption would expose the lan network through an open AP.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
	option band '5g'
	option channel '36'
	option htmode 'HE80'
	option cell_density '0'

# Active 5 GHz AP on 'lan', WPA2-PSK (key redacted by the poster).
# NOTE(review): if every client supports it, 'sae' or 'sae-mixed' would be the stronger choice - confirm.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'btoehlpa'
	option encryption 'psk2'
	option key '-------------------------------------'
	# AP-side workaround for key-reinstallation attacks against unpatched clients.
	# It can make handshakes less robust on lossy or busy links.
	option wpa_disable_eapol_key_retries '1'
	# Wireless clients of this AP cannot talk to each other directly.
	option isolate '1'

If you enable STP you must wait some time until the port starts forwarding, including DHCP.


Right, this would be why it wouldn't connect yesterday - I just noticed the wired client has an address now. Thank you. The description of the Spanning Tree Protocol makes me wonder why it's not turned on by default...

Is there a log that would show why speed and latency are so affected? It seems like its somehow bouncing around with that latency - like something with the routing.

Ideally zt or wg still adds a few ms of latency. Make sure rudimentary QoS like codel or fifo is attached to the innermost VPN interface; there is not much gain in having it handle only the physical interface, with literally one stream visible. The same applies to your VPN provider.


I dont remember ever needing any qos installed or having any issue like this with another router.

I don't have any others like it running the snapshots, but attaching the same host to a simulated (using two NICs / 3 ports) OpenWrt x86 with yesterday's snapshot gives me the full requisite 100 Mbps instead of the 10 I'm getting through the Netis.

I should mention that my network is very translated - its the third router, theres no VLAN.

7621 can reach 100Mbps vpn, but not more.

I got 130-140 Mbps top speed on AX23 over 5 GHz wifi and LAN. But then it is finito.


That is still x10 times faster than the 7-10 im getting at the moment.

Almost sounds like a cable/port issue, if you are only getting up to 10 Mbps. Or does the speed only drop if the VPN is enabled/used?

The port looks fine, heres some tests from a phone connected to the router.

Red/unmarked = default route set on the router
Blue = default set on phone connected to the router without default set
Green = no idea why thats like that
205/159 = no vpn, line speed for me

Your VPN provider is oversubscribed.