WAN upload speed troubleshooting advice

Hi everyone

I'm looking for some greatly appreciated troubleshooting advice as I just can't seem to figure it out with my limited networking knowledge.

I'm running a media server (Jellyfin) on a Raspberry Pi 4 (let's call it device A) on a 1 Gbit ethernet connection using docker and SWAG (NGINX) behind a R7800 router using Hnyman's OpenWrt 21.02-SNAPSHOT r16328-f441be3921 build.

I use a docker image to speedtest the connections to the server. Using an ethernet connection I can use a local PC (device B) to reach it with speeds of approximately 500 mbit which is what I'd expect and the media server works really well.

Both device A and device B have good internet speeds when tested separately but when I try to approach the server from outside the network through DDNS I only get 60 mbit speeds (tested on multiple devices that have well over 100 mbit internet speeds). These speeds seem to not improve when tested over a wireguard connection to the router instead of using port forward/NGINX. Although I guess I can't expect full speeds due to the CPU limitations on the router while processing wireguard encryption I do get speeds of approx. 100 mbit using wireguard as a client otherwise.
When using device B to approach device A using the DDNS address rather than the local IP the speed also drops to 60 mbit (speedtest says the connecting IP is the router's IP 192.168.1.1 rather than device B's IP itself in that case).

In summary:
Device A: 200-400 mbit WAN upload/download
Device B: 200-400 mbit WAN upload/download
Device B to device A using local IP address: 500 mbit upload/download
Device B to device A using DDNS address: only 60 mbit upload/download
External access to device A through DDNS and port forward only 60 mbit
External access to device A through wireguard reaches only 60 mbit

I'm trying to figure out where it bottlenecks and causes such a loss of speed when accessing from the outside and how to troubleshoot this. I'm using port forward and VPN policy based routing to forward to device A but as mentioned an external wireguard approach also causes a loss of speed. Below are some relevant parts of configs but let me know what other parts you'd need to troubleshoot:

Firewall
config redirect
	option target 'DNAT'
	option name 'Allow-Pi-Nginx-HTTP'
	list proto 'tcp'
	option src 'wan'
	option src_dport '80'
	option dest 'lan'
	option dest_ip '192.168.1.150'
	option dest_port '80'

config redirect
	option target 'DNAT'
	option name 'Allow-Pi-Nginx-HTTPS'
	list proto 'tcp'
	option src 'wan'
	option src_dport '443'
	option dest 'lan'
	option dest_ip '192.168.1.150'
	option dest_port '443'

Policy Based Routing
config policy
	option name 'local-ignore'
	option interface 'ignore'
	option dest_addr '192.168.0.0/16 172.16.0.0/12 10.0.0.0/8'

config policy
	option interface 'wan'
	option src_port '80 443'
	option src_addr '192.168.1.150'
	option name 'pi-nginx'

config policy
	option name 'lan-wgclient'
	option interface 'wgclient'
	option src_addr '192.168.1.128/25'

config policy
	option name 'wgserver-wgclient'
	option src_addr '172.16.1.128/25'
	option interface 'wgclient'

config policy
	option name 'dns-wgclient'
	option dest_addr '<redacted>'
	option chain 'OUTPUT'
	option interface 'wgclient'

config vpn-policy-routing 'config'
	option verbosity '2'
	option src_ipset '0'
	option dest_ipset '0'
	option resolver_ipset 'dnsmasq.ipset'
	option ipv6_enabled '0'
	option iptables_rule_option 'append'
	option procd_reload_delay '1'
	option webui_sorting '1'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'all'
	option enabled '1'
	option webui_enable_column '1'
	option webui_chain_column '1'
	option webui_show_ignore_target '1'
	option boot_timeout '30'
	option strict_enforcement '0'
	list ignored_interface 'wgserver'
	list ignored_interface 'wgguest'
	option webui_protocol_column '0'

Thank you all for your advice

Have you tested:

  • External access to device A addressed via public IPv4 address and port forward
  • External access to device A addressed via public IPv6 address and port forward

I only use IPv4 as the IPv6 WAN has been disabled. I can't imagine such a speed difference between the two as the difference should only be minimal anyway between 4 and 6?