NordVpn extremely slow

Hello,
I am new to RouterOS as I bought a hAP AC2 a few days ago. I set up the basics and I wanted to get a VPN. I followed these instructions:
https://support.nordvpn.com/Connectivity/Router/1360295132/Mikrotik-IKEv2-setup-with-NordVPN.htm / https://wiki.mikrotik.com/wiki/IKEv2_EAP_between_NordVPN_and_RouterOS
Everything except adding the identity went smoothly (I don’t know what was wrong with the identity, but I added it manually)… and I got the connection, but it is unbelievably slow. It does not even load most pages.

My question is what did I do wrong or what else should I do that is not mentioned in the tutorials I followed?

Apparently you have to remove IPSEC from fasttrack rules - http://forum.mikrotik.com/t/privateinternetaccess-com-ipsec-ike2-config-with-port-forwarding/131568/1
To summarise;

#Mangle rules to identify IPSEC traffic
/ip firewall mangle add action=mark-connection chain=forward ipsec-policy=out,ipsec new-connection-mark=ipsec
/ip firewall mangle add action=mark-connection chain=forward ipsec-policy=in,ipsec new-connection-mark=ipsec

If you have a fasttrack rule already, under General, set Connection Mark to (!) ipsec. Or, to add the rule:

/ip firewall filter add action=fasttrack-connection chain=forward connection-mark=!ipsec connection-state=established,related

Made a huge difference to my connection.

I know this post is over a year old, but I am having the exact same problem. I tried the Mangle rules to bypass fast track for ipsec traffic and it made little to no difference. I have tried it both on my Audience at home and my RB951G-2HnD at work with the same result. Has anyone been able to resolve this?

Search this forum for ‘mss fix’, that is probably it.

Fasttrack should be off; first check by just disabling all fasttracking.

NordVPN has trouble sending back ICMP 3-4 on some servers, and then this won’t help, but it is always good to have.

http://forum.mikrotik.com/t/mtu-troubles-using-ikev2-providers-like-nordvpn-work-around/135154/46

You can set the MTU manually but my money is on the fasttracking with you.

Thanks for the suggestion, but disabling fast track altogether didn’t seem to make any difference. What’s weird is Google comes right up along with some other websites, but many others including DuckDuckGo won’t load at all. Again, same results on both home and work routers. Different ISPs and everything. I tried this, which was suggested by Sindy in the link you posted as an alternative for the MTU issue, but it didn’t seem to help either.

/ip ipsec policy
move *ffffff destination=0
add action=none dst-address=192.168.88.0/24 src-address=0.0.0.0/0 place-before=1

I don’t have an absolute need to use NordVPN at the router level but it would have been nice. The Android and Linux apps seem to work well enough.

I mentioned this and NordVPN did come to me on this.
http://forum.mikrotik.com/t/nordvpn-troubles/151544/9

I have set to new-mss=1372 but you might start at 1232 and increase from there.

The line in /ip ipsec policy normally catches all ICMP 3-4 and conveys them to the correct client. The problem is with NordVPN: some servers don’t let through the returning ICMP 3-4 and we have to force a fixed MTU in mangle.
After this I had no problems anymore, but it was working before without setting a fixed MTU.

Thanks. I’m not very well versed with mangle. I gather that this line is changing the mss to 1372 if it has previously been given the connection mark “NordVPN”? If so, how do I get it marked in the first place? Sorry for the dumb question…

add action=change-mss chain=postrouting connection-mark=NordVPN connection-state=new log-prefix=MSS new-mss=1372 passthrough=yes protocol=tcp tcp-flags=syn

This is possible when you use option 2 of the setup. I don’t know if you point traffic to NordVPN based on IP address or connection mark.

https://wiki.mikrotik.com/wiki/IKEv2_EAP_between_NordVPN_and_RouterOS#Option_2:_Accessing_certain_addresses_over_the_tunnel

You can also see if and what connection mark is used by your setup by looking at the top line in NAT when you are connected to NordVPN.

If you use IP address then you should filter in my line on that source IP address.

Awesome! Thanks for the clearer explanation. Everything works great now including Duck Duck Go. I was pointing traffic based on an IP address list, so I changed your line to:

add action=change-mss chain=postrouting src-address-list=local connection-state=new log-prefix=MSS new-mss=1372 passthrough=yes protocol=tcp tcp-flags=syn

Have fun with the working VPN and let’s hope NordVPN will fix it soon and the line can be deactivated again.

No one mentioned my guide?

http://forum.mikrotik.com/t/nordvpn-ipsec-ikev2-killswitch-for-ros6/144817/1

The only reason why NordVPN could be slow is because of MSS/MTU size issues. All mentioned in the guide.

I would have done. However, the cause lies solely with NordVPN, which has some servers that do not send through ICMP 3-4.
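
Added example, not part of the thread or of any poster's configuration: when ICMP 3-4 never comes back, the usable packet size can be measured instead of guessed by binary-searching DF-flagged pings, and the MSS for the change-mss rule derived from it. The function names, the `local` address list default, the placeholder hostname and the simulated path MTU of 1412 are assumptions made for this sketch; `ping_df` assumes Linux iputils `ping`.

```python
import subprocess

IP_HDR, ICMP_HDR, TCP_HDR = 20, 8, 20  # IPv4 header sizes without options


def ping_df(host, packet_size, timeout_s=1):
    """One IPv4 echo with DF set (Linux iputils ping); True if a reply came back."""
    payload = packet_size - IP_HDR - ICMP_HDR
    cmd = ["ping", "-4", "-c", "1", "-W", str(timeout_s),
           "-M", "do", "-s", str(payload), host]
    done = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return done.returncode == 0


def largest_packet(probe, lo=576, hi=1500):
    """Binary-search the largest IP packet size for which probe(size) succeeds."""
    if not probe(lo):
        return None  # even small packets fail, so this is not an MTU problem
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def mss_for(packet_size):
    """TCP MSS that fits in one unfragmented IPv4 packet of this size."""
    return packet_size - IP_HDR - TCP_HDR


def clamp_rule(mss, address_list="local"):
    """Mangle rule in the form used in the thread, with the measured MSS."""
    return ("/ip firewall mangle add action=change-mss chain=postrouting "
            f"src-address-list={address_list} connection-state=new new-mss={mss} "
            "passthrough=yes protocol=tcp tcp-flags=syn")


def simulated_tunnel(path_mtu):
    """Constructed stand-in for a path that silently drops oversized packets."""
    return lambda size: size <= path_mtu


if __name__ == "__main__":
    # Offline demo; the path MTU of 1412 is a constructed value, not a measurement.
    size = largest_packet(simulated_tunnel(1412))
    print(size, mss_for(size))
    print(clamp_rule(mss_for(size)))
    # Live use from a LAN client routed through the tunnel (placeholder hostname):
    # largest_packet(lambda s: ping_df("test-host.example", s))
```

Run the live probe from a client whose traffic actually goes through the tunnel; a timeout and a local "message too long" error both count as failure, which is what matters when the far end stays silent.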