I have an RB750G with RouterOS 4.10. It's set up with 2 PPP connections:
1. ppp-isp - PPPoE connection through a Netgear modem configured as a bridge
2. ppp-eu - PPTP connection to StrongVPN
The PPTP connection performs poorly and inconsistently. I have a 2Mb link, and I get throughput rates of between 60 and 100kBps (though it varies quite a lot - I might get 140 for a while, then it drops to 50, etc).
If I disable the PPTP connection on my router and establish it directly from my PC, I get full line speed - up to 230kBps.
The PPPoE connection MTU is 1480. The PPTP connection MTU is set to 1450 (as recommended by StrongVPN).
I have about 20 firewall rules and about 10 mangle rules routing various bits of traffic over the appropriate connection, but I've tried removing all of them and it's no different.
ppp-isp sets the default route when it comes up. ppp-eu is the routing mark for a custom route that uses the ppp-eu connection.
The mangle rule that routes my traffic over the VPN is:
Chain: Prerouting
Src. address list: vpn-all (which contains IPs of everyone to route over VPN)
Action: routing mark: ppp-eu
Any suggestions for what I can look at to diagnose this?
Is there a possible scenario where ICMP control packets aren't going where they should? I don't have any rules that specifically target ICMP.
My firewall config is below. All the port knock rules are just a way to add and remove people from the vpn address lists.
Code:
    [admin@MikroTik] > /ip firewall nat print
    Flags: X - disabled, I - invalid, D - dynamic
     7   ;;; Port knock: route all through VPN
         chain=input action=add-src-to-address-list protocol=tcp address-list=vpn-all address-list-timeout=0s in-interface=ether1-local-master dst-port=10242

     8   ;;; Port knock: route all through VPN - remove from vpn-web
         chain=input action=add-src-to-address-list protocol=tcp src-address-list=vpn-web address-list=vpn-web address-list-timeout=1s in-interface=ether1-local-master dst-port=10242

     9   ;;; Port knock: route web through VPN
         chain=input action=add-src-to-address-list protocol=tcp address-list=vpn-web address-list-timeout=0s in-interface=ether1-local-master dst-port=10241

    10   ;;; Port knock: route web through VPN - remove from vpn-all
         chain=input action=add-src-to-address-list protocol=tcp src-address-list=vpn-all address-list=vpn-all address-list-timeout=1s in-interface=ether1-local-master dst-port=10241

    11   ;;; Port knock: stop routing through VPN - remove from vpn-all
         chain=input action=add-src-to-address-list protocol=tcp src-address-list=vpn-all address-list=vpn-all address-list-timeout=1s in-interface=ether1-local-master dst-port=10240

    12   ;;; Port knock: stop routing through VPN - remove from vpn-web
         chain=input action=add-src-to-address-list protocol=tcp src-address-list=vpn-web address-list=vpn-web address-list-timeout=1s in-interface=ether1-local-master dst-port=10240

    13   ;;; Allow all from LAN
         chain=input action=accept src-address=192.168.1.0/24
Yes, very simple solution - do NOT route all traffic thru tunnels that are 20 hops away.
My strongvpn endpoint is 9 hops away. Also, distance wouldn't explain why I get line-speed through it when connected from my PC, but 50% or less through RB.
I think you should further reduce MTU to 1440 on the PPTP interface, just to be sure (I always use MTU size of host interface - 40 bytes). Also, instead of playing around with routing marks try to only set a host route on the PPPoE interface towards the strongvpn IP, and then let the PPTP client create a default route. If that solves your problems maybe there is a problem with the marks you're setting.
Thanks for the suggestion. I suspect StrongVPN forces it down to 1400 at connection time anyway. After some more searching I did find some suggestions that the "change TCP MSS" setting in ROS is pretty ineffective, and as a result have tried creating my own change MSS rules.
It's running much better now, but I'm trying to tweak the setting for the ideal change MSS rule.
My PPPoE MTU is 1492 so I'm setting MSS to 1492 - 40 = 1452. My PPTP MTU is 1400 so I've set the change MSS rule for that connection to 1360. Is that the ideal setting? Browsing is much better with that but I'm still only getting about 40% of connection speed when downloading anything over the VPN.
I have the same problem with StrongVPN. Could you explain the exact settings for MTU and MSS that worked for you? I am confused about PPPoE and PPTP MTU and MSS.
Now I have the default MTU and MSS in the ADSL modem. StrongVPN shows MTU 1400 when connected.
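The kind of change-MSS mangle rules discussed in the posts above, written out as an added example; these are not the original poster's rules, which were never posted in the thread. The interface names and MSS values (1452 for ppp-isp, 1360 for ppp-eu) come from the thread; the forward chain, the SYN-only match and the tcp-mss ranges are assumptions of this example.

```routeros
# Added example, not taken from the thread.
# MSS = interface MTU - 40 (20-byte IPv4 header + 20-byte TCP header).
# Only SYN packets carry the MSS option, so only those are matched.
# The tcp-mss range limits the rewrite to SYNs that advertise a larger
# MSS than the link can carry; a smaller advertised MSS is never raised.
/ip firewall mangle

# TCP routed over the PPTP tunnel (MTU 1400 -> MSS 1360), both directions
add chain=forward protocol=tcp tcp-flags=syn out-interface=ppp-eu \
    tcp-mss=1361-65535 action=change-mss new-mss=1360 \
    comment="Clamp MSS: LAN -> ppp-eu"
add chain=forward protocol=tcp tcp-flags=syn in-interface=ppp-eu \
    tcp-mss=1361-65535 action=change-mss new-mss=1360 \
    comment="Clamp MSS: ppp-eu -> LAN"

# TCP routed directly over PPPoE (MTU 1492 -> MSS 1452), both directions
add chain=forward protocol=tcp tcp-flags=syn out-interface=ppp-isp \
    tcp-mss=1453-65535 action=change-mss new-mss=1452 \
    comment="Clamp MSS: LAN -> ppp-isp"
add chain=forward protocol=tcp tcp-flags=syn in-interface=ppp-isp \
    tcp-mss=1453-65535 action=change-mss new-mss=1452 \
    comment="Clamp MSS: ppp-isp -> LAN"
```

Tunnelled traffic leaves ppp-isp as GRE rather than TCP, so the ppp-isp rules do not touch it; only the ppp-eu rules affect TCP sessions carried inside the VPN.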