hjbotha
just joined
Topic Author
Posts: 4
Joined: Wed Jul 07, 2010 9:18 am

PPTP VPN connection to StrongVPN slow and inconsistent

Wed Jul 07, 2010 9:49 am

Hi all,

I have an RB750G with RouterOS 4.10. It's set up with 2 PPP connections:
1. ppp-isp - PPPoE connection through a Netgear modem configured as a bridge
2. ppp-eu - PPTP connection to StrongVPN

The PPTP connection performs poorly and inconsistently. I have a 2Mb link, and I get throughput rates of between 60 and 100kBps (though it varies quite a lot - I might get 140 for a while, then it drops to 50, etc).

If I disable the PPTP connection on my router and establish it directly from my PC, I get full line speed - up to 230kBps.

The PPPoE connection MTU is 1480. The PPTP connection MTU is set to 1450 (as recommended by StrongVPN).

I have about 20 firewall rules and about 10 mangle rules routing various bits of traffic over the appropriate connection, but I've tried removing all of them and it's no different.

ppp-isp sets the default route when it comes up. ppp-eu is the routing mark for a custom route that uses the ppp-eu connection.

The mangle rule that routes my traffic over the VPN is:
Chain: Prerouting
Src. address list: vpn-all (which contains IPs of everyone to route over VPN)
Action: routing mark: ppp-eu

Any suggestions for what I can look at to diagnose this?

Is there a possible scenario where ICMP control packets aren't going where they should? I don't have any rules that specifically target ICMP.

My firewall config is below. All the port knock rules are just a way to add and remove people from the vpn address lists.
[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 

 0   chain=srcnat action=masquerade out-interface=ppp-isp 
 1   chain=srcnat action=masquerade out-interface=ppp-eu 
 2 I chain=srcnat action=masquerade out-interface=ppp-us 
 3   chain=dstnat action=dst-nat to-addresses=192.168.1.2 protocol=tcp src-address=!192.168.1.0/24 dst-port=80 
 4   chain=dstnat action=dst-nat to-addresses=192.168.1.2 protocol=tcp src-address=!192.168.1.0/24 dst-port=8444-8446 
 5   chain=dstnat action=dst-nat to-addresses=192.168.1.2 protocol=tcp src-address=!192.168.1.0/24 dst-port=10240-10245 
 6   chain=dstnat action=dst-nat to-addresses=192.168.1.2 protocol=udp src-address=!192.168.1.0/24 dst-port=10240-10245 
 7   chain=dstnat action=dst-nat to-addresses=192.168.1.2 protocol=tcp in-interface=ppp-isp dst-port=22 
 8   chain=dstnat action=dst-nat to-addresses=192.168.1.83 protocol=tcp src-address=!192.168.1.0/24 dst-port=5120-5130 
 9   chain=dstnat action=dst-nat to-addresses=192.168.1.83 protocol=udp src-address=!192.168.1.0/24 dst-port=5120-5130 
10   chain=dstnat action=dst-nat to-addresses=192.168.1.83 protocol=tcp src-address-list=safe in-interface=ppp-isp dst-port=3389 

[admin@MikroTik] > /ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; HTPC - route all through ISP
     chain=prerouting action=mark-routing new-routing-mark=ppp-isp passthrough=yes src-address-list=htpc 

 1 X ;;; HTPC - route traffic to sanitised-ip through ppp-eu
     chain=prerouting action=mark-routing new-routing-mark=ppp-eu passthrough=yes protocol=tcp dst-address=x.x.x.x src-address-list=htpc 
     dst-port=80,443 

 2   ;;; HTPC - route web traffic through ppp-eu
     chain=prerouting action=mark-routing new-routing-mark=ppp-eu passthrough=yes protocol=tcp src-address-list=htpc dst-port=80,443 

 3   ;;; vpn-web - Route HTTP through VPN
     chain=prerouting action=mark-routing new-routing-mark=ppp-eu passthrough=yes protocol=tcp src-address-list=vpn-web dst-port=80,443 

 4   ;;; vpn-all - Route ALL through VPN
     chain=prerouting action=mark-routing new-routing-mark=ppp-eu passthrough=yes src-address-list=vpn-all 

 5   ;;; all - Route 9999 through VPN
     chain=prerouting action=mark-routing new-routing-mark=ppp-eu passthrough=yes protocol=tcp dst-port=9999 

 6 X ;;; router - Route DNS through VPN
     chain=output action=mark-routing new-routing-mark=ppp-eu passthrough=yes protocol=udp src-address=127.0.0.1 dst-port=53 

 7   ;;; proxy - Route HTTP through VPN
     chain=output action=mark-routing new-routing-mark=ppp-isp passthrough=yes protocol=tcp dst-port=80,443 

 8 X ;;; ALL - Route through VPN
     chain=prerouting action=mark-routing new-routing-mark=ppp-eu passthrough=yes src-address=192.168.1.10-192.168.1.250 

 9   ;;; HJB - route RDP through ISP
     chain=prerouting action=mark-routing new-routing-mark=ppp-isp passthrough=yes protocol=tcp src-address-list=vpn-all src-port=3389 

[admin@MikroTik] > /ip firewall filter print 
Flags: X - disabled, I - invalid, D - dynamic 

 0   ;;; Allow pings
     chain=input action=accept protocol=icmp icmp-options=8:0-255 

 1   chain=forward action=accept 

 2   ;;; Allow established
     chain=input action=accept connection-state=established 

 3   ;;; Allow related
     chain=input action=accept connection-state=related 

 4   ;;; Port knock: 1
     chain=input action=add-src-to-address-list protocol=tcp address-list=portknock1 address-list-timeout=15s in-interface=ppp-isp dst-port=xxxxx 

 5   ;;; Port knock: 2
     chain=input action=add-src-to-address-list protocol=tcp src-address-list=portknock1 address-list=portknock2 address-list-timeout=15s 
     in-interface=ppp-isp dst-port=xxxxx 

 6   ;;; Port knock: 3
     chain=input action=add-src-to-address-list protocol=tcp src-address-list=portknock2 address-list=safe address-list-timeout=15m 
     in-interface=ppp-isp dst-port=xxxxx 

 7   ;;; Port knock: route all through VPN
     chain=input action=add-src-to-address-list protocol=tcp address-list=vpn-all address-list-timeout=0s in-interface=ether1-local-master 
     dst-port=10242 

 8   ;;; Port knock: route all through VPN - remove from vpn-web
     chain=input action=add-src-to-address-list protocol=tcp src-address-list=vpn-web address-list=vpn-web address-list-timeout=1s 
     in-interface=ether1-local-master dst-port=10242 

 9   ;;; Port knock: route web through VPN
     chain=input action=add-src-to-address-list protocol=tcp address-list=vpn-web address-list-timeout=0s in-interface=ether1-local-master 
     dst-port=10241 

10   ;;; Port knock: route web through VPN - remove from vpn-all
     chain=input action=add-src-to-address-list protocol=tcp src-address-list=vpn-all address-list=vpn-all address-list-timeout=1s 
     in-interface=ether1-local-master dst-port=10241 

11   ;;; Port knock: stop routing through VPN - remove from vpn-all
     chain=input action=add-src-to-address-list protocol=tcp src-address-list=vpn-all address-list=vpn-all address-list-timeout=1s 
     in-interface=ether1-local-master dst-port=10240 

12   ;;; Port knock: stop routing through VPN - remove from vpn-web
     chain=input action=add-src-to-address-list protocol=tcp src-address-list=vpn-web address-list=vpn-web address-list-timeout=1s 
     in-interface=ether1-local-master dst-port=10240 

13   ;;; Allow all from LAN
     chain=input action=accept src-address=192.168.1.0/24 

14   ;;; Drop the rest
     chain=input action=drop 

Thanks for any suggestions
 
hjbotha
just joined
Topic Author
Posts: 4
Joined: Wed Jul 07, 2010 9:18 am

Re: PPTP VPN connection to StrongVPN slow and inconsistent

Wed Jul 07, 2010 1:52 pm

> Yes, very simple solution - do NOT route all traffic thru tunnels that are 20 hops away.

My strongvpn endpoint is 9 hops away. Also, distance wouldn't explain why I get line-speed through it when connected from my PC, but 50% or less through RB.
 
hedele
Member
Posts: 338
Joined: Tue Feb 24, 2009 11:23 pm

Re: PPTP VPN connection to StrongVPN slow and inconsistent

Wed Jul 07, 2010 7:48 pm

I think you should further reduce MTU to 1440 on the PPTP interface, just to be sure (I always use MTU size of host interface - 40 bytes).
Also, instead of playing around with routing marks try to only set a host route on the PPPoE interface towards the strongvpn IP, and then let the PPTP client create a default route. If that solves your problems maybe there is a problem with the marks you're setting.
 
hjbotha
just joined
Topic Author
Posts: 4
Joined: Wed Jul 07, 2010 9:18 am

Re: PPTP VPN connection to StrongVPN slow and inconsistent

Wed Jul 07, 2010 9:31 pm

hedele wrote:
> I think you should further reduce MTU to 1440 on the PPTP interface, just to be sure (I always use MTU size of host interface - 40 bytes).
> Also, instead of playing around with routing marks try to only set a host route on the PPPoE interface towards the strongvpn IP, and then let the PPTP client create a default route. If that solves your problems maybe there is a problem with the marks you're setting.

Thanks for the suggestion. I suspect StrongVPN forces it down to 1400 at connection time anyway. After some more searching I did find some suggestions that the "change TCP MSS" setting in ROS is pretty ineffective, and as a result have tried creating my own change MSS rules.

It's running much better now, but I'm trying to tweak the setting for the ideal change MSS rule.

My PPPoE MTU is 1492 so I'm setting MSS to 1492 - 40 = 1452
My PPTP MTU is 1400 so I've set the change MSS rule for that connection to 1360. Is that the ideal setting? Browsing is much better with that but I'm still only getting about 40% of connection speed when downloading anything over the VPN.

Additional tips welcome!

Thanks
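
The kind of change-MSS mangle rules the post above describes, written out as an added example; these are not the poster's actual rules, which the thread does not show. It assumes the interface names ppp-isp and ppp-eu from the first post and the MSS values 1452 and 1360 stated above.

```routeros
# Added example, not taken from the thread. Interface names come from the first post;
# MSS values are the ones the poster states: 1492 - 40 = 1452 and 1400 - 40 = 1360.
# The 40 bytes are the 20-byte IPv4 header plus the 20-byte TCP header (no options).
/ip firewall mangle

# MSS is negotiated in the TCP handshake, so only SYN packets are rewritten.
# The tcp-mss matcher limits the rewrite to SYNs that advertise more than the target,
# so a peer that already offers a smaller MSS is left alone.

# Traffic forwarded into the PPTP tunnel (LAN -> VPN)
add chain=forward action=change-mss new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn out-interface=ppp-eu tcp-mss=1361-65535 comment="clamp MSS: LAN to VPN"

# Traffic arriving from the PPTP tunnel (VPN -> LAN), so both directions agree
add chain=forward action=change-mss new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn in-interface=ppp-eu tcp-mss=1361-65535 comment="clamp MSS: VPN to LAN"

# Traffic that goes straight out over PPPoE without the tunnel
add chain=forward action=change-mss new-mss=1452 passthrough=yes protocol=tcp tcp-flags=syn out-interface=ppp-isp tcp-mss=1453-65535 comment="clamp MSS: LAN to ISP"
add chain=forward action=change-mss new-mss=1452 passthrough=yes protocol=tcp tcp-flags=syn in-interface=ppp-isp tcp-mss=1453-65535 comment="clamp MSS: ISP to LAN"
```
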
 
hjbotha
just joined
Topic Author
Posts: 4
Joined: Wed Jul 07, 2010 9:18 am

Re: PPTP VPN connection to StrongVPN slow and inconsistent

Thu Jul 08, 2010 9:47 am

I've tried your other suggestion of sending all traffic through the VPN instead of using mangle rules. Didn't make any difference.

I also configured my ADSL modem to establish the PPP connection so that the RB is free to handle the PPTP connection on its own, with the same result.

Thanks
 
stlony
Frequent Visitor
Posts: 91
Joined: Mon Nov 19, 2007 6:25 pm
Location: Egypt

Re: PPTP VPN connection to StrongVPN slow and inconsistent

Tue Jun 14, 2011 6:45 pm

Hello
I have the same problem. Did you find a solution for it?
 
machitza
just joined
Posts: 12
Joined: Sun Nov 27, 2011 4:12 pm

Re: PPTP VPN connection to StrongVPN slow and inconsistent

Sat Apr 07, 2012 2:15 pm

MTU 1440 is the key! It worked through the PPTP VPN... now full speed, as when using the PC...

Thanks!
 
omidi
newbie
Posts: 28
Joined: Tue Jul 12, 2011 10:22 am

Re: PPTP VPN connection to StrongVPN slow and inconsistent

Tue Apr 10, 2012 11:55 am

Hi

I have the same problem with StrongVPN. Could you explain the exact settings for MTU and MSS that worked for you?
I am confused about the PPPoE and PPTP MTU and MSS.

Right now I have the default MTU and MSS in the ADSL modem. StrongVPN shows MTU 1400 when connected.

Thanks
