I have an RB750G with RouterOS 4.10. It's set up with 2 PPP connections:
1. ppp-isp - PPPoE connection through a Netgear modem configured as a bridge
2. ppp-eu - PPTP connection to StrongVPN
The PPTP connection performs poorly and inconsistently. I have a 2Mb link, and I get throughput rates of between 60 and 100kBps (though it varies quite a lot - I might get 140 for a while, then it drops to 50, etc).
If I disable the PPTP connection on my router and establish it directly from my PC, I get full line speed - up to 230kBps.
The PPPoE connection MTU is 1480. The PPTP connection MTU is set to 1450 (as recommended by StrongVPN).
I have about 20 firewall rules and about 10 mangle rules routing various bits of traffic over the appropriate connection, but I've tried removing all of them and it's no different.
ppp-isp sets the default route when it comes up. ppp-eu is the routing mark for a custom route that uses the ppp-eu connection.
The mangle rule that routes my traffic over the VPN is:
Chain: Prerouting
Src. address list: vpn-all (which contains IPs of everyone to route over VPN)
Action: routing mark: ppp-eu
Any suggestions for what I can look at to diagnose this?
Is there a possible scenario where ICMP control packets aren't going where they should? I don't have any rules that specifically target ICMP.
My firewall config is below. All the port knock rules are just a way to add and remove people from the vpn address lists.
[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=ppp-isp
1 chain=srcnat action=masquerade out-interface=ppp-eu
2 I chain=srcnat action=masquerade out-interface=ppp-us
3 chain=dstnat action=dst-nat to-addresses=192.168.1.2 protocol=tcp src-address=!192.168.1.0/24 dst-port=80
4 chain=dstnat action=dst-nat to-addresses=192.168.1.2 protocol=tcp src-address=!192.168.1.0/24 dst-port=8444-8446
5 chain=dstnat action=dst-nat to-addresses=192.168.1.2 protocol=tcp src-address=!192.168.1.0/24 dst-port=10240-10245
6 chain=dstnat action=dst-nat to-addresses=192.168.1.2 protocol=udp src-address=!192.168.1.0/24 dst-port=10240-10245
7 chain=dstnat action=dst-nat to-addresses=192.168.1.2 protocol=tcp in-interface=ppp-isp dst-port=22
8 chain=dstnat action=dst-nat to-addresses=192.168.1.83 protocol=tcp src-address=!192.168.1.0/24 dst-port=5120-5130
9 chain=dstnat action=dst-nat to-addresses=192.168.1.83 protocol=udp src-address=!192.168.1.0/24 dst-port=5120-5130
10 chain=dstnat action=dst-nat to-addresses=192.168.1.83 protocol=tcp src-address-list=safe in-interface=ppp-isp dst-port=3389
[admin@MikroTik] > /ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; HTPC - route all through ISP
chain=prerouting action=mark-routing new-routing-mark=ppp-isp passthrough=yes src-address-list=htpc
1 X ;;; HTPC - route traffic to sanitised-ip through ppp-eu
chain=prerouting action=mark-routing new-routing-mark=ppp-eu passthrough=yes protocol=tcp dst-address=x.x.x.x src-address-list=htpc dst-port=80,443
2 ;;; HTPC - route web traffic through ppp-eu
chain=prerouting action=mark-routing new-routing-mark=ppp-eu passthrough=yes protocol=tcp src-address-list=htpc dst-port=80,443
3 ;;; vpn-web - Route HTTP through VPN
chain=prerouting action=mark-routing new-routing-mark=ppp-eu passthrough=yes protocol=tcp src-address-list=vpn-web dst-port=80,443
4 ;;; vpn-all - Route ALL through VPN
chain=prerouting action=mark-routing new-routing-mark=ppp-eu passthrough=yes src-address-list=vpn-all
5 ;;; all - Route 9999 through VPN
chain=prerouting action=mark-routing new-routing-mark=ppp-eu passthrough=yes protocol=tcp dst-port=9999
6 X ;;; router - Route DNS through VPN
chain=output action=mark-routing new-routing-mark=ppp-eu passthrough=yes protocol=udp src-address=127.0.0.1 dst-port=53
7 ;;; proxy - Route HTTP through VPN
chain=output action=mark-routing new-routing-mark=ppp-isp passthrough=yes protocol=tcp dst-port=80,443
8 X ;;; ALL - Route through VPN
chain=prerouting action=mark-routing new-routing-mark=ppp-eu passthrough=yes src-address=192.168.1.10-192.168.1.250
9 ;;; HJB - route RDP through ISP
chain=prerouting action=mark-routing new-routing-mark=ppp-isp passthrough=yes protocol=tcp src-address-list=vpn-all src-port=3389
[admin@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Allow pings
chain=input action=accept protocol=icmp icmp-options=8:0-255
1 chain=forward action=accept
2 ;;; Allow established
chain=input action=accept connection-state=established
3 ;;; Allow related
chain=input action=accept connection-state=related
4 ;;; Port knock: 1
chain=input action=add-src-to-address-list protocol=tcp address-list=portknock1 address-list-timeout=15s in-interface=ppp-isp dst-port=xxxxx
5 ;;; Port knock: 2
chain=input action=add-src-to-address-list protocol=tcp src-address-list=portknock1 address-list=portknock2 address-list-timeout=15s in-interface=ppp-isp dst-port=xxxxx
6 ;;; Port knock: 3
chain=input action=add-src-to-address-list protocol=tcp src-address-list=portknock2 address-list=safe address-list-timeout=15m in-interface=ppp-isp dst-port=xxxxx
7 ;;; Port knock: route all through VPN
chain=input action=add-src-to-address-list protocol=tcp address-list=vpn-all address-list-timeout=0s in-interface=ether1-local-master dst-port=10242
8 ;;; Port knock: route all through VPN - remove from vpn-web
chain=input action=add-src-to-address-list protocol=tcp src-address-list=vpn-web address-list=vpn-web address-list-timeout=1s in-interface=ether1-local-master dst-port=10242
9 ;;; Port knock: route web through VPN
chain=input action=add-src-to-address-list protocol=tcp address-list=vpn-web address-list-timeout=0s in-interface=ether1-local-master dst-port=10241
10 ;;; Port knock: route web through VPN - remove from vpn-all
chain=input action=add-src-to-address-list protocol=tcp src-address-list=vpn-all address-list=vpn-all address-list-timeout=1s in-interface=ether1-local-master dst-port=10241
11 ;;; Port knock: stop routing through VPN - remove from vpn-all
chain=input action=add-src-to-address-list protocol=tcp src-address-list=vpn-all address-list=vpn-all address-list-timeout=1s in-interface=ether1-local-master dst-port=10240
12 ;;; Port knock: stop routing through VPN - remove from vpn-web
chain=input action=add-src-to-address-list protocol=tcp src-address-list=vpn-web address-list=vpn-web address-list-timeout=1s in-interface=ether1-local-master dst-port=10240
13 ;;; Allow all from LAN
chain=input action=accept src-address=192.168.1.0/24
14 ;;; Drop the rest
chain=input action=drop
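Added example (editor's code, not the poster's configuration and not a MikroTik tool): a small Python model of the prerouting mangle chain printed above, run over a handful of constructed flows. It assumes the usual RouterOS semantics, namely that rules are evaluated top to bottom, disabled (X) rules are skipped, and mark-routing with passthrough=yes sets the mark and continues, so the last matching rule's mark wins. The address-list contents and sample packets are made up for illustration; the sanitised dst-address x.x.x.x from the post is kept as-is. Running it shows which routing mark each flow ends with, and which flows (for instance UDP DNS from a vpn-web host) match no rule and fall through to the default route.

```python
"""Model of how a RouterOS prerouting mangle chain assigns routing marks.

Added example for the post above; not the poster's code and not a MikroTik
tool. Assumptions: rules run top to bottom, disabled (X) rules are skipped,
and mark-routing with passthrough=yes sets the mark and keeps going, so the
LAST matching rule's mark wins (passthrough=no would stop the chain).
Address-list contents and sample flows are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    src_port: int = 0
    dst_port: int = 0


@dataclass
class Rule:
    comment: str
    mark: str                                   # new-routing-mark
    passthrough: bool = True
    disabled: bool = False
    src_list: Optional[str] = None              # src-address-list
    proto: Optional[str] = None                 # protocol
    dst_ports: FrozenSet[int] = frozenset()     # dst-port
    src_ports: FrozenSet[int] = frozenset()     # src-port
    dst_addr: Optional[str] = None              # dst-address
    src_range: Optional[Tuple[str, str]] = None # src-address=a-b

    def matches(self, pkt: Packet, lists: dict) -> bool:
        """True if every matcher present on the rule accepts the packet."""
        if self.disabled:
            return False
        if self.src_list is not None and pkt.src not in lists.get(self.src_list, set()):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dst_ports and pkt.dst_port not in self.dst_ports:
            return False
        if self.src_ports and pkt.src_port not in self.src_ports:
            return False
        if self.dst_addr is not None and pkt.dst != self.dst_addr:
            return False
        if self.src_range is not None:
            lo, hi = (ipaddress.ip_address(a) for a in self.src_range)
            if not lo <= ipaddress.ip_address(pkt.src) <= hi:
                return False
        return True


# Prerouting rules transcribed from the post (numbers as printed there).
PREROUTING: List[Rule] = [
    Rule("0 HTPC - route all through ISP", "ppp-isp", src_list="htpc"),
    Rule("1 HTPC - sanitised-ip through ppp-eu", "ppp-eu", disabled=True,
         proto="tcp", dst_addr="x.x.x.x", src_list="htpc", dst_ports=frozenset({80, 443})),
    Rule("2 HTPC - web traffic through ppp-eu", "ppp-eu",
         proto="tcp", src_list="htpc", dst_ports=frozenset({80, 443})),
    Rule("3 vpn-web - HTTP through VPN", "ppp-eu",
         proto="tcp", src_list="vpn-web", dst_ports=frozenset({80, 443})),
    Rule("4 vpn-all - ALL through VPN", "ppp-eu", src_list="vpn-all"),
    Rule("5 all - 9999 through VPN", "ppp-eu", proto="tcp", dst_ports=frozenset({9999})),
    Rule("8 ALL - through VPN", "ppp-eu", disabled=True,
         src_range=("192.168.1.10", "192.168.1.250")),
    Rule("9 HJB - RDP through ISP", "ppp-isp",
         proto="tcp", src_list="vpn-all", src_ports=frozenset({3389})),
]

# Constructed membership; on the real router these lists are filled by port knocks.
ADDRESS_LISTS = {
    "htpc": {"192.168.1.20"},
    "vpn-web": {"192.168.1.40"},
    "vpn-all": {"192.168.1.30"},
}


def routing_mark(pkt: Packet, chain=PREROUTING, lists=ADDRESS_LISTS):
    """Return (final mark or None, comments of the rules that fired)."""
    mark = None
    fired = []
    for rule in chain:
        if rule.matches(pkt, lists):
            mark = rule.mark
            fired.append(rule.comment)
            if not rule.passthrough:
                break
    return mark, fired


# Constructed sample flows (documentation-range destination addresses).
SAMPLE_FLOWS = {
    "htpc -> web 443": Packet("192.168.1.20", "203.0.113.5", dst_port=443),
    "htpc -> ssh 22": Packet("192.168.1.20", "203.0.113.5", dst_port=22),
    "htpc -> tcp 9999": Packet("192.168.1.20", "203.0.113.5", dst_port=9999),
    "vpn-all -> web 443": Packet("192.168.1.30", "203.0.113.5", dst_port=443),
    "vpn-all RDP reply (sport 3389)": Packet("192.168.1.30", "198.51.100.7", src_port=3389, dst_port=50000),
    "vpn-web -> web 80": Packet("192.168.1.40", "203.0.113.5", dst_port=80),
    "vpn-web -> DNS udp 53": Packet("192.168.1.40", "203.0.113.53", proto="udp", dst_port=53),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_FLOWS.items():
        mark, fired = routing_mark(pkt)
        print(f"{name:32} -> {mark or 'no mark (default route)':26} via {fired}")
```

Because every rule in the chain is passthrough=yes, a packet can be marked several times and only the last mark counts: an htpc host is first marked ppp-isp by rule 0 and then re-marked ppp-eu by rule 2 or 5, and a vpn-all host's RDP replies are re-marked ppp-isp by rule 9. A flow that ends with no mark is routed by the main table, which here is the ppp-isp default route.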