Hi Folks,
We’ve recently just purchased three new Mikrotik Routerboards for a client and we’re trialing these as a potential replacement for Sonicwalls as our default go-to device (Cost is a major factor, as most clients don’t want to fork out $600+ for a Sonicwall plus Maint per year).
We’ve configured the Mikrotiks, got them up on the PPPoE connection and got a VPN tunnel established between our Datacentre and the client - however we’re finding the IPSEC performance is extremely poor.
The client’s connection at each site is 100Mbps/100Mbps and we’ve confirmed we can get this rate (Approx 98/98 max) but we’re getting around 800Kbps when trying to copy files over the IPSEC VPN. So we know the normal PPPoE connection appears to be set up and working normally.
The Device at our Datacentre is an Enterprise Class Sonicwall - we put a smaller Sonicwall at the client’s end to test the VPN capabilities and can get near enough to the full 98/98 over the IPSEC tunnel (Using the exact same settings/algorithms as we used with the Mikrotik).
I found some articles relating to using different Encryption Algorithms and I have had a play with this, but only got a boost in around 100Kbps.
Having a look at the Mikrotik CPU it’s only sitting at around 20% average during a file copy - so it’s nowhere near maxed out.
I’m considering that it may be an MTU issue - however I’m not quite sure where to start on that - as I’ve never done an MTU on a Mikrotik before and it’s a little different to the Sonicwalls I usually work on.
Any assistance would be appreciated as to how to go about looking at this and resolving it - we’d really like to start using Mikrotik Devices more for our Client Endpoints but if we can’t get this resolved then we’ll have to fall back to Sonicwall.
A bit about the configuration:
- Devices are a CRS109-8G-1S-2HnD and a CRS125-24G-1S-2HnD
- Packages are currently v6.24 and RouterOS is currently 3.19 (Both Latest)
- WAN Port is a 100Mbps/100Mbps Fibre Connection
- It is VLAN Tagged (VLAN10) and connects to the ISP via PPPOE
- There are 3 IPSEC VPN Tunnels connecting to Our Sonicwall at two different Datacentres (2 to Site A, and 1 to Site B)
- Currently they are using P1 MD5/AES128/MODP1024 and P2 ESP, MD5, AES128
- MTU on the Gateway Interface is 1500, L2MTU is 1588
- MTU on the VLAN Interface (Bound to Gateway) is 1500 with an L2MTU of 1584
- MTU on the PPPOE-Out Interface (Bound to VLAN10) is 1480, and MRU is 1480
- There are no Firewall Rules bar 3 srcnat rules to allow the VPN subnets to traverse
- There are two Mangle Rules by Default for all PPPOut with a TCP MSS of 1441-65536 and New TCP MSS of 1440 (These rules are not able to be modified though)
- These are straight IPSEC VPN Tunnels - there are no EoIP, IP or GRE Tunnel Interfaces
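To put numbers on the MTU suspicion, here is an added example (not from the original post, and not MikroTik or Sonicwall code) that works out the ESP tunnel-mode overhead for the P2 AES128/MD5 settings listed above against the 1480-byte PPPoE MTU and the default 1440 MSS clamp. It assumes tunnel mode, AES-CBC with a 16-byte IV, HMAC-MD5-96 (12-byte ICV) and IPv4 headers without options.

```python
# Assumptions (constructed for this example): ESP tunnel mode over IPv4,
# AES-128-CBC (16-byte block and IV) with HMAC-MD5-96 (12-byte ICV).
OUTER_IP = 20      # new IPv4 header added in tunnel mode
ESP_HDR = 8        # SPI + sequence number
IV_LEN = 16        # AES-CBC IV
BLOCK = 16         # AES block size; payload + trailer is padded to this
TRAILER = 2        # pad length + next header
ICV = 12           # HMAC-MD5-96 truncated authenticator
TCPIP_HDRS = 40    # inner IPv4 + TCP headers behind a given MSS


def esp_tunnel_size(inner_len: int) -> int:
    """Size on the wire of an inner IP packet after ESP tunnel encapsulation."""
    pad = (BLOCK - (inner_len + TRAILER) % BLOCK) % BLOCK
    return OUTER_IP + ESP_HDR + IV_LEN + inner_len + pad + TRAILER + ICV


def max_inner_for_mtu(mtu: int) -> int:
    """Largest inner packet that still fits in the outer link MTU unfragmented."""
    for inner_len in range(mtu, 0, -1):
        if esp_tunnel_size(inner_len) <= mtu:
            return inner_len
    return 0


def recommended_mss(mtu: int) -> int:
    """TCP MSS to clamp to so encapsulated segments never exceed the link MTU."""
    return max_inner_for_mtu(mtu) - TCPIP_HDRS


def mss_fits(mss: int, mtu: int) -> bool:
    """Does a full segment at this MSS survive encapsulation without fragmentation?"""
    return esp_tunnel_size(mss + TCPIP_HDRS) <= mtu


if __name__ == "__main__":
    PPPOE_MTU, CLAMPED_MSS = 1480, 1440   # values from the post
    inner = CLAMPED_MSS + TCPIP_HDRS
    print(f"MSS {CLAMPED_MSS} -> inner {inner} B -> on wire {esp_tunnel_size(inner)} B")
    print(f"fits in PPPoE MTU {PPPOE_MTU}: {mss_fits(CLAMPED_MSS, PPPOE_MTU)}")
    print(f"largest unfragmented inner packet: {max_inner_for_mtu(PPPOE_MTU)} B")
    print(f"MSS clamp that avoids fragmentation: {recommended_mss(PPPOE_MTU)}")
```

Fragmentation of every full-size ESP packet is one cheap thing to rule out before looking at hardware offload or firmware, and a capture on the PPPoE interface during a file copy will show whether it is happening.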