CRS309 + NordVPN IKEv2: very slow on PC connected to VLAN

Hi all,

I configured my CRS309-1G-8S+ (RouterOS 7.20.6) with two VLANs:

  • VLAN1 plain switch mode, connected to an external router (via sfp-sfpplus1)
  • VLAN30 connected to the same external router (via sfp-sfpplus2), but configured in router mode (double NAT configuration).

I have a working NordVPN IKEv2 setup: I can activate ipsec peers selectively (e.g. I activate NordVPN_jp for connecting to a server in Japan), and route all traffic of a given local machine through VPN by adding its address to the corresponding firewall address list (i.e. nordvpn_jp_list): see full configuration below.

My Windows PC connected to VLAN30 (via sfp-sfpplus3, IP 192.168.30.100) works perfectly at full 1Gbit/s. But when NordVPN IKEv2 activates for use to/from this PC, speedtest drops to very slow speeds (too slow to explain by VPN overhead alone) and general web connectivity becomes very slow, while router CPU stays <1%.

Do you see any issue in my config? Any fixes or suggestions to have VPN work properly?

Thanks for your help!
Lorraine

# 2025-12-31 01:33:25 by RouterOS 7.20.6
# model = CRS309-1G-8S+

/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan30 vlan-id=30
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface ethernet switch port
set 0 l3-hw-offloading=no
set 1 l3-hw-offloading=no
set 3 l3-hw-offloading=no
set 4 l3-hw-offloading=no
set 5 l3-hw-offloading=no
set 6 l3-hw-offloading=no
set 7 l3-hw-offloading=no
/interface list
add name=WAN
add name=LAN
add name=WAN30
add name=LAN30
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec mode-config
add name=NordVPN_it responder=no src-address-list=nordvpn_it_list
add name=NordVPN_jp responder=no src-address-list=nordvpn_jp_list
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=it256.nordvpn.com disabled=yes exchange-mode=ike2 name=NordVPN_it \
    profile=NordVPN
add address=jp674.nordvpn.com disabled=yes exchange-mode=ike2 name=NordVPN_jp \
    profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=pool_vlan30 ranges=192.168.30.10-192.168.30.100
/ip dhcp-server
add address-pool=pool_vlan30 interface=vlan30 name=dhcp_vlan30
/port
set 0 name=serial0
/certificate settings
set builtin-trust-anchors=not-trusted
/interface bridge port
add bridge=bridge comment=defconf interface=ether1 pvid=30
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf disabled=yes interface=sfp-sfpplus2 pvid=30
add bridge=bridge comment=defconf interface=sfp-sfpplus3 pvid=30
add bridge=bridge comment=defconf interface=sfp-sfpplus4
add bridge=bridge comment=defconf interface=sfp-sfpplus5
add bridge=bridge comment=defconf interface=sfp-sfpplus6
add bridge=bridge comment=defconf interface=sfp-sfpplus7
add bridge=bridge comment=defconf interface=sfp-sfpplus8
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 untagged=sfp-sfpplus3 vlan-ids=30
/interface list member
add interface=sfp-sfpplus1 list=WAN
add interface=sfp-sfpplus3 list=LAN30
add interface=sfp-sfpplus4 list=LAN
add interface=sfp-sfpplus5 list=LAN
add interface=sfp-sfpplus6 list=LAN
add interface=sfp-sfpplus7 list=LAN
add interface=sfp-sfpplus8 list=LAN
add interface=sfp-sfpplus2 list=WAN30
add interface=ether1 list=LAN30
/ip address
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
add address=192.168.88.1/24 comment=defconf interface=bridge \
    network=192.168.88.0
/ip dhcp-client
add interface=sfp-sfpplus2
/ip dhcp-server network
add address=192.168.30.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.30.1
/ip firewall address-list
add address=192.168.30.100 list=nordvpn_jp_list
add address=192.168.30.100 list=nordvpn_it_list
add address=192.168.30.1 list=nordvpn_jp_list
add address=192.168.30.1 list=nordvpn_it_list
/ip firewall filter
add action=fasttrack-connection chain=forward \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat in-interface=vlan30 \
    out-interface-list=WAN30
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict \
    mode-config=NordVPN_it peer=NordVPN_it policy-template-group=NordVPN username=
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict \
    mode-config=NordVPN_jp peer=NordVPN_jp policy-template-group=NordVPN username=
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 \
    template=yes
/system clock
set time-zone-name=Europe/Rome

Hi,

You use a switch as a router. That is the problem.
It has no support for encryption, so all encrypting is done by the CPU, and that kills your switch.
The CRS has the ability to route, but it's rather intended for occasional management usage, not for full-scale service.

Even if the CRS309 has a slow CPU for routing and VPN, it's not that slow that you cannot browse websites while the CPU load is under 1%.

You are combining IPsec with fasttrack; that's the cause of your problem. They are not compatible. Please note that in the firewall that MikroTik ships with its defconf configuration for home routers, the fasttrack rule is preceded by two rules:

/ip firewall filter
# ... 
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
# ...

The two accept rules make sure the fasttrack rule cannot catch packets with the two specific ipsec-policy. Try to add those two rules before your fasttrack rule.

Also, the masquerade NAT rule has a special condition related to IPsec:

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

You should also add ipsec-policy=out,none to your masquerade rule.
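A small checker for the ordering problem described in this reply, added here as an example (not the thread's or MikroTik's code): it parses the flat `add key=value ...` lines of a `/ip firewall filter` export and reports which ipsec-policy directions a forward-chain fasttrack rule could still catch. The two sample exports are constructed from the rules quoted in this thread, with continuation lines joined.

```python
"""Checker for the fasttrack-vs-IPsec ordering problem described above.
Added example, not the thread's or MikroTik's code; it understands only the
flat 'add key=value ...' lines of a '/ip firewall filter' export."""
import shlex

# Constructed samples: the OP's two forward rules (continuation lines joined)
# and the defconf rules quoted in the reply.
OP_FILTER = """\
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
"""
DEFCONF_FILTER = """\
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
"""

def parse_rules(export):
    """Turn each 'add ...' line into a dict of its key=value pairs."""
    rules = []
    for line in export.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue  # section headers and '#' comments carry no rule
        pairs = (tok.partition("=") for tok in shlex.split(line[4:]))
        rules.append({key: val for key, _, val in pairs})
    return rules

def missing_ipsec_guards(export):
    """Return the ipsec-policy directions ('in', 'out') that a forward-chain
    fasttrack-connection rule could still catch, i.e. that are not accepted
    by an ipsec-policy=<dir>,ipsec rule placed before it.  Empty set = OK."""
    forward = [r for r in parse_rules(export) if r.get("chain") == "forward"]
    guarded = set()
    for rule in forward:
        if rule.get("action") == "fasttrack-connection":
            return {"in", "out"} - guarded  # first match wins: later accepts are too late
        policy = rule.get("ipsec-policy", "")
        if rule.get("action") == "accept" and policy.endswith(",ipsec"):
            guarded.add(policy.split(",")[0])
    return set()  # no fasttrack rule in the forward chain: nothing to bypass
```

Run it against your own `/ip firewall filter export` output; an empty set means the IPsec accepts sit in front of fasttrack, as in defconf.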

Thank you for the hints.

Indeed these rules help, even if the second one (add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec) is never hit and shows 0 stats.
Disabling fasttrack completely improves the connection even more. So probably the rules do not completely prevent fasttrack from interacting with IPsec.

Even with fasttrack disabled I think I am still missing something, because connectivity through VPN is not quite smooth yet:

  • Speedtest download is around 40Mbps, not saturating CPU.

  • Speedtest upload is intermittent at the beginning; it takes some seconds to stabilize and reach a decent bandwidth.

  • The "accept out ipsec policy" rule still shows 0 hits

  • Internet browsing through VPN is smoother than before (I even managed to watch videos on YouTube Japan), but still some sites take forever to load.
    In many cases the site shows up fast but the "site loading" indicator continues to spin for a long time.

  • I tried to connect my smart TV through VPN too, but most streaming apps do not even load, showing connectivity errors.

Below you can see a simplified config (no VLAN, router only).
What could still be missing?

Would it be possible to send me the full default Mikrotik "home router" configuration?

# 2025-12-31 14:43:28 by RouterOS 7.20.6
# model = CRS309-1G-8S+

/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=local
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=jp674.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=dhcp ranges=192.168.20.10-192.168.20.100
/ip dhcp-server
add address-pool=dhcp interface=bridge name=dhcp1
/port
set 0 name=serial0
/certificate settings
set builtin-trust-anchors=not-trusted
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf disabled=yes interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
add bridge=bridge comment=defconf interface=sfp-sfpplus3
add bridge=bridge comment=defconf interface=sfp-sfpplus4
add bridge=bridge comment=defconf interface=sfp-sfpplus5
add bridge=bridge comment=defconf interface=sfp-sfpplus6
add bridge=bridge comment=defconf interface=sfp-sfpplus7
add bridge=bridge comment=defconf interface=sfp-sfpplus8
/interface list member
add interface=sfp-sfpplus1 list=WAN
add interface=bridge list=LAN
/ip address
add address=192.168.20.1/24 interface=bridge network=192.168.20.0
/ip dhcp-client
add interface=sfp-sfpplus1
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.20.1
/ip firewall address-list
add address=192.168.20.0/24 list=local
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN \
    policy-template-group=NordVPN username=
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
/system clock
set time-zone-name=Europe/Rome

You might not get higher throughput than that number with the dual core 800MHz CPU of the CRS that has no IPsec hardware acceleration. For reference, the old hEX RB750Gr3 with dual core 880MHz CPU and IPsec hardware acceleration available can only do 135Mbps in MikroTik published ideal numbers.

With the CPU having no IPsec hardware acceleration, it might be better to switch to WireGuard for better performance.

As for the issue with some sites taking forever to load or your smart TV, it's most probably an MTU issue. You might need to add a mangle rule to reduce the MSS for the TCP connection, something like:

/ip firewall mangle
add action=change-mss chain=forward ipsec-policy=in,ipsec \
    new-mss=1382 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1383-65535
add action=change-mss chain=forward ipsec-policy=out,ipsec \
    new-mss=1382 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1383-65535

Consult the table at the bottom of the page "Best practices for an AWS Site-to-Site VPN customer gateway device - AWS Site-to-Site VPN" for the suitable MSS limit depending on the encryption and hashing algorithm used.

If you switch to WireGuard, then you'll also need the two change-mss rules, but replace the ipsec-policy condition with in-interface=wg1 and out-interface=wg1 (with wg1 being the name of the WireGuard interface), and the MSS ceiling is 1380 instead of 1382.
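A model of the change-mss rules from this reply, added as an example (not RouterOS code): it shows which SYNs the rules rewrite and which they leave alone, and how the MSS ceiling follows from the tunnel MTU. The 1420 figure is the default WireGuard interface MTU in RouterOS (1420 minus 40 bytes of IPv4 and TCP headers gives the 1380 quoted above); the IPsec value is the thread's own 1382.

```python
"""Model of the 'change-mss' mangle rules suggested above.  Added example,
not RouterOS code.  Assumes IPv4 with option-less TCP headers (40 bytes)."""

IP_HDR, TCP_HDR = 20, 20  # IPv4 and TCP headers without options

def mss_ceiling(tunnel_mtu):
    """Largest TCP payload that fits in one tunnel-sized IPv4 packet."""
    return tunnel_mtu - IP_HDR - TCP_HDR

# The four rules from the reply, as dicts: a match on ipsec-policy for IKEv2,
# on the interface name for WireGuard (wg1 and its 1420 MTU are assumptions).
MANGLE_RULES = [
    {"ipsec-policy": "in,ipsec",  "new-mss": 1382, "tcp-mss": (1383, 65535)},
    {"ipsec-policy": "out,ipsec", "new-mss": 1382, "tcp-mss": (1383, 65535)},
    {"in-interface": "wg1",  "new-mss": mss_ceiling(1420), "tcp-mss": (1381, 65535)},
    {"out-interface": "wg1", "new-mss": mss_ceiling(1420), "tcp-mss": (1381, 65535)},
]

def apply_change_mss(pkt, rules=MANGLE_RULES):
    """Return the MSS value the packet leaves the forward chain with.
    pkt is a dict with 'proto', 'syn', 'mss' plus whatever tunnel attributes
    ('ipsec-policy', 'in-interface', 'out-interface') apply to it."""
    mss = pkt.get("mss")
    if pkt["proto"] != "tcp" or not pkt["syn"] or mss is None:
        return mss  # protocol=tcp tcp-flags=syn: only SYNs carrying an MSS option
    for rule in rules:
        match_keys = [k for k in rule if k not in ("new-mss", "tcp-mss")]
        if any(pkt.get(k) != rule[k] for k in match_keys):
            continue  # tunnel condition not met
        lo, hi = rule["tcp-mss"]
        if lo <= mss <= hi:  # tcp-mss range: smaller values are left untouched
            mss = rule["new-mss"]
        # passthrough=yes: keep evaluating the remaining rules
    return mss
```

A SYN with MSS 1460 inside the IPsec policy leaves with 1382, one on wg1 with 1380, while a SYN already advertising 1200 or a SYN on plain Internet traffic passes unchanged.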

Hi! Happy new year and thank you very much for the support!

It was indeed an MTU issue!

Looking for "NordVPN + MTU" keywords in the forum I jumped into this old post:
https://forum.mikrotik.com/t/mtu-troubles-using-ikev2-providers-like-nordvpn-work-around/

The workaround proposed there still works:

/ip ipsec policy
move *ffffff destination=0
add action=none dst-address=192.168.88.0/24 src-address=0.0.0.0/0 place-before=1

with 192.168.88.0/24 replaced by my subnet.

This even solved my smartTV connectivity problems.

It's the difference between home routers and advanced ones.
The home ones can satisfy 99% of your needs with default settings, but the advanced 1% is inaccessible, as it is assumed to be unnecessary for home users.
The advanced routers do 1% of your needs at the start, but the 99% is accessible when you need it; however, it needs a lot of training to set it up properly.