I’m new to Mikrotik and I have some questions around performance tuning over VPN. Initially, things were very slow, but I found some very useful threads around fasttrack which solved the issue; however, I would like to dig into some more fine-grained detail around the IKEv2 settings.
At the moment, I am getting around 15mbps down/8 up. Not too bad for my needs, but would like to ensure I’m squeezing out every last drop of speed.
I do have one question on fasttrack - This hAP lite will only be used for VPN traffic. At the moment, I have added the mark to exclude ipsec. Is there any benefit to simply delete this rule?
I have also seen notes around Hardware acceleration within SAs; is this available within the hAP Lite? I did see that on a tutorial for setting up IKEv2, the settings were pretty weak, like dh-group=null and use of sha1. I tweaked that a little:
I do notice the lack of ‘H’ in the SPI output. Are there any better ‘sweet spot’ settings here that still give solid security?
Finally, MTU - For simplicity, I am doing double NAT (WiFi Client > hAP > NAT> Home Router > NAT> Internet). Not ideal I know, alas, it works and keeps things easy. I’ve seen various threads around MTU tuning, ranging from as low as 1210 up to 1460. Is there more performance to squeeze here, too?
I am running RouterOS 6.47.4
Thanks so much in advance for any tips and tricks you can provide…with only around 24 hours experience in RouterOS, I’m finding it super intuitive!
No need for action=fasttrack-connection rule if you only plan to use the device for VPN with bare IPsec (matching traffic by src-address and dst-address in /ip ipsec policy), i.e. if none of the forwarded traffic goes outside the VPN via WAN.
As for the MTU, the number of bytes occupied by the IPsec overhead depends on the encryption and authentication algorithms used, and the encapsulation of ESP into UDP which is used to facilitate NAT traversal also takes a few bytes. It doesn’t matter, though, how many layers of NAT the connection traverses - the only difference is between no NAT at all at either side (where ESP is put directly into IP) and any other case (where ESP is put into UDP which in turn is put into IP).
But the IPsec transport packets do get fragmented if they exceed the MTU of the physical link, and with traffic matching, you cannot affect the MTU of anything else but the physical link. So you have to make sure that eventual ICMP “fragmentation needed” messages sent by your own router to the LAN hosts are not matched by the traffic selector of the VPN’s policy and sent down the VPN, so that PMTUD could work. Look into this post for details.
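As an added illustration (not posted in this thread, and not the configuration from the linked post), here are the points from the reply above in RouterOS 6.x CLI form: dropping the fasttrack rule, a profile/proposal pair that replaces SHA-1 and no-PFS settings with SHA-256, AES-256 and a 2048-bit DH group, and an action=none policy placed ahead of the encrypting one so the router's own ICMP "fragmentation needed" messages to LAN hosts are not pulled into the tunnel. The LAN prefix 192.168.88.0/24, the router address 192.168.88.1, the probe target 10.0.0.1 and the ike2-* object names are assumptions; substitute your own.

```routeros
# Added example, not the thread's or the linked post's configuration.
# Assumed values: LAN 192.168.88.0/24 with the hAP at 192.168.88.1, a host
# 10.0.0.1 behind the tunnel, and object names ike2-*.

# --- 1. Fasttrack. If every forwarded packet goes into the tunnel, the
#        fasttrack rule never matches anything useful, so it can simply go.
/ip firewall filter remove [find action=fasttrack-connection]

# --- 2. Phase 1 (IKE SA) and phase 2 (ESP) algorithms.
#        For contrast, the kind of settings the question mentions (SHA-1, no PFS):
#/ip ipsec proposal add name=ike2-weak auth-algorithms=sha1 enc-algorithms=aes-128-cbc pfs-group=none
#        A solid, still software-friendly choice for a board without a crypto engine:
/ip ipsec profile add name=ike2-prof hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048
/ip ipsec proposal add name=ike2-prop auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
# Point the existing peer and identity at them (this device only has the one VPN).
/ip ipsec peer set [find] profile=ike2-prof
/ip ipsec policy group add name=ike2-grp
/ip ipsec identity set [find] policy-template-group=ike2-grp

# --- 3. Policies are evaluated top-down. The bypass for LAN-local traffic must
#        sit above the encrypting template: an ICMP "fragmentation needed" sent by
#        the hAP (src 192.168.88.1) to a LAN host (dst 192.168.88.x) would otherwise
#        match "src 192.168.88.0/24 -> dst 0.0.0.0/0" and be sent down the tunnel,
#        and PMTUD on the LAN host would never learn the reduced MTU.
/ip ipsec policy add action=none src-address=192.168.88.0/24 dst-address=192.168.88.0/24 \
    comment="LAN-local traffic, incl. the hAP's own PMTUD ICMP, stays out of the tunnel"
/ip ipsec policy add group=ike2-grp proposal=ike2-prop template=yes \
    src-address=192.168.88.0/24 dst-address=0.0.0.0/0
/ip ipsec policy print        # the action=none entry must be listed before the template

# --- 4. Checks.
/ip ipsec active-peers print
/ip ipsec installed-sa print  # the 'H' flag marks a hardware-offloaded SA; no 'H' means software crypto
# PMTUD probe through the tunnel, sourced from the LAN side so the policy matches.
# Lower 'size' until the ping gets through to find the usable tunnel MTU.
/ping 10.0.0.1 src-address=192.168.88.1 do-not-fragment size=1400 count=3
```

The policy pair is the part worth keeping even if you leave the algorithms alone: with only the catch-all encrypt policy in place, a stable tunnel can still hide the fact that LAN hosts never receive the router's fragmentation-needed replies, which shows up as stalled large transfers rather than as an outright failure.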
Thanks for the help! I did wonder about the hardware acceleration being unlikely but I couldn’t quite tell based on the specs.
Appreciate the points on MTU, especially the ICMP related traffic; I’d never have thought of that! With that said, the connection seems stable and reliable, so it may well be doing things reasonably well as-is. I will check that thread out, looks very helpful.