I installed NordVPN and my traffic drops from 1GB/s to 15-70MB/s max

Hello folks,

A few days ago I purchased a Mikrotik hAP ax³ and am configuring it with Adguard DNS + NordVPN. However, when I enable NordVPN my speed is reduced by 80%. Any idea what I am doing wrong?

I tried the normal config: speed goes up to 1.2GB/s, with the VPN active 80Mb/s. I just followed their guidelines; there are no other configs running. Searching the forum, I also entered the commands below, but they didn't help:

[admin@MikroTik] > /ip firewall mangle add action=mark-connection chain=forward ipsec-policy=out,ipsec new-connection-mark=ipsec
[admin@MikroTik] > /ip firewall mangle add action=mark-connection chain=forward ipsec-policy=in,ipsec new-connection-mark=ipsec
[admin@MikroTik] > /ip firewall filter add action=fasttrack-connection chain=forward connection-mark=!ipsec connection-state=established
[admin@MikroTik] > /ip ipsec policy
[admin@MikroTik] /ip/ipsec/policy> move *ffffff destination=0
[admin@MikroTik] /ip/ipsec/policy> add action=none dst-address=192.168.88.0/24 src-address=0.0.0.0/0 place-before=1
[admin@MikroTik] /ip/ipsec/policy> /ip firewall mangle
[admin@MikroTik] /ip/firewall/mangle> /ip firewall mangle add action=change-mss chain=postrouting src-address-list=local connection-state=new log-prefix=MSS new-mss=1372 passthrough=yes protocol=tcp tcp-flags=syn



ISP connection type (fiber), all ports on the router are in Bridge Mode.
Topology: ISP → MikroTik → Unmanaged Switch → LAN devices
Configured: Adguard DNS + NordVPN IPsec/IKEv2

[admin@MikroTik] > /ip ipsec export

2025-05-10 14:57:53 by RouterOS 7.18.2

model = C53UiG+5HPaxD2HPaxD

/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=local
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=se594.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN policy-template-group=NordVPN username=##
/ip ipsec policy
add action=none dst-address=192.168.88.0/24 src-address=0.0.0.0/0
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes

/ip firewall address-list
add address=192.168.88.0/24 list=local
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=fasttrack-connection chain=forward connection-mark=!ipsec connection-state=established hw-offload=yes
/ip firewall mangle
add action=mark-connection chain=forward ipsec-policy=out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward ipsec-policy=in,ipsec new-connection-mark=ipsec
add action=change-mss chain=postrouting connection-state=new log-prefix=MSS new-mss=1372 protocol=tcp src-address-list=local tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

/interface bridge
add admin-mac=## auto-mac=no comment=defconf name=bridge
/interface bridge filter
add action=drop chain=forward in-interface=wifi3
add action=drop chain=forward out-interface=wifi3

wifi4 not ready

in/out-bridge-port matcher not possible when interface (wifi4) is not slave

add action=drop chain=forward in-interface=wifi4

wifi4 not ready

in/out-bridge-port matcher not possible when interface (wifi4) is not slave

add action=drop chain=forward out-interface=wifi4
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=bridge interface=wifi3
add bridge=bridge interface=wifi4


Appreciate your help. Thanks.
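
An ordering check over the forward-chain and mangle rules in the export above, as an added example that is not part of the original post: it reports whether both IPsec directions are marked and whether the fasttrack rule can be reached at all. `parse` and `audit` are hypothetical helper names, and the sample input leaves out the `comment=` fields and the drop rules.

```python
import shlex

# Constructed input: rules taken from the export in the post, one rule per line.
EXPORT = """\
/ip firewall filter
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=accept chain=forward connection-state=established,related,untracked
add action=fasttrack-connection chain=forward connection-mark=!ipsec connection-state=established hw-offload=yes
/ip firewall mangle
add action=mark-connection chain=forward ipsec-policy=out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward ipsec-policy=in,ipsec new-connection-mark=ipsec
"""

def parse(export):
    """Return {menu: [rule, ...]}; list order is export (evaluation) order."""
    menus, menu = {}, None
    for line in export.splitlines():
        if line.startswith("/"):
            menu = line.strip()
            menus.setdefault(menu, [])
        elif line.startswith("add ") and menu:
            pairs = (t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            menus[menu].append(dict(pairs))
    return menus

def audit(export):
    """Hypothetical helper: findings about the fasttrack and ipsec-mark rules."""
    menus, findings = parse(export), []
    forward = [r for r in menus.get("/ip firewall filter", []) if r.get("chain") == "forward"]
    marked = {r.get("ipsec-policy") for r in menus.get("/ip firewall mangle", [])
              if r.get("new-connection-mark") == "ipsec"}
    findings += [f"no mangle rule marks {p} connections"
                 for p in ("in,ipsec", "out,ipsec") if p not in marked]
    for i, rule in enumerate(forward):
        if rule.get("action") != "fasttrack-connection":
            continue
        if rule.get("connection-mark") != "!ipsec":
            findings.append("fasttrack rule does not exclude ipsec-marked connections")
        for prev in forward[:i]:
            states = prev.get("connection-state", "").split(",")
            # An earlier accept matching on state alone ends processing for the packet.
            if (prev.get("action") == "accept" and "established" in states
                    and set(prev) <= {"action", "chain", "connection-state", "comment"}):
                findings.append("fasttrack rule is shadowed by an earlier accept of established traffic")
                break
    return findings

print(audit(EXPORT))
```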