IPSEC asymmetry in bandwidth test over wireless link

Hello,

We have established a wireless link between two buildings (range 600m) using Mikrotik Dynadish 5 over the 802.11ac protocol. These two ends (Dynadish 5) are connected by wire to two corresponding Mikrotik routers (RB2011UiAS-2HnD-IN and RB2011UiAS-RM). We have access to each subnet behind RB2011UiAS-2HnD-IN and RB2011UiAS-RM, and when we test with the bandwidth tester iperf, we get almost ideal symmetric bandwidth results (approximately 250Mbps in TCP testing for each direction).
In the next step we establish an IPSEC tunnel between the two routers, RB2011UiAS-2HnD-IN and RB2011UiAS-RM, through the wireless link. Please see below the settings for each side of the IPSEC tunnel.
Wireless-link-IPSEC.jpg
When we test for bandwidth over IPSEC, results are significantly lower than in the no-IPSEC case; however, this is expected.
We would welcome any suggestions on more advanced hardware with on-board hardware encryption capabilities that could support many IPSEC tunnels without significant degradation of performance in terms of bandwidth.

Furthermore, we would like to make some tests in order to verify that all the traffic through the wireless link is encrypted in the IPSEC tunnel. Is there any possibility that traffic could be transmitted outside the IPSEC tunnel?

The IPSEC tunnel is established from one end (RB2011UiAS-2HnD-IN) to the other end (RB2011UiAS-RM) through the wireless link between the two Dynadish 5. We are really troubled since we obtain completely asymmetric bandwidth results. From one end to the other we obtain approximately 140-150Mbps, but when we test the opposite direction we obtain results approximately in the range of 10-15Mbps. All bandwidth tests take place with 2 PCs in the two corresponding subnets. On one side of the link, the Dynadish and RB2011UiAS-RM are upgraded to the latest RouterOS version (6.37.1), but on the other side we have the previous version (6.36).
As we understand it, there seems to be a firewall fasttrack issue, because when we enable fasttrack on one side and disable it on the other, the results are the opposite but still highly asymmetric.

Another issue is somehow connected: when we establish the IPSEC tunnel, we cannot get access to the Mikrotik end of the IPSEC tunnel on the other side. Winbox seems to try to connect but eventually it does not. And the weird thing is that when we run network monitoring software (PRTG) on the 10.113.1.0/24 side to monitor link conditions and router status, we collect data via SNMP from every router (RB2011UiAS-2HnD-IN with 10.113.1.252, Dynadish 10.113.1.253, RB2011UiAS-RM 10.13.49.168) but we receive an error message from the router Dynadish 10.13.49.169 (SNMP is enabled and tested without the IPSEC tunnel).

Any suggestions would be welcome.
Dynadish-10.13.49.169.JPG
Dynadish-10.113.1.252.JPG
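
On the question of testing whether anything crosses the wireless link outside the tunnel, here is an added example (not part of the original post, and not Mikrotik code): it classifies raw IPv4 packets from a capture taken on the wireless segment and lists every packet that is neither ESP/AH nor IKE. It assumes the two routers' addresses from the post are the tunnel peers; the helper names and the sample packets are constructed for illustration.

```python
import socket
import struct
from collections import Counter

IPSEC_PROTOS = {50: "esp", 51: "ah"}  # AH authenticates but does not encrypt
UDP = 17

def classify(pkt: bytes) -> str:
    """Classify one raw IPv4 packet (Ethernet header already stripped)."""
    if len(pkt) < 20 or (pkt[0] >> 4) != 4 or (pkt[0] & 0x0F) < 5:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto in IPSEC_PROTOS:
        return IPSEC_PROTOS[proto]
    first_fragment = (struct.unpack("!H", pkt[6:8])[0] & 0x1FFF) == 0
    if proto == UDP and first_fragment and len(pkt) >= ihl + 4:
        ports = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if 500 in ports:
            return "ike"
        if 4500 in ports:
            return "nat-t"  # IKE or ESP-in-UDP when NAT traversal is in use
    return "cleartext"

def audit(packets):
    """Return (Counter of classes, [(src, dst, proto)] for packets in the clear)."""
    counts, leaks = Counter(), []
    for pkt in packets:
        kind = classify(pkt)
        counts[kind] += 1
        if kind == "cleartext":
            leaks.append((socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9]))
    return counts, leaks

def ipv4(src, dst, proto, payload=b""):
    # Minimal IPv4 header (checksum left at 0), enough for the sample below.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

def udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

# Constructed sample: router addresses are from the post, the .10/.20 hosts are made up.
SAMPLE = [
    ipv4("10.113.1.252", "10.13.49.168", 50, b"\x00" * 16),     # ESP, router to router
    ipv4("10.113.1.252", "10.13.49.168", UDP, udp(500, 500)),   # IKE negotiation
    ipv4("10.113.1.10", "10.13.49.20", 6, b"\x00" * 20),        # TCP outside the tunnel
    ipv4("10.113.1.10", "10.13.49.169", UDP, udp(40000, 161)),  # SNMP outside the tunnel
]
```

Calling `audit(SAMPLE)` returns the per-class counts and the list of cleartext flows; on a real capture, management traffic addressed to the radios themselves may legitimately show up as cleartext if it is not covered by the IPsec policy.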