Hi guys,
Some time ago I made myself a nice present, the RB4011IGS-5HACQ2HND-IN as a home router (4 cores, 1GB RAM, IPSec acceleration, etc.).
I bought it to, among other things, make good use of the onboard IPSec acceleration.
Recently I started tinkering with NordVPN and wanted to redirect most of my traffic thru that provider. They made IPSec with IKEv2 available, so I simply used this official Mikrotik manual:
https://wiki.mikrotik.com/wiki/IKEv2_EAP_between_NordVPN_and_RouterOS
It worked.
Having my firewall set up as it came from factory, I stumbled upon some initial problems with VPN speeds, which were ridiculously slow (like 1 Mbps), but I managed to find out that it’s because IPSec traffic is by default put through the fasttrack channel.
Using this advice:
- http://forum.mikrotik.com/t/nordvpn-extremely-slow/140424/2
- http://forum.mikrotik.com/t/privateinternetaccess-com-ipsec-ike2-config-with-port-forwarding/131568/1
I managed to get the IPSec traffic out of the fasttrack which improved the overall situation, but…
Now we’re getting into the problem mentioned in the topic:
Whatever I do with my firewall rules, I can’t achieve VPN speeds that are faster than 42/5 Mbps with my Mikrotik. My WAN is capable of 250/20 Mbps, and I checked the NordVPN link I’m using by setting up another connection, directly from my PC (Windows can do IKEv2 by default) to the VPN server. Well, the VPN connection established that way was easily able to max out my WAN capacity.
I was trying to ponder the problem in multiple ways so far: I tried to disable fasttrack completely, I excluded IPSec traffic from fasttrack (leaving it active) by identifying it in Mangle, I’ve been switching encryption settings for IPSec from very casual up to AES-256 - which seems to have no impact on the performance. At one point I even tested a scenario with ALL my firewall rules switched off - that doesn’t help either.
My software is up to date with the stable release.
It’s not going to be a secret that I’m a master of neither the Mikrotik platform nor iptables, but considering that my firewall rules are almost identical with factory defaults (with the exception of 2 rules for port redirection and the previously mentioned modification of fasttrack excluding IPSec traffic), the device according to the manufacturer is capable of hardware accelerated IPSec with 1-2 Gbps depending on multiple factors, the processor utilisation while using NordVPN is 0-1%, the VPN provider has been confirmed as capable of delivering far more than 42 Mbps… You see where I’m going with this.
It’s kind of hard to believe that it’s the VPN provider’s fault…
What am I missing? It’s hard to believe the kind of powerful device I’ve bought is so limited in its performance.
I was digging through the forum but didn’t find anything despite a bunch of posts referring to the problem of IPSec traffic going to fasttrack by default, which limits the VPN speed to a ridiculous ca. 1 Mbps and makes it unresponsive. But that’s not my case.
If you have any idea of what’s going on here please help. I’m getting seriously frustrated with this case.
Other than the speed issue I don’t have any problems with the VPN link to Nord.
I didn’t touch anything else regarding my config, I never had any MTU issues, etc.