IPsec VPN Mikrotik - Sonicwall not using full internet speed

mihazitko · October 7, 2024, 11:17am

I have a problem with upload internet speed over IPsec VPN between two points.

Point A has a SONICWALL TZ500 with SonicOS 6.5 and 100/100 Mbps intenet line.
Point B has a Mikrotik RB4011iGS+ with internet line300/90 Mbps.

My VPN is set up and working, internet speed from point B to point A is 73MBps according to IPERF and if I copy a file over the VPN it shows about the same. But in direction from A to B the speed is only 11MBps. I tested with IPERF over internet without VPN directly from A to B and speed is 94MBps.

I have no idea, what is wrong and why A-B speed is so slow. Can anybody suggest a solution?

This is my Mikrotik config:

# 2024-10-07 12:50:54 by RouterOS 7.16
# software id = **ELIDED**
#
# model = RB4011iGS+
# serial number = **ELIDED**
/interface bridge
add admin-mac=AA:AA:AA:AA:AA:AA auto-mac=no fast-forward=no name=B-LAN \
    port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=1-WAN
set [ find default-name=ether2 ] name=2-LAN1
set [ find default-name=ether3 ] name=3-LAN2
set [ find default-name=ether4 ] name=4-LAN3
set [ find default-name=ether5 ] name=5-LAN4
set [ find default-name=ether6 ] name=6-LAN5
set [ find default-name=ether7 ] name=7-LAN6
set [ find default-name=ether8 ] name=8-LAN7
set [ find default-name=ether9 ] name=9-LAN8
set [ find default-name=ether10 ] name=10-LAN9
/interface pppoe-client
add add-default-route=yes disabled=no interface=1-WAN name=FTTH \
    use-peer-dns=yes user=
/interface vlan
add interface=B-LAN name=VLAN80 vlan-id=80
add interface=B-LAN name=VLAN50 vlan-id=50
add interface=B-LAN name=VLAN40 vlan-id=40
add interface=B-LAN name=VLAN10 vlan-id=10
add interface=B-LAN name=VLAN60 vlan-id=60
add interface=B-LAN name=VLAN20 vlan-id=20
add interface=B-LAN name=VLAN70 vlan-id=70
add interface=B-LAN name=USERS vlan-id=30
/interface bonding
add name=Switch_bond slaves=9-LAN8,10-LAN9
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
add address=193.189.168.2/32 exchange-mode=ike2 name=COMPANYFTTH
add address=188.199.133.37/32 exchange-mode=ike2 name=COMPANYLTE
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=dhcp_pool_VLAN10 ranges=10.10.10.50-10.10.10.55
add name=dhcp_pool_VLAN20 ranges=10.10.20.50-10.10.20.150
add name=dhcp_pool_USERS ranges=10.10.30.50-10.10.30.250
add name=dhcp_pool_VLAN40 ranges=10.10.40.50-10.10.40.150
add name=dhcp_pool_VLAN50 ranges=10.10.50.50-10.10.50.150
add name=dhcp_pool_VLAN60 ranges=10.10.60.50-10.10.60.150
add name=dhcp_pool_VLAN70 ranges=10.10.70.50-10.10.70.150
add name=dhcp_pool_VLAN80 ranges=10.10.80.50-10.10.80.150
/ip dhcp-server
add address-pool=dhcp_pool_VLAN10 interface=VLAN10 lease-time=1w1d name=dhcp_VLAN10
add address-pool=dhcp_pool_VLAN20 interface=VLAN20 lease-time=1w1d name=\
    dhcp_VLAN20
add address-pool=dhcp_pool_USERS interface=USERS lease-time=1w1d name=\
    dhcp_USERS
add address-pool=dhcp_pool_VLAN40 interface=VLAN40 lease-time=1w1d name=\
    dhcp_VLAN40
add address-pool=dhcp_pool_VLAN50 interface=VLAN50 lease-time=1w1d name=\
    dhcp_VLAN50
add address-pool=dhcp_pool_VLAN60 interface=VLAN60 lease-time=1w1d name=\
    dhcp_VLAN60
add address-pool=dhcp_pool_VLAN70 interface=VLAN70 lease-time=1w1d name=\
    dhcp_VLAN70
add address-pool=dhcp_pool_VLAN80 interface=VLAN80 lease-time=1w1d name=\
    dhcp_VLAN80
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=B-LAN interface=3-LAN2 internal-path-cost=10 path-cost=10 pvid=10
add bridge=B-LAN interface=4-LAN3 internal-path-cost=10 path-cost=10 pvid=30
add bridge=B-LAN interface=5-LAN4 internal-path-cost=10 path-cost=10 pvid=30
add bridge=B-LAN interface=6-LAN5 internal-path-cost=10 path-cost=10 pvid=30
add bridge=B-LAN interface=7-LAN6 internal-path-cost=10 path-cost=10 pvid=30
add bridge=B-LAN interface=8-LAN7 internal-path-cost=10 path-cost=10 pvid=30
add bridge=B-LAN interface=2-LAN1 internal-path-cost=10 path-cost=10 pvid=10
add bridge=B-LAN interface=Switch_bond internal-path-cost=10 path-cost=10 \
    pvid=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=B-LAN tagged=B-LAN,Switch_bond untagged=3-LAN2 vlan-ids=10
add bridge=B-LAN tagged=B-LAN,Switch_bond untagged=4-LAN3 vlan-ids=30
add bridge=B-LAN tagged=B-LAN,Switch_bond vlan-ids=20
add bridge=B-LAN tagged=B-LAN,Switch_bond vlan-ids=40
add bridge=B-LAN tagged=B-LAN,Switch_bond vlan-ids=50
add bridge=B-LAN tagged=B-LAN,Switch_bond vlan-ids=60
add bridge=B-LAN tagged=B-LAN,Switch_bond vlan-ids=70
add bridge=B-LAN tagged=B-LAN,Switch_bond vlan-ids=80
/interface list member
add interface=1-WAN list=WAN
add interface=PROVIDER-ADSL list=WAN
add interface=B-LAN list=LAN
add interface=VLAN10 list=LAN
add interface=VLAN20 list=LAN
add interface=USERS list=LAN
add interface=VLAN40 list=LAN
add interface=VLAN50 list=LAN
add interface=VLAN60 list=LAN
add interface=VLAN70 list=LAN
add interface=VLAN80 list=LAN
/ip address
add address=10.10.10.1/24 interface=VLAN10 network=10.10.10.0
add address=10.10.20.1/24 interface=VLAN20 network=10.10.20.0
add address=10.10.30.1/24 interface=USERS network=10.10.30.0
add address=10.10.40.1/24 interface=VLAN40 network=10.10.40.0
add address=10.10.50.1/24 interface=VLAN50 network=10.10.50.0
add address=10.10.60.1/24 interface=VLAN60 network=10.10.60.0
add address=10.10.70.1/24 interface=VLAN70 network=10.10.70.0
add address=10.10.80.1/24 interface=VLAN80 network=10.10.80.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server lease
add address=10.10.30.100 mac-address=10:7C:61:1F:D4:35
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=10.10.10.1,8.8.8.8,1.1.1.1 gateway=\
    10.10.10.1 ntp-server=193.2.1.117
add address=10.10.20.0/24 dns-server=10.10.20.30,10.10.20.1,8.8.8.8,1.1.1.1 \
    domain=zitko.ml gateway=10.10.20.1
add address=10.10.30.0/24 dns-server=10.10.20.30,10.10.30.1 domain=zitko.ml \
    gateway=10.10.30.1 ntp-server=10.10.20.30
add address=10.10.40.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=10.10.40.1 \
    ntp-server=193.2.1.117
add address=10.10.50.0/24 dns-server=10.10.20.30,10.10.50.1,8.8.8.8,1.1.1.1 \
    gateway=10.10.50.1 ntp-server=193.2.1.117
add address=10.10.60.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=10.10.60.1
add address=10.10.70.0/24 dns-server=10.10.70.1,8.8.8.8,1.1.1.1 gateway=\
    10.10.70.1 ntp-server=193.2.1.117
add address=10.10.80.0/24 dns-server=10.10.80.1 gateway=10.10.80.1 \
    ntp-server=10.10.80.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=wan1.company.si comment="COMPANY FTTH TK" list=dostop_admini
add address=wan2.company.si comment="COMPANY LTE TK" list=dostop_admini
add address=wan1.castel.si comment="Castel - administrator" list=\
    dostop_admini
add address=192.168.121.0/24 comment="COMPANY old net" list=dostop_admini
add address=10.110.2.0/24 comment="COMPANY sever net" list=dostop_admini
add address=10.110.5.0/24 comment="COMPANY user net" list=dostop_admini
add address=10.10.10.0/24 list=lokalna_omrezja
add address=10.10.20.0/24 list=lokalna_omrezja
add address=10.10.30.0/24 list=lokalna_omrezja
add address=10.10.40.0/24 list=lokalna_omrezja
add address=10.10.50.0/24 list=lokalna_omrezja
add address=10.10.60.0/24 list=lokalna_omrezja
add address=10.10.70.0/24 list=lokalna_omrezja
add address=10.10.80.0/24 list=lokalna_omrezja
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input protocol=tcp src-address-list=USERS src-port=53
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-port=8291 in-interface-list=WAN protocol=\
    tcp src-address-list=dostop_admini
add action=accept chain=input in-interface-list=WAN src-address-list=\
    dostop_admini
add action=accept chain=input dst-address=127.0.0.1
add action=drop chain=input in-interface-list=!LAN
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=accept chain=forward connection-state=\
    established,related,untracked
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
    new in-interface-list=WAN
add action=drop chain=forward dst-address-list=VLAN10 src-address-list=VLAN40
add action=drop chain=forward dst-address-list=VLAN20 src-address-list=\
    VLAN40
add action=drop chain=forward dst-address-list=USERS src-address-list=VLAN40
add action=drop chain=forward dst-address-list=VLAN50 src-address-list=\
    VLAN40
add action=drop chain=forward dst-address-list=VLAN60 src-address-list=\
    VLAN40
add action=drop chain=forward dst-address-list=VLAN70 src-address-list=\
    VLAN40
add action=drop chain=forward dst-address-list=VLAN80 src-address-list=VLAN40
add action=drop chain=forward dst-address-list=VLAN10 src-address-list=USERS
add action=drop chain=forward dst-address-list=VLAN40 src-address-list=USERS
add action=drop chain=forward dst-address-list=VLAN50 src-address-list=USERS
add action=drop chain=forward dst-address-list=VLAN60 src-address-list=USERS
add action=drop chain=forward dst-address-list=VLAN70 src-address-list=USERS
add action=drop chain=forward dst-address-list=VLAN80 src-address-list=USERS
add action=drop chain=forward dst-address-list=VLAN10 src-address-list=VLAN50
add action=drop chain=forward dst-address-list=VLAN20 src-address-list=\
    VLAN50
add action=drop chain=forward dst-address-list=USERS src-address-list=VLAN50
add action=drop chain=forward dst-address-list=VLAN40 src-address-list=\
    VLAN50
add action=drop chain=forward dst-address-list=VLAN60 src-address-list=\
    VLAN50
add action=drop chain=forward dst-address-list=VLAN70 src-address-list=\
    VLAN50
add action=drop chain=forward dst-address-list=VLAN80 src-address-list=VLAN50
add action=drop chain=forward dst-address-list=VLAN10 src-address-list=VLAN60
add action=drop chain=forward dst-address-list=VLAN20 src-address-list=\
    VLAN60
add action=drop chain=forward dst-address-list=USERS src-address-list=VLAN60
add action=drop chain=forward dst-address-list=VLAN40 src-address-list=\
    VLAN70
add action=drop chain=forward dst-address-list=VLAN50 src-address-list=\
    VLAN60
add action=drop chain=forward dst-address-list=VLAN60 src-address-list=\
    VLAN60
add action=drop chain=forward dst-address-list=VLAN70 src-address-list=\
    VLAN60
add action=drop chain=forward dst-address-list=VLAN80 src-address-list=VLAN60
add action=drop chain=forward dst-address-list=VLAN10 src-address-list=VLAN70
add action=drop chain=forward dst-address-list=VLAN20 src-address-list=\
    VLAN70
add action=drop chain=forward dst-address-list=USERS src-address-list=VLAN70
add action=drop chain=forward dst-address-list=VLAN40 src-address-list=\
    VLAN70
add action=drop chain=forward dst-address-list=VLAN50 src-address-list=\
    VLAN70
add action=drop chain=forward dst-address-list=VLAN60 src-address-list=\
    VLAN70
add action=drop chain=forward dst-address-list=VLAN80 src-address-list=VLAN70
add action=drop chain=forward dst-address-list=VLAN10 src-address-list=VLAN80
add action=drop chain=forward dst-address-list=VLAN20 src-address-list=VLAN80
add action=drop chain=forward dst-address-list=USERS src-address-list=VLAN80
add action=drop chain=forward dst-address-list=VLAN40 src-address-list=VLAN80
add action=drop chain=forward dst-address-list=VLAN50 src-address-list=VLAN80
add action=drop chain=forward dst-address-list=VLAN60 src-address-list=VLAN80
add action=drop chain=forward dst-address-list=VLAN70 src-address-list=VLAN80
add action=drop chain=input comment="Drop SSH Brute Forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
add action=drop chain=input comment="Drop FTP Brute Forcers" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
add action=add-src-to-address-list address-list=ftp_blacklist \
    address-list-timeout=1d chain=input connection-state=new dst-port=21 \
    protocol=tcp src-address-list=ftp_stage3
add action=add-src-to-address-list address-list=ftp_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=21 \
    protocol=tcp src-address-list=ftp_stage2
add action=add-src-to-address-list address-list=ftp_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=21 \
    protocol=tcp src-address-list=ftp_stage1
add action=add-src-to-address-list address-list=ftp_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=21 \
    protocol=tcp
add action=drop chain=input comment="Drop Telnet Brute Forcers" dst-port=23 \
    protocol=tcp src-address-list=telnet_blacklist
add action=add-src-to-address-list address-list=telnet_blacklist \
    address-list-timeout=1d chain=input connection-state=new dst-port=23 \
    protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=23 \
    protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=23 \
    protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=23 \
    protocol=tcp
/ip firewall mangle
add action=mark-connection chain=forward ipsec-policy=out,ipsec \
    new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward ipsec-policy=in,ipsec \
    new-connection-mark=ipsec passthrough=yes
add action=change-mss chain=forward new-mss=1360 passthrough=yes protocol=tcp \
    src-address-list=under_vpn tcp-flags=syn tcp-mss=!0-1360
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.121.0/24 src-address=\
    10.10.80.0/24
add action=accept chain=srcnat dst-address=192.168.121.0/24 src-address=\
    10.10.20.0/24
add action=accept chain=srcnat dst-address=10.110.1.0/24 src-address=\
    10.10.80.0/24
add action=accept chain=srcnat dst-address=10.10.80.0/24 src-address=\
    192.168.121.0/24
add action=accept chain=srcnat dst-address=10.10.20.0/24 src-address=\
    192.168.121.0/24
add action=accept chain=srcnat dst-address=10.10.80.0/24 src-address=\
    10.110.1.0/24
add action=dst-nat chain=dstnat dst-port=56001 in-interface=PROVIDER-ADSL \
    protocol=tcp to-addresses=10.10.20.10 to-ports=3389
add action=dst-nat chain=dstnat dst-port=56002 in-interface=PROVIDER-ADSL \
    protocol=tcp to-addresses=10.10.20.11 to-ports=3389
add action=dst-nat chain=dstnat dst-port=56003 in-interface=PROVIDER-ADSL \
    protocol=tcp to-addresses=10.10.20.30 to-ports=3389
add action=dst-nat chain=dstnat dst-port=56007 in-interface=PROVIDER-ADSL \
    protocol=tcp to-addresses=10.10.40.100 to-ports=3389
add action=dst-nat chain=dstnat dst-port=56006 in-interface=PROVIDER-ADSL \
    protocol=tcp to-addresses=10.10.20.50 to-ports=3389
add action=dst-nat chain=dstnat dst-port=56005 in-interface=PROVIDER-ADSL \
    protocol=tcp to-addresses=10.10.20.40 to-ports=3389
add action=dst-nat chain=dstnat dst-port=56004 in-interface=PROVIDER-ADSL \
    protocol=tcp to-addresses=10.10.30.40 to-ports=3389
add action=dst-nat chain=dstnat dst-port=56009 in-interface=PROVIDER-ADSL \
    protocol=tcp to-addresses=10.10.30.100 to-ports=3389
add action=masquerade chain=srcnat out-interface=PROVIDER-ADSL
/ip firewall raw
add action=drop chain=prerouting dst-address-list=VLAN10 src-address-list=\
    VLAN60
add action=drop chain=prerouting dst-address-list=VLAN20 src-address-list=\
    VLAN60
add action=drop chain=prerouting dst-address-list=USERS src-address-list=\
    VLAN60
add action=drop chain=prerouting dst-address-list=VLAN40 src-address-list=\
    VLAN60
add action=drop chain=prerouting dst-address-list=VLAN50 src-address-list=\
    VLAN60
add action=drop chain=prerouting dst-address-list=VLAN80 src-address-list=\
    VLAN60
add action=drop chain=prerouting dst-address-list=VLAN70 src-address-list=\
    VLAN60
/ip ipsec identity
add peer=COMPANYFTTH
add peer=COMPANYLTE
/ip ipsec policy
add dst-address=10.110.1.0/24 peer=COMPANYFTTH src-address=10.10.80.0/24 \
    tunnel=yes
add dst-address=192.168.121.0/24 level=unique peer=COMPANYFTTH src-address=\
    10.10.80.0/24 tunnel=yes
add dst-address=192.168.121.0/24 level=unique peer=COMPANYFTTH src-address=\
    10.10.20.0/24 tunnel=yes
add disabled=yes dst-address=10.110.1.0/24 peer=COMPANYLTE src-address=\
    10.10.80.0/24 tunnel=yes
add disabled=yes dst-address=192.168.121.0/24 level=unique peer=COMPANYLTE \
    src-address=10.10.80.0/24 tunnel=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall filter
add action=drop chain=forward
add action=drop chain=input
add action=drop chain=output
/system clock
set time-zone-name=Europe/Ljubljana
/system identity
set name=ZITKO-MIKROTIK
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=193.2.1.117
add address=193.2.1.92
/system routerboard settings
set enter-setup-on=delete-key silent-boot=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Sonicwall settings for VPN:

https://www.dropbox.com/scl/fi/j9mwaqpkyil6p7phc9rkc/SW_conf2.jpg?rlkey=idww6i9ddctzg8353a0gfisp6&dl=0

https://www.dropbox.com/scl/fi/7a37dtezsuytgtxod3r9i/SW_conf1.jpg?rlkey=u4egz298vtohcmsdwedgl7eai&dl=0

rplant · October 8, 2024, 10:34am

You could perhaps try you iperf (I assume iperf3) With the -V and -M options.

Using custom/reduced MSS settings to see if it is perhaps something to do with reduced MTU at one end due to pppoe.
And add an appropriate mss adjustment rule if it helps

mihazitko · October 21, 2024, 1:32pm

So I did a few more tests.

I changed point A to another Mikrotik RB4011iGS+ on 100/100 Mbps intenet line. (instead of SONICWALL TZ500 with SonicOS 6.5 and 100/100 Mbps intenet line)
Point B has a Mikrotik RB4011iGS+ with internet line300/90 Mbps.

The result was the same. Speed between clients over IPsec was OK in one direction but only 1/10th of internet speed to another.

So I tested some more: I put both Mikrotik RB4011iGS+'s in test enviroment, on same switch no internet connection between themand created IPsec: while testing with iperf the speed was about 450Mbps/sec both ways I concluded that my IPsec config is OK. I again tested with same IPsec config on internet and again the speed decreses.

I think it has something to do with MTU, but I don’t know how to set it up correctly. Any ideas?

This is my config in test enviroment for both routers:

RUTER A
/system identity set name=TEST_A
/user set admin password=
/user add name=companyadmin group=full password=

/interface list add name=WAN
/interface list add name=LAN

/interface set 0 name=1-WAN
/interface set 1 name=2-LAN1

/ip address add address=192.168.10.5 \ netmask=255.255.255.0 interface=1-WAN
/ip route add gateway=192.168.10.1
/ip dns set allow-remote-requests=yes servers 

/interface bridge add admin-mac=D4:01:C3:17:E4:B3 auto-mac=no fast-forward=no name=B-LAN vlan-filtering=yes

/interface vlan add vlan-id=10 interface=B-LAN name=MGMT

/ip cloud set ddns-enabled=yes
/ip dns set allow-remote-requests=yes

/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set ssh disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes

/system ntp client set enabled=yes
/system ntp client servers add address=193.2.1.117
/system ntp client servers add address=193.2.1.92
/system clock set time-zone-name=Europe/Ljubljana
/ipv6 settings set disable-ipv6=yes

/interface list member add interface=B-LAN list=LAN
/interface list member add interface=MGMT list=LAN
/ip neighbor discovery-settings set discover-interface-list=LAN

/ip dns static add address=10.100.10.1 name=router.lan
/ip address add address=10.100.10.1 \ netmask=255.255.255.0 interface=MGMT
/ip dhcp-server network add address=10.100.10.0/24 gateway=10.100.10.1 dns-server=10.100.10.1
/ip pool add name=dhcp_pool_MGMT ranges=10.100.10.10-10.100.10.15
/ip dhcp-server add address-pool=dhcp_pool_MGMT disabled=no interface=MGMT name=dhcp_MGMT lease-time=8d

/interface list member add interface=1-WAN list=WAN
/interface list member add interface=B-LAN list=LAN
/interface list member add interface=MGMT list=LAN
/ip neighbor discovery-settings set discover-interface-list=LAN


/interface bridge vlan add bridge=B-LAN tagged=B-LAN vlan-ids=10
/interface bridge port add bridge=B-LAN interface=2-LAN1 pvid=10
/interface bridge vlan add bridge=B-LAN untagged=2-LAN1 vlan-ids=10

/ip firewall nat add action=accept chain=srcnat dst-address=10.100.20.0/24 src-address=10.100.10.0/24
/ip firewall nat add action=accept chain=srcnat dst-address=10.100.10.0/24 src-address=10.100.20.0/24
/ip firewall mangle add action=mark-connection chain=forward ipsec-policy=out,ipsec new-connection-mark=ipsec
/ip firewall mangle add action=mark-connection chain=forward ipsec-policy=in,ipsec new-connection-mark=ipsec
/ip ipsec profile add name=profile1 dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256
/ip ipsec peer add address=192.168.10.6 profile=profile1 exchange-mode=ike2 name=peer-to-router-a
/ip ipsec identity add peer=peer-to-router-a secret="YourSecretPSK"
/ip ipsec policy add src-address=10.100.10.0/24 dst-address=10.100.20.0/24 tunnel=yes sa-src-address=192.168.10.6 sa-dst-address=192.168.10.5 peer=peer-to-router-a

/ip firewall nat add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=1-WAN

RUTER B

/system identity set name=TEST_B
/user set admin password=
/user add name=companyadmin group=full password=

/interface list add name=WAN
/interface list add name=LAN

/interface set 0 name=1-WAN
/interface set 1 name=2-LAN1

/ip address add address=192.168.10.6 \ netmask=255.255.255.0 interface=1-WAN
/ip route add gateway=192.168.10.1
/ip dns set allow-remote-requests=yes servers 

/interface bridge add admin-mac=78:9A:18:DC:CB:FD auto-mac=no fast-forward=no name=B-LAN vlan-filtering=yes

/interface vlan add vlan-id=10 interface=B-LAN name=MGMT

/ip cloud set ddns-enabled=yes
/ip dns set allow-remote-requests=yes

/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set ssh disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes

/system ntp client set enabled=yes
/system ntp client servers add address=193.2.1.117
/system ntp client servers add address=193.2.1.92
/system clock set time-zone-name=Europe/Ljubljana
/ipv6 settings set disable-ipv6=yes

/interface list member add interface=B-LAN list=LAN
/interface list member add interface=MGMT list=LAN
/ip neighbor discovery-settings set discover-interface-list=LAN

/ip dns static add address=10.100.20.1 name=router.lan
/ip address add address=10.100.20.1 \ netmask=255.255.255.0 interface=MGMT
/ip dhcp-server network add address=10.100.20.0/24 gateway=10.100.20.1 dns-server=10.100.20.1
/ip pool add name=dhcp_pool_MGMT ranges=10.100.20.10-10.100.20.15
/ip dhcp-server add address-pool=dhcp_pool_MGMT disabled=no interface=MGMT name=dhcp_MGMT lease-time=8d

/interface list member add interface=1-WAN list=WAN
/interface list member add interface=B-LAN list=LAN
/interface list member add interface=MGMT list=LAN
/ip neighbor discovery-settings set discover-interface-list=LAN

/interface bridge vlan add bridge=B-LAN tagged=B-LAN vlan-ids=10
/interface bridge port add bridge=B-LAN interface=2-LAN1 pvid=10
/interface bridge vlan add bridge=B-LAN untagged=2-LAN1 vlan-ids=10


/ip firewall nat add action=accept chain=srcnat dst-address=10.100.20.0/24 src-address=10.100.10.0/24
/ip firewall nat add action=accept chain=srcnat dst-address=10.100.10.0/24 src-address=10.100.20.0/24
/ip firewall mangle add action=mark-connection chain=forward ipsec-policy=out,ipsec new-connection-mark=ipsec
/ip firewall mangle add action=mark-connection chain=forward ipsec-policy=in,ipsec new-connection-mark=ipsec
/ip ipsec profile add name=profile1 dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256
/ip ipsec peer add address=192.168.10.5 profile=profile1 exchange-mode=ike2 name=peer-to-router-a
/ip ipsec identity add peer=peer-to-router-a secret="YourSecretPSK"
/ip ipsec policy add src-address=10.100.20.0/24 dst-address=10.100.10.0/24 tunnel=yes sa-src-address=192.168.10.6 sa-dst-address=192.168.10.5 peer=peer-to-router-a

/ip firewall nat add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=1-WAN

Larsa · October 21, 2024, 1:55pm

You need to use an IPsec encryption setup that matches AES hardware offloading on both sides.

mihazitko · October 22, 2024, 6:38am

Thank you for your answer. Can you be more specific?

Larsa · October 22, 2024, 7:27am

If using two RB4011s works, check if the TZ500 could be the bottleneck and whether it supports hardware acceleration with AES-256. If not, you’ll need to find an encryption method that both sides can use with hardware acceleration. Take a look at the RB4011s (CPU AL21400) in this table: https://help.mikrotik.com/docs/spaces/ROS/pages/11993097/IPsec#IPsec-Hardwareacceleration

ToothyGardener · October 22, 2024, 12:11pm

It sounds like you’ve got a solid setup with the two RB4011s, but you might be onto something with the TZ500 potentially being the bottleneck. If it doesn’t support hardware acceleration for AES-256, that could definitely slow things down. I’d recommend checking the specifications of the TZ500 to see if it can handle that level of encryption efficiently. C4Yourself

If it turns out that the TZ500 isn’t up to par, you might want to explore alternative encryption methods that support hardware acceleration on both devices. The RB4011s look promising, especially with their AL21400 CPU. You can find more detailed performance metrics in the link you shared, which should help in determining the best configuration for your needs. Let me know what you find out!

Larsa · October 22, 2024, 1:06pm

Hey @ToothyGardener, thanks for that LLM-generated response that was pretty much just a reworded version of my last post, but with some extra fluff thrown in. (## SPAM warning ##)

NetWorker · October 22, 2024, 2:40pm

If the same setup works at 450 mbps both ways locally and you have ruled out issues with MTU, MSS, TTL, etc. then it’s likely a problem with one of the ISPs.

I’ve run into issues with an ISP at a customer’s remote office. We narrowed it down to it “probably” being a limitation of single connection or VPN protocol speeds at the ISP or it’s uplink. We contacted them on multiple occasions, explained the problem and only ever got a “we’ll look into it” in return. Thanks for nothing.

rplant · October 23, 2024, 6:39am

For testing,

You could perhaps attach a queue to the wan interface of the 4011,
(initially a cake queue)
Set it up with a max-limit of something less than 100Mbps, even maybe 50Mbps and packet-mark=no-mark, and see if that
shows up anything useful.