NordVPN...speeds limited at 20 mbps?

Hello everyone. After a couple months of frustration and clicking through every article I can find on using NordVPN with my MT, I’ve finally broken down to try and get some help. It seems like no matter what I do, my NordVPN connection pegs at 20 meg (on a good day). I’ve tried fasttrack, mangle rules, setting the whole thing up again, and my laptop is about to get flying lessons due to the frustration. Can someone take a look at the following config and see if there is something blatantly stupid I’m missing?

Thanks!

export hide-sensitive 
# 2023-10-02 21:41:57 by RouterOS 7.10.2
# software id = GTKA-36XW
#
# model = RB2011iL
# serial number = <removed>
# Physical ports are renamed by role; later sections refer to these names.
/interface ethernet
set [ find default-name=ether2 ] name=CHIPPERNET
set [ find default-name=ether5 ] name=IOT
set [ find default-name=ether1 ] name=LUMEN
set [ find default-name=ether3 ] name=STEMP
set [ find default-name=ether4 ] name=TV
# Disabled virtual-ethernet interface. It is the gateway of the (also disabled)
# default route in routing table nordvpn_blackhole.
/interface virtual-ethernet
add arp=enabled disabled=yes mac-address=02:00:28:58:DA:81 mtu=1500 name="test eth"
# Two VLANs on ether8; only vlan1 is later added to the LAN interface list.
/interface vlan
add interface=ether8 name=vlan1 vlan-id=80
add interface=ether8 name=vlan2 vlan-id=85
# WAN/LAN lists; membership is assigned under "/interface list member".
/interface list
add name=WAN
add name=LAN
# NOTE(review): the LTE APN and wireless security-profile entries only touch the
# default objects; no LTE or wireless interface is configured in this export.
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# IPsec client side of the NordVPN IKEv2 tunnel, plus a second IKEv2 peer (CABIN).
# mode-config: act as initiator (responder=no); src-address-list=TV selects which
# source addresses are sent through the tunnel.
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=TV
/ip ipsec peer
add address=<redacted> exchange-mode=ike2 name=CABIN
/ip ipsec policy group
add name=NordVPN
# The default profile is set to SHA-256. The NordVPN profile is added with no
# explicit algorithms, so it runs on defaults that a compact export does not print.
# NOTE(review): confirm the hash/encryption/DH group actually negotiated on the
# active peer rather than assuming it matches the default profile above.
/ip ipsec profile
set [ find default=yes ] hash-algorithm=sha256
add name=NordVPN
/ip ipsec peer
add address=us5938.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
# NOTE(review): the NordVPN proposal turns PFS off (pfs-group=none) and leaves its
# auth/enc algorithms at unprinted defaults; only the default proposal is pinned to
# sha256 / aes-256-cbc. Cipher choice also drives CPU load: check whether this
# board has IPsec hardware acceleration -- without it, tunnel throughput is bounded
# by the CPU, not by the ISP link.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc
add name=NordVPN pfs-group=none
# One DHCP pool and server per segment (CHIPPERNET, TV, IOT).
/ip pool
add name=CHIPPERNET-dhcp ranges=10.0.20.30-10.0.20.254
add comment=TV name=TV-dhcp ranges=10.0.100.10-10.0.100.100
add comment=IOT name=IOT-dhcp ranges=10.0.50.10-10.0.50.100
/ip dhcp-server
add address-pool=CHIPPERNET-dhcp interface=CHIPPERNET lease-time=10m name=dhcp1
add address-pool=TV-dhcp interface=TV name=dhcp2
add address-pool=IOT-dhcp interface=IOT lease-time=10m name=dhcp3
/port
set 0 name=serial0
# Extra routing table selected by the mark-routing mangle rule; the only route
# placed in it by this export is disabled.
/routing table
add fib name=nordvpn_blackhole
# NOTE(review): community "zabbix" accepts queries from any source
# (addresses=::/0), SNMP is enabled further down, and the export contains no
# input-chain filter rules. For SNMP v1/v2c the community string is the only
# credential. Restrict addresses= to the monitoring host (10.0.20.64 looks like the
# Zabbix machine -- confirm) and consider SNMPv3 with authentication and privacy.
/snmp community
add addresses=::/0 name=zabbix
/ip settings
set max-neighbor-entries=8192
# IPv6 is switched off globally, so no IPv6 firewall is needed while this stays set.
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# NOTE(review): detect-internet is active on every interface and may treat any of
# them as WAN. It can add dynamic configuration on its own; unless it is needed,
# limiting both lists (or setting detect-interface-list=none) keeps the router's
# behaviour predictable -- confirm against current RouterOS documentation.
/interface detect-internet
set detect-interface-list=all wan-interface-list=all
/interface ethernet switch vlan
add independent-learning=no ports=STEMP switch=switch1 vlan-id=101
# LUMEN is the only WAN member. TV, STEMP, vlan2 and ether9 are in neither list,
# so any rule written against the LAN list will not cover them.
/interface list member
add interface=LUMEN list=WAN
add interface=CHIPPERNET list=LAN
add interface=IOT list=LAN
add interface=vlan1 list=LAN
# NOTE(review): the OpenVPN server auth list allows md5 and sha1. The export does
# not show the server as enabled (this looks like the default line); if it is ever
# enabled, remove md5 at least.
/interface ovpn-server server
set auth=sha1,md5
# Router addresses per segment.
/ip address
add address=10.0.20.1/24 interface=CHIPPERNET network=10.0.20.0
add address=10.1.0.1/25 interface=STEMP network=10.1.0.0
add address=10.0.100.1/25 comment=TV interface=TV network=10.0.100.0
add address=10.0.50.1/25 interface=IOT network=10.0.50.0
add address=10.0.0.10/24 interface=ether9 network=10.0.0.0
# MikroTik cloud DDNS is on: the router's public address is published under a
# cloud hostname.
/ip cloud
set ddns-enabled=yes ddns-update-interval=16m40s
# WAN address comes from the ISP via DHCP on LUMEN.
/ip dhcp-client
add interface=LUMEN
# NOTE(review): TV and IOT clients are handed 103.86.96.100 / 103.86.99.100
# (presumably the VPN provider's resolvers -- confirm) followed by 8.8.8.8 and
# 1.1.1.1, so a client may fall back to the public resolvers at any time. IOT is
# not in the "TV" address list used by the tunnel, so its DNS goes out unencrypted
# either way.
/ip dhcp-server network
add address=10.0.20.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=10.0.20.1 netmask=24
add address=10.0.50.0/25 dns-server=103.86.96.100,103.86.99.100,8.8.8.8,1.1.1.1 gateway=10.0.50.1
add address=10.0.100.0/25 dns-server=103.86.96.100,103.86.99.100,8.8.8.8,1.1.1.1 gateway=10.0.100.1
add address=10.1.0.0/25 dns-server=8.8.8.8,1.1.1.1 gateway=10.1.0.1
# NOTE(review): 110.0.20.0/24 is public address space and differs by one digit
# from 10.0.20.0/24 on the line above it -- likely a typo. Any rule that trusts list
# "local" would also trust that public range. No filter, mangle or NAT rule in this
# export references "local" or "localiot"; "TV" is used by the IPsec mode-config.
/ip firewall address-list
add address=10.0.20.0/24 list=local
add address=110.0.20.0/24 list=local
add address=10.0.50.0/25 list=localiot
add address=10.0.100.0/25 comment=TV list=TV
# Forward chain only: fasttrack established/related connections that are not
# marked "ipsec", accept the remaining established/related traffic, drop invalid.
# NOTE(review): these three rules are the whole filter table in this export. There
# is no input chain and no final drop in forward, so new connections arriving on
# the WAN side are not filtered here: services on the router itself are limited
# only by their own address= settings, and anything matched by a dst-nat rule is
# forwarded. A baseline of "accept established/related, drop invalid, drop
# everything else not from LAN" on both input and forward is the usual fix.
/ip firewall filter
add action=fasttrack-connection chain=forward connection-mark=!ipsec connection-state=established,related hw-offload=\
    yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
# NOTE(review): address lists "NordVPN" and "under_nordvpn" are not defined in
# the static address-list section of this export (only local, localiot and TV are),
# so the first two rules match nothing unless those lists are filled dynamically.
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=NordVPN passthrough=yes src-address-list=NordVPN
add action=mark-routing chain=prerouting new-routing-mark=nordvpn_blackhole passthrough=yes src-address-list=\
    under_nordvpn
# NOTE(review): MSS clamping to 1360 is applied to connections NOT marked
# "ipsec", and this rule sits before the two rules that set that mark. If the aim
# is to clamp TCP entering the tunnel, the match looks inverted -- confirm.
add action=change-mss chain=forward connection-mark=!ipsec new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn \
    tcp-mss=!0-1360
# Mark connections that match an IPsec policy in either direction so the
# fasttrack rule above skips them.
add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=in,ipsec new-connection-mark=ipsec
# Source NAT for everything leaving through the WAN interface list.
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
# Port forwards. Of the rules below only SONARR carries an in-interface match, and
# it is disabled.
# NOTE(review): the enabled forwards for 32400 (Plex), 3579 (OMBI) and 10064
# (Zabbix) have no in-interface, dst-address or src-address condition, so they
# rewrite any TCP packet to those ports that crosses the router, in either
# direction. With no drop rule in the forward chain, the internal targets are
# reachable from the Internet. The Zabbix forward lands on port 80, i.e. a
# monitoring login page over plain HTTP. Add in-interface-list=WAN plus a source
# restriction, or reach these services through a VPN instead.
add action=dst-nat chain=dstnat comment=SONARR disabled=yes dst-port=7878 in-interface=LUMEN protocol=tcp to-addresses=\
    10.0.20.12 to-ports=7878
add action=dst-nat chain=dstnat comment=NAS disabled=yes dst-port=9443 protocol=tcp to-addresses=10.0.20.5 to-ports=\
    9443
add action=dst-nat chain=dstnat comment="PLEX REMOTE ACC" dst-port=32400 protocol=tcp to-addresses=10.0.20.12 to-ports=\
    32400
add action=dst-nat chain=dstnat comment="REMOTE DESKTOP" disabled=yes dst-port=3389 protocol=tcp to-addresses=\
    10.0.20.20 to-ports=3389
add action=dst-nat chain=dstnat comment=OMBI-Requests dst-port=3579 protocol=tcp to-addresses=10.0.20.12 to-ports=3579
add action=dst-nat chain=dstnat comment=ZABBIX dst-port=10064 protocol=tcp to-addresses=10.0.20.64 to-ports=80
add action=dst-nat chain=dstnat comment=LIDARR disabled=yes dst-port=7878 protocol=tcp to-addresses=10.0.20.12 \
    to-ports=7878
# NOTE(review): this masquerades TV-subnet traffic leaving directly via LUMEN,
# i.e. outside the tunnel; the first masquerade rule already covers that path.
# It means TV traffic still has a working clear-text path to the Internet
# whenever the IPsec tunnel is not up -- confirm that is intended.
add action=masquerade chain=srcnat comment="VPN NETWORK" out-interface=LUMEN src-address=10.0.100.0/25
add action=dst-nat chain=dstnat comment=NZBGET disabled=yes dst-port=6789 log-prefix="\"\"" protocol=tcp to-addresses=\
    10.0.20.12 to-ports=6789
# HTTP/HTTPS sent to any router-local address except 10.0.20.1 is forwarded to
# the nginx host; the masquerade after them is the hairpin rule for LAN clients.
add action=dst-nat chain=dstnat comment=nginx-http dst-address=!10.0.20.1 dst-address-type=local dst-port=80 protocol=\
    tcp to-addresses=10.0.20.12 to-ports=80
add action=dst-nat chain=dstnat comment=nginx-https dst-address=!10.0.20.1 dst-address-type=local dst-port=443 \
    protocol=tcp to-addresses=10.0.20.12 to-ports=443
add action=masquerade chain=srcnat comment=nginx-hairpin-nat dst-address=10.0.20.12 dst-port=80,443 protocol=tcp
# H.323 and SIP connection-tracking helpers are turned off.
/ip firewall service-port
set h323 disabled=yes
set sip disabled=yes
# Identities. "export hide-sensitive" omits secrets, so no credentials appear.
# NOTE(review): the CABIN identity shows no auth-method, i.e. it runs on the
# default -- presumably a pre-shared key; confirm it is long and random.
/ip ipsec identity
add peer=CABIN
# NordVPN identity: EAP-MSCHAPv2 with a username, policies generated from the
# NordVPN template group (port-strict), addressing taken from mode-config NordVPN.
# NOTE(review): certificate="" -- certificates are not part of this export, so
# confirm the provider's root CA is installed and the server certificate is
# actually validated before the EAP credentials are sent.
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=\
    NordVPN policy-template-group=NordVPN username=<redacted>
# Any-to-any template for the NordVPN group, then an edit of policy number 1.
# NOTE(review): policy 1 is presumably the CABIN site-to-site policy (confirm).
# Its src-address 10.0.20.0/25 covers only the lower half of the CHIPPERNET /24,
# so hosts at 10.0.20.128 and above are not covered by that policy.
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
set 1 dst-address=10.0.0.0/24 src-address=10.0.20.0/25
# NOTE(review): the only route in table nordvpn_blackhole is disabled and points
# at a disabled interface. If this table was meant as a kill switch for tunnel
# traffic, it is not active in this export.
/ip route
add disabled=yes dst-address=0.0.0.0/0 gateway="test eth" routing-table=nordvpn_blackhole
# Management services: telnet, ftp, api and api-ssl are off; www, ssh and winbox
# stay on and are limited by address= (values redacted in the post).
# NOTE(review): the export contains no input-chain filter, so these address=
# limits are the only access control on the management plane -- confirm the
# redacted ranges are internal only. "www" is WebFig over plain HTTP; prefer
# www-ssl with a certificate, or disable it if winbox/ssh are enough.
/ip service
set telnet address=10.0.20.0/24 disabled=yes port=2300
set ftp disabled=yes
set www address=<redacted>
set ssh address=<redacted>
set api disabled=yes
set winbox address=<redacted>
set api-ssl disabled=yes
# Traffic-flow accounting is enabled on the WAN port; no collector target appears
# in this export.
/ip traffic-flow
set enabled=yes interfaces=LUMEN
/routing bfd configuration
add disabled=no
# NOTE(review): SNMP is enabled while the "zabbix" community accepts any source
# address (addresses=::/0) and nothing filters the input chain; restrict the
# community to the monitoring host.
/snmp
set enabled=yes
/system clock
set time-zone-name=America/New_York
/system identity
set name=CHIPPERNET-RTR
/system note
set show-at-login=no
# NOTE(review): the NTP server is enabled; without an input-chain filter it
# would answer on every interface, WAN included. Limit it to LAN interfaces with
# a firewall rule or turn it off if no internal client needs it.
/system ntp server
set enabled=yes

You’re trying to run VPN encryption on a very weak embedded device. If you can’t use Nord’s client software (PCs, tablets and phones are much more powerful), you will need to purchase a more powerful router.

You can also use some sort of low-cost security gateway or a firewall appliance as a drop-in solution.

RB2011L is an older model, not really good for encryption, like above poster said. Something more modern like the L009 or hAP ax series would do better.
Also are you sure your connection to NordVPN is even that good?

I’ve tried different Nord servers, and when I run their app locally on my computer or tablet I get 250+ mbps (I pay for 250 from my ISP).

I was hoping it was a setting and not the age of the board. But, all I needed to hear was that i needed the new model to push me over the edge! Thanks for taking a look for me.