Nth load balancing - slow speed

Hello Guys,

I am balancing load over two GRE tunnels formed over two LTE/PPP connections.
We are transmitting data via the IPsec tunnel. We are able to balance the load using the Nth technique in the output chain and marking routes accordingly.
The failover is also working perfectly. Both LTE connections can support up to 3 Mbps download individually.

The issue is that when the packets are sent via both gateways, we are hardly able to achieve a speed of more than 1 Mbps over both tunnels. But when we are testing the failover, a single tunnel is downloading close to 3 Mbps. Please help.

Below is my configuration:

/interface ppp-client
add add-default-route=no allow="" apn=internet1.com data-channel=3 dial-on-demand=no disabled=no info-channel=2 name=PPP-SIM-1 port=usb3 use-peer-dns=no
add add-default-route=no allow="" apn=Internet1.com data-channel=3 dial-on-demand=no disabled=no info-channel=2 name=PPP-SIM-2 port=usb4 use-peer-dns=no

/interface gre
add local-address=172.20.64.13 name="GRE-PPP-SIM-1" remote-address=55.55.55.1
add local-address=172.24.148.87 name="GRE-PPP-SIM-2" remote-address=66.66.66.1

/ip firewall connection tracking
set enabled=yes
/ip address
add address=10.99.1.1/30 interface="LOCAL LAN" network=10.99.1.0
add address=10.10.10.10 interface=PEER IP=10.10.10.10
add address=3.3.3.17/30 interface="GRE-PPP-SIM-1" network=3.3.3.16
add address=3.3.3.21/30 interface="GRE-PPP-SIM-2" network=3.3.3.20

/ip firewall mangle
add action=mark-routing chain=output new-routing-mark=G1 nth=2,1 passthrough=yes protocol=ipsec-esp
add action=mark-routing chain=output new-routing-mark=G2 nth=2,2 passthrough=yes protocol=ipsec-esp

/ip ipsec peer
add address=17.1.1.1/32 local-address=10.10.10.10 name="IPSEC PEER" send-initial-contact=no
/ip ipsec profile
set [ find default=yes ] dh-group=modp768 enc-algorithm=3des hash-algorithm=md5 nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des lifetime=1d pfs-group=modp768
/ip ipsec identity
add peer="IPSEC PEER" secret=cisco
/ip ipsec policy
add dst-address=0.0.0.0/0 peer="IPSEC PEER" sa-dst-address=17.1.1.1 sa-src-address=10.10.10.10 src-address=10.99.1.0/30 tunnel=yes

/ip route
add check-gateway=ping distance=1 gateway="GRE-PPP-SIM-1" routing-mark=G1
add check-gateway=ping distance=2 gateway="GRE-PPP-SIM-2" routing-mark=G1
add check-gateway=ping distance=1 gateway="GRE-PPP-SIM-2" routing-mark=G2
add check-gateway=ping distance=2 gateway="GRE-PPP-SIM-1" routing-mark=G2
add check-gateway=ping distance=1 gateway="GRE-PPP-SIM-1,GRE-PPP-SIM-2"
add check-gateway=ping distance=1 dst-address=55.55.55.1/32 gateway=PPP-SIM-1
add check-gateway=ping distance=1 dst-address=66.66.66.1/32 gateway=PPP-SIM-2



Thanks in advance for your help

Anyone? Can someone please help me with this?

??..

??..

The only thing that comes to my mind is that IPsec is sensitive about packets coming in the wrong order, and the two LTE paths are unlikely to have the same delay. The fact that many protocols are sensitive about packet order is the reason why most bonding strategies use the same physical interface for all packets belonging to the same logical stream.

Hello Sindy,
Thanks for your reply. I have done some FTP tests even without IPsec, but the results are the same. And I am using SIMs from the same operator. Both SIMs are providing more than 3 Mbps of speed in the downlink chain individually during failover.
But when used in load-balanced mode, they are hardly reaching 1 Mb each.
My CPU usage is also very low.

The fact that the SIMs are from the same operator has no significance; mobile networks have a big irregularity of transport delay, so packets will quite often be arriving in a different order than the one in which they have been sent. And FTP uses TCP, where mis-sequenced packets can also cause a throughput reduction.

Try verifying that this is the case by sniffing the traffic at the receiving end into a file, and then analyse that file using Wireshark; it should show you whether the SEQ numbers grow monotonically or not.
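One way to run the check suggested above without reading the capture by eye (an added example, not part of the original thread): the script counts packets that arrive behind the highest sequence number already seen in their flow. It assumes the capture was exported with tshark's `esp.spi` and `esp.sequence` fields; the function name, the sample lines and the SPI value are constructed for illustration.

```python
"""Count late (out-of-order) arrivals per flow from a tshark field export.

Assumed export, taken at the receiving end:
  tshark -r capture.pcap -Y esp -T fields -e esp.spi -e esp.sequence
Each line is "<flow key field(s)> <sequence number>" in arrival order.
"""
from collections import defaultdict

# Constructed sample: one ESP SA whose packets alternate between a fast
# and a slow path, so some packets arrive after their successors.
SAMPLE = """\
0x0a1b2c3d\t1
0x0a1b2c3d\t3
0x0a1b2c3d\t2
0x0a1b2c3d\t5
0x0a1b2c3d\t7
0x0a1b2c3d\t4
0x0a1b2c3d\t6
0x0a1b2c3d\t8
"""

def reorder_stats(lines):
    """Return {flow: (packets, late, max_lag)}.

    The last field of a line is the sequence number, everything before it
    is the flow key. late = packets numbered below the highest seen so far,
    max_lag = largest distance of a late packet behind that highest value.
    Sequence-number wraparound is not handled.
    """
    highest = {}
    stats = defaultdict(lambda: [0, 0, 0])
    for line in lines:
        fields = line.split()
        if len(fields) < 2 or not fields[-1].isdigit():
            continue  # skip blank or malformed lines
        flow, seq = " ".join(fields[:-1]), int(fields[-1])
        entry = stats[flow]
        entry[0] += 1
        top = highest.get(flow)
        if top is not None and seq < top:
            entry[1] += 1
            entry[2] = max(entry[2], top - seq)
        else:
            highest[flow] = seq
    return {flow: tuple(entry) for flow, entry in stats.items()}

if __name__ == "__main__":
    for flow, (total, late, lag) in reorder_stats(SAMPLE.splitlines()).items():
        print(f"{flow}: {total} packets, {late} late, max lag {lag}")
```

A capture taken while only one tunnel is in use gives a baseline to compare against the load-balanced run.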

As said above - load balancing per packet or similar systems won’t work well on jittery connections - your best bet to use the 6mbit combined is to do it per connection, so a stream always uses only 1 SIM, and yes, that means that one stream is limited to 3mb, but as more connections happen it will balance and you will use all 6, so 2 streams @ 3mb each as they balance one to each link, or 6 streams at 1mb each if they balanced perfectly.