PPTP tunnel unusable slow

snowdogging · September 10, 2017, 2:25pm

I have a VPN service that I connect to using PPTP. I am trying to selectively route a single local IP through it. I followed the instructions here: https://strongvpn.com/setup-mikrotik-pptp.html

If I create the PPTPclient interface with a default route the speed is fine (60Mbs) but then ALL local traffic goes over VPN.
If I create it without a default route, only the single host goes over VPN but speed drops to 20Kbs.

I am assuming I should NOT be adding a default route?

Any suggestions on improving speed? Could fasttrack be causing this? Thank you.

/interface ethernet
set [ find default-name=ether1 ] comment=“Internet Gateway” mac-address=**** name=
ether1-gateway
set [ find default-name=ether2 ] comment=“Master Switch Port” name=ether2-master
set [ find default-name=ether3 ] comment=Wifi master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
/interface pptp-client
add allow=mschap1,mschap2 connect-to=*** disabled=no max-mru=
1400 max-mtu=1400 name=pptp-out1 password=**** user=****

/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade” out-interface=
ether1-gateway
add action=masquerade chain=srcnat comment=“pptp tunnel” out-interface=pptp-out1

/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no
new-routing-mark=pptp passthrough=yes src-address=192.168.88.10 tcp-flags=“”

/ip route
add comment=“pia tunnel route” distance=1 gateway=pptp-out1 routing-mark=pptp

jspool · September 11, 2017, 2:51am

The nature of fasttrack makes it an enemy of mangle rules.
Test it by disabling fasttrack. Make sure the normal accept established&related forward is still enabled.
Clear connections and retest.
If it works as desired then you can either leave it disabled or you could try marking the pptp traffic and excluding it from fasttrack if you really want to keep it enabled.

The below site has an example of how to do it with ipsec which could be easily edited to cover other types.
https://schemen.me/mikrotik-fast-track-that-excludes-ipsec/

I’m sure you are aware that encrypted vpn traffic will be significantly less throughput than non vpn traffic.

Many of my VPN customers want speed over security and some want security over speed. That typically dictates which types to use. and if encrypted then one must make sure your router has a suitable cpu to ensure that it can achieve the max throughput possible.

snowdogging · September 12, 2017, 5:35pm

Thanks jspool. Fasttrack was the problem. Rather than disable it entirely or get into some complicated connection rules I modified the default fasttrack rule to not apply to my pptp in-interface. Now everything works as intended. I don’t entirely understand why fasttrack is clogging the gears here but am happy nonetheless.

spr41178 · October 17, 2018, 7:20pm

How did you mark the pptp packets and bypass them in fasttrack please?