Really Slow VPN

Hi,

We have set up a VPN on a MikroTik RB750G router and are trying to fix really slow VPN connections.

When we connect via the VPN, an internet speed test drops from 6.93 Mbps to 652 kbps, ping times jump, and we even get "Request timed out".

I have been searching the forums and looking around, and everyone says it will be an MTU issue, but I’m not sure how to fix it. I pinged from the affected client and found that the MTU is 1372; when the user connects to the VPN, the router says they have an MTU of 1400. The MTU of the router is 1500, and I have checked the client’s Windows machine: the MTU on its VPN connection is 1400 as well.

Can anyone suggest what is going wrong, is it an MTU issue or something else?

I have tried updating to the latest version but it has not made a difference.

Any suggestions appreciated?

Can you do an export /compact?
Is this VPN connection only to reach some network ?

Hi,

Yes this VPN is so that our external staff can connect to our internal network and access servers etc..

Below is our /export compact - I have removed some addresses, usernames, etc.

apr/02/2013 10:13:18 by RouterOS 5.24

software id = 2582-JTV0

# NOTE(review): wrapped commands in this paste mostly end in "=" with no trailing
# backslash, so the continuation markers appear to have been lost when posting.
# Rejoin each wrapped command before re-importing any of it.
/interface wireless security-profiles
set [ find default=yes ] group-ciphers="" unicast-ciphers=""
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
# Address range handed to VPN clients (referenced as remote-address in the PPP
# profile below). It lies inside the 10.0.0.0/21 LAN set under /ip address.
/ip pool
add name=PPTP-Pool ranges=10.0.2.210-10.0.2.230
# Profile applied to incoming PPTP sessions: internal DNS servers, TCP MSS
# adjustment on the tunnel (change-tcp-mss=yes), compression, and encryption
# required.
# NOTE(review): for PPTP, "encryption" means MPPE, which together with
# MS-CHAPv2 is considered broken; use-encryption=required does not change that.
# The server's authentication methods are not shown in this export. Plan a move
# to a stronger tunnel type (RouterOS also offers L2TP/IPsec, SSTP and OpenVPN).
/ppp profile
add change-tcp-mss=yes dns-server=10.0.2.250,10.0.2.247 local-address=
10.0.1.254 name=pptp-in remote-address=PPTP-Pool use-compression=yes
use-encryption=required use-vj-compression=yes
# Two PPPoE uplinks, one per gateway port.
# NOTE(review): the user= values were removed before posting but both password=
# values are still present in this public paste. Treat them as disclosed, have
# them changed at the ISP, and strip password= values from any export that is
# shared.
/interface pppoe-client
add disabled=no interface=ether1-gateway-1 name=pppoe-internode-1 password=
mf83pm3tj profile=default-encryption use-peer-dns=yes user=\

add disabled=no interface=ether2-gateway-2 name=pppoe-internode-2 password=
5kvq2bnrt profile=default-encryption use-peer-dns=yes user=\

# Logging action 3 has its remote target set to 0.0.0.0, i.e. no remote log
# host is configured here.
/system logging action
set 3 remote=0.0.0.0
# Drops frames from two specific source MAC addresses on ether3-local.
# NOTE(review): the third rule matches out-interface while the other three match
# in-interface - confirm that is intended. No /interface bridge section appears
# in this export, so whether these bridge filters see any traffic cannot be
# confirmed from here.
/interface bridge filter
add action=drop chain=forward in-interface=ether3-local src-mac-address=
1C:B0:94:C8:CC:EC/FF:FF:FF:FF:FF:FF
add action=drop chain=input in-interface=ether3-local src-mac-address=
1C:B0:94:C8:CC:EC/FF:FF:FF:FF:FF:FF
add action=drop chain=forward out-interface=ether3-local src-mac-address=
00:26:B9:AE:4A:37/FF:FF:FF:FF:FF:FF
add action=drop chain=input in-interface=ether3-local src-mac-address=
00:26:B9:AE:4A:37/FF:FF:FF:FF:FF:FF
# Enables the PPTP server and binds new sessions to the pptp-in profile.
# NOTE(review): authentication= and max-mtu/max-mru are not listed, so neither
# the accepted auth methods nor the tunnel MTU can be checked from this paste.
# The /ip firewall filter section shows no rule limiting who may reach this
# service from the internet.
/interface pptp-server server
set default-profile=pptp-in enabled=yes
# LAN address of the router; the /21 mask covers 10.0.0.0 - 10.0.7.255.
/ip address
add address=10.0.1.254/21 interface=ether3-local
# Leftover default DHCP client on ether1-gateway-1, the same port that carries
# pppoe-internode-1.
/ip dhcp-client
add comment="default configuration" default-route-distance=0 disabled=no
interface=ether1-gateway-1
# The router answers DNS queries from other hosts (allow-remote-requests=yes)
# and forwards them to the two listed upstream servers.
# NOTE(review): no drop rule is visible in the input chain of this export, so
# the resolver is presumably reachable from the internet as well. Restrict
# UDP/TCP 53 on the PPPoE interfaces to avoid running an open resolver.
/ip dns
set allow-remote-requests=yes max-udp-packet-size=512 servers=
192.231.203.132,192.231.203.3
# Address list named SPAM, used as the source match of the "SMTP Inbound"
# dst-nat rule.
# NOTE(review): despite the name, the NAT rule forwards port 25 only FROM these
# addresses, so this presumably lists an upstream mail-filtering service rather
# than blocked senders - confirm, and consider a clearer list name.
/ip firewall address-list
add address=208.53.48.50 list=SPAM
add address=208.53.48.71 list=SPAM
add address=208.53.48.175 list=SPAM
add address=208.53.48.191 list=SPAM
add address=208.53.48.199 list=SPAM
add address=208.53.48.200 list=SPAM
add address=108.60.195.222 list=SPAM
add address=108.60.195.214 list=SPAM
add address=108.60.195.218 list=SPAM
add address=76.73.18.74 list=SPAM
# Input-chain rules. None carries action=, so each uses the default action
# (accept): ICMP, plus established/related traffic arriving on the two gateway
# ports.
# NOTE(review): no drop rule is visible anywhere in this export, so these accept
# rules filter nothing and every service on the router is reachable from every
# interface. The rules also match ether1-gateway-1/ether2-gateway-2, while
# internet traffic arrives on pppoe-internode-1/2. A practitioner would want
# explicit accepts for the PPTP control port and GRE, followed by a final drop
# on input for both PPPoE interfaces.
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
in-interface=ether1-gateway-1
add chain=input comment="default configuration" connection-state=established
in-interface=ether2-gateway-2
add chain=input comment="default configuration" connection-state=related
in-interface=ether1-gateway-1
add chain=input comment="default configuration" connection-state=related
in-interface=ether2-gateway-2
# Policy routing marks: non-LAN TCP from 10.0.2.252 gets routing mark "mail",
# non-LAN traffic from 10.0.2.246 gets routing mark "RDWeb". Both marks are
# routed via pppoe-internode-2 under /ip route.
# The two change-mss rules rewrite the MSS of TCP SYN packets forwarded out of
# either PPPoE link to 1400. They act on forwarded traffic leaving via PPPoE;
# TCP carried inside the PPTP tunnel is handled by change-tcp-mss=yes in the
# pptp-in profile.
/ip firewall mangle
add action=mark-routing chain=prerouting comment=
"Push Mail Server via second link" dst-address=!10.0.0.0/21
new-routing-mark=mail passthrough=no protocol=tcp src-address=10.0.2.252
add action=mark-routing chain=prerouting comment="RDWeb Across Second Link"
dst-address=!10.0.0.0/21 new-routing-mark=RDWeb passthrough=no
src-address=10.0.2.246
add action=change-mss chain=forward new-mss=1400 out-interface=
pppoe-internode-2 protocol=tcp tcp-flags=syn
add action=change-mss chain=forward new-mss=1400 out-interface=
pppoe-internode-1 protocol=tcp tcp-flags=syn
# NAT rules. Empty dst-address= and to-addresses= values are presumably the
# addresses the poster removed before publishing.
# - masquerade for traffic leaving via either PPPoE link
# - masquerade for LAN-to-LAN traffic sent back out ether3-local (hairpin NAT)
# - inbound port forwards for SMTP (25), HTTP (80) and HTTPS (443)
# NOTE(review): the SMTP forward is limited to sources in the address list named
# SPAM, while the HTTP and HTTPS forwards accept any source. None of the three
# forwards names an in-interface. Confirm the redacted dst-address values pin
# them to the public addresses only.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-internode-1
to-addresses=
add action=masquerade chain=srcnat out-interface=pppoe-internode-2
to-addresses=
add action=masquerade chain=srcnat dst-address=10.0.0.0/21 out-interface=
ether3-local src-address=10.0.0.0/21
add action=dst-nat chain=dstnat comment="SMTP Inbound" dst-address=
dst-port=25 protocol=tcp src-address-list=SPAM
to-addresses=
add action=dst-nat chain=dstnat comment="HTTP Inbound" dst-address=
dst-port=80 protocol=tcp to-addresses=
add action=dst-nat chain=dstnat comment="HTTPS Inbound" dst-address=
dst-port=443 protocol=tcp to-addresses=
# Neighbor discovery is switched off on ether1-gateway-1 only.
# NOTE(review): ether2-gateway-2 is also an uplink port but is not listed here,
# so discovery presumably still runs on it - confirm and disable it there too.
/ip neighbor discovery
set ether1-gateway-1 disabled=yes
/ip proxy
set max-cache-size=none
# Routes: the "mail" and "RDWeb" routing marks leave via pppoe-internode-2.
# Unmarked traffic prefers pppoe-internode-1 (distance 1) and falls back to
# pppoe-internode-2 (distance 5); both default routes are checked by ping.
/ip route
add distance=5 gateway=pppoe-internode-2 routing-mark=mail
add distance=1 gateway=pppoe-internode-2 routing-mark=RDWeb
add check-gateway=ping distance=1 gateway=pppoe-internode-1
add check-gateway=ping distance=5 gateway=pppoe-internode-2
# telnet, ftp, www and ssh are disabled.
# NOTE(review): winbox and api do not appear in this list, so they are
# presumably still at their defaults. With no input drop rule visible, check
# whether they are reachable from the internet and restrict them with address=.
/ip service
set telnet disabled=yes
set ftp address=10.0.0.0/21 disabled=yes
set www disabled=yes
set ssh disabled=yes
# No secrets are listed; presumably the VPN user entries were removed before
# posting.
/ppp secret
# Interface queues all use ethernet-default.
/queue interface
set ether1-gateway-1 queue=ethernet-default
set ether2-gateway-2 queue=ethernet-default
set ether3-local queue=ethernet-default
set ether4-spare queue=ethernet-default
set ether5-spare queue=ethernet-default
/system clock
set time-zone-name=Australia/Sydney
# Adds a logging rule for the pptp topic, useful while diagnosing the tunnel.
/system logging
add topics=pptp
# Time is taken from an internal server on the LAN.
/system ntp client
set enabled=yes mode=unicast primary-ntp=10.0.2.250
/tool graphing interface
add interface=pppoe-internode-1
add interface=pppoe-internode-2
# MAC-Telnet and MAC-Winbox are enabled per interface below.
# NOTE(review): both lists include ether2-gateway-2, an uplink port, so layer-2
# management is offered towards the provider side of that link. Limit both
# lists to ether3-local unless there is a reason not to.
/tool mac-server
add disabled=no interface=ether2-gateway-2
add disabled=no interface=ether3-local
add disabled=no interface=ether4-spare
add disabled=no interface=ether5-spare
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-gateway-2
add interface=ether3-local
add interface=ether4-spare
add interface=ether5-spare
# Packet sniffer settings: headers only, non-IP frames only (filter is !ip),
# 20000KiB limits for file and memory.
/tool sniffer
set file-limit=20000KiB filter-mac-protocol=!ip memory-limit=20000KiB
memory-scroll=no only-headers=yes
# Traffic monitors on both PPPoE links and on received traffic of
# ether1-gateway-1. No on-event action is shown.
/tool traffic-monitor
add interface=pppoe-internode-1 name=tmon1 threshold=0
add interface=pppoe-internode-2 name=tmon2 threshold=0
add interface=ether1-gateway-1 name=tmon3 threshold=0 traffic=received

if i understand:

  • you have a rb750 as router in your office.
  • you set up a VPN server on it (PPTP server) for remote access.

When users log in to your VPN server from outside, their browsing speed is slow.

It is because all of the traffic of these vpn users is going through your router (including internet traffic).

You must modify the VPN client configuration on the user side so that the VPN connection is used only for the remote office subnet.
In the PPTP client connection (user side), there is an option in the advanced TCP/IP properties not to use the default gateway on the remote network.

Hi,

It’s not just slow browsing, accessing the network via the VPN is really slow as well.

I will change that setting on the remote machine and test.

Hi all

I have the same problem. I have a PPTP tunnel using an RB750 to access my work network from my home network, and accessing the work network is very, very slow.

Hi,

We have set the gateway not to default to the VPN’s gateway, which has helped local browsing speeds, but the VPN speed is still really slow. Does anyone else have any suggestions?