The default OpenVPN MikroTik server is slow (maybe because of TCP), so I decided to install an OpenVPN server behind NAT on Debian.
It looks like this:
The MikroTik speed is 400 Mbps in/out.
The clients' speed is 100 Mbps in/out.
The problem is that the bandwidth through the tunnel is very low.
I tested with iperf locally; the speed is fine, 600+ Mbps.
Iperf test from the external network to the Debian server (NATed port)
Iperf test from the external network with OpenVPN
It is a really strange problem. I even tried with WireGuard, the connection stays the same, so I blame my MikroTik configuration now.
Maybe the problem is with the basic failover I am using and the recursive routing?
Here is my config: config.rsc (7.17 KB)
Any help will be appreciated.
No, the purchaser didn't do their homework, as OpenVPN is not fully supported by MT and only recently has MT started trying to make it possible.
Meanwhile WireGuard, which is faster and easier, is available…
No, I did my homework.
I knew that OpenVPN installed on the router uses TCP and it is slow.
In this case I installed it on a Debian server on the local network and set up port forwarding. I did not expect that the MikroTik could not handle simple port forwarding.
I tried iperf (port forwarding without VPN, only an open port to the internet) - again slow bandwidth.
I do not understand why the MikroTik has such slow speed when port forwarding?
With another Cisco router, the speed is 5x.
I do the test with iperf3. I start the --server on the local network and set up a port forwarding.
From the external network I start the test --client to the public IP/port where the server is.
The CPU is not more than 5% during the test.
"[*]IP address should be set on the bridge, not on an interface that is part of the bridge"
How to change that? I have dual WAN with failover. That's why it is set on the interface.
On Cisco I use TCP
Thanks for the reply mate. I appreciate it.
It’s definitely not that RouterOS couldn’t handle port forwarding. Slightly wrong VLAN and IP config shouldn’t do it either. Same goes for the seemingly unnecessary proxy ARP. But what if you forget about dual WAN for a moment (disable the DHCP client on ether10) and try with only a single connection, does it change anything?
Actually, based on your configuration file (that you have attached to your opening post) you have not done your homework before purchasing, as from it it seems that you had not checked the block diagram of the RB3011UiAS-RM before purchasing. Since from your configuration it seems that you are not using any of the features missing from RouterOS v7, like BFD, that are implemented in RouterOS v6, it is time to move on to v7 (it has UDP OpenVPN, by the way).
The risk-averse way of doing this is to export your configuration with
export file=thedesirednameoftheexportedconfigfile
then copy it to your computer so you have it as a reference at hand, then use Netinstall to load the latest stable RouterOS v7 (at the time of writing it is 7.7) onto your device (make sure that you don’t select “keep old configuration” (Windows version), or in the case of the GNU/Linux version that you do use the “-r” parameter). After that, rebuild your configuration on the router from scratch (do not load your previously exported configuration file on the router).
Based on your configuration export I assume that
your ISPs’ Ethernet cables are connected to Eth1 and Eth10
you have started from the default configuration
Unfortunately the default configuration on at least a few devices with more than one switch chip is one which is mentioned as a typical Layer 2 misconfiguration in the current documentation: Bridging and Switching Case Studies / Layer2 misconfiguration / VLAN filtering with multiple switch chips. The block diagram of the RB3011UiAS-RM clearly states that it has two switch chips and an SFP cage (directly connected to the CPU, XOR with switch2 serving ports Eth6 to Eth10), therefore from a performance point of view having a single bridge with all of the ports may be suboptimal. According to the current documentation the RB3011UiAS-RM has two QCA8337 switch chips. Since the two switches are the same they have the same Bridge Hardware Offloading capabilities. Since these two chips are the same type they have the same Bridging and Switching / Switch Chip Features as described in the documentation. Therefore, to maximise the throughput you should use two separate bridges: one for the Eth1 to Eth5 ports and another one for the Eth6 to Eth10 ports (except the port(s) that are used for the Internet uplink), while keeping in mind not to enable features on the two separate bridges that are not supported in the respective switch chip’s hardware. Please note that in case you intend to use the SFP cage in the future, then it is better to select from Eth6 to Eth9 for the Internet uplink(s) (Eth10 has passive PoE out); for additional reasons keep on reading.
While implementing Basic VLAN switching following the case study in the documentation, heed the warning in it:
"On QCA8337 and Atheros8327 switch chips, a default vlan-header=leave-as-is property should be used. The switch chip will determine which ports are access ports by using the default-vlan-id property. The default-vlan-id should only be used on access/hybrid ports to specify which VLAN the untagged ingress traffic is assigned to."
and adapt the configuration (bridge1 should only have Eth1 to Eth5 ports):