Slow throughput over IPIP tunnel with mangle routing

Hello,

I’m trying to expose my home office (with public IP B.B.B.B) to the internet with Hetzner CHR VM (C.C.C.C) via public IP (A.A.A.A) through IPIP tunnel.

To accomplish that, I did the following steps:

  • Connected Hetzner VM (CHR / RouterOS 7.2.3) ↔ Home office (CCR2004-1G-12S+2XS / RouterOS 7.2.3) via IPIP tunnel
  • Routed A.A.A.A from Hetzner into IPIP tunnel in CHR
  • Marked connection leaving IPIP tunnel in my home office with hetzner connection mark
  • Marked routing packets with hetzner connection mark with hetzner new routing mark
  • Added routing rule with hetzner routing mark to hetzner routing table
  • Added default route for packets with hetzner routing table to IPIP tunnel
  • Assigned A.A.A.A to home office VM (with private IP 10.88.5.5)


Schema summary
Internet ↔ CHR ↔ IPIP tunnel ↔ CCR2004-1G-12S+2XS ↔ Home office VM

Symptoms
With that configuration, I can successfully reach A.A.A.A from the Internet, but the throughput is extremely slow (~1mbps) whereas home office ISP has ~300mbps ingress throughput.

CHR & CCR2004-1G-12S+2XS configurations

# CHR configuration
/interface ipip
add allow-fast-path=no local-address=C.C.C.C name=ipip-tunnel1 \
    remote-address=B.B.B.B
/ip address
add address=C.C.C.C interface=ether1 network=D.D.D.D
add address=10.66.1.2/24 interface=ipip-tunnel1 network=10.66.1.0
/ip arp
add address=A.A.A.A interface=ether1 published=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=D.D.D.D routing-table=\
    main suppress-hw-offload=no
add disabled=no distance=1 dst-address=A.A.A.A/32 gateway=10.66.1.1 \
    pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10


# CCR2004-1G-12S+2XS configuration
/interface ipip
add allow-fast-path=no local-address=B.B.B.B name=ipip-tunnel1 \
    remote-address=C.C.C.C
/routing table
add disabled=no fib name=hetzner
/ip address
add address=10.66.1.1/24 interface=ipip-tunnel1 network=10.66.1.0
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address=A.A.A.A in-interface=ipip-tunnel1 \
    new-connection-mark=hetzner passthrough=no
add action=mark-connection chain=prerouting dst-address=A.A.A.A \
    in-interface=pptp-out1 new-connection-mark=hetzner passthrough=yes
add action=mark-routing chain=prerouting connection-mark=hetzner \
    connection-state="" log=yes new-routing-mark=hetzner passthrough=no
/ip route
add check-gateway=ping comment=to-hetzner-ipip-tunnel disabled=no distance=1 \
    dst-address=0.0.0.0/0 gateway=10.66.1.2 pref-src=0.0.0.0 routing-table=\
    hetzner scope=30 suppress-hw-offload=no target-scope=10
add comment=route-to-zubra-hetzner disabled=no distance=1 dst-address=\
    A.A.A.A/32 gateway=10.88.5.5 pref-src=0.0.0.0 routing-table=\
    hetzner scope=30 suppress-hw-offload=no target-scope=10
/routing rule
add action=lookup-only-in-table disabled=no routing-mark=hetzner table=\
    hetzner


What am I doing wrong?

As you have posted only the part of your configuration that you assume to be relevant, I can only speculate that you haven’t exempted the traffic you want to send via the IPIP tunnel from getting fasttracked. Most, but not all, packets of fasttracked connections bypass mangling (it is the very essence of fasttracking). So those which take the slow path do get their routing mark and thus get to the tunnel, which explains why the connection works but the throughput is low.

Another possibility is that the CHR has the free license, which limits outgoing bandwidth on each interface to 1 Mbit/s.
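The two checks suggested in the reply above, as an added RouterOS sketch that is not part of the original posts. The poster's filter rules are not shown in the thread, so the fasttrack rule below is an assumption (the usual default-style rule on the CCR2004); only the `hetzner` connection mark comes from the posted configuration.

```routeros
# --- On the CHR: check the license level first ---
# A "free" level caps outgoing traffic at 1 Mbit/s per interface,
# which matches the ~1 Mbit/s symptom regardless of mangle rules.
/system license print

# --- On the CCR2004: check whether fasttrack is bypassing mangle ---
# Assumed rule (not shown in the thread): a fasttrack rule that matches
# every established/related forwarded connection, including marked ones.
#   /ip firewall filter
#   add action=fasttrack-connection chain=forward \
#       connection-state=established,related comment="fasttrack all"
#
# Corrected form: fasttrack only connections that carry no connection mark,
# so connections marked "hetzner" stay on the slow path and every packet
# passes the mark-routing rule in prerouting.
/ip firewall filter
add action=fasttrack-connection chain=forward connection-mark=no-mark \
    connection-state=established,related \
    comment="fasttrack unmarked connections only"

# Verify: the packet/byte counters on the mark-routing rule should grow
# with the transfer, not just count the first packets of each connection.
/ip firewall mangle print stats

# Verify: connections marked "hetzner" should not show the fasttrack flag.
/ip firewall connection print where connection-mark=hetzner
```

If an unrestricted fasttrack rule already exists, it has to be disabled or edited to carry the `connection-mark=no-mark` matcher; adding the corrected rule below it has no effect, because the first matching rule wins.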

You saved my day, I had a “free” license attached to my CHR instance.
Many thanks 🎊 Have a good evening 🌔.