Tunnel which generates least traffic when IDLE

Hi,
I need a tunnel from an external MT to the main router.
When I configure an L2TP tunnel, it generates about 400MB of traffic per day when IDLE.
Do you have any suggestion which tunnel type and/or configuration I should use, when “minimal idle traffic with “some” security” has priority?

If security is not really an issue, I can recommend PPTP which creates just a couple of kilobytes per day when totally idle.
-Chris

If security is not an issue then GRE would technically do even less traffic than PPTP when idle…

I have to add that only one side has a fixed IP, so GRE won’t work. Thank you anyway…

I have dynamic IP on both sides and still use GRE. I have a script that checks every 5 min if my IP has changed and if so changes my IP on the GRE interface. Works like a charm.

Sorry, I forgot to use a smiley - my post was not meant really seriously. GRE has absolutely no security (until you encapsulate it in IPSec but then - why not use IPSec alone, right?) and it was just a poor attempt for a joke after PPTP was suggested.
I just created one dummy PPTP connection with absolutely zero traffic inside. In 15 minutes it generated 6.7kB of data. Extrapolated into the future, it will be 27kB in 1 hour and almost 650kB in 1 day. This is based on keepalive-timeout=30. Obviously, it can be adjusted and with a longer timeout, it will utilize less data when idle.
It is clear that this is a big improvement over L2TP based on the presented 400MB-per-day usage.

To dig deeper - I believe it would be good to understand @notToNew requirements better:

  • is a small regular keep-alive packet fine or not? (example trouble: some mobile connections bill data in some minimum increment (let’s say 1kB). If the billing timeout expires between those keep-alive packets, the user may be billed for much more data than he actually used. This is a pretty common trouble for pay-as-you-go data billing)
  • how often/how much is the tunnel going to be used? Example usage?
  • does it need to be established and available from both sides all the time? Would it be okay to have something like “dial on demand” from the “external MT”? (related to previous question - if the connection is gonna be used too often, dial-on-demand may not be efficient even if it would work)

Sorry for not answering, I was outside country.

  • is a small regular keep-alive packet fine
    it is fine, although I get billed for it.

  • how often/how much is the tunnel going to be used?
    when someone calls that something doesn’t work. About twice a month. It’s an external building without any wired connection

  • does it need to be established and available from both sides all the time?
    Yes, as I can’t start “dial on demand”.

It would be ok to allow a connection at every quarter/hour, but only if it’s really worth it.

I’m thinking of establishing PPTP and then creating an IPsec tunnel if I really need to work with it,
using PPTP only to be able to connect to the router.

Thank you for all the input, I’ll try this all.

Best regards,

Joe

You could make your own dial on demand.

You could make a script in the remote MikroTik to send an HTTP GET request and based on the result you could enable the tunnel interface (and thus dial the tunnel).
Then you would have to schedule that script to run every hour or so and voila :)

What I don’t know is the exact data consumption - how big is a GET request and how big would be the smallest possible response, but I assume it would be small enough, plus you can play with the polling interval to minimize data consumption.

Not a bad idea, but to get even smaller idle data size, another idea:
Use scripting+scheduler to try to connect to a special TCP port on your router (using telnet). If this fails, do nothing - the only data sent is a SYN request, just a few bytes.
When you want the remote router to dial in, simply open this port and then the script would detect that and establish the VPN.
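The wake-up-port idea above, written out as an added example (not code from any poster in this thread). It assumes the remote site runs it from a scheduler on a Linux host behind the router rather than as a RouterOS script, and that `bring_up_tunnel` is a hypothetical hook that enables whatever tunnel interface you use. The local listener in `demo()` is a constructed stand-in for the central router opening its wake-up port.

```python
"""Scheduler-driven dial-on-demand probe (added example, not from the forum thread).

Assumed setup: the central router keeps a dedicated "wake-up" TCP port closed
(rejecting, not silently dropping) until an admin needs the tunnel and opens it.
The remote side polls that port on a schedule; while it is closed each poll
costs one SYN out and one RST back.
"""
import socket
import subprocess


def wake_signal_present(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port completes.

    Caveat: if the router DROPS the SYN instead of rejecting it, the client
    retransmits the SYN until `timeout` expires, so keep the timeout short
    to bound the per-poll cost.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def bring_up_tunnel(cmd=("ip", "link", "set", "wg0", "up")) -> None:
    """Hypothetical hook: enable the tunnel interface (command is an assumption)."""
    subprocess.run(list(cmd), check=True)


def poll_once(host: str, port: int, bring_up, timeout: float = 3.0) -> bool:
    """One scheduler tick: probe the wake-up port and dial only when it is open."""
    if wake_signal_present(host, port, timeout):
        bring_up()
        return True
    return False


def start_wakeup_listener():
    """Constructed stand-in for the central router's opened wake-up port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    return srv, srv.getsockname()[1]


def demo() -> dict:
    """Run one poll against a closed port, then one against an opened port."""
    events = []
    record = lambda: events.append("tunnel-enabled")  # stand-in for bring_up_tunnel

    srv, port = start_wakeup_listener()
    srv.close()  # port is closed again: the probe must fail and do nothing
    closed = poll_once("127.0.0.1", port, record, timeout=1.0)

    srv, port = start_wakeup_listener()  # "admin opened the port"
    try:
        opened = poll_once("127.0.0.1", port, record, timeout=1.0)
    finally:
        srv.close()
    return {"closed": closed, "opened": opened, "events": events}


if __name__ == "__main__":
    print(demo())
```

Schedule `poll_once` at the interval you can afford (the thread suggests hourly); the tunnel's own keepalive then only runs while the interface is up.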

Is that 400MB / day realistic? This translates to a continuous stream of data at about 5KB / s ???
Just pinging and rekeying isn’t that expensive!

Good idea!

On my L2TP IPsec (aes256+sha256) I have a constant flow of 3 packets per second (1.5 kbps) from client (RB2011) to server (Hex S). That makes about 16 MB per day.

Wireguard is absolutely silent when there’s no traffic and supports changing of endpoint IPs with no connectivity interruption. If you can go a non-Mikrotik route, I’ve had great success running Wireguard behind the router on a Linux box.

Nice, but that’s what my ISP billed me. I don’t know the LTE overhead, and I didn’t use all MikroTik settings like disabling CloudDNS, etc.
But I had no default route using the LTE so i didn’t expect that much traffic.

Here we go… :) So maybe, just maybe, the ISP is billing more than you really consume…
Can you find the exact billing conditions? What is the smallest billing unit? If your packets are small and sporadic, while the smallest billing unit is large enough, then each packet can be billed in a separate unit which is way bigger than the packet itself. Since it is an interface on your router, you should be able to figure out the exact amount of data which you really transmitted. If your ISP bills you significantly more, then it points toward this very popular billing policy…
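The two calculations this thread keeps returning to, as an added example (not code from any poster): the per-day extrapolation of a measured idle volume (the 6.7kB-per-15-minutes PPTP measurement above), and the minimum-increment billing effect described in the keep-alive question and in the last post. The packet size, billing unit and session gap used in `demo()` are constructed assumptions, not measured values.

```python
"""Idle-traffic extrapolation and minimum-increment billing model (added example)."""
import math
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400


def idle_bytes_per_day(bytes_per_interval: int, interval_s: float) -> int:
    """Extrapolate a measured idle volume to one day, as the thread does for PPTP."""
    return round(bytes_per_interval * SECONDS_PER_DAY / interval_s)


def keepalive_bytes_per_day(packet_bytes: int, keepalive_timeout_s: float,
                            both_directions: bool = True) -> int:
    """Keepalive cost for a given keepalive-timeout: one probe (and reply) per interval."""
    per_interval = packet_bytes * (2 if both_directions else 1)
    return idle_bytes_per_day(per_interval, keepalive_timeout_s)


@dataclass
class Billing:
    unit_bytes: int       # smallest billable increment (assumption: e.g. 1 kB)
    session_gap_s: float  # idle gap after which the carrier starts a new billable session


def periodic_packets(packet_bytes: int, interval_s: int, duration_s: int) -> list:
    """Constructed traffic: one packet of packet_bytes every interval_s seconds."""
    return [(t, packet_bytes) for t in range(0, duration_s, interval_s)]


def billed_bytes(packets: list, billing: Billing) -> int:
    """Bill a list of (timestamp_s, size_bytes).

    Bytes are accumulated per session; whenever the gap between packets exceeds
    session_gap_s the session closes and its total is rounded UP to whole units.
    A keepalive slower than the session gap therefore pays one full unit per packet.
    """
    unit = billing.unit_bytes
    billed, session_bytes, last_t = 0, 0, None
    for t, size in sorted(packets):
        if last_t is not None and t - last_t > billing.session_gap_s:
            billed += math.ceil(session_bytes / unit) * unit
            session_bytes = 0
        session_bytes += size
        last_t = t
    billed += math.ceil(session_bytes / unit) * unit
    return billed


def demo() -> dict:
    """Compare actual vs billed idle volume for a 60-byte keepalive every 30 s (constructed)."""
    packets = periodic_packets(60, 30, SECONDS_PER_DAY)
    actual = sum(size for _, size in packets)
    return {
        "pptp_extrapolated_per_day": idle_bytes_per_day(6700, 15 * 60),
        "actual_per_day": actual,
        "billed_short_session_gap": billed_bytes(packets, Billing(1024, 10)),
        "billed_long_session_gap": billed_bytes(packets, Billing(1024, 60)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v} bytes")
```

With a 10-second session gap every 30-second keepalive lands in its own 1kB unit, so roughly 173kB of real traffic bills as about 2.9MB; with a gap longer than the keepalive interval the same traffic bills close to its true size. That is why the billing unit and session timeout matter more than the tunnel type when the ISP's bill, not the interface counter, is what you are minimising.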