I have a question about RouterBOARD 750G r2 (v6.30) and slow VPN performance
The router is set up on a home network with a single network and a vDSL router to the internet.
The Routerboard is set up as an alternative gateway on the network and it routes traffic over the internet via a VPN.
You set the VPN gateway simply by changing the guest gateway IP.
The Routerboard config is a simple PPTP VPN using NAT/Masquerade+Mangling and route tables.
Performance of the links:
Straight to vDSL router I get 60Mbps down and 30Mbps up.
Via Routerboard with VPN disabled I get 56Mbps down and 38Mbps up.
Via Routerboard with VPN enabled I get 4Mbps down and 1Mbps up.
Ping times (google) 750ms via VPN. 56ms direct.
I know the performance of the 750 is minimal but is there a better way to route over the VPN?
Also set up on an x86/Hyper-V session and only got 4Mbps down and 1.3Mbps up.
Are there better clients than PPTP for performance?
I tried routing by destination (skips mangling) but still got the same performance.
What type of VPN are you using, and where does it terminate? What is the bandwidth at the other end of the tunnel? Have you tried lowering the MTU values of the tunnel to make sure packets are not getting fragmented?
The 750 should be able to get you better speed than that, but it also depends on what you have set up. The questions above can cause a large impact on performance depending on the answers. There could be more going on, but those would be the first things to check.
Just enable the graphing and you will have a permanent plot of CPU load.
When performance matters and the VPN is just for routing and not for hiding your super-secret communications, I use IPsec tunnels with AH protocol (no encryption, only signing).
This uses much less CPU than ESP on such low-end routers because it does not have to run AES or DES.
The easiest way to check for fragmentation is to send out a ping with the do not fragment flag set down the VPN tunnel. In Windows something like this:
ping 4.2.2.2 -l 1450 -f
It will tell you if the ping failed because the packet needed to be fragmented somewhere along the line.
The Mikrotik can act as a client for IPSec as well as a server. They just don’t present it in a nice way to visualize it. It helps if you know how it works on the back end and you can adjust the settings as needed for each vendor. Each vendor will use different terms or different menus but it is all standardized how it’s supposed to work. That doesn’t make it always easy, but it does make it easier.
When you are getting the low bandwidth speeds what is the CPU percentage of the MikroTik? Dustynz is right on the easiest way to get historical information. You can also look at /tools profile and /system resources to get a picture of what is currently going on and taking up the CPU time. With IPSec I would expect around 20-30 Mbps of traffic from a 750, though I’ve never tested one directly. PPTP should have better speeds than that.
That does not sound like valid information for a plain IPsec tunnel.
You should get your VPN provider to supply ALL the EXACT details of your VPN connection.
Trying to get IPsec working without having them is like shooting in the dark.
That’s not enough information to configure IPSec, and IPSec does not use a username and password. So chances are they are just running with L2TP/IPsec with standard Windows client settings instead of a pure IPSec setup. The MikroTik can handle that fine, it just needs to be configured properly.
1.) Configure the L2TP client with the appropriate connect-to address, username, and password.
2.) Set up an IPSec peer, this is phase1 settings for IPSec:
You will likely want to turn on IPSec debugging in the logs so you can see when/if there is an error and correct it. It will generate a lot of logs, but you can pause the log scrolling to review the messages.
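The don't-fragment ping check suggested earlier in the thread can be automated. The following is an added example, not code from any poster: it binary-searches the largest ICMP payload that passes with DF set and derives the IPv4 path MTU from it. Function names are hypothetical, the Linux flags and the "TTL=" reply check on Windows are assumptions, and the simulated probe is a constructed stand-in for a tunnel.

```python
import platform
import subprocess

IPV4_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def system_ping_probe(host, timeout_s=2):
    """Return probe(size) -> bool that sends one DF-flagged ping with the OS ping tool."""
    windows = platform.system() == "Windows"

    def probe(size):
        if windows:
            # Same flags as the command in the thread: -l payload size, -f don't fragment
            cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000),
                   "-f", "-l", str(size), host]
        else:
            # Linux iputils equivalent (assumption): -M do sets DF, -s is payload size
            cmd = ["ping", "-c", "1", "-W", str(timeout_s),
                   "-M", "do", "-s", str(size), host]
        result = subprocess.run(cmd, capture_output=True, text=True)
        if windows:
            # Assumption: only a real echo reply line contains "TTL="
            return "TTL=" in result.stdout
        return result.returncode == 0

    return probe


def largest_df_payload(probe, low=0, high=1472):
    """Largest payload in [low, high] that passes with DF set, or None if none does."""
    if not probe(low):
        return None  # host unreachable or ICMP filtered: nothing can be concluded
    if probe(high):
        return high  # no fragmentation below a full 1500-byte Ethernet MTU
    while high - low > 1:  # invariant: probe(low) passes, probe(high) fails
        mid = (low + high) // 2
        if probe(mid):
            low = mid
        else:
            high = mid
    return low


def path_mtu(probe, low=0, high=1472):
    payload = largest_df_payload(probe, low, high)
    return None if payload is None else payload + IPV4_ICMP_OVERHEAD


def simulated_probe(mtu):
    """Constructed stand-in for a path whose MTU is `mtu` bytes."""
    return lambda size: size + IPV4_ICMP_OVERHEAD <= mtu


if __name__ == "__main__":
    # 4.2.2.2 is the target used in the thread; run from a host routed via the VPN
    print(path_mtu(system_ping_probe("4.2.2.2")))
```

A result below 1500 on the tunnelled path is the value to compare against the MTU configured on the tunnel interface.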