VPN Over PPTP down when Fasttrack connection enabled

Hi all,

I was using a PPTP connection for access to blocked web sites etc. which are filtered by the upstream provider. Normally PPTP traffic is nearly 14-15mb, but when I enable fasttrack this traffic starts to drop to around 3mb-4mb, and web sites and videos start to load slowly. Has anyone here faced a problem with PPTP and fasttrack?

Here is the simple config for the VPN:

/ip firewall address-list
add address=facebook.com list=UnBlock
/ip firewall mangle
add action=mark-routing chain=prerouting comment="blocked traff." dst-address-list=UnBlock new-routing-mark=BlockedWEB passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=VPN-Blocked

For the firewall:

/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related disabled=yes
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related
add action=accept chain=input protocol=ospf
add action=drop chain=input comment="DROP invalid" connection-state=invalid in-interface=WAN
add action=drop chain=forward comment="DROP invalid" connection-state=invalid in-interface=WAN

Thanks…

You can read this topic: http://forum.mikrotik.com/t/rb750gr3-l2tp-ipsec-unbearably-slow/116062/1

And at the end: http://forum.mikrotik.com/t/rb750gr3-l2tp-ipsec-unbearably-slow/116062/1

Thanks msatter,
I disabled fasttrack…

You do not need to disable fasttracking completely. Choose the category of traffic which occupies the most bandwidth and let that one be handled by the default routing table, i.e. without marking, which makes it possible to fasttrack it. If it is the traffic category you need to send via the PPTP tunnel, create an individual route to the PPTP server in the main routing table, and make the default route in the main routing table point to the PPTP tunnel (so that whatever is not marked would be sent via the tunnel). Mark the traffic which should NOT use the PPTP tunnel, and don’t forget to connection-mark it, not just route-mark, in both directions (i.e. whatever comes in via the uplink and is not a PPTP transport packet must be also connection-marked). Connection marking must come first, i.e. routing marks must be assigned based on connection marks.

Right before the action=fasttrack-connection rule in /ip firewall filter, place an action=accept rule which matches the same properties as the action=fasttrack-connection one plus connection-mark=your_connection_mark. That way, any packets belonging to marked connections will avoid fasttracking, so route-marking will work on them, while other connections will be fasttracked.
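
The rule order described in the reply above, written out as an added example that is not part of the original posts. The connection mark name via-vpn and the interface list LAN are assumptions; UnBlock and BlockedWEB are the names from the first post, and a route that carries the BlockedWEB routing mark out through the tunnel is assumed to exist already.

```routeros
/ip firewall mangle
# 1. Connection-mark first. Only the first packet of a new connection
#    from the LAN (assumed interface list) to a listed destination is
#    matched; every later packet, in both directions, inherits the mark.
add chain=prerouting action=mark-connection connection-state=new \
    in-interface-list=LAN dst-address-list=UnBlock \
    new-connection-mark=via-vpn passthrough=yes \
    comment="connection-mark traffic for the tunnel"

# 2. Routing mark assigned from the connection mark, not from the
#    address list. Limited to packets arriving from the LAN so that
#    replies coming back through the tunnel are routed by the main table.
add chain=prerouting action=mark-routing connection-mark=via-vpn \
    in-interface-list=LAN new-routing-mark=BlockedWEB passthrough=no \
    comment="route marked connections via BlockedWEB"

/ip firewall filter
# 3. Accept marked connections BEFORE the fasttrack rule. Fasttracked
#    packets bypass mangle, so a marked connection that got fasttracked
#    would lose its routing mark and leave through the default route.
add chain=forward action=accept connection-state=established,related \
    connection-mark=via-vpn comment="keep tunnel traffic out of fasttrack"

# 4. Everything else is still fasttracked.
add chain=forward action=fasttrack-connection \
    connection-state=established,related comment="fasttrack the rest"

# 5. Fasttrack only flags the connection; the packet that triggered it
#    still needs a normal accept.
add chain=forward action=accept connection-state=established,related \
    comment="ACCEPT established & related"
```

On a router that already has filter rules, add does not reorder anything: the accept rule from step 3 has to end up above the existing fasttrack-connection rule in the forward chain.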

Hi sindy,

Thanks for your help,
for fasttrack I used:

add action=fasttrack-connection chain=forward connection-mark="!VPN NETWORK" connection-state=established,related

for mangle:

/ip firewall mangle
add action=mark-connection chain=prerouting comment=GR in-interface-list=VPN new-connection-mark="VPN NETWORK" passthrough=yes
add action=mark-routing chain=prerouting comment=GR dst-address-list=UnBlock new-routing-mark=BlockedWEB passthrough=yes

I try to select the PPTP interface in connection-mark, or is it better to select dst-address-list there?