Hello everyone
My problem is with VPN speed: when I configure it on the MikroTik router (RB4011IGS+5HacQ2HnD-IN) as the client, the speed drops drastically compared to when I connect to the same VPN server on Windows. On both I use PPTP.
I think the problem is with the MikroTik MAC address, because here ISPs are very restrictive about people using VPNs on their connections, so maybe they have a way to detect the device type by MAC address and limit the traffic if they connect to the VPN with those devices. I had this issue somewhere else in the city, but in that place we had internet over ADSL, so by configuring the modem in bridge mode, creating the PPPoE on the router and then routing the traffic through the VPN (the same server, also PPTP), the problem was solved. But since here the ISP gives you a preconfigured ZLT P19H modem and all of the settings are locked (plus I’m not sure if the modem has bridge mode or not), I can’t do the same thing here. That’s why I was thinking about changing the MAC address of the router to see if it fixes the problem, since with a simple Google search you can see the MAC address belongs to a MikroTik router.
Or maybe you guys have other solutions, which I will appreciate if you tell me.
speedtest of VPN PPTP on the windows

speedtest of VPN PPTP on the router

They do not check the device, but the TTL; see the other topic already open about that.
If you use the PC, you are directly connected, and it is OK.
But if you put the router in between, the TTL is decreased by one (device) and the provider understands that you share the connection.
Oh, is that so? Thank you for your reply.
I searched the forum but didn’t find a topic about it. Can you be so kind and send those topics’ links to me?
I changed the TTL but there was no difference. I tried different numbers and tested with those, but it was all the same thing; not sure my configuration is right, though.







Ping result without VPN: Reply from 1.1.1.1: bytes=32 time=114ms TTL=52
Ping result with VPN on PC: Reply from 1.1.1.1: bytes=32 time=123ms TTL=56
Ping result with VPN on router: Reply from 1.1.1.1: bytes=32 time=125ms TTL=55
When you say “VPN on the PC” vs. “VPN on the router”, does that really mean only where you run the VPN client, or do you also connect the PC directly to the ISP’s modem (excluding the 4011 from the path)?
You are saying (MT wiki) that if we change the TTL on the LTE we would be able to get more bandwidth; why is that?
Can’t find any logical explanation.
Hi,
What @rextended is trying to say is that most ISPs cap your connection if they determine you put a router in between, by observing that the TTL is decremented by 1, which triggers them to reduce your bandwidth. Since you tried to reset the TTL to 65, the ISP shouldn’t notice you put a router in and, in theory, should not cap your connection. In this case this could be something else, and I don’t think this is a port negotiation mismatch issue on your Ethernet port towards the WAN interface. Could you check if this is the case? There’s no harm in trying.
The logic behind it is that mobile operators want to discourage subscribers from using LTE to connect whole networks, assuming that networks generate more traffic than individual phones. So the ISPs offer specific (more expensive) tariff plans for connection of networks. And by the TTL value they distinguish packets sent by the mobile phone itself from packets sent by devices connected to the phone externally.
No, it’s just the VPN client on Windows. The PC is always connected to the RB4011.
Hey man
Thanks for your reply. How exactly can I test this? As you can see, I’m pretty new to MikroTik and also a network beginner.
Given the awful upload performance, are you sure you have MTU / MSS set properly?
The ISP given maximum upload speed is 8Mbps
My internet connection is: 40Mbps download - 8Mbps upload
If so, the MAC address of the 4011 plays no role in the VPN throughput, because the VPN provider can never see a MAC address, whereas the ISP can always see the MAC address of the 4011’s WAN, no matter where the VPN client is running.
2 ms difference on 123 ms of ping round-trip time is nothing, so I would assume the issue to be caused by the PPTP transport packets getting fragmented and many of the fragments to get lost. The thing is that the VPN client on the PC advertises a small enough MTU on the payload interface so that fragmentation wouldn’t happen, whereas the PPTP client on the Mikrotik may advertise a too high MTU on the payload interface, resulting in the PC sending 1500-byte packets as per the Ethernet MTU, and the 4011 passing them on fragmented, and a good deal of the small second fragments getting lost on the path between the 4011 and the VPN server. Post the text export of the Mikrotik configuration, following the mini-howto in my automatic signature below.
Also, it’s worth mentioning that sometimes the speed with VPN on the PC or phone also gets slow, to about 13Mbps, but without VPN it’s more than 40Mbps.
But it’s just sometimes, and I’m sure it’s not about VPN server bandwidth, because it’s 10Gbps, and the 1Mbps speed I get when I have the VPN on the router is not even close to 13Mbps.
Something else I noticed is that in those occasional slowdowns (when using VPN, no difference on the device type) I still have full upload bandwidth (it’s 8Mbps MAX), but when I have the VPN on the router I get no upload bandwidth.

Thank you very much for your reply.
Here you go:
Is there a way to completely cover the VPN so the ISP never understands I’m using one?
Definitely not with PPTP, whose encryption is so weak that it actually hides nothing; IPsec or something-over-IPsec is also obvious, so you’d have to use an SSTP VPN which looks like a normal HTTPS session, except that the packet sizes and traffic patterns may be unusual, plus SSTP has some drawbacks for the user (speed being one of the first ones to bother you). So no, no way to hide the fact that you are using a VPN from someone really determined to find out.
To your speed issue - the default max-mtu and max-mru settings of the PPTP client interface, 1450 bytes, assume that the PPTP transport packets will be sent over an Ethernet interface with an MTU of 1500 bytes. However, your WAN interface is a PPPoE one, which means an MTU of 1480 bytes or smaller, hence reducing the max-mtu and max-mru values in /interface pptp-client to 1400 might do the trick. If it doesn’t, try to add the following firewall rules:
/ip firewall mangle add chain=forward in-interface=pptp-out1 protocol=tcp tcp-flags=syn action=change-mss new-mss=1300
/ip firewall mangle add chain=forward out-interface=pptp-out1 protocol=tcp tcp-flags=syn action=change-mss new-mss=1300
With L2TP/IPsec, the issue is one step more complicated as the PPP transport packets are encapsulated into UDP rather than GRE, and the UDP ones are encapsulated into ESP, which may be encapsulated into UDP again. So even more overhead, and thus you need to reduce the max-mtu and max-mru even more to prevent fragmentation.
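The MTU arithmetic from the replies above, worked through as an added example (not code from the thread or from MikroTik): it shows why a 1450-byte tunnel MTU fits a 1500-byte Ethernet WAN but splits into a full-size fragment plus a tiny second one on a 1480-byte WAN. The values 1450, 1400, 1480, 1500 and 1300 come from the posts; the per-packet header sizes are worst-case assumptions.

```python
# Added illustration. Header sizes below are assumed worst cases, not
# values measured on the poster's link.
OUTER_IPV4 = 20   # outer IPv4 header without options
GRE_PPTP = 16     # enhanced GRE: 8 base + 4 sequence + 4 acknowledgement
PPP_MPPE = 6      # assumed worst case for PPP protocol fields plus MPPE header
TCP_IPV4 = 40     # inner IPv4 (20) + TCP (20) headers without options


def outer_fragments(inner_len, wan_mtu):
    """Sizes of the outer IPv4 packets needed to carry one inner packet."""
    payload = GRE_PPTP + PPP_MPPE + inner_len
    if OUTER_IPV4 + payload <= wan_mtu:
        return [OUTER_IPV4 + payload]          # fits, no fragmentation
    # Every fragment but the last must carry a multiple of 8 payload bytes.
    chunk = (wan_mtu - OUTER_IPV4) // 8 * 8
    sizes = []
    while payload > 0:
        take = min(chunk, payload)
        sizes.append(OUTER_IPV4 + take)
        payload -= take
    return sizes


def largest_safe_tunnel_mtu(wan_mtu):
    """Largest max-mtu/max-mru that never fragments under these assumptions."""
    return wan_mtu - OUTER_IPV4 - GRE_PPTP - PPP_MPPE


def max_mss(tunnel_mtu):
    """Largest TCP MSS whose segments fit the tunnel MTU unfragmented."""
    return tunnel_mtu - TCP_IPV4


if __name__ == "__main__":
    for tunnel_mtu, wan_mtu in [(1450, 1500), (1450, 1480), (1400, 1480)]:
        frags = outer_fragments(tunnel_mtu, wan_mtu)
        state = "fragmented" if len(frags) > 1 else "ok"
        print(f"tunnel MTU {tunnel_mtu} over WAN MTU {wan_mtu}: {frags} ({state})")
    print("largest safe tunnel MTU on a 1480 WAN:", largest_safe_tunnel_mtu(1480))
    print("MSS ceiling for tunnel MTU 1400:", max_mss(1400))
```

The suggested new-mss=1300 sits below the 1360-byte ceiling this gives for a 1400-byte tunnel MTU, leaving margin for TCP options and for a WAN MTU smaller than 1480.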