dustynz
just joined
Topic Author
Posts: 6
Joined: Wed May 25, 2016 5:52 am

VPN and performance

Wed May 25, 2016 11:00 am

I have a question about a RouterBOARD 750G r2 (v6.30) and slow VPN performance.

The router is set up on a home network with a single network and a vDSL router to the internet.
The Routerboard is set up as an alternative gateway on the network and it routes traffic over the internet via a VPN.
You set the VPN gateway simply by changing the guest gateway IP.
The Routerboard config is a simple PPTP VPN using NAT/Masquerade + mangling and route tables.

Performance of the links
Straight to vDSL router I get 60Mbps down and 30Mbps up.
Via Routerboard with VPN disabled I get 56Mbps down and 38Mbps up
Via Routerboard with VPN enabled I get 4Mbps down and 1Mbps up.
Ping times (google) 750ms via VPN. 56ms direct.

I know the performance of the 750 is minimal but is there a better way to route over the VPN?
Also set up on an x86/Hyper-V session and only got 4Mbps down and 1.3Mbps up.

Are there better clients than PPTP for performance?
I tried routing by destination (Skips mangling) but still got the same performance
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: VPN and performance

Wed May 25, 2016 11:40 pm

What type of VPN are you using, and where does it terminate? What is the bandwidth at the other end of the tunnel? Have you tried lowering the MTU values of the tunnel to make sure packets are not getting fragmented?

The 750 should be able to get you better speed than that, but it also depends on what you have setup. The questions above can cause a large impact on performance depending on the answers. There could be more going on, but those would be the first things to check.
 
dustynz
just joined
Topic Author
Posts: 6
Joined: Wed May 25, 2016 5:52 am

Re: VPN and performance

Thu May 26, 2016 1:58 am

The VPN is an off-the-shelf CyberGhost VPN tunnel. On a Windows machine with the native Windows PPTP client I am seeing close to 90% of my local link.


What's the easiest way to see if I am getting packet fragmentation? Using a standard MTU of around 1450 I think.

Also noticed a massive jump in ping times: 50-700ms. Sure that is telling as well.
 
dustynz
just joined
Topic Author
Posts: 6
Joined: Wed May 25, 2016 5:52 am

Re: VPN and performance

Thu May 26, 2016 2:00 am

Also noticing that PPTP is one of the costliest VPN tunnels for performance and IPSEC (not L2TP) is the best.

Vendor supports IPSEC client but seems RouterOS only supports IPSEC to IPSEC (Server to Server)
 
dustynz
just joined
Topic Author
Posts: 6
Joined: Wed May 25, 2016 5:52 am

Re: VPN and performance

Thu May 26, 2016 2:22 am

Also, what's the easiest way to plot CPU load on the 750? I am assuming that if the 750 is the limit then I would see max CPU load?
 
pe1chl
Forum Guru
Posts: 10240
Joined: Mon Jun 08, 2015 12:09 pm

Re: VPN and performance

Thu May 26, 2016 11:26 am

Just enable the graphing and you will have a permanent plot of CPU load.
When performance matters and the VPN is just for routing and not for hiding your super-secret communications,
I use IPsec tunnels with AH protocol. (no encryption, only signing)
This uses much less CPU than ESP on such low-end routers because it does not have to run AES or DES.
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: VPN and performance

Thu May 26, 2016 8:04 pm

The easiest way to check for fragmentation is to send out a ping with the do not fragment flag set down the VPN tunnel. In windows something like this:
ping 4.2.2.2 -l 1450 -f
It will tell you if the ping failed because the packet needed to be fragmented somewhere along the line.

The Mikrotik can act as a client for IPSec as well as a server. They just don't present it in a nice way to visualize it. It helps if you know how it works on the back end and you can adjust the settings as needed for each vendor. Each vendor will use different terms or different menus but it is all standardized how it's supposed to work. That doesn't make it always easy, but it does make it easier.

When you are getting the low bandwidth speeds what is the CPU percentage of the MikroTik? Dustynz is right on the easiest way to get historical information. You can also look at /tools profile and /system resources to get a picture of what is currently going on and taking up the CPU time. With IPSec I would expect around 20-30 Mbps of traffic from a 750, though I've never tested one directly. PPTP should have better speeds than that.
 
dustynz
just joined
Topic Author
Posts: 6
Joined: Wed May 25, 2016 5:52 am

Re: VPN and performance

Fri May 27, 2016 2:35 am

Thanks

Have had a look about to setup as an IPSec (not L2TP) tunnel client and can't seem to see anything. Are you saying I need to config at the console?

VPN supplier has provided the following ipsec settings
Destination:
UN:
PW:
SECRET:

The VPN is to a public/internet endpoint
Thanks
 
pe1chl
Forum Guru
Posts: 10240
Joined: Mon Jun 08, 2015 12:09 pm

Re: VPN and performance

Fri May 27, 2016 10:46 am

> Thanks
>
> Have had a look about to setup as an IPSec (not L2TP) tunnel client and can't seem to see anything. Are you saying I need to config at the console?
>
> VPN supplier has provided the following ipsec settings
> Destination:
> UN:
> PW:
> SECRET:
>
> The VPN is to a public/internet endpoint
> Thanks

That does not sound like valid information for a plain IPsec tunnel.
You should get your VPN provider to supply ALL the EXACT details of your VPN connection.
Trying to get IPsec working without having them is like shooting in the dark.
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: VPN and performance

Fri May 27, 2016 5:39 pm

> Thanks
>
> Have had a look about to setup as an IPSec (not L2TP) tunnel client and can't seem to see anything. Are you saying I need to config at the console?
>
> VPN supplier has provided the following ipsec settings
> Destination:
> UN:
> PW:
> SECRET:
>
> The VPN is to a public/internet endpoint
> Thanks

That's not enough information to configure IPSec, and IPSec does not use a username and password. So chances are they are just running with L2TP/IPsec with standard Windows client settings instead of a pure IPSec setup. The MikroTik can handle that fine, it just needs to be configured properly.
1.) Configure the L2TP client with the appropriate connect to address, username, and password.
2.) Setup an IPSec peer, this is phase1 settings for IPSec:
/ip ipsec peer add address=<CyberGhost IP> auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=sha1 lifebytes=0 lifetime=1d proposal-check=obey secret=<Secret key> send-initial-contact=yes
3.) Setup the IPSec proposal, these are the phase2 settings for IPSec
/ip ipsec proposal set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
4.) Setup an IPSec policy, this defines what traffic the router will encrypt for IPSec
/ip ipsec policy add dst-address=<CyberGhost IP> protocol=all sa-dst-address=<CyberGhost IP> sa-src-address=<YOUR IP> src-address=<YOUR IP>/32 tunnel=yes
You will likely want to turn on IPSec debugging in the logs so you can see when/if there is an error and correct it. It will generate a lot of logs, but you can pause the log scrolling to review the messages.
/system logging
add action=memory topics=ipsec,!packet
Most of the IPSec settings I borrowed from the wiki, but modified them a bit to fit more into what you are asking about.
http://wiki.mikrotik.com/wiki/L2TP_%2B_ ... Windows_PC
 
dustynz
just joined
Topic Author
Posts: 6
Joined: Wed May 25, 2016 5:52 am

Re: VPN and performance

Sat May 28, 2016 1:32 pm

Little update
Running
ping www.google.com -l 1395 -f

Pinging www.google.com [216.58.199.36] with 1395 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

Basically 1392 is when packet fragmentation stops. Have changed the Max MTU and MRU?
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: VPN and performance

Tue May 31, 2016 4:53 pm

This should do it. You can also change the L2TP's MTU value down to 1392 by editing the client interface.
/ip firewall mangle
add action=change-mss chain=forward new-mss=1392 out-interface=all-ppp protocol=tcp tcp-flags=syn tcp-mss=1393-65535
add action=change-mss chain=forward new-mss=1392 out-interface=all-ppp protocol=tcp tcp-flags=syn tcp-mss=1393-65535
 
mrz
MikroTik Support
Posts: 7056
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: VPN and performance

Tue May 31, 2016 5:25 pm

MTU is not the same as TCP MSS, so the values in the mangle rules should be 1354 bytes or less (subtract the default size of the IP header and the TCP header).
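As an added worked example (not code from any poster in this thread), the following script ties the two points above together: it reads a Windows `ping -l <N> -f` sweep like dustynz's to find the largest payload that passes with DF set, then derives the MSS clamp value the way mrz describes (MTU minus the 20-byte IP and 20-byte TCP headers) and emits the corresponding RouterOS mangle rule. The sweep output is constructed, and the script assumes that Windows `ping -l N` sets only the ICMP data size, so the datagram that actually crosses the tunnel is N plus 28 bytes of IP and ICMP headers.

```python
import re

IP_HDR = 20    # IPv4 header without options
TCP_HDR = 20   # TCP header without options
ICMP_HDR = 8   # ICMP echo header; Windows "ping -l N" counts only the N data bytes

# Constructed sample of a Windows "ping -l <N> -f" sweep (not a real capture):
# data size tried -> first reply line printed by ping.
PING_SWEEP = {
    1450: "Packet needs to be fragmented but DF set.",
    1395: "Packet needs to be fragmented but DF set.",
    1393: "Packet needs to be fragmented but DF set.",
    1392: "Reply from 216.58.199.36: bytes=1392 time=57ms TTL=55",
    1300: "Reply from 216.58.199.36: bytes=1300 time=56ms TTL=55",
}

FRAG_RE = re.compile(r"needs to be fragmented", re.IGNORECASE)


def largest_unfragmented_payload(sweep):
    """Largest ping data size that got through with DF set, or None if none did."""
    ok = [size for size, line in sweep.items() if not FRAG_RE.search(line)]
    return max(ok) if ok else None


def path_mtu_from_ping_payload(payload):
    """Size of the IPv4 datagram a Windows ping with -l <payload> actually sends."""
    return payload + IP_HDR + ICMP_HDR


def mss_for_mtu(mtu):
    """TCP MSS that fits a given MTU: subtract the IP and TCP headers (mrz's point)."""
    return mtu - IP_HDR - TCP_HDR


def mangle_mss_rule(mss, out_interface="all-ppp"):
    """RouterOS mangle rule clamping SYN MSS so TCP segments fit the tunnel."""
    return (
        "/ip firewall mangle add action=change-mss chain=forward "
        f"new-mss={mss} out-interface={out_interface} protocol=tcp "
        f"tcp-flags=syn tcp-mss={mss + 1}-65535"
    )


if __name__ == "__main__":
    payload = largest_unfragmented_payload(PING_SWEEP)
    pmtu = path_mtu_from_ping_payload(payload)
    print(f"largest DF payload {payload} -> path MTU {pmtu} -> MSS {mss_for_mtu(pmtu)}")
    # If the L2TP interface MTU itself is set to 1392, the clamp has to be 40 less:
    print(mangle_mss_rule(mss_for_mtu(1392)))
```

Note that a ping payload of 1392 passing with DF set means the path carries 1420-byte datagrams; setting new-mss to the ping payload size itself would let TCP build 1432-byte packets that still need fragmenting.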
