KiralyIstvanFot
just joined
Topic Author
Posts: 4
Joined: Mon Mar 25, 2019 9:41 pm

NordVPN-IKEv2 slow NET speed

Fri Jul 12, 2019 10:25 am

Dear All, I tested the IKEv2 connection (6.45.1 FW) to NordVPN, but the response and the speed are too slow, although my net speed is 1Gbit/300Mbit.
With NordVPN the speed is 110/30MBit, but very hectic, and the web pages sometimes load and sometimes run into a timeout.

Does somebody have any experience with this?

Or what is the best VPN provider for the Mikrotik? I know the ovpn client is not fully functional yet.

I used the mikrotik document: https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS
 
sindy
Forum Guru
Posts: 3811
Joined: Mon Dec 04, 2017 9:19 pm

Re: NordVPN-IKEv2 slow NET speed

Fri Jul 12, 2019 4:54 pm

Not enough information. Some routerboards support encryption in hardware and some don't, and for years IPsec used to be incompatible with fasttracking although newest (6.44+) RouterOS versions seem not to have this limitation any more. So post your configuration (if you're concerned about privacy, check my automatic signature below), the Routerboard model and RouterOS version are part of the export.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
msatter
Forum Guru
Posts: 1240
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: NordVPN-IKEv2 slow NET speed

Fri Jul 12, 2019 4:58 pm

That speed is not too bad. I am using PureVPN and I don't have much more (only IKEv2).

I stopped using it for several weeks now because of the many renewals during sessions.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta / Winbox 3.20 / MikroTik APP 1.3.4
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
fruel
just joined
Posts: 4
Joined: Wed Oct 18, 2017 11:24 pm
Location: Vienna, Austria

Re: NordVPN-IKEv2 slow NET speed

Sun Jul 14, 2019 7:41 pm

Did you remove your IPsec traffic from fasttrack? I just posted my config example for privateinternetaccess.com VPN (viewtopic.php?f=2&t=150179) connections where you can see it.

I had similar issues - speeds seemed fine initially but the connections were unstable and I got regular timeouts.
With the fasttrack exceptions I am getting now 287/48 MBit/s on a 300/50 connection. (with an RB4011)
 
KiralyIstvanFot
just joined
Topic Author
Posts: 4
Joined: Mon Mar 25, 2019 9:41 pm

Re: NordVPN-IKEv2 slow NET speed

Mon Jul 15, 2019 10:58 am

fruel wrote:
> Did you remove your IPsec traffic from fasttrack? I just posted my config example for privateinternetaccess.com VPN (viewtopic.php?f=2&t=150179) connections where you can see it.
>
> I had similar issues - speeds seemed fine initially but the connections were unstable and I got regular timeouts.
> With the fasttrack exceptions I am getting now 287/48 MBit/s on a 300/50 connection. (with an RB4011)

I too have an RB4011. I didn't add what you write about the fasttrack exceptions to the firewall.

So this is what you think? And is it enough for the speed and timeout issues?

# basic IPsec fast track exception
/ip firewall mangle add action=mark-connection chain=forward ipsec-policy=out,ipsec new-connection-mark=ipsec
/ip firewall mangle add action=mark-connection chain=forward ipsec-policy=in,ipsec new-connection-mark=ipsec
/ip firewall filter add action=fasttrack-connection chain=forward connection-mark=!ipsec connection-state=established,related
 
sindy
Forum Guru
Posts: 3811
Joined: Mon Dec 04, 2017 9:19 pm

Re: NordVPN-IKEv2 slow NET speed

Mon Jul 15, 2019 1:23 pm

There is a specific problem associated with the use of the ipsec-policy matcher in /ip firewall filter or /ip firewall mangle rules when src-nat needs to be used to make the packets actually match the IPsec policy. The matcher doesn't anticipate the future; it merely checks whether the packet's headers, as they look at the very moment when the packet is handled by the rule, match the traffic selector of any policy with action=encrypt. And when the packet passes through the mangle and/or the filter, the src-nat operation is not yet executed, so it doesn't yet match the policy which it will match once the src-nat happens. So your rule set will not prevent those packets from making their connection fasttracked.

But as said earlier, it seemed to me that fasttracking stopped interfering with IPsec in the recent RouterOS releases, so maybe there is another reason for your lower-than-expected speed. So if you can stop all non-VPN traffic for a while, you can simply disable the fasttracking rule and try whether new connections through VPN will get faster. If you cannot get rid of the other traffic, the best criterion for exclusion from fasttracking seems to be the address-list used by the dynamically added src-nat rule - i.e. you'll add src-address-list=!that-address-list dst-address-list=!that-address-list to the action=fasttrack-connection rule. You can optimize that later, once you confirm that fasttracking is the cause of the speed under expectations.
 
Morphlingg
just joined
Posts: 3
Joined: Tue Jul 16, 2019 6:28 pm
Location: Washington

Re: NordVPN-IKEv2 slow NET speed

Tue Jul 16, 2019 6:54 pm

KiralyIstvanFot wrote:
> Dear All, I tested the IKEv2 connection (6.45.1 FW) to NordVPN, but the response and the speed are too slow, although my net speed is 1Gbit/300Mbit.
> With NordVPN the speed is 110/30MBit, but very hectic, and the web pages sometimes load and sometimes run into a timeout.
>
> Does somebody have any experience with this?
>
> Or what is the best VPN provider for the Mikrotik? I know the ovpn client is not fully functional yet.
>
> I used the mikrotik document: https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS

Maybe the problem is with the VPN's server location. Sometimes the VPN doesn't provide you the optimal location. I have downloaded a VPN from Veepn.com. It has 48 servers, by the way. So I haven't had any problems with connection and speed yet.
 
noko
just joined
Posts: 1
Joined: Fri Oct 18, 2013 3:29 am

Re: NordVPN-IKEv2 slow NET speed

Mon Sep 23, 2019 2:30 am

I have the same issue. The connection is such that even web pages can't fully load.
At first I thought the problem was the MTU size, but changing the MTU to 1200 didn't fix it.

I've tried to exclude IPsec traffic from the fasttrack rule, but got the same result. I don't know how to debug this issue. Maybe the torch tool can help?
 
Rumpel
just joined
Posts: 2
Joined: Tue Oct 08, 2019 8:42 pm

Re: NordVPN-IKEv2 slow NET speed

Tue Oct 08, 2019 9:51 pm

I think I have same issue here on RBD52G-5HacD2HnD with RouterOS v6.45.6
I have two subnets:
192.168.1.0/24 is for ordinary home router usage. The router itself has address 192.168.1.1 and the rest of the address space is used as the DHCP pool for connected devices.
192.168.2.0/24 is DHCP pool for devices connected to the L2TP server configured on the router.

When I was setting-up NordVPN tunnel (using manual on Mikrotik's wiki page) I decided to route only 192.168.2.0/24 to it so I won't disturb ordinary internet connection at home while doing so. Also I was adding to exceptions some destination addresses which won't go through the tunnel and will be routed directly.
Now after I have configured all that I also want 192.168.1.0/24 to be routed through the NordVPN tunnel so I add it to the corresponding address list. And after that I get a strange situation:
On 192.168.1.0/24 I got above-mentioned problem where I got 25Mbps download speed (maximum for my ISP connection) and nearly 0Mbps (about 0.02Mbps) for upload speed. So browsing on the Web lags a lot. But connections in the exceptions list are going fine at full speed.
At the same time on the same machine when I connect to the VPN server on the router and accordingly get to the 192.168.2.0/24 subnet everything works perfectly and I get maximum download and upload speeds permitted by my ISP through the NordVPN tunnel.

Any ideas how to fix this upload speed problem?

I am really a newbie in all this, so firstly in my case it can simply be some stupid mistake in the config, and secondly please speak more simply in answers :)

------- UPDATE -------------
I have disabled fasttracking as described by sindy. It helped but didn't solve the problem. With fasttracking disabled I have about 4Mbps upload speed.
 
sindy
Forum Guru
Posts: 3811
Joined: Mon Dec 04, 2017 9:19 pm

Re: NordVPN-IKEv2 slow NET speed

Tue Oct 15, 2019 11:00 pm

With fasttracking disabled, complexity and bad order of your firewall rules could theoretically cause a slowdown. Other than that, a bad choice of encryption and/or authentication algorithms in /ip ipsec proposal could be the reason, where "bad" means "not supported in hardware". So once the tunnel is up, check the /ip ipsec installed-sa print for the presence of the H symbol next to the dynamic item ID in the leftmost column, indicating hardware encryption to be used:

[me@MyTik] > ip ipsec installed-sa print
Flags: H - hw-aead, A - AH, E - ESP
0 HE spi=0xFA1132C1 src-address=x.x.x.x dst-address=y.y.y.y state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc
enc-key-size=256 auth-key="d3b45f4dd85075f97b4a44943aff308c2a3c9f65"
enc-key="9688c7251cfc7bd79cbda89801d818805b629695c68c6284f54843601989d4ae" addtime=oct/15/2019 17:53:45 expires-in=9m12s
add-lifetime=24m/30m current-bytes=3000 current-packets=19 replay=128


If hardware encryption is in use, post the configuration export following the anonymisation hint in my automatic signature below, as the firewall setup may not be optimal.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
msatter
Forum Guru
Posts: 1240
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: NordVPN-IKEv2 slow NET speed

Tue Oct 15, 2019 11:13 pm

Have thought about lowering the MTU because MSS is broken for upload in RouterOS!

viewtopic.php?f=2&t=152831&p=754579#p754579

Set MTU to 1280 and ! 0-1280:

viewtopic.php?f=2&t=143990&p=754524#p754564
 
Rumpel
just joined
Posts: 2
Joined: Tue Oct 08, 2019 8:42 pm

Re: NordVPN-IKEv2 slow NET speed

Wed Oct 16, 2019 8:53 pm

sindy wrote:
> With fasttracking disabled, complexity and bad order of your firewall rules could theoretically cause a slowdown. Other than that, a bad choice of encryption and/or authentication algorithms in /ip ipsec proposal could be the reason, where "bad" means "not supported in hardware". So once the tunnel is up, check the /ip ipsec installed-sa print for the presence of the H symbol next to the dynamic item ID in the leftmost column, indicating hardware encryption to be used:

There are not so many firewall rules in my config, and CPU usage is not going above 5% while performing speed tests to remote servers. Even on our local ISP network where I have a 100Mbps limitation I never got more than 30% CPU usage (with fasttracking disabled) while downloading torrents at full speed.
Have checked support by hardware and the H symbol is present in every entry. And I think this potential cause can't explain why I have a speed limitation on the straight path and don't have it in the VPN path, because the latter has even more encryption in it but results in more speed.

msatter wrote:
> Have thought about lowering the MTU because MSS is broken for upload in RouterOS!
> viewtopic.php?f=2&t=152831&p=754579#p754579
> Set MTU to 1280 and ! 0-1280:
> viewtopic.php?f=2&t=143990&p=754524#p754564

Yes! Have added the rule for mangle from the second link and it solved the problem! (though I didn't specify ports in my case) Now everything works as expected.

Thank you all for helping me out!
 
msatter
Forum Guru
Posts: 1240
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: NordVPN-IKEv2 slow NET speed

Wed Oct 16, 2019 9:14 pm

The rule would not have to be present if all was working as expected.

Pleased that helped and I got it again from other members here helping others like me with this.
 
sindy
Forum Guru
Posts: 3811
Joined: Mon Dec 04, 2017 9:19 pm

Re: NordVPN-IKEv2 slow NET speed

Wed Oct 16, 2019 11:36 pm

I'd really love to understand how an MTU issue can cause much lower speed but otherwise working connections. Okay, each packet occupying the whole MTU gets broken into two thanks to IPsec processing which adds extra bytes to it, but that should cause half the speed at worst. And if they didn't get through at all due to wrong MTU, the TCP sessions should completely fail, not just become slow.
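An added worked example (not from the thread or from MikroTik): the per-packet overhead of tunnel-mode ESP for the aes-cbc/sha1 SA shown earlier, and the largest inner packet and TCP MSS that still fit the link MTU without fragmentation. It assumes IPv4, NAT-T UDP encapsulation and no IP or TCP options; all function and constant names are illustrative.

```python
from dataclasses import dataclass

# Fixed per-packet costs in bytes (assumption: IPv4, no IP options).
OUTER_IPV4 = 20      # new outer IP header added by tunnel mode
NATT_UDP = 8         # UDP encapsulation when NAT traversal is active
ESP_HEADER = 8       # SPI + sequence number
ESP_TRAILER = 2      # pad-length + next-header, inside the encrypted part
INNER_IPV4_TCP = 40  # inner IP header + TCP header without options

@dataclass(frozen=True)
class EspSuite:
    iv: int     # per-packet IV carried in clear
    align: int  # encrypted part is padded to a multiple of this
    icv: int    # truncated integrity tag appended at the end

AES_CBC_SHA1 = EspSuite(iv=16, align=16, icv=12)  # as in the installed-sa output
AES_GCM_16 = EspSuite(iv=8, align=4, icv=16)      # for comparison only

def _fixed(suite, nat_t):
    return OUTER_IPV4 + (NATT_UDP if nat_t else 0) + ESP_HEADER + suite.iv + suite.icv

def esp_packet_size(inner_len, suite, nat_t=True):
    """On-wire size of one inner IP packet after tunnel-mode ESP."""
    padded = -(-(inner_len + ESP_TRAILER) // suite.align) * suite.align
    return _fixed(suite, nat_t) + padded

def max_inner_packet(link_mtu, suite, nat_t=True):
    """Largest inner IP packet whose ESP form still fits link_mtu."""
    room = (link_mtu - _fixed(suite, nat_t)) // suite.align * suite.align
    return room - ESP_TRAILER

def max_tcp_mss(link_mtu, suite, nat_t=True):
    return max_inner_packet(link_mtu, suite, nat_t) - INNER_IPV4_TCP

def fragments(inner_len, link_mtu, suite, nat_t=True):
    return esp_packet_size(inner_len, suite, nat_t) > link_mtu

if __name__ == "__main__":
    for mtu in (1500, 1492):  # Ethernet, PPPoE
        print(mtu, max_inner_packet(mtu, AES_CBC_SHA1), max_tcp_mss(mtu, AES_CBC_SHA1))
    # A full 1500-byte LAN packet grows past the link MTU and must be split.
    print(esp_packet_size(1500, AES_CBC_SHA1), fragments(1500, 1500, AES_CBC_SHA1))
    # A segment clamped to MSS 1280 (inner packet 1320) fits with room to spare.
    print(esp_packet_size(1320, AES_CBC_SHA1))
```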
 
msatter
Forum Guru
Posts: 1240
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: NordVPN-IKEv2 slow NET speed

Wed Oct 16, 2019 11:59 pm

I have looked with WireShark what is happening when I get a slow start and half the speed. This was recent time.

On download it finds the correct MTU with or without the MSS line and also if clamp to pmtu is activated. Working great.

On upload all goes haywire and the MTU is not found and it came even that far that it failed completely and it got stuck on MTU 536. I could not resolve it by activating the MSS line or even restarting the router. Only a restore of a backup could untangle the MTU knot.
I looked at the ICMP traffic and it was destined for my client but it never made it out of the router and the IPSEC grabbed it and nothing happened. It was marked as NAT so it should be communicated to my client that it should lower the MTU to 1382.

In the past I had L2TP connection and then I had no traffic when I reached the second part of speedtest.net. Sometimes it worked and then again not.

Using IKEv2 now and being better informed, I have now the MSS line always active and sometimes even then the upload is off when, as an example, I post here and that goes very slow or parts of the forum don't work. It can take a few minutes or even days before I can post again or log in. I am used to that by now.

I have sent a supout.rif to Mikrotik when my router was in a locked MTU status and till now I have only received the automatic confirmation.
