medi01
just joined
Topic Author
Posts: 13
Joined: Wed Jun 20, 2018 9:49 am

Highest bandwidth VPN with Mikrotik routers

Sun Jun 28, 2020 3:04 pm

Good day,

Newbie here.

I have the following topology:

Mikrotik1 (951G-2HnD) (192.168.0.2) => ISP Router A (120/6mbit) ------------------ ISP Router B (50/50mbit) <= HAP AC (10.1.0.x)

ISP Router A can be configured to forward UDP/TCP ports, no DMZ option.
ISP Router B is more advanced, has DMZ, although I'd prefer not to use it.

I already have OVPN and SSTP working with Mikrotik1 being the server,
My issue is: I need to transfer gigabytes of data from B to A, but TCP connection BW between the two maxes at about 2.5mbit (of 50 available).
Curiously, MikroTik's bandwidth test shows drastically different results for TCP/UDP over VPN connections.
UDP maxes at about 30mbit, TCP ten times less.

In the past, I was using PPTP connection for file transfers and it was maxing at 30-40mbits. But back then Mikrotik1 was directly connected to the public internet, it stopped working after I got new ISP router. (I guess GRE packets do not get through?)

For large file transfer, there are no concerns about security.

Question: what is the fastest VPN connection applicable to the above topology supported by Mikrotik today? Could you poke me with RTFM on how to set it up?
 
sindy
Forum Guru
Posts: 5343
Joined: Mon Dec 04, 2017 9:19 pm

Re: Highest bandwidth VPN with Mikrotik routers

Sun Jun 28, 2020 4:02 pm

Curiously, MikroTik's bandwidth test shows drastically different results for TCP/UDP over VPN connections.
UDP maxes at about 30mbit, TCP ten times less.
TCP only sends a certain amount of data until a confirmation from the recipient arrives, so not only the available bandwidth but also the round-trip delay plays a role. If you do the test between two devices on the same LAN, the results will be nearly the same.

(I guess GRE packets do not get through?)
Correct. GRE has no notion of ports, and most applications using GRE do not use the optional tunnel ID, so it can be NATed only with limitations - only one GRE endpoint at the private side of a NAT at a time for each public IP, and many NAT boxes cannot do even that.

Question: what is the fastest VPN connection applicable to the above topology supported by Mikrotik today? Could you poke me with RTFM on how to set it up?
None of your Mikrotik models supports encryption in hardware, so there is little difference between the VPN types if using the same transport (TCP/UDP) and encryption strength. If there are no security concerns, you can use bare L2TP with encryption disabled (use-encryption=no in the /ppp profile row used). For that, it is enough to copy-paste the PPTP setup at both the client and the server, and forward UDP port 1701 from the public IP to the private IP at server side.

But I'd be careful with statements like "security is not an issue", because not only encryption of the data being transported should worry you but also security of the authentication process, and here bare L2TP is not as secure as IPsec. So the access through the tunnel should be restricted to the lowest possible number of hosts, so that if someone connects instead of the proper client, the damage would be minimized. The authentication (in)security is the same for PPTP and bare L2TP as both rely on the same authentication protocols.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
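The round-trip-delay effect sindy describes can be put into numbers. This is an added worked example, not part of sindy's reply; the window size and RTT values are assumptions chosen to match the 40-50 ms lag mentioned in the thread. A TCP sender may have at most one receive window $W$ of unacknowledged data in flight, and an acknowledgement takes one round-trip time $RTT$ to come back, so the throughput of a single connection is bounded by

$$
\text{throughput} \le \frac{W}{RTT}
$$

With the classic 64 KiB window (the largest possible without TCP window scaling) and a 50 ms round trip:

$$
\frac{65535 \cdot 8\ \text{bit}}{0.050\ \text{s}} \approx 10.5\ \text{Mbit/s}
$$

while the same window over a 10 ms round trip gives

$$
\frac{65535 \cdot 8\ \text{bit}}{0.010\ \text{s}} \approx 52\ \text{Mbit/s}
$$

A UDP bandwidth test has no such acknowledgement loop and is limited only by the path and the router CPU, which is why the two numbers can differ so much on the same link. The exercise is useful as a check: if a measured TCP rate sits well below $W/RTT$ for the negotiated window, the bottleneck is something other than latency (packet loss, CPU, or an MTU problem in the tunnel); if it sits near the bound, a larger window (window scaling, or several parallel connections) is what helps.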
 
medi01
just joined
Topic Author
Posts: 13
Joined: Wed Jun 20, 2018 9:49 am

Re: Highest bandwidth VPN with Mikrotik routers

Sun Jun 28, 2020 6:52 pm

TCP only sends a certain amount of data until a confirmation from the recipient arrives, so not only the available bandwidth but also the round-trip delay plays a role. If you do the test between two devices on the same LAN, the results will be nearly the same.
I'm aware of that, but a TCP connection is able to buffer traffic, normally for long enough for a lag of 40-50ms not to matter. (or so I thought)

Correct. GRE has no notion of ports, and most applications using GRE do not use the optional tunnel ID, so it can be NATed only with limitations - only one GRE endpoint at the private side of a NAT at a time for each public IP, and many NAT boxes cannot do even that.
There is something I'm not quite following here.
Port 1723 was mapped to Mikrotik2, yet MK1 was complaining about "connection refused" when trying to use PPTP.
DMZ-ing MK2 led to "connection established... connected", but actual transfer of data over the tunnel didn't work (ping failing, connection dropping).

None of your Mikrotik models supports encryption in hardware, so there is little difference between the VPN types if using the same transport (TCP/UDP) and encryption strength. If there are no security concerns, you can use bare L2TP with encryption disabled (use-encryption=no in the /ppp profile row used). For that, it is enough to copy-paste the PPTP setup at both the client and the server, and forward UDP port 1701 from the public IP to the private IP at server side.
I haven't tried it without encryption, but even with default encryption (cbc(aes) + hmac(sha1)) L2TP is about 4 times faster than OVPN/SSTP (10-12-ish Mbit), so it's not just CPU (if at all) that is limiting the BW. (wouldn't bandwidth test also hit CPU limit? Yet it was 30+Mbit)
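The bare-L2TP setup sindy suggests earlier in the thread, written out as RouterOS CLI commands. This is an added example and not configuration posted by anyone in the thread; the profile and secret names, the 10.255.255.0/30 tunnel addresses, the file server address 192.168.0.10, the placeholder password and the public address my.public.ip.1 are all assumptions, and the UDP 1701 port forward itself has to be configured on ISP Router A (not shown, it is not a MikroTik). The last two forward rules implement sindy's caveat: because bare L2TP authentication is no stronger than PPTP's, the tunnel peer is allowed to reach only the one host it needs and nothing else on the LAN.

```routeros
# ---- Mikrotik1 (server, 192.168.0.2 behind ISP Router A) ----

# PPP profile with encryption disabled, as suggested in the thread.
# only-one=yes keeps a second login with the same secret from coexisting.
/ppp profile add name=l2tp-bulk local-address=10.255.255.1 \
    remote-address=10.255.255.2 use-encryption=no only-one=yes

# One secret for the site B router (password is a placeholder).
/ppp secret add name=siteb password=CHANGE-ME service=l2tp profile=l2tp-bulk

# Enable the L2TP server without IPsec; MS-CHAPv2 only.
/interface l2tp-server server set enabled=yes use-ipsec=no \
    authentication=mschap2 default-profile=l2tp-bulk

# Accept the tunnel control traffic (UDP 1701) on the router itself.
# Move this rule above your generic input drop rule if you have one.
/ip firewall filter add chain=input protocol=udp dst-port=1701 \
    action=accept comment="L2TP from site B"

# Restrict what the tunnel peer may reach: only the file server,
# then drop everything else coming from the tunnel address.
# These two rules must sit above any broad "accept forward" rule.
/ip firewall filter add chain=forward src-address=10.255.255.2 \
    dst-address=192.168.0.10 action=accept comment="site B -> file server only"
/ip firewall filter add chain=forward src-address=10.255.255.2 \
    action=drop comment="site B -> nothing else"

# ---- hAP ac (client, site B behind ISP Router B) ----

# Dial Mikrotik1's public address; no IPsec, no default route
# so only traffic for the file server is routed into the tunnel.
/interface l2tp-client add name=l2tp-to-site-a connect-to=my.public.ip.1 \
    user=siteb password=CHANGE-ME use-ipsec=no add-default-route=no \
    profile=default disabled=no

# Route the single destination host through the tunnel.
/ip route add dst-address=192.168.0.10/32 gateway=l2tp-to-site-a
```

After the client comes up, `/interface l2tp-client monitor l2tp-to-site-a` on the hAP ac and `/ppp active print` on Mikrotik1 show whether the session is established, and `/export hide-sensitive` is the form in which to post the result if it does not work. If the firewall already has rules, check their order with `/ip firewall filter print` rather than assuming the new ones land in front.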
