SomeYoungGuy
Frequent Visitor
Topic Author
Posts: 73
Joined: Mon Oct 22, 2012 10:18 am

Major packet loss over simple VPN

Fri Jun 20, 2014 9:55 am

You have probably answered this question in your head before reading this... "packet loss over the VPN = MTU is wrong"... right? But where!?!?

Do this with me, but remember my two sites are across the internet, and I'm connected to the internet via 4G...

MT SERVER
Enable PPTP server... settings default:
Max MTU 1450
Max MRU 1450
MRUU disabled
Give the server an IP of 10.0.0.1
and use a profile WITHOUT encryption

MT CLIENT
PPP, create Client, settings:
Connect to: XX.XX.XX.XX
User, password, etc
again no encryption
Max MTU 1450
Max MRU 1450

.. and now connect... great, you are connected!

From the client: Tools, Ping: 10.0.0.1
Ping stats come back perfect!! 40ms no loss, great!!

Again on the Client do this:
Tools, Bandwidth Test
Test To 10.0.0.1, with default settings:
UDP
UDP Size: 1500
Remote UDP Size: 1500
Direction: Send <--------------- First see send (This is where this client transmits to the server)

Results are great: NO LOSS!!
[Attached image: Send.JPG]
Now change it to Receive, and test again, without changing any settings.

TERRIBLE RESULTS!!
[Attached image: Receive.JPG]
I get loss of up to 200 packets

Please someone explain this to me, and help me to fix this - I'll be transmitting SIP / voice over these VPN connections and currently the voice quality is terrible... understandably since the loss is crazy.
 
tomaskir
Trainer
Posts: 1162
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: Major packet loss over simple VPN

Fri Jun 20, 2014 11:32 am

This is normal behaviour with BTest - that is how BTest works.

With TCP you have a windowing mechanism that adjusts with internal TCP mechanisms and packets don't get lost.

With UDP, to detect max speed, you send packets until some of them get lost - that's how you know that the link is maxed, and you simulate a "window" behaviour.
So dropped UDP packets on UDP speedtest with RouterOS BTest are completely normal behaviour - you are maxing your link.

Any link when maxed will drop packets.

Also, since you are sending at 916 pps (1.3Mbit/s at 1500 byte packets), and your BTest is running at least 10 seconds (because the 10s average is calculated), that is actually just a ~1.5% packet drop.
You can see how good the "UDP windowing" mechanism in BTest is.
 
SomeYoungGuy

Re: Major packet loss over simple VPN

Fri Jun 20, 2014 12:15 pm

Ah right... and you technically cannot lose any packets when you send them (and since there is no ACK)... the only way to test the other direction would be to set up another receive from the server side.

So now this begs the question - in order to transmit SIP traffic - what "special" conditioning should one apply to the VPN to ensure that packets are not lost/change order/fragmented/ etc?.. considering also that I will need to sling an EoIP tunnel across the VPN. Like this:
http://blog.butchevans.com/2008/09/mikr ... pptp_eoip/

This is all in the aid of handling only voice traffic... any suggestions?
 
tomaskir

Re: Major packet loss over simple VPN

Fri Jun 20, 2014 12:22 pm

That tutorial uses EoIP over PPTP, and justifies it by saying that PPTP is securing the EoIP tunnel.
That is just plain wrong these days, as PPTP uses MPPE encryption, which can be broken by a smartphone today - the tutorial is from 2008.

Use IPSec in transport mode to secure the EoIP tunnel if you need security.
If not, use pure un-encrypted EoIP.

Will you ONLY be running SIP over the EoIP tunnel, or other traffic as well?
Will the SIP be inside EoIP, or along-side some other traffic, etc?

Also, since EoIP is encapsulating L2 packets in L3 packets, make sure you are using low enough MTU on the EoIP tunnel, to avoid fragmentation of the underlying EoIP L2 frames over multiple L3 frames.
 
SomeYoungGuy

Re: Major packet loss over simple VPN

Fri Jun 20, 2014 12:31 pm

> If not, use pure un-encrypted EoIP.

Absolutely no requirement for security, this is a replacement for straight SIP over general internet, but right now SIP over general internet is winning the race - quality is far better without any VPN or anything.

> Will you ONLY be running SIP over the EoIP tunnel, or other traffic as well?

100% SIP only.

> Also, since EoIP is encapsulating L2 packets in L3 packets, make sure you are using low enough MTU on the EoIP tunnel, to avoid fragmentation of the underlying EoIP L2 frames over multiple L3 frames.

This is the part I'm unsure of... what does "low enough MTU" mean? I'm really unsure of my MTU - must have missed that day in class. :(
 
tomaskir

Re: Major packet loss over simple VPN

Fri Jun 20, 2014 12:39 pm

> 100% SIP only.

Then simply prioritize the whole EoIP tunnel on the output to internet on your router.
That will make sure SIP is getting priority, since only SIP will be inside of the EoIP tunnel.

> This is the part im unsure of... what does "low enough MTU" mean? Im really unsure of my MTU - must have missed that day in class. :(

To make it short, set MTU to 1400 on the EoIP interface, that will make that work.

----- some notes: -----
EoIP is already VPN as it is, so you don't need PPTP or any other tunnel on top of it, as we already discussed before.

What is the end expected result in this setup - what do you want to accomplish?
You mentioned you already run SIP over plain internet.
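
The "low enough MTU" advice above, worked through as an added example (not part of the thread, and not code from either poster). It assumes the 42-byte EoIP overhead MikroTik documents (20 IP + 8 GRE + 14 Ethernet) and treats the PPTP interface MTU of 1450 from the first post as the limit the EoIP packet must fit in; the function names are hypothetical.

```python
import math

IPV4_HEADER = 20
# EoIP cost per frame: outer IPv4 header + GRE header + inner Ethernet header.
EOIP_OVERHEAD = 20 + 8 + 14  # 42 bytes (assumption taken from MikroTik's EoIP docs)


def max_inner_mtu(carrier_mtu, overhead=EOIP_OVERHEAD):
    """Largest L3 MTU on the EoIP interface that still fits in one carrier packet."""
    return carrier_mtu - overhead


def ipv4_fragments(packet_len, mtu):
    """Number of IPv4 fragments needed to carry packet_len bytes over a link of mtu bytes."""
    if packet_len <= mtu:
        return 1
    # Every fragment but the last carries a payload that is a multiple of 8 bytes.
    per_fragment = ((mtu - IPV4_HEADER) // 8) * 8
    return math.ceil((packet_len - IPV4_HEADER) / per_fragment)


def check_eoip_mtu(eoip_mtu, carrier_mtu):
    """Report what a full-size packet on the EoIP interface becomes on the carrier."""
    outer_len = eoip_mtu + EOIP_OVERHEAD
    return {
        "outer_len": outer_len,
        "fits": outer_len <= carrier_mtu,
        "fragments": ipv4_fragments(outer_len, carrier_mtu),
    }


if __name__ == "__main__":
    pptp_mtu = 1450  # value from the thread
    print("max EoIP MTU without fragmentation:", max_inner_mtu(pptp_mtu))
    for eoip_mtu in (1400, 1500):  # 1400 is the thread's advice; 1500 is a constructed contrast
        print(eoip_mtu, check_eoip_mtu(eoip_mtu, pptp_mtu))
```

With the thread's values the ceiling is 1408, so 1400 leaves 8 bytes of headroom, while an EoIP MTU of 1500 would split every full-size frame into two packets on the PPTP link.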
 
SomeYoungGuy

Re: Major packet loss over simple VPN

Sat Jun 21, 2014 12:48 am

Well this has been rather interesting...

Firstly, voice quality over VPN and EoIP isn't great, I'm getting quite a lot of packet loss, even though I have plenty of bandwidth, and low latency.

Here is what I managed to do and what my findings were... maybe there is something more I can do.

1. create pptp VPN1 to the server 10.0.0.1 via isp 1
2. create pptp VPN2 to the server 10.0.0.2 via isp 2
3. tunnel EOIP1 from client to 10.0.0.1 with id 0
4. tunnel EOIP2 from client to 10.0.0.2 with id 1
5. create a bonding adapter bond1 on client between EOIP1 & 2
6. set a local ip to bond1 192.168.2.1
7. create a bonding adapter bond1 on the server between EOIP1 & 2
8. set a local ip to bond1 192.168.2.2

set bonding to broadcast for both client and server.

vpn mtu is 1450
eoip mtu is 1400

Right, now from the client I can ping the server on 192.168.2.2, and it works perfectly.... as expected, I get all 4 duplicates back, two packets sent, and both replied twice.... really robust, technically each packet has double the chance of being received.

This all sounds great, but the reality of an actual call is interestingly bad call quality. Not dreadful, but noticeable packet loss. This being compared, at the same time, over the same link, with a native SIP over general internet.

Now here is the interesting thing: disabling one of the links actually improves the call quality!!

And even more interesting, applying a limitation to the VPN bandwidth, using a simple queue bandwidth limitation, this also makes the call quality bad... this doesn't make sense to me, since the bonding mode of broadcast is supposed to duplicate all packets, so if one simply doesn't arrive via EOIP1, it just uses the one via EOIP2 - this does work if you disable the VPN, but not if you limit it (simulating congestion, or poor bandwidth).
 
SomeYoungGuy

Re: Major packet loss over simple VPN

Sat Jun 21, 2014 11:27 am

And to answer your questions:

I need the PPTP to establish the connection because it will connect through an existing client firewall without modification or port forwards. EoIP on its own would probably require the return tunnel to have ports opened on the client end. Also EoIP needs to know the client live IP address, this is going to be impossible to determine - although it may be done with a script, without the correct ports open this approach is futile. VPN provides you with predictable IPs inside the tunnel.

The overall objective is to have the most "packet robust" VPN possible, i.e., if a packet fails or is late on one link it doesn't matter because it is there on the other. I must be able to have two totally different links, with different latency, and it shouldn't matter. The thing about voice data is that as soon as you get packet loss, you hear it right away - and clients complain! I want to make sure that any packet in any direction has at least the "best chance" of arriving, no matter what route it took. At the expense of additional headers, bandwidth etc etc... it's all about voice quality. I have never had a client say... oh, our voice is using too much bandwidth... it's always about the call quality.

It seems that the bonding with "broadcast" somehow has a relationship with its other packets, because reducing the bandwidth on one VPN affects the flow of packets on the other. I experienced this with using queues, and in a real life test. (All connections give problems at some point, ADSL, WiFi, 3G, 4G... all of them, all I want is for that to not result in a complaint)
 
SomeYoungGuy

Re: Major packet loss over simple VPN

Tue Jun 24, 2014 11:11 am

After days of fiddling with this, I'm still no further to solving the packet loss.

Right now, there is a phone, an RB750, 4G Router, the Internet, an RB 2011 and then Asterisk

If the phone uses the RB750 as a router and the traffic is directly routed to the Asterisk box... audio is perfect.

If the RB750 creates a VPN connection to the RB2011, and then the phone connects over the VPN... poor audio! Just packet loss, nothing else.

So this is my goal:

[phone]---[RB750 (VPN client)]----------{VPN}---------[RB1100 (VPN server)]---[Asterisk]
\-------{INTERNET}------/

For now I just want the VPN to have the same performance as the direct connection. Then I will bond the two EoIPs and look at ways to make it more robust.


FYI... in some TCP tests, I'm able to send and receive up to 10mb/s no problem, it's either UDP that's the problem or the MTU or something like that, because not even 1 call at a time (40kb per second) works without some packet loss.

The tests also show that at no point is the actual VPN or EoIP dropping the packets... although I think it's lying to me. If it's not, then it may be with the way the EoIP is handling the RTP packet.

Why am I losing packets? :?
 
tomaskir

Re: Major packet loss over simple VPN

Tue Jun 24, 2014 11:13 am

Like you said, for the moment, I would focus on bare essentials.

Don't use EoIP, use L2TP or GRE.
Use just a single routed tunnel - no bridging.
Set 1400 MTU on VPN interfaces.

Test for packet loss.
