Page 1 of 1

Mikrotik RB1200 as VPN Solution

Posted: Wed Nov 16, 2011 11:29 pm
by slech
Hello Everyone.
I tried RouterBoard 1200 as VPN Solution for our Office.
Test was produced between RB1200 and Windows7 Ultimate SP1 Pro and Windows XP SP3 Home and Ubunru 9.10.
For speed testing I used iperf and wget:
Server: iperf.exe -s
Client: iperf.exe -c 192.168.0.2 -P 15 -w 10000
#
wget ftp://test:test@192.168.0.22/routeros-5.8.arc
#2011-11-16 23:01:30 (3.14 MB/s) - `routeros-5.8.arc' saved [81351895]
RB1200
Anyone have a RB1200 in a rack?
Restart RB1200 every day, aleatory - resolved !
RB1200 ROS 5.0 - up to 5.5 - randomly reboots (BGPv4 and v6) - resolved !
RouterBoard 1200
Hardware error RB1200
RB1200 PPPoE Server
RB1200 IPSec perfomance issue

Genaral VPN issues
VPN clients and DNS Suffix
dns problem for incomming vpn users
pptp vpn client connection - dns suffix ?

PPTP Server

L2TP Server
L2TP have trouble with Windows XP behind NAT. Also is not possible to connect two client from one NAT'ed location.
NAT-T & IPSec Issues still exist
MTik L2TP/IPSec VPN server for Win clients behind NAT
L2TP/ipsec problems with windows 7 / vista when behind NAT

SSTP Server
SSTP: sstp-client for linux not working properly?

OpenVPN Server
Open VPN in ROS not supporting now:
1. Certificate based authentication.
2. UDP.
3. Compression.
4. Push route.
Configuring OpenVPN
Feature Request: OpenVPN [ovpn] udp tunnels
OpenVPN - TCP
OPEN VPN PUSHING ROUTES
Sometimes I enabled OpenVPN but it works only after RB reboot :(

Maybe this is not a good idea to switch or current OpenVPN Server on CentOS to RB1200 ?
Can someone share their experience ?

Thank you.

Re: RB1200 as VPN Solution

Posted: Thu Nov 17, 2011 12:01 am
by slech
Attached RB1200-As-VPN-Solution.xlsx

Re: RB1200 as VPN Solution

Posted: Sat Dec 03, 2011 7:47 am
by snoms
Thaank you very much for your work. I really expected to see higher numbers on the RB1200. I still have some Cisco 3000 VPN concentrators working which I wanted to replace. But I definitely need more throughput. Looking at MikrotikĀ“s support for SSTP, I reaaly considered those. Well, it would be interesting to see what VPN throughput the RB1100AHx2 will have.
An alternate solution would be to use Windows Server 2008 R2 (enterprise) on a 1HE Intel Xeon E3-1230 based server, where one could use PPtP, SSTP and L2TP/IPSec (with e.g. certificate based authentication).

Re: RB1200 as VPN Solution

Posted: Mon Dec 05, 2011 8:55 am
by macgaiver
I have several questions:

1) do you run tests from and to the router or through the router? - it must be through
2) Do you single or multiple simultaneous TCP connections? - it must be multiple TCP or UDP, to avoid protocol limitation.
3) Are you sure there are no MTU (MSS) problems with setups?

Re: RB1200 as VPN Solution

Posted: Mon Dec 05, 2011 2:28 pm
by slech
macgaiver
1) do you run tests from and to the router or through the router? - it must be through
RB1200 as VPN solution. I tested it as VPN Server.
Speed test was performed through VPN on RB1200.
Client --- Internet ---- RB1200 ---- LAN ---- Server
2) Do you single or multiple simultaneous TCP connections? - it must be multiple TCP or UDP, to avoid protocol limitation.
As described in the first post i used iperf:
Client: iperf.exe -c 192.168.0.2 -P 15 -w 10000
-P, --parallel # number of parallel client threads to run
In my case P=15.
3) Are you sure there are no MTU (MSS) problems with setups?
How I can verify this ?

Can you share you experience with RB1200 ?

Re: RB1200 as VPN Solution

Posted: Fri Dec 09, 2011 3:45 am
by otgooneo
As far as I know RB1200 has serious issues.

1. When total traffic is 100kbps and cpu usage is 1%, ICMP latency still 17-18ms.
2. Low ipsec performance: Using AES-128 and MD5, TCP traffic max 20-30Mbps. At this moment, CPU usage is not high and packet loss occurs.
3. If I create IPSec tunnel for dst-address=0.0.0.0/0 src-address=192.168.100.0/24, after tunnel establishes can`t access from 192.168.100.0/24 network to 192.168.100.1, which is address of RB1200. Also routerboard can`t access to 192.168.100.0/24 network. But if I try to access to remote network from 192.168.100.0/24, it is okay. No problem. Also from my remote network can access to 192.168.100.0/24 network.

Re: Mikrotik RB1200 as VPN Solution

Posted: Mon Mar 05, 2012 4:31 pm
by slech
Great news ! SSTP Client on linux
SSTP: sstp-client for linux not working properly?