Zoolander06
Frequent Visitor
Topic Author
Posts: 86
Joined: Thu Jan 03, 2019 5:26 pm

Very slow PPTP tunnel

Tue Aug 18, 2020 4:44 pm

Hello folks,

One of my clients asked me to set up some PPTP tunnels for road warrior usage, but now he complains about the performance.
The router is a RB3011 on a symmetric 1Gbps FTTH, the actual bandwidth is about 500Mbps symmetric...

But when connected to this router via PPTP, if I do a speedtest, I obtain something like 15Mbps from router to client and about 650kbps from client to router!
I have a 1Gbps symmetric FTTH on the client side too.

So the client is not happy, and I'm not either. I can't understand why the bandwidth is limited; I tried everything, read every topic about this problem, and still haven't found any solution...

I checked the CPU usage when doing the bandwidth test, it's about 2%, so clearly the CPU is not the cause.

Does somebody have an idea, or even better, a solution?

Joris
 
Zoolander06
Frequent Visitor
Topic Author
Posts: 86
Joined: Thu Jan 03, 2019 5:26 pm

Re: Very slow PPTP tunnel

Wed Aug 19, 2020 11:03 am

I'll add that I tried with L2TP/IPsec and with OpenVPN with similar results (a little bit better with OpenVPN, but still ridiculous compared with the WAN bandwidth).
 
Zoolander06
Frequent Visitor
Topic Author
Posts: 86
Joined: Thu Jan 03, 2019 5:26 pm

Re: Very slow PPTP tunnel

Wed Sep 16, 2020 7:28 pm

Hi,

Nobody has an idea about my problem?

It bothers me because I have clients asking me for a good road warrior VPN solution, and I don't know what to answer...
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Very slow PPTP tunnel

Wed Sep 16, 2020 7:50 pm

PPTP can't be "a good road warrior VPN solution" anyway.

As for the problem - try lowering MTU on the tunnel to something like 1400.
 
Zoolander06
Frequent Visitor
Topic Author
Posts: 86
Joined: Thu Jan 03, 2019 5:26 pm

Re: Very slow PPTP tunnel

Thu Sep 17, 2020 12:59 pm

I understand that, but, the problem is the same with L2TP/IPSEC or OpenVPN...
I already tried to lower the MTU, that makes no difference :(

Joris
 
erlinden
Forum Guru
Posts: 1958
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Very slow PPTP tunnel

Thu Sep 17, 2020 1:04 pm

What speeds do you get when testing with two computers, using iPerf?
What Internet connection do you have at the vpn client device?

Can you please share your config with us (/export hide-sensitive file=whateveryoulike)?
 
Zoolander06
Frequent Visitor
Topic Author
Posts: 86
Joined: Thu Jan 03, 2019 5:26 pm

Re: Very slow PPTP tunnel

Thu Sep 17, 2020 5:25 pm

Hi, the speed between two computers is even worse, I don't reach 1Mbps, both sides are connected via 1Gbps FTTH.

Here is my conf:
/interface bridge
add admin-mac=C4:AD:34:D8:7D:AC arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge
/interface gre
add allow-fast-path=no local-address=195.216.141.172 name=GRE-LeLuc \
    remote-address=212.194.113.149
/interface vlan
add interface=ether1 name=vlan4001 vlan-id=4001
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.2.10-192.168.2.99
add name=pool-pptp ranges=192.168.2.120-192.168.2.129
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/ppp profile
add change-tcp-mss=yes name=PPPoE only-one=yes use-compression=no \
    use-encryption=no use-mpls=no use-upnp=yes
add change-tcp-mss=yes interface-list=LAN local-address=192.168.2.1 name=PPTP \
    remote-address=pool-pptp use-encryption=yes
/interface pppoe-client
add allow=pap,chap disabled=no interface=vlan4001 name=ftth-ether1 profile=\
    PPPoE user=ip20080366630@fibre.srvc.bytel.dop
/queue tree
add max-limit=1G name=download parent=bridge priority=1 queue=default
add max-limit=1G name=upload parent=ether1 priority=1 queue=default
add limit-at=2M max-limit=1G name=voip-download packet-mark=voip-pkt parent=\
    download priority=1 queue=default
add max-limit=1G name=std-donwload packet-mark=std-pkt parent=download queue=\
    default
add limit-at=2M max-limit=1G name=voip-upload packet-mark=voip-pkt parent=\
    upload priority=1 queue=default
add max-limit=1G name=std-upload packet-mark=std-pkt parent=upload queue=\
    default
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ftth-ether1 list=WAN
add interface=GRE-LeLuc list=LAN
/interface pptp-server server
set default-profile=PPTP enabled=yes max-mru=1452 max-mtu=1400
/ip address
add address=192.168.2.1/24 interface=bridge network=192.168.2.0
add address=172.16.0.2/30 interface=GRE-LeLuc network=172.16.0.0
/ip dhcp-server lease
add address=192.168.2.50 mac-address=58:38:79:33:CF:35
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=\
    "Accept Webfig https connections from WAN" dst-port=8443 \
    in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="Accept PPTP connections from WAN" \
    dst-port=1723 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting dscp=46 new-connection-mark=\
    voip-cnx passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    new-connection-mark=std-cnx passthrough=yes
add action=mark-packet chain=prerouting connection-mark=voip-cnx \
    new-packet-mark=voip-pkt passthrough=yes
add action=mark-packet chain=prerouting connection-mark=std-cnx \
    new-packet-mark=std-pkt passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=8001 in-interface-list=WAN protocol=\
    tcp to-addresses=192.168.2.210
add action=dst-nat chain=dstnat disabled=yes dst-port=4443 in-interface-list=\
    WAN protocol=tcp to-addresses=192.168.2.150 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-port=8181 in-interface-list=\
    WAN protocol=tcp to-addresses=192.168.2.35 to-ports=80
add action=dst-nat chain=dstnat dst-port=5006 in-interface-list=WAN protocol=\
    tcp to-addresses=192.168.2.210
/ip firewall service-port
set sip disabled=yes
/ip route
add check-gateway=ping distance=1 gateway=10.10.20.1
add check-gateway=ping distance=1 gateway=ftth-ether1
add check-gateway=ping distance=1 dst-address=192.168.1.0/24 gateway=\
    172.16.0.1
/ip service
set www-ssl certificate=WebFig disabled=no port=8443
/ppp secret
add name=vpnuser1 profile=PPTP service=pptp
add name=vpnuser2 profile=PPTP service=pptp
add name=vpnuser3 profile=PPTP service=pptp
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Paris
/system identity
set name="RB3011"
/system ntp client
set enabled=yes server-dns-names=fr.pool.ntp.org
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set file-limit=100000KiB file-name=test.pcap filter-interface=*F00017 \
    only-headers=yes
Joris
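
The export above was requested with `/export hide-sensitive`, yet as posted it still shows public tunnel endpoints, MAC addresses and account names. An added example (not part of the thread and not MikroTik code): a Python scrubber to run over an export before posting it, keeping RFC 1918 addresses so the configuration stays readable. The sample export, the placeholder format and the function name `redact_export` are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in RouterOS export syntax; every value is made up.
SAMPLE_EXPORT = r"""/interface gre
add local-address=203.0.113.10 name=gre-site-b \
    remote-address=198.51.100.20
/interface pppoe-client
add interface=ether1 name=pppoe-out1 user=subscriber42@isp.example
/ip dhcp-server lease
add address=192.168.2.50 mac-address=02:00:5E:10:00:01
/ppp secret
add name=vpnuser1 profile=PPTP service=pptp
"""

# RFC 1918 ranges stay readable (ipaddress.is_private is broader than that).
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
USER_RE = re.compile(r'\buser=("[^"]*"|\S+)')
NAME_RE = re.compile(r'\bname=("[^"]*"|\S+)')

def redact_export(text):
    """Re-join backslash-wrapped lines, then return (redacted_text, mapping)."""
    mapping = {}
    def token(kind, value):
        # Equal values share one placeholder, so the config stays consistent.
        if (kind, value) not in mapping:
            n = sum(k == kind for k, _ in mapping) + 1
            mapping[(kind, value)] = f"<{kind}-{n}>"
        return mapping[(kind, value)]

    def ip_sub(m):
        try:
            addr = ipaddress.ip_address(m.group(0))
        except ValueError:  # digits that are not a valid address: leave as-is
            return m.group(0)
        internal = any(addr in net for net in INTERNAL)
        return m.group(0) if internal else token("public-ip", m.group(0))

    out, section = [], ""
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        section = line.strip() if line.startswith("/") else section
        line = MAC_RE.sub(lambda m: token("mac", m.group(0).upper()), line)
        line = IPV4_RE.sub(ip_sub, line)
        line = USER_RE.sub(lambda m: "user=" + token("user", m.group(1)), line)
        if section == "/ppp secret":  # account names are stored in name= here
            line = NAME_RE.sub(lambda m: "name=" + token("user", m.group(1)), line)
        out.append(line)
    return "\n".join(out) + "\n", mapping
```

The returned mapping stays on the poster's machine, so replies that quote a placeholder can be translated back to the real value locally.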
 
volkirik
Member Candidate
Posts: 208
Joined: Sat Jul 23, 2016 2:03 pm

Re: Very slow PPTP tunnel

Tue May 09, 2023 12:08 pm

You need to exclude VPN from fasttrack (or accept before the fasttrack rule in the filter tab).

Or use Routing->Rules instead of the firewall's mark-routing.
Last edited by volkirik on Mon Jun 26, 2023 9:24 am, edited 1 time in total.
 
volkirik
Member Candidate
Posts: 208
Joined: Sat Jul 23, 2016 2:03 pm

Re: Very slow PPTP tunnel

Wed May 10, 2023 6:36 pm

Alternatively, use my following script to import (sync) an address-list into the routing-rules table. Then you can fasttrack PPTP and you will not need to mark-routing.

Remember to add a SRC:(empty) DST:LAN table:main routing rule manually for the incoming traffic.
:local LANaddr "192.168.88.0/24"
:local fwaddrlist "pptp"
:local scriptname "fw_sync_rrule"
:local routetable "pptp"

{
	/system script job
	:if ([:len [find script="$scriptname"]] > 1) do={
		:log info "$scriptname : script already running"
		:error "$scriptname : script already running"
	}
}

/routing/rule
:local addrlistentryId
:foreach i in=[find comment="$scriptname"] do={
	:local src [get $i src-address]
	:local dst [get $i dst-address]
	:local dstWO32 [get $i dst-address]
	:if ( [:len [:find $dst "/32"]] > 0 ) do={
		:set dstWO32 [:pick $dst 0 [:find $dst "/32"]]
	}

	:if ($LANaddr != $src) do={
		/routing/rule/set $i src-address=$LANaddr
		:log info "$scriptname : routing rule $dst fixed (wrong LAN address)"
	}
	:if ( [:len [:find $dst "/"]] < 1 ) do={
		/routing/rule/set $i dst-address=($dst . "/32")
		:log info "$scriptname : routing rule $dst fixed (add missing /32)"
	}
	:set addrlistentryId [ /ip/firewall/address-list/find list="$fwaddrlist" address="$dstWO32"]
	:if ( [ :len $addrlistentryId ] < 1 ) do={
		/routing/rule/remove $i
		:log info "$scriptname : routing rule $dst removed (not in firewall)"
	}
}

/ip/firewall/address-list/
:local rruleentryId
:foreach i in=[find list="$fwaddrlist"] do={
	:local addr [get $i address]

	:if ( [:len [:find $addr "/"]] < 1 ) do={
		:set addr ($addr . "/32")
	}
	:set rruleentryId [ /routing/rule/find comment="$scriptname" dst-address="$addr"]
	:if ( [ :len $rruleentryId ] < 1 ) do={
		/routing/rule/add comment="$scriptname" src-address=$LANaddr dst-address=$addr action=lookup table=$routetable
		:log info "$scriptname : routing rule added for $addr"
	}
}
Note: add a scheduler for running it every ten seconds or so...

WARNING: script is experimental... use it at your own risk...

Hope this can be implemented natively someday by the MikroTik team, because using the script is resource-intensive.
