DEFC19
just joined
Topic Author
Posts: 7
Joined: Sun Feb 16, 2020 1:59 pm

RDP unstable over site-to-site VPN between MikroTik and WatchGuard firewall

Thu May 11, 2023 2:06 pm

Good afternoon everyone!

Here is my problem and my setup.

I have a site-to-site VPN between a WatchGuard firewall and a MikroTik hEX router, connected without problems via IKEv1 with IPsec in tunnel mode.

Ping from the MikroTik subnet to the WatchGuard firewall subnet works correctly, a constant 28 ms without interruptions, TTL=126.

The problem is when I connect via Remote Desktop from the MikroTik site to the server at the WatchGuard firewall site.

It is very, very slow and the connection quality is poor; it disconnects from time to time.

I have also tried IKEv2 with different encryption algorithms in Phase 1 and Phase 2, with identical results.

Also, to rule things out, I configured a WatchGuard firewall at site A and at remote site B, and the RDP connection is established correctly and runs smoothly.

I have increased the UDP connection tracking timeout to 20 seconds, but with identical results.

RouterOS version is 6.49.7.

I'm new to MikroTik and can't find any clue as to how to solve this. Thanks!
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RDP unstable over site-to-site VPN between MikroTik and WatchGuard firewall

Thu May 11, 2023 2:52 pm

Why use (unsafe) RDP? Use WireGuard (mkx made me say that) or TeamViewer...
 
DEFC19
just joined
Topic Author
Posts: 7
Joined: Sun Feb 16, 2020 1:59 pm

Re: RDP unstable over site-to-site VPN between MikroTik and WatchGuard firewall

Thu May 11, 2023 3:02 pm

Hi, it's a production environment and we only need RDP, since our users work by accessing the terminal server across the whole infrastructure.

Thanks for the input
 
holvoetn
Forum Guru
Posts: 5318
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: RDP unstable over site-to-site VPN between MikroTik and WatchGuard firewall

Thu May 11, 2023 4:05 pm

Anav:
There should not be a problem using RDP over an IPsec tunnel.
It's RDP connecting directly to an open port that would worry me (I have seen it misused by ransomware at the client I am working for, due to negligence of the former IT lead; luckily we had very good backup systems and proper segregation of systems).

OP:
WireGuard is only a protocol to set up the tunnel, so IPsec or WG makes no difference for your users (provided the WatchGuard box is able to terminate WG?? The last time I saw one it couldn't, but it was not a very recent one, so maybe they can now?)

What speed are we talking about between those two sites over IPsec? What should be possible?
You say you already tested using 2 WatchGuards, why not keep those?

Have you considered moving the hEX to ROS7 (7.6 at least)?
IPsec HW support was added in ROS7 for MMIPS devices (with the latest corrections as of 7.6).
If IPsec can be handled in HW, you should see a performance improvement.
(see this table for specific info: https://help.mikrotik.com/docs/display/ ... celeration)

OTOH, if this is a corporate environment, I'm a bit confused why you use a hEX for this (seemingly) important part of the connection.
It's a good SOHO router (a very good one, if you ask me) but it has its limitations (hence the low price).
You may need something beefier (more dedicated to IPsec, then).
Or reconsider the setup for that tunnel and move to WireGuard or something else. Depending on the speed needed, 2 hEXes can do a WG tunnel at decent speed :D
My view.
 
DEFC19
just joined
Topic Author
Posts: 7
Joined: Sun Feb 16, 2020 1:59 pm

Re: RDP unstable over site-to-site VPN between MikroTik and WatchGuard firewall

Thu May 11, 2023 5:44 pm

Hi, we go with the MikroTik option in less complex scenarios and for clients who do not want to invest in a much more expensive product such as WatchGuard, and it is possible to connect MikroTik and a WatchGuard firewall over IPsec. I'm thinking it could be the connection marking that MikroTik uses to verify the traffic...
 
DEFC19
just joined
Topic Author
Posts: 7
Joined: Sun Feb 16, 2020 1:59 pm

Re: RDP unstable over site-to-site VPN between MikroTik and WatchGuard firewall

Thu May 11, 2023 7:37 pm

Good afternoon everyone,

I have been able to solve the problem; I add below what I did, to help anyone with a similar issue.

I made 2 mangle rules, which mark every connection that matches an IPsec policy (outbound and inbound):

/ip firewall mangle add action=mark-connection chain=forward comment="mark ipsec connections (outbound)" ipsec-policy=out,ipsec new-connection-mark=ipsec
/ip firewall mangle add action=mark-connection chain=forward comment="mark ipsec connections (inbound)" ipsec-policy=in,ipsec new-connection-mark=ipsec

and then two firewall filter rules, so that only connections without the ipsec mark are fasttracked:

/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related connection-mark=!ipsec comment="fasttrack everything except ipsec-marked connections"
/ip firewall filter add chain=forward action=accept connection-state=established,related comment="accept established,related (ipsec traffic takes this path)"

The fasttrack rule has to go above the established/related accept rule.

*The order of the rules is important!!

thank you!
 
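The fix above works because packets of a FastTracked connection skip most of the router's packet processing, including the IPsec policy step, so RDP sessions that happened to get fasttracked were no longer handled consistently by the tunnel; marking IPsec-policy connections and excluding that mark from the fasttrack rule keeps them on the full path. The following Python script is an added example, not code from the thread or from MikroTik: it parses a RouterOS firewall export (both the "/ip firewall filter" then "add ..." export form and the one-liner form used in the post) and checks the three things the poster relies on: a mangle mark covering both in,ipsec and out,ipsec, a fasttrack rule that excludes that mark, and the fasttrack rule sitting above the accept established,related rule. The export snippets inside it are constructed for the example.

```python
"""Audit a RouterOS firewall export for the FastTrack/IPsec interaction.

Added example (not from the thread or MikroTik). Sample exports below are
constructed; they follow the '/ip firewall ... add key=value' syntax.
"""
import shlex
from dataclasses import dataclass

MANGLE = "/ip firewall mangle"
FILTER = "/ip firewall filter"


@dataclass
class Rule:
    section: str   # e.g. "/ip firewall filter"
    attrs: dict    # key=value pairs of the 'add' statement


def parse_export(text: str) -> list:
    """Parse export style ('/ip firewall filter' then 'add ...') and
    one-liner style ('/ip firewall filter add ...') into Rule objects."""
    rules, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)          # keeps comment="..." as one token
        if tokens[0].startswith("/"):
            if "add" in tokens:             # one-liner: path followed by add
                i = tokens.index("add")
                section, tokens = " ".join(tokens[:i]), tokens[i:]
            else:                           # bare path line opens a section
                section = " ".join(tokens)
                continue
        if tokens[0] != "add":
            continue                        # set/remove/... are not audited
        attrs = {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            attrs[key] = value
        rules.append(Rule(section, attrs))
    return rules


def ipsec_marks(rules: list) -> set:
    """Connection marks applied to BOTH in,ipsec and out,ipsec in chain=forward."""
    seen = {}
    for r in rules:
        a = r.attrs
        if (r.section == MANGLE and a.get("chain") == "forward"
                and a.get("action") == "mark-connection" and "ipsec-policy" in a):
            direction = a["ipsec-policy"].split(",")[0]      # "in" or "out"
            seen.setdefault(a.get("new-connection-mark"), set()).add(direction)
    return {m for m, dirs in seen.items() if {"in", "out"} <= dirs}


def audit_fasttrack_ipsec(text: str) -> list:
    """Return a list of findings; an empty list means the export is sound."""
    rules = parse_export(text)
    forward = [r for r in rules
               if r.section == FILTER and r.attrs.get("chain") == "forward"]
    ft_idx = next((i for i, r in enumerate(forward)
                   if r.attrs.get("action") == "fasttrack-connection"), None)
    if ft_idx is None:
        return []                           # no FastTrack, nothing bypasses IPsec

    findings = []
    marks = ipsec_marks(rules)
    if not marks:
        findings.append("no mangle rules mark both in,ipsec and out,ipsec "
                        "connections in chain=forward")
    cm = forward[ft_idx].attrs.get("connection-mark", "")
    if not (cm.startswith("!") and cm[1:] in marks):
        findings.append("fasttrack rule does not exclude IPsec-marked connections "
                        f"(connection-mark={cm or 'unset'})")
    acc_idx = next((i for i, r in enumerate(forward)
                    if r.attrs.get("action") == "accept"
                    and "established" in r.attrs.get("connection-state", "")), None)
    if acc_idx is not None and acc_idx < ft_idx:
        findings.append("accept established,related sits above the fasttrack rule, "
                        "so the fasttrack rule will never match")
    return findings


# Constructed sample 1: the common default, FastTrack catches everything (problem state).
BEFORE = """
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
"""

# Constructed sample 2: the thread's fix, in the one-liner form the poster used.
AFTER = """
/ip firewall mangle add action=mark-connection chain=forward comment="mark ipsec connections" ipsec-policy=out,ipsec new-connection-mark=ipsec
/ip firewall mangle add action=mark-connection chain=forward comment="mark ipsec connections" ipsec-policy=in,ipsec new-connection-mark=ipsec
/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related connection-mark=!ipsec
/ip firewall filter add chain=forward action=accept connection-state=established,related
"""

# Constructed sample 3: right rules, wrong order (the mistake the poster warns about).
MISORDERED = """
/ip firewall mangle
add action=mark-connection chain=forward ipsec-policy=out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward ipsec-policy=in,ipsec new-connection-mark=ipsec
/ip firewall filter
add action=accept chain=forward connection-state=established,related
add action=fasttrack-connection chain=forward connection-state=established,related connection-mark=!ipsec
"""

if __name__ == "__main__":
    for name, export in (("BEFORE", BEFORE), ("AFTER", AFTER), ("MISORDERED", MISORDERED)):
        print(name, "->", audit_fasttrack_ipsec(export) or "OK")
```

Run it against `/export` output saved from a router (or paste the one-liners from a post) before enabling FastTrack on a box that also terminates IPsec; an empty result means the mark, the exclusion and the rule order are all in place. The check deliberately stays silent when there is no fasttrack rule at all, since without FastTrack the IPsec path is never bypassed.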
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RDP unstable over site-to-site VPN between MikroTik and WatchGuard firewall

Thu May 11, 2023 8:33 pm

Yes, if you had provided a config along with the initial explanation, that would have been obvious... :-)
 